KR101492733B1 - Method for detecting toll fraud attack in Voice over Internet Protocol service using novelty detection technique - Google Patents

Abstract

The present invention relates to a method of detecting toll fraud attack in a mobile voice over internet protocol (VOIP) service and includes creating an input variable for a detection model by using a history including past toll fraud attack information and past call detail records (CDRs), building an individual toll fraud attack detection model by using a single novelty detection algorithm by using the created input variable, combining the built individual toll fraud attack detection models to build an ensemble novelty detection model, and applying a new call detail record to the ensemble novelty detection model to determine the presence/absence of toll fraud attack. According to the present invention, by detecting the toll fraud attack in the mobile VOIP service by utilizing the novelty detection technique, it is possible to represent excellent toll fraud attack detection performance compared to a typical rule based detection technique based on expert′s knowledge and it is possible to enhance accuracy.

Description

FIELD OF THE INVENTION [0001] The present invention relates to a method for detecting a fraud attack in an Internet telephone service using an outlier detection technique,

The present invention relates to a method of detecting a billing bypass attack in an Internet telephone service, and more particularly, to a method of detecting a billing bypass attack in an Internet telephone service by constructing an ensemble detector combining a plurality of individual outlier detection techniques.

Since Internet telephony was first introduced in 1999 under the brand name of dial pad, the number of subscribers of Internet telephony service in Korea exceeded 10 million in 2012, and the number of cumulative subscribers is increasing year by year. Internet telephony is evolving into an increasingly diverse range of additional services, and now it is possible to build a telephony environment with no difficulty for individuals.

While Internet telephony services are growing in this way, Internet telephony is creating various social issues along with vulnerabilities in the IP network environment.

For example, denial of service (DDoS) denial of service, eavesdropping using packet sniffing, and the use of the flexible function of Internet telephony, spamming large numbers of calls to unspecified numbers, Voice phishing, and billing bypass attacks.

Among them, recent cases of damage caused by Toll Fraud Attack are increasing. In Korea, a system was introduced in August 2012 to report the damage caused by the BIS attack through the Korea Internet Security Agency (KISA), but it is not easy to see how much damage has been done yet.

A busting attack is one of attacks that steals a subscriber of a service user or avoids billing by making a call through a communication device such as a vulnerable IP PBX or an Internet telephone gateway.

However, most Internet telephony service providers have not yet been able to detect abnormal traffic, including bogus bypass attacks. In addition, the scale and countermeasures against bribery bypass attacks, and the lack of guidelines to detect and prevent them.

Overseas, it has been long time ago to understand the scale of damage to fraud loss in the telecommunication industry and to think about ways to minimize such damage. According to the 2009 survey by the Communications Fraud Control Association (CFCA), a US nonprofit organization that seeks to identify scams and reduce damages, the amount of damage from fraud has increased by about 34 percent since 2005 Estimated at about $ 720 to $ 80 billion per year. It was also found that more than 55% of the damage occurred through account theft or vulnerable telecommunications equipment.

As such, as the area of Internet telephony service in the telecommunication industry becomes more and more wider, there is a possibility that various social problems as well as weaknesses on the IP network base are likely to increase. Although a bill-off attack is less well-known than eavesdropping, spam, and voice phishing, it can cause financial loss immediately to a business operator or user. Therefore, attention should be paid to counter-bombardment attacks as well as prevention measures and information sharing.

In fact, in October 2009, a hacking of the exchanges built in South Korea's special operators resulted in the use of international calls in Maldives and Somalia, resulting in damage of more than about 110 million won. A hacked exchange was used without permission by an international hacker in China without access control to allow only authorized device calls. In addition, there is a case of damage of international telephone of tens of million won by Internet telephone hacking in domestic domestic travel agency.

Until now, there has been a lack of systems in the telecom industry to grasp the damage caused by fraud, to analyze patterns for fraud detection, to share information (IP, caller ID, pattern, etc.) In addition, in 2013, the Korea Communications Commission (KCC) will establish a system for collecting and sharing information on illegal calls and pattern information of international phone calls between telecommunication carriers in 2013. Will be implemented.

The seriousness of the bill-bypassing attack is that even if such an attack is made, it may not be recognized. For example, you might get a month's worth of bills, or even a few months later, without knowing it. And it is not easy to find abnormal call traffic patterns in many call detail records (CDRs).

Most of the methods for obtaining information for the BGP attack are based on searching the VoIP communication equipment in the specific network band. It can also identify vulnerabilities in telecommunication equipment and retrieve account information, or secure communications through telecommunication equipment. As an attacker identifies vulnerabilities, Internet telephony service providers can proactively detect such attempts while monitoring their firewall or network traffic. However, it is not easy to block the IPR attacks because of the communication equipments where the communication equipment is dispersed and the access control is not defined in various network environments.

In addition, it is not easy to judge whether the current telephone call service provider or the transit service provider is calling due to a bypassing attack, if the call information is already stolen or a call is made via weak communication equipment.

Korean Patent No. 10-1177002

Disclosure of Invention Technical Problem [8] The present invention has been conceived to solve the above-mentioned problems, and it is an object of the present invention to provide a method of detecting a billing bypass attack in an Internet telephone service by using an outlier detection technique in order to improve detection performance and accuracy of a billing bypass attack The purpose is to provide.

The objects of the present invention are not limited to the above-mentioned objects, and other objects not mentioned can be clearly understood by those skilled in the art from the following description.

According to an aspect of the present invention, there is provided a method of detecting a Binding Detachment Attack in a Voice over Internet Protocol (VoIP), including: a history in which past toll fraud attack information is recorded; Generating input parameters of the detection model using call detail records (CDRs), constructing a separate billing bypass detection model using a novelty detection algorithm using the generated input variables A step of constructing an ensemble outlier detection model by combining the constructed individual bill bypassing attack detection models, and a step of applying a new call history record to the ensemble outlier detection model to determine whether or not the system is a bill bypassing attack.

The past call history record includes nominal information including a caller telephone number, a recipient telephone number, a service product code, a charge imposing group, a call type, a connection failure code, and a continuous type (continuous) information.

Wherein the input parameter of the detection model is calculated by using a history in which the past accounting detour attack information is recorded to calculate a frequency of occurrence of a charging detour attack for each of the nominal information, Can be generated.

According to an embodiment of the present invention, in the step of constructing the ensemble outlier detection model, the ensemble outlier detection model is constructed by applying a majority rule to the individual outliers detection models, In the step of applying the ensemble outlier detection model, the result of determining whether or not the individual outlier detection model is in charge of the toll bypass attack is integrated. If the number of the individual outlier detection models judged by the charge detour attack is larger than the number of the individual outlier detection models, It can be judged as an attack.

In another embodiment of the present invention, in the step of judging whether or not the billing bypassing attack is determined, if the outlier score obtained by applying the new call history record to the ensemble outlier detection model is equal to or greater than a predetermined reference value, It can be judged as a call attempt.

More specifically, in the step of constructing the ensemble outlier detection model, the ensemble outlier detection model is constructed by arithmetically combining outlier scores calculated by the individual outlier detection models, The arithmetic mean is calculated with respect to the outlier score calculated by each of the individual outlier detection models by using the ensemble outlier detection model, and if the arithmetic mean is equal to or greater than a predetermined reference value, it is determined that the attack is a bill bypass detour. Otherwise, It can be judged as a call attempt.

Wherein the single outlier detection algorithm is a Gaussian density estimator, a Mixture of Gaussian distribution estimate, a single outlier detection algorithm is a parzen window, and the single outlier detection algorithm is a k- -Nearest Neighbor-based outlier detection or the single outlier detection algorithm may be K-Means Clustering-based outlier detection.

According to the present invention, detection of a billing bypass attack in an Internet telephone service using an outlier detection technique can exhibit a superior detection performance of a billing bypass attack as compared with a rule-based detection technique depending on the knowledge of an existing expert, There is an effect that can be improved.

Further, according to the present invention, it is expected that convenience of maintenance and management in the Internet telephone service will be increased.

BRIEF DESCRIPTION OF THE DRAWINGS FIG. 1 is a diagram illustrating a billing bypass attack in an Internet telephone service. FIG.
FIG. 2 is a flowchart illustrating a method of detecting a billing bypass attack in an Internet telephone service according to an embodiment of the present invention.
3 is a diagram showing a classification criterion by the classification algorithm and a classification criterion by the outlier detection technique.

While the invention is susceptible to various modifications and alternative forms, specific embodiments thereof are shown by way of example in the drawings and will herein be described in detail. It should be understood, however, that the invention is not intended to be limited to the particular embodiments, but includes all modifications, equivalents, and alternatives falling within the spirit and scope of the invention.

The terminology used in this application is used only to describe a specific embodiment and is not intended to limit the invention. The singular expressions include plural expressions unless the context clearly dictates otherwise. In the present application, the terms "comprises" or "having" and the like are used to specify that there is a feature, a number, a step, an operation, an element, a component or a combination thereof described in the specification, But do not preclude the presence or addition of one or more other features, integers, steps, operations, elements, components, or combinations thereof.

Unless defined otherwise, all terms used herein, including technical or scientific terms, have the same meaning as commonly understood by one of ordinary skill in the art to which this invention belongs. Terms such as those defined in commonly used dictionaries are to be interpreted as having a meaning consistent with the contextual meaning of the related art and are to be interpreted in an ideal or overly formal sense unless expressly defined in the present application Do not.

In the following description of the present invention with reference to the accompanying drawings, the same components are denoted by the same reference numerals regardless of the reference numerals, and redundant explanations thereof will be omitted. DETAILED DESCRIPTION OF THE PREFERRED EMBODIMENTS Hereinafter, exemplary embodiments of the present invention will be described in detail with reference to the accompanying drawings. In the following description, well-known functions or constructions are not described in detail since they would obscure the invention in unnecessary detail.

BACKGROUND OF THE INVENTION 1. Field of the Invention The present invention relates to a method of detecting a billing bypass attack in a Voice over Internet Protocol (VoIP).

BRIEF DESCRIPTION OF THE DRAWINGS FIG. 1 is a diagram illustrating a billing bypass attack in an Internet telephone service. FIG. 1 is a simplified diagram of an Internet telephony service.

Referring to FIG. 1, the normal call traffic in the Internet telephone service is the same as the direction of the blue arrow. That is, a call is started from the user group 100 on the left side, and a call is made to the called party group 200 via the router 110, the VoIP service provider 120, the ITSP 130 and the router 140 do. The user group 100 includes an IP phone, a VoIP gateway, a voice mail system, an IPPBX, and the like. Likewise, the recipient group 200 includes an IP phone, a VoIP gateway, a voice mail system system, IPPBX, and the like.

The flow shown in the red arrow direction in FIG. 1 indicates abnormal call traffic. That is, for example, when the attacker 300 obtains the account information of the Internet phone and attempts to make a call, or a call is made via a weak communication device such as a VoIP gateway, a voice mail system, or an IPPBX Or an abnormal call attempt may occur.

If a provider providing Internet telephone service detects such a burglar-bypass attack in advance, it will block the root of the attack and exclude the billing due to it, but if it can not be detected, it is highly likely to be billed to the user. If you do not check your details, you will pay a fee that you do not use. In this way, like a fraud, the attacker takes advantage of the action, while the victim (business or service subscribers) suffers as much as the gain of the attacker.

The present invention proposes a method for more efficiently detecting a billing bypass attack in the Internet telephone service.

FIG. 2 is a flowchart illustrating a method of detecting a billing bypass attack in an Internet telephone service according to an embodiment of the present invention.

Referring to FIG. 2, an input parameter of a detection model is generated using a history in which past toll fraud attack information is recorded and call detail records (CDRs) in the past S201).

Then, an individual billing bypass attack detection model is constructed using a single novelty detection algorithm using the generated input variables (S203).

Then, an established ensemble outlier detection model is constructed by combining the constructed individual bill detour attack detection models (S205).

Then, a new call history record is applied to the ensemble outlier detection model to determine whether or not the call is a bypass detour (S207).

If it is determined in step S207 that the outlier score obtained by applying the new call history record to the ensemble outlier detection model is equal to or greater than a predetermined reference value, it is determined that the call is a bypass detour. Otherwise, it is determined that the call attempt is normal.

In one embodiment of the present invention, the single outliers detection algorithm may be a Gaussian density estimator, a Mixture of Gaussian distribution estimation, a parzen window, a k-Nearest Neighbor- Detection, and K-cluster clustering-based outlier detection.

The outlier detection technique assumes all the given data as one category, then measures the similarity with the existing data with respect to the new data. If the similarity is sufficiently similar, it judges as the same category. Otherwise, the machine learning (machine learning) technique.

In particular, the outlier detection technique is more effective than the binary classification method in cases where it is difficult to collect data belonging to a specific category or the imbalance between categories is severe.

FIG. 3 shows the difference between the conventional classification and the outlier detection technique. FIG. 3 (a) is an example of a conventional classification technique, and FIG. 3 (b) is an example of an outlier detection technique.

Referring to FIG. 3, a general classification scheme classifier generates a classification criterion that best distinguishes two categories, assuming that normal data and abnormal data are sufficient.

Therefore, A and B in Fig. 3 (a) are mostly classified as normal by the classification algorithm. However, in the case of FIG. 3, since the abnormal data is very small compared to the normal data, the classification algorithm can not sufficiently learn the attributes of the abnormal data.

On the other hand, in FIG. 3 (b), since the outlier detection technique only learns normal data and generates a classification boundary, A and B are classified as abnormal data.

When a call is made using an Internet telephone service (VoIP), the information stored in the call detail record (CDR) includes the telephone number of the sender and the receiver, the receiver area code, the service product code, the charge imposing group, And continuous information such as a waiting time and a talk time.

At this time, it is possible to calculate the frequency of occurrence of the past accounting detour attack on the nominal value of the specific attribute by using the history of the past accounting detour attack. For example, if there are 100 call records with a recipient area number of 1, and there are 5 recipient area codes in the past 1 month, the value for recipient area code 1 is 0.05 . By using the same method, it is possible to construct a set of input variables used in the outlier detection model by assigning the frequency of the past accounting detour attack to the value of the variable for all the CDR variables.

Various techniques may be used in the method of the present invention to detect anomaly. For example, a Gaussian density estimator, K-means clustering, Mixture of Gaussian (MoG), K-Nearest Neighbor (kNN) Algorithm and data mining including machine learning and machine learning algorithms can be used.

Gaussian distribution estimation is a representative distribution estimation outlier detection methodology in which Gaussian distribution estimation is a representative distribution estimation outlier detection methodology. Assuming that all normal data (normal call record) is generated from the same Gaussian distribution as shown in the following Equation 1, Σ), and calculates the probability density of the new data to determine whether it is normal.

Where x is the input variable values for the new call record, and p (x) is the probability that this call record is included in the normal call record. If the probability is sufficiently large (eg, 95% of the average normal data), the call record is determined to be a normal call, and if the probability is low, it is determined that the call is a bypass detour.

The mixed Gaussian distribution estimation assumes that the normal data is generated from two or more population groups rather than a single regular population, and the probability that the new data belongs to the normal data region is calculated as follows.

Where p _k (x) is the probability that the new call record belongs to the kth normal cluster, and P (k) is the ratio of the kth cluster to the total data.

The fuzzy window technique is the most refined case of mixed Gaussian distribution estimation, assuming that the total number of clusters is equal to the number of normal data and the probability that the new call log X belongs to the normal data area is calculated as follows.

k-Nearest neighbors based outlier detection, when a new call record X is given, calculates k call records that are most similar to the call record using the Euclidean distance calculation method, and then the mean distance from k neighbors is sufficiently small , It is determined that the call is a normal call. This can be expressed by the following equation.

K-mean clustering is a representative clustering-based outlier detection technique. It is assumed that normal data can be divided into K homogeneous clusters as shown in the following equation.

At this time, K-average clustering minimizes the within-cluster sum of squared errors as shown in Equation (6) to find an optimal group that can best represent normal data.

Here, c _i is the center of the i th cluster Ci, and if the optimal number K of groups and the centroid of each group are determined through Equation 6, The degree of similarity with the nearest group is measured to determine whether or not it is normal.

Since K-means clustering does not assume that all data are generated in a single distribution, unlike the Gaussian distribution estimate, it can be used very effectively when the data does not represent a form of normal distribution.

The SVDD technique finds the minimum hypersphere that represents the normal call record in the feature space and identifies only the region inside the phrase as normal.

By using the ensemble outlier detection method that combines individually constructed single outlier detection algorithms, it is possible to perform a further improved detection of the burglary bypass attack. There are two main ways of detecting the BAC attack using the ensemble technique.

First, the principle of majority rule is applied to the presence of bypass deterrence determined by the individual outlier detection algorithm. For example, when the three outlier detection algorithms of the five outlier detection algorithms for the new call record are determined to be a bill bypassing attack and the remaining two outlier detection algorithms are determined to be normal records, the ensemble technique is finally This is a method to judge that it is a detour attack.

Second, it is a method of arithmetically combining the outlier scores (probabilities) calculated by the individual outlier detection algorithm. That is, when the outlier scores calculated by the five outlier detection algorithms for the new call records are 0.9, 0.85, 0.8, 0.75, and 0.7, respectively, the outlier score of the ensemble technique is 0.8, For example, in the case of 0.7, the call record has a value greater than the reference value, and thus it is determined that the call is a bypass detour.

While the present invention has been described with reference to several preferred embodiments, these embodiments are illustrative and not restrictive. It will be understood by those skilled in the art that various changes and modifications may be made therein without departing from the spirit of the invention and the scope of the appended claims.

100 user groups 200 called groups
110, 140 Router 120 VoIP service provider
130 ITSP 300 Attacker

Claims (11)

A method of detecting a bill bypassing attack in a Voice over Internet Protocol (VoIP)
Generating input parameters of a detection model using past history of toll fraud attack information and call detail records (CDRs);
Constructing an individual billing bypass attack detection model using a single novelty detection algorithm using the generated input variables;
Constructing an ensemble outlier detection model by combining the established individual bill detour detection models; And
And a step of applying a new call history record to the ensemble outlier detection model to determine whether or not the call is a bill bypassing attack,
The past call history record includes nominal information including a caller telephone number, a recipient telephone number, a service product code, a charge imposing group, a call type, a connection failure code, and a continuous type the method comprising the steps of: (a) receiving a call connection request message from the Internet telephone service;
delete The method according to claim 1,
In the step of generating an input variable of the detection model,
Wherein the input parameter of the detection model is generated by calculating a frequency of occurrence of a billing bypass attack for each of the nominal information by using a history in which the past accounting detour attack information is recorded, Detection of Bypass Attacks.
The method according to claim 1,
In constructing the ensemble outlier detection model, the ensemble outlier detection model is constructed by applying a majority rule to individual outliers detection models,
In the step of judging whether or not the billing bypassing attack is performed, the ensemble outlier detection model is applied to synthesize the determination result of each of the individual outlier detection models to determine whether or not the billing bypass detours are performed, And if the number of detection models is greater than the number of detection models, it is determined to be a charging detour attack.
The method according to claim 1,
In the step of determining whether or not the charging detour attack is made,
Wherein the control unit determines that the call is a normal call attempt if the outlier score obtained by applying the new call history record to the ensemble outlier detection model is equal to or greater than a predetermined reference value, Way.
The method of claim 5,
In the step of constructing the ensemble outlier detection model, the ensemble outlier detection model is constructed by combining the outlier scores calculated by the individual outlier detection models in an arithmetic manner,
In the step of judging whether or not the charging bypassing attack is performed, the ensemble outlier detection model is applied to obtain an arithmetic average for the outlier score calculated in each individual outlier detection model. If the arithmetic mean is equal to or greater than a predetermined reference value, , Otherwise, it is determined that the call is a normal call attempt.
The method according to claim 1,
Wherein the single outlier detection algorithm is a Gaussian density estimator.
The method according to claim 1,
Wherein the single outlier detection algorithm is a Mixture of Gaussian distribution estimation.
The method according to claim 1,
Wherein the single outlier detection algorithm is a parzen window. ≪ RTI ID = 0.0 > 11. < / RTI >
The method according to claim 1,
Wherein the single outlier detection algorithm is a k-Nearest Neighbor based outlier detection.
The method according to claim 1,
Wherein the single outlier detection algorithm is a K-Means Clustering (K-Means Clustering) based outlier detection.

Images