KR20160141613A - System and method for detecting illegal traffic - Google Patents

System and method for detecting illegal traffic Download PDF

Info

Publication number
KR20160141613A
KR20160141613A KR1020150077564A KR20150077564A KR20160141613A KR 20160141613 A KR20160141613 A KR 20160141613A KR 1020150077564 A KR1020150077564 A KR 1020150077564A KR 20150077564 A KR20150077564 A KR 20150077564A KR 20160141613 A KR20160141613 A KR 20160141613A
Authority
KR
South Korea
Prior art keywords
call
traffic
pattern
illegal
corresponds
Prior art date
Application number
KR1020150077564A
Other languages
Korean (ko)
Other versions
KR101942965B1 (en
Inventor
백광현
김우태
안태진
Original Assignee
주식회사 케이티
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by 주식회사 케이티 filed Critical 주식회사 케이티
Priority to KR1020150077564A priority Critical patent/KR101942965B1/en
Priority to PCT/KR2016/004805 priority patent/WO2016195261A1/en
Publication of KR20160141613A publication Critical patent/KR20160141613A/en
Application granted granted Critical
Publication of KR101942965B1 publication Critical patent/KR101942965B1/en

Links

Images

Classifications

    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04MTELEPHONIC COMMUNICATION
    • H04M3/00Automatic or semi-automatic exchanges
    • H04M3/22Arrangements for supervision, monitoring or testing

Landscapes

  • Engineering & Computer Science (AREA)
  • Signal Processing (AREA)
  • Telephonic Communication Services (AREA)
  • Mobile Radio Communication Systems (AREA)

Abstract

Disclosed are a system and a method for detecting illegal traffic. The purpose of the present invention is to provide a system and a method for detecting illegal traffic by interconnect bypass or the like which bypasses a network of a telecommunication operator whose major source of revenue is based on a rate difference, by detecting a unique occurrence pattern by type or form of the illegal traffic. The system for detecting illegal traffic comprises: a traffic collecting unit for collecting call traffic from an exchange, and parsing a call detail record (CDR) from the call traffic; a pattern detecting unit for detecting whether a pre-defined pattern occurring in illegal traffic occurs by type in the call traffic on the basis of the CDR; and an illegal traffic detecting unit for determining whether the call traffic is illegal traffic on the basis of a detection result of the pattern by the type, and for transmitting a determination result to the exchange, wherein the illegal traffic is what has been introduced into the exchange through an illegal traffic path other than a normal traffic path provided by a telecommunication operator.

Description

TECHNICAL FIELD [0001] The present invention relates to an apparatus and method for detecting illegal traffic,

The present invention relates to an illegal traffic detection apparatus and a method thereof.

The Communications Fraud Control Association (CSCF) reported that the amount of damage to global unauthorized communications usage was around $ 43bn in 2013, and the percentage of illegal call top-5 traffic (Interconnect Bypass, SIM BOX) . In this way, the types of illegal archetypes and their forms of occurrence are becoming a reality.

This way of bypassing the call route not only reduces the revenue of the service provider but also utilizes the public Internet network without any effort (equipment investment and line expansion) to secure the service quality, Although it causes problems, it is a reality that it is limited to detect and block.

Conventionally, there is a configuration in which a call pattern including call detail record (CDR) information is compared with a predefined abnormal traffic in order to block illegal international calls to judge whether there is an abnormal traffic. However, there are limitations in detecting individual types of illegal traffic when using only CDR information in the current environment that causes illegal traffic in various types and infinite ways.

SUMMARY OF THE INVENTION Accordingly, the present invention has been made in view of the above problems, and it is an object of the present invention to provide a method and apparatus for detecting an illegal traffic type or an inherent pattern of illegal traffic, And to provide an apparatus and method for detecting illegal traffic that is bypassed.

According to an aspect of the present invention, an illegal traffic detection apparatus includes a traffic collecting unit collecting call traffic from an exchange and parsing a call detail record (CDR) from the call traffic, A pattern detector for detecting occurrence of a pattern in an illegal traffic that has been predefined from the call traffic, and a pattern detector for detecting whether the call traffic is an illegal traffic based on the pattern detection result for each type, and transmitting the determination result to the exchange And the illegal traffic may be an illegal traffic that has been transmitted to the exchange through an illegal traffic route without passing through a normal traffic route provided by a communication carrier.

Wherein the illegal traffic detection unit comprises:

It is possible to determine whether the call traffic collected from the exchange is received from the illegal traffic path including the calling side bypass gateway, the Internet network, and the called side bypass gateway.

Further comprising a database for storing the illegal traffic,

The traffic collecting unit,

And if it is found in the database, transmits illegal traffic detection information indicating that the call traffic is illegal traffic to the exchange, inquiring the database if the call traffic is present in the database,

The traffic collecting unit,

If the call traffic does not exist in the database, the call detail record may be generated and transmitted to the pattern detector.

Wherein the illegal traffic detection unit comprises:

It is possible to finally determine whether the call traffic is an illegal traffic considering a combination of the patterns, a predetermined weight for each pattern, and a use frequency for each pattern detected by the pattern detecting unit.

Wherein the pattern detecting unit comprises:

It is possible to detect whether the calling terminal of the call traffic is a wireless terminal and corresponds to a pattern for generating a call without regional movement based on the call detail recording.

Wherein the pattern detecting unit comprises:

It is possible to detect whether the call traffic corresponds to a pattern used only for voice communication based on the call detail recording.

Wherein the pattern detecting unit comprises:

It is possible to detect whether or not the call traffic corresponds to a pattern in which the ratio of call success rate to total call rate is over the threshold based on the call detail record.

Wherein the pattern detecting unit comprises:

It is possible to detect whether or not the call traffic corresponds to a pattern in which the number of the called number exceeds the threshold based on the call detail record.

Wherein the pattern detecting unit comprises:

It is possible to detect whether the call traffic corresponds to a pattern in which the number of voice communication attempts exceeds the threshold value with respect to the number of times of use for each service based on the call detail recording.

Wherein the pattern detecting unit comprises:

It is possible to detect whether the call traffic corresponds to a pattern in which the number of voice channel assignment subscribers in the base station exceeds the threshold based on the call detail recording.

Wherein the pattern detecting unit comprises:

It is possible to detect whether or not the call traffic corresponds to a pattern in which the number of nightly call occurrences exceeds the threshold based on the call detail record.

Wherein the pattern detecting unit comprises:

It is possible to detect whether or not the call traffic corresponds to an average call hold time of the incoming call success call less than a threshold based on the call detail record.

Wherein the pattern detecting unit comprises:

It is possible to detect whether the call traffic corresponds to a pattern in which the utilization rate in the subscriber network exceeds the threshold based on the call detail record.

Wherein the pattern detecting unit comprises:

It is possible to detect whether the call traffic corresponds to a pattern in which the call volume of the subscriber exceeds a threshold based on the call detail record.

Wherein the pattern detecting unit comprises:

It is possible to detect whether the quality of the call traffic corresponds to a pattern having a threshold value or less based on the call detail recording.

Wherein the pattern detecting unit comprises:

It is possible to detect whether the calling number of the call traffic corresponds to the pattern of prepaid charging based on the call detail recording.

According to another aspect of the present invention, an illegal traffic detection method includes: collecting call traffic from an exchange; determining whether the collected call traffic is an illegal traffic that has been defined; if the collected call traffic is not the illegal traffic, The method comprising the steps of: parsing a call detail record (CDR) from the collected call traffic; detecting whether a pattern occurring in the illegal traffic predefined from the call traffic is generated based on the call detail record; Determining whether the collected call traffic is an illegal traffic in consideration of a combination of the patterns, a predefined weight for each pattern, and a use frequency; and transmitting information indicating whether the collected call traffic is illegal traffic to the exchange Comprising:

The illegal traffic may have been transmitted to the exchange through an illegal traffic path including a source side bypass gateway, an Internet network, and a destination side bypass gateway without passing through a normal traffic route provided by a communication service provider.

The method of claim 1,

Determining whether the call terminal of the call traffic is a wireless terminal based on the call detail record and corresponds to a pattern for generating a call without local movement; determining whether the call traffic corresponds to a pattern using only voice call based on the call detail record; Determining whether the call traffic corresponds to a pattern in which call origination call rate as compared to the total call success rate exceeds a threshold based on the call detail record; Determining whether the number of times of voice call attempts to the number of times of use of the call traffic is equal to a pattern exceeding a threshold value based on the call detail record based on the call detail record, If the call traffic is a voice channel Determining whether the number of subscribers corresponds to a pattern exceeding a threshold value; determining whether the call traffic corresponds to a pattern in which the number of nightly call occurrences exceeds a threshold based on the call detail record; Judging whether the traffic corresponds to a pattern in which the use rate in the subscriber network exceeds a threshold value based on the call detail record, Determining whether the call traffic corresponds to a pattern in which a call volume of a subscriber exceeds a threshold value; determining whether the quality of the call traffic corresponds to a pattern having a threshold value or less based on the call detail record; If the originating number of the call traffic is prepaid Determining whether the subscription corresponding to the pattern, and if the at least one of the patterns, the results and the call traffic determines the pattern may include the step of updating the database.

According to the embodiment of the present invention, by analyzing and detecting a pattern of illegal traffic that bypasses the call path, it is possible to immediately detect and block the illegal traffic when it occurs.

1 is a schematic network configuration diagram for illegal traffic detection according to an embodiment of the present invention.
2 is a block diagram illustrating a detailed configuration of an illegal traffic detection apparatus according to an embodiment of the present invention.
3 is a flowchart illustrating an illegal traffic detection process according to an embodiment of the present invention.
4 and 5 are flowcharts illustrating a pattern detection process according to an embodiment of the present invention.

Hereinafter, embodiments of the present invention will be described in detail with reference to the accompanying drawings so that those skilled in the art can easily carry out the present invention. The present invention may, however, be embodied in many different forms and should not be construed as limited to the embodiments set forth herein. In order to clearly illustrate the present invention, parts not related to the description are omitted, and similar parts are denoted by like reference characters throughout the specification.

Throughout the specification, when an element is referred to as "comprising ", it means that it can include other elements as well, without excluding other elements unless specifically stated otherwise.

Also, the terms of " part ", "... module" in the description mean units for processing at least one function or operation, which may be implemented by hardware or software or a combination of hardware and software.

DETAILED DESCRIPTION OF THE PREFERRED EMBODIMENTS An apparatus and method for detecting illegal traffic according to an embodiment of the present invention will now be described in detail with reference to the drawings.

1 is a schematic network configuration diagram for illegal traffic detection according to an embodiment of the present invention.

Referring to FIG. 1, the calling terminal 100 may include a landline phone or a mobile. The mobile of the calling terminal 100 connects wirelessly to the originating exchange 200 through the base station or the wired phone of the calling terminal 100 connects to the originating exchange 200 by wire.

Upon receiving the call connection request signal from the calling terminal 100, the originating exchange 200 confirms the called party location information, and transmits the call connection request signal to the destination switching center 300, which manages the checked location information .

When the call connection request signal is transmitted from the originating exchange 200, the destination switching center 300 transmits a call connection request signal to the corresponding destination terminal 400.

At this time, the originating exchange 200 and the destination exchange 300 may be network networks of different countries. The originating exchange 200 or the destination exchange 300 may also be an international exchange.

At this time, the path consisting of the calling terminal 100, the originating exchange 200, the terminating exchange 300, and the terminating terminal 400 corresponds to a normal traffic path provided by the communication service provider network. The normal traffic route is a normal communication carrier, which receives the business license of the government and pays the telecommunication fee charged with the expenses for securing the call quality as well as the tax payment for the business execution.

On the other hand, the calling terminal 100 may be connected to the calling side bypass gateway 600 via the originating exchange 200. [

The source side bypass gateway 600 is connected to the destination side bypass gateway 700 through the Internet network 700.

When the calling terminal 100 transmits a call connection request signal, the calling exchange 200 transmits a call connection request signal to the calling side bypass gateway 500. The called party bypass gateway 700 receives a call connection request signal from the calling party gateway 500 through the Internet 600 and delivers the call connection request signal to the called exchange 300 where the corresponding called party is located.

Here, the destination bypass gateway 7700 converts the call connection request signal, that is, the call traffic, into a local call in the called party's own country instead of the international call, and the corresponding traffic is transmitted to the called exchange 300 of the mobile communication service provider in the called party country ). ≪ / RTI > Then, the terminating switchboard 300 forwards the call connection request signal received from the terminating bypass gateway 700 to the terminating terminal 400.

The called party bypass gateway 700 can mount a large number of SIM cards, which are called SIM boxes, and act as a voice telephone exchange device to connect to the called party.

At this time, when the calling terminal 100 is wireless, a path composed of the base station → the originating exchange 200 → the calling side bypass gateway 600 → the Internet network 700 → the receiving side bypass gateway 800 is a route of illegal traffic . Here, the point where the bypass traffic is distinguished, that is, the point where the bypass traffic starts, unlike the normal traffic, becomes the originating exchange 200.

In addition, when the calling terminal 100 is a wired terminal, the calling terminal 100, the originating exchange 200, the calling bypass gateway 600, the Internet 700, and the called party bypass gateway 800 The path corresponds to an illegal traffic path. Here, the time point at which the bypass traffic is identified is the originating exchange 200.

This illegal traffic route refers to a route that bypasses a telecommunication service provider network, whose main source of revenue is a difference in the price of the service charge, such as Interconnect Bypass.

The illegal traffic route may include a bypass gateway 500 or 700 for connecting a sender country and a receiver country to a general Internet 600 and a destination country to a separate wireless device so that the international section is relatively inexpensive But also provides an abnormal call path by switching to a domestic call, not an international call, through the bypass gateway 700, which is a wireless connection device installed on the called party side. In other words, illegal calls on the phone, especially the SIM Box, constitute an illegal call that constitutes a separate call line instead of a normal communication service carrier's call route and converts the difference of the charges into profit.

The illegal traffic detection device 800 collects call traffic in the interval of the telephone service switching devices 200 and 300 and compares the traffic traffic with the patterns generated in the illegal traffic to determine whether the traffic is illegal, Results.

The illegal traffic detection device 800 is connected to the destination switching center 300 to collect call traffic from the destination switching center 300 and then determines whether the call traffic is received through illegal traffic, that is, illegal traffic path. And transmits the illegal traffic detection information to the terminating exchange 300 to perform predetermined processing such as call blocking.

The configuration of the illegal traffic detection device 800 may be implemented as shown in FIG.

2 is a block diagram illustrating a detailed configuration of an illegal traffic detection apparatus according to an embodiment of the present invention.

2, the illegal traffic detecting device 800 includes a traffic collecting unit 801, a database 803, a pattern detecting unit 805, and an illegal traffic detecting unit 807.

The traffic collecting unit 801 collects call traffic from the switchboard 300 and parses a call detail record (CDR) from the call traffic.

Here, the call detail record (CDR) includes a telephone number of a call originating subscriber, a telephone number to receive a call, a start time of a call, a call time, a billing telephone number, , Type (voice, SMS, etc.), error status, call end time, and the like.

The traffic collecting unit 801 collects all the traffic flowing into the destination switching center 300. Not only the signal traffic but also the media traffic information among the traffic flowing into the destination switching center 300 is collected and processed for CDR (Call Detail Record) information of the incoming traffic and data for quality information analysis of the media.

When the traffic collecting unit 801 collects the call traffic, the traffic collecting unit 801 inquires the database 903 to determine whether the call traffic exists in the database 803. That is, it is judged whether it corresponds to the illegal traffic stored in the database 803. If it exists in the database 803, transmits illegal traffic detection information to the switch 300 indicating that the call traffic is illegal traffic.

When the collected traffic traffic does not exist in the database 803, the traffic collecting unit 801 generates a call detail record (CDR) and transmits the generated call detail record (CDR) to the pattern detector 905.

The database 803 stores illegal traffic information and pattern information indicated by illegal traffic. The database 903 stores the origination / destination number, the detour traffic detection history, the details specified in Table 1, that is, [whether it is mobility, whether voice call is only available, . And whether or not the prepaid rate is available], the bypass traffic detection history is used for checking whether the past occurrence history is managed or not, such as a black list, and the rest is for storing the data for the bypass traffic judgment.

The pattern detecting unit 805 detects whether a pattern is generated according to the type of the pattern that is generated when the abnormal traffic occurs in the call based on the collected information transmitted from the traffic collecting unit 801. [ Here, the types of the patterns can be implemented as shown in Table 1.

Pattern type Pattern detection method Is it mobility? Whether the base station / target call processing is changed Use voice calls only Whether voice calls are used (SMS, data, etc.) Outgoing / incoming successful call ratio

Figure pat00001
Diversity of the called number Number of called number> threshold Voice service rate
Figure pat00002
 Base domestic subscriber number Number of Base Voice Channel Channel Subscribers> Threshold Number of nightly calls Number of nightly calls> Threshold Received successful call Average hold time Call successful call average call hold time> threshold Subscriber Network Utilization Rate
Figure pat00003
 High traffic volume (subscribers) Subscriber call volume (trial call)> threshold Base station traffic volume congestion (base station basis) Base station / target call processing load ratio / number of used channels (voice call)> threshold Decreased call quality Delay, jitter, and packet loss> threshold Caller ID pre-paid plan availability Whether you have a pre-paid plan for your caller ID

In Table 1, the threshold value is different for each pattern according to the characteristics of the pattern.

Referring to Table 1, the pattern detector 805 detects whether a pattern is generated according to a type of a pattern appearing in illegal traffic defined from call traffic based on the call detail record (CDR) transmitted from the traffic collecting unit 801.

In addition, the pattern detector 805 detects whether the calling terminal of the call traffic is a wireless terminal based on call detail recording (CDR) and corresponds to a pattern for generating a call without regional movement.

In addition, the pattern detector 805 detects whether the call traffic corresponds to a pattern using only a voice call based on call detail recording (CDR).

In addition, the pattern detector 805 detects whether the call traffic corresponds to a pattern in which the call success rate exceeds the threshold, based on the call detail record (CDR).

In addition, the pattern detector 805 detects whether the call traffic corresponds to a pattern in which the number of the called number exceeds the threshold, based on the call detail record (CDR).

In addition, the pattern detector 805 detects whether the number of voice communication attempts exceeds the threshold, based on the call detail record (CDR).

In addition, the pattern detector 805 detects whether the call traffic corresponds to a pattern in which the number of voice channel assignment subscribers in the base station exceeds a threshold based on call detail recording (CDR).

In addition, the pattern detector 805 detects whether the traffic traffic corresponds to a pattern in which the number of nightly call occurrences exceeds the threshold based on call detail recording (CDR).

Further, the pattern detector 805 detects whether or not the call traffic corresponds to the average call hold time of the incoming call success call less than the threshold based on the call detail record (CDR).

In addition, the pattern detector 805 detects whether the call traffic corresponds to a pattern in which the utilization rate in the subscriber network exceeds the threshold, based on call detail recording (CDR).

Further, the pattern detector 805 detects whether the call traffic corresponds to a pattern in which the call volume of the subscriber exceeds the threshold, based on the call detail recording (CDR).

Further, the pattern detector 805 detects whether the quality of the call traffic corresponds to a pattern having a threshold value or less based on call detail recording (CDR).

In addition, the pattern detector 805 detects whether the calling number of the call traffic corresponds to the prepaid charging subscription pattern based on the call detail recording (CDR).

The illegal traffic detecting unit 807 minimizes the false positives based on the information of the patterns detected from the pattern detecting unit 805 to determine whether or not the traffic is detouring by the call. At this time, illegal traffic can be detected by a certain combination of detected patterns as an embodiment for detecting illegal traffic. At this time, the pattern is made up of unique and unique parameters for determining the interconnection bypass traffic.

The illegal traffic detector 807 determines whether the call traffic is an illegal traffic based on the detection result of the pattern for each pattern type, and transmits the determination result to the exchange 300.

The illegal traffic detection unit 807 detects the traffic traffic collected from the switchboard 300 through the interconnection bypass unit 700 including the source side bypass gateway 500, the Internet network 600, ) From the illegal traffic path.

The illegal traffic detecting unit 807 may determine whether the call traffic is illegal traffic considering the combinations of patterns, the weights predefined for each pattern, and the usage frequency for each pattern detected by the pattern detecting unit 805. [

The illegal traffic detection unit 807 calculates the final risk score by combining the risk score (weight) for each pattern as shown in Table 2, and if the final risk score exceeds the predefined threshold, it can be detected as illegal traffic.

For example, it can be detected as illegal traffic when the risk score is 17 or more.

Pattern type Risk Risk score Is it mobility? Stage 1 4 Use voice calls only Step 2 3 Outgoing / incoming successful call ratio Step 2 3 Subscriber Network Utilization Rate Step 2 3 Diversity of the called number Step 3 2 Voice service rate Step 3 2 Base domestic subscriber number Step 3 2 Number of nightly calls Step 3 2 Received successful call Average hold time Step 3 2 Decreased call quality Step 3 2 Caller ID Pre-paid plan availability Step 3 2 High traffic volume (subscribers) Step 4 One Base station traffic volume congestion (base station basis) Step 4 One

Hereinafter, the illegal traffic detection process and the pattern detection process for illegal traffic detection will be described in detail. At this time, the same reference numerals are used in connection with the configurations of FIG. 1 and FIG.

3 is a flowchart illustrating an illegal traffic detection process according to an embodiment of the present invention.

Referring to FIG. 3, the traffic collecting unit 801 collects traffic traffic from the switchboard 300 (S101).

The traffic collecting unit 801 performs data processing for analyzing CDR information and media quality information on the call traffic collected in step S101 to determine whether an illegal traffic pattern is generated (S103).

The traffic collecting unit 801 inquires of the database 803 whether the CDR information processed in step S103 exists in the database 803 (S105) and receives the result (S107).

The traffic collecting unit 801 determines whether the call traffic collected in step S101 corresponds to the illegal traffic stored in the database 803 (S109).

At this time, if the traffic is not an illegal traffic, the data processed in step S103 is transmitted to the pattern detector 805 (S111).

The pattern detector 805 analyzes a pattern of traffic traffic based on the data (including CDR) received in step S111 (S113). Then, the analysis result is transmitted to the illegal traffic detection unit 807 (S115).

Based on the pattern analysis information received in step S115, the illegal traffic detector 807 determines whether the call traffic collected in step S101 is an illegal traffic (step S117). Then, the determination information is transmitted to the traffic collecting unit 801 (S119).

The traffic collecting unit 801 determines whether the call traffic is illegal traffic based on the determination information received in step S119 (S121).

If it is determined in step S121 that illegal traffic is present or if it is determined in step S109 that the illegitimate traffic has been stored, illegal traffic detection information is forwarded to the switch 300 (S123) to be utilized for illegal traffic blocking and management. That is, when the data managed by the database 803 and the traffic received are collected or the traffic matching the illegal traffic pattern is collected, the illegal traffic detection information is transmitted to the exchange 300.

In addition, the pattern analysis information and the illegal traffic judgment information determined in the steps S113 and S117 are stored in the database 803.

The step S113 will be described in detail with reference to FIGS. 4 and 5. FIG.

4 and 5 are flowcharts illustrating a pattern detection process according to an embodiment of the present invention.

First, referring to FIG. 4, the traffic collecting unit 901 parses the CDR from the collected traffic (S201).

The pattern detector 805 determines whether the calling terminal is mobility based on the CDR information parsed in step S201 (S203). That is, it is confirmed whether the terminal (SIM) used in the destination bypass gateway (600) is a pattern for continuously generating a call without regional movement despite being a wireless terminal.

At this time, if the mobility is not confirmed, the pattern detector 805 determines whether the pattern is the voice call only pattern (S205). In other words, it checks whether a text message or internet is used in addition to a voice call in a pattern according to the roles of the bypass gateways 500 and 700 relaying a voice call.

At this time, if the pattern is not a pattern using only a voice call, the pattern detector 805 checks the ratio of call origination / incoming call success (S207). That is, it detects whether the traffic occurs in a unidirectional direction according to the direction in which the bypass occurs in the call. In the case of illegal traffic, this detection pattern is confirmed because only an outgoing call is generated based on the direction of the called party.

At this time, if the call is not generated in a single direction, the pattern detector 805 checks whether the called number is diversified (S209). That is, whether or not to transmit a plurality of numbers out of a usage pattern of a general user is confirmed by a detection pattern. For example, it is determined whether the number of the called number is a pattern exceeding the threshold value.

At this time, if the called number does not vary, the pattern detector 805 checks whether the voice service ratio, that is, the number of voice call attempts exceeds the threshold (S211). That is, the service utilization rate of a data service such as a text message or the Internet is compared with that of a voice call to determine whether the usage rate of the voice service exceeds the threshold value.

At this time, if the number of voice communication attempts does not exceed the threshold, the pattern detector 805 determines whether the number of base domestic subscribers exceeds the threshold (S213). As the number of base domestic subscribers, a plurality of SIM cards ranging from several tens to several hundreds are installed and operated in the called party bypass gateway installed in the called party side, so that it is confirmed by the detection pattern.

Referring to FIG. 5, if the number of subscribers does not exceed the threshold in step S213, the pattern detector 805 determines whether the number of nighttime calls is equal to or greater than a threshold (S215). In the case of the traffic overcoming by the call, the receiver confirms that a lot of nighttime calls are generated in comparison with the general user in consideration of the unspecified number of in-points.

At this time, if the number of night calls is less than the threshold value, the pattern detector 805 determines whether the average call hold time of the incoming call successful call is less than a threshold value (S217). Most of the traffic in the call - by - loop is mostly unidirectional and generates an incoming call to avoid detection by this detection. Therefore, the ratio of the incoming call to the outgoing call is remarkably low, so that the average call time is confirmed, and the ratio is compared to confirm the detection pattern.

At this time, if the average call hold time of the incoming call successful call is equal to or larger than the threshold value, the pattern detector 805 determines whether the utilization rate in the subscriber network exceeds the threshold value (S219). Even if the bypass gateways 500 and 700 generate illegal traffic, since the communication charge in the same communication service provider is lower than the communication charge for the other death, the communication ratio in the same communication service provider network becomes remarkably high, .

At this time, if the occupancy rate in the home network does not exceed the threshold value, the pattern detector 805 determines whether the call volume of the subscriber exceeds a threshold value (S221). In other words, this detection pattern is confirmed in consideration of the fact that the use of the telephone is considerably larger than that of the general user like the heavy user.

At this time, if the call volume of the subscriber does not exceed the threshold value, the pattern detector 805 detects whether the base station call volume is judged as the congested state (S223). Since the base station call volume level uses several tens to several hundreds of SIM cards at the same time, it is confirmed by the detection pattern considering that the call volume within the base station coverage is much higher than the call volume of peripheral base stations.

At this time, if the base station call volume does not exceed the threshold value, the pattern detector 805 determines whether the call quality degrades (S225). The degradation of the call quality is mainly caused by the use of the public Internet network, which is generally inexpensive, between the source country and the destination country. As a result, the delay, jitter, and packet loss rate are significantly increased at the time of increasing traffic volume, resulting in quality degradation. This quality deterioration phenomenon is confirmed by a detection pattern.

If the deterioration of the call quality is not confirmed, the pattern detector 805 determines whether the call origination number is a prepaid charge subscription (S227). SIM cards that induce bypass traffic tend to minimize subscription and user information leakage by using prepaid pricing, thus confirming this detection pattern.

The pattern detecting unit 805 updates the pattern detection result determined in steps S203 to S227 to the database 803 (S229). Then, the pattern detection result is transmitted to the illegal traffic detection unit 807.

Then, the illegal traffic detection unit 807 performs a final illegal traffic detection process based on the pattern detection result.

The embodiments of the present invention described above are not implemented only by the apparatus and method, but may be implemented through a program for realizing the function corresponding to the configuration of the embodiment of the present invention or a recording medium on which the program is recorded.

While the present invention has been particularly shown and described with reference to exemplary embodiments thereof, it is to be understood that the invention is not limited to the disclosed exemplary embodiments, It belongs to the scope of right.

Claims (18)

A traffic collector for collecting call traffic from an exchange and parsing a call detail record (CDR) from the call traffic,
A pattern detector for detecting occurrence of a pattern in an illegal traffic predefined from the call traffic based on the call detail record,
And an illegal traffic detector for determining whether the call traffic is an illegal traffic based on the detection result of the pattern for each type and transmitting the determination result to the exchange,
Wherein the illegal traffic is transmitted to the exchange through an illegal traffic route without passing through a normal traffic route provided by a communication carrier. The method according to claim 1,
Wherein the illegal traffic detection unit comprises:
And judges whether or not the call traffic collected from the exchange is received from the illegal traffic path comprising the originating bypass gateway, the internet network, and the destination-side bypass gateway. The method according to claim 1,
Further comprising a database for storing the illegal traffic,
The traffic collecting unit,
And if it is found in the database, transmits illegal traffic detection information indicating that the call traffic is illegal traffic to the exchange, inquiring the database if the call traffic is present in the database,
The traffic collecting unit,
And generates and transmits the call detail record to the pattern detector if the call traffic does not exist in the database. The method of claim 3,
Wherein the illegal traffic detection unit comprises:
Wherein the traffic detection unit determines whether the call traffic is illegal traffic considering the combinations of the patterns, the weights predefined for each pattern, and the usage frequency for each pattern detected by the pattern detection unit. 5. The method of claim 4,
Wherein the pattern detecting unit comprises:
And detecting whether the calling terminal of the call traffic is a wireless terminal based on the call detail recording and corresponds to a pattern for generating a call without regional movement. 5. The method of claim 4,
Wherein the pattern detecting unit comprises:
And detects whether the call traffic corresponds to a pattern used only for voice communication based on the call detail recording. 5. The method of claim 4,
Wherein the pattern detecting unit comprises:
And detects whether the call traffic corresponds to a pattern in which a ratio of call success rate to total call rate is over a threshold based on the call detail record. 5. The method of claim 4,
Wherein the pattern detecting unit comprises:
Based on the call detail record, whether the call traffic corresponds to a pattern in which the number of the called number exceeds a threshold value. 5. The method of claim 4,
Wherein the pattern detecting unit comprises:
And detects whether or not the number of times of voice call attempts to the number of times of use of the call traffic by the total service corresponds to a pattern exceeding a threshold based on the call detail recording. 5. The method of claim 4,
Wherein the pattern detecting unit comprises:
And detecting whether the call traffic corresponds to a pattern in which the number of voice channel assignment subscribers in the base station exceeds a threshold based on the call detail recording. 5. The method of claim 4,
Wherein the pattern detecting unit comprises:
And detects whether the call traffic corresponds to a pattern in which the number of occurrences of nighttime calls exceeds a threshold based on the call detail record. 5. The method of claim 4,
Wherein the pattern detecting unit comprises:
And detects whether or not the call traffic corresponds to an average call hold time of the incoming call success call less than a threshold based on the call detail record. 5. The method of claim 4,
Wherein the pattern detecting unit comprises:
And detects whether the call traffic corresponds to a pattern in which a utilization rate in a subscriber network exceeds a threshold based on the call detail record. 5. The method of claim 4,
Wherein the pattern detecting unit comprises:
And detects whether the call traffic corresponds to a pattern in which the call volume of the subscriber exceeds a threshold based on the call detail record. 5. The method of claim 4,
Wherein the pattern detecting unit comprises:
And detects whether the quality of the call traffic corresponds to a pattern having a threshold value or less based on the call detail recording. 5. The method of claim 4,
Wherein the pattern detecting unit comprises:
And detects whether the calling number of the call traffic corresponds to the prepaid charging subscription pattern based on the call detail recording. Collecting call traffic from the exchange,
A step of judging whether the collected call traffic is an illegal traffic defined before,
Parsing a call detail record (CDR) from the collected call traffic if the collected call traffic is not illegal traffic;
Detecting whether or not a pattern occurring in the illegal traffic predefined from the call traffic is generated based on the call detail record,
Determining whether the collected call traffic is an illegal traffic in consideration of a combination of the patterns, a predetermined weight for each pattern, and a use frequency for each pattern; and
And transmitting information indicating whether the collected traffic traffic is an illegal traffic to the exchange,
Wherein the illegal traffic is introduced into the exchange through an illegal traffic path including a source side bypass gateway, an internet network, and a destination side bypass gateway without going through a normal traffic path provided by a communication provider. 18. The method of claim 17,
The method of claim 1,
Determining whether the calling terminal of the call traffic is a wireless terminal based on the call detail recording and corresponds to a pattern for generating a call without regional movement,
Determining whether the call traffic corresponds to a pattern using only a voice call based on the call detail recording,
Determining whether the call traffic corresponds to a pattern in which call origination success ratio as compared to the total call success rate exceeds a threshold based on the call detail record;
Determining whether the call traffic corresponds to a pattern in which the number of called numbers exceeds a threshold based on the call detail record,
Determining whether the call traffic corresponds to a pattern in which the number of times of voice call attempts to the number of times of use for each service exceeds a threshold based on the call detail recording,
Determining whether the call traffic corresponds to a pattern in which the number of voice channel assignment subscribers in the base station exceeds a threshold based on the call detail recording,
Determining whether the call traffic corresponds to a pattern in which the number of nightly call occurrences exceeds a threshold based on the call detail record;
Determining whether the call traffic corresponds to an average call hold time of the incoming call success call less than a threshold based on the call detail record;
Determining whether the call traffic corresponds to a pattern in which a utilization rate in a subscriber network exceeds a threshold based on the call detail record,
Determining whether the call traffic corresponds to a pattern in which the call volume of the subscriber exceeds a threshold based on the call detail record,
Determining whether the quality of the call traffic corresponds to a pattern having a threshold value or less based on the call detail recording,
Determining whether the call number of the call traffic corresponds to the prepaid charge subscription pattern based on the call detail record, and
Updating the result of the determination of the pattern and the corresponding traffic traffic to a database if the at least one of the patterns corresponds to at least one of the patterns;
And detecting an illegal traffic.
KR1020150077564A 2015-06-01 2015-06-01 System and method for detecting illegal traffic KR101942965B1 (en)

Priority Applications (2)

Application Number Priority Date Filing Date Title
KR1020150077564A KR101942965B1 (en) 2015-06-01 2015-06-01 System and method for detecting illegal traffic
PCT/KR2016/004805 WO2016195261A1 (en) 2015-06-01 2016-05-09 Illegal traffic detection device and method

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
KR1020150077564A KR101942965B1 (en) 2015-06-01 2015-06-01 System and method for detecting illegal traffic

Publications (2)

Publication Number Publication Date
KR20160141613A true KR20160141613A (en) 2016-12-09
KR101942965B1 KR101942965B1 (en) 2019-01-28

Family

ID=57440686

Family Applications (1)

Application Number Title Priority Date Filing Date
KR1020150077564A KR101942965B1 (en) 2015-06-01 2015-06-01 System and method for detecting illegal traffic

Country Status (2)

Country Link
KR (1) KR101942965B1 (en)
WO (1) WO2016195261A1 (en)

Cited By (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
WO2019245131A1 (en) * 2018-06-20 2019-12-26 주식회사 케이티 Apparatus and method for detecting illegal call
KR20200003350A (en) * 2018-06-20 2020-01-09 주식회사 케이티 Apparatus and method for detecting illegal call
KR20200085089A (en) * 2019-01-04 2020-07-14 주식회사 엘지유플러스 Analysis server and operating method of analysis server

Families Citing this family (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US10141009B2 (en) 2016-06-28 2018-11-27 Pindrop Security, Inc. System and method for cluster-based audio event detection
WO2018053518A1 (en) 2016-09-19 2018-03-22 Pindrop Security, Inc. Channel-compensated low-level features for speaker recognition
US10325601B2 (en) 2016-09-19 2019-06-18 Pindrop Security, Inc. Speaker recognition in the call center
US10397398B2 (en) 2017-01-17 2019-08-27 Pindrop Security, Inc. Authentication using DTMF tones
US11019201B2 (en) 2019-02-06 2021-05-25 Pindrop Security, Inc. Systems and methods of gateway detection in a telephone network
WO2020198354A1 (en) 2019-03-25 2020-10-01 Pindrop Security, Inc. Detection of calls from voice assistants

Family Cites Families (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
JP4413833B2 (en) * 2005-08-15 2010-02-10 日本電信電話株式会社 Illegal route monitoring system and method
KR101281160B1 (en) * 2006-02-03 2013-07-02 주식회사 엘지씨엔에스 Intrusion Prevention System using extract of HTTP request information and Method URL cutoff using the same
KR20110079044A (en) * 2009-12-31 2011-07-07 주식회사 케이티 System and method for detecting illegal call
KR20120007112A (en) * 2010-07-14 2012-01-20 충남대학교산학협력단 Benz-x-azole based dye for detecting heavy metal ions
KR101492733B1 (en) * 2013-10-02 2015-02-12 서울과학기술대학교 산학협력단 Method for detecting toll fraud attack in Voice over Internet Protocol service using novelty detection technique

Cited By (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
WO2019245131A1 (en) * 2018-06-20 2019-12-26 주식회사 케이티 Apparatus and method for detecting illegal call
KR20200003350A (en) * 2018-06-20 2020-01-09 주식회사 케이티 Apparatus and method for detecting illegal call
US11323560B2 (en) 2018-06-20 2022-05-03 Kt Corporation Apparatus and method for detecting illegal call
KR20200085089A (en) * 2019-01-04 2020-07-14 주식회사 엘지유플러스 Analysis server and operating method of analysis server

Also Published As

Publication number Publication date
KR101942965B1 (en) 2019-01-28
WO2016195261A1 (en) 2016-12-08

Similar Documents

Publication Publication Date Title
KR101942965B1 (en) System and method for detecting illegal traffic
US8023942B2 (en) Network-based system and method for global roaming
EP1771031A2 (en) Tracking roaming cellular telephony calls for anti-fraud
EP2209331B1 (en) Mobile Telecommunications Network Roaming
US20090069047A1 (en) Methods, systems, and computer program products for detecting wireless bypass in a communications network
CN105636047A (en) Fraud user detecting method, fraud user detecting device and fraud user detecting system
JP2002528016A (en) Signaling system and method for network-based prepaid wireless telephone service
JP2004500759A (en) Method and apparatus for detecting and preventing telephone fraud
CN101982990B (en) Calling control method and device
WO2012080781A1 (en) A method and system for detecting mobile numbers used by international gateway bypass (sim box) operators
CN101098502A (en) SMS rubbish filtering MAP information treatment
KR20110079044A (en) System and method for detecting illegal call
CN102572840B (en) A kind of method utilizing monitoring signaling technology to differentiate novel malicious callback service
EP1829402A1 (en) Method and system for analysing network connections
EP1212890B1 (en) Collecting charging data in a telecommunications system
Airn Analysis and detection of SIM box
KR102403137B1 (en) Smart phone to be displayed a telephone charge
US6580788B1 (en) System and method for identifying modem connections in a telephone network
WO2002003336A2 (en) System and method for automatic billing-system verification
JP6007604B2 (en) Small wireless base station, charging system and charging method
CN101203023A (en) Method and device for implementation of same city special case with roam number pool
KR101463748B1 (en) System and method for providing corporate zone service
KR101524129B1 (en) Mobile communicating apparatus and mehtod for spitefully preventing mobile service
CN101594604A (en) Process user is chargeed in telecommunication system
KR100706987B1 (en) System and Method for Analyzing Traffic of Mobile Number Portability Terminal by Using Tariff Information

Legal Events

Date Code Title Description
A201 Request for examination
E902 Notification of reason for refusal
E701 Decision to grant or registration of patent right
GRNT Written decision to grant