US20170118618A1 - Detection of sms spam - Google Patents

Info

Publication number
US20170118618A1
Authority
US
United States
Prior art keywords
associated
grey
network addresses
text message
spam
Legal status
Pending
Application number
US15/399,845
Inventor
Yu Jin
Ann E. SKUDLARK
Nan Jiang
Current Assignee
AT&T Intellectual Property I LP
Original Assignee
AT&T Intellectual Property I LP
Priority to US14/268,025 (US9357362B2)
Priority to US15/079,577 (US9572004B2)
Application filed by AT&T Intellectual Property I LP
Priority to US15/399,845 (US20170118618A1)
Assigned to AT&T INTELLECTUAL PROPERTY I, L.P. (assignment of assignors interest; see document for details). Assignors: JIANG, NAN; SKUDLARK, ANN E.; JIN, YU
Publication of US20170118618A1
Application status is Pending

Classifications

    • H04W4/26
    • H ELECTRICITY > H04 ELECTRIC COMMUNICATION TECHNIQUE > H04W WIRELESS COMMUNICATION NETWORKS > H04W4/00 Services specially adapted for wireless communication networks; Facilities therefor > H04W4/24 Accounting or billing
    • H ELECTRICITY > H04 ELECTRIC COMMUNICATION TECHNIQUE > H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION > H04L51/00 Arrangements for user-to-user messaging in packet-switching networks, e.g. e-mail or instant messages
    • H ELECTRICITY > H04 ELECTRIC COMMUNICATION TECHNIQUE > H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION > H04L51/00 Arrangements for user-to-user messaging in packet-switching networks, e.g. e-mail or instant messages > H04L51/12 Arrangements for user-to-user messaging in packet-switching networks, e.g. e-mail or instant messages with filtering and selective blocking capabilities
    • H ELECTRICITY > H04 ELECTRIC COMMUNICATION TECHNIQUE > H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION > H04L61/00 Network arrangements or network protocols for addressing or naming > H04L61/60 Details > H04L61/6018 Address types > H04L61/605 Telephone numbers
    • H ELECTRICITY > H04 ELECTRIC COMMUNICATION TECHNIQUE > H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION > H04L61/00 Network arrangements or network protocols for addressing or naming > H04L61/60 Details > H04L61/6018 Address types > H04L61/6054 International mobile subscriber identity [IMSI] numbers
    • H ELECTRICITY > H04 ELECTRIC COMMUNICATION TECHNIQUE > H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION > H04L63/00 Network architectures or network communication protocols for network security > H04L63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic > H04L63/1441 Countermeasures against malicious traffic
    • H04W4/005
    • H ELECTRICITY > H04 ELECTRIC COMMUNICATION TECHNIQUE > H04W WIRELESS COMMUNICATION NETWORKS > H04W4/00 Services specially adapted for wireless communication networks; Facilities therefor > H04W4/12 Messaging; Mailboxes; Announcements > H04W4/14 Short messaging services, e.g. short message services [SMS] or unstructured supplementary service data [USSD]
    • H ELECTRICITY > H04 ELECTRIC COMMUNICATION TECHNIQUE > H04W WIRELESS COMMUNICATION NETWORKS > H04W4/00 Services specially adapted for wireless communication networks; Facilities therefor > H04W4/70 Services for machine-to-machine communication [M2M] or machine type communication [MTC]
    • H ELECTRICITY > H04 ELECTRIC COMMUNICATION TECHNIQUE > H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION > H04L61/00 Network arrangements or network protocols for addressing or naming > H04L61/60 Details > H04L61/6004 Structures or formats of addresses
    • H ELECTRICITY > H04 ELECTRIC COMMUNICATION TECHNIQUE > H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION > H04L61/00 Network arrangements or network protocols for addressing or naming > H04L61/60 Details > H04L61/6018 Address types

Abstract

A method and system for identifying short message service (SMS) spammers identifies senders as spammers by determining that the senders are sending SMS messages to devices included in a grey phone space. Devices in the grey phone space are identified using various methods including an analysis of call detail records. A grey ratio for a sender is determined as a ratio of messages sent to grey phone numbers by the sender to messages sent to all phone numbers by the sender. A sender is identified based on a difference between the grey ratio for the sender and a second grey ratio being above a threshold.

Description

    CROSS-REFERENCE TO RELATED APPLICATIONS
  • This application is a continuation of and claims priority to U.S. patent application Ser. No. 15/079,577 filed Mar. 24, 2016 and since issued as U.S. Patent X, which is a continuation of and claims priority to U.S. patent application Ser. No. 14/268,025 filed May 2, 2014 and since issued as U.S. Pat. No. 9,357,362, with both applications incorporated herein by reference in their entireties.
  • FIELD OF THE DISCLOSURE
  • The present disclosure describes a system and method for detecting spammers by identifying phone numbers that should not receive SMS messages and the senders of such messages to the identified phone numbers.
  • In one embodiment, a method for identifying spammers includes identifying a plurality of grey phone numbers. Grey phone numbers are phone numbers associated with devices that are not expected to receive SMS messages. A plurality of call records are analyzed to determine a number of messages sent by a short message service sender to any of the plurality of grey phone numbers. A short message service sender is identified as a spammer based on the number of messages sent by the short message service sender to any of the plurality of grey phone numbers. In one embodiment, the analyzing a plurality of call records further comprises determining a specific grey ratio for the short message service sender as a ratio of short message service messages sent to the plurality of grey phone numbers by the short message service sender to short message service messages sent to all phone numbers by the short message service sender, and the identifying further based on identifying the short message service sender as a spammer based on the specific grey ratio compared to a second grey ratio for a legitimate short message service sender. In one embodiment, the identifying is further based on a difference between the specific grey ratio and the second grey ratio being above a threshold. The identifying, in one embodiment, is further based on the short message service sender sending messages to a number of unique terminating numbers. In one embodiment, the identifying a plurality of grey phone numbers comprises determining that a phone number is associated with one of a data only device and a machine-to-machine device. The determining that a phone number is associated with one of a data only device and a machine-to-machine device, in one embodiment, is based on an international mobile equipment identity number associated with a device having been assigned the phone number. 
In one embodiment, the identifying a plurality of grey phone numbers, the analyzing a plurality of call records, and the identifying the short message service sender as a spammer are performed periodically.
  • An apparatus and computer readable medium for detecting spammers by identifying phone numbers that should not receive SMS messages and callers who send messages to the identified phone numbers is also disclosed herein.
  • BACKGROUND OF THE DISCLOSURE
  • The present disclosure relates generally to telecommunications, and more particularly to fast and accurate detection of SMS spam numbers via monitoring grey phone space.
  • The increase in use of mobile devices has brought with it an onslaught of unwanted Short Message Service (SMS) spam. It has been reported that the number of spam messages in the US increased 45% in 2011 to 4.5 billion messages. In 2012, according to some reports, more than 69% of the mobile users received text spam. The vast amount of SMS spam not only results in an annoying customer user experience but a significant cost to cellular service providers and customers.
  • One approach adopted by mobile carriers to identify unwanted SMS is based on user spam reports. In particular, users forward spam messages to short code 7726 (which corresponds to letters on telephone keypads and forms the word “SPAM” on most phones). Carriers then confirm these reported spam numbers and restrict them from future SMS activities. This method, however, suffers from low user report rate and user delays in reporting, resulting in significant detection delay. This method is also vulnerable to denial-of-service attacks since malicious users can game the system to disable legitimate users by sending fake spam reports to 7726. Other methods such as volumetrics used to detect spam numbers are often inapplicable in practice due to high false alarm rates, because many legitimate customers often exhibit similar SMS sending patterns, such as the numbers employed by schools, churches and other organizations for informing their members or subscribers of information. There are existing systems deployed at the Signaling System Number 7 (SS7) network to detect and filter spam messages by inspecting SMS message content and search for predefined spam signatures (e.g., keywords, strings or regular expressions). Nonetheless, spammers can evade detection by obfuscating text content. Some systems have been developed such as smartphone applications (referred to as apps) to classify spam messages on user mobile devices. However not all the devices, such as feature phones, support execution of such apps. In addition, many of those types of apps carry a large overhead which can drain battery power and reduce system resources. Furthermore, from a user's perspective this method is a late defense as the spam message has already arrived on a user's device. Depending on the user's message plan, the user may be charged for the message, become vulnerable to malware, and suffer the annoyance from receiving unsolicited and unwanted messages. 
Moreover, high volumes of spam messages may result in congestion and other impacts on network performance.
  • BRIEF DESCRIPTION OF THE DRAWINGS
  • FIG. 1 shows a network in which the method and apparatus for identifying SMS spammers is used according to one embodiment;
  • FIG. 2 depicts a chart illustrating the probability density function;
  • FIG. 3 depicts a chart illustrating an accuracy of a model evaluated given different choices of η on the test data set;
  • FIG. 4 depicts a flow chart of a method for identifying spammers according to one embodiment; and
  • FIG. 5 depicts a high-level block diagram of a computer for identifying spammers according to one embodiment.
  • DETAILED DESCRIPTION OF THE DRAWINGS
  • The system and method for identifying short message service (SMS) spammers described herein is referred to as Greystar. Greystar detects spam numbers in a scalable, fast and accurate way, with minimum number of false positives in a manner so as to not disturb legitimate customers. Greystar uses existing SMS call detail records (CDRs) that are typically collected for billing purposes and employs a concept of grey phone numbers to identify emerging spam activities. Grey phone numbers (also referred to as grey numbers), in one embodiment, are phone numbers associated with devices that are not expected to receive SMS messages. Grey phone numbers are, in one embodiment, associated with two types of mobile devices: data only devices (e.g., many laptop cards, eReaders and cellular data modems, etc.) and machine-to-machine (M2M) communication devices (e.g., point-of-sale machines, fleet tracking devices and utility meters, etc.) Because these grey numbers do not participate actively in regular SMS communication as other mobile numbers do, they form a grey territory that legitimate mobile users rarely enter. In other words, numbers that access grey numbers may likely be spam numbers. On the basis of the grey phone space, Greystar employs a statistical classification algorithm to detect spam numbers, in one embodiment, based on their interactions with the grey phone numbers and other regular numbers.
  • In one embodiment, Greystar is used in a cellular network that utilizes a Universal Mobile Telecommunications System (UMTS), which is a popular third generation (3G) mobile communication technology adopted by many mobile carriers. In other embodiments, Greystar can be used in other types of networks. FIG. 1 depicts system 100 having an architecture for delivering SMS messages inside UMTS networks. When sending an SMS message, end user equipment (e.g., UE A 102) directly communicates with one of cell towers 104, 106 (a cell tower is also referred to as a node-B), which forwards the message to a Radio Network Controller (e.g., RNC 108). RNC 108 transmits the message to Mobile Switching Center (MSC) server (e.g., MSC 110), where the message enters the Signaling System 7 (SS7) network and is stored at Short Messaging Service Center (SMSC), shown in FIG. 1 as SMSC 112. From SMSC 112, the message is routed to the serving MSC, in this example MSC 118 of the recipient (UE B 126), then to the serving RNC 120 and one of node-B 122,124, and finally reaches UE B 126. Similarly, messages originating from other carrier networks, (e.g., from UE C 116 via network 114) will also traverse the SS7 network and serving MSC 112 before arriving at UE B 126. It should be noted that similar SMS architecture is also adopted in other types of 3G/4G cellular networks. Greystar system 128 is shown in FIG. 1 receiving information, namely call records, from MSC 118 according to one embodiment. It should be noted that Greystar 128 may be in communication with other devices to receive call records and additional information. In addition, although the examples and embodiments described herein focus on SMS through a voice control channel, similar defenses for fighting email spam can be readily applied to defend against short message spam through data channels and other short message services through mobile data channels, such as iMessage, Tweets and MMS, etc.
  • Information used for determining grey phone numbers and SMS spammers consists, in one embodiment, of SMS Call Detail Records (CDRs) and User spam reports. SMS CDRs are used for understanding SMS user/spammer activities and evaluating the performance of the Greystar system. These records, in one embodiment, are collected at the serving MSC's of the SMS recipients (e.g., MSC 110, 118 of FIG. 1) and may be transmitted to Greystar 128 directly or via MSC 118 as shown in FIG. 1. This means that these collected records represent SMS messages targeting active mobile customers (i.e., the ones that are currently connected to the network) and have been successfully routed through the SS7 network. Each record contains an SMS receiving time, an originating number, a terminating number and an International Mobile Equipment Identity (IMEI) for a device associated with a terminating number. User spam reports, in one embodiment, contain spam messages reported by mobile users to a carrier. In one embodiment, a cellular service provider deploys an SMS spam reporting service for its users: when a user receives an SMS text and deems it's a spam message, the user can forward the message to a spam report number designated by the cellular service provider. Once the spam is forwarded, an acknowledgment message is returned, which asks the user to reply with the spammer's phone number (also referred to as the spam number). Once the above two-stage process is completed within a predefined time interval, a spam report is created, which includes the reporter's phone number, the spammer's phone number, the reporting time and the content of the reported spam message.
  • Although user spam reports provide a list of known spam numbers, user spam reports are not comprehensive and can be noisy. Therefore, in one embodiment, a different source to obtain ground truth is utilized. In particular, fraud agents from a UMTS carrier are used to manually verify spam number candidates detected. The fraud agents use more comprehensive sources of information. For example, fraud agents can investigate the ownership and the price plan information of spam candidates, examine their SMS sending patterns and correlate them with known spam numbers in terms of their network locations and active times, etc. The final decision is made conservatively by corroborating different evidence. However, in one embodiment, fraud agents provide a reasonably authoritative ground truth. It has been determined that such a manual investigation process deployed for more than one year has generated no observable false alarms. Therefore, in one embodiment, fraud agents are treated as the authority for verifying spam numbers. That is, a list of spam number candidates is submitted to fraud agents and the fraud agents return a list of confirmed spam numbers.
  • Greystar, in one embodiment, is a crowdsourcing method (i.e., it relies on indicators from spam recipients to alert emerging spam activities.) However, Greystar is a passive crowdsourcing method. Greystar is passive in that it does not depend on SMS recipients to submit reports regarding received spam messages. Rather, it selects a set of mobile phone numbers with certain characteristics, which are referred to as grey numbers, and callers sending SMS to these grey numbers can be used to determine the existence of spamming activities. Greystar monitors the footprints of spammers on these grey numbers in order to detect spam numbers. The passive crowdsourcing method used by Greystar addresses the problems in the existing active crowdsourcing solution using user spam reports. First, the population of grey numbers is much larger and increasing over time, providing more “spam alerts” to capture more spam numbers more quickly. Second, by passively monitoring SMS communication with grey numbers, user delay introduced when spam reports are submitted is avoided. Last, passive crowdsourcing aids in avoiding errors in active spam reports and assists in preventing malicious users from gaming the detection system and launching denial-of-service (DoS) attacks on other legitimate users.
  • SMS spamming activities are defined as follows. During a spamming process, a spammer selects (following a certain strategy) a sequence of target phone numbers, $X := \{x_1, x_2, \ldots, x_t, \ldots\}$ $(1 \le t \le T)$, to send SMS messages to over time T. Each target phone number is a concatenation of two components, the 3-digit area code $x_t^{\alpha}$ ($\alpha \in A$), which is location specific, and the 7-digit subscriber number $x_t^{s}$, where $0 \le x_t^{s} \le 10^7$. In the examples that follow, only US phone numbers (which have 10 digits excluding the country code “1”) are used and phone numbers from other countries following the same North American Numbering Plan (NANP) are removed. The statistics used in the following examples are calculated based on data from one month. To compare the activities of spam numbers and regular numbers, a same number of random samples from each group is obtained. In particular, the spam numbers are identified from user spam reports and the regular users are randomly sampled from all the remainder of users appearing in the month-long CDR data set. The samples of both spam numbers and regular numbers are investigated by fraud agents to remove false positives and false negatives.
  • In one embodiment, grey phone space is identified as follows. Information identifying a device associated with each phone number is readily available in the CDR data, which can be identified based on the first eight-digit TAC inside the International Mobile Equipment Identity or IMEI. TAC identifies a particular model (and often revision) of wireless devices for use on a GSM, UMTS or other IMEI-supporting wireless networks. A manufacturer can request an eight-digit Type Allocation Code for a new phone model from the international GSM standards body to identify that device. The remaining six digits in IMEI identify a particular device from that phone model. A TAC to device mapping from a UMTS carrier is used to identify 27 mobile device types (defined by the carrier), which are summarized as follows. Data-only types comprise, for example, laptop cards, tablets, netbooks, eReaders, 3G data modems, etc. M2M types comprise, for example, security alarms, telematics, fleet tracking devices, point-of-sale terminals, medical devices, etc. Phone types comprise, for example, smartphones, feature phones, quick messaging phones, personal digital assistants, etc. It should be noted that a finer grained analysis at individual device level may also be performed. However, it has been determined that, except for the GPS devices, devices within each type have strong similarity in their SMS activeness distributions. As such, there is little to be gained by defining grey numbers at the device level.
  • The design of Greystar, in one embodiment, is based on observations pertaining to spammer activities. The logic of Greystar is illustrated in Algorithm 1, which, in one embodiment, is executed at a predefined frequency.
  • Algorithm 1 Graydar algorithm.
        Input: SMS records D from the past T hours, T = 24 hours, M = 50;
        Output: Spam number candidates C;
        From D, identify a set of numbers Orig who send SMS to gray numbers;
        for each SMS sender s ∈ Orig do
            Extract the records associated with s: Ds ⊆ D;
            From Ds, identify the gray TNs Gs and normal TNs Ns accessed by s;
            if |Gs| + |Ns| < M or |Gs| = 0 then
                continue;
            end if
            if Crowdsource(Gs, Ns) = 1 then
                C := C ∪ {s};
            end if
        end for
  • In one embodiment, the algorithm is run hourly but could be run periodically over a different time period. Greystar employs a time window of T (e.g., T equals 24 hours in this example). The footprints of SMS originating numbers, e.g., the sets of normal and grey numbers accessed (Gs and Ns), are identified for each sender within T. Next, a filter process is conducted which places two requirements on originating numbers to be classified. The two requirements, in one embodiment, are that in the past X hours: 1) the originating number has been active enough (e.g., the originating number has sent messages to no less than M=100 recipients in the past X hours, based on the high SMS sending rate exhibited by known spam numbers) and 2) the originating number has contacted or attempted to contact at least one grey number. In one embodiment, X is 24 hours. These two criteria, especially the second one, can help significantly reduce the candidates to be classified in the follow up step. Research has shown that, on average, only less than 0.1% of users send SMS to grey numbers in each day. More importantly, these users cover a majority of active SMS spammers in the network. Therefore, the filtering step noticeably reduces the system load as well as potential false alarms. Once a sender passes the filtering process, the function crowdsource is called to classify the sender into either a spam number or a normal number by investigating the footprints of the sender (i.e., the grey numbers and normal numbers it has accessed). In one embodiment, a Beta-Binomial model for building the crowdsource function is used.
  • A design of a classifier, according to one embodiment, is as follows. In one embodiment, it is assumed that target selection of a random spammer follows a two-step process. First the spammer chooses a specific target phone number block (or the entire phone space for the random spammer). Second, the spammer uniformly chooses target phone numbers from the block. Let θ denote the density of grey numbers in the target block and $X := \{x_i\}$, $1 \le i \le n$, be the sequence of target phone numbers. Meanwhile, let k be the number of grey phone numbers in X. The target selection process can then be formulated as the following generative process:
  • 1. Choose a block with θ; and
  • 2. Choose $x_i \sim \mathrm{Bernoulli}(\theta)$, $1 \le i \le n$.
  • It should be noted that θ varies as a spammer targets different phone number blocks. The choice of phone number blocks can be arbitrary. For example, a spammer can choose a large phone block across multiple area codes or a small one with only a fraction of phone numbers in an area code. Therefore, θ itself can be considered as a random variable. We assume θ follows a Beta distribution, i.e.,
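  • $\theta \sim \mathrm{Beta}(\alpha, \beta)$, with a probability density function as:
  • $$P(\theta \mid \alpha, \beta) = \frac{\Gamma(\alpha + \beta)}{\Gamma(\alpha)\,\Gamma(\beta)}\, \theta^{\alpha - 1} (1 - \theta)^{\beta - 1},$$
  • where Γ is the gamma function. Therefore, the random variable k follows a Beta-binomial distribution:
  • $$P(k \mid n, \alpha, \beta) = \binom{n}{k} \frac{\Gamma(k + \alpha)\,\Gamma(n - k + \beta)}{\Gamma(n + \alpha + \beta)} \cdot \frac{\Gamma(\alpha + \beta)}{\Gamma(\alpha)\,\Gamma(\beta)}$$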
  • It should be noted that in Bayesian inference, the Beta distribution is the conjugate prior probability distribution for the Bernoulli and binomial distributions. In one embodiment, instead of using the Bernoulli model, the second stage of the target selection process can be modeled as sampling from a multinomial distribution corresponding to different device types. In this embodiment, the conjugate prior distribution of the multinomial parameters is the Dirichlet distribution. However, preliminary experiments show little performance gain from applying the more sophisticated model in comparison to the increased cost in computation.
  • In one embodiment, the target selection process of normal users is expressed with the same process. Because normal users tend to communicate more with non-grey numbers, their corresponding $\theta_n$ values are usually much smaller. Let $\alpha_n$ and $\beta_n$ be the parameterization of the Beta distribution associated with $\theta_n$. For a number that has accessed n targets, out of which k are grey numbers, we classify it as a spam number when
  • $$\frac{P(\text{spammer} \mid k, n)}{P(\text{normal} \mid k, n)} = \frac{P(k \mid n, \alpha, \beta)\, P(\text{spammer})}{P(k \mid n, \alpha_n, \beta_n)\, P(\text{normal})} > 1,$$
  • where the first equation is derived using Bayes theorem. It is equivalent to
  • $$\frac{P(k \mid n, \alpha, \beta)}{P(k \mid n, \alpha_n, \beta_n)} > \frac{P(\text{normal})}{P(\text{spammer})} = \eta$$
  • In practice, it is usually unclear how many spammers are in the network, therefore to obtain a direct estimate of η is challenging. Instead, in one embodiment η is chosen using cross validation on training data.
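  • Algorithm 1 and the Beta-binomial decision rule above, written out as an added Python example (not code from the patent). The record layout, the TAC table, the sample CDRs and the values chosen for α, β, α_n, β_n and η are constructed for illustration; the filter follows the prose description (at least M distinct recipients and at least one grey number in the window).

```python
import math
from collections import defaultdict

# Constructed TAC -> device class table; the carrier's real mapping is not on the page.
TAC_CLASS = {"35000001": "phone", "35000002": "data_only", "35000003": "m2m"}
GREY_CLASSES = {"data_only", "m2m"}

# Assumed values for illustration only. The patent fits (alpha, beta) and
# (alpha_n, beta_n) by maximum likelihood and picks eta by cross validation.
SPAM_AB = (1.0, 10.0)
NORMAL_AB = (0.5, 200.0)
ETA = 10.0
M = 50             # minimum distinct recipients in the window (Algorithm 1)
WINDOW_HOURS = 24  # T


def is_grey(imei):
    """A terminating number is grey when its TAC (first 8 IMEI digits) is a grey class."""
    return TAC_CLASS.get(imei[:8]) in GREY_CLASSES


def log_betabinom(k, n, a, b):
    """log P(k | n, a, b) for the Beta-binomial, using lgamma to avoid overflow."""
    log_choose = math.lgamma(n + 1) - math.lgamma(k + 1) - math.lgamma(n - k + 1)
    return (log_choose
            + math.lgamma(k + a) + math.lgamma(n - k + b) - math.lgamma(n + a + b)
            + math.lgamma(a + b) - math.lgamma(a) - math.lgamma(b))


def log_likelihood_ratio(k, n):
    """log of P(k | n, alpha, beta) / P(k | n, alpha_n, beta_n)."""
    return log_betabinom(k, n, *SPAM_AB) - log_betabinom(k, n, *NORMAL_AB)


def crowdsource(k, n, eta=ETA):
    """True when the likelihood ratio exceeds eta (compared in log space)."""
    return log_likelihood_ratio(k, n) > math.log(eta)


def footprints(records, now_hour, window=WINDOW_HOURS):
    """Per-sender sets of grey and normal terminating numbers inside the window."""
    grey, normal = defaultdict(set), defaultdict(set)
    for hour, orig, term, imei in records:
        if now_hour - window < hour <= now_hour:
            (grey if is_grey(imei) else normal)[orig].add(term)
    return grey, normal


def detect(records, now_hour, m=M):
    """Return the spam number candidates C for the window ending at now_hour."""
    grey, normal = footprints(records, now_hour)
    candidates = set()
    for sender, grey_tns in grey.items():  # only senders with at least one grey TN
        k = len(grey_tns)
        n = k + len(normal.get(sender, ()))
        if n >= m and crowdsource(k, n):   # activity filter, then classifier
            candidates.add(sender)
    return candidates


def sample_records():
    """Constructed CDRs: (hour, originating number, terminating number, terminating IMEI)."""
    recs = []

    def add(hour, orig, base, count, grey_every=0):
        for i in range(count):
            tac = "35000002" if grey_every and i % grey_every == 0 else "35000001"
            recs.append((hour, orig, f"{base + i:010d}", f"{tac}{i:07d}"))

    add(40, "2125550100", 3105550000, 200, grey_every=10)   # sweep: 20 grey of 200
    add(41, "2125550101", 4155550000, 120, grey_every=120)  # broadcast: 1 grey of 120
    add(42, "2125550102", 6175550000, 3, grey_every=3)      # low volume: 1 grey of 3
    add(43, "2125550103", 7185550000, 80)                   # bulk sender, no grey contact
    add(5, "2125550104", 3105550000, 200, grey_every=10)    # outside the 24-hour window
    return recs


if __name__ == "__main__":
    print(sorted(detect(sample_records(), now_hour=48)))
```

  • With these assumed parameters, the low-volume sender (1 grey out of 3 targets) clears the likelihood-ratio test by itself and is excluded only by the activity filter, which is the false-alarm reduction the filtering step is described as providing.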
  • There are five parameters to be estimated in the model above, $\alpha$, $\beta$, $\alpha_n$, $\beta_n$ and $\eta$. In one example, we use the data from one month to determine the model. To obtain ground truth, a list of all the telephone numbers that have sent messages to more than 50 recipients in a 24 hour time window among which at least one is grey (see Algorithm 1) is submitted to the fraud agents. Fraud agents carry out investigation on these numbers and confirm spam numbers in the list. The month of data is then divided into two subsets, the first two weeks of data for fitting the model (i.e., to determine the first four parameters) and the rest of data is reserved for testing the model to estimate η.
  • In particular, using the training data set, the parameters α's and β's are estimated using maximum likelihood estimation. With the fitted parameters, the probability density functions $\theta \sim \mathrm{Beta}(\alpha, \beta)$ and $\theta_n \sim \mathrm{Beta}(\alpha_n, \beta_n)$ are illustrated in chart 200 of FIG. 2. The mass of the probability function corresponding to the normal users concentrates on a narrow region close to 0, implying that the number of grey numbers that a normal user communicates with is much smaller than the number of non-grey numbers. In contrast, the curve associated with spam numbers widely spreads out, indicating more grey numbers are likely to be touched by spam numbers given their employed random target selection strategies.
  • The accuracy of the model is evaluated given different choices of η on the test data set and the result is displayed in chart 300 of FIG. 3. The x-axis represents the false alarm rate (or the false positive rate) and the y-axis stands for the true detection rate (or the true positive rate). From FIG. 3, with a certain η, Greystar can detect more than 85% spam numbers without producing any false alarm.
  • FIG. 4 depicts a flow chart of a method 400 for identifying spammers according to one embodiment. In one embodiment, method 400 is performed at Greystar 128 shown in FIG. 1. Returning to FIG. 4, at step 402, a plurality of grey phone numbers is identified. The identification of the plurality of phone numbers can be accomplished using one or more of the methods described previously. For example, statistical classification algorithms are used, in one embodiment, to identify a plurality of grey phone numbers. At step 404, a plurality of call records is analyzed to determine a number of messages sent by a short message service sender to any of the plurality of grey phone numbers. In one embodiment, call records over one of various time periods are analyzed to determine how many messages were sent by a short message service sender to any of the grey phone numbers. Since the devices associated with grey phone numbers do not typically receive messages from short message service senders, a short message service sender sending a message to a grey device may potentially be a spammer. However, since it is possible for a grey phone number to receive a short message service message from a non-spammer, in one embodiment, a single message from a short message service sender is not considered enough to classify the short message service sender as a spammer. At step 406, the short message service sender is identified as a spammer based on the number of messages sent by the short message service sender to any of the plurality of grey phone numbers. Various additional data, information, or methods of analysis may augment one or more of the steps of method 400. 
In one embodiment, the analyzing a plurality of call records further comprises determining a specific grey ratio for the short message service sender as a ratio of short message service messages sent to the plurality of grey phone numbers by the short message service sender to short message service messages sent to all phone numbers by the short message service sender, and the identifying further based on identifying the short message service sender as a spammer based on the specific grey ratio compared to a second grey ratio for a legitimate short message service sender. In one embodiment, the identifying is further based on a difference between the specific grey ratio and the second grey ratio being above a threshold. The identifying, in one embodiment, is further based on the short message service sender sending messages to a number of unique terminating numbers. In one embodiment, the identifying a plurality of grey phone numbers comprises determining that a phone number is associated with one of a data only device and a machine-to-machine device. The determining that a phone number is associated with one of a data only device and a machine-to-machine device, in one embodiment, is based on an international mobile equipment identity number associated with a device having been assigned the phone number. In one embodiment, the identifying a plurality of grey phone numbers, the analyzing a plurality of call records, and the identifying the short message service sender as a spammer are performed periodically.
  • Greystar system 128 shown in FIG. 1, as well as each of the devices shown in FIG. 1 (e.g., SMSC 112, MSC 110, 118, UE A 102, etc.) may each be implemented using a computer. A high-level block diagram of such a computer is illustrated in FIG. 5. Computer 502 contains a processor 504 which controls the overall operation of the computer 502 by executing computer program instructions which define such operation. The computer program instructions may be stored in a storage device 512, or other computer readable medium (e.g., magnetic disk, CD ROM, etc.), and loaded into memory 510 when execution of the computer program instructions is desired. Thus, the method steps of FIG. 4 can be defined by the computer program instructions stored in the memory 510 and/or storage 512 and controlled by the processor 504 executing the computer program instructions. For example, the computer program instructions can be implemented as computer executable code programmed by one skilled in the art to perform an algorithm defined by the method steps of FIG. 4. Accordingly, by executing the computer program instructions, the processor 504 executes an algorithm defined by the method steps of FIG. 4. The computer 502 also includes one or more network interfaces 506 for communicating with other devices via a network. The computer 502 also includes input/output devices 508 that enable user interaction with the computer 502 (e.g., display, keyboard, mouse, speakers, buttons, etc.). One skilled in the art will recognize that an implementation of an actual computer could contain other components as well, and that FIG. 5 is a high-level representation of some of the components of such a computer for illustrative purposes.
  • The foregoing Detailed Description is to be understood as being in every respect illustrative and exemplary, but not restrictive, and the scope of the inventive concept disclosed herein is not to be determined from the Detailed Description, but rather from the claims as interpreted according to the full breadth permitted by the patent laws. It is to be understood that the embodiments shown and described herein are only illustrative of the principles of the inventive concept and that various modifications may be implemented by those skilled in the art without departing from the scope and spirit of the inventive concept. Those skilled in the art could implement various other feature combinations without departing from the scope and spirit of the inventive concept.

Claims (19)

1. A method, comprising:
retrieving, by a server, electronic records associated with a text message;
comparing, by the server, the electronic records to network addresses, the network addresses associated with devices lacking a capability to receive short messaging service text messages; and
determining, by the server, that the text message is spam in response to the electronic records matching at least one of the network addresses associated with the devices lacking the capability to receive the short messaging service text messages.
2. The method of claim 1, further comprising retrieving call records as the electronic records associated with the text message.
3. The method of claim 1, further comprising comparing an originating number to the network addresses.
4. The method of claim 1, further comprising retrieving grey phone numbers as the network addresses.
5. The method of claim 1, further comprising determining a grey ratio associated with an originating number associated with the text message.
6. The method of claim 1, further comprising determining a terminating number associated with the text message.
7. The method of claim 6, further comprising determining that the terminating number is associated with a data-only device.
8. A system comprising:
a processor; and
a memory device, the memory device storing instructions, the instructions when executed causing the processor to facilitate a performance of operations, the operations comprising:
retrieving electronic records associated with a text message;
comparing the electronic records to network addresses, the network addresses associated with devices lacking a capability to receive short messaging service text messages; and
determining that the text message is spam in response to the electronic records matching at least one of the network addresses associated with the devices lacking the capability to receive the short messaging service text messages.
9. The system of claim 8, wherein the operations further comprise retrieving call records as the electronic records associated with the text message.
10. The system of claim 8, wherein the operations further comprise comparing an originating number to the network addresses.
11. The system of claim 8, wherein the operations further comprise retrieving grey phone numbers as the network addresses.
12. The system of claim 8, wherein the operations further comprise determining a grey ratio associated with an originating number associated with the text message.
13. The system of claim 8, wherein the operations further comprise determining a terminating number associated with the text message.
14. The system of claim 13, wherein the operations further comprise determining that the terminating number is associated with a data-only device.
15. A machine-readable storage medium comprising executable instructions which, responsive to being executed by a processor, facilitate performance of operations comprising:
retrieving electronic records associated with a text message;
comparing the electronic records to network addresses, the network addresses associated with devices lacking a capability to receive short messaging service text messages; and
determining that the text message is spam in response to the electronic records matching at least one of the network addresses associated with the devices lacking the capability to receive the short messaging service text messages.
16. The machine-readable storage medium of claim 15, wherein the operations further comprise retrieving call records as the electronic records associated with the text message.
17. The machine-readable storage medium of claim 15, wherein the operations further comprise comparing an originating number to the network addresses.
18. The machine-readable storage medium of claim 15, wherein the operations further comprise retrieving grey phone numbers as the network addresses.
19. The machine-readable storage medium of claim 15, wherein the operations further comprise determining a grey ratio associated with an originating number associated with the text message.
20. The machine-readable storage medium of claim 15, wherein the operations further comprise determining a terminating number associated with the text message.
US15/399,845 2014-05-02 2017-01-06 Detection of sms spam Pending US20170118618A1 (en)

Priority Applications (3)

Application Number Priority Date Filing Date Title
US14/268,025 US9357362B2 (en) 2014-05-02 2014-05-02 System and method for fast and accurate detection of SMS spam numbers via monitoring grey phone space
US15/079,577 US9572004B2 (en) 2014-05-02 2016-03-24 System and method for fast accurate detection of SMS spam numbers via monitoring grey phone space
US15/399,845 US20170118618A1 (en) 2014-05-02 2017-01-06 Detection of sms spam

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
US15/399,845 US20170118618A1 (en) 2014-05-02 2017-01-06 Detection of sms spam

Related Parent Applications (1)

Application Number Title Priority Date Filing Date
US15/079,577 Continuation US9572004B2 (en) 2014-05-02 2016-03-24 System and method for fast accurate detection of SMS spam numbers via monitoring grey phone space

Publications (1)

Publication Number Publication Date
US20170118618A1 (en) 2017-04-27

Family

ID=54356214

Family Applications (3)

Application Number Title Priority Date Filing Date
US14/268,025 Active US9357362B2 (en) 2014-05-02 2014-05-02 System and method for fast and accurate detection of SMS spam numbers via monitoring grey phone space
US15/079,577 Active US9572004B2 (en) 2014-05-02 2016-03-24 System and method for fast accurate detection of SMS spam numbers via monitoring grey phone space
US15/399,845 Pending US20170118618A1 (en) 2014-05-02 2017-01-06 Detection of sms spam


Country Status (1)

Country Link
US (3) US9357362B2 (en)


Also Published As

Publication number Publication date
US20150319586A1 (en) 2015-11-05
US20160205528A1 (en) 2016-07-14
US9572004B2 (en) 2017-02-14
US9357362B2 (en) 2016-05-31


Legal Events

Date Code Title Description
AS Assignment

Owner name: AT&T INTELLECTUAL PROPERTY I, L.P., GEORGIA

Free format text: ASSIGNMENT OF ASSIGNORS INTEREST;ASSIGNORS:JIN, YU;SKUDLARK, ANN E.;JIANG, NAN;SIGNING DATES FROM 20140411 TO 20140428;REEL/FRAME:040870/0716

STCB Information on status: application discontinuation

Free format text: FINAL REJECTION MAILED

STPP Information on status: patent application and granting procedure in general

Free format text: DOCKETED NEW CASE - READY FOR EXAMINATION

STPP Information on status: patent application and granting procedure in general

Free format text: NON FINAL ACTION MAILED

STPP Information on status: patent application and granting procedure in general

Free format text: RESPONSE TO NON-FINAL OFFICE ACTION ENTERED AND FORWARDED TO EXAMINER