International Engineering Consortium
Web ProForums
Fraud Analysis in IP and Next-Generation Networks

6. Data Collection

Data collection is the first stage in implementing an FMS. Obtaining rich, diverse information from multiple layers is a key factor for the success of an FMS in the IP and next-generation networks environment.

Various probes, IP mediation, and billing mediation products can assist in the collection of this information.

Application-Level Usage Records

Application-level usage records describe the service provided to the customer. Typically, these records will also be used for billing, since they provide all the necessary details in regard to the service used.

These billing records are typically collected from the servers providing the specific service, such as telephony services, video services, and so on.

Application-level records may be provided by the following:

  • VoIP: media gateway controllers (MGCP, H.248), gatekeepers (H.323)
  • Broadcast servers: music on demand, video servers
  • Voice switches
  • E-mail servers, Web/WAP servers

Login and Authentication Level

A typical NGN includes various login, authentication, authorization, and security mechanisms. These mechanisms are referred to as the "login and authentication layer" and may provide vital information to a fraud analysis system.

Login and authentication information may be provided by the following elements:

  • RADIUS and LDAP servers
  • Remote access server (RAS)
  • DHCP servers
  • DNS servers
  • Firewalls
  • Virtual private network (VPN) gateways

Network-Level Information

Network-level information describes the traffic and the flows at the IP layer. This layer typically characterizes bandwidth and resource consumption.

Network elements that provide this information include the following:

  • Routers and switches
  • Cisco NetFlow
  • SNMP/RMON I + II
  • Address translation (NAT)

Access Level

Access networks connect the customer over the "last mile." Common technologies include cable, wireless, DSL, and dial-up.

This layer holds the information about the user location. It is also aware of the hardware and Layer-2 addresses of the user terminal, such as IMSI, serial numbers, MAC address, and more.

Statistics collected by the access network are typically not affected when a user circumvents or tampers with the IP layer, and they therefore prove very useful for detecting irregular events.

Access-level information may be collected from the following elements:

  • RAS
  • CMTS
  • DSLAM
  • Integrated multiservice access platform (IMAP)
  • LMDS/WLL base stations
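
The following added example (not part of the original tutorial) shows why access-level identifiers help an FMS: it correlates constructed login/authentication, access-level, and application-level records to flag an account active from two terminals at once and usage from an IP address with no authenticated session. All record layouts, field names, and values are assumptions made for illustration.

```python
from itertools import combinations

# Constructed sample records; field names are assumptions, not a vendor format.
AUTH_SESSIONS = [  # login/authentication layer (RADIUS-style accounting)
    {"user": "alice", "ip": "10.0.0.5", "start": 100, "stop": 500},
    {"user": "alice", "ip": "10.0.1.9", "start": 300, "stop": 700},
    {"user": "bob", "ip": "10.0.0.7", "start": 100, "stop": 400},
]
ACCESS_LEASES = [  # access layer: Layer-2 address and access port per IP
    {"ip": "10.0.0.5", "mac": "00:11:22:33:44:55", "port": "cmts1/3", "start": 90, "stop": 510},
    {"ip": "10.0.1.9", "mac": "66:77:88:99:aa:bb", "port": "cmts2/8", "start": 290, "stop": 710},
    {"ip": "10.0.0.7", "mac": "02:00:00:00:00:01", "port": "cmts1/4", "start": 90, "stop": 460},
]
USAGE_RECORDS = [  # application layer: records also used for billing
    {"ip": "10.0.0.5", "service": "voip", "time": 200},
    {"ip": "10.0.0.7", "service": "video", "time": 450},
]

def terminal_at(ip, t, leases=ACCESS_LEASES):
    """Return (mac, port) of the terminal holding `ip` at time `t`, or None."""
    for lease in leases:
        if lease["ip"] == ip and lease["start"] <= t <= lease["stop"]:
            return lease["mac"], lease["port"]
    return None

def concurrent_terminals(sessions=AUTH_SESSIONS):
    """Accounts logged in at the same time from two different terminals."""
    alerts = []
    for a, b in combinations(sessions, 2):
        overlap = max(a["start"], b["start"])  # first instant both are active
        if a["user"] != b["user"] or overlap > min(a["stop"], b["stop"]):
            continue
        ta, tb = terminal_at(a["ip"], overlap), terminal_at(b["ip"], overlap)
        if ta != tb:  # same account, different MAC/port at the access layer
            alerts.append((a["user"], overlap, ta, tb))
    return alerts

def unauthenticated_usage(usage=USAGE_RECORDS, sessions=AUTH_SESSIONS):
    """Usage records whose source IP had no authenticated session at that time."""
    alerts = []
    for u in usage:
        if not any(s["ip"] == u["ip"] and s["start"] <= u["time"] <= s["stop"] for s in sessions):
            # The access layer still attributes the traffic to a terminal.
            alerts.append((u["service"], u["ip"], u["time"], terminal_at(u["ip"], u["time"])))
    return alerts

if __name__ == "__main__":
    print(concurrent_terminals())
    print(unauthenticated_usage())
```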

Triggered Content Events

Triggered content events are generated by probes, which inspect the payload carried over the network. These probes can search for text of known "exploit" scripts (used for hacking).

Triggered content events are used today in intrusion detection systems but can also be useful for detecting elusive fraud scams.
