International Engineering Consortium
Web ProForums
Fraud Analysis in IP and Next-Generation Networks

7. Analysis Algorithms

Several algorithms have been developed to detect fraud in telephony and cellular networks, much like the ones used by N–IDS and H–IDS. Universities worldwide are currently researching new IDS algorithms, and current detection methods already take advantage of algorithms from the fields of expert systems, data mining, artificial intelligence, and machine learning.

NGN and IP FMS must expand existing detection methods through the introduction of new algorithms in order to ensure detection not only of current fraud techniques but also of new and emerging ones.

Threshold-Based Analysis

Identifying fraudulent usage by comparing traffic patterns against predefined thresholds is a simple yet extremely effective approach. It rests on the observation that most losses to service providers are caused by fraudsters engaging in large-scale commercial fraud. Such a method can produce an alert, for example, the moment the number of calls being made from a certain location exceeds the threshold of calls defined for that location. This method can be used to successfully recognize and contain theft of long, short, and/or expensive calls.

The straightforward nature of this algorithm allows simple, efficient implementation, thus allowing support of the large amount of traffic carried over telco networks.

It does, however, require fine-tuning: the thresholds must be set meticulously for each customer and point of contact. Moreover, this technique does not detect several types of fraud.
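A per-location threshold check over a stream of call records, as an added example (not code from the original tutorial). The one-hour sliding window, the location names, and the limits are assumptions chosen for illustration; the tutorial only says that each location has a defined threshold.

```python
from collections import defaultdict, deque

WINDOW_S = 3600                               # assumed: counts are taken per hour
THRESHOLDS = {"branch-a": 3, "branch-b": 5}   # hypothetical locations and limits
DEFAULT_THRESHOLD = 4                         # assumed fallback for unlisted locations


def threshold_alerts(cdrs, thresholds=THRESHOLDS, window_s=WINDOW_S):
    """Return (timestamp, location, count) for each moment a location
    first exceeds its call threshold within the sliding window.

    cdrs: iterable of (timestamp_seconds, location), sorted by timestamp.
    """
    recent = defaultdict(deque)   # location -> call timestamps still in the window
    alarmed = set()               # locations currently above their threshold
    alerts = []
    for ts, loc in cdrs:
        window = recent[loc]
        window.append(ts)
        # Drop calls that have aged out of the window.
        while window and window[0] <= ts - window_s:
            window.popleft()
        limit = thresholds.get(loc, DEFAULT_THRESHOLD)
        if len(window) > limit:
            if loc not in alarmed:        # alert once per excursion, not per call
                alarmed.add(loc)
                alerts.append((ts, loc, len(window)))
        else:
            alarmed.discard(loc)          # re-arm once traffic is back under the limit
    return alerts


# Constructed sample records (timestamp in seconds, originating location).
SAMPLE = [
    (0, "branch-a"), (600, "branch-a"), (900, "branch-b"),
    (1200, "branch-a"), (1800, "branch-a"), (2000, "branch-a"),
    (9000, "branch-a"),
]

if __name__ == "__main__":
    for alert in threshold_alerts(SAMPLE):
        print("threshold exceeded:", alert)
```

Memory per location is bounded by the number of calls in one window, which is what keeps this approach cheap at telco traffic volumes.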

Inference Rules Analysis

Inference rules analysis is a fraud-containment method based on expert systems and rule production engines. It enables the preconfiguration of specific, sophisticated inference rules to determine the possible fraud types. For instance, the system administrator may feed the system the following inference rule, useful for detecting various callback scams:


>>If the caller is (domestic) number C
>>and the call destination is (overseas) number X
>>and the call length is less than 10 seconds
>>and (overseas) number X calls (domestic) number C within 30 seconds,
>>then alert on possible callback fraud; process for further investigation

Inference rule analysis can be very difficult to manage because the proper configuration of such rules requires precise, laborious, and time-consuming programming for each imaginable fraud possibility. The dynamic appearance of multiple new fraud types demands that these rules be constantly adapted to include existing, emerging, and future fraud options.

Moreover, it also presents a major obstacle to scalability. The more data the system must process, the more drastically performance degrades.

On the other hand, these systems are very powerful and allow the detection of practically any scam or traffic pattern.
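The callback rule quoted above, written as a check over call detail records, as an added example (not code from the original tutorial). The record layout, the "+1" domestic prefix, and measuring the 30 seconds from the end of the short outbound call are assumptions; the phone numbers are constructed.

```python
DOMESTIC_PREFIX = "+1"   # assumption: domestic numbers start with +1


def is_domestic(number):
    return number.startswith(DOMESTIC_PREFIX)


def callback_alerts(cdrs, max_len_s=10, callback_within_s=30):
    """Apply the callback rule to CDRs of the form
    (start_ts, caller, callee, duration_s).

    Returns (domestic C, overseas X, outbound_start, callback_start) tuples.
    """
    # (C, X) -> (start, end) of the latest short call from C to X.
    # Keying on the number pair keeps each lookup constant-time.
    pending = {}
    alerts = []
    for start, caller, callee, duration in sorted(cdrs):
        if is_domestic(caller) and not is_domestic(callee):
            # First leg: domestic C calls overseas X for under 10 seconds.
            if duration < max_len_s:
                pending[(caller, callee)] = (start, start + duration)
        elif not is_domestic(caller) and is_domestic(callee):
            # Return leg: overseas X calls domestic C.
            first_leg = pending.pop((callee, caller), None)
            if first_leg is not None:
                out_start, out_end = first_leg
                if 0 <= start - out_end <= callback_within_s:
                    alerts.append((callee, caller, out_start, start))
    return alerts


C1, C2 = "+12125550101", "+12125550102"        # constructed domestic numbers
X1, X2 = "+442079460000", "+442079460001"      # constructed overseas numbers

# Constructed sample CDRs: (start_ts, caller, callee, duration_s).
SAMPLE = [
    (100, C1, X1, 4),     # short outbound call
    (120, X1, C1, 600),   # callback 16 s after it ended -> alert
    (300, C2, X1, 45),    # outbound call too long to match the rule
    (360, X1, C2, 300),   # inbound call with no matching short call
    (500, C1, X2, 6),     # short outbound call
    (560, X2, C1, 200),   # callback 54 s after it ended -> outside the window
]

if __name__ == "__main__":
    for alert in callback_alerts(SAMPLE):
        print("possible callback fraud:", alert)
```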

Profile-Based Analysis

Profile-based analysis can also be used to detect fraudulent activity. A customer profile is sketched according to the habitual usage patterns of each user, and any deviation from the profile is immediately brought to the operator's attention. For example, customer "Jones" is known to make a weekly total of: 5–15 local calls, 2–10 interstate calls, and 0–4 long-distance calls. The system will dynamically compare and analyze the weekly usage records of customer "Jones" and display the relevant results.

To illustrate this type of analysis, let's inspect the VoIP calls made by customer "Jones" during a typical week (see Table 1):

Name: Mr. Jones
Customer ID: #0667-33
Service: VoIP

Number            Location    Duration (min.)
552-4625          NY          1.23
237-2671          TX          5.02
346-2899          NY          2.35
211-2328          CO          4.12
921-5032          MI          2.53
517-8321          NY          9.44
573-1129          NY          1.23
312-4002          NY          7.08
627-5384          GA          4.20
44-20-3441-2755   London UK   10.00
312-4002          NY          3.27
237-2671          TX          6.36
44-20-3441-2633   London UK   11.45
573-1129          NY          4.31
544-2829          NY          2.33
552-4625          NY          6.17

Table 1. Jones's VoIP Calls

An abnormal call log would indicate fraud at first glance (see Table 2):

Name: Mr. Jones
Customer ID: #0667-33
Service: VoIP

Number            Location     Duration (min.)   Number            Location     Duration (min.)
234-1-442-3611    Nigeria      125.03            234-1-442-3611    Nigeria      125.03
234-1-442-3611    Nigeria      51.34             234-1-442-3611    Nigeria      94.22
234-1-442-3611    Nigeria      45.22             234-1-442-3611    Nigeria      132.45
234-1-442-3611    Nigeria      143.54            234-1-442-3611    Nigeria      174.12
234-1-442-3611    Nigeria      156.26            258-1-702-4391    Mozambique   64.53
517-8321          NY           6.03              258-1-702-4391    Mozambique   132.44
509-237-1062      Haiti        81.43             517-8321          NY           1.23
509-237-1062      Haiti        128.27            258-1-702-4391    Mozambique   156.08
234-1-442-3611    Nigeria      110.41            258-1-702-4391    Mozambique   123.20
509-237-1062      Haiti        73.46             258-1-702-4391    Mozambique   130.00
509-237-1062      Haiti        147.04            509-237-1062      Haiti        53.27
237-2671          TX           4.35              509-237-1062      Haiti        121.36
44-20-3441-2633   London UK    10.52             509-237-1062      Haiti        104.45
258-1-702-4391    Mozambique   172.55            517-8321          NY           4.31
258-1-702-4391    Mozambique   180.43            517-8321          NY           2.33
258-1-702-4391    Mozambique   97.38             627-5384          GA           5.21

Table 2. Abnormal Call Log

Profile-based analysis has many advantages. In addition to the clarity and ease with which results are presented, systematic investigation assists in the immediate discovery of fraud methods that were never considered, or even imagined, before the FMS revealed them. It also makes the preconfiguration of fraud rules unnecessary. However, the fair possibility that customer "Jones" has indeed established recent connections in Nigeria, Haiti, and Mozambique may result in a large number of "false-positive" alarms; in other words, the system may enforce security measures for what seems to be fraudulent usage of customer "Jones"'s account, only to discover that said usage was perfectly legal. In addition, thorough examination of "x-positive" alarms to determine whether they are "false-positive" or "true-positive" demands long hours of laborious investigation from many employees.
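The comparison of a week's calls against the "Jones" profile, as an added example (not code from the original tutorial), run on the destination columns of Tables 1 and 2. Treating NY as Jones's local area, other US states as interstate, and every overseas destination as long-distance is an assumption; the tutorial does not say how calls are classified.

```python
from collections import Counter

# Habitual weekly call counts for customer "Jones", as given in the text.
PROFILE = {"local": (5, 15), "interstate": (2, 10), "long-distance": (0, 4)}

HOME = "NY"                                  # assumption: Jones's local area
US_STATES = {"NY", "TX", "CO", "MI", "GA"}   # the states that occur in the tables


def category(location):
    """Classify a destination (assumed mapping, see lead-in)."""
    if location == HOME:
        return "local"
    return "interstate" if location in US_STATES else "long-distance"


def deviations(locations, profile=PROFILE):
    """Return {category: (observed, low, high)} for every category whose
    weekly call count falls outside the customer's habitual range."""
    counts = Counter(category(loc) for loc in locations)
    report = {}
    for cat, (low, high) in profile.items():
        observed = counts.get(cat, 0)
        if not low <= observed <= high:
            report[cat] = (observed, low, high)
    return report


# Destination of each call in Table 1, in table order ("London UK" as "UK").
TABLE1 = "NY TX NY CO MI NY NY NY GA UK NY TX UK NY NY NY".split()

# Destinations in Table 2, grouped by country or state (order does not affect counts).
TABLE2 = (["Nigeria"] * 10 + ["Haiti"] * 7 + ["Mozambique"] * 8
          + ["UK"] + ["NY"] * 4 + ["TX", "GA"])

if __name__ == "__main__":
    print("Table 1:", deviations(TABLE1) or "within profile")
    print("Table 2:", deviations(TABLE2))
```

The Table 2 week deviates in two directions: long-distance calls far above the habitual range and local calls just below it, while the interstate count alone would not raise an alarm.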

Neural Networks

Neural Networks is a rather innovative approach designed to function like the human brain. The creation of this technology stems from the idea that a system simulating neural response, such as the independent assimilation of real-time data and subsequent triggering of command chains in response to this data, is better equipped to deal with machine learning than other "unintelligent" applications. Neural Networks can actually calculate user profiles independently, thus adapting more elegantly to the behavior of the various users. Neural Networks are claimed to substantially reduce operation costs. This system has one drawback: upon identifying a profile deviation, it cannot logically explain the results of its calculation, that is, the reasons for triggering the event. Moreover, the advantages and disadvantages of profile-based analysis largely apply to Neural Networks as well.
