WO1998039899A1 - System and method for real-time fraud detection within a telecommunications system - Google Patents

System and method for real-time fraud detection within a telecommunications system Download PDF

Info

Publication number
WO1998039899A1
WO1998039899A1 PCT/US1998/003507 US9803507W WO9839899A1 WO 1998039899 A1 WO1998039899 A1 WO 1998039899A1 US 9803507 W US9803507 W US 9803507W WO 9839899 A1 WO9839899 A1 WO 9839899A1
Authority
WO
WIPO (PCT)
Prior art keywords
call information
information records
call
network
signaling protocol
Prior art date
Application number
PCT/US1998/003507
Other languages
French (fr)
Inventor
Judy Lynn Betts
Michael J. Hatlak
Michael J. Mcguire
Original Assignee
Ameritech Corporation
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Ameritech Corporation filed Critical Ameritech Corporation
Priority to AU66642/98A priority Critical patent/AU6664298A/en
Publication of WO1998039899A1 publication Critical patent/WO1998039899A1/en

Links

Classifications

    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04MTELEPHONIC COMMUNICATION
    • H04M15/00Arrangements for metering, time-control or time indication ; Metering, charging or billing arrangements for voice wireline or wireless communications, e.g. VoIP
    • H04M15/47Fraud detection or prevention means
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/14Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04MTELEPHONIC COMMUNICATION
    • H04M3/00Automatic or semi-automatic exchanges
    • H04M3/22Arrangements for supervision, monitoring or testing
    • H04M3/36Statistical metering, e.g. recording occasions when traffic exceeds capacity of trunks
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04MTELEPHONIC COMMUNICATION
    • H04M15/00Arrangements for metering, time-control or time indication ; Metering, charging or billing arrangements for voice wireline or wireless communications, e.g. VoIP
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04MTELEPHONIC COMMUNICATION
    • H04M2215/00Metering arrangements; Time controlling arrangements; Time indicating arrangements
    • H04M2215/01Details of billing arrangements
    • H04M2215/0148Fraud detection or prevention means
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04MTELEPHONIC COMMUNICATION
    • H04M3/00Automatic or semi-automatic exchanges
    • H04M3/22Arrangements for supervision, monitoring or testing
    • H04M3/2218Call detail recording

Definitions

  • This invention relates generally to detecting fraudulent use of a resource such as a telecommunications network and particularly to methods and systems for detecting and analyzing fraudulent use of a telecommunications network in real- time.
  • Modern telecommunications networks consist of a number of interconnected switches which may be provided by a common operating company Individuals may gain unauthorized access to the network to use the network resources without paying services charges to the operator. Such unauthorized use often results in the wrong party being charged for the use because the fraudulent user is unknown. When the wrong party is charged for the unauthorized use, the telecommunication network's operator will be unable to collect the charges. Such unauthorized use may account for a significant portion of a network operating expenses and impose a financial burden on the operating company.
  • Fraudulent use of a telecommunications network also consumes valuable network resources which may degrade the quality of service provided to legitimate customers.
  • the misuse of network resources denies legitimate customers access to the network.
  • An effective way of preventing fraudulent use of a network is to detect the misuse as it occurs. If the misuse is detected as it is occurring, it may then be prevented before or as it occurs. The ability to detect fraudulent use in real-time can thus significantly reduce the financial burden imposed on a network operator. Accordingly, a network which accurately detects fraudulent use of a telecommunications network, in real-time, is needed.
  • the software may include upgrades and patches which can interfere with the switching and cause the switch to malfunction.
  • This combination of shortcomings results in a data collection method where a call detail record may not be created for all calls. Accordingly, some fraudulent calls may go undetected.
  • Another problem with prior data collection methods is that the call records are dependent upon the individual switches.
  • the call record format is determined by the particular switch handling the call.
  • a network may contain a number of different types of switches. Each switch is programmed to create a call detail record which includes predetermined parameters. Thus, the modification of call detail records generated at the switch level requires the modification of all switches within the telecommunications network that is being monitored for fraud.
  • FIG. 1 is a schematic view of a real-time fraud detection system for use in a modern telecommunications network.
  • FIG. 2 is a flow chart describing the process of using the system of FIG. 1 to perform real-time fraud detection within a modern telecommunications network.
  • FIG. 3 is a graphic representation of a call information record. DETAILED DESCRIPTION OF THE PRESENTLY PREFERRED EMBODIMENTS
  • the preferred embodiment of the present invention enables a telecommunications network operator to detect fraudulent use of a telecommunications network in real-time.
  • the fraud detection is accomplished by effectively analyzing data associated with each call placed through the telecommunications network.
  • the preferred embodiment of the invention enables the operator to analyze a customizable set of call information records in order to detect fraudulent calls.
  • the customizable set of call information records is modifiable or customizable independent of the switching equipment within the network.
  • the preferred embodiment also allows for the detection of fraud in a manner which does not load the switching equipment within a network, thereby, resulting in a better quality of service within the network. Referring now to FIGS. 1 and 3, the preferred embodiment of the invention incorporates a real-time fraud detection system 20 into a modern telecommunications network 10.
  • Modern telecommunications networks typically utilize a signaling protocol 22 to control the switching of voice and data traffic within the network 10.
  • Many different types of existing signaling protocols may be utilized. These signaling protocols may take two common forms, in-band signaling and out-of-band signaling. In-band signaling protocols are interspersed with the voice and data transmissions that are carried over the network. In-band signaling protocols are transmitted with voice and data transmissions between common elements within the network 10. Thus, the in-band signaling protocols are transmitted between the same switches which carry the voice and data communications over the network 10.
  • MFR1 Multiple Frequency Rl
  • out-of-band signaling protocols are segregated from the corresponding voice and data transmissions. Out-of-band signaling protocols are transmitted along different transmission channels than those that carry voice and data transmissions. Typically, out-of-band signaling protocols are transmitted between the central offices 30 and signal transfer points (STPs) 36.
  • STPs signal transfer points
  • SS7 Signaling System 7
  • the present embodiment includes a signal protocol receiver 40 for collecting signaling protocols 22 transmitted within the telecommunications network 10.
  • the collection of network signaling protocol transmissions is well known to those skilled in the art.
  • the signal protocol receiver 40 is separate from the switching equipment within the central offices 30 and the STPs 36 in the network 10.
  • the signal protocol receiver 40 collects the signaling protocol transmissions 22 and does not handle call switching.
  • the signal protocol receiver 40 allows for the non-intrusive monitoring of calls occurring within the network 10.
  • the present embodiment utilizes the signal protocol receiver 40 to detect fraudulent calls within networks that utilize either in-band signaling protocols or out-of-band signaling protocols.
  • the signal protocol receiver 40 collects signaling protocols 22 associated with each call placed through the network 10.
  • One problem with in-band signaling protocols is that a centralized point of collection does not exist.
  • a signal protocol receiver 40 must be located at each switch 32 within the central offices 30 of the network 10.
  • the signal protocol receiver 40 collects the data by sampling the transmitted signaling protocols 22 from the switching equipment 32 in the central offices 30 of the network 10.
  • Out-of-band signaling protocols have a centralized point of collection as all transmissions are sent through STPs 36.
  • a signal protocol receiver 40 is located at each STP 36 within the network 10.
  • the signal protocol receiver 40 collects data associated with all of the calls occurring within the network 10.
  • the signal protocol receiver 40 collects the data by sampling the signaling protocol transmissions transmitted via the STPs 36.
  • the signal protocol receiver 40 collects call data directly from the ongoing transmission by using a high impedance bridge tap well known to those skilled in the art.
  • the bridge tap allows for the effective collection of data without affecting the quality of transmissions with the network 10.
  • call data can be effectively collected for every call through the network 10. Accordingly, calls are not missed, and each fraudulent call can be detected.
  • the signal protocol receiver 40 does not produce a load on the switches in the central offices 30 or the STPs 36, which handle the switching of signaling protocols and voice and data transmissions.
  • the independent signal protocol receiver 40 removes the burden of creating call records from the switching equipment in the central offices 30 and the STPs 36, allowing for better quality transmissions.
  • the signaling protocol data 22 is collected, it is decoded into a useable format.
  • a decoder 42 is used to decode the data as it is collected. For example, decoder 42 transforms the signaling protocol transmissions 22 into a call parameter data 24 which can be analyzed.
  • the decoder 42 formats the transmitted signaling protocol transmissions into call information records 26 (CIRs) using standard high level programming data structures.
  • the CIRs 26 can include various parameters associated with an ongoing call. Some commonly used parameters include: originating; terminating; billing type; using duration; aggregate duration; call volume; etc.
  • the selective incorporation of parameters included in the CIRs 26, eliminates unnecessary data, allowing the signaling protocol data 22 to be processed in a more efficient manner. It also enables the operator to adapt the fraud system 20 to changing requirements by adding new parameters to the CIRs 26 as such parameters become key indicators of fraudulent calls.
  • the signal protocol receiver 40 collects and decodes the signaling protocol data into a CIR 26.
  • the signal protocol receiver 40 can programmed to create various types of CIRs 26 based upon the operator's preferences. An operator can choose the specific call parameters that are included within a CIR 26.
  • the signal protocol receiver 40 can then be programmed to create CIRs 26 which incorporate the specific combination of parameters chosen by the operator.
  • the system can be modified by programming the signal protocol receivers 40 within the network 10. Accordingly, the system is modifiable independent from the switching equipment within the central offices 30 and the STPs 36.
  • a common signal protocol receiver/decoder is the call completion analysis system manufactured by Tekno Industries of Bensenville, Illinois.
  • the resulting CIRs 26 are analyzed to determine if unauthorized use of the network 10 is occurring.
  • the CIRs 26 are transmitted from the decoder 42 to a pre-processor 44.
  • the pre-processor 44 classifies the CIRs 26 based upon the CIR 26 parameters.
  • the pre-processor 44 classifies the CIRs 26 into three basic categories: originating; terminating; and bill to type. Within each basic category, the pre-processor 44 further classifies the CIRs 26 into sub-categories such as national, cellular, international, pay phone hot numbers, etc.
  • the classification is configurable and modifiable. This configurability allows the operator to change the monitoring and classification process as different techniques for detecting fraud are developed.
  • the pre-processor 44 also has the ability to discard undesirable CIRs 26 and count the number of CIRs 26 that are discarded. For example, one type of an undesirable CIR 26 may be a duplicate record.
  • the functionality of the pre-processor 44 is implemented with an NT computer operating system platform.
  • the NT operating system platform allows for an inexpensive modular format which allows the system to be easily expanded or modified as new techniques for detecting fraud are developed.
  • the preferred embodiment may be implemented with software as known to those of skill in the art. For example, the preferred embodiment may be written in a high level programming language such as Pascal, C or C++.
  • the CIRs 26 are transmitted from the pre- processor 44 to a watch point processor 46.
  • the watch point processor 46 stores CIRs 26 in a random access memory or a data base 48. Once the CIRs 26 are stored, the watch point processor 46 can continuously apply control techniques to the CIRs 26 in the database 48.
  • the control techniques enable the operator to monitor the various parameters of the CIRs 26 in an organized manner. Some call parameters which can be monitored include: duration, aggregate duration, volume, volume/duration, and simultaneous calls.
  • the control techniques allow for a number of thresholds 60 to be applied to the CIRs 26. The control technique compares the operator defined thresholds 60 to selected parameters of the CIRs 26.
  • the thresholds 60 can be applied to a singular CIR 26 and/or groups of CIRs 26.
  • the CIRs 26 can also be compared to one another on a singular or a group basis in order to detect fraud. This methodology allows for a very diverse range of threshold analysis in an attempt to detect fraudulent use which occurs in a variety of forms, as the fraudulent use is occurring.
  • One example of CIR data that may indicate fraudulent use is multiple successive calls charged to the same customer. Another such example is calls with long durations charged to a common customer.
  • the watch point processor 46 and its accompanying control technique software utilizes a UNIX operating system based platform.
  • the development of the control technique software is well understood by those skilled in the art.
  • the UNIX-based system allows for the scalability needed to monitor data from a very small number of switches to hundreds of switches simultaneously.
  • the preferred embodiment may be implemented with software as known to those of skill in the art. For example, the preferred embodiment may be written in a high level programming language such as Pascal, C or C++.
  • the alerts 62 generated by the watch point processor 46 are utilized to signal the operator that fraud has been detected.
  • the alerts 62 generated can be in the form of audible, visual, or a remote alert.
  • a audible or visual alert can be generated by the fraud system 20 to alert the operator that fraud has been detected.
  • a remote alert 62 can be sent to an operator via a cellular telephone or a pager system. After receiving the alert 62, the operator may analyze the alerts and take the proper action in response. The operator can notify the customer whose resources are being fraudulently used or the operator can suspend the fraudulent use by cutting off the user and denying further access to the network 10. In addition to notifying the operator that fraud is occurring, the alerts 62 can be analyzed to detect patterns of fraud.
  • an alert 62 when an alert 62 is generated by the watch point processor 46 it is sent to the fraud analysis processor 50.
  • the fraud analysis processor 50 stores each alert 62 in a random access memory or a database 52.
  • the fraud analysis processor 50 receives all the CIRs 26 to create a database 54 containing every call that occurs within the network 10.
  • the archiving of information enables a telecommunications network operator to analyze the most recent alerts 62 and CIRs 26 to detect patterns or trends of fraud that are occurring.
  • the CIRs 26 are stored eight days for customer profiling and daily alert generation.
  • the CIR 26 data is stored in daily tables and indexed according to type of call such as international, domestic, high risk areas, toll free, etc.
  • This data is analyzed daily to detect unusual patterns such as increased traffic volume by number of attempts or duration.
  • the fraud analysis processor 50 compares today's traffic for each unique number to the previous days data and the same day last week. Changes in traffic patterns such as short-term or duration increases in traffic volume can be highlighted.
  • This method detects subscribers that have had their services compromised or even subscribers that are new and are running up large call volumes.
  • the fraud analysis processor 50 allows the operator to detect fraudulent calls early so the operator can take a pro-active measures. For example, new high risk customers that have large volumes within the first week of service may be required to supply deposits to continue service.
  • the preferred embodiment may be implemented with computer software as known to those of skill in the art. For example, the preferred embodiment may be written in a high level programming language such as Pascal, C or C++.
  • GUI graphic user interface
  • the graphic user interface includes all the graphical tools needed to setup and display the pre described functions.
  • Each system element may have its own integrated GUI.
  • the signal protocol receiver/decoder 40 has a GUI that allows the operator to define the CIRs easily and efficiently.
  • the pre-processor 44 has a GUI that displays the status of all call parameters as well as the setup and configuration of the pre-processor 44.
  • the watch point processor 46 has a GUI that allows the operator to setup the thresholds easily and efficiently.
  • the fraud analysis processor 50 has a GUI that allows the operator to analyze the alerts 62, take appropriate action to resolve the alerts 62 and commit all activity into a fraud log .
  • all the GUI interfaces are integrated onto one platform, a NT computer operating system based work station.
  • the preferred embodiment may be implemented with software well known to those of skill in the art.
  • the preferred embodiment may be written in a high level programming language such as Pascal, C or C++.
  • the interface is constructed in such a way that any number of operators can access the CIR 26 data and analyze the alerts 62.
  • the result is an integrated solution for combating fraudulent activity in the telecommunications network 10 in a real-time/in-progress manner. Referring now to FIG.
  • Real-time call data is collected 10 for each call that is occurring through a telecommunications network.
  • the signal protocol receiver (FIG. 1) collects signaling protocol data directly from the transmissions of the data.
  • the signal protocol receiver is capable of collecting both in-band signaling protocol data and out-of-band signaling protocol data, as described in detail above.
  • After the signaling protocol data is collected it is decoded 20 and transformed to a useable format.
  • a decoder (FIG. 1) is used to decode the signaling protocol data.
  • the decoder can decode signaling protocol data that is extracted from a network using either in-band or out-of-band signaling protocols.
  • the decoder transforms the data into a useable form.
  • CIR call information record
  • the decoder formats the decoded data into a CIR that contains various call parameters and is created according to predetermined operator preferences.
  • the CIRs are created, they are analyzed to determine whether fraudulent calls are occurring.
  • the CIRs are transmitted to a pre-processor which classifies the CIRs 40, as described above.
  • the pre-processor classification eliminates unneeded portions of the data that is collected.
  • the watch point processor (FIG. 1).
  • the watch point processor stores the CIRs in a random access memory 50.
  • the stored CIRs are compared to predetermined operator defined thresholds 60 by the watch point processor. If any of the CIRs are not within the thresholds, an alert is generated 70 by the watch point processor.
  • the alerts can be in the form of audible, visual or remote, as described in detail above.
  • the alerts are transmitted to the fraud analysis processor (FIG. 1 ) where they are stored 80 in a random access memory.
  • the storage of the alerts enables a operator to analyze the alerts and take the appropriate action to terminate the fraudulent call or transmission.
  • the alerts and CIRs are also archived 90 by the fraud analysis processor (FIG. 1). This archival of data facilitates the analyzation of data to determine trends of fraud. All of the steps described above can be accomplished in real time during the duration of the call. It is to be understood that the steps of pre-processing, watch point processing and fraud analysis processing could be accomplished by utilizing a single processor equipped with the necessary peripherals. Accordingly, all of the storage and archival steps could be accomplished by utilizing a single database.
  • the current embodiment of the present invention provides an improved method and system for detecting fraudulent use of a telecommunications network.
  • the embodiment enables the detection of fraud by effectively analyzing the signaling communication protocol transmissions that are associated with each existing call.
  • the embodiment enables the operator to analyze a customized set of call detail records by selecting which call parameters will be incorporated into the call detail records.
  • the embodiment allows for the detection of fraud in a manner which places no additional load on the switching equipment which handles the voice and data transmissions within a network.

Abstract

Real-time detection of the fraudulent use of a telecommunications network is accomplished by analyzing data for each call that is occurring within the network. A signal protocol receiver is used to collect signaling protocol (10) for each call that is occurring within the network. The Signaling protocol data is collected, decoded (20) and formatted (30) into call information records (CIRs). The CIRs contain various operator specified parameters (40) for each call that is occurring within the network. The CIRs are compared to operator defined thresholds (60). If any of the CIRs exceeds the thresholds, an alert is generated (70). The alerts are stored (80) in a database so that trends of fraudulent use can be detected and prevented. This method of fraud detection provides for the effective analyzation of every call that is occurring within the network. Accordingly, no call goes unanalyzed and ideally no fraud goes undetected. Additionally, the method does not impose an additional load on the network switching equipment and therefore results in a better quality of transmissions.

Description

SYSTEM AND METHOD FOR REAL-TIME FRAUD DETECTION WITHIN A TELECOMMUNICATIONS SYSTEM
TECHNICAL FIELD
This invention relates generally to detecting fraudulent use of a resource such as a telecommunications network and particularly to methods and systems for detecting and analyzing fraudulent use of a telecommunications network in real- time.
BACKGROUND OF THE INVENTION
Modern telecommunications networks consist of a number of interconnected switches which may be provided by a common operating company Individuals may gain unauthorized access to the network to use the network resources without paying services charges to the operator. Such unauthorized use often results in the wrong party being charged for the use because the fraudulent user is unknown. When the wrong party is charged for the unauthorized use, the telecommunication network's operator will be unable to collect the charges. Such unauthorized use may account for a significant portion of a network operating expenses and impose a financial burden on the operating company.
Fraudulent use of a telecommunications network also consumes valuable network resources which may degrade the quality of service provided to legitimate customers. The misuse of network resources denies legitimate customers access to the network.
An effective way of preventing fraudulent use of a network is to detect the misuse as it occurs. If the misuse is detected as it is occurring, it may then be prevented before or as it occurs. The ability to detect fraudulent use in real-time can thus significantly reduce the financial burden imposed on a network operator. Accordingly, a network which accurately detects fraudulent use of a telecommunications network, in real-time, is needed.
Prior systems have attempted real-time fraud detection. One example of such a system is disclosed in U.S. Patent No. 5,495,521 to Rangachar, which describes a method and means for preventing fraudulent use of a telephone network. The system described therein utilizes the switching equipment located within a network's central offices to collect data and create a call detail record. The call detail record information is automatically generated by the switching equipment to provide data that is analyzed to detect fraudulent network use. One problem with this data collection technique is that the switching equipment's primary function is to switch traffic within the system. The creation of call detail records, however, is a secondary function of the switching system. Accordingly, the switching equipment is not a efficient mechanism for generating call detail records. Also, the switching equipment is equipped with hardware and extensive software which facilitate the switching of calls. The software may include upgrades and patches which can interfere with the switching and cause the switch to malfunction. This combination of shortcomings results in a data collection method where a call detail record may not be created for all calls. Accordingly, some fraudulent calls may go undetected. Another problem with prior data collection methods is that the call records are dependent upon the individual switches. Typically, the call record format is determined by the particular switch handling the call. A network may contain a number of different types of switches. Each switch is programmed to create a call detail record which includes predetermined parameters. Thus, the modification of call detail records generated at the switch level requires the modification of all switches within the telecommunications network that is being monitored for fraud.
BRIEF DESCRIPTION OF THE DRAWINGS
FIG. 1 is a schematic view of a real-time fraud detection system for use in a modern telecommunications network.
FIG. 2 is a flow chart describing the process of using the system of FIG. 1 to perform real-time fraud detection within a modern telecommunications network. FIG. 3 is a graphic representation of a call information record. DETAILED DESCRIPTION OF THE PRESENTLY PREFERRED EMBODIMENTS
The preferred embodiment of the present invention enables a telecommunications network operator to detect fraudulent use of a telecommunications network in real-time. The fraud detection is accomplished by effectively analyzing data associated with each call placed through the telecommunications network. The preferred embodiment of the invention enables the operator to analyze a customizable set of call information records in order to detect fraudulent calls. The customizable set of call information records is modifiable or customizable independent of the switching equipment within the network. The preferred embodiment also allows for the detection of fraud in a manner which does not load the switching equipment within a network, thereby, resulting in a better quality of service within the network. Referring now to FIGS. 1 and 3, the preferred embodiment of the invention incorporates a real-time fraud detection system 20 into a modern telecommunications network 10. Modern telecommunications networks typically utilize a signaling protocol 22 to control the switching of voice and data traffic within the network 10. Many different types of existing signaling protocols may be utilized. These signaling protocols may take two common forms, in-band signaling and out-of-band signaling. In-band signaling protocols are interspersed with the voice and data transmissions that are carried over the network. In-band signaling protocols are transmitted with voice and data transmissions between common elements within the network 10. Thus, the in-band signaling protocols are transmitted between the same switches which carry the voice and data communications over the network 10. For example, one such type of in-band signaling protocol is Multiple Frequency Rl (MFR1).
In comparison to in-band signaling, out-of-band signaling protocols are segregated from the corresponding voice and data transmissions. Out-of-band signaling protocols are transmitted along different transmission channels than those that carry voice and data transmissions. Typically, out-of-band signaling protocols are transmitted between the central offices 30 and signal transfer points (STPs) 36. For example, Signaling System 7 (SS7) is one such type of out-of-band signaling protocol.
The present embodiment includes a signal protocol receiver 40 for collecting signaling protocols 22 transmitted within the telecommunications network 10. The collection of network signaling protocol transmissions is well known to those skilled in the art. The signal protocol receiver 40 is separate from the switching equipment within the central offices 30 and the STPs 36 in the network 10. The signal protocol receiver 40 collects the signaling protocol transmissions 22 and does not handle call switching. The signal protocol receiver 40 allows for the non-intrusive monitoring of calls occurring within the network 10.
The present embodiment utilizes the signal protocol receiver 40 to detect fraudulent calls within networks that utilize either in-band signaling protocols or out-of-band signaling protocols. The signal protocol receiver 40 collects signaling protocols 22 associated with each call placed through the network 10. One problem with in-band signaling protocols is that a centralized point of collection does not exist. Thus, to capture in-band signaling protocols, a signal protocol receiver 40 must be located at each switch 32 within the central offices 30 of the network 10. The signal protocol receiver 40 collects the data by sampling the transmitted signaling protocols 22 from the switching equipment 32 in the central offices 30 of the network 10.
Out-of-band signaling protocols have a centralized point of collection as all transmissions are sent through STPs 36. Thus, to capture out-of-band signaling protocols, a signal protocol receiver 40 is located at each STP 36 within the network 10. The signal protocol receiver 40 collects data associated with all of the calls occurring within the network 10. The signal protocol receiver 40 collects the data by sampling the signaling protocol transmissions transmitted via the STPs 36.
With both out-of-band and in-band signaling formats, the signal protocol receiver 40 collects call data directly from the ongoing transmission by using a high impedance bridge tap well known to those skilled in the art. The bridge tap allows for the effective collection of data without affecting the quality of transmissions with the network 10. By utilizing a dedicated signal protocol receiver 40, which is independent from the switching equipment in the central offices 30 and the STPs 36, to collect signaling protocols 22, call data can be effectively collected for every call through the network 10. Accordingly, calls are not missed, and each fraudulent call can be detected. Also, the signal protocol receiver 40 does not produce a load on the switches in the central offices 30 or the STPs 36, which handle the switching of signaling protocols and voice and data transmissions. The independent signal protocol receiver 40 removes the burden of creating call records from the switching equipment in the central offices 30 and the STPs 36, allowing for better quality transmissions. After the signaling protocol data 22 is collected, it is decoded into a useable format. A decoder 42 is used to decode the data as it is collected. For example, decoder 42 transforms the signaling protocol transmissions 22 into a call parameter data 24 which can be analyzed. The decoder 42 formats the transmitted signaling protocol transmissions into call information records 26 (CIRs) using standard high level programming data structures. The CIRs 26 can include various parameters associated with an ongoing call. Some commonly used parameters include: originating; terminating; billing type; using duration; aggregate duration; call volume; etc. The selective incorporation of parameters included in the CIRs 26, eliminates unnecessary data, allowing the signaling protocol data 22 to be processed in a more efficient manner. It also enables the operator to adapt the fraud system 20 to changing requirements by adding new parameters to the CIRs 26 as such parameters become key indicators of fraudulent calls.
In a preferred embodiment, the signal protocol receiver 40 collects and decodes the signaling protocol data into a CIR 26. The signal protocol receiver 40 can programmed to create various types of CIRs 26 based upon the operator's preferences. An operator can choose the specific call parameters that are included within a CIR 26. The signal protocol receiver 40 can then be programmed to create CIRs 26 which incorporate the specific combination of parameters chosen by the operator. Thus, the system can be modified by programming the signal protocol receivers 40 within the network 10. Accordingly, the system is modifiable independent from the switching equipment within the central offices 30 and the STPs 36. A common signal protocol receiver/decoder is the call completion analysis system manufactured by Tekno Industries of Bensenville, Illinois.
After the signaling protocols 22 have been collected and decoded, the resulting CIRs 26 are analyzed to determine if unauthorized use of the network 10 is occurring. The CIRs 26 are transmitted from the decoder 42 to a pre-processor 44. The pre-processor 44 classifies the CIRs 26 based upon the CIR 26 parameters. The pre-processor 44 classifies the CIRs 26 into three basic categories: originating; terminating; and bill to type. Within each basic category, the pre-processor 44 further classifies the CIRs 26 into sub-categories such as national, cellular, international, pay phone hot numbers, etc. The classification is configurable and modifiable. This configurability allows the operator to change the monitoring and classification process as different techniques for detecting fraud are developed. The pre-processor 44 also has the ability to discard undesirable CIRs 26 and count the number of CIRs 26 that are discarded. For example, one type of an undesirable CIR 26 may be a duplicate record. In a preferred embodiment, the functionality of the pre-processor 44 is implemented with an NT computer operating system platform. The NT operating system platform allows for an inexpensive modular format which allows the system to be easily expanded or modified as new techniques for detecting fraud are developed. Additionally, the preferred embodiment may be implemented with software as known to those of skill in the art. For example, the preferred embodiment may be written in a high level programming language such as Pascal, C or C++.
After the CIRs 26 are classified, they are analyzed to determine whether unauthorized use is occurring. The CIRs 26 are transmitted from the pre- processor 44 to a watch point processor 46. The watch point processor 46 stores CIRs 26 in a random access memory or a data base 48. Once the CIRs 26 are stored, the watch point processor 46 can continuously apply control techniques to the CIRs 26 in the database 48. The control techniques enable the operator to monitor the various parameters of the CIRs 26 in an organized manner. Some call parameters which can be monitored include: duration, aggregate duration, volume, volume/duration, and simultaneous calls. The control techniques allow for a number of thresholds 60 to be applied to the CIRs 26. The control technique compares the operator defined thresholds 60 to selected parameters of the CIRs 26. When any of the thresholds 60 is satisfied or exceeded, an alert 62 is generated. The thresholds 60 can be applied to a singular CIR 26 and/or groups of CIRs 26. The CIRs 26 can also be compared to one another on a singular or a group basis in order to detect fraud. This methodology allows for a very diverse range of threshold analysis in an attempt to detect fraudulent use which occurs in a variety of forms, as the fraudulent use is occurring. One example of CIR data that may indicate fraudulent use is multiple successive calls charged to the same customer. Another such example is calls with long durations charged to a common customer.
Preferably, the watch point processor 46 and its accompanying control technique software utilizes a UNIX operating system based platform. The development of the control technique software is well understood by those skilled in the art. The UNIX-based system allows for the scalability needed to monitor data from a very small number of switches to hundreds of switches simultaneously. Additionally, the preferred embodiment may be implemented with software as known to those of skill in the art. For example, the preferred embodiment may be written in a high level programming language such as Pascal, C or C++.
The alerts 62 generated by the watch point processor 46 are utilized to signal the operator that fraud has been detected. The alerts 62 generated can be in the form of audible, visual, or a remote alert. A audible or visual alert can be generated by the fraud system 20 to alert the operator that fraud has been detected. Additionally, a remote alert 62 can be sent to an operator via a cellular telephone or a pager system. After receiving the alert 62, the operator may analyze the alerts and take the proper action in response. The operator can notify the customer whose resources are being fraudulently used or the operator can suspend the fraudulent use by cutting off the user and denying further access to the network 10. In addition to notifying the operator that fraud is occurring, the alerts 62 can be analyzed to detect patterns of fraud. According to a preferred embodiment, when an alert 62 is generated by the watch point processor 46 it is sent to the fraud analysis processor 50. The fraud analysis processor 50 stores each alert 62 in a random access memory or a database 52. In addition to storing the alerts 62, the fraud analysis processor 50 receives all the CIRs 26 to create a database 54 containing every call that occurs within the network 10. The archiving of information enables a telecommunications network operator to analyze the most recent alerts 62 and CIRs 26 to detect patterns or trends of fraud that are occurring. In a preferred embodiment, the CIRs 26 are stored eight days for customer profiling and daily alert generation. The CIR 26 data is stored in daily tables and indexed according to type of call such as international, domestic, high risk areas, toll free, etc. This data is analyzed daily to detect unusual patterns such as increased traffic volume by number of attempts or duration. For example, the fraud analysis processor 50 compares today's traffic for each unique number to the previous days data and the same day last week. Changes in traffic patterns such as short-term or duration increases in traffic volume can be highlighted. This method detects subscribers that have had their services compromised or even subscribers that are new and are running up large call volumes. The fraud analysis processor 50 allows the operator to detect fraudulent calls early so the operator can take a pro-active measures. For example, new high risk customers that have large volumes within the first week of service may be required to supply deposits to continue service. Additionally, the preferred embodiment may be implemented with computer software as known to those of skill in the art. For example, the preferred embodiment may be written in a high level programming language such as Pascal, C or C++.
In the presently preferred embodiment, the steps of establishing thresholds 60 and generating and analyzing alerts 62 can be enhanced by utilizing a graphic user interface (GUI). The graphic user interface includes all the graphical tools needed to setup and display the pre described functions. Each system element may have its own integrated GUI. For example, the signal protocol receiver/decoder 40 has a GUI that allows the operator to define the CIRs easily and efficiently. The pre-processor 44 has a GUI that displays the status of all call parameters as well as the setup and configuration of the pre-processor 44. The watch point processor 46 has a GUI that allows the operator to setup the thresholds easily and efficiently. The fraud analysis processor 50 has a GUI that allows the operator to analyze the alerts 62, take appropriate action to resolve the alerts 62 and commit all activity into a fraud log . Preferably, all the GUI interfaces are integrated onto one platform, a NT computer operating system based work station. Additionally, the preferred embodiment may be implemented with software well known to those of skill in the art. For example, the preferred embodiment may be written in a high level programming language such as Pascal, C or C++. The interface is constructed in such a way that any number of operators can access the CIR 26 data and analyze the alerts 62. The result is an integrated solution for combating fraudulent activity in the telecommunications network 10 in a real-time/in-progress manner. Referring now to FIG. 2, the system described above is utilized to perform real-time fraud detection. Real-time call data is collected 10 for each call that is occurring through a telecommunications network. The signal protocol receiver (FIG. 1) collects signaling protocol data directly from the transmissions of the data. The signal protocol receiver is capable of collecting both in-band signaling protocol data and out-of-band signaling protocol data, as described in detail above. After the signaling protocol data is collected it is decoded 20 and transformed to a useable format. A decoder (FIG. 1) is used to decode the signaling protocol data. The decoder can decode signaling protocol data that is extracted from a network using either in-band or out-of-band signaling protocols. The decoder transforms the data into a useable form. After the data is decoded, it is correlated 30 into a call information record (CIR). The decoder formats the decoded data into a CIR that contains various call parameters and is created according to predetermined operator preferences.
After the CIRs are created, they are analyzed to determine whether fraudulent calls are occurring. The CIRs are transmitted to a pre-processor which classifies the CIRs 40, as described above. The pre-processor classification eliminates unneeded portions of the data that is collected. After the CIRs have been classified, they are transmitted to the watch point processor (FIG. 1). The watch point processor stores the CIRs in a random access memory 50. The stored CIRs are compared to predetermined operator defined thresholds 60 by the watch point processor. If any of the CIRs are not within the thresholds, an alert is generated 70 by the watch point processor. The alerts can be in the form of audible, visual or remote, as described in detail above.
The alerts are transmitted to the fraud analysis processor (FIG. 1 ) where they are stored 80 in a random access memory. The storage of the alerts enables a operator to analyze the alerts and take the appropriate action to terminate the fraudulent call or transmission. The alerts and CIRs are also archived 90 by the fraud analysis processor (FIG. 1). This archival of data facilitates the analyzation of data to determine trends of fraud. All of the steps described above can be accomplished in real time during the duration of the call. It is to be understood that the steps of pre-processing, watch point processing and fraud analysis processing could be accomplished by utilizing a single processor equipped with the necessary peripherals. Accordingly, all of the storage and archival steps could be accomplished by utilizing a single database. The current embodiment of the present invention provides an improved method and system for detecting fraudulent use of a telecommunications network. The embodiment enables the detection of fraud by effectively analyzing the signaling communication protocol transmissions that are associated with each existing call. The embodiment enables the operator to analyze a customized set of call detail records by selecting which call parameters will be incorporated into the call detail records. By collecting data directly from a STP, the embodiment allows for the detection of fraud in a manner which places no additional load on the switching equipment which handles the voice and data transmissions within a network.
It is also to be understood that a wide range of changes and modifications to the embodiments described above will be apparent to those skilled in the art and are contemplated. It is therefore intended that the foregoing detailed description be regarded as illustrative rather than limiting, and that it be understood that it is the following claims, including all equivalents, that are intended to define the spirit and scope of the invention.

Claims

We claim:
1. A method for detecting fraudulent access to a telecommunications network comprising the steps of: providing a signal protocol receiver independent from a network switching equipment; collecting signaling protocol data for a call from the telecommunications network using the signal protocol receiver; decoding the signaling protocol data; correlating the signaling protocol data into call information records; analyzing the call information records during the duration of the call to detect fraudulent use of the telecommunications network.
2. The method of claim 1 further comprising the step of classifying the call information records.
3. The method of claim 1 further comprising the step of storing the call information records in a database.
4. The method of claim 1 wherein the step of analyzing the call information records comprises comparing the call information records to pre- established thresholds.
5. The method of claim 1 wherein the step of analyzing the call information records comprise comparing the call information records to one another.
6. The method of claim 4 wherein the step of analyzing the call information records comprises generating an alert when at least one of the call information records exceeds the thresholds.
7. The method of claim 6 wherein the alert is in the form of audio, visual or remote.
8. The method of claim 4 wherein the step of analyzing the call information records comprises storing the alerts and call information records in a database and maintaining data for a predetermined number of days, to facilitate an analysis of fraudulent trends.
9. The method of claim 1 wherein the signaling protocol data is in- band and is collected at the switches within a network.
10. The method of claim 1 wherein the signaling protocol data is out- of-band and is collected from the STPs within a network.
11. The method of claim 1 wherein the call information records contain at least one of the following parameters: originating, terminating, billing type, using duration, aggregate duration, call volume.
12. A system for detecting fraudulent access to a telecommunications network comprising: a signal protocol receiver independent from the network switching equipment for collecting signaling protocol data; a decoder for decoding the signaling protocol data and formulating call information records; a processor for analyzing the call information records in order to detect fraudulent use of the telecommunications network.
13. The system of claim 12 wherein the processor comprises preprocessor for classifying the call information records and a watch point processor for comparing the call information records to operator defined thresholds
14. The system of claim 12 wherein the processor further comprises a fraud analysis processor for storing the alerts and the call information records in a database.
15. A method for detecting fraudulent access to a telecommunications network comprising the steps of: providing a signal protocol receiver independent from the network switching equipment; collecting signaling protocol data from the network using the signal protocol receiver; decoding the signaling protocol data; correlating the signaling protocol data into call information records containing at least one call parameter; classifying the call information records based upon the at least one call parameter; analyzing the call information records by comparing them to pre-established thresholds or other call information records; generating an alert if the call information records exceed the thresholds; storing the alerts in a database; storing the call information recording in a database.
PCT/US1998/003507 1997-02-24 1998-02-23 System and method for real-time fraud detection within a telecommunications system WO1998039899A1 (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
AU66642/98A AU6664298A (en) 1997-02-24 1998-02-23 System and method for real-time fraud detection within a telecommunications system

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
US08/807,039 US6327352B1 (en) 1997-02-24 1997-02-24 System and method for real-time fraud detection within a telecommunications system
US08/807,039 1997-02-24

Publications (1)

Publication Number Publication Date
WO1998039899A1 true WO1998039899A1 (en) 1998-09-11

Family

ID=25195419

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/US1998/003507 WO1998039899A1 (en) 1997-02-24 1998-02-23 System and method for real-time fraud detection within a telecommunications system

Country Status (3)

Country Link
US (6) US6327352B1 (en)
AU (1) AU6664298A (en)
WO (1) WO1998039899A1 (en)

Cited By (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
WO2000027105A1 (en) * 1998-11-03 2000-05-11 Siemens Aktiengesellschaft Revision method for the detection of network fraud
WO2000052911A2 (en) * 1999-03-01 2000-09-08 Nokia Networks Oy Method and system in a telecommunication system
US7142651B2 (en) 2001-11-29 2006-11-28 Ectel Ltd. Fraud detection in a distributed telecommunications networks
US10250755B2 (en) * 2013-09-13 2019-04-02 Network Kinetix, LLC System and method for real-time analysis of network traffic

Families Citing this family (59)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US6643362B2 (en) * 1998-11-19 2003-11-04 Global Crossing, Ltd. Call-processing system and method
US20030195847A1 (en) * 1996-06-05 2003-10-16 David Felger Method of billing a purchase made over a computer network
US7555458B1 (en) 1996-06-05 2009-06-30 Fraud Control System.Com Corporation Method of billing a purchase made over a computer network
US8229844B2 (en) 1996-06-05 2012-07-24 Fraud Control Systems.Com Corporation Method of billing a purchase made over a computer network
US6327352B1 (en) * 1997-02-24 2001-12-04 Ameritech Corporation System and method for real-time fraud detection within a telecommunications system
US7136471B2 (en) * 1997-03-27 2006-11-14 T-Netix, Inc. Method and apparatus for detecting a secondary destination of a telephone call based on changes in the telephone signal path
CA2351478A1 (en) * 1998-11-18 2000-05-25 Lightbridge Inc. Event manager for use in fraud detection
US7140039B1 (en) 1999-06-08 2006-11-21 The Trustees Of Columbia University In The City Of New York Identification of an attacker in an electronic system
US7272855B1 (en) * 1999-06-08 2007-09-18 The Trustees Of Columbia University In The City Of New York Unified monitoring and detection of intrusion attacks in an electronic system
US7013296B1 (en) 1999-06-08 2006-03-14 The Trustees Of Columbia University In The City Of New York Using electronic security value units to control access to a resource
US6879582B1 (en) * 2000-09-29 2005-04-12 Lucent Technologies Inc. Media terminal adapter-cellular transceiver (MTA-CT)
US20020138427A1 (en) * 2001-03-20 2002-09-26 Trivedi Prakash A. Systems and methods for communicating from an integration platform to a billing unit
GB0207392D0 (en) * 2002-03-28 2002-05-08 Neural Technologies Ltd A configurable data profiling system
US20050154688A1 (en) * 2002-05-13 2005-07-14 George Bolt Automated performance monitoring and adaptation system
GB0210938D0 (en) * 2002-05-13 2002-06-19 Neural Technologies Ltd An automatic performance monitoring and adaptation system
US20040203721A1 (en) * 2002-08-30 2004-10-14 Grooms Paul C. System and method for managing call quality and system performance in a telecommunication system
GB0221925D0 (en) * 2002-09-20 2002-10-30 Neural Technologies Ltd A system for the retrospective classification of archived events
US7783019B2 (en) * 2003-05-15 2010-08-24 Verizon Business Global Llc Method and apparatus for providing fraud detection using geographically differentiated connection duration thresholds
US7817791B2 (en) * 2003-05-15 2010-10-19 Verizon Business Global Llc Method and apparatus for providing fraud detection using hot or cold originating attributes
US7971237B2 (en) * 2003-05-15 2011-06-28 Verizon Business Global Llc Method and system for providing fraud detection for remote access services
US7774842B2 (en) * 2003-05-15 2010-08-10 Verizon Business Global Llc Method and system for prioritizing cases for fraud detection
US7502447B2 (en) 2003-11-25 2009-03-10 Alcatel Lucent Call failure recording
US6987961B1 (en) * 2004-06-28 2006-01-17 Neomagic Corp. Ethernet emulation using a shared mailbox between two processors in a feature phone
US7545920B2 (en) * 2004-11-30 2009-06-09 Sbc Knowledge Ventures, L.P. Call reporting
US7991874B2 (en) * 2005-03-16 2011-08-02 At&T Intellectual Property I, L.P. Method and system for business activity monitoring
US9167471B2 (en) 2009-05-07 2015-10-20 Jasper Technologies, Inc. System and method for responding to aggressive behavior associated with wireless devices
US20070025534A1 (en) * 2005-07-12 2007-02-01 Sudeesh Yezhuvath Fraud telecommunications pre-checking systems and methods
US8107459B1 (en) * 2005-10-31 2012-01-31 At&T Intellectual Property Ii, L.P. Method and apparatus for executing a call blocking function
US7760861B1 (en) * 2005-10-31 2010-07-20 At&T Intellectual Property Ii, L.P. Method and apparatus for monitoring service usage in a communications network
WO2007070612A2 (en) * 2005-12-14 2007-06-21 Tekelec Methods, systems, and computer program products for detecting and mitigating fraudulent message service message traffic
US7986773B2 (en) * 2006-08-29 2011-07-26 Cisco Technology, Inc. Interactive voice response system security
US8542802B2 (en) 2007-02-15 2013-09-24 Global Tel*Link Corporation System and method for three-way call detection
US9225838B2 (en) 2009-02-12 2015-12-29 Value-Added Communications, Inc. System and method for detecting three-way call circumvention attempts
US20100235909A1 (en) * 2009-03-13 2010-09-16 Silver Tail Systems System and Method for Detection of a Change in Behavior in the Use of a Website Through Vector Velocity Analysis
US20100235908A1 (en) * 2009-03-13 2010-09-16 Silver Tail Systems System and Method for Detection of a Change in Behavior in the Use of a Website Through Vector Analysis
US8243904B2 (en) * 2009-12-04 2012-08-14 International Business Machines Corporation Methods to improve security of conference calls by observation of attendees' order and time of joining the call
US8635683B2 (en) * 2009-12-04 2014-01-21 International Business Machines Corporation Method to improve fraud detection on conference calling systems by detecting re-use of conference moderator passwords
US20110135081A1 (en) * 2009-12-04 2011-06-09 Charles Steven Lingafelt Methods to improve fraud detection on conference calling systems by detection of non-typical useage of moderator passcode
US8494142B2 (en) 2009-12-04 2013-07-23 International Business Machines Corporation Methods to improve fraud detection on conference calling systems based on observation of participants' call time durations
US20110135073A1 (en) * 2009-12-04 2011-06-09 Charles Steven Lingafelt Methods to improve fraud detection on conference calling systems by detection of conference moderator password utilization from a non-authorized device
GB201115007D0 (en) * 2011-08-31 2011-10-12 Bae Systems Plc Detection of predetermined activities by users of mobile telephony networks
US9107076B1 (en) * 2012-07-27 2015-08-11 Sprint Communications Company L.P. Data fraud detection via device type identification
US9419988B2 (en) * 2013-06-20 2016-08-16 Vonage Business Inc. System and method for non-disruptive mitigation of messaging fraud
US9426302B2 (en) 2013-06-20 2016-08-23 Vonage Business Inc. System and method for non-disruptive mitigation of VOIP fraud
US9699660B1 (en) 2015-03-31 2017-07-04 EMC IP Holding Company LLC Big data analytics for telecom fraud detection
WO2017066648A1 (en) 2015-10-14 2017-04-20 Pindrop Security, Inc. Call detail record analysis to identify fraudulent activity and fraud detection in interactive voice response systems
TR201517657A2 (en) * 2015-12-31 2017-07-21 Turkcell Teknoloji Arastirma Ve Gelistirme Anonim Sirketi A SYSTEM FOR DETECTING LONG-TERM CALLS
TR201517613A2 (en) * 2015-12-31 2017-07-21 Turkcell Teknoloji Arastirma Ve Gelistirme Anonim Sirketi A SYSTEM FOR DETERMINATION OF FRAUD IN TELECOMMUNICATION SYSTEMS
US9729727B1 (en) * 2016-11-18 2017-08-08 Ibasis, Inc. Fraud detection on a communication network
US10404481B2 (en) * 2017-06-06 2019-09-03 Cisco Technology, Inc. Unauthorized participant detection in multiparty conferencing by comparing a reference hash value received from a key management server with a generated roster hash value
US9930088B1 (en) 2017-06-22 2018-03-27 Global Tel*Link Corporation Utilizing VoIP codec negotiation during a controlled environment call
US10812663B2 (en) 2018-03-03 2020-10-20 Leo Anthony Wrobel, JR. Apparatus and method for using an intelligent network for analyzing an event external to a signaling network
US10972472B2 (en) 2018-06-01 2021-04-06 Bank Of America Corporation Alternate user communication routing utilizing a unique user identification
US10855666B2 (en) 2018-06-01 2020-12-01 Bank Of America Corporation Alternate user communication handling based on user identification
US10798126B2 (en) 2018-06-01 2020-10-06 Bank Of America Corporation Alternate display generation based on user identification
US10785220B2 (en) 2018-06-01 2020-09-22 Bank Of America Corporation Alternate user communication routing
US10785214B2 (en) 2018-06-01 2020-09-22 Bank Of America Corporation Alternate user communication routing for a one-time credential
US10484532B1 (en) * 2018-10-23 2019-11-19 Capital One Services, Llc System and method detecting fraud using machine-learning and recorded voice clips
US11470194B2 (en) 2019-08-19 2022-10-11 Pindrop Security, Inc. Caller verification via carrier metadata

Citations (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US5627886A (en) * 1994-09-22 1997-05-06 Electronic Data Systems Corporation System and method for detecting fraudulent network usage patterns using real-time network monitoring

Family Cites Families (31)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US4002848A (en) * 1974-11-14 1977-01-11 Reliable Electric Company Toll fraud eliminator for telephone systems
US4159400A (en) * 1978-08-10 1979-06-26 General Telephone Company Of California Toll fraud detector
US4188508A (en) * 1978-08-21 1980-02-12 Brindle Patrick A Telephone call restricting apparatus
US4811378A (en) 1986-08-29 1989-03-07 American Telephone And Telegraph Company, At&T Bell Laboratories Toll fraud control
US4799255A (en) * 1987-01-30 1989-01-17 American Telephone And Telegraph Company - At&T Information Systems Communication facilities access control arrangement
US6185415B1 (en) 1992-03-24 2001-02-06 Atcomm Corporation Call security system
US5351290A (en) * 1992-09-11 1994-09-27 Intellicall, Inc. Telecommunications fraud prevention system and method
US5345595A (en) * 1992-11-12 1994-09-06 Coral Systems, Inc. Apparatus and method for detecting fraudulent telecommunication activity
JP3166943B2 (en) * 1992-12-31 2001-05-14 ソニー株式会社 Database access processing method
US5506893A (en) 1993-02-19 1996-04-09 At&T Corp. Telecommunication network arrangement for providing real time access to call records
TW225623B (en) * 1993-03-31 1994-06-21 American Telephone & Telegraph Real-time fraud monitoring system
US5602906A (en) * 1993-04-30 1997-02-11 Sprint Communications Company L.P. Toll fraud detection system
US5420910B1 (en) 1993-06-29 1998-02-17 Airtouch Communications Inc Method and apparatus for fraud control in cellular telephone systems utilizing rf signature comparison
US5504810A (en) 1993-09-22 1996-04-02 At&T Corp. Telecommunications fraud detection scheme
US5465387A (en) 1993-10-08 1995-11-07 At&T Corp. Adaptive fraud monitoring and control
US5495521A (en) 1993-11-12 1996-02-27 At&T Corp. Method and means for preventing fraudulent use of telephone network
US5438570A (en) * 1993-12-29 1995-08-01 Tekno Industries, Inc. Service observing equipment for signalling System Seven telephone network
US5463681A (en) 1993-12-29 1995-10-31 At&T Corp. Security system for terminating fraudulent telephone calls
US5757895A (en) * 1995-11-09 1998-05-26 Unisys Corporation Extracting and processing data derived from a common channel signalling network
US5592530A (en) * 1995-01-25 1997-01-07 Inet, Inc. Telephone switch dual monitors
US5768354A (en) * 1995-02-02 1998-06-16 Mci Communications Corporation Fraud evaluation and reporting system and method thereof
US5729597A (en) * 1995-05-16 1998-03-17 At&T Corp Service and information management system for a telecommunications network
US5596632A (en) * 1995-08-16 1997-01-21 Mci Communications Corporation Message-based interface for phone fraud system
US5875236A (en) * 1995-11-21 1999-02-23 At&T Corp Call handling method for credit and fraud management
JP3763907B2 (en) * 1995-12-12 2006-04-05 エイ・ティ・アンド・ティ・コーポレーション Method for monitoring signaling messages in a communication network
US5805686A (en) * 1995-12-22 1998-09-08 Mci Corporation Telephone fraud detection system
US5937043A (en) * 1996-11-27 1999-08-10 Mciworldcom, Inc. Mechanism for a system and method for detecting fraudulent use of collect calls
US6327352B1 (en) * 1997-02-24 2001-12-04 Ameritech Corporation System and method for real-time fraud detection within a telecommunications system
US5912954A (en) * 1997-02-28 1999-06-15 Alcatel Usa Sourcing, L.P. Method and system for providing billing information in a telecommunications network
US6085084A (en) * 1997-09-24 2000-07-04 Christmas; Christian Automated creation of a list of disallowed network points for use in connection blocking
FR2838018B1 (en) 2002-03-26 2004-08-20 France Telecom APPARATUS FOR TESTING AN ASYMMETRICAL FLOW LINK

Patent Citations (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US5627886A (en) * 1994-09-22 1997-05-06 Electronic Data Systems Corporation System and method for detecting fraudulent network usage patterns using real-time network monitoring

Cited By (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
WO2000027105A1 (en) * 1998-11-03 2000-05-11 Siemens Aktiengesellschaft Revision method for the detection of network fraud
WO2000052911A2 (en) * 1999-03-01 2000-09-08 Nokia Networks Oy Method and system in a telecommunication system
WO2000052911A3 (en) * 1999-03-01 2001-01-25 Nokia Networks Oy Method and system in a telecommunication system
US7142651B2 (en) 2001-11-29 2006-11-28 Ectel Ltd. Fraud detection in a distributed telecommunications networks
US10250755B2 (en) * 2013-09-13 2019-04-02 Network Kinetix, LLC System and method for real-time analysis of network traffic
US10701214B2 (en) 2013-09-13 2020-06-30 Network Kinetix, LLC System and method for real-time analysis of network traffic

Also Published As

Publication number Publication date
US7248681B2 (en) 2007-07-24
US7058166B2 (en) 2006-06-06
US6567511B2 (en) 2003-05-20
US6327352B1 (en) 2001-12-04
US20020071538A1 (en) 2002-06-13
US7406161B2 (en) 2008-07-29
US20080267375A1 (en) 2008-10-30
AU6664298A (en) 1998-09-22
US20060233337A1 (en) 2006-10-19
US20070242818A1 (en) 2007-10-18
US20030228008A1 (en) 2003-12-11
US7570751B2 (en) 2009-08-04

Similar Documents

Publication Publication Date Title
US6327352B1 (en) System and method for real-time fraud detection within a telecommunications system
US5805686A (en) Telephone fraud detection system
US8170947B2 (en) Fraud detection based on call attempt velocity on terminating number
US5602906A (en) Toll fraud detection system
US7433855B2 (en) System and method for detecting and managing fraud
JPH06350698A (en) Monitoring method with utilization of communication network
US6947532B1 (en) Fraud detection based on call attempt velocity on originating number
CN106937007A (en) System, method and device that a kind of harassing call is reminded
US6570968B1 (en) Alert suppression in a telecommunications fraud control system
US6636592B2 (en) Method and system for using bad billed number records to prevent fraud in a telecommunication system
EP1308020A1 (en) Telecommunications systems
CN110167030B (en) Method, device, electronic equipment and storage medium for identifying crank calls
JP2004527185A (en) System and method for preventing fraudulent calls using a common billing number
US6169724B1 (en) Egress network service monitor
CA2448530A1 (en) Variable length called number screening
CN114338916A (en) Theft-fighting alarm method and system
EP0794649A1 (en) Use monitor for communication system
CN116915904A (en) Call service detection method, device and storage medium
CN111064850A (en) System and method for realizing prevention, control and reminding of crank calls based on communication network

Legal Events

Date Code Title Description
AK Designated states

Kind code of ref document: A1

Designated state(s): AL AM AT AU AZ BA BB BG BR BY CA CH CN CU CZ DE DK EE ES FI GB GE GH GM GW HU ID IL IS JP KE KG KP KR KZ LC LK LR LS LT LU LV MD MG MK MN MW MX NO NZ PL PT RO RU SD SE SG SI SK SL TJ TM TR TT UA UG US UZ VN YU ZW

AL Designated countries for regional patents

Kind code of ref document: A1

Designated state(s): GH GM KE LS MW SD SZ UG ZW AM AZ BY KG KZ MD RU TJ TM AT BE CH DE DK ES FI FR GB GR IE IT LU MC NL PT SE BF BJ CF CG CI CM GA GN ML MR NE SN TD TG

DFPE Request for preliminary examination filed prior to expiration of 19th month from priority date (pct application filed before 20040101)
121 Ep: the epo has been informed by wipo that ep was designated in this application
REG Reference to national code

Ref country code: DE

Ref legal event code: 8642

NENP Non-entry into the national phase

Ref country code: JP

Ref document number: 1998538578

Format of ref document f/p: F

122 Ep: pct application non-entry in european phase