Real-Time Analysis and Prevention of Carrier Fraud - By Andraz Oblak - During iCompetences FRR2013

7/15/2019 Real-Time Analysis and Prevention of Carrier Fraud - By Andraz Oblak - During iCompetences FRR2013 http://slidepdf.com/reader/full/real-time-analysis-and-prevention-of-carrier-fraud-by-andraz-oblak-during 1/32 Real-Time Analysis and Prevention of Carrier Fraud

description

Fraud, Revenue Assurance, and Risk Management are becoming critical to telecom operators, especially in a very challenging business environment where competitive pressure, an uncertain economy, and revenue leakage are intensifying. The International Conference 'Telecom Fraud, Revenue Assurance & Risk Management', produced and organized by iCompetences, is a unique opportunity for networking and sharing best practices around new trends and challenges faced by telecom operators in the prevention of fraud in their telecom networks and the deployment of Revenue Assurance and Risk Management processes. More information at: www.iCompetences.com and www.FRRConference.com. This conference is organized each year (June).

Transcript of Real-Time Analysis and Prevention of Carrier Fraud - By Andraz Oblak - During iCompetences FRR2013

Real-Time Analysis and Prevention of Carrier Fraud

Carrier Fraud Business Background

Fraud is one of the key reasons for carrier revenue loss

Subex study for 2012 shows that over 6 billion USD or 3% of total business volume is lost due to interconnect fraud

Carriers are noticing an increase of interconnect fraud

Various fraud scenarios are often facilitated by a complex environment

Large number of interconnect carriers included in traffic transit

Difficulties in credit risk assessment

Evolution of new services and product offerings

Regulatory framework

Rate variations for same service on different level of interconnects

Due to market competition the level of "acceptable loss" is practically non-existent

Carriers are focusing on quick detection and prevention of carrier fraud

Common Carrier Fraud Scenarios

Carrier own network

SIM-box

Hacked PBX

Traffic generation

Re-filing

Tromboning

Boomeranging

False answer

Late release

Roaming fraud

Premium callback

DoS attacks

Interconnect and roaming partner networks

Typical Fraud Management Process

Analyze: passive service data analytics, active test call generation

Evaluate: case management, clarification, conclusion

Act: legal action, technical blocking

Challenges in the Process

Analyze: passive service data analytics, active test call generation

Evaluate: case management, clarification, conclusion

Act: legal action, technical blocking

Annotations on the process diagram: Delay, Action scope, Delay

Process Challenges - Delay

Network elements often provide service usage data with delay

Time needed to collect data

Usually this data needs to move through some other processing stages (primarily mediation) before it is available for fraud analysis

Time required for fraud analysis

Delay until executing technical action

Time to resolve issue bilaterally with interconnected carrier 

Process Challenges - Scope of Action

Legal and regulatory limitations

Limitation of blacklisting on network elements

Carriers causing fraud are often not connected directly

Process Challenges - Scope of Action

Heksagon Approach

Core Network

Real-time capabilities achieved through call control interfaces to core network

Advanced analytical system evaluating traffic patterns, profile deviations, analyzing test calls and supporting case management

Integrated analytical and real-time solution

Main Features

Processing of real-time data stream from HexRT

Combination with offline data (network elements, mediation, roaming data, IT systems)

Constant analytical evaluation of all collected data for deviations from standard patterns, trends and long-term averages

Matching of collected data with out-of-the-box and user-defined scenarios

Detection of potential fraud violation cases

Case management workflow support

Graphical Fraud Scenario Designer

Processing Features

Combination of real-time and near-real-time service usage data

Real-time feed from HexRT (call-control and RADIUS/DIAMETER)

Raw CDR data from switches

xDR data from SMS-C and platforms

Signalling information from monitoring systems

Test call information

Multi-stage data correlation

Stage 1: all events belonging to one session on one network element

Stage 2: same session across all affected network elements (call path, etc.)

Stage 3: unrelated sessions but corresponding to a specific fraud scenario (e.g. "wangiri")

Evaluation of events corresponding to all active fraud scenarios
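
The three correlation stages above, sketched as an added example that is not part of the original slides or of the HexRT/HexFraud product. The event layout, the element names and the thresholds (ring time, number of distinct targets, time window) are assumptions, and the sample events are constructed.

```python
from collections import defaultdict

def build_sample_events():
    """Constructed events: (session_id, element, event, a_number, b_number, t_seconds)."""
    ev = []
    for i in range(6):  # six short unanswered rings from one A-number
        for el in ("GW1", "MSC1"):
            ev.append((f"w{i}", el, "setup", "A-100", f"B-{i}", 10.0 * i))
            ev.append((f"w{i}", el, "release", "A-100", f"B-{i}", 10.0 * i + 2.0))
    for el in ("GW1", "MSC1"):  # one ordinary answered call
        ev += [("n1", el, "setup", "A-200", "B-9", 5.0),
               ("n1", el, "answer", "A-200", "B-9", 12.0),
               ("n1", el, "release", "A-200", "B-9", 95.0)]
    return ev

def stage1_legs(events):
    """Stage 1: fold all events of one session on one network element into a leg."""
    legs = defaultdict(dict)
    for sid, el, kind, a, b, t in events:
        legs[(sid, el)].update({"a": a, "b": b, kind: t})
    return legs

def stage2_calls(legs):
    """Stage 2: join the legs of one session across elements into a call with its path."""
    calls = {}
    for (sid, el), leg in legs.items():
        if "setup" not in leg or "release" not in leg:
            continue  # leg still in progress or partially collected
        c = calls.setdefault(sid, {"a": leg["a"], "b": leg["b"], "path": [],
                                   "setup": leg["setup"], "release": leg["release"],
                                   "answered": False})
        c["path"].append(el)
        c["setup"] = min(c["setup"], leg["setup"])
        c["release"] = max(c["release"], leg["release"])
        c["answered"] = c["answered"] or "answer" in leg
    return calls

def stage3_wangiri(calls, max_ring=5.0, min_targets=5, window=60.0):
    """Stage 3: match unrelated sessions against one scenario using fixed thresholds."""
    rings = defaultdict(list)
    for c in calls.values():
        if not c["answered"] and c["release"] - c["setup"] <= max_ring:
            rings[c["a"]].append((c["setup"], c["b"]))
    cases = []
    for a, hits in rings.items():
        hits.sort()
        for i, (t0, _) in enumerate(hits):
            targets = {b for t, b in hits[i:] if t - t0 <= window}
            if len(targets) >= min_targets:
                cases.append({"a_number": a, "distinct_targets": len(targets)})
                break
    return cases

def detect(events):
    return stage3_wangiri(stage2_calls(stage1_legs(events)))
```
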

Analytical Features

Ad-hoc analytics of events through OLAP reporting and dashboards

Evaluation of cases according to:

Fixed thresholds

Deviation from average values

Variations from traffic profiles

Standard processed scenarios:

From service usage data: re-filing, SIM box detection, tromboning, hacked PBX, traffic generation, premium callback ("wangiri"), DoS attacks, boomeranging, roaming fraud

Additionally from test call data: false answer, late release

Custom defined scenarios

Fraud Analytics

Handling of Detected Cases

Notification and alerting in case of detected cases

Support of evaluation and decision workflow through case management

Manual application of updated rules to HexRT based on confirmed fraud cases

fraud expert confirms action to apply parameters corresponding to detected case to the real-time platform

Automatic application of additional rules to HexRT

for scenarios which require very fast reaction and for which detection process can clearly identify fraud parameters (e.g. Wangiri, DoS attacks, hacked PBX)

Case Management

High Level Architecture

Call Control

Service Quality Measurement

Fraud Screening and Active Testing

Dynamic Routing Management

INAP/CAMEL/SIP

DIAMETER, RADIUS

Main Features

Module is connected to core network either using SS7 CAP/INAP or SIP protocol

Each call is forwarded to HexRT platform which provides information how to process on switch

Evaluation of call parameters

Low level evaluation of number matching, numeration check, nature of address control, etc.

Complex rules defined by combination of low-level filters

Execution of action according to detected scenario

No interference, Call release, Call re-route, etc.

Rule Definition

Management of HexRT Rules

Standard out-of-the-box scenarios corresponding to typical fraud types

Re-filing of international traffic

Dynamic scenarios automatically extended by detected cases in HexFraud system

Hacked PBX

Traffic generation

Premium callback ("wangiri")

DoS attack

Custom defined rules created through user interface

Exceptions to standard scenarios

Monitoring Console

Challenges of Described Approach

Corresponding call control interfaces required in core network

Increased complexity of call handling

Risk of disturbing live traffic due to incorrect rule definition ("catastrophic" rules blocking significant portions of traffic are automatically deactivated by system, but rules that disturb regular traffic in smaller scales are allowed)
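
The rule model from the Main Features slide (complex rules built from low-level filters, each ending in an action) together with the safeguard named above, as an added example that is not the vendor's implementation. The filter names, the 30% hit ratio and the 20-call minimum sample are assumptions, and the traffic is constructed.

```python
from dataclasses import dataclass
from typing import Callable, Dict, List

Call = Dict[str, str]

# Low-level filters (hypothetical names); each checks one call parameter.
def prefix_in(key: str, prefixes: List[str]) -> Callable[[Call], bool]:
    return lambda call: call[key].startswith(tuple(prefixes))

def nature_is(noa: str) -> Callable[[Call], bool]:
    return lambda call: call["noa"] == noa

@dataclass
class Rule:
    name: str
    filters: List[Callable[[Call], bool]]  # complex rule: every filter must match
    action: str                            # "release" or "reroute"
    active: bool = True
    seen: int = 0
    hit: int = 0

class Screener:
    """Per-call rule evaluation with a guard against rules that hit too much traffic."""

    def __init__(self, rules: List[Rule], max_hit_ratio=0.30, min_sample=20):
        self.rules = rules
        self.max_hit_ratio = max_hit_ratio  # assumed meaning of "significant portion"
        self.min_sample = min_sample        # calls seen before the ratio is trusted
        self.deactivated: List[str] = []

    def decide(self, call: Call) -> str:
        decision = "continue"               # default: no interference
        for rule in self.rules:
            if not rule.active:
                continue
            rule.seen += 1
            if not all(f(call) for f in rule.filters):
                continue
            rule.hit += 1
            if rule.seen >= self.min_sample and rule.hit / rule.seen > self.max_hit_ratio:
                rule.active = False         # guard trips: rule withdrawn, call proceeds
                self.deactivated.append(rule.name)
            elif decision == "continue":
                decision = rule.action
        return decision

def run_demo():
    """Constructed traffic: 100 calls, every tenth from an A-number range starting 99."""
    narrow = Rule("confirmed-range",
                  [prefix_in("a", ["99"]), nature_is("international")], "release")
    broad = Rule("empty-prefix-typo", [prefix_in("b", [""])], "release")  # matches all
    screener = Screener([narrow, broad])
    calls = [{"a": ("99" if i % 10 == 0 else "38") + f"{i:04d}",
              "b": f"386{i:05d}", "noa": "international"} for i in range(100)]
    decisions = [screener.decide(c) for c in calls]
    return screener.deactivated, decisions.count("release"), narrow.active, narrow.hit
```

In the demo the mistyped rule releases 19 calls before the guard withdraws it, which is the residual risk the slide describes: the safeguard bounds the damage of a bad rule but does not prevent it.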

Benefits of Described Approach

Effective combination of advanced analytical features with real-time detection and prevention mechanism

All operational delays reduced to minimum allowing very fast reaction

Possibility to selectively block fraudulent traffic within wider interconnect traffic flow

Collateral benefits:

Better level of visibility and control of interconnect traffic

Improved level of understanding of routing in foreign networks

Detection of SIM boxes and gateways in foreign networks

Deployment Case

OJSC Megafon is one of the leading telecommunication operators in the Russian Federation, currently providing services to more than 64 million subscribers

System HexRT was deployed on the international and long-distance mobile and fixed-line network over 1 year ago

Integration to core network is achieved using CAMEL and INAP protocols

Deployed system allows processing of more than 1000 call attempts per second

Architecture

Diagram labels: Carrier, STP, SSP, Core network, INAP/CAMEL, HexRT (two instances), HexFraud, HexLCR, Management module, rules provisioning within configuration MMLs

Results

Analyzed scenarios:

Re-filing of international traffic

Invalid national traffic

Traffic generation to premium destinations

Call-back schemes ("wangiri")

SIM-box traffic termination

Boomeranging

Tromboning

From commercial standpoint complete investment in this project was fully returned within the first year of operation

Q & A

Backup slides: Company Introduction

Company Introduction

Heksagon Group - software development company with background in designing, building and implementing telecommunication IT systems

Specialized in solutions for comprehensive fraud management, routing management and traffic analysis for telecommunication operators

Headquarters in Cyprus

Main development site in Slovenia

Offices in Cyprus, Slovenia, Russia, Germany and USA

Selected Reference

OAO MTT - Russia

OAO MGTS - Russia

OAO Megafon - Russia

OAO MTS - Russia

Callax group - Germany

Dialround - USA

010012 GmbH - Germany

CSC Telecom - Estonia, Lithuania, Latvia

Heksagon Products

HexLCR: Optimal Price and Routing Management System

HexTraffic: Mediation and analytics of network traffic data

HexRT: Real-time fraud control and prevention

HexFraud: Detection and analysis of carrier fraud.