CA2114155C

CA2114155C - Real-time fraud monitoring system

Info

Publication number: CA2114155C
Application number: CA002114155A
Authority: CA
Inventors: Wayne E. Relyea; Suzanne E. Ronca
Original assignee: American Telephone and Telegraph Co Inc
Current assignee: AT&T Corp
Priority date: 1993-03-31
Filing date: 1994-01-25
Publication date: 1998-01-27
Anticipated expiration: 2014-01-25
Also published as: EP0618713A3; AU5767194A; DE69427317T2; JP3723235B2; DE69427317D1; EP0618713A2; CA2114155A1; JPH06350698A; KR940023085A; US5706338A; EP0618713B1; TW225623B

Abstract

Increased network security is provided by monitoring in real time one or more characteristics or attributes of telephone calls that are placed through the network and notifying the network customer, in real time, when the attributes are indicative of abnormal or fraudulent network usage. The subscriber, once notified of the abnormal usage, is in a position to take steps to minimize unauthorized network usage. For example, the subscriber can selectively block network usage, deny access to the network on a call-by-call basis, or trace the call to catch the unauthorized user while the call is still in progress.

Description

2~1415~

REAL-TIME FRAUD MONITORING SYSTEM

Technical Field This ~ ' relates to systems for ~ usage on a teleconh ' -network and, more pardcularly, to systems for monitoring network usage in real dme.

S ''~ "~.Jundof the Invendon There are cmrently many situations in which telecommunications ~c~ . ~c are usedby indi~ls without authorization. This unauthorized use places a large financial burden on the endq which owns the network or pays for use of the network. Certain telecommu - - - - o h. ' , such as those n~ ~. J~k.~t which allow access to network fi~ s 10 through the use of an authorizadon code or toll-free ~ one number ("800 number"), are pardcularly suscepdble to such unauthorized use. A Software Defined N ~.J.k (SDN) is one examp!e of such a t~c~o----wnicadons netvork. A SDN is a network in which sharedtransmission and i,.. ' ~ lE facilides are configured under son~ control through the use of a database to provide a network customer (hereafter referred to as "the ' ' sr") with the IS capabilities of a private network. SDNs having a "remote access" capability allow access to the software-defined private network facilides from off ~ .J.I~ ~an;c - This feature is usefuL for exa nple, for allowing a busin~ r - - t~A~ " g outside c~ ~F ~y p~ es to gain access to the company's private network. Though useful and convenient, this remote access capability may present a security ris',c to the ne~vork customer (hereafter refer ed to as "the 20 subssriber") who is responsible for paying for network usage. In pardcular, the same authonzadon code that gives the businessperson access to the network can be used by unauth~ized users to gain access to the network.
Cu~rent methods for detecdng and prevendng unauthorized use of a con ' '~
network have not adoquately addressed the ~ For example, systems which detect fraud 2S based on data obtained at the end of the billing cycle do not provide i Jfr- - Iy timely information. By the dme the in~ ~ - bcco--~s a. ' b!c to the owner of the private network, large amounts of fraudulent usage could already have o.,c~-~d. Other methods for daling with the problem of unauthoriLed use involve automadcally denying or ~ ring access to the network when abnonna1 use is i~ A Systems which use this technique may 30 annoy vAlid users of the network whose authorized calls are blosked inadvertently. Also, ystems which automadcally deny acsess encourage ..&L.~" seeking access to the network ~ ~ t ~ ' - -r; ~ }

2 2 1 ~
o try other authorizadon codes or points of entry to the network. Such systems do not provide a means for catching unauthorized users.

Summarv of the Invention Inawed networlc security is p.u.id~d in accordance with the invendon by i g S in real dme one or more chalacterisdcs or attdbutes of telephone calls that are placed through the network and nodfying the subscriber, in real dme, when the attdbutes are indicadve of r~ r-~~ fraudulentnetworlcusage. The ~ ,oncenodfiedofthe~ mlusage, is in a posidon to take steps to minimize unauthorized networlc usage. For example, the ~ I ~iter can selc~el~ block network usage, deny access to the network on a call-by-call 10 basis, ~ trace the call to catch the unauthorized user while the call is sdll in progress.
In an e%emplary embodiment of the invendon, thresholds indicadve of a~ r -' network usage are established by: t rihe-5 Calls placed in the network chargeable to a subscriber are m~nitored on an ongoing basis. In particular, selected attributes of a call in-progress are obtained or dGdved from data ~ v.;~xl in real dme from the billing record for 15 the call. The attdbutes of the call are ~,.~sscd to determine whether those attributes exceed one or more of the established thresholds set by the s~Jbs- ~ il~. . If a threshold is e ccr~-~
the ~ er is immediately nodfied so that the: b~ ikr can authorize and direct ~ ~ -prevendve action with respect to the call or othenvise modify access to the s~bs--i~,. s network Alt~ ly, some pre-authorized acdon, such as blccLing b~ . calls, can 20 be talcen automadcally and without ~: ~ e the br~ ' when a threshold is e-c~

Brief Desc'r~ - of the Drawinoc In the drawings~
FIG. 1 is a simplified blocl~ diagram of an illustradve e---bc~ nt of a comm - ~netwadc which includes a networlc usage monitoring system coa~ .t~d in accordance with 25 the principles of the invendon;
FIG. 2 is a bloclt diagram of the format of a typical record stored in the fraudmonitoring ~ ss~ of FIG. l; and FIGs. 3 and 4 are flow charts of an exemplary process for determining in real dme whether the atlributes of a call indicate abnormal network usage.

Detailed r~e--'Pq :;
Referring now to the J~,g~, FIG. 1 shows a cr 1~ network 10 which illustradvely is an SDN configured for a ~,bs(-i~,. C~mm~lnications network 10 includes ' ' 3 2 1 ~
' hree ~' ~e~c - custoiner p.~ s which belong to the ' ~brr, namely, subscriber locations 12, 14, and 16. Sl~b ' ~c - Y 12, 14, and 16 are interc- ~stP~ through an int~ gc (IXC) netwo~ic 18. IXC netwodc 18 includes IXC ~ s 20, 22, and 24, a ~ - ~ 25 f~ implementing the SDN, a processing rneans 26 for collecting billing (referred 5 to ~ as "billing data CQ~ 26"), and a processing means 28 for analyz~ng aspects of the billing data to detect z ' ~cr--~ ~' netwarlc usage (h( _d~. referrcd to as "fraud - - ~1 g p~.~s~r 28").
The principles of the ~ ~ - - will be illustrated by d~ibing the process by which the attributes of a i l~p~ - - call, placed by a calling party at b~ r-her locadon 12 to a called 10 party at subscriber locadon 14, are monitoled to detect abnonnal usage of network 10. In this exampb, a call placed from a telephone stadon 30 at subscriber locadon 12 is e-b-~d through a private branch exchange (PBX) 32 and routed through IXC switches 20 and 22 of IXC network 18 to subscriber locadon 14. At ~S~ibçr location 14, the call passes via a PBX 34 to the called party at i l ~h~ ~ stadon 36. Remote access to network 10 is plo.idcd lS to callers outside of the nctwork, for exarnple, at a l~:h~' ~ne stadon 37, via PBX 32. - ;-Billing data C~ ~tl~r 26 collects from IXC switch 20 data that will be used for purpose of billing the call placed from t~'e~ e stadon 30. Billing data cQIlect~r 26 receives the data from IXC switch 20 and generates a call detail record which contains all or some pordon of the data ~ce;~ from IXC switch 20. A ~' ~e - call detail record is 8 ~ for each and -20 every billed call. Billing data coll~b,, 26 g a~cs the call detail record in real dme. As used herein, a record is said to be generated in "real dme" if the record is generated either soon after the call has terminated or whilc the call is in-progress. (A call is said to be "terminated" when the c; ~ between the calling and called pardes is broken.) Billing data co~ 26 can be any suitable or convenient ~ e~ g means which collects 2S informadon about a call in real dme. One suitable embodiment of billing data coll~r~or 26 is d~,-;~d in commody-owned, copending U.S. patent a~ r Serial No.
f~ed February 23, 1993, entitbd "Telecommunicadon I'~IT_~.J~I~ Arrangement For Providing Real rlme Access To Call Records," which is hereby incorporated by ,ef~
In ~nce with the ~ fraud monitoring l, ~c,sso~ 28 is p.~.idcd to receive 30 call detail roc~ds, in ceal time, from billing data colL~r~r 26. Fraud ~ _ In~essor can be embodied as a resident application on billing data cQll~r~or 26 or, in the al~.,...at;~
as a separate l>.u~o downstream from billing data cQllect~r 26 (or several billing data CQIl~ Fraud monitoring ~ c 28 uses the call attributes that are stored in a call detail ~ecord as ~ below to derive various indices (e.g., average call duradon for calls 3S made using a selected authorizadon code). Fraud monitoring p.~CSS~l then compares thé call attributes and/orderived indices with ~ thresholds which the: bs iher (perhaps with 4 2~141~;~
he assistance of the t~!~r~ ~ne service p,o.i~.) has previously selected orestablished as being indicative of abno mal network usage. The thresholds are established by the ~.~I,s~ in view of the sl ~ ~ikr's panicular needs or p,~f~ -~ nces When the att~ibutes of a caU being analyzed indicate that the caU , s~ ts an S abnormd use ~ potentially unauthorized use of the networlc (f~ example, an attribute exce,eds a ~ r~d threshold), fraud monitoring processor 28 communicates with: bs ih~r ~ ~ ~e s 16 to alert the - ~s ~ ibCr of the abnormal use. Fraud monitoring I ,- 28id~ ~;rirs to the subscriber premises that the caU is abnormd by communicating direcdy with a bs: iher worlcstation 38. ~Iternatively, fraud monitoring ~ u~,~S3~ 28 ~ ~ through IXC
networlc 18 via interexchange switches 20 and 24, and through a PBX 40 at - bs~
premises 16. PBX 40 then communicates with customer premise equipment, such as a fax machine 42 ~ a printer 44, to give the subscriber nodce in rea1 dme of the a~ r---~ use.
Alternadvely, the ~ - rih~r could be nodfied of abnorrnal use by a tel~ call. The ~k ~ can ~l~ti~ block network usage, deny access to the network on a call-by-call lS basis, trace the caU to catch the unauthorized user while the call is sdll in progress, or take other ar, ~op ~ acdon, such as by nodfying the ~ r - service ~ u.id~. or modifying the SDN database.
In another preferred e_-bs'- ~. the l_~r~ ~~ service l,.u.;der, such as the interexchange carrier, automadcally takes some pre-authori sd action in ~--r~~~ to a threshold being e~rcç~d For example, the s ~ may pre: -' i7P the l I ph~
~e~vice provider to interrupt calls in-prûgress when it is determined (in real dme) that a threshold indicadve of abnormal network usage has been e~ ed~1 Such pre-a ti-ori7~d acdon can be talcen autornadcally, without nodfying or ec ~ m~raneously with notifying the subscriber that a threshold has been e~ce<~kd 2S Once a caU detail record for a call has been ~,.u,e;,~d and it is determined that none of the predetermined thresholds have been e-e~d~, fraud monitoring p u~sso~ 28 will preferably discard its copy of the caU detail record. Discarding reco~ds in this manner minimi_es the storage capacity required within fraud monitoring p ~essûr 28. While the aetual da~ eontained in the record are not necessarily retained, sebcted indices that are affeeted by ~ ealeulated from the data arc maintained. For example, informadon such as the average eaU duradon. the number of calls placed under each authc - ~r code, or other such information is maintained as a "running total."
As mendoned abo~ve, a call detail record is e - ~ either during a call or after the call has terminated. A call detail record that is g ~r -~ after the caU is terminated typically 3S eontains more informadon than a record that is generated while a call is in progress. For exampb, in the former case, the call detail record may include informadon specifying the total 5 211415~
~uration of the call, while in the lat~ case, such information is unavailable. Nevertheless, records formed while a call is in-progress can be analyzed and the information utilized while the caUer is stiU on the line. Such information can be advantageously used, for example, in fraud ~t--- and tracing.
FIG. 2 shows the structure of an exemplary call detail record S0 received by fraud monitonng ~ ~ 28. Call detail record S0 includes one or more key data fields S2 (the contents of which are shown in the drawing as "Record i"), which I c, ~!~ identify the record. Attribute data in each record are designated 54-1 through S4-N, where N indicates the number of different attributes or cha~ 5 of the call which the record ~< 5~ dk 5 In the context of long distance calling, these attributes may include the calling number (54-1), the time of access (54-2), the terrninating (called) number (54-3), the call duradon (54-4), an indication of whether the call was c~ t or incomplete (54-5), the authorization code or 800 number used to gain acc-ss to the network (54-6), the type of ~ g --- lg station (e.g., a pay phone, ordinary ~ e, etc.) (54-7), or other ~ - b~. (54-N) which idendfy the call lS and may be useful in determining whether the call l.r-- an a' .~1 use of the communication network for the subscriber.
The networlc usage monitoring c~. N ~ s of the in~enlion are a~ '~le to several different types of communicadons ~ ~. J~I~S. For example, all calls made from a ~ub ' 's p.~ s can be monitored to detect abnormal usage. Alternadvely, tnonitoring can be limited to situations in which access to r~.~h;~ ,d network f~ es is granted, for example, on the basis of an authorizadon code l,.u.;d~d by the calling party, the calling party's i ':ph~
number, or by dialing an 800 number.
FlGs. 3 and 4 show flow charts of an exemplary method for monitoring network usage in real dme to detect P~ ~- ~~ ~' usage. The process begins on FIG. 3 at step 100, where a real 2S dme call detail record, such as the call detail record of FIG. 2, is received by fraud ;ng .ccs3~r 28. Fraud monitoring p.~c< ~cor 28 first t~ s the call type from the attributes in the call detail record (step 102). For example, the call detail record indicates whether the call is an SDN cellular call, an SDN or remote network access call (e.g., from an off n( ~. J~l!.
location swh as b~:kp' - ~ stadon 37 of FIG. 1) requiring an aulh.,.;~io~ code, or a remote network access call through an 800 number access.
Once the call type is identified, fraud monitodng &.u~e~ 28 detern~ines from the call detail record the calling number, authorizadon code, or originadng 800 number ~ appropriate f~ the call type (step 104). For the purpose of this ill r~ - ~ and the l~-n~ er of FIGs.

3 and 4, it will be assumed that the call was placed using an aulh~ ~ P~q code, and that fraud 3S monitoring processor 28 has obtained that authorizadon code from the call detail record.
Fraud monitoring processor 28 then determines from the call detail record the terminadng 6 2 1 1 ~
~, ' number (or terminating NPA/country code) of thc call (step 106).
At this point in the process, fraud ~ O~;-lg p vcessol 28 begins to analyze the call attributes. For cxampb, the ~ Ol d~te- - - - s. in step 108, whether thc call is a c~ . ' call, that is, whether the call has been answered If the call has been complcted, fraud monitonng ~ ~ 28 ~ . ts a counter which maintains a count of ,~: d calls for the particular authorization code under which the call was placed (step 110). If the call is incomplete, that is, the call is l n._ x' by the called party, f~ e ~ C~SSol 28 increments a counter which maintains a count of ~ - - l~lc ~ calls for the auth ~ - - code under which the call was placed (step 112). Fraud monitonng ~ 28 also derives for the authorization code the percentage of incomplete calls (stcp 118). The incomplete call percentage is calculated using information held by counters and obtained in steps 110 and 112.
Assuming the call detail record was generated after termination of a call, the call detail r?~ will include the call duradon (also referred to herein as the "holding dme"). In this case, fraud monitoring ~ ,cessol 28 will ~ ~ a counter which maintains a record of the total call duradon, i.e., the total usage, for the au~ code under which the call was inidated (step 114). Fraud monitoring l,.~ss~ 28 also will derive the average holding time for calls placed using the authorization code (step 116).
Referring now to FIG. 4, fraud monitoring l, ~es~. 28 then ~ s, from infonnation contained in thc call detail record, the ~ _ ~ e NPA or country code of the call (step 120). The ~ esY,- deterrnincs whetha this is the first appearance of this NPA or country code for this authorization code (step 122). If it is the first appearance, the ~).~ess~r increments a counter (step 124) that tracks the number of ~ '~c~e ~ NPAs and country codes from which calls have been made using the authorization code. If instead it is the second or later appearance of an NPA/country code, processing continues to step 126.
2S Having obtained or derived the various stadsdcal values for a caJI, fraud ~ ring processor 28 compares the stadsdcal values with thresholds ~ -?~ sly established by the ?i bscr~?t~ f~theauthorizadoncode(step126). AblC~--'netwo*usageis~~ if any of the stadsdcal values e~coed one or more of the p~ thresholds. As shown in step 128, for e~mp1e, if the total number of calls, total number of minutes of call duration, the number of incomplete calls, or the number of ~;ff~.~,-'l NPAs/country codes exceed the prodetermined thresholds established by the L ~~ for that auth~ ~ --- code, the subscriber is nodfied of the ?~ ~amq1 network usage (step 130). Similarly, as shown in step 132, fraud monitoring p ~ 28 can determine whether the average holding dme is above or bebw the bounds of the threshold for average holding dme for the pardcular au~
3S code. If so, the subscriber is nodfied (step 134).
It is to be un~.~l~od that although various indices and calculadons have been 7 2II~Ir~5 L~.i~d above as being calculated for a given authodzadon code, the indices couldalternatively be calculated based on the calling number (e.g., calculate average holding time f~ calls placed from a particular calling number), the 800 number used to gain access to the n~ ~.J~ or the subscdber's calls as a whole. Similarly, the thtesholds set by the: kcrikr S to indicate abnormal network usage can be s,~if;cd individually for each autho~izadon code, calling number, ~ 800 number used to access the networL or can be "~;f~d by the ' s ~- in a mcre universal manner. It also is vithin the ssope of the invention to derive and, ~ separate indices and thresholds f~ calls placed to selected h ~ ' _ Ir - lS
As used herein, Nterminating locations" ~ ' ' s, for example, ~ ~ ;ng '-rs 10 ter g NPAs and terminating country codes.
Of course, one skilled in the art will al r ~ ~I that criteria other than those d< ~ - ik~
in FlGs. 3 and 4 could be used to detetmine whether there is abnotmal net~vork usage without depardng from the scope or spirit of the ~ ._ - For . ' . fraud monitonng ~, .ce;.~
28 could be corllfigured to nodfy the b ~-~r in real dme ~ ~ a call is placed to a 15 country code that is on a list of prohibited country codes.
In accordance with another feature of the Invendon, eash of the stadsdcal values and counted values A~ 5~ .ikd above can be cbared or reset after a y~,A~ uined period of time as selected by the subscriber. This enables the s '~ sc~ to monitor the network usage for a patticular calling number or access code on any ~ 1-_ - - basis. For ~ 'e. the calls 20 made under a selected access code can be monitored on a daily basis if a 2~hour period would provide useful il r ~ -_ tO the bs~ ly, the calls made under that access code could be monitored on a weekly or monthly basis.
It will be understood that the foregoing is merely illustradve of the principles of the invendon, and that various modificadons can be made by those skilled in the art without 2S depardng from the ssope and spi it of the invention.

Claims

1. A method for monitoring usage of a communications network to detect abnormal usage thereof, the method comprising the steps of:
receiving in real time a plurality of predetermined attributes of a telephone call;
processing the plurality of attributes to identify abnormal usage; and notifying a subscriber in real time of the occurrence of the abnormal usage.

2. The invention as described in claim 1 wherein the plurality of predetermined attributes are received while the call is in-progress.

3. The invention as described in claim 1 wherein the processing step comprises:
comparing selected ones of the plurality of attributes with corresponding predetermined thresholds, the predetermined thresholds being indicative of abnormal network usage; and returning an indication that the call represents an abnormal use of the network if any of the selected ones of the plurality of attributes exceeds its corresponding predetermined threshold.

4. The invention as described in claim 3 wherein the plurality of predetermined thresholds are indicative of abnormal usage for calls originating from a predetermined originating telephone number.

5. The invention as described in claim 3 wherein the plurality of predetermined thresholds are indicative of abnormal usage for calls placed using a predetermined authorization code.

6. The invention as described in claim 3 wherein the plurality of predetermined thresholds are indicative of abnormal usage for calls placed using a predetermined 800 number.

7. The invention as described in claim 3 wherein the plurality of predetermined thresholds are indicative of abnormal usage for calls placed to a predetermined termination location.

8. The invention as described in claim 1 wherein the processing step comprises:
processing at least one of the attributes to derive at least one additional value indicative of a pattern of network usage;
comparing the additional value with a predetermined threshold, the predeterminedthreshold being indicative of abnormal network usage; and returning an indication that the call represents an abnormal use of the network if the additional value exceeds the predetermined threshold.

9. The invention as described in claim 1 further comprising the step of modifying, in real time, access to the network in response to feedback from the subscriber.10. The invention as described in claim 9 wherein the modifying step comprises automatically blocking a subsequent telephone call having predetermined attributes specified by the subscriber.