CA2114155C - Real-time fraud monitoring system - Google Patents
Real-time fraud monitoring systemInfo
- Publication number
- CA2114155C CA2114155C CA002114155A CA2114155A CA2114155C CA 2114155 C CA2114155 C CA 2114155C CA 002114155 A CA002114155 A CA 002114155A CA 2114155 A CA2114155 A CA 2114155A CA 2114155 C CA2114155 C CA 2114155C
- Authority
- CA
- Canada
- Prior art keywords
- call
- network
- usage
- predetermined
- abnormal
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Expired - Lifetime
Links
Classifications
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04M—TELEPHONIC COMMUNICATION
- H04M15/00—Arrangements for metering, time-control or time indication ; Metering, charging or billing arrangements for voice wireline or wireless communications, e.g. VoIP
- H04M15/47—Fraud detection or prevention means
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04M—TELEPHONIC COMMUNICATION
- H04M7/00—Arrangements for interconnection between switching centres
- H04M7/006—Networks other than PSTN/ISDN providing telephone service, e.g. Voice over Internet Protocol (VoIP), including next generation networks with a packet-switched transport layer
- H04M7/0081—Network operation, administration, maintenance, or provisioning
- H04M7/0084—Network monitoring; Error detection; Error recovery; Network testing
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04M—TELEPHONIC COMMUNICATION
- H04M15/00—Arrangements for metering, time-control or time indication ; Metering, charging or billing arrangements for voice wireline or wireless communications, e.g. VoIP
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04M—TELEPHONIC COMMUNICATION
- H04M3/00—Automatic or semi-automatic exchanges
- H04M3/22—Arrangements for supervision, monitoring or testing
- H04M3/36—Statistical metering, e.g. recording occasions when traffic exceeds capacity of trunks
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04M—TELEPHONIC COMMUNICATION
- H04M3/00—Automatic or semi-automatic exchanges
- H04M3/38—Graded-service arrangements, i.e. some subscribers prevented from establishing certain connections
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04M—TELEPHONIC COMMUNICATION
- H04M3/00—Automatic or semi-automatic exchanges
- H04M3/42—Systems providing special services or facilities to subscribers
- H04M3/4228—Systems providing special services or facilities to subscribers in networks
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04Q—SELECTING
- H04Q3/00—Selecting arrangements
- H04Q3/0016—Arrangements providing connection between exchanges
- H04Q3/0029—Provisions for intelligent networking
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04Q—SELECTING
- H04Q3/00—Selecting arrangements
- H04Q3/58—Arrangements providing connection between main exchange and sub-exchange or satellite
- H04Q3/62—Arrangements providing connection between main exchange and sub-exchange or satellite for connecting to private branch exchanges
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04M—TELEPHONIC COMMUNICATION
- H04M2203/00—Aspects of automatic or semi-automatic exchanges
- H04M2203/60—Aspects of automatic or semi-automatic exchanges related to security aspects in telephonic communication systems
- H04M2203/6027—Fraud preventions
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04M—TELEPHONIC COMMUNICATION
- H04M2215/00—Metering arrangements; Time controlling arrangements; Time indicating arrangements
- H04M2215/01—Details of billing arrangements
- H04M2215/0148—Fraud detection or prevention means
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04Q—SELECTING
- H04Q2213/00—Indexing scheme relating to selecting arrangements in general and for multiplex systems
- H04Q2213/13092—Scanning of subscriber lines, monitoring
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04Q—SELECTING
- H04Q2213/00—Indexing scheme relating to selecting arrangements in general and for multiplex systems
- H04Q2213/13093—Personal computer, PC
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04Q—SELECTING
- H04Q2213/00—Indexing scheme relating to selecting arrangements in general and for multiplex systems
- H04Q2213/13095—PIN / Access code, authentication
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04Q—SELECTING
- H04Q2213/00—Indexing scheme relating to selecting arrangements in general and for multiplex systems
- H04Q2213/13097—Numbering, addressing
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04Q—SELECTING
- H04Q2213/00—Indexing scheme relating to selecting arrangements in general and for multiplex systems
- H04Q2213/13103—Memory
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04Q—SELECTING
- H04Q2213/00—Indexing scheme relating to selecting arrangements in general and for multiplex systems
- H04Q2213/1313—Metering, billing
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04Q—SELECTING
- H04Q2213/00—Indexing scheme relating to selecting arrangements in general and for multiplex systems
- H04Q2213/13139—Fraud detection/prevention
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04Q—SELECTING
- H04Q2213/00—Indexing scheme relating to selecting arrangements in general and for multiplex systems
- H04Q2213/13179—Fax, still picture
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04Q—SELECTING
- H04Q2213/00—Indexing scheme relating to selecting arrangements in general and for multiplex systems
- H04Q2213/13204—Protocols
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04Q—SELECTING
- H04Q2213/00—Indexing scheme relating to selecting arrangements in general and for multiplex systems
- H04Q2213/13216—Code signals, frame structure
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04Q—SELECTING
- H04Q2213/00—Indexing scheme relating to selecting arrangements in general and for multiplex systems
- H04Q2213/1322—PBX
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04Q—SELECTING
- H04Q2213/00—Indexing scheme relating to selecting arrangements in general and for multiplex systems
- H04Q2213/13284—Call tracing
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04Q—SELECTING
- H04Q2213/00—Indexing scheme relating to selecting arrangements in general and for multiplex systems
- H04Q2213/13383—Hierarchy of switches, main and subexchange, e.g. satellite exchange
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04Q—SELECTING
- H04Q2213/00—Indexing scheme relating to selecting arrangements in general and for multiplex systems
- H04Q2213/13512—800 - freefone
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04Q—SELECTING
- H04Q2213/00—Indexing scheme relating to selecting arrangements in general and for multiplex systems
- H04Q2213/13515—Indexing scheme relating to selecting arrangements in general and for multiplex systems authentication, authorisation - fraud prevention
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04Q—SELECTING
- H04Q2213/00—Indexing scheme relating to selecting arrangements in general and for multiplex systems
- H04Q2213/13545—Indexing scheme relating to selecting arrangements in general and for multiplex systems monitoring of signaling messages, intelligent network
Abstract
Increased network security is provided by monitoring in real time one or more characteristics or attributes of telephone calls that are placed through the network and notifying the network customer, in real time, when the attributes are indicative of abnormal or fraudulent network usage. The subscriber, once notified of the abnormal usage, is in a position to take steps to minimize unauthorized network usage. For example, the subscriber can selectively block network usage, deny access to the network on a call-by-call basis, or trace the call to catch the unauthorized user while the call is still in progress.
Description
2~1415~
REAL-TIME FRAUD MONITORING SYSTEM
Technical Field This ~ ' relates to systems for ~ usage on a teleconh ' -network and, more pardcularly, to systems for monitoring network usage in real dme.
S ''~ "~.Jundof the Invendon There are cmrently many situations in which telecommunications ~c~ . ~c are usedby indi~ls without authorization. This unauthorized use places a large financial burden on the endq which owns the network or pays for use of the network. Certain telecommu - - - - o h. ' , such as those n~ ~. J~k.~t which allow access to network fi~ s 10 through the use of an authorizadon code or toll-free ~ one number ("800 number"), are pardcularly suscepdble to such unauthorized use. A Software Defined N ~.J.k (SDN) is one examp!e of such a t~c~o----wnicadons netvork. A SDN is a network in which sharedtransmission and i,.. ' ~ lE facilides are configured under son~ control through the use of a database to provide a network customer (hereafter referred to as "the ' ' sr") with the IS capabilities of a private network. SDNs having a "remote access" capability allow access to the software-defined private network facilides from off ~ .J.I~ ~an;c - This feature is usefuL for exa nple, for allowing a busin~ r - - t~A~ " g outside c~ ~F ~y p~ es to gain access to the company's private network. Though useful and convenient, this remote access capability may present a security ris',c to the ne~vork customer (hereafter refer ed to as "the 20 subssriber") who is responsible for paying for network usage. In pardcular, the same authonzadon code that gives the businessperson access to the network can be used by unauth~ized users to gain access to the network.
Cu~rent methods for detecdng and prevendng unauthorized use of a con ' '~
network have not adoquately addressed the ~ For example, systems which detect fraud 2S based on data obtained at the end of the billing cycle do not provide i Jfr- - Iy timely information. By the dme the in~ ~ - bcco--~s a. ' b!c to the owner of the private network, large amounts of fraudulent usage could already have o.,c~-~d. Other methods for daling with the problem of unauthoriLed use involve automadcally denying or ~ ring access to the network when abnonna1 use is i~ A Systems which use this technique may 30 annoy vAlid users of the network whose authorized calls are blosked inadvertently. Also, ystems which automadcally deny acsess encourage ..&L.~" seeking access to the network ~ ~ t ~ ' - -r; ~ }
2 2 1 ~
o try other authorizadon codes or points of entry to the network. Such systems do not provide a means for catching unauthorized users.
Summarv of the Invention Inawed networlc security is p.u.id~d in accordance with the invendon by i g S in real dme one or more chalacterisdcs or attdbutes of telephone calls that are placed through the network and nodfying the subscriber, in real dme, when the attdbutes are indicadve of r~ r-~~ fraudulentnetworlcusage. The ~ ,oncenodfiedofthe~ mlusage, is in a posidon to take steps to minimize unauthorized networlc usage. For example, the ~ I ~iter can selc~el~ block network usage, deny access to the network on a call-by-call 10 basis, ~ trace the call to catch the unauthorized user while the call is sdll in progress.
In an e%emplary embodiment of the invendon, thresholds indicadve of a~ r -' network usage are established by: t rihe-5 Calls placed in the network chargeable to a subscriber are m~nitored on an ongoing basis. In particular, selected attributes of a call in-progress are obtained or dGdved from data ~ v.;~xl in real dme from the billing record for 15 the call. The attdbutes of the call are ~,.~sscd to determine whether those attributes exceed one or more of the established thresholds set by the s~Jbs- ~ il~. . If a threshold is e ccr~-~
the ~ er is immediately nodfied so that the: b~ ikr can authorize and direct ~ ~ -prevendve action with respect to the call or othenvise modify access to the s~bs--i~,. s network Alt~ ly, some pre-authorized acdon, such as blccLing b~ . calls, can 20 be talcen automadcally and without ~: ~ e the br~ ' when a threshold is e-c~
Brief Desc'r~ - of the Drawinoc In the drawings~
FIG. 1 is a simplified blocl~ diagram of an illustradve e---bc~ nt of a comm - ~netwadc which includes a networlc usage monitoring system coa~ .t~d in accordance with 25 the principles of the invendon;
FIG. 2 is a bloclt diagram of the format of a typical record stored in the fraudmonitoring ~ ss~ of FIG. l; and FIGs. 3 and 4 are flow charts of an exemplary process for determining in real dme whether the atlributes of a call indicate abnormal network usage.
Detailed r~e--'Pq :;
Referring now to the J~,g~, FIG. 1 shows a cr 1~ network 10 which illustradvely is an SDN configured for a ~,bs(-i~,. C~mm~lnications network 10 includes ' ' 3 2 1 ~
' hree ~' ~e~c - custoiner p.~ s which belong to the ' ~brr, namely, subscriber locations 12, 14, and 16. Sl~b ' ~c - Y 12, 14, and 16 are interc- ~stP~ through an int~ gc (IXC) netwo~ic 18. IXC netwodc 18 includes IXC ~ s 20, 22, and 24, a ~ - ~ 25 f~ implementing the SDN, a processing rneans 26 for collecting billing (referred 5 to ~ as "billing data CQ~ 26"), and a processing means 28 for analyz~ng aspects of the billing data to detect z ' ~cr--~ ~' netwarlc usage (h( _d~. referrcd to as "fraud - - ~1 g p~.~s~r 28").
The principles of the ~ ~ - - will be illustrated by d~ibing the process by which the attributes of a i l~p~ - - call, placed by a calling party at b~ r-her locadon 12 to a called 10 party at subscriber locadon 14, are monitoled to detect abnonnal usage of network 10. In this exampb, a call placed from a telephone stadon 30 at subscriber locadon 12 is e-b-~d through a private branch exchange (PBX) 32 and routed through IXC switches 20 and 22 of IXC network 18 to subscriber locadon 14. At ~S~ibçr location 14, the call passes via a PBX 34 to the called party at i l ~h~ ~ stadon 36. Remote access to network 10 is plo.idcd lS to callers outside of the nctwork, for exarnple, at a l~:h~' ~ne stadon 37, via PBX 32. - ;-Billing data C~ ~tl~r 26 collects from IXC switch 20 data that will be used for purpose of billing the call placed from t~'e~ e stadon 30. Billing data cQIlect~r 26 receives the data from IXC switch 20 and generates a call detail record which contains all or some pordon of the data ~ce;~ from IXC switch 20. A ~' ~e - call detail record is 8 ~ for each and -20 every billed call. Billing data coll~b,, 26 g a~cs the call detail record in real dme. As used herein, a record is said to be generated in "real dme" if the record is generated either soon after the call has terminated or whilc the call is in-progress. (A call is said to be "terminated" when the c; ~ between the calling and called pardes is broken.) Billing data co~ 26 can be any suitable or convenient ~ e~ g means which collects 2S informadon about a call in real dme. One suitable embodiment of billing data coll~r~or 26 is d~,-;~d in commody-owned, copending U.S. patent a~ r Serial No.
f~ed February 23, 1993, entitbd "Telecommunicadon I'~IT_~.J~I~ Arrangement For Providing Real rlme Access To Call Records," which is hereby incorporated by ,ef~
In ~nce with the ~ fraud monitoring l, ~c,sso~ 28 is p.~.idcd to receive 30 call detail roc~ds, in ceal time, from billing data colL~r~r 26. Fraud ~ _ In~essor can be embodied as a resident application on billing data cQll~r~or 26 or, in the al~.,...at;~
as a separate l>.u~o downstream from billing data cQllect~r 26 (or several billing data CQIl~ Fraud monitoring ~ c 28 uses the call attributes that are stored in a call detail ~ecord as ~ below to derive various indices (e.g., average call duradon for calls 3S made using a selected authorizadon code). Fraud monitoring p.~CSS~l then compares thé call attributes and/orderived indices with ~ thresholds which the: bs iher (perhaps with 4 2~141~;~
he assistance of the t~!~r~ ~ne service p,o.i~.) has previously selected orestablished as being indicative of abno mal network usage. The thresholds are established by the ~.~I,s~ in view of the sl ~ ~ikr's panicular needs or p,~f~ -~ nces When the att~ibutes of a caU being analyzed indicate that the caU , s~ ts an S abnormd use ~ potentially unauthorized use of the networlc (f~ example, an attribute exce,eds a ~ r~d threshold), fraud monitoring processor 28 communicates with: bs ih~r ~ ~ ~e s 16 to alert the - ~s ~ ibCr of the abnormal use. Fraud monitoring I ,- 28id~ ~;rirs to the subscriber premises that the caU is abnormd by communicating direcdy with a bs: iher worlcstation 38. ~Iternatively, fraud monitoring ~ u~,~S3~ 28 ~ ~ through IXC
networlc 18 via interexchange switches 20 and 24, and through a PBX 40 at - bs~
premises 16. PBX 40 then communicates with customer premise equipment, such as a fax machine 42 ~ a printer 44, to give the subscriber nodce in rea1 dme of the a~ r---~ use.
Alternadvely, the ~ - rih~r could be nodfied of abnorrnal use by a tel~ call. The ~k ~ can ~l~ti~ block network usage, deny access to the network on a call-by-call lS basis, trace the caU to catch the unauthorized user while the call is sdll in progress, or take other ar, ~op ~ acdon, such as by nodfying the ~ r - service ~ u.id~. or modifying the SDN database.
In another preferred e_-bs'- ~. the l_~r~ ~~ service l,.u.;der, such as the interexchange carrier, automadcally takes some pre-authori sd action in ~--r~~~ to a threshold being e~rcç~d For example, the s ~ may pre: -' i7P the l I ph~
~e~vice provider to interrupt calls in-prûgress when it is determined (in real dme) that a threshold indicadve of abnormal network usage has been e~ ed~1 Such pre-a ti-ori7~d acdon can be talcen autornadcally, without nodfying or ec ~ m~raneously with notifying the subscriber that a threshold has been e~ce<~kd 2S Once a caU detail record for a call has been ~,.u,e;,~d and it is determined that none of the predetermined thresholds have been e-e~d~, fraud monitoring p u~sso~ 28 will preferably discard its copy of the caU detail record. Discarding reco~ds in this manner minimi_es the storage capacity required within fraud monitoring p ~essûr 28. While the aetual da~ eontained in the record are not necessarily retained, sebcted indices that are affeeted by ~ ealeulated from the data arc maintained. For example, informadon such as the average eaU duradon. the number of calls placed under each authc - ~r code, or other such information is maintained as a "running total."
As mendoned abo~ve, a call detail record is e - ~ either during a call or after the call has terminated. A call detail record that is g ~r -~ after the caU is terminated typically 3S eontains more informadon than a record that is generated while a call is in progress. For exampb, in the former case, the call detail record may include informadon specifying the total 5 211415~
~uration of the call, while in the lat~ case, such information is unavailable. Nevertheless, records formed while a call is in-progress can be analyzed and the information utilized while the caUer is stiU on the line. Such information can be advantageously used, for example, in fraud ~t--- and tracing.
FIG. 2 shows the structure of an exemplary call detail record S0 received by fraud monitonng ~ ~ 28. Call detail record S0 includes one or more key data fields S2 (the contents of which are shown in the drawing as "Record i"), which I c, ~!~ identify the record. Attribute data in each record are designated 54-1 through S4-N, where N indicates the number of different attributes or cha~ 5 of the call which the record ~< 5~ dk 5 In the context of long distance calling, these attributes may include the calling number (54-1), the time of access (54-2), the terrninating (called) number (54-3), the call duradon (54-4), an indication of whether the call was c~ t or incomplete (54-5), the authorization code or 800 number used to gain acc-ss to the network (54-6), the type of ~ g --- lg station (e.g., a pay phone, ordinary ~ e, etc.) (54-7), or other ~ - b~. (54-N) which idendfy the call lS and may be useful in determining whether the call l.r-- an a' .~1 use of the communication network for the subscriber.
The networlc usage monitoring c~. N ~ s of the in~enlion are a~ '~le to several different types of communicadons ~ ~. J~I~S. For example, all calls made from a ~ub ' 's p.~ s can be monitored to detect abnormal usage. Alternadvely, tnonitoring can be limited to situations in which access to r~.~h;~ ,d network f~ es is granted, for example, on the basis of an authorizadon code l,.u.;d~d by the calling party, the calling party's i ':ph~
number, or by dialing an 800 number.
FlGs. 3 and 4 show flow charts of an exemplary method for monitoring network usage in real dme to detect P~ ~- ~~ ~' usage. The process begins on FIG. 3 at step 100, where a real 2S dme call detail record, such as the call detail record of FIG. 2, is received by fraud ;ng .ccs3~r 28. Fraud monitoring p.~c< ~cor 28 first t~ s the call type from the attributes in the call detail record (step 102). For example, the call detail record indicates whether the call is an SDN cellular call, an SDN or remote network access call (e.g., from an off n( ~. J~l!.
location swh as b~:kp' - ~ stadon 37 of FIG. 1) requiring an aulh.,.;~io~ code, or a remote network access call through an 800 number access.
Once the call type is identified, fraud monitodng &.u~e~ 28 detern~ines from the call detail record the calling number, authorizadon code, or originadng 800 number ~ appropriate f~ the call type (step 104). For the purpose of this ill r~ - ~ and the l~-n~ er of FIGs.
REAL-TIME FRAUD MONITORING SYSTEM
Technical Field This ~ ' relates to systems for ~ usage on a teleconh ' -network and, more pardcularly, to systems for monitoring network usage in real dme.
S ''~ "~.Jundof the Invendon There are cmrently many situations in which telecommunications ~c~ . ~c are usedby indi~ls without authorization. This unauthorized use places a large financial burden on the endq which owns the network or pays for use of the network. Certain telecommu - - - - o h. ' , such as those n~ ~. J~k.~t which allow access to network fi~ s 10 through the use of an authorizadon code or toll-free ~ one number ("800 number"), are pardcularly suscepdble to such unauthorized use. A Software Defined N ~.J.k (SDN) is one examp!e of such a t~c~o----wnicadons netvork. A SDN is a network in which sharedtransmission and i,.. ' ~ lE facilides are configured under son~ control through the use of a database to provide a network customer (hereafter referred to as "the ' ' sr") with the IS capabilities of a private network. SDNs having a "remote access" capability allow access to the software-defined private network facilides from off ~ .J.I~ ~an;c - This feature is usefuL for exa nple, for allowing a busin~ r - - t~A~ " g outside c~ ~F ~y p~ es to gain access to the company's private network. Though useful and convenient, this remote access capability may present a security ris',c to the ne~vork customer (hereafter refer ed to as "the 20 subssriber") who is responsible for paying for network usage. In pardcular, the same authonzadon code that gives the businessperson access to the network can be used by unauth~ized users to gain access to the network.
Cu~rent methods for detecdng and prevendng unauthorized use of a con ' '~
network have not adoquately addressed the ~ For example, systems which detect fraud 2S based on data obtained at the end of the billing cycle do not provide i Jfr- - Iy timely information. By the dme the in~ ~ - bcco--~s a. ' b!c to the owner of the private network, large amounts of fraudulent usage could already have o.,c~-~d. Other methods for daling with the problem of unauthoriLed use involve automadcally denying or ~ ring access to the network when abnonna1 use is i~ A Systems which use this technique may 30 annoy vAlid users of the network whose authorized calls are blosked inadvertently. Also, ystems which automadcally deny acsess encourage ..&L.~" seeking access to the network ~ ~ t ~ ' - -r; ~ }
2 2 1 ~
o try other authorizadon codes or points of entry to the network. Such systems do not provide a means for catching unauthorized users.
Summarv of the Invention Inawed networlc security is p.u.id~d in accordance with the invendon by i g S in real dme one or more chalacterisdcs or attdbutes of telephone calls that are placed through the network and nodfying the subscriber, in real dme, when the attdbutes are indicadve of r~ r-~~ fraudulentnetworlcusage. The ~ ,oncenodfiedofthe~ mlusage, is in a posidon to take steps to minimize unauthorized networlc usage. For example, the ~ I ~iter can selc~el~ block network usage, deny access to the network on a call-by-call 10 basis, ~ trace the call to catch the unauthorized user while the call is sdll in progress.
In an e%emplary embodiment of the invendon, thresholds indicadve of a~ r -' network usage are established by: t rihe-5 Calls placed in the network chargeable to a subscriber are m~nitored on an ongoing basis. In particular, selected attributes of a call in-progress are obtained or dGdved from data ~ v.;~xl in real dme from the billing record for 15 the call. The attdbutes of the call are ~,.~sscd to determine whether those attributes exceed one or more of the established thresholds set by the s~Jbs- ~ il~. . If a threshold is e ccr~-~
the ~ er is immediately nodfied so that the: b~ ikr can authorize and direct ~ ~ -prevendve action with respect to the call or othenvise modify access to the s~bs--i~,. s network Alt~ ly, some pre-authorized acdon, such as blccLing b~ . calls, can 20 be talcen automadcally and without ~: ~ e the br~ ' when a threshold is e-c~
Brief Desc'r~ - of the Drawinoc In the drawings~
FIG. 1 is a simplified blocl~ diagram of an illustradve e---bc~ nt of a comm - ~netwadc which includes a networlc usage monitoring system coa~ .t~d in accordance with 25 the principles of the invendon;
FIG. 2 is a bloclt diagram of the format of a typical record stored in the fraudmonitoring ~ ss~ of FIG. l; and FIGs. 3 and 4 are flow charts of an exemplary process for determining in real dme whether the atlributes of a call indicate abnormal network usage.
Detailed r~e--'Pq :;
Referring now to the J~,g~, FIG. 1 shows a cr 1~ network 10 which illustradvely is an SDN configured for a ~,bs(-i~,. C~mm~lnications network 10 includes ' ' 3 2 1 ~
' hree ~' ~e~c - custoiner p.~ s which belong to the ' ~brr, namely, subscriber locations 12, 14, and 16. Sl~b ' ~c - Y 12, 14, and 16 are interc- ~stP~ through an int~ gc (IXC) netwo~ic 18. IXC netwodc 18 includes IXC ~ s 20, 22, and 24, a ~ - ~ 25 f~ implementing the SDN, a processing rneans 26 for collecting billing (referred 5 to ~ as "billing data CQ~ 26"), and a processing means 28 for analyz~ng aspects of the billing data to detect z ' ~cr--~ ~' netwarlc usage (h( _d~. referrcd to as "fraud - - ~1 g p~.~s~r 28").
The principles of the ~ ~ - - will be illustrated by d~ibing the process by which the attributes of a i l~p~ - - call, placed by a calling party at b~ r-her locadon 12 to a called 10 party at subscriber locadon 14, are monitoled to detect abnonnal usage of network 10. In this exampb, a call placed from a telephone stadon 30 at subscriber locadon 12 is e-b-~d through a private branch exchange (PBX) 32 and routed through IXC switches 20 and 22 of IXC network 18 to subscriber locadon 14. At ~S~ibçr location 14, the call passes via a PBX 34 to the called party at i l ~h~ ~ stadon 36. Remote access to network 10 is plo.idcd lS to callers outside of the nctwork, for exarnple, at a l~:h~' ~ne stadon 37, via PBX 32. - ;-Billing data C~ ~tl~r 26 collects from IXC switch 20 data that will be used for purpose of billing the call placed from t~'e~ e stadon 30. Billing data cQIlect~r 26 receives the data from IXC switch 20 and generates a call detail record which contains all or some pordon of the data ~ce;~ from IXC switch 20. A ~' ~e - call detail record is 8 ~ for each and -20 every billed call. Billing data coll~b,, 26 g a~cs the call detail record in real dme. As used herein, a record is said to be generated in "real dme" if the record is generated either soon after the call has terminated or whilc the call is in-progress. (A call is said to be "terminated" when the c; ~ between the calling and called pardes is broken.) Billing data co~ 26 can be any suitable or convenient ~ e~ g means which collects 2S informadon about a call in real dme. One suitable embodiment of billing data coll~r~or 26 is d~,-;~d in commody-owned, copending U.S. patent a~ r Serial No.
f~ed February 23, 1993, entitbd "Telecommunicadon I'~IT_~.J~I~ Arrangement For Providing Real rlme Access To Call Records," which is hereby incorporated by ,ef~
In ~nce with the ~ fraud monitoring l, ~c,sso~ 28 is p.~.idcd to receive 30 call detail roc~ds, in ceal time, from billing data colL~r~r 26. Fraud ~ _ In~essor can be embodied as a resident application on billing data cQll~r~or 26 or, in the al~.,...at;~
as a separate l>.u~o downstream from billing data cQllect~r 26 (or several billing data CQIl~ Fraud monitoring ~ c 28 uses the call attributes that are stored in a call detail ~ecord as ~ below to derive various indices (e.g., average call duradon for calls 3S made using a selected authorizadon code). Fraud monitoring p.~CSS~l then compares thé call attributes and/orderived indices with ~ thresholds which the: bs iher (perhaps with 4 2~141~;~
he assistance of the t~!~r~ ~ne service p,o.i~.) has previously selected orestablished as being indicative of abno mal network usage. The thresholds are established by the ~.~I,s~ in view of the sl ~ ~ikr's panicular needs or p,~f~ -~ nces When the att~ibutes of a caU being analyzed indicate that the caU , s~ ts an S abnormd use ~ potentially unauthorized use of the networlc (f~ example, an attribute exce,eds a ~ r~d threshold), fraud monitoring processor 28 communicates with: bs ih~r ~ ~ ~e s 16 to alert the - ~s ~ ibCr of the abnormal use. Fraud monitoring I ,- 28id~ ~;rirs to the subscriber premises that the caU is abnormd by communicating direcdy with a bs: iher worlcstation 38. ~Iternatively, fraud monitoring ~ u~,~S3~ 28 ~ ~ through IXC
networlc 18 via interexchange switches 20 and 24, and through a PBX 40 at - bs~
premises 16. PBX 40 then communicates with customer premise equipment, such as a fax machine 42 ~ a printer 44, to give the subscriber nodce in rea1 dme of the a~ r---~ use.
Alternadvely, the ~ - rih~r could be nodfied of abnorrnal use by a tel~ call. The ~k ~ can ~l~ti~ block network usage, deny access to the network on a call-by-call lS basis, trace the caU to catch the unauthorized user while the call is sdll in progress, or take other ar, ~op ~ acdon, such as by nodfying the ~ r - service ~ u.id~. or modifying the SDN database.
In another preferred e_-bs'- ~. the l_~r~ ~~ service l,.u.;der, such as the interexchange carrier, automadcally takes some pre-authori sd action in ~--r~~~ to a threshold being e~rcç~d For example, the s ~ may pre: -' i7P the l I ph~
~e~vice provider to interrupt calls in-prûgress when it is determined (in real dme) that a threshold indicadve of abnormal network usage has been e~ ed~1 Such pre-a ti-ori7~d acdon can be talcen autornadcally, without nodfying or ec ~ m~raneously with notifying the subscriber that a threshold has been e~ce<~kd 2S Once a caU detail record for a call has been ~,.u,e;,~d and it is determined that none of the predetermined thresholds have been e-e~d~, fraud monitoring p u~sso~ 28 will preferably discard its copy of the caU detail record. Discarding reco~ds in this manner minimi_es the storage capacity required within fraud monitoring p ~essûr 28. While the aetual da~ eontained in the record are not necessarily retained, sebcted indices that are affeeted by ~ ealeulated from the data arc maintained. For example, informadon such as the average eaU duradon. the number of calls placed under each authc - ~r code, or other such information is maintained as a "running total."
As mendoned abo~ve, a call detail record is e - ~ either during a call or after the call has terminated. A call detail record that is g ~r -~ after the caU is terminated typically 3S eontains more informadon than a record that is generated while a call is in progress. For exampb, in the former case, the call detail record may include informadon specifying the total 5 211415~
~uration of the call, while in the lat~ case, such information is unavailable. Nevertheless, records formed while a call is in-progress can be analyzed and the information utilized while the caUer is stiU on the line. Such information can be advantageously used, for example, in fraud ~t--- and tracing.
FIG. 2 shows the structure of an exemplary call detail record S0 received by fraud monitonng ~ ~ 28. Call detail record S0 includes one or more key data fields S2 (the contents of which are shown in the drawing as "Record i"), which I c, ~!~ identify the record. Attribute data in each record are designated 54-1 through S4-N, where N indicates the number of different attributes or cha~ 5 of the call which the record ~< 5~ dk 5 In the context of long distance calling, these attributes may include the calling number (54-1), the time of access (54-2), the terrninating (called) number (54-3), the call duradon (54-4), an indication of whether the call was c~ t or incomplete (54-5), the authorization code or 800 number used to gain acc-ss to the network (54-6), the type of ~ g --- lg station (e.g., a pay phone, ordinary ~ e, etc.) (54-7), or other ~ - b~. (54-N) which idendfy the call lS and may be useful in determining whether the call l.r-- an a' .~1 use of the communication network for the subscriber.
The networlc usage monitoring c~. N ~ s of the in~enlion are a~ '~le to several different types of communicadons ~ ~. J~I~S. For example, all calls made from a ~ub ' 's p.~ s can be monitored to detect abnormal usage. Alternadvely, tnonitoring can be limited to situations in which access to r~.~h;~ ,d network f~ es is granted, for example, on the basis of an authorizadon code l,.u.;d~d by the calling party, the calling party's i ':ph~
number, or by dialing an 800 number.
FlGs. 3 and 4 show flow charts of an exemplary method for monitoring network usage in real dme to detect P~ ~- ~~ ~' usage. The process begins on FIG. 3 at step 100, where a real 2S dme call detail record, such as the call detail record of FIG. 2, is received by fraud ;ng .ccs3~r 28. Fraud monitoring p.~c< ~cor 28 first t~ s the call type from the attributes in the call detail record (step 102). For example, the call detail record indicates whether the call is an SDN cellular call, an SDN or remote network access call (e.g., from an off n( ~. J~l!.
location swh as b~:kp' - ~ stadon 37 of FIG. 1) requiring an aulh.,.;~io~ code, or a remote network access call through an 800 number access.
Once the call type is identified, fraud monitodng &.u~e~ 28 detern~ines from the call detail record the calling number, authorizadon code, or originadng 800 number ~ appropriate f~ the call type (step 104). For the purpose of this ill r~ - ~ and the l~-n~ er of FIGs.
3 and 4, it will be assumed that the call was placed using an aulh~ ~ P~q code, and that fraud 3S monitoring processor 28 has obtained that authorizadon code from the call detail record.
Fraud monitoring processor 28 then determines from the call detail record the terminadng 6 2 1 1 ~
~, ' number (or terminating NPA/country code) of thc call (step 106).
At this point in the process, fraud ~ O~;-lg p vcessol 28 begins to analyze the call attributes. For cxampb, the ~ Ol d~te- - - - s. in step 108, whether thc call is a c~ . ' call, that is, whether the call has been answered If the call has been complcted, fraud monitonng ~ ~ 28 ~ . ts a counter which maintains a count of ,~: d calls for the particular authorization code under which the call was placed (step 110). If the call is incomplete, that is, the call is l n._ x' by the called party, f~ e ~ C~SSol 28 increments a counter which maintains a count of ~ - - l~lc ~ calls for the auth ~ - - code under which the call was placed (step 112). Fraud monitonng ~ 28 also derives for the authorization code the percentage of incomplete calls (stcp 118). The incomplete call percentage is calculated using information held by counters and obtained in steps 110 and 112.
Assuming the call detail record was generated after termination of a call, the call detail r?~ will include the call duradon (also referred to herein as the "holding dme"). In this case, fraud monitoring ~ ,cessol 28 will ~ ~ a counter which maintains a record of the total call duradon, i.e., the total usage, for the au~ code under which the call was inidated (step 114). Fraud monitoring l,.~ss~ 28 also will derive the average holding time for calls placed using the authorization code (step 116).
Referring now to FIG. 4, fraud monitoring l, ~es~. 28 then ~ s, from infonnation contained in thc call detail record, the ~ _ ~ e NPA or country code of the call (step 120). The ~ esY,- deterrnincs whetha this is the first appearance of this NPA or country code for this authorization code (step 122). If it is the first appearance, the ~).~ess~r increments a counter (step 124) that tracks the number of ~ '~c~e ~ NPAs and country codes from which calls have been made using the authorization code. If instead it is the second or later appearance of an NPA/country code, processing continues to step 126.
2S Having obtained or derived the various stadsdcal values for a caJI, fraud ~ ring processor 28 compares the stadsdcal values with thresholds ~ -?~ sly established by the ?i bscr~?t~ f~theauthorizadoncode(step126). AblC~--'netwo*usageis~~ if any of the stadsdcal values e~coed one or more of the p~ thresholds. As shown in step 128, for e~mp1e, if the total number of calls, total number of minutes of call duration, the number of incomplete calls, or the number of ~;ff~.~,-'l NPAs/country codes exceed the prodetermined thresholds established by the L ~~ for that auth~ ~ --- code, the subscriber is nodfied of the ?~ ~amq1 network usage (step 130). Similarly, as shown in step 132, fraud monitoring p ~ 28 can determine whether the average holding dme is above or bebw the bounds of the threshold for average holding dme for the pardcular au~
3S code. If so, the subscriber is nodfied (step 134).
It is to be un~.~l~od that although various indices and calculadons have been 7 2II~Ir~5 L~.i~d above as being calculated for a given authodzadon code, the indices couldalternatively be calculated based on the calling number (e.g., calculate average holding time f~ calls placed from a particular calling number), the 800 number used to gain access to the n~ ~.J~ or the subscdber's calls as a whole. Similarly, the thtesholds set by the: kcrikr S to indicate abnormal network usage can be s,~if;cd individually for each autho~izadon code, calling number, ~ 800 number used to access the networL or can be "~;f~d by the ' s ~- in a mcre universal manner. It also is vithin the ssope of the invention to derive and, ~ separate indices and thresholds f~ calls placed to selected h ~ ' _ Ir - lS
As used herein, Nterminating locations" ~ ' ' s, for example, ~ ~ ;ng '-rs 10 ter g NPAs and terminating country codes.
Of course, one skilled in the art will al r ~ ~I that criteria other than those d< ~ - ik~
in FlGs. 3 and 4 could be used to detetmine whether there is abnotmal net~vork usage without depardng from the scope or spirit of the ~ ._ - For . ' . fraud monitonng ~, .ce;.~
28 could be corllfigured to nodfy the b ~-~r in real dme ~ ~ a call is placed to a 15 country code that is on a list of prohibited country codes.
In accordance with another feature of the Invendon, eash of the stadsdcal values and counted values A~ 5~ .ikd above can be cbared or reset after a y~,A~ uined period of time as selected by the subscriber. This enables the s '~ sc~ to monitor the network usage for a patticular calling number or access code on any ~ 1-_ - - basis. For ~ 'e. the calls 20 made under a selected access code can be monitored on a daily basis if a 2~hour period would provide useful il r ~ -_ tO the bs~ ly, the calls made under that access code could be monitored on a weekly or monthly basis.
It will be understood that the foregoing is merely illustradve of the principles of the invendon, and that various modificadons can be made by those skilled in the art without 2S depardng from the ssope and spi it of the invention.
Fraud monitoring processor 28 then determines from the call detail record the terminadng 6 2 1 1 ~
~, ' number (or terminating NPA/country code) of thc call (step 106).
At this point in the process, fraud ~ O~;-lg p vcessol 28 begins to analyze the call attributes. For cxampb, the ~ Ol d~te- - - - s. in step 108, whether thc call is a c~ . ' call, that is, whether the call has been answered If the call has been complcted, fraud monitonng ~ ~ 28 ~ . ts a counter which maintains a count of ,~: d calls for the particular authorization code under which the call was placed (step 110). If the call is incomplete, that is, the call is l n._ x' by the called party, f~ e ~ C~SSol 28 increments a counter which maintains a count of ~ - - l~lc ~ calls for the auth ~ - - code under which the call was placed (step 112). Fraud monitonng ~ 28 also derives for the authorization code the percentage of incomplete calls (stcp 118). The incomplete call percentage is calculated using information held by counters and obtained in steps 110 and 112.
Assuming the call detail record was generated after termination of a call, the call detail r?~ will include the call duradon (also referred to herein as the "holding dme"). In this case, fraud monitoring ~ ,cessol 28 will ~ ~ a counter which maintains a record of the total call duradon, i.e., the total usage, for the au~ code under which the call was inidated (step 114). Fraud monitoring l,.~ss~ 28 also will derive the average holding time for calls placed using the authorization code (step 116).
Referring now to FIG. 4, fraud monitoring l, ~es~. 28 then ~ s, from infonnation contained in thc call detail record, the ~ _ ~ e NPA or country code of the call (step 120). The ~ esY,- deterrnincs whetha this is the first appearance of this NPA or country code for this authorization code (step 122). If it is the first appearance, the ~).~ess~r increments a counter (step 124) that tracks the number of ~ '~c~e ~ NPAs and country codes from which calls have been made using the authorization code. If instead it is the second or later appearance of an NPA/country code, processing continues to step 126.
2S Having obtained or derived the various stadsdcal values for a caJI, fraud ~ ring processor 28 compares the stadsdcal values with thresholds ~ -?~ sly established by the ?i bscr~?t~ f~theauthorizadoncode(step126). AblC~--'netwo*usageis~~ if any of the stadsdcal values e~coed one or more of the p~ thresholds. As shown in step 128, for e~mp1e, if the total number of calls, total number of minutes of call duration, the number of incomplete calls, or the number of ~;ff~.~,-'l NPAs/country codes exceed the prodetermined thresholds established by the L ~~ for that auth~ ~ --- code, the subscriber is nodfied of the ?~ ~amq1 network usage (step 130). Similarly, as shown in step 132, fraud monitoring p ~ 28 can determine whether the average holding dme is above or bebw the bounds of the threshold for average holding dme for the pardcular au~
3S code. If so, the subscriber is nodfied (step 134).
It is to be un~.~l~od that although various indices and calculadons have been 7 2II~Ir~5 L~.i~d above as being calculated for a given authodzadon code, the indices couldalternatively be calculated based on the calling number (e.g., calculate average holding time f~ calls placed from a particular calling number), the 800 number used to gain access to the n~ ~.J~ or the subscdber's calls as a whole. Similarly, the thtesholds set by the: kcrikr S to indicate abnormal network usage can be s,~if;cd individually for each autho~izadon code, calling number, ~ 800 number used to access the networL or can be "~;f~d by the ' s ~- in a mcre universal manner. It also is vithin the ssope of the invention to derive and, ~ separate indices and thresholds f~ calls placed to selected h ~ ' _ Ir - lS
As used herein, Nterminating locations" ~ ' ' s, for example, ~ ~ ;ng '-rs 10 ter g NPAs and terminating country codes.
Of course, one skilled in the art will al r ~ ~I that criteria other than those d< ~ - ik~
in FlGs. 3 and 4 could be used to detetmine whether there is abnotmal net~vork usage without depardng from the scope or spirit of the ~ ._ - For . ' . fraud monitonng ~, .ce;.~
28 could be corllfigured to nodfy the b ~-~r in real dme ~ ~ a call is placed to a 15 country code that is on a list of prohibited country codes.
In accordance with another feature of the Invendon, eash of the stadsdcal values and counted values A~ 5~ .ikd above can be cbared or reset after a y~,A~ uined period of time as selected by the subscriber. This enables the s '~ sc~ to monitor the network usage for a patticular calling number or access code on any ~ 1-_ - - basis. For ~ 'e. the calls 20 made under a selected access code can be monitored on a daily basis if a 2~hour period would provide useful il r ~ -_ tO the bs~ ly, the calls made under that access code could be monitored on a weekly or monthly basis.
It will be understood that the foregoing is merely illustradve of the principles of the invendon, and that various modificadons can be made by those skilled in the art without 2S depardng from the ssope and spi it of the invention.
Claims (9)
1. A method for monitoring usage of a communications network to detect abnormal usage thereof, the method comprising the steps of:
receiving in real time a plurality of predetermined attributes of a telephone call;
processing the plurality of attributes to identify abnormal usage; and notifying a subscriber in real time of the occurrence of the abnormal usage.
receiving in real time a plurality of predetermined attributes of a telephone call;
processing the plurality of attributes to identify abnormal usage; and notifying a subscriber in real time of the occurrence of the abnormal usage.
2. The invention as described in claim 1 wherein the plurality of predetermined attributes are received while the call is in-progress.
3. The invention as described in claim 1 wherein the processing step comprises:
comparing selected ones of the plurality of attributes with corresponding predetermined thresholds, the predetermined thresholds being indicative of abnormal network usage; and returning an indication that the call represents an abnormal use of the network if any of the selected ones of the plurality of attributes exceeds its corresponding predetermined threshold.
comparing selected ones of the plurality of attributes with corresponding predetermined thresholds, the predetermined thresholds being indicative of abnormal network usage; and returning an indication that the call represents an abnormal use of the network if any of the selected ones of the plurality of attributes exceeds its corresponding predetermined threshold.
4. The invention as described in claim 3 wherein the plurality of predetermined thresholds are indicative of abnormal usage for calls originating from a predetermined originating telephone number.
5. The invention as described in claim 3 wherein the plurality of predetermined thresholds are indicative of abnormal usage for calls placed using a predetermined authorization code.
6. The invention as described in claim 3 wherein the plurality of predetermined thresholds are indicative of abnormal usage for calls placed using a predetermined 800 number.
7. The invention as described in claim 3 wherein the plurality of predetermined thresholds are indicative of abnormal usage for calls placed to a predetermined termination location.
8. The invention as described in claim 1 wherein the processing step comprises:
processing at least one of the attributes to derive at least one additional value indicative of a pattern of network usage;
comparing the additional value with a predetermined threshold, the predeterminedthreshold being indicative of abnormal network usage; and returning an indication that the call represents an abnormal use of the network if the additional value exceeds the predetermined threshold.
processing at least one of the attributes to derive at least one additional value indicative of a pattern of network usage;
comparing the additional value with a predetermined threshold, the predeterminedthreshold being indicative of abnormal network usage; and returning an indication that the call represents an abnormal use of the network if the additional value exceeds the predetermined threshold.
9. The invention as described in claim 1 further comprising the step of modifying, in real time, access to the network in response to feedback from the subscriber.10. The invention as described in claim 9 wherein the modifying step comprises automatically blocking a subsequent telephone call having predetermined attributes specified by the subscriber.
Applications Claiming Priority (2)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
US4078593A | 1993-03-31 | 1993-03-31 | |
US040,785 | 1993-03-31 |
Publications (2)
Publication Number | Publication Date |
---|---|
CA2114155A1 CA2114155A1 (en) | 1994-10-01 |
CA2114155C true CA2114155C (en) | 1998-01-27 |
Family
ID=21912936
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CA002114155A Expired - Lifetime CA2114155C (en) | 1993-03-31 | 1994-01-25 | Real-time fraud monitoring system |
Country Status (8)
Country | Link |
---|---|
US (1) | US5706338A (en) |
EP (1) | EP0618713B1 (en) |
JP (1) | JP3723235B2 (en) |
KR (1) | KR940023085A (en) |
AU (1) | AU5767194A (en) |
CA (1) | CA2114155C (en) |
DE (1) | DE69427317T2 (en) |
TW (1) | TW225623B (en) |
Families Citing this family (75)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US5420910B1 (en) * | 1993-06-29 | 1998-02-17 | Airtouch Communications Inc | Method and apparatus for fraud control in cellular telephone systems utilizing rf signature comparison |
US6643362B2 (en) * | 1998-11-19 | 2003-11-04 | Global Crossing, Ltd. | Call-processing system and method |
CA2215361C (en) * | 1995-03-30 | 2001-01-23 | British Telecommunications Public Limited Company | Detecting possible fraudulent communications usage |
US7369650B1 (en) | 1995-05-16 | 2008-05-06 | At&T Corp. | Service and information management system for a telecommunications network |
DE19521485A1 (en) | 1995-06-13 | 1996-12-19 | Deutsche Telekom Ag | Method and device for the transmission of confidential connection establishment and service information between subscriber end devices and one or more digital switching centers |
DE19521484A1 (en) * | 1995-06-13 | 1996-12-19 | Deutsche Telekom Ag | Method and device for authenticating subscribers to digital switching centers |
US5875236A (en) * | 1995-11-21 | 1999-02-23 | At&T Corp | Call handling method for credit and fraud management |
US5805686A (en) * | 1995-12-22 | 1998-09-08 | Mci Corporation | Telephone fraud detection system |
US5815807A (en) * | 1996-01-31 | 1998-09-29 | Motorola, Inc. | Disposable wireless communication device adapted to prevent fraud |
NL1002269C2 (en) * | 1996-02-07 | 1997-08-08 | Nederland Ptt | Telecommunication system, fraud signaling device and working method. |
NL1002543C2 (en) * | 1996-03-06 | 1997-03-21 | Nederland Ptt | Usage monitor for communication system. |
US6377672B1 (en) | 1996-03-29 | 2002-04-23 | British Telecommunications Public Limited Company | Fraud monitoring in a telecommunications network |
GB9606792D0 (en) * | 1996-03-29 | 1996-06-05 | British Telecomm | A telecommunications network |
US5903831A (en) * | 1996-06-07 | 1999-05-11 | Telefonaktiebolaget Lm Ericsson (Publ) | System and method of preventing fraudulent call transfers in a radio telecommunications network |
US20040185830A1 (en) * | 1996-08-08 | 2004-09-23 | Joao Raymond Anthony | Apparatus and method for providing account security |
GB9620082D0 (en) * | 1996-09-26 | 1996-11-13 | Eyretel Ltd | Signal monitoring apparatus |
FI103847B1 (en) * | 1996-10-10 | 1999-09-30 | Nokia Telecommunications Oy | Preventing abuse of call forwarding service |
US5937043A (en) * | 1996-11-27 | 1999-08-10 | Mciworldcom, Inc. | Mechanism for a system and method for detecting fraudulent use of collect calls |
US5953653A (en) * | 1997-01-28 | 1999-09-14 | Mediaone Group, Inc. | Method and system for preventing mobile roaming fraud |
US6327352B1 (en) * | 1997-02-24 | 2001-12-04 | Ameritech Corporation | System and method for real-time fraud detection within a telecommunications system |
US6430286B1 (en) * | 1997-04-22 | 2002-08-06 | At&T Corp | Service and information management system for a telecommunications network |
US6393113B1 (en) * | 1997-06-20 | 2002-05-21 | Tekno Industries, Inc. | Means for and methods of detecting fraud, lack of credit, and the like from the SS# 7 system network |
GB2327318A (en) * | 1997-07-14 | 1999-01-20 | Ericsson Telefon Ab L M | A method of tracing anonymous telephone calls |
GB9715497D0 (en) * | 1997-07-22 | 1997-10-01 | British Telecomm | A telecommunications network |
US6226364B1 (en) * | 1997-12-08 | 2001-05-01 | Bellsouth Intellectual Property Management Corporation | Method and system for providing prepaid and credit-limited telephone services |
JP3335898B2 (en) * | 1998-01-08 | 2002-10-21 | 株式会社東芝 | Private branch exchange system and its private branch exchange. |
US6157707A (en) * | 1998-04-03 | 2000-12-05 | Lucent Technologies Inc. | Automated and selective intervention in transaction-based networks |
US6163604A (en) * | 1998-04-03 | 2000-12-19 | Lucent Technologies | Automated fraud management in transaction-based networks |
US6763098B1 (en) * | 1998-06-01 | 2004-07-13 | Mci Communications Corporation | Call blocking based on call properties |
JP4501280B2 (en) * | 1998-12-09 | 2010-07-14 | インターナショナル・ビジネス・マシーンズ・コーポレーション | Method and apparatus for providing network and computer system security |
US7133511B2 (en) * | 1998-12-11 | 2006-11-07 | Securelogix Corporation | Telephony security system |
US6249575B1 (en) | 1998-12-11 | 2001-06-19 | Securelogix Corporation | Telephony security system |
US6760420B2 (en) * | 2000-06-14 | 2004-07-06 | Securelogix Corporation | Telephony security system |
US6687353B1 (en) | 1998-12-11 | 2004-02-03 | Securelogix Corporation | System and method for bringing an in-line device on-line and assuming control of calls |
US6735291B1 (en) * | 1998-12-11 | 2004-05-11 | Securelogix Corporation | Virtual private switched telephone network |
US6226372B1 (en) | 1998-12-11 | 2001-05-01 | Securelogix Corporation | Tightly integrated cooperative telecommunications firewall and scanner with distributed capabilities |
FI107983B (en) | 1998-12-23 | 2001-10-31 | Nokia Networks Oy | Detecting and preventing fraudulent use in a telecommunications network |
ATE321400T1 (en) * | 1999-01-25 | 2006-04-15 | Siemens Ag | METHOD FOR IMPLEMENTING PERFORMANCE FEATURE CONTROL IN A COMMUNICATIONS DATA NETWORK |
US6873617B1 (en) * | 1999-02-03 | 2005-03-29 | Tekno Industries, Inc. | Means for and methods of “in-progress” fraud, billing and maintenance in a SS#7 network of high speed data links |
US6526389B1 (en) * | 1999-04-20 | 2003-02-25 | Amdocs Software Systems Limited | Telecommunications system for generating a three-level customer behavior profile and for detecting deviation from the profile to identify fraud |
US6442265B1 (en) * | 1999-05-06 | 2002-08-27 | At&T Corp | Method for detecting and reducing fraudulent telephone calls |
JP3584838B2 (en) * | 2000-02-22 | 2004-11-04 | 日本電気株式会社 | Packet monitoring system, packet monitoring method, and recording medium recording program thereof |
FI109259B (en) * | 2000-03-17 | 2002-06-14 | Nokia Corp | Tracing a malicious invitation |
US7236954B1 (en) | 2000-05-22 | 2007-06-26 | Verizon Business Global Llc | Fraud detection based on call attempt velocity on terminating number |
US6947532B1 (en) | 2000-05-22 | 2005-09-20 | Mci, Inc. | Fraud detection based on call attempt velocity on originating number |
US6850606B2 (en) * | 2001-09-25 | 2005-02-01 | Fair Isaac Corporation | Self-learning real-time prioritization of telecommunication fraud control actions |
US6597775B2 (en) * | 2000-09-29 | 2003-07-22 | Fair Isaac Corporation | Self-learning real-time prioritization of telecommunication fraud control actions |
US8150013B2 (en) * | 2000-11-10 | 2012-04-03 | Securelogix Corporation | Telephony security system |
US20020138427A1 (en) * | 2001-03-20 | 2002-09-26 | Trivedi Prakash A. | Systems and methods for communicating from an integration platform to a billing unit |
US20020161711A1 (en) * | 2001-04-30 | 2002-10-31 | Sartor Karalyn K. | Fraud detection method |
WO2003010946A1 (en) | 2001-07-23 | 2003-02-06 | Securelogix Corporation | Encapsulation, compression and encryption of pcm data |
US10562492B2 (en) * | 2002-05-01 | 2020-02-18 | Gtj Ventures, Llc | Control, monitoring and/or security apparatus and method |
US7302250B2 (en) * | 2003-01-13 | 2007-11-27 | Lucent Technologies Inc. | Method of recognizing fraudulent wireless emergency service calls |
US7971237B2 (en) * | 2003-05-15 | 2011-06-28 | Verizon Business Global Llc | Method and system for providing fraud detection for remote access services |
US7774842B2 (en) * | 2003-05-15 | 2010-08-10 | Verizon Business Global Llc | Method and system for prioritizing cases for fraud detection |
US7783019B2 (en) * | 2003-05-15 | 2010-08-24 | Verizon Business Global Llc | Method and apparatus for providing fraud detection using geographically differentiated connection duration thresholds |
US7817791B2 (en) * | 2003-05-15 | 2010-10-19 | Verizon Business Global Llc | Method and apparatus for providing fraud detection using hot or cold originating attributes |
US7035387B2 (en) * | 2004-02-24 | 2006-04-25 | Tekelec | Methods and systems for detecting and mitigating intrusion events in a communications network |
KR100643281B1 (en) * | 2004-10-09 | 2006-11-10 | 삼성전자주식회사 | Apparatus, system and method for security service in home network |
US9167471B2 (en) * | 2009-05-07 | 2015-10-20 | Jasper Technologies, Inc. | System and method for responding to aggressive behavior associated with wireless devices |
GB2432993A (en) * | 2005-12-01 | 2007-06-06 | Marconi Comm Ltd | Combating fraud in telecommunication systems |
US8160218B2 (en) * | 2006-09-22 | 2012-04-17 | Alcatel Lucent | Event driven call generation |
WO2015152930A1 (en) * | 2014-04-03 | 2015-10-08 | Hewlett-Packard Development Company, L.P. | Modifying a priority for at least one flow class of an application |
US10111102B2 (en) * | 2014-11-21 | 2018-10-23 | Marchex, Inc. | Identifying call characteristics to detect fraudulent call activity and take corrective action without using recording, transcription or caller ID |
JP6032774B1 (en) | 2015-12-21 | 2016-11-30 | Necプラットフォームズ株式会社 | Telephone exchange system, telephone exchange method, telephone exchange program, telephone exchange, management terminal |
US10607008B2 (en) | 2017-02-09 | 2020-03-31 | International Business Machines Corporation | Counter-fraud operation management |
WO2019190438A2 (en) * | 2017-12-29 | 2019-10-03 | Netaş Telekomüni̇kasyon Anoni̇m Şi̇rketi̇ | Ott bypass fraud detection by using call detail record and voice quality analytics |
US10785214B2 (en) | 2018-06-01 | 2020-09-22 | Bank Of America Corporation | Alternate user communication routing for a one-time credential |
US10785220B2 (en) | 2018-06-01 | 2020-09-22 | Bank Of America Corporation | Alternate user communication routing |
US10855666B2 (en) | 2018-06-01 | 2020-12-01 | Bank Of America Corporation | Alternate user communication handling based on user identification |
US10798126B2 (en) | 2018-06-01 | 2020-10-06 | Bank Of America Corporation | Alternate display generation based on user identification |
US10972472B2 (en) | 2018-06-01 | 2021-04-06 | Bank Of America Corporation | Alternate user communication routing utilizing a unique user identification |
US11153435B2 (en) | 2019-09-24 | 2021-10-19 | Joseph D. Grabowski | Method and system for automatically blocking robocalls |
US10805458B1 (en) | 2019-09-24 | 2020-10-13 | Joseph D. Grabowski | Method and system for automatically blocking recorded robocalls |
US11483428B2 (en) | 2019-09-24 | 2022-10-25 | Joseph D. Grabowski | Method and system for automatically detecting and blocking robocalls |
Family Cites Families (10)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US4182934A (en) * | 1978-09-26 | 1980-01-08 | Bell Telephone Laboratories, Incorporated | Method and apparatus for detecting irregular telephone calls |
US4811378A (en) * | 1986-08-29 | 1989-03-07 | American Telephone And Telegraph Company, At&T Bell Laboratories | Toll fraud control |
US4799255A (en) * | 1987-01-30 | 1989-01-17 | American Telephone And Telegraph Company - At&T Information Systems | Communication facilities access control arrangement |
US4761808A (en) * | 1987-03-18 | 1988-08-02 | Sheldon Howard | Time code telephone security access system |
US5144649A (en) * | 1990-10-24 | 1992-09-01 | Gte Mobile Communications Service Corporation | Cellular radiotelephone credit card paystation method |
US5223699A (en) * | 1990-11-05 | 1993-06-29 | At&T Bell Laboratories | Recording and billing system |
US5163086A (en) * | 1990-12-31 | 1992-11-10 | At&T Bell Laboratories | Telephone network credit card calling apparatus and method of operation to determine validation and fraudulent use of credit cards in placing telephone calls |
US5353335A (en) * | 1992-08-03 | 1994-10-04 | At&T Bell Laboratories | Multilingual prepaid telephone system |
US5357564A (en) * | 1992-08-12 | 1994-10-18 | At&T Bell Laboratories | Intelligent call screening in a virtual communications network |
US5345595A (en) * | 1992-11-12 | 1994-09-06 | Coral Systems, Inc. | Apparatus and method for detecting fraudulent telecommunication activity |
-
1993
- 1993-07-13 TW TW082105570A patent/TW225623B/en active
-
1994
- 1994-01-25 CA CA002114155A patent/CA2114155C/en not_active Expired - Lifetime
- 1994-03-08 AU AU57671/94A patent/AU5767194A/en not_active Abandoned
- 1994-03-23 EP EP94302068A patent/EP0618713B1/en not_active Expired - Lifetime
- 1994-03-23 DE DE69427317T patent/DE69427317T2/en not_active Expired - Lifetime
- 1994-03-30 JP JP08272594A patent/JP3723235B2/en not_active Expired - Fee Related
- 1994-03-30 KR KR1019940006503A patent/KR940023085A/en not_active Application Discontinuation
-
1996
- 1996-07-25 US US08/686,460 patent/US5706338A/en not_active Expired - Lifetime
Also Published As
Publication number | Publication date |
---|---|
EP0618713A3 (en) | 1998-07-29 |
AU5767194A (en) | 1994-10-06 |
DE69427317T2 (en) | 2001-10-31 |
JP3723235B2 (en) | 2005-12-07 |
DE69427317D1 (en) | 2001-07-05 |
EP0618713A2 (en) | 1994-10-05 |
CA2114155A1 (en) | 1994-10-01 |
JPH06350698A (en) | 1994-12-22 |
KR940023085A (en) | 1994-10-22 |
US5706338A (en) | 1998-01-06 |
EP0618713B1 (en) | 2001-05-30 |
TW225623B (en) | 1994-06-21 |
Similar Documents
Publication | Publication Date | Title |
---|---|---|
CA2114155C (en) | Real-time fraud monitoring system | |
CA2185591C (en) | Call handling method for credit and fraud management | |
JP2003534724A (en) | Fraud detection in termination numbers based on speed when attempting a call | |
JPH07212460A (en) | Security system for discontinuing fraudulent telephone speech | |
JPH07212502A (en) | Controlling system for accessing resource | |
US7372949B1 (en) | System and method for call redirect detection and treatment | |
US6556669B2 (en) | International origination to domestic termination call blocking | |
US20030063725A1 (en) | Method and system for using bad billed number records to prevent fraud in a telecommunications system | |
CA2393747A1 (en) | Telephone fraud detection and prevention | |
US6404871B1 (en) | Termination number screening | |
CA2449706A1 (en) | Service management system blocking | |
US6590967B1 (en) | Variable length called number screening | |
US6618475B2 (en) | Domestic origination to international termination country set logic | |
Field et al. | Techniques for telecommunications fraud management | |
JP2004530389A (en) | ISN call blocking | |
EP0995302B1 (en) | Monitoring a communication network | |
AU2003204506B2 (en) | Monitoring a communication network | |
Stoermann | Novel Techniques for Fraud Detection in Mobile Telecommunication Networks | |
CA2509932A1 (en) | Charging for prepaid subscribers in a telecommunications system |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
EEER | Examination request | ||
MKEX | Expiry |
Effective date: 20140127 |