DE19850640A1 - Revision procedure for the detection of fraud cases in networks - Google Patents

Abstract

Various items of recorded data corresponding to respective events are evaluated in order to see if the entries contain matching information in a telecommunication system such as an intelligent network with the purpose of discovering irregularities, especially manipulations carried out by inside perpetrators, during pricing.

Description

Fraud in telecommunications networks is of a magnitude enough that is no longer neglected by the network operators can be.

The subject of the application relates to a procedure for determination irregularities, in particular manipulation the charge, in telecommunications networks, in particular Intelligent networks, connection networks, transport networks, management Networks and exchanges, therefore a recording File such as B. a log file is then evaluated, whether there is an indication of an irregularity.

There are currently various software tools that are used by professionals These are also known as tools for the detection of be fallacies. Such tools are based on various technologies such as the rule-based approach or neural networks etc. These techniques are used to evaluate calls CDR (Call Detail Records) or Signaling data of the CCS7 signaling system. To Auswer Today, log files are only used for applications and commands or tools that evaluate each log file separately.

It is currently very difficult technically for the network operators rig to detect most fraud cases so early that the damage done remains small. In particular there is for the staff of network operators and telecommunications Service providers ways of fraud using conventional methods are not to be discovered.

The subject of the application is based on the problem of an au to specify a automatable revision procedure, with which already early suspicions for special fraud cases and Manipulations in networks can be detected.  

The problem is caused by the characteristics of the Oberbe handle-outlined object by the characteristics of the kenn drawing part of claim 1 solved.

The procedure according to the application, in which a regulable based on multiple log files in particular such fraud and manipulations are recognized, by the staff of the network operators and telecommunications ons service providers are caused. With the registration In contrast to conventional processes, modern processes that are based on a separate evaluation of calls Details files based on CDR and signaling data, the inconsistencies regardless of calls already made (possibly even before the first intended call) are provided, the network operator before transferring a Attacker / fraudster at best no loss of revenue Has.

Advantageous further developments of the object of registration are specified in the subclaims.

The subject of registration is hereinafter referred to as execution example to the extent necessary for understanding hand explained in more detail by figures. Show:

Fig. 1 is a schematic representation of an arrangement for He elucidating the management of intelligent networks services and

Fig. 2 is a schematic representation of an arrangement for he elucidating the service flow with intelligent networks.

In the figures, the same designations denote the same elements ment.

In the intelligent networks services management shown in Fig. 1, the data processing device of a subscriber or an operator SU / OP (for: Subscriber / Operator) via a network LAN / DCN (for: Local Area Network / Data Communication Network) or Internet / Intranet connected to the service processing point SMP (for: Service Management Point) of an intelligent network. The service processing point SMP is connected via a network LAN / DCN (for: Local Area Network / Data Communication Network) to a service control point SCP (for: Service Control Point).

In the service flow shown in FIG. 2 with intelligent networks, a subscriber terminal TE, such as. B. a telephone, connected to a local exchange OV, which is connected to a switching center with an integrated service switching point SP / SSP (for: Switching Point / Service Switching Point). The exchange SP / SSP is with a peripheral device IP (for: Intelli gent Peripheral), for. B. for announcements, a service control point SCP and, as indicated by the arrow ( 4 ), connected to a further exchange SP (for: switching point). The switching center SP / SSP and the service control point SCP form the essential elements of an intelligent network IN.

With the automated inspection procedure according to the registration Using a rule-based approach, several Log files early on for special suspicions Fraud cases and manipulations in networks are recognized. The procedure in particular eliminates such fraud cases and tampering detected by the staff of the network operator caused.

A revision in the sense of the application consists of two Share: logging and audit.

Logging is the gathering of information about the use of a system. Depending on the system, all activ activities (inputs and outputs) in the system, all data-changing  Entries, all attempted protection violations etc. on one Recording file that can also be used as a log file in specialist circles is drawn, saved. Log files can be system or written specifically for the application. The anmel The revision procedure according to the invention uses that of the systems already created log files.

An audit is the evaluation of these log files specified criteria (e.g. all entries between 10 and 12 Clock). An audit always takes place with a time delay for logging instead. Traditionally, each log file is separate evaluated.

The subject of registration takes advantage of the knowledge that information about the same Er event are saved (redundant information) or ge stored information from several pieces of information have different or different logs derived (dependent information mations). In particular, the manipulation / deletion of fee-relevant information in cross-check with others Log files obviously.

With reference to FIG. 1, the classic service flow in the Intelligent Network (IN) is assumed. First of all, a new IN service is set up using the service processing point SMP. For this purpose, a subscriber SU is first assigned a service number and possibly the tariff, e.g. B. for 0190/123456 with tariff DM 3.60 per min. Then the actual destination call numbers for this 0190 are entered either by the operator or by the subscriber himself. The 0190 number, the actual destination numbers and the tariff are sent to the service control point SCP.

The entry of the service number, the tariff and the destination Phone numbers are assigned to one in the service processing point SMP  Log file (SMP log) written. Likewise, this information logged in the service control point SCP (SCP management log).

With reference to FIG. 2, this new IN service 0190/123456 is now called, then this call is routed to a switching center with service switching point SSP functionality ( 1 ). The service switching point SSP forwards the desired IN number to the service control point SCP ( 2 ), which converts it into the actual destination number. The service control point SCP also determines the charge. This process is logged in the service control point SCP (SCP service log).

The service control point SCP communicates actual call number and charging information to the service switching point SSP ( 3 ). The call is then forwarded to the actual number ( 4 ). The billing information (charging data) is stored in this switching node in a call detail record CDR (for: Call Detail Record), which includes IN service number, destination number, tariff.

The SMP log, SCP management log, SCP services log and calls- Details record CDR form record files.

Between SMP log, SCP management log, SCP services log and Ru fe-details recording file CDR may result. a. following redundancies or dependencies:

There must be a corresponding entry for every entry in the SCP management log Enter the appropriate entry in the SMP log.

SMP log and SCP management log: for each IN service number same destination numbers and tariff information must be saved be safe.

SCP management log and SCP services log: for each IN service Call number must be a destination number equal to that for the redirection selected number, the tariff information must be be equal.  

SCP services log and call details recording CDR: Zu Each SCP log entry must have a call details Record CDR and IN service number, destination number mer, tariff information must be the same.

The audit of the revision procedure according to the registration is based now in two steps:

1. Definition of the evaluation basis

The auditor determines the basis that can be used for the evaluation. This includes which logs should be used for the revision and which rules should be checked during the evaluation. The rules describe the redundant information of different logs or the dependencies on data of one or more logs. It can (but need not) be provided that the selection based on a complete list of all log files generated in the network and all valid rules (ie all possible redundancies and dependencies) between the data stored on the log files follow. The rules are described with the help of logical expressions in which the fields (attributes) of the log file are used as variables, e.g. B.
"For each IN service number (SCP management log) there is an IN service number (SMP log) with IN service number (SCP management log) = IN service number (SMP Log)"
or
"If (IN service number (log entry SMP-Log) = IN service number (log entry SCP management log)) = <the following redundancies must be fulfilled:
Destination numbers (log entry SMP-Log) = destination numbers (log entry SCP-Management-Log)
Tariff (log entry SMP log) = tariff (log entry SCP management log) ".

Basically, rules can apply to one or more logs Respectively.

2nd test run

All selected logs are selected in the test run Rules checked. The deviations from the Re gels (inconsistencies) are logged. Using the proto kolls can be suspicious of fraudulent cases at an early stage oils and system manipulations. Based on this ver moments of thought can then be initiated how to manually correct inconsistencies of responsibility for inconsistencies, improving the Network security etc.

According to the application, a rule-based approach is given with the inconsistency of the data stored on different log files stored data can be determined. These inconsistencies Zen indicate fraud and manipulation at an early stage the network. Crucial in this procedure (opposite Method based on CDR and signaling data), that the inconsistencies are independent of already made An call (possibly even before the first intended call) can be determined. At best, the network operator has before taking an attacker / fraudster no revenue loss; in the other mentioned procedures based on CDR and The network operator must signal signaling data in any case Loss of acceptance before transferring an attacker / fraudster accept.

Is the described revision procedure for logs different? ner systems used at different locations are stored, then the trace removal is also of manipulation and fraud considerably more difficult and much riskier. The revision procedure also has one preventive effect, especially for indoor offenders.

Claims (7)

1. A method for the detection of irregularities, in particular special manipulations in the billing, telecommunications networks, in particular intelligent networks, access networks, transport networks, management networks and switching centers, consequently a recording file is evaluated to determine whether there is an indication of an irregularity is characterized in that at least two recording files are linked on the basis of a predetermined rule and the result of the link is then evaluated as to whether there is an indication of an irregularity. 2. The method according to claim 1, characterized, that a recording file is given by a log file. 3. The method according to any one of the preceding claims, characterized in that a respective recording file is given by one of the following files:
SMP log file,
SCP management log,
SCP services log,
Call details recording CDR,
Log file in transport networks,
Log file in connection networks,
Log file in management networks,
Log file in exchanges. 4. The method according to any one of the preceding claims, characterized, that the link between recording files by a Check whether a particular event / process is in the  Record files are entries that the event / Name the transaction with the same result. 5. The method according to any one of the preceding claims, characterized, that the record files according to a given criteria rium be evaluated. 6. The method according to claim 5, characterized, that the criterion is given by a set period of time is. 7. The method according to any one of the preceding claims, characterized, that the recording files belong to different systems ren.