WO2025090969A1 - Method and system for automated processing and resolution of phone numbers - Google Patents
- Publication number
- WO2025090969A1 (PCT/US2024/053122)
- Authority
- WO
- WIPO (PCT)
- Prior art keywords
- phone number
- call
- communication
- raw communication
- network
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Pending
Classifications
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04M—TELEPHONIC COMMUNICATION
- H04M3/00—Automatic or semi-automatic exchanges
- H04M3/42—Systems providing special services or facilities to subscribers
- H04M3/436—Arrangements for screening incoming calls, i.e. evaluating the characteristics of a call before deciding whether to answer it
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/14—Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04W—WIRELESS COMMUNICATION NETWORKS
- H04W12/00—Security arrangements; Authentication; Protecting privacy or anonymity
- H04W12/12—Detection or prevention of fraud
- H04W12/128—Anti-malware arrangements, e.g. protection against SMS fraud or mobile malware
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04M—TELEPHONIC COMMUNICATION
- H04M2201/00—Electronic components, circuits, software, systems or apparatus used in telephone systems
- H04M2201/18—Comparators
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04M—TELEPHONIC COMMUNICATION
- H04M2203/00—Aspects of automatic or semi-automatic exchanges
- H04M2203/60—Aspects of automatic or semi-automatic exchanges related to security aspects in telephonic communication systems
- H04M2203/6027—Fraud preventions
Definitions
- the present disclosure relates generally to network security and systems for same. More particularly, the present disclosure pertains to systems and methods for analysis for detecting nodes of communication networks, such as telephone networks, which are being used for fraudulent or malicious purposes.
- Wire fraud and the use of communication networks for malicious ends is a persistent problem in the field of network security.
- the high-level, macro trends within the art include an emphasis on interception and interdiction of “phishing,” “spoofing” and other forms of email-based fraud, in which a potential victim receives an electronic communication, typically styled as a communication from a legitimate actor, such as an email, containing a link, attachment or other data vehicle, which, if interacted upon by the recipient, can initiate the installation of malware, or otherwise result in unauthorized access to the recipient’s machine and/or data.
- While a serious problem, such attacks present familiar data signatures, such as metadata, file types, and imperfectly spoofed image content (for example, static instances of checkout screens), which are amenable to machine-based analysis.
- Hybrid telephone fraud presents an under-considered species of fraud utilizing communication networks.
- Instances of hybrid telephone fraud typically comprise a user being presented, for example, through a website, printed media, or an email from a legitimate or previously-trusted source (for example, an email from a friend’s account which has been hacked) with a phone number to contact.
- the vehicle containing the fraudulent email appears, or can appear to be, from a legitimate source.
- calls from the recipient to the received number put the recipient at risk.
- the call may be used to obtain voice data (sometimes referred to as “vishing”) from the recipient as training data or source material for a malicious actor to “spoof” or impersonate the recipient.
- the call may be used as an opportunity for the malicious actor to impersonate a representative of a legitimate entity to obtain credit card data and other information of value to bad actors.
- hybrid telephone fraud presents technical and practical challenges not fully addressed by the art to date.
- instances of hybrid telephone fraud can present a greater variety of metadata and data signatures than email-based attacks.
- the metadata of the email itself may not provide any evidence of the fraud.
- Where the fraudulent telephone number is presented via other media, such as a QR code, hard copy mailing or other transmission method which does not use standard messaging protocols, the metadata of the presentation may be absent or vary significantly between presentations.
- a further layer of technical and practical challenge presented by hybrid telephone fraud resides in the fluidity and velocity with which improvements in telephony and network technology (for example, the advent of virtual SIM cards) enable fraudulent phone numbers to be acquired, retired, and moved back and forth between legitimate and illegitimate actors.
- the present disclosure provides examples of methods, apparatus, and non-transitory computer-readable media for enhancing the security of voice communication networks against hybrid phone fraud.
- a method of network monitoring includes, at a processing platform comprising a processor, a first communication interface connected to one or more first networks, and a second communication interface connected to a voice network, receiving, via the first network, a raw communication containing a phone number of the voice network. The method further includes obtaining the phone number contained in the raw communication. The method includes obtaining metadata associated with at least one of the raw communication and the obtained phone number. The method includes determining, based on the metadata, a threat score associated with the obtained phone number. The method includes determining, based on the threat score, whether to interrogate a network node associated with the obtained phone number.
- the method includes, responsive to determining that the threat score exceeds a threshold value, scheduling a call to the obtained phone number.
- the method includes calling the obtained phone number according to the schedule.
- the method includes obtaining call data from a call to the obtained phone number, and determining, based on the call data, whether the phone number is associated with misuse of the voice network.
- an apparatus includes a first communication interface connected to one or more first networks, a second communication interface connected to a voice network, and a processor.
- the processor is configured to receive, via the first network, a raw communication containing a phone number of the voice network.
- the processor is configured to obtain the phone number contained in the raw communication.
- the processor is configured to obtain metadata associated with at least one of the raw communication and the obtained phone number.
- the processor is configured to determine, based on the metadata, a threat score associated with the obtained phone number.
- the processor is configured to determine, based on the threat score, whether to interrogate a network node associated with the obtained phone number.
- the processor is configured to, responsive to determining that the threat score exceeds a threshold value, schedule a call to the obtained phone number.
- the processor is configured to call the obtained phone number according to the schedule.
- the processor is configured to obtain call data from a call to the obtained phone number and determine, based on the call data, whether the phone number is associated with misuse of the voice network.
- a non-transitory computer-readable medium comprises instructions, which when executed by a processor of an apparatus comprising a first communication interface connected to one or more first networks and a second communication interface connected to a voice network, cause the apparatus to receive, via the first network, a raw communication containing a phone number of the voice network.
- When executed by the processor, the instructions further cause the apparatus to obtain the phone number contained in the raw communication, obtain metadata associated with one or more of the raw communication and the obtained phone number, determine, based on the metadata, a threat score associated with the obtained phone number, determine, based on the threat score, whether to interrogate a network node associated with the obtained phone number, responsive to determining that the threat score exceeds a threshold value, schedule a call to the obtained phone number, call the obtained phone number according to the schedule, obtain call data from a call to the obtained phone number, and determine, based on the call data, whether the phone number is associated with misuse of the voice network.
- FIG. 1 illustrates a network architecture of a system detecting hybrid telephone fraud according to some embodiments of this disclosure
- FIG. 2 illustrates, in block diagram format, a system for performing one or more methods according to some embodiments of this disclosure
- FIG. 3 illustrates operations of an example method for identifying nodes of a voice network associated with hybrid telephone fraud
- FIGS. 4A and 4B illustrate operations of an example method for identifying nodes of a voice network associated with hybrid telephone fraud
- FIGS. 5A-5D illustrate example data structures and user interfaces associated with initiating action to take down nodes of a voice network associated with hybrid telephone fraud.
- hybrid telephone fraud, wherein a phone number associated with a fraudulent network node (for example, a smartphone of a malicious actor) is provided in a raw communication (for example, an image, another telephone call, an email, a QR code, or other medium of a heterogeneous plurality of communication media), presents unique and under-solved technical problems. For example, one user may receive a voice message with the malicious phone number, another user may receive an email with the malicious number, and a third user may receive a text or SMS message containing the malicious phone number.
- By publishing and sending raw communications containing fraudulent phone numbers, malicious actors seek to initiate calls to published numbers, from which the malicious actors may obtain voice data (which can be used as training data or for spoofing the recipient’s voice), or more traditionally, to obtain, under false pretenses, the recipient’s personal information, such as credit card number, social security number, or other information of identifying or monetary value.
- Embodiments according to the present disclosure address these technical challenges and provide methods, apparatus, and non-transitory computer-readable media for enhancing the security of voice networks by timely identifying malicious nodes of the network used to perform hybrid telephone fraud and accelerating the rates and volumes at which malicious nodes of voice networks can be taken down.
- FIG. 1 discloses a network implementation of an automated processing system 100.
- the automated processing system 100 referred to herein is configured for authenticating one or more phone numbers based on automated calling and processing of the one or more phone numbers to validate the authenticity of the phone numbers.
- the automated calls initiated through the automated calling system comprise land line calls, VOIP calls, calls through IP lines, etc.
- the automated processing system 100 may comprise one or more physical or cloud computing platforms (for example, physical or cloud servers) connected to a plurality of various communication devices 90a-90n (wherein “n” represents that any number of devices can be connected to automated processing system 100) through a first network 80.
- Communication devices 90a-90n can include, without limitation, desktop computers, smartphones, network attached scanners, or other apparatus capable of providing raw communications containing phone numbers of interest or images of same via network 80 to automated processing system 100.
- the communication devices 90a-90n may be used by users to communicate the phone numbers to the automated processing system 100.
- the communication network 80 may be a wireless network, a wired network, or a combination thereof.
- the communication network 80 may be implemented as one of the following network types: Local Area Network (LAN), Wireless Personal Area Network (WPAN), Wireless Local Area Network (WLAN), wide area network (WAN), the Internet, and the like.
- the communication network 80 may either be a dedicated network or a shared network.
- the shared network represents an association of the different types of networks that use a variety of protocols, for example, MQ Telemetry Transport (MQTT), Extensible Messaging and Presence Protocol (XMPP), Hypertext Transfer Protocol (HTTP), Transmission Control Protocol/Internet Protocol (TCP/IP), Wireless Application Protocol (WAP), and the like, to communicate with one another.
- the communication network 80 can include a variety of network devices, including routers, bridges, servers, computing devices, storage devices, and the like.
- the automated processing system 100 is configured to receive raw communications from at least one communication device of communication devices 90a-90n.
- the automated processing system 100 can, in some embodiments, receive the raw communication comprising at least one phone number, directly, via a user interface provided by automated processing system 100.
- automated processing system 100 receives raw communications containing phone numbers of interest.
- Automated processing system 100 performs a multi-layered ingestion and analysis to first obtain the phone number from the raw communication, extract metadata of the raw communication, perform a first layer analysis to determine a risk score associated with the number and metadata, and then based on the risk score, determine whether to place an interrogation call to the obtained phone number.
- the system places an automated call to the phone number to obtain call data, from which a classification (also referred to herein as an “authentication status”) of the phone number as one of valid, fraudulent or undetermined is obtained.
- embodiments according to this disclosure provide at least the following technical and practical benefits: a) conserving network and processor resources associated with contacting numbers associated with potentially fraudulent nodes of the voice network; and b) avoiding any risk of human security personnel’s voices being recorded by fraudulent actors answering interrogation calls.
- FIG. 2 illustrates, in block diagram format, an example architecture of an automated processing system 100.
- automatic processing system 100 can include a memory 10, a reception module 11, a first network interface 12, a pre-processing module 13, a processor 14, a call module 15, an identification module 16, an authentication module 17, and a processing module
- the modules also comprise a voice network interface 19 through which automated processing system 100 can connect to one or more voice networks to send and receive data as part of interrogation calls.
- the processor 14 can be implemented as one or more microprocessors, microcomputers, microcontrollers, digital signal processors, central processing units, state machines, logic circuitries, and/or any devices that cause a processor or controller to execute instructions maintained on a non-transitory, computer-readable format.
- the processor 14 can be configured to fetch and execute computer-readable instructions stored in the memory 10 and control all the modules of the automated processing system 100.
- Memory 10 and processor 14 can be connected to the plurality of modules 11-19.
- the memory 10 can serve as a repository for storing data processed, received, and generated by one or more of modules 11-19.
- the memory 10 can include data generated as a result of the operation of one or more modules 11-
- the memory 10 can be a computer-readable medium or computer program product known in the art, including, for example, Static Random-Access Memory (SRAM) and Dynamic Random-Access Memory (DRAM), and/or non-volatile memory, such as Read Only Memory (ROM), Erasable Programmable ROM (EPROM), Electrically Erasable and Programmable ROM (EEPROM), flash memories, hard disks, optical disks, and magnetic tapes.
- automated processing system 100 can include a database (not shown) that can include a repository for storing data processed, received, and generated by one or more of modules 11-19.
- the database also comprises a pre-configured database for storing one or more phone numbers used for the mapping of the at least one phone number received by the automated processing system 100.
- Interface 12 provides at least one connection to a first network, through which raw communications are initially received by automated processing system 100.
- the interface 12 can include one or more Application Programming Interfaces (APIs), which can interface with other servers and communication devices 90a-90n in FIG. 1 to programmatically import and obtain raw communications and normalize same to one or more file or data formats from which phone numbers and metadata to support a phone number authentication analysis can be obtained.
- interface 12 comprises a user interface presented by a display connected to automated processing system 100, through which a user can manually enter a phone number, and where available, other metadata of analytic interest.
- the voice network interface 19 may also be configured to receive the at least one phone number as a communication from communication devices 90a-90n, from an automated abuse email processing system, or other platform for capturing raw communications (for example, SMS messages, or “honeypot” messages sent over a variety of formats) and providing same to automated processing system 100.
- the at least one source comprises an Application Programming Interface (API) or portal or an email.
- the at least one phone number may be received through the interface 12.
- the pre-processing module 13 is configured to pre-process the at least one phone number.
- pre-processing module 13 is configured to compare an obtained phone number of analytic interest with one or more phone numbers stored in a preconfigured database or the memory 10.
- pre-processing module 13 is configured to perform optical character recognition (for example, to recover phone numbers provided as image data in a figure), perform pixel-level analysis (for example to determine if a logo or other graphic in a message has been altered, resized, or bears other indicia of malicious copying and reuse), or read encoded data (for example, QR or other machine-readable codes) in raw communications.
- Pre-processing module can be configured to extract, from a raw communication, metadata associated with the raw communication and one or more phone numbers of analytic interest in the raw communication.
- Automated processing system 100 can obtain a threat score that is generated by using one or more first Artificial Intelligence (AI) techniques and/or one or more Machine Learning (ML) models.
- Metadata obtained by pre-processing module 13 can include details of a service provider associated with the obtained phone number, a geographic location (for example, an area code or country code) associated with the phone number, and a number of instances in which a phone number provided in a raw communication has been previously analyzed.
- the metadata obtained by pre-processing module 13 can also include a carrier name associated with the number, responsible organization (respOrg) information for a toll-free number, and information as to a type of line (mobile or fixed line) to which one or more numbers of analytic interest is assigned.
- the threat score comprises a score assigned to each of the at least one number by providing the metadata and the obtained number to a first AI/ML model.
- Features of the first AI/ML model can include one or more of: a number of times the phone number has been previously analyzed; numerical similarities (for example, a single number difference) between the received number and known fraudulent numbers; whether the phone number is on one or more whitelists of phone numbers; domain properties of a sender of the raw communication; a country code of the phone number; and textual properties of the raw communication.
- automated processing system 100 can interrogate the network node (as used herein, the expression “network node” encompasses an electronic device, such as a phone or computer, which is associated with a phone number and configured to receive and place voice calls at the phone number) associated with the phone number by placing a call scheduled and dialed by call module 15 and sent out through voice network interface 19.
- the call is established through the call module 15.
- the processor 14 then identifies a call status of the open to call phone number through an identification module 16.
- call module 15 obtains call data.
- call data encompasses a recordation of the events and sounds presented to automated processing system 100 during the interrogation call.
- Examples of call data according to this disclosure include, without limitation, data as to whether the phone number was connected (i.e., was a dial tone heard), whether the call was answered, evidence of re-routing or redirection of the call; evidence of signal degradation associated with the call being answered over a VoIP connection or other potentially lossy pathway; a transcript of the call; voice data of the entity answering the call; and whether the call was answered by a human or a voice recording.
- Further examples of call data include evidence of the call reaching a busy number, a failed connection, a call disconnected, an out of service and/or range number, a not answered number, or a no response number.
- the processor 14 then applies the call data to a second AI/ML model, which is a classifier model trained to output a determination, based on features of the call data, whether the dialed number is fraudulent, not fraudulent, or undetermined.
- the first or second AI/ML models are provided by an authentication module 17, which can include one or more processors (for example, graphic processing units (GPUs) or neural processing units (NPUs)) architecturally optimized to implement AI/ML models.
- the authenticity status comprises one of a fraudulent phone number or an authentic phone number (may also be referred to as non-fraudulent phone number, legitimate phone number, or the like).
- the automated processing system (100) filters out numbers which are not strong candidates for the processing and network overhead associated with making interrogation calls and analyzing same.
- embodiments according to the present disclosure are able to monitor and secure a voice network without imposing undue call burdens on the monitored network.
- FIG. 3 illustrates operations of an example method 300 for monitoring a voice network for malicious nodes and instances of phone numbers associated with hybrid telephone fraud.
- the automated processing system comprises the automated processing system (100) as discussed above in FIG. 1 and FIG. 2.
- a raw communication is received, via a first network, wherein the raw communication contains a phone number of a voice network to which the automated processing platform is connected (for example, via voice network interface 19 in FIG. 2).
- the raw communication received at operation 305 can be in one of a heterogeneous plurality of communication formats, including, without limitation, image files, emails, text/SMS messages, encoded communication formats (for example, bar or QR codes), and audio files (for example, a voice message inviting a recipient to call a phone number).
- the processing platform pre-processes the raw communication to obtain the phone number contained in the raw communication.
- operation 310 may comprise pulling metadata readily available in the raw communication (such as the phone number from which an SMS message was sent, or from which a call leaving a voice message was placed).
- obtaining the phone number can involve machine-driven analysis (for example, applying optical character recognition to an image or voice to text recognition to an audio recording) to obtain the phone number contained in the raw communication.
- the processing platform performs further pre-processing of the raw communication to extract additional metadata associated with one or more of the phone number and the raw communication.
- the metadata obtained at operation 315 can include geographic information associated with the number, a line/device type associated with the number, and a number of instances in which the obtained number has been previously interrogated.
- the metadata obtained at operation 315 can further include a grammatical or pixel-level analysis of the text and/or images embedded in the raw communication.
- the processing platform determines a threat score associated with the raw communication and the obtained phone number.
- the determination of the threat score can, in some embodiments, proceed programmatically according to rules-based logic which increments or decrements a baseline threat score based on the presence or absence of relevant features associated with the phone number. Additionally, or alternatively, the determination of the threat score may be performed, in whole or in part, by a first AI/ML model which is trained to associate a threat score value according to a predetermined set of features potentially present in either the raw communication, the phone number or metadata obtained from same.
- Features of the first AI/ML model can include one or more of: a number of times the phone number has been previously analyzed; whether the phone number is on one or more “known good lists” of phone numbers; domain properties of a sender of the raw communication; a country code of the phone number; and textual properties (for example, misspellings, improbable grammatical errors, flagged words) of the raw communication.
- the processing platform determines, based on the threat score determined at operation 320, whether to interrogate a network node (i.e., call the device connected to the network at the phone number) associated with the phone number.
- the processing platform schedules a call to the network node at the obtained phone number.
- scheduling the interrogation call at operation 325 can maximize the likelihood that the interrogation call is placed at a time when an innocent (i.e., non-fraudulent) recipient is not awoken, and if the number is associated with fraudulent misuse of a voice network, that one or more malicious actors will be awake to answer the phone.
- the processing platform places a call (for example, by using call module 15 and voice network interface 19 in FIG. 2) to the phone number.
- the processing platform obtains call data from the call to the phone number.
- call data comprises data evincing what happened when the processing platform attempted to call the telephone number.
- Examples of call data include, without limitation, session initiation protocol (SIP) / Q.850 status codes, call duration, whether the recipient terminated the call, whether an answer was received from the call to the phone number, whether the call was answered with a recorded message, whether the call was a voice mail message, whether the call contained audio cues associated with re-routing or redirection of the call; and identified words in a transcript of the call.
- At operation 345, the processing platform determines, based on the call data, whether the phone number is associated with fraud or misuse of the voice network.
- operation 345 can be performed programmatically, and according to a predefined workflow of rules, such as a set of rules which increment or decrement a fraud score based on the presence or absence of factors in the call data. Additionally, or alternatively, in some embodiments, operation 345 can be performed in whole or in part, by providing the call data to a second AI/ML model comprising a classifier trained to classify, based on features of the call data, whether the phone number is fraudulent, non-fraudulent or undetermined.
- the processing platform can perform any number of follow-on operations, including, without limitation, storing the number as non-fraudulent, or initiating action to deactivate the number based on the call data and determination obtained at operation 345.
- FIGS. 4A and 4B illustrate operations of a method 400 for targeted interrogation of a voice network to test for network nodes and phone numbers associated with hybrid telephone fraud, according to various embodiments of this disclosure.
- At block 402 at least one phone number is received by the automated processing system 100.
- Ingestion at block 402 can, in some embodiments, also include passing received SMS/text messages through a “honeypot system” to screen for messages purporting to be from reputable actors (for example, well-known e-commerce and websites, online payment platforms and the like), instructing the recipient to call a number.
- the “honeypot system” can perform additional layers of contextual analysis on the received message to search for indicia of inauthenticity.
- the “honeypot system” implements one or more AI/ML models to perform the contextual analysis.
- the at least one phone number is received in connection with a raw communication.
- the at least one phone number can be received from one or more devices (for example, communication devices 90a-n in FIG. 1) configured to capture and forward raw communications for further analysis of phone numbers embedded therein.
- ingestion sources include, without limitation, specifically configured APIs by which automated processing system 100 posts requests for new raw communications, or an email inbox, from which raw communications containing phone numbers for further analysis can be received.
- the at least one phone number is extracted from an image of the abuse email body, by, for example, using one or more of: OCR and text extraction.
- the automated processing system (100) checks if the at least one phone number is a known-good number by mapping the at least one number with one or more numbers stored in a preconfigured database.
- the automated processing system 100 marks the number as legitimate which in turn marks the number as the closed number for which calling is not required.
- the automated processing system 100 marks the known-good number as not requiring any further present action, and can send an electronic notification to a user of the status of the number.
- the automated processing system 100 checks if the at least one phone number is a previously called number.
- the automated processing system 100 marks the number as a duplicate number which in turn marks the number as the closed number for which calling is not required.
- the automated processing system 100 marks the closed phone as a completely processed number not requiring any human intervention.
- the automated processing system 100 marks the number as an open to call phone number and collects metadata about the open to call phone number. The metadata is used for generating the threat score. The threat score is then assigned to the open to call phone number.
- the automated processing system 100 determines a time of calling before initiating or establishing the call to the open to call phone number.
- the automated processing system 100 pauses the call until correct timing hours, such as during normal business hours.
- the automated processing system may initiate the call to the open to call phone number during the correct timing hours and determine if the call has been initiated successfully. In certain embodiments, the system can, based on contextual evidence in the metadata regarding the number suggesting that the number is associated with an SMS system, send a text or SMS message to the number.
- the number may be marked to be requeued for second and further attempts at an interrogation call. After a threshold number of interrogation calls have been unsuccessfully placed, the number is marked as completely processed and no human intervention is required (for example, at block 454).
- the automated processing system 100 determines if the call is picked up or received by a user.
- the automated processing system verifies if the call has already been attempted for a predefined number of times, for example, the predefined number of times may comprise 3 attempts.
- the automated processing system requeues the number for calling after a predefined period of time.
- the predefined period of time may be customized in the automated processing system.
- blocks 416-426 may be repeated until a predefined number of attempts of calling are exhausted.
- the automated processing system verifies if a phone number has reached a predetermined limit for a number of call attempts, at which point, the automated processing system then identifies the call status as not answered or no response at block 436 and marks the phone number as a closed number.
- the automated processing system marks the phone number, which is now the closed number as not requiring any further present action (including, without limitation, human intervention).
- the automated processing system checks whether the number identified as busy (in block 418) contains any evidence. If there is no evidence, blocks 424 onwards are repeated for a predetermined number of times. If there is evidence, block 452 is executed: call data, such as number, metadata, customer provided evidence, and a transcript are stored and an alert is generated for further processing (for example, human review, or to be provided as data in support of initiating action against the network node associated with the phone number).
- the automated processing system then starts recording/capturing transcription and determines if the transcript is less than or equal to a threshold time (for example, 30 seconds).
- the automated processing system maintains connection for 30 seconds while recording the transcription, plays recorded greeting if needed, and then simultaneously ends the transcription and terminates the call.
- the automated processing system stores the transcription to a database in the automated processing system.
- the automated processing system checks whether the transcript indicates that the phone number to which the call was placed has been disconnected. At block 440, if the transcript indicates that the call was not received, the number is marked as disconnected and is marked as completely processed at block 454.
- the call status may be identified based on the presence or absence of a call transcript from the call.
- the presence or absence of a call transcript can be determined based on a Session Initiation Protocol (SIP) response code of the call.
- the response transcript can comprise at least one of: words or phrases confirming disconnection or retirement of the at least one phone number. For example, the presence of phrases such as: call disconnected, phone number no longer in service, the phone number not in service, the phone number cannot be reached, the call cannot be completed, sorry the phone number you requested cannot be dialed, check the number and dial again, are indicative of disconnected numbers, which, at least presently, cannot be associated with hybrid telephone fraud.
- the authentication module 17 determines the authenticity status of the at least one phone number.
- the authenticity status can be a classification of the phone number as one of: fraudulent, not fraudulent, or undetermined.
- the processor 18 can process the at least one phone number according to the authenticity status.
- the automated processing system checks if the transcript indicates that the interrogation call went to voice mail. If no, then at block 444, the automated processing system confirms if the call duration is a predetermined period of time, such as less than 3 seconds.
- the automated processing system determines whether the voice mail message suggests the incidence of fraud. If no fraud is indicated, then blocks 424 onwards are repeated. If yes, then at block 444, the automated processing system checks if the call duration is less than 3 seconds. If the call duration is more than 3 seconds, then the automated processing system determines at block 448 if the call transcript proves fraud and, if yes, at block 450 the automated processing system marks the number as fraud. At block 450, the automated processing system checks if the transcript evinces any fraud, and at block 452, the automated processing system presents the number, the metadata, customer-provided evidence, and transcript to an analyst for human verification.
- the identifications can be readily applied to initiate action to disable or block the network node(s) associated with misuse or hybrid telephone fraud. While it is possible to automatically take down phone numbers associated with malicious network nodes, from a technical and practical standpoint, it can often be advantageous to make the outputs of the processing platform human-visible either before or after initiating action against the number. As one example of the practical desirability of making the logic underlying a phone number takedown accessible, consider the case of a phone number associated with a mobile phone in a geographic location associated with a present emergency (for example, flooding or a hurricane).
- FIG. 5A illustrates an example of a human-readable user interface 500 reporting information of an analysis of an analyzed phone number.
- UI 500 includes fields reporting a customer name and email address of a customer associated with the phone number, a submission type of the phone numbers, a name of an organization who has provided the phone numbers for determining its authenticity status, attachments/screenshots indicating the authenticity or processing status of the open to call phone numbers.
- UI 500 includes action buttons 501, wherein, even if action (or inaction, i.e., doing nothing) regarding the phone number can be initiated automatically, a user can review the data record associated with the number, and through action buttons 501, initiate action according to her best human judgment. In this way, situations such as a takedown of a phone number associated with a device in an emergency zone can be preempted.
- FIG. 5B illustrates a further example of a user interface 520 for presenting the obtained metadata as well as an image of a raw communication 521 to facilitate human override of action initiated in response to a fraud determination, and to provide transparency into the operation of one or more AI/ML models collaborating on the analysis of raw communications and phone numbers obtained from same.
- FIG. 5C illustrates a human-readable version of a data structure 540 (for example, a takedown request ticket) which can be transmitted from automatic processing system 100 to a control node (for example, a mobile management entity “MME” of 4G or LTE wireless network) to disable an identified fraudulent node.
- FIG. 5D illustrates an example user interface 550 permitting a user of automated processing system 100 to send a communication to a customer indicating that a ticket has been created for the takedown of a phone number associated with hybrid telephone fraud.
- the shutdown ticket may be populated in the customer portal/API and the Anti-Fraud Security Operations Center analyst may track the disconnection progress of the phone number until the phone number has been disconnected and marked as the closed phone number.
- Examples of methods according to this disclosure include methods comprising, responsive to determining that the phone number is associated with misuse of the voice network, initiating action to deactivate the phone number.
- Examples of methods according to this disclosure include methods, wherein determining the threat score comprises providing the metadata to a first artificial intelligence/machine learning (“AI/ML”) model trained to output the threat score based on the metadata.
- Examples of methods according to this disclosure include methods, wherein features of the first AI/ML model include one or more of: a number of times the phone number has been previously analyzed; whether the phone number is on one or more “known good lists” of phone numbers; domain properties of a sender of the raw communication; a country code of the phone number; and textual properties of the raw communication.
- Examples of methods according to this disclosure include methods, wherein determining, based on the call data, whether the phone number is associated with misuse of the voice network comprises providing the call data to a second AI/ML classifier model trained to classify a phone number as fraudulent, not fraudulent, or undetermined.
- Examples of methods according to this disclosure include methods, wherein features of the second AI/ML model include one or more of: whether an answer was received from calling to the phone number, whether the call was answered with a recorded message, whether the call was a voice mail message, whether the call contained audio cues associated with re-routing or redirection of the call; and identified words in a transcript of the call.
- Examples of methods according to this disclosure include methods, wherein performing further pre-processing of the raw communication to obtain metadata associated with the raw communication and the obtained phone number comprises at least one of: performing optical character recognition (OCR) of the raw communication, identifying one or more internet protocol (IP) addresses associated with the raw communication, or performing pixel-level analysis of one or more images embedded in the raw communication.
- Examples of apparatus according to this disclosure include apparatus, wherein the processor is further configured to, responsive to determining that the phone number is associated with misuse of the voice network, initiate action to deactivate the phone number.
- Examples of apparatus according to this disclosure include apparatus, wherein the processor is configured to determine the threat score by providing the metadata to a first artificial intelligence/machine learning (“AI/ML”) model trained to output the threat score based on the metadata.
- Examples of apparatus according to this disclosure include apparatus, wherein features of the first AI/ML model include one or more of: a number of times the phone number has been previously analyzed; whether the phone number is on one or more “known good lists” of phone numbers; domain properties of a sender of the raw communication; a country code of the phone number; and textual properties of the raw communication.
- Examples of apparatus according to this disclosure include apparatus, wherein the processor is configured to determine, based on the call data, whether the phone number is associated with misuse of the voice network by providing the call data to a second AI/ML classifier model trained to classify a phone number as fraudulent, not fraudulent, or undetermined.
- Examples of apparatus according to this disclosure include apparatus, wherein features of the second AI/ML model include one or more of: whether an answer was received from the call to the phone number, whether the call was answered with a recorded message, whether the call was a voice mail message, whether the call contained audio cues associated with re-routing or redirection of the call; and identified words in a transcript of the call.
- Examples of apparatus according to this disclosure include apparatus, wherein the processor is further configured to perform further pre-processing of the raw communication to obtain metadata associated with the raw communication and the obtained phone number by performing at least one of: performing optical character recognition (OCR) of the raw communication, identifying one or more internet protocol (IP) addresses associated with the raw communication, or performing pixel-level analysis of one or more images embedded in the raw communication.
- non-transitory computer-readable media examples include non-transitory computer-readable media containing instructions, wherein, when executed by the processor, the instructions cause the apparatus to, responsive to determining that the phone number is associated with misuse of the voice network, initiate action to deactivate the phone number.
- non-transitory computer-readable media examples include non-transitory computer-readable media containing instructions, wherein, when executed by the processor, the instructions cause the apparatus to determine the threat score by providing the metadata to a first artificial intelligence/machine learning (“AI/ML”) model trained to output the threat score based on the metadata.
- non-transitory computer-readable media examples include non-transitory computer-readable media wherein features of the first AI/ML model include one or more of: a number of times the phone number has been previously analyzed; whether the phone number is on one or more “known good lists” of phone numbers; domain properties of a sender of the raw communication; a country code of the phone number; and textual properties of the raw communication.
- non-transitory computer-readable media examples include non-transitory computer-readable media containing instructions, wherein, when executed by the processor, the instructions cause the apparatus to determine, based on the call data, whether the phone number is associated with misuse of the voice network by providing the call data to a second AI/ML classifier model trained to classify a phone number as fraudulent, not fraudulent or undetermined.
- non-transitory computer-readable media examples include non-transitory computer-readable media, wherein features of the second AI/ML model include one or more of: whether an answer was received from the call to the phone number, whether the call was answered with a recorded message, whether the call was a voice mail message, whether the call contained audio cues associated with re-routing or redirection of the call; and identified words in a transcript of the call.
- any appropriate steps, methods, features, functions, or benefits disclosed herein may be performed through one or more functional units or modules of one or more virtual apparatuses.
- Each virtual apparatus may comprise a number of these functional units.
- These functional units may be implemented via processing circuitry, which can include one or more microprocessors or microcontrollers, as well as other digital hardware, which can include digital signal processors, DSPs, special-purpose digital logic, and the like.
- the processing circuitry may be configured to execute program code stored in memory, which can include one or several types of memory such as read-only memory (ROM), random-access memory, RAM, cache memory, flash memory devices, optical storage devices, etc.
- Program code stored in memory includes program instructions for executing one or more telecommunications and/or data communications protocols as well as instructions for carrying out one or more of the techniques described herein.
- the processing circuitry may be used to cause the respective functional unit to perform corresponding functions according to one or more embodiments of the present disclosure.
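
The call triage described in the passages above (known-good and duplicate checks before calling, the three-attempt requeue limit, the disconnected-number phrases and the 3-second duration check), as an added Python example that is not code from the patent. The names, the fraud cue strings, and the handling of calls under 3 seconds and of transcripts without cues are assumptions; the sample numbers and transcripts are constructed.

```python
import re
from dataclasses import dataclass
from enum import Enum

# Phrases the description lists as indicating a disconnected or retired number.
DISCONNECT_PHRASES = (
    "call disconnected", "no longer in service", "not in service",
    "cannot be reached", "cannot be completed", "cannot be dialed",
    "check the number and dial again",
)
# Assumption: constructed placeholder cues. The description leaves this decision
# to a rule workflow or a trained classifier and lists no keywords.
FRAUD_CUES = ("refund department", "remote access", "gift card")
MAX_ATTEMPTS = 3          # example attempt limit given in the description
MIN_DURATION_SECONDS = 3  # duration check at block 444


class Disposition(Enum):
    CLOSED_KNOWN_GOOD = "closed: known-good, no call required"
    CLOSED_DUPLICATE = "closed: previously called"
    OPEN_TO_CALL = "open to call"
    REQUEUE = "requeue for another attempt"
    CLOSED_NO_RESPONSE = "closed: not answered / no response"
    CLOSED_DISCONNECTED = "closed: disconnected"
    ANALYST_REVIEW = "store call data and alert analyst"
    UNDETERMINED = "undetermined"


@dataclass
class CallRecord:
    attempts: int                 # interrogation calls placed so far
    answered: bool = False
    busy: bool = False
    has_evidence: bool = False    # customer-provided evidence on file
    voicemail: bool = False
    duration_seconds: float = 0.0
    transcript: str = ""


def normalize(number: str) -> str:
    """Reduce a phone number to its digits so list lookups ignore formatting."""
    return re.sub(r"\D", "", number)


def pre_call_triage(number, known_good, previously_called):
    """Known-good and duplicate checks that run before any call is scheduled."""
    digits = normalize(number)
    if digits in known_good:
        return Disposition.CLOSED_KNOWN_GOOD
    if digits in previously_called:
        return Disposition.CLOSED_DUPLICATE
    return Disposition.OPEN_TO_CALL


def _requeue_or_close(call):
    """Requeue until the attempt limit is reached, then close as no response."""
    if call.attempts >= MAX_ATTEMPTS:
        return Disposition.CLOSED_NO_RESPONSE
    return Disposition.REQUEUE


def post_call_triage(call):
    """Map the call data of one interrogation call to a disposition."""
    text = " ".join(call.transcript.lower().split())
    # Network intercept recordings can play without the call being answered,
    # so the disconnected-number phrases are checked first.
    if any(phrase in text for phrase in DISCONNECT_PHRASES):
        return Disposition.CLOSED_DISCONNECTED
    if not call.answered:
        # A busy number with evidence on file goes straight to the analyst.
        if call.busy and call.has_evidence:
            return Disposition.ANALYST_REVIEW
        return _requeue_or_close(call)
    suspicious = any(cue in text for cue in FRAUD_CUES)
    if call.voicemail and not suspicious:
        return _requeue_or_close(call)
    if call.duration_seconds < MIN_DURATION_SECONDS:
        # Assumption: too short to judge, so treat it like an unanswered call.
        return _requeue_or_close(call)
    # Assumption: a transcript without cues stays "undetermined".
    return Disposition.ANALYST_REVIEW if suspicious else Disposition.UNDETERMINED


if __name__ == "__main__":
    # Constructed sample data (555-01xx numbers are reserved for fiction).
    known_good = {normalize("+1 (202) 555-0100")}
    seen = {normalize("+1 202 555 0111")}
    print(pre_call_triage("+1 202 555 0123", known_good, seen).value)
    sample = CallRecord(attempts=1, answered=True, duration_seconds=25,
                        transcript="Thank you for calling the refund department.")
    print(post_call_triage(sample).value)
```
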
Landscapes
- Engineering & Computer Science (AREA)
- Computer Security & Cryptography (AREA)
- Signal Processing (AREA)
- Computer Networks & Wireless Communication (AREA)
- Computer Hardware Design (AREA)
- Computing Systems (AREA)
- General Engineering & Computer Science (AREA)
- Telephonic Communication Services (AREA)
Abstract
A method includes receiving, via a network (80), a raw communication containing a phone number of a voice network (305). The method includes obtaining the phone number in the raw communication (310), obtaining metadata associated with at least one of the raw communication and the obtained phone number (315), determining a threat score associated with the obtained phone number (32), determining, based on the threat score, whether to interrogate a network node (325, 90a-90n), responsive to determining that the threat score exceeds a threshold value, scheduling a call to the obtained phone number (330), calling the obtained phone number according to the schedule (335), obtaining call data from a call to the obtained phone number (340) and determining, based on the call data, whether the phone number is associated with fraud (345).
Description
METHOD AND SYSTEM FOR AUTOMATED PROCESSING AND RESOLUTION OF PHONE NUMBERS
TECHNICAL FIELD
[0001] The present disclosure relates generally to network security and systems for same. More particularly, the present disclosure pertains to systems and methods for analysis for detecting nodes of communication networks, such as telephone networks, which are being used for fraudulent or malicious purposes.
BACKGROUND
[0002] Wire fraud and the use of communication networks for malicious ends is a persistent problem in the field of network security. The high-level, macro trends within the art include an emphasis on interception and interdiction of “phishing,” “spoofing” and other forms of email-based fraud, in which a potential victim receives an electronic communication, typically styled as a communication from a legitimate actor, such as an email, containing a link, attachment or other data vehicle, which, if interacted upon by the recipient, can initiate the installation of malware, or otherwise result in unauthorized access to the recipient’s machine and/or data. While still a serious problem, such attacks present familiar data signatures, such as metadata, file types, and imperfectly spoofed image content (for example, static instances of checkout screens) which are amenable to machine-based analysis.
[0003] “Hybrid” telephone fraud presents an under-considered species of fraud utilizing communication networks. Instances of hybrid telephone fraud typically comprise a user being presented, for example, through a website, printed media, or an email from a legitimate or previously-trusted source (for example, an email from a friend’s account which has been hacked) with a phone number to contact. Importantly, the vehicle containing the fraudulent email appears, or can appear to be, from a legitimate source. However, calls from the recipient to the received number put the recipient at risk. In some examples, the call may be used to obtain voice data (sometimes referred to as “vishing”) from the recipient as training data or source material for a malicious actor to “spoof” or impersonate the recipient. Additionally, or alternatively, the call may be used as an opportunity for the malicious actor to impersonate a representative of a legitimate entity to obtain credit card data and other information of value to bad actors.
[0004] Such hybrid telephone fraud presents technical and practical challenges not fully addressed by the art to date. For example, unlike conventional email-based fraud, instances of hybrid telephone fraud can present a greater variety of metadata and data signatures than email-based attacks. For example, when a legitimate contact’s email has been hacked and used as a vehicle for transmitting a fraudulent phone number, the metadata of the email itself may not provide any evidence of the fraud. Similarly, where the fraudulent telephone number is presented via other media, such as a QR code, hard copy mailing or other transmission method which does not use standard messaging protocols, the metadata of the presentation may be absent or vary significantly between presentations. A further layer of technical and practical challenge presented by hybrid telephone fraud resides in the fluidity and velocity with which improvements in telephony and network technology (for example, the advent of virtual SIM cards) enable fraudulent phone numbers to be acquired, retired, and moved back and forth between legitimate and illegitimate actors.
[0005] While some degree of tracking and policing malicious nodes of a telephone network (i.e., phone numbers associated with fraud operations) by human-performed means (for example, having human security professionals call each number) is possible, such approaches are impractical, slow, and ineffective for at least the following reasons. First, such approaches court the risk of the human security professionals’ voices being recorded and maliciously repurposed. Second, even if aggressively scaled, such approaches fail to solve the technical challenges associated with the heterogeneity of presentation vehicles for malicious phone numbers and ingesting data across the wide spectrum of potential data forms that can serve as vehicles for presenting malicious phone numbers to victims. Third, such human-performed approaches are inefficient and may present instances of over-or-under monitoring, depending on whether humans test every embedded phone number, or an arbitrary, human-selected subset of phone numbers presented for analysis. Thus, hardening voice communication networks against hybrid phone fraud remains a source of technical challenges and opportunities for improvement in the art.
SUMMARY
[0006] The present disclosure provides examples of methods, apparatus, and non-transitory computer-readable media for enhancing the security of voice communication networks against hybrid phone fraud.
[0007] According to some embodiments, a method of network monitoring includes, at a processing platform comprising a processor, a first communication interface connected to one or more first networks, and a second communication interface connected to a voice network, receiving, via the first network, a raw communication containing a phone number of the voice network. The method further includes obtaining the phone number contained in the raw communication. The method includes obtaining metadata associated with at least one of the raw communication and the obtained phone number. The method includes determining, based on the metadata, a threat score associated with the obtained phone number. The method includes determining, based on the threat score, whether to interrogate a network node associated with the obtained phone number. The method includes, responsive to determining that the threat score exceeds a threshold value, scheduling a call to the obtained phone number. The method includes calling the obtained phone number according to the schedule. The method includes obtaining call data from a call to the obtained phone number, and determining, based on the call data, whether the phone number is associated with misuse of the voice network.
[0008] According to some embodiments, an apparatus includes a first communication interface connected to one or more first networks, a second communication interface connected to a voice network, and a processor. The processor is configured to receive, via the first network, a raw communication containing a phone number of the voice network. The processor is configured to obtain the phone number contained in the raw communication. The processor is configured to obtain metadata associated with at least one of the raw communication and the obtained phone number. The processor is configured to determine, based on the metadata, a threat score associated with the obtained phone number. The processor is configured to determine, based on the threat score, whether to interrogate a network node associated with the obtained phone number. The processor is configured to, responsive to determining that the threat score exceeds a threshold value, schedule a call to the obtained phone number. The processor is configured to call the obtained phone number according to the schedule. The processor is configured to obtain call data from a call to the obtained phone number and determine, based on the call data, whether the phone number is associated with misuse of the voice network.
[0009] According to some embodiments, a non-transitory computer-readable medium comprises instructions, which when executed by a processor of an apparatus comprising a first communication interface connected to one or more first networks and a second communication interface connected to a voice network, cause the apparatus to receive, via the first network, a raw communication containing a phone number of the voice network. When executed by the processor, the instructions further cause the apparatus to obtain the phone number contained in the raw communication, obtain metadata associated with one or more of the raw communication and the obtained phone number, determine, based on the metadata, a threat score associated with the obtained phone number, determine, based on the threat score, whether to interrogate a network node associated with the obtained phone number, responsive to determining that the threat score exceeds a threshold value, schedule a call to the obtained phone number, call the obtained phone number according to the schedule, obtain call data from a call to the obtained phone number, and determine, based on the call data, whether the phone number is associated with misuse of the voice network.
[0010] Other advantages may be readily apparent to one having skill in the art. Certain embodiments may have none, some, or all of the recited advantages.
BRIEF DESCRIPTION OF THE DRAWINGS
[0011] The foregoing will be apparent from the following more particular description of the example embodiments, as illustrated in the accompanying drawings in which like reference characters refer to the same parts throughout the different views. The drawings are not necessarily to scale, emphasis instead being placed upon illustrating the example embodiments.
[0012] FIG. 1 illustrates a network architecture of a system detecting hybrid telephone fraud according to some embodiments of this disclosure;
[0013] FIG. 2 illustrates, in block diagram format, a system for performing one or more methods according to some embodiments of this disclosure;
[0014] FIG. 3 illustrates operations of an example method for identifying nodes of a voice network associated with hybrid telephone fraud;
[0015] FIGS. 4A and 4B illustrate operations of an example method for identifying nodes of a voice network associated with hybrid telephone fraud; and
[0016] FIGS. 5A-5D illustrate example data structures and user interfaces associated with initiating action to take down nodes of a voice network associated with hybrid telephone fraud.
DETAILED DESCRIPTION
[0017] Aspects of the present disclosure will be described more fully hereinafter with reference to the accompanying drawings. The method and the automated processing system disclosed herein can, however, be realized in many different forms and should not be construed as being limited to the aspects set forth herein. Like numbers in the drawings refer to like elements throughout.
[0018] The terminology used herein is for the purpose of describing particular aspects of the disclosure only and is not intended to limit the invention. It should be emphasized that the term “comprises/comprising” when used in this specification is taken to specify the presence of stated features, integers, steps, or components, but does not preclude the presence or addition of one or more other features, integers, steps, components, or groups thereof. As used herein, the singular forms “a,” “an” and “the” are intended to include the plural forms as well, unless the context clearly indicates otherwise.
[0019] Embodiments of the present disclosure will be described and exemplified more fully hereinafter with reference to the accompanying drawings. The solutions disclosed herein can, however, be realized in many different forms and should not be construed as being limited to the examples set forth herein.
[0020] It will be appreciated that when the present disclosure is described in terms of a method, it may also be embodied in one or more processors and one or more memories coupled to the one or more processors, wherein the one or more memories store one or more programs that perform the steps, services and functions disclosed herein when executed by the one or more processors.
[0021] For consistency and convenience of cross-reference, any elements common to more than one figure are numbered similarly.
[0022] As noted elsewhere in this disclosure, hybrid telephone fraud, wherein a phone number associated with a fraudulent network node (for example, a smartphone of a malicious actor) is provided in a raw communication (for example, an image, another telephone call, an email, a QR code, or other medium of a heterogenous plurality of communication media), presents unique and under-solved technical problems. For example, one user may receive a voice message with the malicious phone number, another user may receive an email with the malicious number, and a third user may receive a text or SMS message containing the malicious phone number. By publishing and sending raw communications containing fraudulent phone numbers, malicious actors seek to initiate calls to published numbers, from which the malicious actors may obtain voice data (which can be used as training data or for spoofing the recipient’s voice), or more traditionally, to obtain, under false pretenses, the recipient’s personal information, such as credit card number, social security number, or other information of identifying or monetary value.
[0023] Addressing hybrid telephone fraud presents several unique technical and practical problems. First, while calls by human fraud investigators can often identify actual or suspected fraudulent phone numbers, such calls pose the risk of malicious actors obtaining voice and name information of the human fraud investigators, which is undesirable. Second, technical advances in access to telephony networks and re-routing calls allow malicious actors to rapidly change phone numbers, making it difficult for human investigators to timely detect fraud. Third, by its nature, raw communications used for hybrid telephone fraud can be conducted over a variety of formats, presenting data ingestion and normalization challenges. Embodiments according to the present disclosure address these technical challenges and provide methods, apparatus, and non-transitory computer-readable media for enhancing the security of voice networks by timely identifying malicious nodes of the network used to perform hybrid telephone fraud and accelerating the rates and volumes at which malicious nodes of voice networks can be taken down.
[0024] FIG. 1 discloses a network implementation of an automated processing system 100. The automated processing system 100 referred to herein is configured for authenticating one or more phone numbers based on automated calling and processing of the one or more phone numbers to validate the authenticity of the phone numbers. In an example, the automated calls initiated through the automated calling system comprise landline calls, VoIP calls, calls through IP lines, etc.
[0025] As depicted in FIG. 1, the automated processing system 100 may comprise one or more physical or cloud computing platforms (for example, physical or cloud servers) connected to a plurality of various communication devices 90a-90n (wherein “n” represents that any number of devices can be connected to automated processing system 100) through a first network 80. Communication devices 90a-90n can include, without limitation, desktop computers, smartphones, network attached scanners, or other apparatus capable of providing raw communications containing phone numbers of interest or images of same via network 80 to automated processing system 100. In some examples, the communication devices 90a-90n may be used by users to communicate the phone numbers to the automated processing system 100.
[0026] In an example implementation, the communication network 80 may be a wireless network, a wired network, or a combination thereof. The communication network 80 may be implemented as one of the following network types: Local Area Network (LAN), Wireless Personal Area Network (WPAN), Wireless Local Area Network (WLAN), wide area network (WAN), the Internet, and the like. The communication network 80 may either be a dedicated network or a shared network. The shared network represents an association of the different types of networks that use a variety of protocols, for example, MQ Telemetry Transport (MQTT), Extensible Messaging and Presence Protocol (XMPP), Hypertext Transfer Protocol (HTTP), Transmission Control Protocol/Internet Protocol (TCP/IP), Wireless Application Protocol (WAP), and the like, to communicate with one another. Further, the communication network 80 can include a variety of network devices, including routers, bridges, servers, computing devices, storage devices, and the like.
[0027] The automated processing system 100 is configured to receive raw communications from at least one communication device of communication devices 90a-90n. The automated processing system 100 can, in some embodiments, receive the raw communication comprising at least one phone number, directly, via a user interface provided by automated processing system 100.
[0028] As described in greater detail elsewhere in this disclosure, automated processing system 100 receives raw communications containing phone numbers of interest. Automated processing system 100 performs a multi-layered ingestion and analysis to first obtain the phone number from the raw communication, extract metadata of the raw communication, perform a first layer analysis to determine a risk score associated with the number and metadata, and then based on the risk score, determine whether to place an interrogation call to the obtained phone number. In cases where the risk score exceeds a threshold value, and placing an interrogation call is warranted, the system places an automated call to the phone number to obtain call data, from which a classification (also referred to herein as an “authentication status”) of the phone number as one of valid, fraudulent or undetermined is obtained. As such, embodiments according to this disclosure provide at least the following technical and practical benefits: a) conserving network and processor resources associated with contacting numbers associated with potentially fraudulent nodes of the voice network; and b) avoiding any risk of human security personnel’s voices being recorded by fraudulent actors answering interrogation calls.
[0029] FIG. 2 illustrates, in block diagram format, an example architecture of an automated processing system 100.
[0030] Referring to the illustrative example of FIG. 2, automatic processing system 100 can include a memory 10, a reception module 11, a first network interface 12, a pre-processing module 13, a processor 14, a call module 15, an identification module 16, an authentication module 17, and a processing module 18. The modules also comprise a voice network interface 19 through which automated processing system 100 can connect to one or more voice networks to send and receive data as part of interrogation calls.
[0031] The processor 14 can be implemented as one or more microprocessors, microcomputers, microcontrollers, digital signal processors, central processing units, state machines, logic circuitries, and/or any devices that cause a processor or controller to execute instructions maintained on a non-transitory, computer-readable format. Among other capabilities, the processor 14 can be configured to fetch and execute computer-readable instructions stored in the memory 10 and control all the modules of the automated processing system 100.
[0032] Memory 10 and processor 14 can be connected to the plurality of modules 11-19. The memory 10 can serve as a repository for storing data processed, received, and generated by one or more of modules 11-19. The memory 10 can include data generated as a result of the operation of one or more modules 11-19. The memory 10 can be a computer-readable medium or computer program product known in the art, such as Static Random-Access Memory (SRAM) and Dynamic Random-Access Memory (DRAM), and/or non-volatile memory, such as Read Only Memory (ROM), Erasable Programmable ROM (EPROM), Electrically Erasable and Programmable ROM (EEPROM), flash memories, hard disks, optical disks, and magnetic tapes.
[0033] While not shown in the figure, automated processing system 100 can include a database (not shown) that can include a repository for storing data processed, received, and generated by one or more of modules 11-19. The database also comprises a pre-configured database for storing one or more phone numbers used for the mapping of the at least one phone number received by the automated processing system 100.
[0034] Interface 12 provides at least one connection to a first network, through which raw communications are initially received by automated processing system 100. The interface 12 can include one or more Application Programming Interfaces (APIs), which can interface with other servers and communication devices 90a-90n in FIG. 1 to programmatically import and obtain raw communications and normalize same to one or more file or data formats from which phone numbers and metadata to support a phone number authentication analysis can be obtained. In some embodiments, interface 12 comprises a user interface presented by a display connected to automated processing system 100, through which a user can manually enter a phone number, and where available, other metadata of analytic interest.
[0035] In some examples, the voice network interface 19 may also be configured to receive the at least one phone number as a communication from communication devices 90a-90n, from an automated abuse email processing system, or other platform for capturing raw communications (for example, SMS messages, or “honeypot” messages sent over a variety of formats) and providing same to automated processing system 100. The at least one source comprises an Application Programming Interface (API) or portal or an email. The at least one phone number may be received through the interface 12.
[0036] The pre-processing module 13 is configured to pre-process the at least one phone number. In some embodiments, pre-processing module 13 is configured to compare an obtained phone number of analytic interest with one or more phone numbers stored in a preconfigured database or the memory 10. In some embodiments, pre-processing module 13 is configured to perform optical character recognition (for example, to recover phone numbers provided as image data in a figure), perform pixel-level analysis (for example to determine if a logo or other graphic in a message has been altered, resized, or bears other indicia of malicious copying and reuse), or read encoded data (for example, QR or other machine-readable codes) in raw communications.
[0037] Pre-processing module 13 can be configured to extract, from a raw communication, metadata associated with the raw communication and one or more phone numbers of analytic interest in the raw communication. Automated processing system 100 can obtain a threat score that is generated by using one or more first Artificial Intelligence (AI) techniques and/or one or more Machine Learning (ML) models.
[0038] In some embodiments, metadata obtained by pre-processing module 13 can include details of a service provider associated with the obtained phone number, a geographic location (for example, an area code or country code) associated with the phone number, and a number of instances in which a phone number provided in a raw communication has been previously analyzed. The metadata obtained by pre-processing module 13 can also include a carrier name associated with the number, responsible organization information (respOrg) for a toll-free number, and information as to a type of line (mobile or fixed line) to which one or more numbers of analytic interest is assigned.
[0039] In some embodiments, the threat score comprises a score assigned to each of the at least one number by providing the metadata and the obtained number to a first AI/ML model. Features of the first AI/ML model can include one or more of: a number of times the phone number has been previously analyzed; numerical similarities (for example, a single number difference) between the received number and known fraudulent numbers; whether the phone number is on one or more whitelists of phone numbers; domain properties of a sender of the raw communication; a country code of the phone number; and textual properties of the raw communication.
[0040] After the pre-processing of the at least one phone number, automated processing system 100 can interrogate the network node (as used herein, the expression “network node” encompasses an electronic device, such as a phone or computer, which is associated with a phone number and configured to receive and place voice calls at the phone number) associated with the phone number by placing a call scheduled and dialed by call module 15 and sent out through voice network interface 19. The call is established through the call module 15. The processor 14 then identifies a call status of the open to call phone number through an identification module 16. Upon initiation of the call, call module 15 obtains call data. As used in this disclosure, the expression “call data” encompasses a recordation of the events and sounds presented to automated processing system 100 during the interrogation call. Examples of call data according to this disclosure include, without limitation, data as to whether the phone number was connected (i.e., was a dial tone heard); whether the call was answered; evidence of re-routing or redirection of the call; evidence of signal degradation associated with the call being answered over a VoIP connection or other potentially lossy pathway; a transcript of the call; voice data of the entity answering the call; and whether the call was answered by a human or a voice recording. Further examples of call data include evidence of the call reaching a busy number, a failed connection, a call disconnected, an out of service and/or range, a not answered number, a no response number.
[0041] The processor 14 then applies the call data to a second AI/ML model, which is a classifier model trained to output a determination, based on features of the call data, whether the dialed number is fraudulent, not fraudulent, or undetermined.
[0042] In certain embodiments, the first or second AI/ML models are provided by an authentication module 17, which can include one or more processors (for example, graphic processing units (GPUs) or neural processing units (NPUs)) architecturally optimized to implement AI/ML models.
[0043] In some examples, the authenticity status comprises one of a fraudulent phone number or an authentic phone number (may also be referred to as non-fraudulent phone number, legitimate phone number, or the like).
[0044] Thus, the automated processing system (100) filters out numbers which are not strong candidates for the processing and network overhead associated with making interrogation calls and analyzing same. In this way, embodiments according to the present disclosure are able to monitor and secure a voice network without imposing undue call burdens on the monitored network.
[0045] In a second aspect, FIG. 3 illustrates operations of an example method 300 for monitoring a voice network for malicious nodes and instances of phone numbers associated with hybrid telephone fraud.
[0046] In some embodiments, the automated processing system comprises the automated processing system (100) as discussed above in FIG. 1 and FIG. 2.
[0047] Referring to the illustrative example of FIG. 3, at operation 305, at a processing platform (for example, automated processing system 100 in FIG. 1), a raw communication is received, via a first network, wherein the raw communication contains a phone number of a voice network to which the automated processing platform is connected (for example, via voice network interface 19 in FIG. 2). As noted elsewhere, the raw communication received at operation 305 can be in one of a heterogenous plurality of communication formats, including, without limitation, image files, emails, text/SMS messages, encoded communication formats (for example, bar or QR codes), and audio files (for example, a voice message inviting a recipient to call a phone number).
[0048] At operation 310, the processing platform (for example, by using pre-processing module 13 in FIG. 2) pre-processes the raw communication to obtain the phone number contained in the raw communication. Depending on the format of the raw communication, operation 310 may comprise pulling metadata readily available in the raw communication (such as the phone number from which an SMS message was sent, or from which a call leaving a voice message was placed). In some embodiments, obtaining the phone number can involve machine-driven analysis (for example, applying optical character recognition to an image or voice to text recognition to an audio recording) to obtain the phone number contained in the raw communication.
[0049] At operation 315, the processing platform performs further pre-processing of the raw communication to extract additional metadata associated with one or more of the phone number and the raw communication. As noted elsewhere in this disclosure, the metadata obtained at operation 315 can include geographic information associated with the number, a line/device type associated with the number, and a number of instances in which the obtained number has been previously interrogated. The metadata obtained at operation 315 can further include a grammatical or pixel-level analysis of the text and/or images embedded in the raw communication.
[0050] At operation 320, the processing platform determines a threat score associated with the raw communication and the obtained phone number. The determination of the threat score can, in some embodiments, proceed programmatically according to rules-based logic which increments or decrements a baseline threat score based on the presence or absence of relevant features associated with the phone number. Additionally, or alternatively, the determination of the threat score may be performed, in whole or in part, by a first AI/ML model which is trained to associate a threat score value according to a predetermined set of features potentially present in either the raw communication, the phone number or metadata obtained from same. Features of the first AI/ML model can include one or more of: a number of times the phone number has been previously analyzed; whether the phone number is on one or more “known good lists” of phone numbers; domain properties of a sender of the raw communication; a country code of the phone number; and textual properties (for example, misspellings, improbable grammatical errors, flagged words) of the raw communication.
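The rules-based variant of operation 320, together with the threshold comparison that decides whether an interrogation call is placed, can be sketched as follows. This is an added example, not code from the disclosure; the baseline, weights, threshold, field names and the fictional phone numbers and domains are all assumptions chosen for illustration.

```python
import re
from dataclasses import dataclass

# Every constant below is an assumption made for this example.
BASELINE = 30                       # starting threat score
CALL_THRESHOLD = 60                 # call only when the score exceeds this
KNOWN_GOOD = {"+12025550100"}       # constructed "known good list"
KNOWN_FRAUD = {"+12025550147"}      # constructed list of confirmed fraud numbers
HOME_PREFIXES = ("+1",)             # country codes treated as expected
FLAGGED_WORDS = {"urgent", "suspended", "verify", "refund"}


@dataclass
class RawCommunication:
    phone: str                      # number as extracted from the message
    sender_domain: str              # domain the message was actually sent from
    claimed_domain: str             # domain of the brand the message claims to be
    text: str
    times_previously_analyzed: int = 0


def normalize(phone: str) -> str:
    """Reduce a written phone number to '+<digits>'."""
    digits = re.sub(r"\D", "", phone)
    if len(digits) == 10:           # assumption: bare 10-digit numbers are NANP
        digits = "1" + digits
    return "+" + digits


def one_digit_apart(a: str, b: str) -> bool:
    """True when two numbers of equal length differ in exactly one position."""
    return len(a) == len(b) and sum(x != y for x, y in zip(a, b)) == 1


def threat_score(comm: RawCommunication):
    """Return (score clamped to 0..100, list of human-readable reasons)."""
    number = normalize(comm.phone)
    score, reasons = BASELINE, []

    def adjust(delta: int, why: str) -> None:
        nonlocal score
        score += delta
        reasons.append(f"{delta:+d} {why}")

    if number in KNOWN_GOOD:
        adjust(-40, "on known-good list")
    if number in KNOWN_FRAUD or any(one_digit_apart(number, f) for f in KNOWN_FRAUD):
        adjust(+20, "matches or is one digit from a known fraudulent number")
    if comm.times_previously_analyzed:
        adjust(min(3 * comm.times_previously_analyzed, 9), "reported before")
    if comm.sender_domain.lower() != comm.claimed_domain.lower():
        adjust(+15, "sender domain differs from claimed brand domain")
    if not number.startswith(HOME_PREFIXES):
        adjust(+10, "unexpected country code")
    hits = FLAGGED_WORDS & set(re.findall(r"[a-z]+", comm.text.lower()))
    if hits:
        adjust(min(4 * len(hits), 12), "flagged words: " + ", ".join(sorted(hits)))
    return max(0, min(100, score)), reasons


def should_interrogate(score: int) -> bool:
    """Gate of operations 325/330: schedule a call only above the threshold."""
    return score > CALL_THRESHOLD


# Constructed sample inputs (fictional 555-01xx numbers and .example domains).
SUSPICIOUS = RawCommunication("(202) 555-0148", "examplepay-billing.example",
                              "examplepay.example",
                              "URGENT: your account is suspended. Call to verify.", 2)
KNOWN = RawCommunication("+1 202 555 0100", "examplepay.example",
                         "examplepay.example",
                         "Thanks for your order. Call us with questions.")
FOREIGN = RawCommunication("+44 20 7946 0018", "shop.example", "shop.example",
                           "Call our office to arrange delivery.")

if __name__ == "__main__":
    for comm in (SUSPICIOUS, KNOWN, FOREIGN):
        score, reasons = threat_score(comm)
        print(normalize(comm.phone), score, should_interrogate(score), reasons)
```

Returning the reasons alongside the score keeps each call decision auditable, which matches the disclosure's later emphasis on making the platform's outputs available for human review.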
[0051] At operation 325, the processing platform determines, based on the threat score determined at operation 320, whether to interrogate a network node (i.e., call the device connected to the network at the phone number) associated with the phone number. At operation 330, responsive to determining that the threat score exceeds a threshold value, the processing platform schedules a call to the network node at the obtained phone number. Given the possibility that the phone number may be non-fraudulent (i.e., just a person’s phone number) and, regardless of legitimacy, may be answered by a human being, scheduling the interrogation call at operation 325 can maximize the likelihood that the interrogation call is placed at a time when an innocent (i.e., non-fraudulent) recipient is not awoken, and if the number is associated with fraudulent misuse of a voice network, that one or more malicious actors will be awake to answer the phone.
[0052] At operation 335, the processing platform places a call (for example, by using call module 15 and voice network interface 19 in FIG. 2) to the phone number.
[0053] At operation 340, the processing platform obtains call data from the call to the phone number. As used in this disclosure, the expression “call data” comprises data evincing what happened when the processing platform attempted to call the telephone number. Examples of call data include, without limitation, session initiation protocol (SIP) / Q.850 status codes, call duration, whether the recipient terminated the call, whether an answer was received from the call to the phone number, whether the call was answered with a recorded message, whether the call was a voice mail message, whether the call contained audio cues associated with re-routing or redirection of the call; and identified words in a transcript of the call.
[0054] At operation 345, the processing platform determines, based on the call data, whether the phone number is associated with fraud or misuse of the voice network. In some embodiments, operation 345 can be performed programmatically, and according to a predefined workflow of rules, such as a set of rules which increment or decrement a fraud score based on the presence or absence of factors in the call data. Additionally, or alternatively, in some embodiments, operation 345 can be performed in whole or in part, by providing the call data to a second AI/ML model comprising a classifier trained to classify, based on features of the call data, whether the phone number is fraudulent, non-fraudulent or undetermined.
[0055] Depending on the classification of the phone number obtained at operation 345, the processing platform can perform any number of follow-on operations, including, without limitation, storing the number as non-fraudulent, or initiating action to deactivate the number based on the call data and determination obtained at operation 345.
[0056] FIGS. 4A and 4B illustrate operations of a method 400 for targeted interrogation of a voice network to test for network nodes and phone numbers associated with hybrid telephone fraud, according to various embodiments of this disclosure.
[0057] Referring to the illustrative example of FIG. 4A, at block 402, at least one phone number is received by the automated processing system 100. Ingestion at block 402 can, in some embodiments, also include passing received SMS/text messages through a “honeypot system” to screen for messages purporting to be from reputable actors (for example, well-known e-commerce and websites, online payment platforms and the like), instructing the recipient to call a number. The “honeypot system” can perform additional layers of contextual analysis on the received message to search for indicia of inauthenticity. In certain embodiments, the “honeypot system” implements one or more AI/ML models to perform the contextual analysis. The at least one phone number is received in connection with a raw communication. As shown in the figure, the at least one phone number can be received from one or more devices (for example, communication devices 90a-n in FIG. 1) configured to capture and forward raw communications for further analysis of phone numbers embedded therein. Examples of such ingestion sources include, without limitation, specifically configured APIs by which automated processing system 100 posts requests for new raw communications, or an email inbox, from which raw communications containing phone numbers for further analysis can be received.
[0058] At blocks 404a and 404b, when the at least one number is received from the source comprising customer abuse email, the at least one phone number is extracted from an image of the abuse email body, by, for example, using one or more of: OCR and text extraction.
[0059] At block 406, the automated processing system (100) checks if the at least one phone number is a known-good number by mapping the at least one number with one or more numbers stored in a preconfigured database.
[0060] At block 408, if the at least one phone number is the known-good number, the automated processing system 100 marks the number as legitimate which in turn marks the number as the closed number for which calling is not required. At block 454, the automated processing system 100 then marks the known-good number as not requiring any further present action, and can send an electronic notification to a user of the status of the number.
[0061] At block 410, if the at least one phone number is not the known-good number, the automated processing system 100 checks if the at least one phone number is a previously called number.
[0062] At block 412, if the at least one phone number is the previously called number then the automated processing system 100 marks the number as a duplicate number which in turn marks the number as the closed number for which calling is not required. At block 454, the automated processing system 100 then marks the closed phone as a completely processed number not requiring any human intervention.
[0063] At block 414, if the at least one phone number is not the previously called number or the duplicate number, then the automated processing system 100 marks the number as an open to call phone number and collects metadata about the open to call phone number. The metadata is used for generating the threat score. The threat score is then assigned to the open to call phone number.
[0064] At block 416, the automated processing system 100 determines a time of calling before initiating or establishing the call to the open to call phone number. The automated processing system 100 pauses the call until correct timing hours, such as during normal business hours.
[0065] At block 420, the automated processing system may initiate the call to the open to call phone number during the correct timing hours and determine if the call has been initiated successfully. In certain embodiments, the system can, based on contextual evidence in the metadata regarding the number suggesting that the number is associated with an SMS system, send a text or SMS message to the number.
[0066] At block 418b, if the number is identified as a busy number, the number may be marked to be requeued for second and further attempts at an interrogation call. After a threshold number of interrogation calls have been unsuccessfully placed, the number is marked as completely processed and no human intervention is required (for example, at block 454).
[0067] At block 422, the automated processing system 100 determines if the call is picked up or received by a user.
[0068] At block 424, if the call is not picked up or received, the automated processing system verifies if the call has already been attempted for a predefined number of times, for example, the predefined number of times may comprise 3 attempts.
[0069] At block 426, if a number of call attempts remains under a predetermined threshold, then the automated processing system requeues the number for calling after a predefined period of time. The predefined period of time may be customized in the automated processing system.
[0070] At block 426, for all the requeued phone numbers, blocks 416-426 may be repeated until a predefined number of attempts of calling are exhausted.
[0071] At block 424, the automated processing system verifies if a phone number has reached a predetermined limit for a number of call attempts, at which point, the automated processing system then identifies the call status as not answered or no response at block 436 and marks the phone number as a closed number.
[0072] At block 454, the automated processing system marks the phone number, which is now the closed number as not requiring any further present action (including, without limitation, human intervention).
[0073] At block 428, the automated processing system checks in case the number identified as busy (in block 418) contains any evidence. In case of no evidence, blocks 424 onwards are repeated for a predetermined number of times. In case of evidence, the block 452 is executed and call data, such as number, metadata, customer provided evidence, and a transcript are stored and an alert generated for further processing (for example, human review, or to be provided as data in support of initiating action against the network node associated with the phone number).
[0074] Now as shown in FIG. 4B, at block 430, if the call is picked up, or otherwise answered, the automated processing system then starts recording/capturing transcription and determines if the transcript is less than or equal to a threshold time (for example, 30 seconds). At block 432 and 434, the automated processing system maintains connection for 30 seconds while recording the transcription, plays recorded greeting if needed, and then simultaneously ends the transcription and terminates the call. The automated processing system stores the transcription to a database in the automated processing system.
[0075] At block 438, the automated processing system checks if the transcript indicates if the phone number to which the call was placed has been disconnected. At block 440, if the transcript indicates that the call was not received, the number is marked as disconnected and is marked as completely processed at block 454.
[0076] In some embodiments, the call status may be identified based on the presence or absence of a call transcript from the call. In some examples, the presence or absence of a call transcript can be determined based on a Session Initiation Protocol (SIP) response code of the call. In some examples, the response transcript can comprise at least one of: words or phrases confirming disconnection or retirement of the at least one phone number. For example, the presence of phrases such as: call disconnected, phone number no longer in service, the phone number not in service, the phone number cannot be reached, the call cannot be completed, sorry the phone number you requested cannot be dialed, check the number and dial again, are indicative of disconnected numbers, which, at least presently, cannot be associated with hybrid telephone fraud. According to the status of the call, the authentication module 17 determines the authenticity status of the at least one phone number. As discussed with reference to FIG. 3, the authenticity status can be a classification of the phone number as one of: fraudulent, not fraudulent, or undetermined. The processor 18 can process the at least one phone number according to the authenticity status.
[0077] At block 442, the automated processing system checks if the transcript indicates that the interrogation call went to voice mail. If no, then at block 444, automated processing system confirms if the call duration is a predetermined period of time, such as less than 3 seconds.
[0078] At block 446, the automated processing system determines whether the voice mail message suggests the incidence of fraud. If no fraud is indicated, then blocks 424 onwards are repeated. If yes, then at block 444, the automated processing system checks if the call duration is less than 3 seconds. If the call duration is more than 3 seconds, then the automated processing system determines at block 448 if the call transcript proves fraud and, if yes, at block 450 the automated processing system marks the number as fraud.
[0079] At block 450, the automated processing system checks if the transcript evinces any fraud, and at block 452, the automated processing system presents the number, the metadata, customer-provided evidence, and transcript to an analyst for human verification.
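The post-call workflow of FIGS. 4A and 4B (requeue on busy or unanswered calls up to the attempt limit, close on a disconnected-number announcement, route suspected fraud to an analyst) can be expressed as a small rule set over call data. This is an added example, not code from the disclosure; the disposition names, the treatment of any non-200 SIP final response as "not answered", the handling of calls shorter than 3 seconds as another retry, and the fraud cue phrases are assumptions.

```python
import re
from dataclasses import dataclass

MAX_ATTEMPTS = 3          # example attempt limit given in the text
SHORT_CALL_SECONDS = 3    # duration check of block 444

# Fragments shortened from the phrases the text lists for disconnected numbers,
# so that they also match longer carrier announcements.
DISCONNECT_FRAGMENTS = (
    "call disconnected", "no longer in service", "not in service",
    "cannot be reached", "cannot be completed", "cannot be dialed",
    "check the number and dial again",
)
# Constructed cue phrases; the text does not enumerate fraud indicators.
FRAUD_CUES = ("gift card", "remote access", "social security number")


@dataclass
class CallData:
    sip_status: int        # final SIP response code for this attempt
    duration_s: float      # seconds the call stayed connected
    transcript: str = ""   # empty when nothing was recorded


def _clean(text: str) -> str:
    """Lower-case and collapse punctuation so phrase matching is stable."""
    return re.sub(r"[^a-z0-9]+", " ", text.lower()).strip()


def _retry_or_close(attempts: int) -> str:
    """Blocks 424/426/436: requeue until the attempt limit, then close."""
    return "requeue" if attempts < MAX_ATTEMPTS else "closed_no_response"


def classify_call(call: CallData, attempts: int) -> str:
    """Map one attempt's call data to a disposition.

    attempts counts calls placed so far, including this one.
    """
    if call.sip_status != 200:                 # busy, timeout, unavailable, ...
        return _retry_or_close(attempts)
    words = _clean(call.transcript)
    if any(fragment in words for fragment in DISCONNECT_FRAGMENTS):
        return "closed_disconnected"           # blocks 438/440
    if call.duration_s < SHORT_CALL_SECONDS:   # too short to judge (assumption)
        return _retry_or_close(attempts)
    if any(cue in words for cue in FRAUD_CUES):
        return "fraud_analyst_review"          # blocks 448-452
    return _retry_or_close(attempts)           # answered, but no evidence


def interrogate(results):
    """Replay successive attempts for one number until a terminal disposition."""
    disposition, attempts = "requeue", 0
    for attempts, call in enumerate(results, start=1):
        disposition = classify_call(call, attempts)
        if disposition != "requeue":
            break
    return disposition, attempts


# Constructed call records for three numbers.
NEVER_ANSWERS = [CallData(486, 0.0), CallData(480, 0.0), CallData(408, 0.0)]
DISCONNECTED = [CallData(200, 12.0,
                "We're sorry. The number you have dialed is no longer in service.")]
SUSPECT = [CallData(200, 1.5),
           CallData(200, 28.0,
                    "Security department. To stop the charge, buy a gift card "
                    "and read me the code.")]

if __name__ == "__main__":
    for name, calls in (("never answers", NEVER_ANSWERS),
                        ("disconnected", DISCONNECTED), ("suspect", SUSPECT)):
        print(name, interrogate(calls))
```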
[0080] As skilled artisans will appreciate, having monitored and identified malicious nodes of a voice network, the identifications can be readily applied to initiate action to disable or block the network node(s) associated with misuse or hybrid telephone fraud. While it is possible to automatically take down phone numbers associated with malicious network nodes, from a technical and practical standpoint, it can often be advantageous to make the outputs of the processing platform human-visible either before or after initiating action against the number. As one example of the practical desirability of making the logic underlying a phone number takedown accessible, consider the case of a phone number associated with a mobile phone in a geographic location associated with a present emergency (for example, flooding or a hurricane). In such cases, ensuring that the device associated with the phone number can be used as a tool for calling for help is, at least temporarily, a significantly more pressing concern than vishing. In such cases, making the outputs of the processing platform available for human review presents clear practical advantages. As one example of the technical desirability of making the outputs of the analyses of phone numbers and raw communications human accessible, doing so increases model transparency and facilitates more accurate model training.
[0081] FIG. 5A illustrates an example of a human-readable user interface 500 reporting information of an analysis of an analyzed phone number. As shown in the figure, UI 500 includes fields reporting a customer name and email address of a customer associated with the phone number, a submission type of the phone numbers, a name of an organization who has provided the phone numbers for determining its authenticity status, attachments/screenshots indicating the authenticity or processing status of the open to call phone numbers. Further, UI 500 includes action buttons 501, wherein, even if action (or inaction, i.e., doing nothing) regarding the phone number can be initiated automatically, a user can review the data record associated with the number, and through action buttons 501, initiate action according to her best human judgment. In this way, situations such as a takedown of a phone number associated with a device in an emergency zone can be preempted.
[0082] FIG. 5B illustrates a further example of a user interface 520 for presenting the obtained metadata as well as an image of a raw communication 521 to facilitate human override of action initiated in response to a fraud determination, and to provide transparency into the operation of one or more AI/ML models collaborating on the analysis of raw communications and phone numbers obtained from same.
[0083] As noted elsewhere, in embodiments according to this disclosure, automatic processing system 100 can initiate action to shut down a phone number associated with fraudulent misuse of a node of a voice network. FIG. 5C illustrates a human-readable version of a data structure 540 (for example, a takedown request ticket) which can be transmitted from automatic processing system 100 to a control node (for example, a mobile management entity “MME” of a 4G or LTE wireless network) to disable an identified fraudulent node. FIG. 5D illustrates an example user interface 550 permitting a user of automated processing system 100 to send a communication to a customer indicating that a ticket has been created for the takedown of a phone number associated with hybrid telephone fraud. The shutdown ticket may be populated in the customer portal/API, and the Anti-Fraud Security Operations Center analyst may be allowed to track the disconnection progress of the phone number until the phone number has been disconnected and marked as a closed phone number.
[0084] Examples of methods according to this disclosure include methods comprising, responsive to determining that the phone number is associated with misuse of the voice network, initiating action to deactivate the phone number.
[0085] Examples of methods according to this disclosure include methods, wherein determining the threat score comprises providing the metadata to a first artificial intelligence/machine learning (“AI/ML”) model trained to output the threat score based on the metadata.
[0086] Examples of methods according to this disclosure include methods, wherein features of the first AI/ML model include one or more of: a number of times the phone number has been previously analyzed; whether the phone number is on one or more “known good lists” of phone numbers; domain properties of a sender of the raw communication; a country code of the phone number; and textual properties of the raw communication.
[0087] Examples of methods according to this disclosure include methods, wherein determining, based on the call data, whether the phone number is associated with misuse of the voice network comprises providing the call data to a second AI/ML classifier model trained to classify a phone number as fraudulent, not fraudulent, or undetermined.
[0088] Examples of methods according to this disclosure include methods, wherein features of the second AI/ML model include one or more of: whether an answer was received from calling to the phone number, whether the call was answered with a recorded message, whether the call was a voice mail message, whether the call contained audio cues associated with re-routing or redirection of the call; and identified words in a transcript of the call.
[0089] Examples of methods according to this disclosure include methods, wherein performing further pre-processing of the raw communication to obtain metadata associated with the raw communication and the obtained phone number comprises at least one of: performing optical character recognition (OCR) of the raw communication, identifying one or more internet protocol (IP) addresses associated with the raw communication, or performing pixel-level analysis of one or more images embedded in the raw communication.
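As an added illustration (not part of the disclosure and not the applicant's implementation), the following Python sketch walks the two-stage flow described above: a metadata-based threat score gates whether a number is called, call data is then classified as fraudulent, not fraudulent, or undetermined, and the result is routed to a takedown ticket or to an analyst. The rule-based scorers stand in for the first and second AI/ML models; every weight, threshold, keyword list, function name, the emergency-hold flag, and the sample message are assumptions.

```python
import re
from dataclasses import dataclass

# Illustrative stand-ins only: weights, thresholds, keyword lists and field
# names are assumptions, not values or models from the disclosure.
KNOWN_GOOD = {"+18005550100"}            # constructed "known good list"
URGENCY = ("urgent", "suspended", "immediately", "verify")
FRAUD_TERMS = ("gift card", "remote access", "refund department")
THREAT_THRESHOLD = 0.5                   # assumed cut-off for scheduling calls
MIN_CALL_SECONDS = 3                     # duration check described at block 444
PHONE_RE = re.compile(r"\+?\d[\d\s().-]{8,}\d")


def extract_numbers(raw_text):
    """Obtain candidate phone numbers from a raw communication (naive normaliser)."""
    found = []
    for match in PHONE_RE.finditer(raw_text):
        digits = re.sub(r"\D", "", match.group())
        if 10 <= len(digits) <= 15 and "+" + digits not in found:
            found.append("+" + digits)
    return found


def threat_score(number, raw_text, domain_age_days, times_analyzed,
                 expected_country_codes=("1",)):
    """Rule-based stand-in for the first model, one term per listed feature."""
    if number in KNOWN_GOOD:
        return 0.0
    text = raw_text.lower()
    score = 0.3 if domain_age_days < 30 else 0.0                     # sender domain
    score += 0.0 if number[1:].startswith(expected_country_codes) else 0.2
    score += 0.1 * min(3, sum(word in text for word in URGENCY))     # text
    score += 0.2 if times_analyzed > 0 else 0.0                      # seen before
    return round(min(score, 1.0), 2)


@dataclass
class CallData:
    answered: bool
    recorded_message: bool
    voicemail: bool
    redirect_cues: bool
    duration_s: float
    transcript: str = ""


def classify_call(call):
    """Stand-in for the second model: fraudulent / not_fraudulent / undetermined."""
    if not call.answered and not call.voicemail:
        return "undetermined"
    if call.duration_s < MIN_CALL_SECONDS:
        return "undetermined"            # assumption: too short to carry evidence
    hits = sum(term in call.transcript.lower() for term in FRAUD_TERMS)
    if hits and (call.recorded_message or call.redirect_cues or hits > 1):
        return "fraudulent"
    return "undetermined" if hits else "not_fraudulent"


def disposition(label, emergency_hold):
    """Route to an analyst whenever automation alone should not decide."""
    if label == "fraudulent":
        return "analyst_review" if emergency_hold else "open_takedown_ticket"
    return "analyst_review" if label == "undetermined" else "close"


def process(raw_text, domain_age_days, times_analyzed, calls, emergency_hold=False):
    """Two-stage flow; `calls` maps a number to call data from its scheduled calls."""
    results = {}
    for number in extract_numbers(raw_text):
        score = threat_score(number, raw_text, domain_age_days, times_analyzed)
        if score <= THREAT_THRESHOLD:
            results[number] = (score, "not_called", "close")
            continue
        labels = [classify_call(c) for c in calls.get(number, [])]
        label = ("fraudulent" if "fraudulent" in labels else
                 "undetermined" if "undetermined" in labels or not labels else
                 "not_fraudulent")
        results[number] = (score, label, disposition(label, emergency_hold))
    return results


# Constructed sample input (not from the patent).
SAMPLE = ("URGENT: your account is suspended. Call +1 (888) 555-0142 immediately "
          "or reach our main line at +1 800 555 0100.")
SAMPLE_CALLS = {"+18885550142": [
    CallData(True, True, False, False, 1.5),
    CallData(True, True, False, True, 42.0,
             "Refund department. Please buy a gift card and allow remote access."),
]}
```

Calling `process(SAMPLE, 5, 0, SAMPLE_CALLS)` closes the known-good number without a call and opens a takedown ticket for the other; passing `emergency_hold=True` sends the same fraudulent result to an analyst instead.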
[0090] Examples of apparatus according to this disclosure include apparatus, wherein the processor is further configured to, responsive to determining that the phone number is associated with misuse of the voice network, initiate action to deactivate the phone number.
[0091] Examples of apparatus according to this disclosure include apparatus, wherein the processor is configured to determine the threat score by providing the metadata to a first artificial intelligence/machine learning (“AI/ML”) model trained to output the threat score based on the metadata.
[0092] Examples of apparatus according to this disclosure include apparatus, wherein features of the first AI/ML model include one or more of: a number of times the phone number has been previously analyzed; whether the phone number is on one or more “known good lists” of phone numbers; domain properties of a sender of the raw communication; a country code of the phone number; and textual properties of the raw communication.
[0093] Examples of apparatus according to this disclosure include apparatus, wherein the processor is configured to determine, based on the call data, whether the phone number is associated with misuse of the voice network by providing the call data to a second AI/ML classifier model trained to classify a phone number as fraudulent, not fraudulent, or undetermined.
[0094] Examples of apparatus according to this disclosure include apparatus, wherein features of the second AI/ML model include one or more of: whether an answer was received from the call to the phone number, whether the call was answered with a recorded message, whether the call was a voice mail message, whether the call contained audio cues associated with re-routing or redirection of the call; and identified words in a transcript of the call.
[0095] Examples of apparatus according to this disclosure include apparatus, wherein the processor is further configured to perform further pre-processing of the raw communication to obtain metadata associated with the raw communication and the obtained phone number by performing at least one of: performing optical character recognition (OCR) of the raw communication, identifying one or more internet protocol (IP) addresses associated with the raw communication, or performing pixel-level analysis of one or more images embedded in the raw communication.
[0096] Examples of non-transitory computer-readable media according to various embodiments of this disclosure include non-transitory computer-readable media containing instructions, wherein, when executed by the processor, the instructions cause the apparatus to, responsive to determining that the phone number is associated with misuse of the voice network, initiate action to deactivate the phone number.
[0097] Examples of non-transitory computer-readable media according to various embodiments of this disclosure include non-transitory computer-readable media containing instructions, wherein, when executed by the processor, the instructions cause the apparatus to determine the threat score by providing the metadata to a first artificial intelligence/machine learning (“AI/ML”) model trained to output the threat score based on the metadata.
[0098] Examples of non-transitory computer-readable media according to various embodiments of this disclosure include non-transitory computer-readable media wherein features of the first AI/ML model include one or more of: a number of times the phone number has been previously analyzed; whether the phone number is on one or more “known good lists” of phone numbers; domain properties of a sender of the raw communication; a country code of the phone number; and textual properties of the raw communication.
[0099] Examples of non-transitory computer-readable media according to various embodiments of this disclosure include non-transitory computer-readable media containing instructions, wherein, when executed by the processor, the instructions cause the apparatus to determine, based on the call data, whether the phone number is associated with misuse of the voice network by providing the call data to a second AI/ML classifier model trained to classify a phone number as fraudulent, not fraudulent or undetermined.
[0100] Examples of non-transitory computer-readable media according to various embodiments of this disclosure include non-transitory computer-readable media, wherein features of the second AI/ML model include one or more of: whether an answer was received from the call to the phone number, whether the call was answered with a recorded message, whether the call was a voice mail message, whether the call contained audio cues associated with re-routing or redirection of the call; and identified words in a transcript of the call.
[0101] Any appropriate steps, methods, features, functions, or benefits disclosed herein may be performed through one or more functional units or modules of one or more virtual apparatuses. Each virtual apparatus may comprise a number of these functional units. These functional units may be implemented via processing circuitry, which can include one or more microprocessors or microcontrollers, as well as other digital hardware, which can include digital signal processors (DSPs), special-purpose digital logic, and the like. The processing circuitry may be configured to execute program code stored in memory, which can include one or several types of memory such as read-only memory (ROM), random-access memory (RAM), cache memory, flash memory devices, optical storage devices, etc. Program code stored in memory includes program instructions for executing one or more telecommunications and/or data communications protocols as well as instructions for carrying out one or more of the techniques described herein. In some implementations, the processing circuitry may be used to cause the respective functional unit to perform corresponding functions according to one or more embodiments of the present disclosure.
[0102] The foregoing description of the specific embodiments will so fully reveal the general nature of the embodiments herein that others can, by applying current knowledge, readily modify and/or adapt for various applications such specific embodiments without departing from the generic concept, and, therefore, such adaptations and modifications should and are intended to be comprehended within the meaning and range of equivalents of the disclosed embodiments. It is to be understood that the phraseology or terminology employed herein is for the purpose of description and not of limitation. Therefore, while the embodiments herein have been described in terms of preferred embodiments, those skilled in the art will recognize that the embodiments herein can be practiced with modification within the scope of the disclosure.
Claims
1. A method of network monitoring, comprising: at a processing platform (100) comprising a processor, a first communication interface (12) connected to one or more first networks (80), and a second communication interface (19) connected to a voice network, receiving, via the first network, a raw communication containing a phone number of the voice network; obtaining the phone number contained in the raw communication; obtaining metadata associated with one or more of the raw communication and the obtained phone number; determining, based on the metadata, a threat score associated with the obtained phone number; determining, based on the threat score, whether to interrogate a network node associated with the obtained phone number; responsive to determining that the threat score exceeds a threshold value, scheduling one or more calls to the obtained phone number; calling the obtained phone number according to the schedule; obtaining call data from a call to the obtained phone number; and determining, based on the call data, whether the phone number is associated with misuse of the voice network.
2. The method of claim 1, further comprising, responsive to determining that the phone number is associated with misuse of the voice network, initiating action to deactivate the phone number.
3. The method of claim 1, wherein determining the threat score comprises providing the metadata to a first artificial intelligence/machine learning (AI/ML) model trained to output the threat score based on the metadata.
4. The method of claim 3, wherein features of the first AI/ML model include one or more of: a number of times the phone number has been previously analyzed; whether the phone number is on one or more known good lists of phone numbers; numerical similarity between the phone number and known fraudulent numbers; domain properties of a sender of the raw communication; a country code of the phone number; and textual properties of the raw communication.
5. The method of claim 1, wherein determining, based on the call data, whether the phone number is associated with misuse of the voice network comprises providing the call data to a second AI/ML classifier model trained to classify a phone number as fraudulent, not fraudulent, or undetermined.
6. The method of claim 5, wherein features of the second AI/ML model include one or more of: whether an answer was received from calling to the phone number, whether the call was answered with a recorded message, whether the call was a voice mail message, whether the call contained audio cues associated with re-routing or redirection of the call, and identified words in a transcript of the call.
7. The method of claim 1, further comprising pre-processing of the raw communication to obtain the metadata associated with the raw communication, wherein performing further pre-processing of the raw communication to obtain metadata associated with the raw communication and the obtained phone number comprises at least one of: performing optical character recognition (OCR) of the raw communication, identifying one or more internet protocol (IP) addresses associated with the raw communication, or performing pixel-level analysis of one or more images embedded in the raw communication.
8. An apparatus (100), comprising: a first communication interface (12) connected to one or more first networks (80); a second communication interface (19) connected to a voice network; and a processor (14), wherein the processor is configured to: receive, via the first network, a raw communication containing a phone number of the voice network; obtain the phone number contained in the raw communication; obtain metadata associated with one or more of the raw communication and the obtained phone number; determine, based on the metadata, a threat score associated with the obtained phone number; determine, based on the threat score, whether to interrogate a network node associated with the obtained phone number; responsive to determining that the threat score exceeds a threshold value, schedule a call to the obtained phone number; call the obtained phone number according to the schedule; obtain call data from a call to the obtained phone number; and determine, based on the call data, whether the phone number is associated with misuse of the voice network.
9. The apparatus of claim 8, wherein the processor is further configured to, responsive to determining that the phone number is associated with misuse of the voice network, initiate action to deactivate the phone number.
10. The apparatus of claim 8, wherein the processor is configured to determine the threat score by providing metadata associated with one or more of the obtained phone number or the raw communication to a first artificial intelligence/machine learning (AI/ML) model trained to output the threat score based on the metadata.
11. The apparatus of claim 10, wherein features of the first AI/ML model include one or more of: a number of times the phone number has been previously analyzed; whether the phone number is on one or more known good lists of phone numbers; domain properties of a sender of the raw communication; a country code of the phone number; and textual properties of the raw communication.
12. The apparatus of claim 8, wherein the processor is configured to determine, based on the call data, whether the phone number is associated with misuse of the voice network by providing the call data to a second AI/ML classifier model trained to classify a phone number as fraudulent, not fraudulent, or undetermined.
13. The apparatus of claim 12, wherein features of the second AI/ML model include one or more of: whether an answer was received from the call to the phone number, whether the call was answered with a recorded message, whether the call was a voice mail message, whether the call contained audio cues associated with re-routing or redirection of the call, and identified words in a transcript of the call.
14. The apparatus of claim 8, wherein the processor is further configured to perform preprocessing of the raw communication to obtain metadata associated with the raw communication, and wherein the further pre-processing comprises: performing at least one of: performing optical character recognition (OCR) of the raw communication; identifying one or more internet protocol (IP) addresses associated with the raw communication; or performing pixel-level analysis of one or more images embedded in the raw communication.
15. A non-transitory computer-readable medium comprising instructions, which when executed by a processor (14) of an apparatus (100) comprising a first communication interface (12) connected to one or more first networks (80) and a second communication interface (19) connected to a voice network, causes the apparatus to: receive, via the first network, a raw communication containing a phone number of the voice network; obtain the phone number contained in the raw communication; obtain metadata associated with at least one of the raw communication and the obtained phone number; determine, based on the metadata, a threat score associated with the obtained phone number; determine, based on the threat score, whether to interrogate a network node associated with the obtained phone number; responsive to determining that the threat score exceeds a threshold value, schedule a call to the obtained phone number; call the obtained phone number according to the schedule; obtain call data from a call to the obtained phone number; and determine, based on the call data, whether the phone number is associated with misuse of the voice network.
16. The non-transitory computer-readable medium of Claim 15, wherein, when executed by the processor, the instructions cause the apparatus to, responsive to determining that the phone number is associated with misuse of the voice network, initiate action to deactivate the phone number.
17. The non-transitory computer-readable medium of Claim 15, wherein, when executed by the processor, the instructions cause the apparatus to determine the threat score by providing the metadata to a first artificial intelligence/machine learning (AI/ML) model trained to output the threat score based on the metadata.
18. The non-transitory computer-readable medium of Claim 17, wherein features of the first AI/ML model include one or more of: a number of times the phone number has been previously analyzed, whether the phone number is on one or more known good lists of phone numbers; domain properties of a sender of the raw communication, a country code of the phone number, and textual properties of the raw communication.
19. The non-transitory computer-readable medium of Claim 15, wherein, when executed by the processor, the instructions cause the apparatus to determine, based on the call data, whether the phone number is associated with misuse of the voice network by providing the call data to a second AI/ML classifier model trained to classify a phone number as fraudulent, not fraudulent, or undetermined.
20. The non-transitory computer-readable medium of Claim 19, wherein features of the second AI/ML model include one or more of: whether an answer was received from the call to the phone number, whether the call was answered with a recorded message, whether the call was a voice mail message, whether the call contained audio cues associated with re-routing or redirection of the call, and identified words in a transcript of the call.
Applications Claiming Priority (2)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| US202363593042P | 2023-10-25 | 2023-10-25 | |
| US63/593,042 | 2023-10-25 |
Publications (1)
| Publication Number | Publication Date |
|---|---|
| WO2025090969A1 (en) | 2025-05-01 |
Family
ID=95516487
Family Applications (1)
| Application Number | Title | Priority Date | Filing Date |
|---|---|---|---|
| PCT/US2024/053122, Pending, WO2025090969A1 (en) | Method and system for automated processing and resolution of phone numbers | 2023-10-25 | 2024-10-25 |
Country Status (1)
| Country | Link |
|---|---|
| WO (1) | WO2025090969A1 (en) |
Legal Events
| Date | Code | Title | Description |
|---|---|---|---|
| | 121 | Ep: the epo has been informed by wipo that ep was designated in this application | Ref document number: 24883464; Country of ref document: EP; Kind code of ref document: A1 |