Conference PaperPDF Available

Fraud Detection for Voice over IP Services on Next-Generation Networks

Authors:

Abstract and Figures

The deployment of Next-Generation Networks (NGN) is a challenge that requires integrating heterogeneous services into a global system of All-IP telecommunications. These networks carry voice, data, and multimedia traffic over the Internet, providing users with the information they want in any format, amount, device, place or moment. Still, there are certain issues, such as the emerging security risks or the billing paradigms of the services offered, which demand deeper research in order to guarantee the stability and the revenue of such systems. Against this background, we analyse the security requirements of NGN and introduce a fraud management system based on misuse detection for Voice over IP services. Specifically, we address a fraud detection framework consisting of a rule engine built over a knowledge base. We detail the architecture of our model and describe a case study illustrating a possible fraud and how our system detects it, proving in this way, its feasibility in this task.
Content may be subject to copyright.
Fraud Detection for Voice over IP Services on
Next-Generation Networks
Igor Ruiz-Agundez, Yoseba K. Penya, and Pablo Garcia Bringas
University of Deusto
Bilbao, Basque Country
{igor.ira,yoseba.penya, pablo.garcia.bringas}@deusto.es
http://www.deusto.es
Abstract. The deployment of Next-Generation Networks (NGN) is a challenge
that requires integrating heterogeneous services into a global system of All-IP
telecommunications. These networks carry voice, data, and multimedia traffic
over the Internet, providing users with the information they want in any format,
amount, device, place or moment. Still, there are certain issues, such as the emerg-
ing security risks or the billing paradigms of the services offered, which demand
deeper research in order to guarantee the stability and the revenue of such sys-
tems. Against this background, we analyse the security requirements of NGN and
introduce a fraud management system based on misuse detection for Voice over
IP services. Specifically, we address a fraud detection framework consisting of a
rule engine built over a knowledge base. We detail the architecture of our model
and describe a case study illustrating a possible fraud and how our system detects
it, proving in this way, its feasibility in this task.
Key words: Next-Generation Networks, Fraud Detection, Voice over IP ser-
vices, Security requirements
1 Introduction
Next-Generation Networks (NGN) do not belong to the past, and neither solely do they
to the far future. This special kind of net has been evolving over the last years, paral-
lel to the evolution the Internet, and, nowadays, they are one of the backbones of the
so-called Future Internet. Therefore, telecommunication network operators are chal-
lenged to shift their current networks to NGN by creating an integrated global system
that supplies heterogeneous services across network providers, network backbones, and
geographical regions [1].
More accurately, NGN is a broad term describing the telecommunication core and
access networks that will be deployed in the next years. They have been progressing to
carry voice, data, and multimedia traffic over common transmission links and routers
using a packet-based transport method [2]. Their aim is to provide users with the infor-
mation they want, in any format, device, place or moment and at any quantity [3]. NGN
are characterised by the following main features:
Packet-based transfer of all the data
Separation of control functions
Decoupling and aggregation of services providing technologically-independent open
interfaces
Broadband capabilities with quality of service (QoS) and transparency
User mobility and diverse identification schemes with an unified service perception
Some of the services enabled by the apparition of these networks, such as voice
telephony or call centres, were already present within traditional telecommunication
networks but not in an integrated way, unifying simultaneously all of them. More-
over, NGN also facilitate novel services such as multimedia, virtual private networks,
e-commerce, distributed virtual reality, and data connectivity [4]. Unfortunately, the
charging models and specifications are not yet completely defined.
In this way, the deployment of NGNs poses a new scenario of risks and security
problems. Together with classical security risks (e.g. denial of service (DoS), sniffing,
spoofing or spam), which are already adapted to NGN’s special conditions, brand new
threats will emerge. Standing out in this latter group, fraud is considered to be the most
harmful.
Fraud from employees, consumers, third-party, computer crime, insurance or finan-
cial fraud increases every year [5]. More accurately, in our target area, telecommunica-
tions, the increment reached the 52% from 2003 to 2005 [6].
In order to face these risks, Fraud Management Systems (FMS) detect and analyse
fraud and suggest counteractions. Traditional FMS, however, are service specific and
depend on the underlying network infrastructure. As NGN introduce new services and
infrastructures, FMS need to evolve too. They help in the identification of fraud signals
using an automate procedure of deceit detection. The also raise alerts and countermea-
sures based on pre-defined rules.
The FMS collect data from multiple formats and sources, adapting the data to be
treated by the system by filtering and assembling processes. When data is normalised,
the detection step starts generating alerts on suspicious cases. The detection can be
performed by different techniques of Artificial Intelligence.
Against this background, the contribution of this paper is three-fold: First, we present
the security requirements of NGN and detail a taxonomy of fraud on telecommunica-
tions. Second, we propose an approach that uses a standard rule engine to support fraud
detection based on the knowledge provided by an expert on the service to be protected.
Last but not least, we describe a case experiment that tests our FMS’s ability against
fraud attempts and we discuss the obtained results.
The remainder of the paper is structured as follows. Section 2 introduces the re-
lated work on security requirements on NGN and defines different approaches to face
fraud using a Fraud Management System. Section 3 describes the proposed system ar-
chitecture and its specific requirements. It details a fraud management system based on
misuse detection for Voice over IP services of the NGN. Section 4 presents a case study
for the evaluation of the system architecture. Finally, Section 5 concludes and draws the
avenues of future work.
2 Related work
Technology and security advance in parallel; this reason complicates foreseeing future
risk scenarios and, consequently, the ways to face them. As the technology evolves, so
do the security needs. Many taxonomies [7] [8] have tried to classify these threats with
different terminology. In this way, we consider that security risks can be catalogued by
their effect on the system or the client.
For instance, the system may suffer a service continuity interruption, ranging from
attacks as Denial of Service (DoS) or physical attacks to the network or service provider
hardware. Moreover, there may be abuses based on logical attacks such as insufficient
validation of the services or abuses of functionality (using a service for not expected
task). This latter thread is related with information disclosures due to predictable re-
source location, information leakage, or directory indexing.
Furthermore, intrusions may compromise network systems by executing unautho-
rised commands, taking advantage from architectural or design vulnerabilities. Privacy
of the clients or the stored data may be exposed too by several techniques like sniffing,
spoofing, spamming or phising. Access to services can be bypassed with authentica-
tion attacks (e.g. brute force or password inference) or with authorization attacks (e.g.
credential prediction or insufficient authorization schemes).
Note that we focus here on the possible risks that fraud can cause to service providers,
customers and stakeholders. Fraud is defined as “a deliberate act of obtaining access
to services and resources by false pretences and with no intention of paying” [9]. Other
authors [10] define fraud as the intentional act of giving a false statement about an
important fact. Whenever such false statement is believed by the victim (a person or
an organization), the victim relies and acts upon the untrue representation and, finally,
it suffers loss of money or property as a result of relying and acting upon this untrue
representation. There are also definitions of fraud [11] that provide formal analyses of
notions of fraud using modal operators.
2.1 Approaches to face fraud
Dealing with fraud is a very complex task mainly due to its transversal nature to the
operators structure [12]. Traditional fraud techniques are evolving and adapting to the
new network infrastructure. We have to consider them because basic ideas remain des-
pite the underlying technology. Moreover, we have to focus on the specific risks around
the NGN. Although there is not a standard procedure for classifying the different types
of fraud on NGN there have been some attempts [13] to do it.
Deception in telecommunications include subscription frauds, where the cheater ac-
cesses the services without being subscribed. Users can also suffer line or identify theft,
being charged for services used by others. Telecommunication operators can oversee
users that exceed their download quote and rate performing illegal service redistribu-
tion, sometimes for an economic profit. Finally, cloning or unauthorised access to ser-
vices may lead to compromising privacy.
Anyway, the most common types of fraud on telecommunications are subscription
fraud and identity theft [14]. After those, voice mail fraud and calling card fraud pre-
vail. The analysis of the different fraud techniques points out that the tendency is a
convergence of the fraud, which increases the complexity of its detection [2].
Fraud Management Systems have proved to be a suitable tool to detect fraud in
different networks with diverse techniques: self-organising maps (SOM) [2], general
data mining [15], rule-based systems [16], profiling through Artificial Intelligence tech-
niques like neural networks or decision trees [12], based on the hierarchical regime-
switching models [17], Bayesian networks [18], fuzzy rules [19] or other data mining
techniques [20]. There also exist works on how to discover new rules to detect fraud in
telecommunications [21] and on the privacy concerns of applying detection techniques
to users data [22]. Nevertheless, to our knowledge, there is none that works on fraud
detection for VoIP services in NGN with use cases.
3 Misuse detection for Fraud Management Systems
Misuse detection in the scope of fraud prevention protects a system from already known
fraudulent techniques or attacks [23]. An expert defines the already known vulnerabili-
ties and takes measures to cover these eventualities. Other techniques, based on statisti-
cal measures of user behaviour, need to train the systems over a length of time to reach
to a certain success threshold.
On the contrary, one of the main advantages of misuse detection is that it does not
need any data processing training [24]. On the other hand, the main drawback of this
approach is that the expert needs to define the vulnerabilities that the system can manage
in advance. Nevertheless, the expert can look for known patterns of abuse that might
occur by increasing the main sensibility of the system. These patterns depend on the
problem environment and the knowledge of the expert is crucial.
3.1 The system architecture
Figure 1 shows the general architecture of the Fraud Management System. The service
consumer uses the service elements (e.g. IPTV, VoIP, WLAN, etc.), which generate
vendor specific billing data. If needed, this data is transcoded into Internet Protocol
Detail Record (IPDR) format and captured by the recorder. When required, these IPDR
entries can be stored or transmitted to the business support system.
The FMS is hosted in this business support system and receives data in IPDR format
for its analysis, starting in this way the fraud detection process. Each IPDR is sent to
the rule engine that contains the expert knowledge on fraud in order to detect possible
violations using misuse detection techniques. If the FMS suspects a possible fraud, it
reports the incident to the response module. As seen in section 3.3, this final module can
trigger a fraud notification alarm to the system operator or it can block all the present
and future connections of a suspicious client.
3.2 The Internet Protocol Detail Record
The Internet Protocol Detail Record (IPDR) intends to be the standard protocol for
exchanging service usage and for managing control information between IP networks,
Fig. 1. Schematic architecture of the system
hosting elements and operations or business support systems. It provides a standardised
framework that enables Next-Generation Network providers to operate efficiently [25].
This standard is defined by the Internet Protocol Detail Record Organization and
the TeleManagement Forum. It is designed to enable cost-effective usage measurement
and exchange for next-generation services across the entire value chain.
Moreover, the IPDR covers the billing requirements of NGN providing converged
billing, avoiding provider dependence and reducing the required interfaces. Real-time
billing is allowed, and therefore charging is performed faster. Finally, it offers great
flexibility to represent existing and future services with scalability possibilities.
As fraud detection is closely related to billing, IPDR is also used for fraud detection
[26]. Since it is the most adequate format to represent the obtained data, it is the base
of the fraud detection analysis.
IPDRs are mainly generated at the end of each call or connection resulting in ei-
ther a normal or abnormal completion of the call. Alternatively, they may be generated
during the progress of call or connection. This generation is triggered by events at the
beginning of a call, the answer of a call, during long calls, etc.
According to its service specifications [25], IPDR is capable of collecting usage
characteristics of any IP-based network or application service. All service specifications
have five common attributes in their records. The first one describes the person in charge
of the usage of a service, defining user identification. The second attribute tells when
a certain service is used. The third attribute defines what service is being measured
(e.g. quality of service, state information, event codes, connection state, etc.). The next
attribute contents information to allow traceability by providing context, source, and
destination, defining in this way the place the service is consumed. The final attribute
informs about the reason that triggered the event.
Even though IPDR specifies services for Internet Protocol Television (IPTV), Public
Wireless LAN (WLAN) access, Streaming Media (SM), Voice over IP (VoIP) or any
other service specified by the service designer, in this paper we focus on the service
specification of VoIP.
Specifically, a VoIP call is started by a calling party or initiator and received by one
or more call parties or recipients. The participating elements for the call include service
elements, gatekeepers, and endpoints or users.
The VoIP IPDRs contain the identifiers of all call participants, the time the call was
started and ended, the call progress state, the final call completion codes for each call,
and the call payment type. Section 4 presents real examples of VoIP IPDR.
3.3 Task environment of the system
We will define the task environment as shown in Table 1, which outlines the challenge
we are facing: defining the Performance, Environment, Actuator and Sensors (also
known as PEAS) [27]. First, we specify the performance measure of the system. We
will consider that the actions performed by the system will be resolved with efficacy
if we are able to detect fraudulent data records in our system. In the case of the effi-
ciency, we will consider that the problem is resolved efficiently if we are able to detect
a fraud in our system with the maximum certainty, with the minimum possible compu-
tational cost, and with the minimum response time. However, maximum certain ability
and minimum possible cost may be goals in conflict, so there are trade-offs involved.
Second, we will study our knowledge about the environment. We know that our
environment is formed by the specification of the IPDR. The previous Section 3.2 gives
a detailed description of this data records and in Section 4.2 and Section 4.3 we present
two separate examples of this records. This data is encoded in XML format and it is
transferred to an environment class created with an object-oriented representation. We
also know the effects that the possible actions may have in the system. So far, the FMS
can send a fraud notification alarm to the system operator or block all the present and
future connections of a suspicious client.
Third, we will study FMS actuators, which send a notification alarm and block
connections. Sensors, on the contrary, are the information that the system receives from
the out site. In our case, the inputs are the set of IPDRs that the system collects from the
billing information. Section 4.1 describes how the dataset of the performed experiments
is obtained.
Table 1. PEAS description of the task environment for the Fraud Management System based on
Misuse Detection for Next-Generation Networks
Agent Type Fraud Management System
Performance Measure
Fraud detection
Certainty
Computational cost
Response time
Environment Specification of the IPDR
Actuators Notification alarm
Blocking connections
Sensors IPDR collector
3.4 The structure of the system
So far, we have described the FMS from the point of view of its behaviour. Now, we
will address the design of the program that implements the system function by mapping
perceptions into actions. We also know that our FMS works on a computing device or
architecture. This architecture provides perceptions from the sensors to run an appro-
priate process that chooses which actuator to run from the available ones.
The skeleton of our system is based on agent programs, also known as autonomous
software programs [28], which uses the current perceptions as input from the sensors
and returns an action to the actuators. This agent selects an action to perform on the
basis of the current perception, the current IPDR. We can catalogue the agent as a
simple reflex agent because its decision making is based only on the current input data
[27].
Listing 1.1 shows the program of the agent. Even though the proposed agent is very
simple, it works according to the performance measure, because the decision making is
made only on the basis of the current perception (the environment is fully observable).
1// KB, a knowledge base. Based on rules, a set of conditionaction rules t,
2// a counter, initially 0, indicating time
3// @param p,
4// @return Action
5public Action KBAGENT(Percept percept) {
6TELL(KB, makePerceptSentence(percept,t));
7action = ASK(KB, makeActionQuery(t));
8TELL(KB, makeActionSentence(action,t));
9t=t+1;
10 return Action;
11 }
Listing 1.1. Knowledge-based FMS
3.5 Rule engine
Our system uses an existing framework, Drools, that provides a full set of tools to
define our knowledge base. Drools is a rule engine that uses a rule-based approach to
implement an expert system and can be more accurately classified as a production rule
system.
The term rule engine is sometimes considered ambiguous [29] because any system
using rules, in any form, can be seen as a rule engine. Nevertheless, we understand
it as a full production rule system, this is, a Turing-complete system that represents
knowledge with propositional and first-order logic (which is sufficiently expressive to
represent a good deal of common-sense knowledge [27]). The core of the system is an
inference engine that processes rules and facts by matching them with production rules
in order to infer conclusions.
The production rules include a condition clause and an actions clause that will trig-
ger when the conditions clause happens to be true. In our experiment, the person in
charge of defining the rules is an expert in the domain of the security in telecommuni-
cations. Therefore, these rules are defined with previous knowledge and are limited to
the scope of the misuse detection in this specific domain. Anomaly detection, or other
boundary cases, is not under the scope of this experiment.
The rules are stored in a production memory and the facts, or input data, in a work-
ing memory. Facts are asserted in the working memory, where they may then be modi-
fied or retracted. If the system has a large number of rules, many rules may happen to
be true. In this case, an agenda manages the execution order of the rules in conflict.
4 Case study
In this section, we describe the experiment performed with the FMS. Section 4.1 presents
the design of this case study. Section 4.2 details a legitimate use case example. Section
4.3 describes a fraudulent use case example. Finally, section 4.4 discusses the results of
the experiments.
4.1 Design
The purpose of this experiment is the definition of a case study based methodology
[30] which can be applied to any fraudulent scenario. We have considered that there are
prefixed use case scenarios on the use of the VoIP services. The input data to the FMS
follows the schema of the service specifications [31].
VoIP service sessions have two or more participants over a partial or complete
Internet-based connection. The session or call is started by one of the participants (call
initiator) and it is received by one or more participants (call recipients). The call is man-
aged by different elements, such as services, gatekeepers and endpoints (or end users).
These sessions can be IP to IP, Public switched Telephone Network (PSTN) to IP, IP
to PSTN, cellular to IP or any other combination. In each use case the resulting IPDR
is different but maintains a fixed structure. Based on this structure, we have inferred
general use cases for each scenario.
Each structure has the same flow and the same IPDR attributes. In our experiments,
we are only interested in the IPDRs; hence, we have studied the attributes involved in
each use case. These attributes have a wide range of possible valid values and their
presence is known beforehand.
In this way, based on the structure of each use case, we study the attributes and their
possible values in order to simulate the content of the IPDR and obtain valid data for
our experiment.
4.2 Legitimate use
One of the use cases we have considered in our experiment is the legitimate use of the
VoIP services. In particular, we have performed a use case in which the call initiator has
a cellular phone and the call recipient has an IP telephone [31]. The basic flow of this
example is similar to the one presented in Section 4.3.
Listing 1.2 shows an example of the IPDR for this use case. In our scope of fraud
detection, the main attributes of this record are the destination identification, the unique
call identification, the personal identification number, the start access time and end time,
the call duration, the average latency and the incoming codec.
1<IPDR>
2<IPDRCreationTime>20090707T13:21:08.031+02:00</IPDRCreationTime>
3<seqNum>1</seqNum>
4<subscriberID>Vendor Phone1027365692</subscriberID>
5<hostName>author.gateway.123</hostName>
6<ipAddress>192.168.1.197</ipAddress>
7<startTime>20090707T18:29:35.448+02:00</startTime>
8<endTime>20090707T18:51:31.448+02:00</endTime>
9<timeZoneOffset>60</timeZoneOffset>
10 <callCompletionCode>CC</callCompletionCode>
11 <originalDestinationId>5550660023</originalDestinationId>
12 <uniqueCallId>52s70uj515072954xspx7b86x2a23q66</uniqueCallId>
13 <imsiIngress>445594063997989</imsiIngress>
14 <esnIngress>49916516</esnIngress>
15 <disconnectReason>NormalCallClearing</disconnectReason>
16 <ani>5554670100</ani>
17 <pin>6333276</pin>
18 <serviceConsumerType>EU</serviceConsumerType>
19 <startAccessTime>20090707T18:29:14.448+02:00</startAccessTime>
20 <callDuration>1337000</callDuration>
21 <averagePacketLatency>105</averagePacketLatency>
22 <type>V</type>
23 <feature>H</feature>
24 <incomingCodec>G726</incomingCodec>
25 <ipAddressEgressDevice>192.168.1.205</ipAddressEgressDevice>
26 <portNumber>4724</portNumber>
27 <homeLocationIdEgress>MT43AGR5</homeLocationIdEgress>
28 </IPDR>
Listing 1.2. Cellular to IP use case IPDR
4.3 Fraudulent use
In order to test our FMS against illegitimate use we implemented one of the classical
telephone service fraud, inspired on the blue box phreaking tool.
This tool is an electronic device that simulates a telephone operator’s dialling con-
sole [32]. Originally it was used to replicate telephone tones to switch log-distance calls
and to route the user’s call bypassing the normal switching mechanism. The main use
of the blue box was to make free telephone calls. These systems are nowadays based on
digital technologies and they do not use in-band signalling, which the blue box origi-
nally emulated. Nevertheless, for the purpose of our experiment, we have assumed that
the essential idea of this tolls is still working in spite of the underlying technology has
changed.
Based on this box principle, we address the following scenario. There is a client
that is going to commit fraud in a voice service call. We suppose that he makes a phone
call and does not pay for it, or at least he pays less time of consumption than the real
amount he really has consumed.
Figure 2 illustrates the basic flow of this example. It starts with the call of the client
to the local access number for the gateway (1). The gateway queries a network element
that verifies the subscribers account (2-3). The user is asked to enter a PIN and a desti-
nation phone number (4-5). After that, the gateway consults the gatekeeper on ways to
route the call and establishes a connection between the terminal and gateway (6). The
gateway places the call to the PSTN by out-pulsing the destination number (7). At this
point, the client tries to commit fraud by deceiving the gateway and by making it think
that he hangs down (8). However, the connection is still alive and the fraudulent user is
able to maintain a conversation with the destination number without being charged or
being charged less than what it should.
Fig. 2. Fraudulent use case
Listing 1.3 shows the IPDR of this use case. The main attributes that indicate fraud
in this record are the start access time, the end time, and the call duration. The goal
of this fraud is to falsify the ending time of the call, making it briefer than it real was.
Nevertheless, and in this use case, the call duration will represent the real call duration
value. If we use these three variables and analyse non correspondences between them,
we are able to detect fraudulent use cases.
1<IPDR>
2<IPDRCreationTime>20090707T13:21:08.078+02:00</IPDRCreationTime>
3<seqNum>3</seqNum>
4<subscriberID>Vendor Phone573460227</subscriberID>
5<hostName>author.gateway.123</hostName>
6<ipAddress>192.168.1.210</ipAddress>
7<startTime>20090707T20:42:36.053+02:00</startTime>
8<endTime>20090707T20:56:42.053+02:00</endTime>
9<timeZoneOffset>60</timeZoneOffset>
10 <callCompletionCode>CC</callCompletionCode>
11 <originalDestinationId>5556809802</originalDestinationId>
12 <uniqueCallId>12l93my315463231rmoi2h61q7z54l47</uniqueCallId>
13 <imsiIngress>861425764477418</imsiIngress>
14 <esnIngress>59148223</esnIngress>
15 <disconnectReason>NormalCallClearing</disconnectReason>
16 <ani>5559065415</ani>
17 <pin>2315855</pin>
18 <serviceConsumerType>EU</serviceConsumerType>
19 <startAccessTime>20090707T20:41:40.053+02:00</startAccessTime>
20 <callDuration>66666666</callDuration>
21 <averagePacketLatency>80</averagePacketLatency>
22 <type>V</type>
23 <feature>H</feature>
24 <incomingCodec>G711Alaw</incomingCodec>
25 <ipAddressEgressDevice>192.168.1.244</ipAddressEgressDevice>
26 <portNumber>15745</portNumber>
27 <homeLocationIdEgress>OS38SJT3</homeLocationIdEgress>
28 </IPDR>
Listing 1.3. Fraudulent use case IPDR
Listing 1.4 shows a rule to detect this fraudulent use of a phone service. It is based
on the incoherence of the call duration time. For this case, it checks that the difference
between the start access time and the ending time have the same value as the call dura-
tion attribute. If the values are not equal the system detects a fraudulent use of the voice
service.
Other rules could be applied to this IPDR, looking for other fraud evidences. The at-
tributes subscriberID, callCompletionCode, incomingCodec or any other could be com-
bined in many different ways creating new heuristic rules to feed the FMS.
1rule ”Incoherent CallDuration time”
2when
3// Variable declaration
4$ipdrVoIPType : EnlargeIPDRVoIPType( )
5// Get the call duration and check that does NOT equals to endTimestartAccessTime
6eval(!($ipdrVoIPType.getCallDuration().equals($ipdrVoIPType.checkCallDuration())))
7then
8System.err.print( ”Alert! Incoherent CallDuration time for the IPDR with ” );
9System.err.print( ”seqNum ” + $ipdrVoIPType.getSeqNum() + ” and uniqueCallId ” +
$ipdrVoIPType.getUniqueCallId() );
10 end
Listing 1.4. Incoherent call duration time detection rule
4.4 Results
In order to assess the validity of the proposed architecture in section 3.1, we have per-
formed different kinds of tests in our test-bed environment. Since synthetic fraud data
has been proved to be more suitable than authentic data when it comes to testing and
training of fraud detections systems [33], we have tested a representative subset of VoIP
IPDR records, both legitimate and fraudulent cases from a generated dataset. This gen-
eration followed a structured process to ensure the data validity.
Table 2 shows a partial outcome, with three data records, of a bigger execution
result. The system inserts a VoIP IPDR record into the system for its analysis. Once
the system performs the analysis, it reports the result based on the expert knowledge
represented within the rule-set.
Table 2. Execution results
Sensors Actuators
uniqueCallId Other parameters Notification alarm
52s70uj5-1507-2954-xspx-7b86x2a23q66 See IPDR in Listing 1.2 no action
12l93my3-1546-3231-rmoi-2h61q7z54l47 See IPDR in Listing 1.3 triggered
55r56gz4-3990-6841-xywy-4b38l1e72i58 Yet another IPDR no action
In the case of these experiments, if the call duration is coherent, the system informs
that the record is valid. In case of an incoherent call duration, the system prompts an
alert and takes the pertinent measures through its actuators as described in section 3.3.
Since the results confirm that the proposed system is valid to perform misuse detec-
tion for Voice over IP services, the architecture design is ratified. Therefore, the fraud
management system works as expected detecting fraud based on the expert knowledge.
The system expansion is guaranteed by adding more rules by the domain expert. Other
rules would use different attributes and relations, enabling new detection capabilities.
5 Conclusion
In this paper, we introduce a misuse-detection-based system to detect fraud on Voice
over IP services on Next-Generation Networks, in order to improve fraud management
systems for NGN. We believe that detecting potential security risks contributes to the
deployment of these networks by providing extra stability. Besides, the investments on
infrastructures and development by telecommunication operators are stepped up.
This approach relies on a previous analysis of NGN security requirements. To this
end, we present the related work on security requirements on NGN and define different
approaches to face fraud.We have also studied all the existing specifications of IPDR,
from the Internet protocol television to the Voice over IP. We believe that misuse de-
tection is the best approach to build a fraud management system that controls these
risks. Our analyses show that this paradigm is suitable and is able to react when a fraud
attempt occurs.
Future work will focus on the automatic modelling of more use cases and on the
automatic generation of new detection rules. Furthermore, as the architectural design
of our fraud management system is modular, we intend to spread the system detection
capabilities to other services besides the Voice over IP services.
References
1. Mao, Z., Douligeris, C.: A distributed database architecture for global roaming in next-
generation mobile networks. IEEE/ACM Trans. Netw. 12(1) (2004) 146–160
2. Bella, M.B., Eloff, J., Olivier, M.: A fraud management system architecture for next-
generation networks. Forensic Sci Int 185(1) (March 2009) 51–58
3. Liu, Y., Liang, X.: New regulations to the next generation network. In: Communications
and Mobile Computing, 2009. CMC ’09. WRI International Conference on. Volume 2. (Jan.
2009) 172–174
4. Crimi, J.C.: Next Generation Network (NGN) services. In: Telcordia Technologies. (2000)
5. KPMG Forensic: Fraud survey. http://www.kpmg.com/
6. Communications Fraud Control Association: Global telecom revenues increase 12% and
fraud increases 52% from 2003-2005. http://www.cfca.org/ (2006)
7. Web Application Security Consortium: Threat classification. http://www.webappsec.org/
8. Howard, J., Longstaff, T.: A common language for computer security incidents. Technical
Report Sandia Report: SAND98-8667, Sandia National Laboratories (1998)
9. Kvarnstrom, H., Lundin, E., Jonsson, E.: Combining fraud and intrusion detection - meeting
new requirements. In: Fifth Nordic Workshop on Secure IT systems (NordSec2000). (2000)
10. Simmons, M.R.: Recognizing the elements of fraud.
http://www.facilitatedcontrols.com/fraud-investigation/fraudwww.shtml (1995)
11. Mcnamara, P., Firozabadi, B.S., hua Tan, Y., Lee, R.M.: Formal definitions of fraud. In:
Norms, Logics and Information Systems - New Studies in Deontic Logic and Computer
Science, IOS Press (1999) 275–288
12. Cortesao, L., Martins, F., Rosa, A., Carvalho, P.: Fraud management systems in telecommu-
nications: A practical approach. (April 2005)
13. Bihina Bella, M.A., Olivier, M.S., Eloff, J.H.P.: A fraud detection model for Next-Generation
Networks. In Browne, D., ed.: Southern African Telecommunication Networks and Applica-
tions Conference 2005 (SATNAC 2005) Proceedings. Volume 1., Champagne Castle, South
Africa (September 2005) 321–326
14. Communications Fraud Control Association: Announces results of world wide telecom fraud
survey. http://www.cfca.org/ (3 2003)
15. Alves, R., Ferreira, P., Belo, O., Lopes, J., Ribeiro, J., Cortesao, L., Martins, F.: Discovering
telecom fraud situations through mining anomalous behavior patterns. In: Workshop on
Data Mining for Busines Applications, 12th ACM SIGKDD International Conference on
Knowledge Discovery Data Mining. (August 2006)
16. McGibney, J., Hearne, S.: An approach to rules-based fraud management in emerging con-
verged networks. In: IEEE/IEI Irish Telecommunications Systems Research Symposium.
(2003)
17. Hollm´
en, J., Tresp, V.: Call-based fraud detection in mobile communication networks using
a hierarchical regime-switching model. Advances in Neural Information Processing Systems
(1999) 889–895
18. Kou, Y., Lu, C., Sirwongwattana, S., Huang, Y.: Survey of fraud detection techniques. In:
Proceedings of IEEE Intl Conference on Networking, Sensing and Control. (2004)
19. Est´
evez, P., Held, C., Perez, C.: Subscription fraud prevention in telecommunications using
fuzzy rules and neural networks. Expert Systems with Applications 31(2) (2006) 337–344
20. Weiss, G.: Data mining in telecommunications (2005)
21. Rosset, S., Murad, U., Neumann, E., Idan, Y., Pinkas, G.: Discovery of fraud rules for
telecommunications—challenges and solutions. In: KDD ’99: Proceedings of the fifth ACM
SIGKDD international conference on Knowledge discovery and data mining, New York, NY,
USA, ACM (1999) 409–413
22. Lundin, E., Jonsson, E.: Anomaly-based intrusion detection: privacy concerns and other
problems. Computer Networks 34(4) (2000) 623–640
23. Jones, A., Sielken, R.: Computer system intrusion detection: A survey. University of Vir-
ginia, Computer Science Department, Tech. Rep (1999)
24. Kumar, S., Spafford, E.: A pattern matching model for misuse intrusion detection. In: In
Proceedings of the 17th National Computer Security Conference. (1994)
25. TeleManagement Forum: IPDR Service Specification. Design Guide. http://tmforum.org/
edn. (September 2008)
26. McGibneya, J., Schmidtb, N., Patelb, A.: A service-centric model for intrusion detection in
next-generation networks. Computer Standards & Interfaces 27(5) (2005) 513–520
27. Russell, S., Norvig, P.: Artificial Intelligence: A Modern Approach. Prentice Hall (2003)
28. Wooldridge, M., Jennings, N.: Intelligent agents: Theory and practice. Knowledge engineer-
ing review 10(2) (1995) 115–152
29. Chisholm, M.: How to Build a Business Rules Engine Extending Application Functionality
through Metadata Engineering. Elsevier Inc. (2004)
30. Kitchenham, B., Pickard, L., Pfleeger, S.: Case studies for method and tool evaluation. IEEE
software 12(4) (1995) 52–62
31. TeleManagement Forum: Service Specification - Voice over IP (VoIP). http://tmforum.org/
edn. (November 2004)
32. Goldstein, E.: The Best of 2600: A Hacker Odyssey (Kindle Edition). Wiley (June 2008)
33. Lundin, E., Kvarnstrom, H., Jonsson, E.: A synthetic fraud data generation methodology.
In: Proceedings of the 4th International Conference on Information and Communications
Security, Springer-Verlag (2002) 277
34. Axelsson, S.: Intrusion detection systems: A survey and taxonomy. Chalmers University of
Technology, Dept. of Computer Engineering, G ¨
oteborg, Sweden, Technical Report 99–15
35. Baluja, W., Llanes, A.: Estado actual y tendencias del enfrentamiento del fraude en las redes
de telecomunicaciones. Ingenier´
ıa Electr´
onica, Autom´
atica y Comunicaciones XXVI (2005)
46–52
36. Bihina Bella, M.A., Eloff, J.H.P., Olivier, M.S.: Using the IPDR standard for NGN billing
and fraud detection. Research in progress paper, http://mo.co.za/abstract/ipdrfraud.htm
(June/July 2005)
37. Choi, M.J., Hong, J.W.K.: Towards management of next generation networks. IEICE Trans
Commun E90-B(11) (2007) 3004–3014
38. Hearne, S., McGibney, J., Patel, A.: Addressing fraud detection and management in next-
generation telecommunications networks. (2004)
39. JBoss: Drools documentation. http://jboss.org/drools/
40. Takuji, T.: Backend systems architectures in the age of the next generation network. NEC
Technical Journal 1(2) (May 2006) 51–55
41. Vincent, J., Mintram, R., Phalp, K., Anyakoha, C.: AI solutions for MDS: Artificial Intelli-
gence techniques for Misuse Detection and localisation in telecommunication environments
(2007)
... A study to detect fraud for Voice-Over IP (VOIP) Services on next-generation networks was conducted by Ruiz-Agundez et al. (2010). The above-mentioned study was useful to view a model for detection in another software category. ...
... The approach taken to generate our data set was based on the approach taken by Islam et al. (2010) and Ruiz-Agundez et al. (2010). These studies were utilized as a foundation for this study; our approach is similar where we generate random clean data (virtual world activity with no occurrences of VPT) and then manually insert dirty data (VPT scenarios). ...
... This section will describe how our framework was tested using a hybrid technique based on research conducted by Islam et al. (2010), and Ruiz-Agundez et al. (2010). Islam et al. (2010) presents the approach of scenario matching or defining a fraud case then looking for occurrences in a data set, and Ruiz-Agundez et al. (Ruiz-Agundez et al., 2010) presents the approach of describing a fraud case study to demonstrate how effective their architecture is at detecting it. ...
Article
Full-text available
Purpose The purpose of this study is to provide a framework to detect and prevent virtual property theft in virtual world environments. The issue of virtual property theft is a serious problem which has ramifications in both the real and virtual world. Virtual world users invest a considerable amount of time, effort and often money to collect virtual property, only to have them stolen by thieves. Many virtual property thefts go undetected and often only discovered after the incident has occurred. Design/methodology/approach This paper presents the design of an autonomic detection framework to identify virtual property theft at two key stages: account intrusion and virtual property trades. Account intrusion is an unauthorized user attempting to gain access to an account and unauthorized virtual property trades are trading of items between two users which exhibit theft characteristics. Findings Initial tests of this framework on a synthetic data set show an 80 per cent detection rate. This framework allows virtual world developers to tailor and extend it to suit their specific requirements. It provides an effective way of detecting virtual property theft while being low maintenance, user friendly and cost effective. Originality/value To the author’s knowledge, there is no detection framework, system or tool that works on virtual property theft detection in virtual world environments without access to authentic virtual world data or attack data (because of privacy issues and unwillingness of virtual world environments companies to collaborate). The topic of virtual property theft, lack of existing labelled data sets, user anonymity, size of virtual world environments data sets and privacy issues with virtual world companies and a number of other critical factors distinguish this paper from previous studies.
... Until recently, a number of researches has focused on fraud detection methods such as [7][8][9]. In [2] and [6], authors present an extensive review and comparison of fraud detection approaches. ...
Conference Paper
Full-text available
Every year, e-service providers report losses of billions of dollars due to fraud. Despite their huge efforts in implementing sophisticated fraud detection systems on top of their e-services, fraud effects seem to be rather increasing than decreasing. As a result, fraud risk assessment has been introduced as a fundamental part of e-service providers’ prevention strategies. In particular, identifying potential fraud risks and estimating their impacts are two essential requirements to prevent fraud risks while developing and delivering e-services to customers. In this paper, we show that fraud patterns can be used to perform fraud risk assessment. We analysed real fraud incidents from an e-service domain – Telecom, and identified six fraud patterns, which are recurrently used to commit fraud. We then use those patterns in the same scenario in order to demonstrate their applicability to fraud risk assessment.
... Future works include performing a proof-of-concept of the presented taxonomy by implementing it in an accounting system. Furthermore, this taxonomy defines the pillars for the developing of accounting related applications such as fraud management systems [34] or data profiling [35] among others. We also planned a validation of the proposed taxonomy, using both direct inspection and validation metrics [36] as well as updating the taxonomy itself if there are substantial changes in the area of Internet accounting. ...
Conference Paper
Voice over IP systems are more and more replacing Public Switched Telephone Network infrastructures. The number of voice telephony installations and the number of Session Initiation Protocol users is constantly increasing. Attacks against Voice over IP systems are becoming more imaginative and many attacks can cause financial damage, e.g., attackers gain money or create costs for the victim. Therefore, the dependency on available and secure Voice over IP systems to conduct secure business is given. We provide an environment to uncover real-world toll fraud attacks by collecting data using a Voice over IP honeynet solution.
Article
Full-text available
Voice over Internet Protocol (VoIP) is an emerging communication service that has advanced in ubiquitous computing environments. Although VoIP is inexpensive and offers additional services, there has been little provision for attacks at the weak points. With the advances of Wireless Sensor Network (WSN) technologies, the risk is increasing. Due to the resource constraints of WSN, attacks have become easier, making protection of the network more difficult. In this work, we attempt to distinguish fraud call attacks as outliers from normal calls on the basis of call detail records. We adopted and applied a Local Outlier Factor (LOF) method on real call data, which include actual fraud call attacks. Our results show the outlier detection method can be effective in detecting fraud calls. Moreover, introducing two additional attributes related to fraud call characteristics enhanced the detection performance.
Technical Report
Full-text available
The review of fraud detection techniques in telecommunication services represents a starting point for understanding how to deal with the existing fraud techniques. In this paper, the reported methods for fraud detection in telecommunication services are analyzed, as well as fraud techniques. As a result of research two taxonomies are proposed: one for detection methods and other for fraud techniques. Each fraud detection technique was explained in details, including a scheme describing the detection process. Other fraud detection methods applied to other areas such as credit cards, online auctions, stock market, among others, are also presented. Such methods could be extended to be applied in telecommunication services. Finally, the main problems and difficulties detected in the area of fraud detection in telecommunication services are reported, providing new opportunities for future research.
Conference Paper
The number of Voice over IP systems and the number of Session Initiation Protocol users is constantly increasing. The new Voice over IP infrastructures are connected with the traditional Public Switched Telephone Network and attacks against the phone infrastructure are becoming more imaginative. The attacks can cause financial losses, e.g., attackers steal money or incur costs for the victim. We analyze the current status of toll fraud attacks by analyzing real-world attacks collected in a Voice over IP honeynet solution. Based on the detailed data about real attacks, the creation or adaption of existing prevention mechanisms is possible in order to avoid toll fraud attacks in live environments.
Conference Paper
Full-text available
The issue of virtual property theft in virtual worlds is a serious problem which has ramifications in both the real and virtual world. Virtual world users invest a considerable amount of time, effort and often money to collect virtual property items, only to have them stolen by thieves. Many virtual property thefts go undetected, with thieves often stealing virtual property items without resistance, leaving victims to discover the theft only after it has occurred. This paper presents the design of a detection framework that uses an algorithm for identifying virtual property theft at two key stages: account intrusion and unauthorized virtual property trades. Initial tests of this framework on a synthetic data set show an 80% detection rate with no false positives. This framework can allow virtual world developers to tailor and extend it to suit their specific virtual world software and provide an effective way of detecting virtual property theft while being a low maintenance, user friendly and cost effective.
Article
In the last century, owing to the constant evolution of technologies telecommunication networks have become increasingly robust, being able to support multiple services. These services are part of the heterogeneous network traffic that can be carried through the Internet. Many of these services, including VoIP, are latency sensitive. In other words, this means that their quality depends directly on the network quality of service. Since users tend to become more sensitive with the instability and unavailability of the network, it is important to improve traffic management. A particular type of data that could be used to improve VoIP traffic management is the Internet Protocol Detail Record (IPDR). IPDRs are tickets created by all VoIP call attempts which contain a group of information related to the call history. Because of its full range of information, IPDRs can be used to create VoIP traffic baselines. This paper presents the development of baselines based on IPDRs to support VoIP traffic management in open-access Metropolitan Area Networks (MAN).
Article
Full-text available
In this paper, we give formal analyses of notions of fraud for the aim of verification of trade procedures. A fraud possibility is seen as an undesirable property of a trade procedure which its specification should not satisfy. It is argued that fraud may occur (in a trade pro- cedure) when an agent violates an obligation and he/she also deceives another agent (a controller) about the fulfilment of that obligation. The formal definitions are given using modal operators for obligation, action and belief.
Book
This is the only book that demonstrates how to develop a business rules engine. Covers user requirements, data modeling, metadata, and more. A sample application is used throughout the book to illustrate concepts. The code for the sample application is available online at http://www.refdataportal.com. Includes conceptual overview chapters suitable for management-level readers, including general introduction, business justification, development and implementation considerations, and more.
Article
A report on in rise of spam messages in United States are presented. It was reported that an average e-mail user receives 2200 spam messages every year and is supposed to rise to 3600 by the year 2007. It is suggested that both third party and local real-time blocking lists should be used to cover most eventualities. Textual analysis works on two levels blocking repetitive spam by analysing the contents of messages for known spam headers and blocking generic spam by identifying common key words and phrases.
Article
The services that are projected for the next generation network (NGN) supported ubiquitous society will characteristically develop from the service domain of the individual to include lifestyle and social infrastructure-related services at the community and society levels. The systems for processing the information that is expected to be produced as a result of these changes will need to handle more than ten thousands events per second. Such gigantic systems processing such a massive volume of events must be provided with a new systems architecture based on innovative processing methods that differ from the conventional methods such as batch and online processing.
Conference Paper
Telecommunications fraud, already a major threat in currently specialized networks for voice and data traffic, is expected to increase in upcoming converged networks referred to as Next-Generation Networks (NGNs). Due to some of their key characteristics, such as being based on the Internet Protocol, NGNs create new challenges for effective fraud detection. Besides, as they enable the provision of innovative services, NGNs may also give rise to new fraud scenarios that cannot be addressed by existing fraud management systems (FMS) as these systems are highly service-specific. More appropriate tools are therefore needed for improved NGN fraud detection.