An Investigative Model for Illegal VoIP Business Operator

A. FUAD MD. BANDI, NORAZRINA ABU HARIS, ABD.RAZIF TAMRIN, AZMIRUL HAMZAH NOR HAMZAH, HERMIEWAN HAMDAN, SURIAH HASAN, SAHIRMAN ABDULLAH, MD. DAUD JAAFAR, MD. AZMI KARNAIN, MAZLAN BURHANUDIN

TM Research & Development, TMR&D Innovation Center, Lingkaran Teknokrat Timur, 63000, Cyberjaya, Selangor, MALAYSIA

fuad@tmrnd.com.my, azrina@tmrnd.com.my, razif@tmrnd.com.my, azmirul@tmrnd.com.my, hermiewan@tmrnd.com.my, suriah@tmrnd.com.my, sahirman@tmrnd.com.my, daud@tmrnd.com.my, azmi@tmrnd.com.my, mazlan@tmrnd.com.my

http://www.tmrnd.com.my

Abstract

Fraud in telecommunications has become a big threat to revenue in the industry. The issue needs to be explored and fraud detected in order to prevent lost revenue. Telcos need to develop an application that can investigate and detect suspicious activity precisely. This paper focuses on the design of a fraud detection model to investigate operators that illegally operate a VOIP (Voice over Internet Protocol) business. It also provides the flow and methods for detecting the suspicious activity in order to plug revenue leakage.

Key-Words: Fraud, Revenue Leakage, VOIP, PRI, investigation method

1 Introduction

Fraud is one of the revenue leakage areas in the telecommunication industry. The history of telecommunications crime, including several types of fraudulent activities, has been reviewed by researchers [3]. Popular examples of telecommunication fraud include subscription fraud, prepaid and postpaid fraud, call forwarding fraud, cloning fraud, and billing and payment fraud. Currently a few grey issues have been highlighted, such as massive number rerouting, incoming and outgoing interconnect trends, and suspicious subscribers that pay only minimum rental fees but incur no call revenue.
This causes lost revenue for the company and also lowers customers' confidence in the security of the transactions available. Recognising the damage this does to the reputation of the telecommunication industry, researchers at TM Research & Development have cooperated with a major telecom company in Malaysia on initiatives and better strategies to address these matters. In response, our main interest is to study how to detect, and provide proof of, subscribers that illegally operate as VoIP providers. Even though every possible action may be taken to detect fraud, the real challenge lies in producing solid evidence to convince regulators, such as a communications and multimedia commission, of the threat to the future of incumbent telcos. In fact, in some countries telephone wire tap and dialed number recording systems are used by law enforcement and security agencies to collect legal evidence [4].

ISSN: 1790-5117 30 ISBN: 978-960-474-072-7

2 Problem and Issues

2.1 Issues

Fraud and Fraud Management Systems (FMS) have continuously evolved within the telecommunication industries [3]. Different kinds of detection techniques, covering rule-based and other artificial intelligence techniques, have been proposed [4]-[7]. As a fraud fighting tool, an FMS is basically engineered to detect and manage fraud in telecommunication services by using Call Data Records (CDR) as input. These collections of records are processed and can be used by the engine to profile customer behaviour and to drive different kinds of detection technique. Some users apply a threshold to the percentage difference in a customer's profile of charge, call duration or call frequency. In this case, a subscriber that carries out call selling or call regeneration pays only the minimum monthly rental fees. By using profiling engines such a subscriber can be profiled, and the particular usage taking place will trigger an alarm against the profile's parameters. This enables service providers to quickly identify irregular subscriber behaviour or unusual patterns of usage.

Even though a variety of fraud management systems are available in the market, using different methods to manage fraud criteria, manual verification still needs to be carried out for the detected customer. For instance, manual test calls and call tracing via Signalling System 7 (SS7) are conducted to collect data for further investigation. Manual test call verification is conducted to determine whether the detected subscriber's number is actually a server with Interactive Voice Response (IVR) (insert pin, language selection etc.) or a tone. Test calls, however, gave various results at different times and hence are not actually reliable. Call tracing is conducted to determine, in real time, the amount of traffic handled by a certain subscriber's number within a stipulated time frame. Suspected subscribers are determined through a high number of incoming calls and overlapping calls.
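The call-tracing criterion described above (a high number of incoming calls and overlapping calls on one subscriber number), as an added example that is not part of the original paper: it derives both figures from call data records. The record layout, the sample numbers and the threshold values are assumptions.

```python
from collections import defaultdict

# Constructed CDRs: (a_number, b_number, start_second, duration_seconds).
CDRS = [
    ("0123000001", "0388880000", 0, 300),
    ("0123000002", "0388880000", 60, 300),
    ("0123000003", "0388880000", 120, 300),
    ("0123000004", "0388880000", 400, 60),
    ("0123000005", "0377770000", 0, 100),
    ("0123000006", "0377770000", 100, 100),   # starts as the previous call ends
]

def profile(cdrs):
    """Per B number: incoming call count and peak number of overlapping calls."""
    edges = defaultdict(list)
    for _a, b, start, duration in cdrs:
        edges[b] += [(start, 1), (start + duration, -1)]
    stats = {}
    for b, events in edges.items():
        # Sweep over call starts (+1) and ends (-1) in time order. At equal
        # times -1 sorts before +1, so back-to-back calls do not overlap.
        events.sort()
        current = peak = 0
        for _time, step in events:
            current += step
            peak = max(peak, current)
        stats[b] = {"incoming": len(events) // 2, "peak_overlap": peak}
    return stats

def suspects(stats, min_incoming=4, min_overlap=3):
    """B numbers at or above both thresholds (threshold values are assumptions)."""
    return sorted(b for b, s in stats.items()
                  if s["incoming"] >= min_incoming
                  and s["peak_overlap"] >= min_overlap)

if __name__ == "__main__":
    result = profile(CDRS)
    for number in suspects(result):
        print(number, result[number])
```
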
Since a typical fraud detection system only manages certain threshold criteria [4], both existing manual verification mechanisms do not actually produce evidence that the particular subscriber is operating illegal transit, call regeneration or call selling.

2.2 Business Case

In the normal case, a home user (A party number) dials an access number to the B party number (Fig. 1). In this example, the B party number is an ISDN (Integrated Services Digital Network) PRI (Primary Rate Interface) subscriber. ISDN PRI is a telephone network system with a single high-quality connection, which typically has 30 x 64k channels and allows simultaneous calls over each channel in normal operation. Normally the B party number's service package only allows its customers and business contacts to dial directly through to staff members, without passing through a switchboard.

Fig. 1: Normal PSTN (Public Switch Telephone Network) call (diagram labels: A Party Number, PSTN, B Party Number)

If the B party is operating as an unlicensed VoIP business, then upon connection to the server the customer needs to key in a personal identification number in order to get a dial tone. Corporate customers of the B party number, however, usually use an auto dialler feature to skip the identification process (refer Fig. 2). The scenario suggests that the B party intends to make money from direct exploitation of the telecommunications services by transiting or bypassing calls. The activity is known as illegal call regeneration. This situation contributes a huge loss in revenue due to voice minutes leakage. Furthermore, from another point of view, the rental fee or cost of operating VoIP services is much higher than that of the previous packages. The following example (refer Table 1) shows the telecommunications provider's income if there is no solution in place.
Fig. 2: Call via PRI Service (diagram labels: Primary Dialing, A Party Number, PSTN, PRI Service (B Party Number), Illegal Call Regeneration Zone, VOIP Network, Destination C Party Number)

For example, assume that the cost to a telecom company of providing such a service is 80% of the rental fee, leaving 20% of the amount as profit. Let's say the rental fee of service A (normal package for ISDN PRI) is RM700 per month, that of service type B (operating a VoIP business) is RM15,000, and the total number of suspected service type A subscribers illegally operating service type B reaches up to 300 users. Table 1 below shows the differences in monthly cost and profit if there is no evidence for law enforcement or telcos to take legal action against these subscribers.

| Service Type (Subject Line/ users) | Rental Fee per Month (RM) | Total Rental per Month (RM) | Cost (80% from Total Rental) (RM) | Profit (20% from Total Rental) (RM) |
|---|---|---|---|---|
| A (300) | 700.00 | 210,000.00 | 168,000.00 | 4200.00 |
| B (300) | 15,000.00 | 4,500,000.00 | 3,600,000.00 | 900,000.00 |
| Total Differences in Revenue | | 4,290,000.00 | 3,432,000.00 | 858,000.00 |

Table 1: Example Calculation of Revenue Lost

3 Problem Solution

3.1 Proposed intelligence investigative technique

Telekom Malaysia (TM) and its subsidiary, TM Research & Development (TMR&D), have cooperated to design a model that complements the FMS and can effectively investigate the fraud of non-VoIP operators illegally operating a VoIP business. We have suggested that an intelligent application be developed to investigate suspected B numbers. The proposed system shall consist of three main modules (refer Fig. 3): test call verification, tapping and investigative data analysis. Those modules serve purely to investigate whether or not an ASP (Application Service Provider) is providing VoIP using the lower rental of a PRI service number. At the earlier stage, the system shall be able to filter out the valid subscribers in order to ensure the integrity of the investigation.

Fig. 3: Modules in Intelligence Investigative Technique (diagram labels: Test Call verification, Tapping, Investigative data analysis)

The purpose of the test call is to discriminate whether the result is an Interactive Voice Response (IVR) [11] with a pin number request or a strange voice or tone answer. Should the test call to a suspected subscriber be answered by an IVR with a pin number request, the ASP is prone to breach the call regeneration clause, which permits this only for VoIP operators via 1800 numbers. The test call verification module must be able to generate a report that contains, at least, the following information: B party number, start time, type of call answered, recording file, etc.

For the latter test call result, a further analysis shall be done to provide solid evidence of call regeneration. The idea is to capture all the DTMF (Dual Tone Multi Frequency) tones sent by the calling party number (A number) to the suspected number (B party number). (Note: DTMF tones, also known as touch-tones, are the audible sounds you hear when you press keys on your phone [14].) For this purpose, the tapping process and the investigative analysis activity will be executed accurately to provide solid evidence of call regeneration. The tapping device shall act as a mediator for the secondary dialing of the investigated subscriber. It must have the ability to record, translate and analyze DTMF signals from voice traffic into readable call data records.
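The translation step described above, turning DTMF tones on the tapped line into readable key presses with time stamps, as an added example (not code from the paper or from TMR&D): a Goertzel-filter decoder. The 8 kHz sample rate, the block size, the detection threshold and the synthetic test signal are assumptions.

```python
import math

RATE = 8000                       # samples per second (assumed telephony rate)
BLOCK = 205                       # samples per analysis block, about 25.6 ms
LOW = (697, 770, 852, 941)        # DTMF row frequencies in Hz
HIGH = (1209, 1336, 1477, 1633)   # DTMF column frequencies in Hz
KEYS = ("123A", "456B", "789C", "*0#D")

def goertzel_power(block, freq):
    """Power of one frequency in a block (Goertzel recurrence)."""
    coeff = 2.0 * math.cos(2.0 * math.pi * freq / RATE)
    s1 = s2 = 0.0
    for x in block:
        s1, s2 = x + coeff * s1 - s2, s1
    return s1 * s1 + s2 * s2 - coeff * s1 * s2

def detect_key(block):
    """Key whose row and column tones dominate the block, else None."""
    energy = sum(x * x for x in block)
    lo = [goertzel_power(block, f) for f in LOW]
    hi = [goertzel_power(block, f) for f in HIGH]
    # Each tone of a clean key press holds about energy * len(block) / 4;
    # silence, speech or a single tone falls below the assumed 0.1 factor.
    if energy < 1e-6 or min(max(lo), max(hi)) < 0.1 * energy * len(block):
        return None
    return KEYS[lo.index(max(lo))][hi.index(max(hi))]

def decode(samples):
    """Return [(start_seconds, key)], one entry per key press."""
    events, last, run = [], None, 0
    for i in range(0, len(samples) - BLOCK + 1, BLOCK):
        key = detect_key(samples[i:i + BLOCK])
        run = run + 1 if key == last else 1
        last = key
        if key is not None and run == 2:   # two matching blocks confirm a press
            events.append((round((i - BLOCK) / RATE, 3), key))
    return events

def synth(keys, tone=0.08, gap=0.08):
    """Constructed input: DTMF audio for a key string (not a real capture)."""
    out = []
    for k in keys:
        r = next(i for i, row in enumerate(KEYS) if k in row)
        w1, w2 = (2 * math.pi * f / RATE for f in (LOW[r], HIGH[KEYS[r].index(k)]))
        out += [0.5 * (math.sin(w1 * n) + math.sin(w2 * n))
                for n in range(round(tone * RATE))]
        out += [0.0] * round(gap * RATE)
    return out
```

Calling `decode(synth("4321#"))` on the constructed signal returns one `(start_seconds, key)` pair per key press, which is the kind of time-stamped record the investigative analysis module would aggregate.
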
The purpose of the investigative data analysis is to analyze the behaviour of the suspected target. This module must have the ability to monitor the progress of each incoming and outgoing call. For example, if the C number is precisely detected in the analysis, it is possible to conclude that evidence of call regeneration exists, and further action shall be taken.

3.2 Intelligence investigative model

3.2.1 The Collection of input data

The investigative model should consider the collection of input data. The data should contain a list of suspected B numbers extracted from the FMS. The data will most probably come in various forms and might be difficult for our system to read. We therefore decided to preprocess the data so that all input data have a standard format before they are exported into our system.

3.2.2 Call verification

In our research, we need to develop an application which tests the call that has been recorded. There are two things to consider in our application: screening the suspected numbers and identifying the call progress.

In the screening process the application will read a list of suspected B numbers which is provided by the user from the FMS. A look-up table that contains the white list numbers (i.e. a list of B numbers which have been filtered out, also provided by the FMS) is essential in order to filter or screen out any legal B number. The result of the screening process shall consist of the numbers that need to be verified.

During call progress identification, the system shall be able to perform automatic or mass calls several times so that the integrity of the test call result is guaranteed. For better result analysis the call progress shall be recorded accordingly. We expect the results to be of three (3) types: IVR, beep and Answered. All the information gathered from the call verification progress shall be adequately presented.
It must include important attributes such as B number, start time, result category of each attempt, and the recording wav file of the message. For each row that contains an answer of type beep, the information shall facilitate the next investigation process.

3.2.3 Tapping & investigative analysis activity

A tapping device is needed to capture all the beep call progress and translate it into a readable format. The device is wired to the line and acts as a mediator for the secondary dialing investigation. The tapping device shall be able to record, translate and analyze any signals transmitted over the line. Parameters such as pin number, time stamps and destination number shall be used as proof of these illegal activities. For the execution, data must be aggregated and structured for the purposes of behavioral analysis and shall produce solid evidence.

4 Conclusion

This paper has presented a model to investigate an illegal VoIP business operator. The proposed model has been designed based on research and discussion with Fraud Management in Telekom Malaysia. The model has been proposed by TMR&D but still needs more research, especially in fraud analysis. Implementation of a system based on the model is still in progress. The experimental work and its results will be presented next.

References

[1] TMR&D, SPAI_T Software Design Document, 2008.
[2] TMR&D, Software Requirement Specification, 2008.
[3] Pablo A. Estévez, Claudio M. Held and Claudio A. Perez, Subscription Fraud Prevention in Telecommunications using Fuzzy Rules and Neural Networks, Department of Electrical Engineering, University of Chile, Casilla 412-3, Santiago, Chile, 2005.
[4] Håkan Kvarnström, Emilie Lundin, and Erland Jonsson, Combining fraud and intrusion detection - meeting new requirements, In Proceedings of the fifth Nordic Workshop on Secure IT systems (NordSec2000), Reykjavik, Iceland, 2000.
[5] FML, Revenue Assurance Fraud Management Yearbook, 2003.
[6] Boukerche, A., and Notare, M. S. M. A., Behavior-based Intrusion Detection in Mobile Phone System, Journal of Parallel and Distributed Computing, Vol. 62, No. 9, pp. 1476-1490, 2002.
[7] Burge, P., and Shawe-Taylor, J., An Unsupervised Neural Network Approach Profiling the behavior of mobile phone user for use in fraud detection, Journal of Parallel and Distributed Computing, Vol. 61, No. 7, pp. 915-925, 2001.
[8] Shawe-Taylor, J., Howker, K., and Burge, P., Detecting of Fraud in Mobile Telecommunications, Information Security Technical Report, Vol. 4, No. 1, pp. 16-28, 1999.
[9] Fawcett, T., and Provost, F. J., Combining Data Mining and Machine Learning for Effective Fraud Detection, Workshop: AI Approaches to Fraud Detection and Risk Management, AAAI Press, pp. 14-19, 1997.
[10] Susan Landau, "Security, Wiretapping, and the Internet," IEEE Security & Privacy, vol. 3, no. 6, November/December 2005, pp. 26-33.
[11] Angel.com, What is IVR? Available: http://www.angel.com/ivr.jsp, 2008.
[12] VoIP Fraud: The Industry's Best-Kept Secret, http://voxilla.com/voxilla-stories/voxilla-stories/voip-fraud-the-industrys-best-kept-secret-380.html
[13] M. Sherr, E. Cronin, S. Clark and M. Blaze, "Signaling Vulnerabilities in Wiretapping Systems," IEEE Security and Privacy, November/December 2005.
[14] John Iovine, DTMF IR Remote Control System, Nuts & Volts, Vol. 15, No. 6, June 1995.