1. Field of the Invention
The present invention relates to a communication network such as a telecommunications network and more particularly to a method of and apparatus for monitoring communications and communication patterns, for example, to detect fraudulent use of a telecommunications network.
2. Related Art
There are many applications where it would be useful to be able to monitor communication patterns in a network. One such application is for detecting fraud in a telecommunications network. When fraud is perpetrated in a telecommunications network, it is often as a result of an organized ring of activity. However, the ringleader is rarely caught quickly since he will not directly make any fraudulent calls but will use accomplices to do this for him.
Currently the detection of ringleaders of such fraud groups requires a significant amount of analysis which is performed off line using large amounts of gathered data. Since this process is far from real time, the fraud ring exists for longer than is perhaps necessary.
It is an object of the present invention to provide a method of and an apparatus for monitoring communication patterns over a network and for monitoring communications over a network which can be used to detect fraudulent activity within, for example, a telecommunications network.
In accordance with a first aspect the present invention provides a method of monitoring communication patterns over a network, the method comprising:
an initial step of associating a mark with one or more entities in the communication network;
a detecting step of detecting communications between the or each marked entity and at least one further entity; and
a marking step of associating a mark with each further entity that communicates with the or each marked entity.
This aspect of the present invention also provides apparatus for monitoring communication patterns over a network, the apparatus comprising:
initial marking means for associating a mark with one or more entities of the communication network;
detection means for detecting communications between the or each marked entity and at least one further entity; and
marking means for associating a mark with each further entity that communicates with the or each marked entity.
This aspect of the present invention allows for the monitoring of communication patterns by detecting communications between originations and destinations, e.g. communication addresses or users. This process acts as a possible fraud marking system to mark each address, node or user in the network to indicate a spread of communications. In a fraud detection system this can be used to indicate a possible site of fraudulent activity.
In one embodiment the mark associated with each marked entity has a value and marking is carried out by associating a mark value with each entity that communicates with an entity previously marked, where the mark value is calculated as a function of the mark value of the previously marked entity. In this way, the 'diffusion' of communications throughout the network from an origination point or entity can be monitored by looking at the values for each entity. Those entities which communicate with marked entities more frequently will accrue a higher value and thus the spread of communications can be monitored with a higher degree of accuracy.
One method of calculating the mark value comprises passing a fraction of the mark value of the previously marked entity to each entity that communicates with the previously marked entity.
In order to generate an average picture of communication activities between marked points in the communication network, the mark values can be made to fade with time. In a fraud detection system this enables the removal of suspicion from legitimate users who may have happened to have made a single call or infrequent calls to a suspicious user.
The mark values used can be calculated in many different ways. If a communication is detected between marked entities, the mark values associated with each of the entities can be changed as a function of the current mark values of the entities.
Points of high network activity e.g. fraudulent activity can be detected by comparing the mark values associated with the entities with a predetermined range, and identifying the or each entity having a mark value associated therewith which is outside the predetermined range. In this way, in a fraud detection system when the fraudulent activity reaches a certain level i.e. the mark values or suspicion values associated with points of the network reach a threshold, then these can be highlighted to allow intervention by operators of a fraud management system.
In a network more than one entity may be initially marked. In order to enable the communication patterns originating from each of the marked entities to be distinguished, the respective marked entities can be initially marked with respective unique marks and each entity that communicates with the or each marked entity is marked with a respective unique mark. In this way the 'diffusion' of communications throughout the network which originate from different points in the network can be distinguished.
In accordance with a second aspect of the present invention there is provided a method of monitoring communications over a network, the method comprising:
a marking step of associating marks with entities in the communication network;
a detecting step of detecting communications between the marked entities; and
a generating step of generating a signal indicative of the detected communications between the marked entities.
This aspect of the present invention also provides apparatus for monitoring communications over a network, the apparatus comprising:
marking means for associating marks with entities in the communication network;
detection means for detecting communications between the marked entities; and
generating means for generating a signal indicative of the detected communications between the marked entities.
In accordance with this aspect communications between marked entities are detected and in a fraud management system communications between marked entities could be indicative of fraudulent activity.
In one embodiment mark values are associated with the entities and the mark values of the entities which are in communication are detected. A value for the communication is generated based on a function of the detected mark values for the communication. The value for the communication can then be compared with a predetermined range and it can be identified whether the value for the communication is outside the predetermined range. In this way, in a fraud detection system, communications between suspicious points in the network can be monitored and if the points in the network are highly suspicious, the communication will also be marked as being highly suspicious and can be brought to the attention of an operator of a fraud management system.
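The mark-value embodiments of the first aspect (fraction passing, fading, unique marks, range comparison) and the communication value of the second aspect can be illustrated together by the following added example, which is not part of the original specification. The fraction, half-life, range limits, the use of the minimum of the two mark totals as the communication value, the cap at 1.0, the non-fading initial marks and the call records are all assumptions made for illustration.

```python
from collections import defaultdict

FRACTION = 0.5      # assumed share of a mark value passed on per communication
HALF_LIFE_H = 24.0  # assumed fade half-life, hours
ENTITY_MAX = 0.6    # assumed top of the permitted range for an entity
CALL_MAX = 0.4      # assumed top of the permitted range for one communication

class MarkMonitor:
    def __init__(self, seeds):
        self.seeds = set(seeds)
        # marks[entity][seed] = value: one unique mark per initially marked entity
        self.marks = defaultdict(lambda: defaultdict(float))
        for s in self.seeds:
            self.marks[s][s] = 1.0
        self.clock = 0.0

    def _fade(self, t):
        decay = 0.5 ** ((t - self.clock) / HALF_LIFE_H)
        for entity, per_seed in self.marks.items():
            for seed in per_seed:
                if entity != seed:  # assumption: an initial mark itself does not fade
                    per_seed[seed] *= decay
        self.clock = t

    def total(self, entity):
        return sum(self.marks[entity].values())

    def observe(self, t, a, b):
        """Process one call record and return the value of that communication."""
        self._fade(t)
        call_value = min(self.total(a), self.total(b))  # assumed function of both marks
        snapshot = {a: dict(self.marks[a]), b: dict(self.marks[b])}
        for src, dst in ((a, b), (b, a)):
            for seed, value in snapshot[src].items():
                if dst != seed:  # pass a fraction on, capped at 1.0 (assumed cap)
                    self.marks[dst][seed] = min(1.0, self.marks[dst][seed] + FRACTION * value)
        return call_value

    def flagged(self):
        return sorted(e for e in self.marks
                      if e not in self.seeds and self.total(e) > ENTITY_MAX)

# Constructed call records: (hour, caller, callee). A1 and A2 are the initially marked numbers.
RECORDS = [(0, "R", "A1"), (1, "L", "A1"), (2, "R", "A2"), (50, "R", "A1")]

def replay(records, seeds):
    monitor = MarkMonitor(seeds)
    hot_calls = [r for r in records if monitor.observe(*r) > CALL_MAX]
    return monitor, hot_calls
```

With these constructed records, entity R, which communicates repeatedly with both initially marked numbers, ends outside the entity range, while L, which made a single call, has a mark that fades to about 0.12.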
In the communication network in accordance with the present invention entities can include communication nodes as communication originations and/or destinations, e.g. in a telecommunication network the communication nodes comprise telephone numbers. Also, the entities can include purported users who are identified by a user related code as the communication origination, e.g. in a telecommunications network an entity can comprise a charge card number or a personal number. The user related code may be used at any communication node and since charge cards and personal numbers are particularly prone to fraud, the ability to associate suspicion with such a user related code is important. It is not sufficient to merely associate suspicion with communication nodes since charge cards and personal codes may be used on any communication node for making a fraudulent communication.