The present invention relates to fraud detection methods, apparatuses and systems.
One of the goals of a next generation network is to provide a common, unified and flexible service architecture that can support multiple types of services and management applications over multiple types of transport. The main distinguishing feature of a next generation network is the distributed network intelligence (i.e. distributed functions). Distribution of the functions does not necessarily imply physical separation. Functions in the same location are still considered distributed if the functions are independent of one another.
Distributed networks are sometimes represented using the Open System Interconnection “OSI” model which includes seven layers as shown in FIG. 1. A layer generally includes a group of related functions performed in a given level in a hierarchy of groups of related functions. (Refer to www.webopedia.com; the model according to webopedia is summarized below).
The application layer (layer 7) 102 supports application and end-user processes. Communication partners are identified, quality of service is identified, and constraints on data syntax are identified. Everything at layer 102 is application specific. Layer 102 provides application services for file transfers, e-mail and other network software services.
The presentation layer (layer 6 also known as the syntax layer) 104 provides independence from differences in data representation (e.g. encryption) by translating from application to network format, and vice versa. Layer 104 formats and encrypts data to be sent across network 200, providing freedom from compatibility problems.
The session layer (layer 5) 106 establishes, manages and terminates connections between applications. Layer 106 sets up, coordinates, and terminates conversations, exchanges, and dialogs between the applications at each end. Layer 106 deals with session and connection coordination.
The transport layer (layer 4) 108 provides transparent transfer of data between end systems or hosts, and is responsible for end-to-end recovery and control. Layer 108 ensures complete data transfer.
The network layer (layer 3) 110 provides switching and routing technologies, creating logical paths, known as virtual circuits, for transmitting data from node to node. Routing and forwarding are functions of layer 110 as well as addressing, internetworking, error handling, congestion control and packet sequencing.
At data link layer (layer 2) 112, data packets are encoded and decoded into bits. Layer 112 furnishes transmission protocol knowledge and management and handles errors in the physical layer 114, flow control and frame synchronization. Layer 112 is divided into two sublayers, the media access control (MAC) layer and the logical link control (LLC) layer. The MAC sublayer controls how a computer on network 200 gains access to the data and permission to transmit the data. The LLC layer controls frame synchronization, flow control and error checking.
Physical layer (layer 1) 114 conveys the bit stream—electrical impulse, light or radio signal—through network 200 at the electrical and mechanical level. Layer 114 provides the hardware means of sending and receiving data on a carrier, including defining cables, cards, and physical aspects.
Refer to FIG. 2 which shows another model of a distributed network 200. Instead of dividing up network 200 based on how network 200 operates (as in the OSI model), the model divides network 200 into functions provided to clients 205, namely access to network 200, transportation along network 200, network services (including management services), and login, authorization and security. These functions are provided by elements 201, i.e. equipment that perform the different functions of network 200. FIG. 2 shows non-limiting examples of some of the more common elements 201 for each function.
The access function is provided by access function elements 214 located in an access part 210 (including one or more access networks). Clients 205 (phone, computer users, etc.) connect to network 200 using any of a variety of technologies (for example digital subscriber line “DSL”, cable modems, wireless, local multipoint distribution system (LMDS), etc.). Access part 210 also provides basic logical definitions in order to initiate the access connection.
The transportation function is provided by transport function elements 216 located mainly in a transport part 230, but sometimes in access part 210 (for example switches between access equipment 205 and edge router 214). The transportation function is concerned with routing the traffic to and/or from clients 205 over network 200. Transport part 230 of the network is generally packet based. Transport part 230 may be an international backbone or even a local area network.
Edges 250 (which include edge routers 214 as access elements) are the interfaces between access part 210 and transport part 230.
The network services function is provided by application function elements 218 located in the application part 240 of the network. Examples of network services include file transfer, database access, etc.
Management functions (for example fault management or provisioning) are provided by management function elements 222 which are located in application part 240 of the network but can provide services to or manage any of parts 210, 230, or 240 (for example collection of information from elements 201 in each of parts 210, 230, and 240).
Login, authorization, and security functions are provided by login, authentication or security function elements 220 located in any of parts 210, 230, or 240.
In order to further clarify the model presented in FIG. 2, network 200 will be also explained in terms of the OSI model. When discussing network parts 210, 230 or 240, or elements 201 of network 200 it should be understood that if a part or element provides the functionality of a certain layer, the part or element also provides the functionality of layers below that layer.
As an example, access part 210 may provide the functionality of data link layer (layer 2) 112; transport part 230 may provide the functionality of data link layer (layer 2) 112, network layer (layer 3) 110 or transport layer (layer 4) 108; and service part 240 may provide the functionality of application layer (layer 7) 102.
As an example, access function elements 214 may provide the functionality of data link layer (layer 2) 112; transport function elements 216 may provide the functionality of network layer (layer 3) 110 or transport layer (layer 4) 108; and application function elements 218 and management function elements 222 may provide the functionality of application layer (layer 7) 102. Depending on the specific element, login, authentication or security function elements may provide the functionality of varying layers.
In network 200, elements 201 produce data related to network activity. The data produced can be used for different purposes including: network planning, network management, accounting/billing applications etc. For example, in billing applications the data can be used to allow flexible charging mechanisms based on variables such as time-of-day, bandwidth usage, application usage, class of service, etc., or to allow departmental cost allocation within a company.
As an example, assume at least one of transport function elements 216 is a Netflow enabled router, manufactured by Cisco Systems, Inc., headquartered in San Jose, Calif. Router 216 can capture the following IP flow attributes: source IP address, destination IP address, next hop router address, input physical interface index, packet count for flow, byte count for flow, start-of-flow time stamp, end-of-flow time stamp, TCP/UDP source port, TCP/UDP destination port, IP protocol, type of service (ToS), TCP flags, source autonomous system number, destination autonomous system number, source subnet mask, and destination subnet mask.
Various attempts have been made to detect fraud in networks. Many of the attempts provide solutions for specific networks such as telephony, wireless etc.
In traditional telephony networks, the intelligence is concentrated in the switches. Each switch holds a subscriber database, performs the routing algorithms, switches voice calls, encodes/decodes the voice channels, provides billing information, alerts and statistics. The switches also provide call detail records (CDRs). In SS7 (Signaling System No. 7) networks, the packet networks that support signaling within the worldwide public switched telephone network, probes may provide CDRs as a substitute or supplement to those provided by the switches. Therefore fraud analysis systems for traditional telephony networks analyze CDRs provided by one or more switches with each call described by a single CDR. In SS7 networks, CDRs from both probes and switches are compared in at least one fraud detection system. Note that traditional telephony and telephony with SS7 are examples of networks with concentrated (i.e. non-distributed) network intelligence.
WO 0025505 assigned to Intervoice LP, describes fraud detection in a prepaid calling application using a central database.
WO 0067460 assigned to Nortel Networks Ltd., describes how fraud is detected by using profiles to analyze records generated by the telecommunication systems.
EP 0714219 assigned to AT&T, describes how cloning fraud in a cellular/PCS environment is detected on the basis of the time difference between two notification time records having a common identification number.
WO 9913427 assigned to MCI Communications Corp., describes a method of detecting fraud in telecommunication systems (e.g. using calling cards, credit cards, PBX, and cellular phones). The system analyzes records generated by the telecommunication systems using thresholds, profiles, and/or pattern recognition.
U.S. Pat. No. 6,014,557 assigned to BellSouth Intellectual Property Corporation, describes for a wireless network a system of monitoring devices, coupled to existing network or network elements, and adapted to capture certain data regarding user traffic. The captured data is in turn provided to a message processor which collates raw messages received from the data capture devices and produces fraud data.
WO9839899 assigned to McGuire et al, describes how fraud is detected by comparing call information records to thresholds for each call in a telecommunications network.
WO0143402 assigned to MCI describes how fraud is detected in a telephone system by comparing the terminating number of a first call with the originating number of a second call.
EP0805610 assigned to Nokia describes how to detect the use of stolen mobile identification number and electronic serial number information by comparing the last phone number recorded by the radio telephone network with the last phone number recorded in the mobile unit.
U.S. Pat. No. 5,592,530, assigned to Inet, Inc. describes how calling fraud detection is performed by analyzing a composite record from primary and secondary records compiled by monitors on a mated pair of switching nodes in a telephone network.
There is thus a widely recognized need for, and it would be highly advantageous to have, methods, systems and apparatuses for detecting fraudulent behavior in distributed networks by comparing the consistency of the data from the network elements. As the variety of charging mechanisms for distributed networks grows, the variety of fraud schemes also increases so as to avoid payment or cause the loss of revenues and/or customers.
There is also a need in the art for fraud detection methods, systems and apparatuses for distributed networks supporting a variety of services and access technologies. There is further a need in the art for methods, systems and apparatuses which can compare different types of data (i.e. different identifying fields and/or value fields) and/or data relating to different amounts of network activity from two or more elements in order to detect fraud. In addition, there is a need in the art for methods, systems and apparatuses to develop rules for determining the consistency of the data from the network elements.
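The following is an added illustration, not part of the original text or of any method it claims, of the kind of consistency comparison the need described above and the flow attributes listed earlier point to: byte counts from flow records exported by a transport element are checked against session records from an access or login element that identifies traffic by subscriber rather than by IP address. The session record schema, the 5% tolerance and all sample values are assumptions constructed for the example.

```python
from collections import defaultdict

# Constructed sample data. Flow records use a subset of the flow attributes
# listed above (source/destination IP, byte count, start/end time stamps).
FLOWS = [
    {"src_ip": "10.0.0.5", "dst_ip": "198.51.100.7", "bytes": 40_000, "start": 100, "end": 160},
    {"src_ip": "10.0.0.5", "dst_ip": "198.51.100.9", "bytes": 60_000, "start": 170, "end": 300},
    {"src_ip": "10.0.0.8", "dst_ip": "198.51.100.7", "bytes": 900_000, "start": 120, "end": 400},
    {"src_ip": "10.0.0.9", "dst_ip": "203.0.113.4", "bytes": 5_000, "start": 50, "end": 90},
]
# Hypothetical session records from an access/login element: keyed by
# subscriber, so the identifying fields differ from those of the flows.
SESSIONS = [
    {"user": "alice", "ip": "10.0.0.5", "start": 90, "end": 310, "bytes": 101_000},
    {"user": "bob", "ip": "10.0.0.8", "start": 110, "end": 410, "bytes": 200_000},
]

def find_inconsistencies(flows, sessions, tolerance=0.05):
    """Return (subject, reason) pairs where the two elements disagree."""
    totals = defaultdict(int)   # session index -> bytes seen by the transport element
    matched = set()             # indices of flows attributed to some session
    for s_idx, s in enumerate(sessions):
        for f_idx, f in enumerate(flows):
            # Join on IP address plus time containment, since the two record
            # types share no common identifier. Only client-originated
            # traffic (src_ip) is counted here for brevity.
            if f["src_ip"] == s["ip"] and s["start"] <= f["start"] and f["end"] <= s["end"]:
                totals[s_idx] += f["bytes"]
                matched.add(f_idx)
    findings = []
    for s_idx, s in enumerate(sessions):
        seen, reported = totals[s_idx], s["bytes"]
        # Flag only differences larger than the relative tolerance, so that
        # small measurement differences between elements are not reported.
        if abs(seen - reported) > tolerance * max(seen, reported, 1):
            findings.append((s["user"], f"transport saw {seen} bytes, access reported {reported}"))
    for f_idx, f in enumerate(flows):
        if f_idx not in matched:
            # Traffic observed on the transport side with no authorized session.
            findings.append((f["src_ip"], "flow with no matching session"))
    return findings

if __name__ == "__main__":
    for subject, reason in find_inconsistencies(FLOWS, SESSIONS):
        print(subject, "->", reason)
```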