real time fraud detection using signalling
TRANSCRIPT
WeD
o T
echnolo
gie
s ©
2015 –
confidential
info
rmation
. A
ll rights
reserv
ed.
Page 1June 16, 2016 | Page 1June 16, 2016 |
REAL TIME FRAUD DETECTION USING SIGNALLING
SPEED AND AGILITY
May 2016
Luis Moura Brás [email protected]
Stephen [email protected]
WeD
o T
echnolo
gie
s ©
2015 –
confidential
info
rmation
. A
ll rights
reserv
ed.
Page 2June 16, 2016 | Page 2June 16, 2016 |
CONTACTSLuis Moura Brás
Stephen Buck
LUIS MOURA BRÁS
FRAUD EXPERT
+351 939 640 388
STEPHEN BUCK
PRODUCT DIRECTOR
+44 7710 468 572
WeD
o T
echnolo
gie
s ©
2015 –
confidential
info
rmation
. A
ll rights
reserv
ed.
Page 3June 16, 2016 |
TOPICS COVERED
1 How is fraud evolving
2
3
5
Real time fraud management
New dimensions on fraud use cases
Benefits of integrated fraud management approach
4 Real time solution architecture
WeD
o T
echnolo
gie
s ©
2015 –
confidential
info
rmation
. A
ll rights
reserv
ed.
Page 4June 16, 2016 |
THE FRAUD IN TELCOMARKET OVERVIEW
WeD
o T
echnolo
gie
s ©
2015 –
confidential
info
rmation
. A
ll rights
reserv
ed.
Page 5June 16, 2016 |
FRAUD LANDSCAPE MOST RELEVANT FRAUD TYPES
The fraud types incidence may vary according to market maturity and ARPU. CFCA report covers the fraud
loss estimations at a global scale (e.g., thus not taking in account differences between region/market
and/or country environmental)
WeD
o T
echnolo
gie
s ©
2015 –
confidential
info
rmation
. A
ll rights
reserv
ed.
Page 6June 16, 2016 |
FRAUD MANAGEMENT SOLUTIONS ADDRESSING INCREASING SOPHISTICATION OF FRAUDSTERS
• Fraudsters understand the time window and act fast – need to trap in real time
• Fraudsters now have access to (SS7) networks – new fraud risks to address
• VoIP/SIP traffic – New forms of bypass and spoofing to address
Real time
INFORMATION
Technology change
(SS7 fraud, SIP)
WeD
o T
echnolo
gie
s ©
2015 –
confidential
info
rmation
. A
ll rights
reserv
ed.
Page 7June 16, 2016 |
WHAT IS THE DIFFERENCE? – A GROSS SIMPLIFICATION SIGNALING V CDRS
RADIO ACCESS NETWORK CORE NETWORK
Eg: BTS/BSC,
NodeB/RNC,
eNodeB
Eg: VLR, MSC, SGSN
SGW, PGW, MME
1. Register location and set up services in VLR
Manage secure, efficient, low error radio
communication
Manage mobility, routing, authentication and
service control
Routing of calls,
data in/out
(Eg: ISUP)
Managing mobility, AAA
etc (eg: MAP)
Control calls, data etc
(eg: CAP)
HLR
AS
VPLMNHPLMN
Eg: Prepay, Policy, AAA
1. No CDRs. HPLMN aware
2. Make call 2. Call info visible and under
control of home. No CDRs yet.3. Terminate call
3. CDRs generated in VPLMN
4. NRTRDE/TAP sent to HPLMN
BSS
Mediation
CDRs
WeD
o T
echnolo
gie
s ©
2015 –
confidential
info
rmation
. A
ll rights
reserv
ed.
Page 8June 16, 2016 |
Both contain:
• Origin, destination,
• Date, time, length of calls, data volumes, text etc
• Cell id
• Primary purpose – control of UE
• Real-time
• Controls calls, data, text – can block/allow/interact
• Some additional information – eg: mobility, device
• Multiple interfaces & protocols with different info
Call Detail Record (CDRs):
WHAT IS THE DIFFERENCE? – A GROSS SIMPLIFICATION SIGNALING V CDRS
• Primary purpose – billing and charging
• Post event
• Low delay at home, but significant delay when roaming
• Some information not easily accessible in signaling – eg: QoS
• Multiple entities write CDRs or equivalent
WeD
o T
echnolo
gie
s ©
2015 –
confidential
info
rmation
. A
ll rights
reserv
ed.
Page 9June 16, 2016 |
REAL-TIME FRAUD DETECTION SYSTEM
INTEGRATED FRAUD MGMT. SOLUTION
evolvedintelligence
WeD
o T
echnolo
gie
s ©
2015 –
confidential
info
rmation
. A
ll rights
reserv
ed.
Page 10June 16, 2016 |
60 live deployments
over 38 customers
worldwide
2 Bn messages
processed per day
35m roamers seen
per day
1.75 TB of
signalling
processed daily
Signalling of 600
operators from
210 countries
daily
10
EvolvedintelligenceCLOUD BASED NETWORK SOLUTIONS
WeD
o T
echnolo
gie
s ©
2015 –
confidential
info
rmation
. A
ll rights
reserv
ed.
Page 11June 16, 2016 |
• Address fraud in real time to reduce fraud window.
• Use signaling information to enrich analysis of activity to improve
detection
REAL TIME FRAUD MANAGEMENT SOLUTION BRINGING NEXT-GENERATION FRAUD DETECTION INTO YOUR BUSINESS
• RAID FMS existing data sources and rules extended with Evolved
Intelligence capability to interact with network in real time
• Faster, sharper and smarter fraud detection capabilities
• Extending CDR analysis to real time (eg: parallel calls, B-numbers, call
symmetry/volume etc) – eg: SIM box detection IRSF, IMEI stuffing
• Identifying signaling fraud (VoIP and SS7) – eg: spamming, CLI spoofing
Why
How
What
WeD
o T
echnolo
gie
s ©
2015 –
confidential
info
rmation
. A
ll rights
reserv
ed.
Page 12June 16, 2016 |
USE CASESFRAUD SCENARIOS
WeD
o T
echnolo
gie
s ©
2015 –
confidential
info
rmation
. A
ll rights
reserv
ed.
Page 13June 16, 2016 |
ROAMING FRAUD USE CASE
$$$$$
FM
S
HPLMN
VPLMN
REAL TIME CONTROL
FLEXIBLE RULES
CAP
EXISTING CAMEL
TRIGGERS (OR NEW)
IMMEDIATE ANALYSIS AND
ACTION:BLOCK CALLS
ASK USER
B NUMBERPARALLELFREQUENT(NOT JUST
CREDIT LIMIT)
SIMPLE TO IMPLEMENT
MINIMAL FRAUD
WINDOW
FASTER ACTION
FEWER FALSE POSITIVES
ALL ROAMERS
NEW SIMS
Real time monitoring and intervention on
roaming calls to reduce fraud window
WeD
o T
echnolo
gie
s ©
2015 –
confidential
info
rmation
. A
ll rights
reserv
ed.
Page 14June 16, 2016 |
SS7 FRAUD (SPAMMING, SPOOFING ...)USE CASE
HPLMN
SPAM
EVESDROP CALLS AND MESSAGES
MAP/CAP, Diameter etc
TRACK LOCATION
SPOOF USER AND SEND MESSAGES
BLOCK SERVICE
IDENTIFY DEVICE
HACK VOICEMAIL
DIVERT CALLS TO PREMIUM
MODIFY SERVICE FLAGS
(EG:PREPAY)
http://www.9jumpin.com.au/show/60minutes/stories/2015/august/phone-hacking/
http://www.cbsnews.com/videos/hacking-your-phone/
FM
S
WeD
o T
echnolo
gie
s ©
2015 –
confidential
info
rmation
. A
ll rights
reserv
ed.
Page 15June 16, 2016 |
HPLMN
VALIDATE ADDRESS
CHECK MESSAGE
MAP/CAP, Diameter etc
CHECK PLAUSIBILITY
CHECK FOR SPOOFING,
CONSISTANCY AND SOURCE
OK FROM THIS ADDRESS (VPLMN,
HPLMN, ROAM PARTNER)
PROTECT PRIVACY
REDUCE FRAUD
PREVENT SPAM AND DOS
VELOCITYTIMINGSTATE
SS7 FRAUD (SPAMMING, SPOOFING ...)USE CASE
Validate address, sender and purpose of
signalling messages to minimise signalling fraud
FM
S
WeD
o T
echnolo
gie
s ©
2015 –
confidential
info
rmation
. A
ll rights
reserv
ed.
Page 16June 16, 2016 |
IMEI STUFFINGUSE CASE
$$$$$
HPLMN
VPLMN
REAL TIME CONTROL
FLEXIBLE RULES
MONITOR ALL ROAMERS
IMMEDIATE ANALYSIS AND
ACTION :BLOCK CALLS
ASK USER
INTL B NUMBERNOT HOME/LOCAL
FREQUENTIMEI CHANGECREDIT LIMIT
SIMPLE TO IMPLEMENT
MINIMAL FRAUD
WINDOW
FASTER ACTION
FEWER FALSE POSITIVES
MONITOR INTL SIGNALING
CAMEL (GTPc)
Identify in real time unusual call pattern and
IMEI change to limit fraud loss from stolen SIMs
FM
S
WeD
o T
echnolo
gie
s ©
2015 –
confidential
info
rmation
. A
ll rights
reserv
ed.
Page 17June 16, 2016 |
SIM BOX AND BYPASSUSE CASE
HPLMN
REAL TIME CONTROL
FLEXIBLE RULES
TRIGGER ON FLEXIBLE SET
OF IMSI
IMMEDIATE ANALYSIS AND
ACTION :BLOCK CALLS
ASK USER
CALL & TXT VOLUME
MO/MT BALANCEFIXED LOCATION
IMEICLI
RISK TRADEOFF
REDUCED FRAUD
WINDOW
FEWER FALSE POSITIVES
NEW IMSIRISKY TARIFF
IMSI SCAN
Monitor calling behavour on target IMSI to identify
and block SIM box
FM
S
CAP
WeD
o T
echnolo
gie
s ©
2015 –
confidential
info
rmation
. A
ll rights
reserv
ed.
Page 18June 16, 2016 |
INTEGRATED FRAUD MGMT. SOLUTION
ARCHITECTURE
WeD
o T
echnolo
gie
s ©
2015 –
confidential
info
rmation
. A
ll rights
reserv
ed.
Page 19June 16, 2016 |
RAID + ENGINE: ARCHITECTUREIMPLEMENTATION OPTIONS
Rule
DefinitionFRAUD SERVICES
INTEGRATION
USERINTERFACES
Mediation Network
We
Do
RA
IDE
vo
lve
d I
nte
llig
ence
EN
GIN
E
Detection and Correlation
Alarm Scoring
Rule Execution Engine Analysis
Service / Rule execution
Message and dialogue handling
Signalling Stack and Network Interface
KPI and reporting
Signalling Logs
Alarms
High Availability
Case Mgmt., KPI and reporting KPI and reporting
Event Analysis
Signalling Logs
Event records
and Alarms
Provisioning
(Rules, IMSI etc)
Rules
CRM etc
• Rules run in FMS;
• Easy (EDR v CDR) integration;
• Post event Detection (minutes);
• Some limits on use cases;
• Defines the fraud rules;
• Loads event records into RAID
FMS;
• Correlates with other events;
• Executes rules to identify fraud;
• Portal for KPI, reporting and
analysis for both systems;
• Integrates into network;
• Manages interception of appropriate
message flows for relevant IMSI /
MSISDN;
• Traps and records events;
Post event - Near real time
WeD
o T
echnolo
gie
s ©
2015 –
confidential
info
rmation
. A
ll rights
reserv
ed.
Page 20June 16, 2016 |
RAID + ENGINE: ARCHITECTUREIMPLEMENTATION OPTIONS
Rule
DefinitionFRAUD SERVICES
INTEGRATION
USERINTERFACES
Mediation Network
We
Do
RA
IDE
vo
lve
d I
nte
llig
ence
EN
GIN
E
Detection and Correlation
Alarm Scoring
Rule Execution Engine Analysis
Service / Rule execution
Message and dialogue handling
Signalling Stack and Network Interface
KPI and reporting
Signalling Logs
Alarms
High Availability
Case Mgmt., KPI and reporting KPI and reporting
Event Analysis
Signalling Logs
Event records
and Alarms
Provisioning
(Rules, IMSI etc)
Rules
CRM etc• Rules devolved to ENGINE;
• Real time detection & interaction
• Real time action;
• Post event as required;
• Defines the fraud rules;
• Loads event records into RAID
FMS;
• Correlates with other events;
• Executes additional rules;
• Portal for KPI, reporting and
analysis for both systems;
• Integrates into network;
• Manages interception of appropriate
message flows for relevant IMSI /
MSISDN;
• Devolved rules to identify and act on
fraud in real time;
Signalling Rules
Rules
Real time
WeD
o T
echnolo
gie
s ©
2015 –
confidential
info
rmation
. A
ll rights
reserv
ed.
Page 21June 16, 2016 |
REAL TIME FRAUD MGMT. SOLUTION
BENEFITS
WeD
o T
echnolo
gie
s ©
2015 –
confidential
info
rmation
. A
ll rights
reserv
ed.
Page 22June 16, 2016 |
NEXT-GENERATION FRAUD MANAGEMENT SYSTEM GAINS FOR THE MOBILE NETWORK OPERATOR
• Early fraud detection
• Immediate action
• Fewer false positives
• Improved insight into fraud behavior
• Reduced fraud window. Reduced loss
• Improved customer satisfaction
• Improved reaction time to new threats=
WeD
o T
echnolo
gie
s ©
2015 –
confidential
info
rmation
. A
ll rights
reserv
ed.
Page 23June 16, 2016 |