A Model For Rule Based Fraud Detection in Telecommunication
ISSN: 2278-0181
Vol. 1 Issue 5, July - 2012
www.ijert.org 1
International Journal of Engineering Research & Technology (IJERT)
Our goal was to create a fraud management system that was powerful enough to handle the many different types of fraud that we encountered and flexible enough to potentially apply to things we had not seen yet. We next provide examples of some common varieties of fraud in the telecommunications world.

2.1. Subscription fraud.
Subscription fraud happens when someone signs up for service (e.g., a new phone, extra lines) with no intent to pay. In this case, all calls associated with the given fraudulent line are fraudulent but are consistent with the profile of the user.

2.2. Intrusion fraud.
This occurs when an existing, otherwise legitimate account, typically a business, is compromised in some way by an intruder, who subsequently makes or sells calls on this account. In contrast to subscription fraud, the legitimate calls may be interspersed with fraudulent calls, calling for an anomaly detection algorithm.

2.3. Fraud based on loopholes in technology.
Consider voice mail systems as an example. Voice mail can be configured in such a way that calls can be made out of the voice mail system (e.g., to return a call after listening to a message), as a convenience for the user. However, if inadequate passwords are used to secure the mailboxes, this creates a vulnerability.

2.4. Social engineering.
Instead of exploiting technological loopholes, social engineering exploits human interaction with the system. In this case the fraudster pretends to be someone he or she is not, such as the account holder, or a phone repair person, to access a customer’s account.

2.5. Fraud based on new technology.
Using new technology such as Voice over IP, fraudsters realized that they could purchase the service at a low price and then resell it illegally at a higher price to consumers who were unaware of the new service, unable to get it themselves, or technologically unsophisticated. Detecting this requires monitoring and correlating telephony usage, IP traffic and ordering systems.

2.6. Fraud based on new regulation.
In 1996, the FCC modified payphone compensation rules, requiring payphone operators to be compensated by the telecommunication providers. This spawned a new type of fraud—payphone owners or their associates placing spurious calls from payphones to toll-free numbers simply to bring in compensation income from the carriers.

2.7. Masquerading as another user.
Credit card numbers can be stolen by various means (e.g., “shoulder surfing”— looking over someone’s shoulder at a bank of payphones, say) and used to place calls masquerading as the cardholder.

3. Data mining for fraud detection
Call detail records are generated in real time and therefore will be available almost immediately for data mining. This can be contrasted with billing data, which is typically made available only once per month. Call detail records are not used directly for data mining, since the goal of data mining applications is to extract knowledge at the customer level, not at the level of individual phone calls. Thus, the call detail records associated with a customer must be summarized into a single record that describes the customer’s calling behaviour. The choice of summary variables is critical in order to obtain a useful description of the customer. Below is a list of features that one might use when generating a summary description of a customer based on the calls they originate and receive over some time period P:
1. Average call duration
2. Percentage of no-answer calls
3. Percentage of calls to/from a different area code
4. Percentage of weekday calls (Monday – Friday)
5. Percentage of daytime calls (9am – 5pm)
6. Average number of calls received per day
7. Average number of calls originated per day
8. Number of unique area codes called during P
These eight features can be used to build a customer profile. Such a profile has many potential applications.

4. Requirement of knowledge based expert system in telecom:
Issues to look at when designing our Fraud Management System are:
1. The collection and the format of the input data
2. The identification of fraud indicators
3. The fraud detection technique

4.1. The collection and the format of the input data
Collecting data for analysis is the first step in the fraud detection process. Typically, CDRs (call detail records), generated by network elements such as telephone switches for billing purposes, are the main source of input data for current Fraud Management Systems.

4.2. The identification of fraud indicators
Fraud indicators are details about the service usage that may indicate that fraud is being perpetrated. In traditional voice networks, the usual indicators of
fraud include long-duration calls, a large number of calls from the same account and calls to blacklisted numbers. These indicators are used to create fraud rules or signatures that are characteristic of a fraud type. Fraud rules need to be updated continuously as fraud types evolve. An alternative to defining fraud signatures is the creation of customer profiles. A customer profile defines the individual pattern of normal usage for a customer. By comparing the current usage to the stored profile, fraud can be detected without the need for specifying rules for specific fraud scenarios. Our suggestion is therefore to create a service profile that describes how the service is normally used by the average user. This service profile is also used to create service-specific fraud rules used to detect suspicious events. The profile will answer questions such as: how much is usually spent on this service, at what time and for how long is the service usually used? Answers to these questions enable the creation of groups of users for a specific service. For instance, it is possible to create different profiles for different times of the day or week (e.g. peak time, night, and week-end). The billing records are then sent to the relevant group profile based on the time of the service usage. The service profiles are stored in modules that can be added and removed from the Fraud Management System as needed.

4.3 The fraud detection technique
Various data analysis techniques are in use by Fraud Management Systems. The most recurrent techniques are threshold-based, rules-based and the use of neural networks. In threshold-based fraud analysis, details about the call (e.g. call duration) are compared to fixed criteria called triggers. If the value of the call detail exceeds that trigger, an alarm is generated. Threshold-based detection tools are simple and efficient but only work well for detecting the extremes of fraudulent events, as triggers are usually set to high values. In rules-based analysis, fraud patterns are defined as rules and call records are analysed against these rules to spot fraud. Call detail records include sufficient information to describe the important characteristics of each call. At a minimum, each call detail record will include the originating and terminating phone numbers, the date and time of.

5. Rule Based Fraud Detection:
Many commercial fraud analysis applications are based on rules. In a rule based fraud detection system, fraud patterns are defined as rules. Rules may consist of one or more conditions. When all conditions are met, an alert is raised. Three types of data may participate in rule conditions: call details, customer details and behaviour monitors. Behaviour monitors are summations of number, duration or rated value of calls over a certain time window (e.g., the daily number of calls to mobile phones at off-peak hours). Any population of calls can be monitored. For identifying superimposed fraud, “normalized” monitors can be used. These monitors denote the measured value in terms of standard deviations from the average value. A high value of such a monitor indicates an extreme increase in usage, and can be used to identify superimposed fraud.

In the fraud analysis context, the generated rules will be used as alarm-setters for suspected fraud. Therefore, we would like to generate rules that are appropriate for this task, rather than for standard machine learning tasks such as classification or scoring.

In rule-based fraud management systems, the alarms (or alerts) are usually not treated individually but rather combined at the customer level into “cases” of suspected fraud. Thus, K alerts generated for the same customer result in only one case being created, while K alerts generated for K different customers result in K different cases being created. If we just count the number of true alarms (i.e., alerts that are actually fraudulent) and false alarms, the two situations would be identical. Thus, it is generally true that accuracy should be computed at the customer (case) level - the “higher” of the two levels mentioned above. The success of a fraud rule is determined by how many really fraudulent cases were identified and how many cases were false alarms.

Examples of rules may be:
Credit-rating = C AND daily international calls duration > 2hrs => alert
Deposit = X AND normalized-daily-duration standard deviations > 4 => alert

The alerts are gathered into cases (a case for each account) together with account data and Call Detail Records. The cases are the starting point of the manual investigation process, where a human analyst determines for each case whether it is actually fraudulent or not. Within a rule based system the performance of each individual rule is secondary in importance. The main issue is, of course, the performance of the rule-set selected for use in the system. Our ultimate goal in the rule-discovery process should be to select a rule-set.
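
The monitors, rules and case handling described in this section can be made concrete with a short script. It is an added example, not code from the paper: it sums constructed call detail records into daily behaviour monitors, applies the two example rules, and compares the hit rate counted per alert with the hit rate counted per case. All field names, sample records, history values and analyst verdicts are assumptions.

```python
from collections import defaultdict
from statistics import mean, pstdev

# Constructed sample data; field names and values are assumptions of this example.
CUSTOMERS = {"A": {"credit_rating": "C", "deposit": "X"},
             "B": {"credit_rating": "A", "deposit": "X"},
             "C": {"credit_rating": "C", "deposit": "none"}}
# CDRs: (customer, day, international?, seconds). HISTORY: earlier daily totals (s).
CDRS = [("A", 8, True, 5400), ("A", 8, True, 3600), ("A", 8, False, 300),
        ("B", 8, False, 9000), ("C", 8, True, 1200)]
HISTORY = {"A": [500, 700, 500, 700], "B": [1000, 1200, 1000, 1200],
           "C": [1100, 1300, 1100, 1300]}
CONFIRMED_FRAUD = {"A"}  # analyst verdicts after investigation (constructed)

def daily_monitors(cdrs, day):
    """Behaviour monitors: per-customer duration sums over a one-day window."""
    monitors = defaultdict(lambda: {"intl_seconds": 0, "total_seconds": 0})
    for customer, cdr_day, international, seconds in cdrs:
        if cdr_day == day:
            monitors[customer]["total_seconds"] += seconds
            if international:
                monitors[customer]["intl_seconds"] += seconds
    return monitors

def normalized(value, history):
    """Normalized monitor: standard deviations above the customer's own average."""
    spread = pstdev(history)
    return 0.0 if spread == 0 else (value - mean(history)) / spread

# The page's two example rules; all conditions must hold to raise an alert.
RULES = {
    "intl_duration": lambda cust, mon, z: (cust["credit_rating"] == "C"
                                           and mon["intl_seconds"] > 2 * 3600),
    "usage_jump": lambda cust, mon, z: cust["deposit"] == "X" and z > 4,
}

def raise_alerts(cdrs, day):
    alerts = []
    for customer, mon in daily_monitors(cdrs, day).items():
        z = normalized(mon["total_seconds"], HISTORY[customer])
        alerts += [(customer, name) for name, rule in RULES.items()
                   if rule(CUSTOMERS[customer], mon, z)]
    return alerts

def build_cases(alerts):
    """Combine alerts into one case per customer."""
    cases = defaultdict(list)
    for customer, rule_name in alerts:
        cases[customer].append(rule_name)
    return dict(cases)

def hit_rate(customers, fraud=CONFIRMED_FRAUD):
    """Share of the listed alerts or cases that belong to confirmed fraud."""
    return sum(c in fraud for c in customers) / len(customers)

ALERTS = raise_alerts(CDRS, 8)
CASES = build_cases(ALERTS)
ALERT_LEVEL = hit_rate([c for c, _ in ALERTS])  # A's two alerts count twice
CASE_LEVEL = hit_rate(list(CASES))              # one unit per customer
```

With this data, customer A raises two alerts and customer B one, so the alert-level figure is 2/3 while the case-level figure is 1/2.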
5.1 Framework for Rule based model
We must first tackle the problem of “where the patterns live”. There are at least two separate levels of data, and sometimes more. One level is the customer data. Examples of such attributes are customer’s age, ethnicity and family status, price plan and telephone model. The second level is what we have termed “behaviour”-level data. This term refers to usage characteristics in a short time frame (typically a single day). Typical behaviour-level attributes are the number of international calls in a day and total duration of all calls in a day. They may also include “normalized” behaviour monitors detecting changes in behaviour relative to the history of usage by this particular customer. Our goal is to find patterns combining elements from both levels, giving rules such as the following: “People who have a particular price plan that makes international calls expensive and who display a sharp rise in international calls are likely the victims of customer longevity fraud”.

There are several possible approaches to constructing correct bi-level rules. One is based on standard rule-generation procedures completely in favour of simpler ad-hoc methods. For example, we could use a standard procedure to build rules on customer attributes only, using amount balances with one record per customer, and then run a separate second stage with one record per “behaviour sample” to add behaviour attributes to the rules. This naive approach is unlikely to give good results, as it would be limited in its ability to find “interactions” between customer-level and behaviour-level attributes (e.g., that customers in a certain area are likely to be fraudulent if they make many international calls). Another approach is to modify the existing algorithms to ensure that they count the records correctly, taking into account the issue of bi-level data. We have taken this approach, and have built a rule generator based on a modification of the C4.5 algorithm.

The relevant changes in the C4.5 algorithm are concentrated in three areas: the splitting criterion and stopping rule for tree construction, and the pruning significance tests. The splitting criterion is used to select the “best” greedy split in each stage during tree construction. It is based on calculating the “information content” of each of the suggested splits with regard to the class distribution and choosing the one with the highest content. The stopping rule dictates the size of groups we are willing to accept as “leaves” in the tree. The goal of using a stopping rule is to prevent the system from creating rules representing small samples with no statistical generalization ability. For both of these areas the key to working on bi-level data is that the “size of groups” concept has to be defined with respect to the level at which the attribute being split belongs. So, when splitting on a customer-level attribute, the number of customers of each class found in each “leaf” is counted. When splitting on a behaviour-level attribute we should count the number of instances of behaviour (i.e. the number of “records”) of each class in each “leaf”.

5.2 Categories of Subscribers
In order to generate a database of known fraudulent/legitimate cases, it was necessary to formalize the definition of subscribers’ categories. Consequently the following four categories of subscribers were defined:

Subscription fraudulent. Most of the users in this category do not pay their bills at all, but if they do, the debt/payment ratio is very high. The line is typically blocked due to suspicious behaviour in long distance calls within 6 months after the installation date.

Otherwise fraudulent. Subscribers for more than a year who present a sudden change in their calling behaviour, generating an abnormal rise in their newer billing accounts.

Insolvent. Subscribers with a total debt of less than 10 times their monthly payments, having two or more unpaid bills. This category includes new customers that have never paid their bills but whose monthly expenditures are similar to average residential lines.

Normal. Customers with their bills up to date or at most a single unpaid bill for less than 30 days after the due date.

First, 700 cases were drawn from the repository and classified manually into the four categories described above. The manual classification procedure was assisted by an expert with many years of experience in telecommunication fraud management. This was a time-consuming procedure since for each case, all the information available in the repository had to be examined on the computer screen.

The classification module was designed with a hierarchical tree structure, including three layers and five nodes, as shown in Fig. 1.

The first layer consists of the root node, which discriminates between fraudulent and normal subscribers, but assigns the
insolvent subscribers to either of the two groups.

The second layer has two nodes. Node N/I discriminates between normal and insolvent cases. Node F/I discriminates between fraudulent and insolvent cases.

The third layer has two nodes that discriminate among subscription fraudulent, otherwise fraudulent and insolvent cases. Node I/O distinguishes between insolvent and otherwise fraudulent. Node S/O discriminates between subscription fraudulent and otherwise fraudulent.

Fig. 1

The data set of 700 cases was used to select the variables of the classification module, as well as to design fuzzy rules to discriminate among the categories. As an example, for continuous variables, three Gaussian-like fuzzy membership functions were defined to measure low-risk (LR), medium-risk (MR) and high-risk (HR) of subscription fraud. A total of 54 fuzzy rules were defined for the classification module, using 17 variables. Here we present some examples. At the root node of the tree-classifier shown in Fig. 1, the first three rules generated were:

Rule 1: IF (customer longevity is LR) AND (elapsed time between installation and blocking data is LR) AND (debt/payment ratio is LR) AND (phone blocked flag is LR) AND (amount balance is LR) THEN (Output_RootNode is Node N/I).

Rule 2: IF (customer longevity is HR) AND (elapsed time between installation and blocking data is HR) AND (debt/payment ratio is HR) AND (phone blocked flag is HR) AND (amount balance is HR) THEN (Output_RootNode is Node F/I).

Rule 3: IF (amount balance is LR) AND (number of days with unpaid bills is LR) THEN (Output_RootNode is Node N/I).

The first three rules generated at the F (Fraudulent)/I (Insolvent) node were:

Rule 4: IF (maximum debt with carriers is HR) AND (elapsed time between installation and blocking data is HR) AND (debt/payment ratio is HR) AND (phone blocked flag is HR) AND (amount balance is HR) THEN (Output F/I Node is Node S/O).

Rule 5: IF (maximum debt with carriers is MR) AND (debt/payment ratio is MR) AND (amount balance is MR) THEN (Output F/I Node is Node I/O).

Rule 6: IF (call forwarding traffic is HR) THEN (Output F/I Node is Node S/O).

The proposed model contains a database server which collects bi-level data and a control unit to generate alarms for fraudulent cases.

Conclusion:
Most of today’s fraud detection tools are either rule-based or at least comprise a rule-based detection component. The proposed model allows detecting the definite frauds with a low rate of false alarms. Moreover, this rule-based model can easily provide reasons for an alarm being raised. The rule-based tool uses the profiling strategy described above and features similar to those of the supervised neural network. The rules for the triggering of an alarm are designed manually by an expert. In the case of rule discovery for fraud, we believe that understanding the unique features and identifying the points at which the standard tools were falling short were the key steps to suggesting a successful alternative approach.
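
The bi-level counting of Section 5.1, where the standard tools fall short, is sketched here as an added example; it is not the authors' modified C4.5. Information gain and the stopping rule are computed over customers for a customer-level attribute and over daily records for a behaviour-level attribute. The data, the attribute names and the minimum leaf size of 2 are constructed assumptions.

```python
from collections import Counter, defaultdict
from math import log2

# Constructed bi-level data: customer-level attributes plus one record per day.
# Names and values are assumptions; each daily record inherits the customer's class.
CUSTOMERS = [
    {"id": "u1", "plan": "P", "fraud": True,  "days": [20, 25, 30, 22, 28, 26]},
    {"id": "u2", "plan": "Q", "fraud": False, "days": [1, 0]},
    {"id": "u3", "plan": "Q", "fraud": False, "days": [2, 1]},
    {"id": "u4", "plan": "Q", "fraud": True,  "days": [18, 1]},
]  # "days" holds the number of international calls on each observed day

def units(customers, level):
    """Yield (attributes, class) once per customer or once per daily record."""
    for cust in customers:
        if level == "customer":
            yield cust, cust["fraud"]
        else:
            for intl_calls in cust["days"]:
                yield {**cust, "intl_calls": intl_calls}, cust["fraud"]

def leaves(customers, level, branch_of):
    """Class counts per leaf, counted at the level the split attribute lives on."""
    out = defaultdict(Counter)
    for attrs, label in units(customers, level):
        out[branch_of(attrs)][label] += 1
    return out

def entropy(counts):
    n = sum(counts.values())
    return -sum(k / n * log2(k / n) for k in counts.values())

def gain(customers, level, branch_of):
    """Information gain of a split (the splitting criterion)."""
    lv = leaves(customers, level, branch_of)
    parent = sum(lv.values(), Counter())
    n = sum(parent.values())
    weighted = sum(sum(c.values()) / n * entropy(c) for c in lv.values())
    return entropy(parent) - weighted

def accepted_leaves(customers, level, branch_of, min_size):
    """Stopping rule: keep only leaves holding at least min_size units."""
    lv = leaves(customers, level, branch_of)
    return sorted(b for b, c in lv.items() if sum(c.values()) >= min_size)

def by_plan(attrs):          # customer-level attribute
    return attrs["plan"]

def many_intl_calls(attrs):  # behaviour-level attribute
    return attrs["intl_calls"] > 10

if __name__ == "__main__":
    print("plan, customers counted:", round(gain(CUSTOMERS, "customer", by_plan), 3))
    print("plan, records counted  :", round(gain(CUSTOMERS, "behaviour", by_plan), 3))
    print("calls, records counted :", round(gain(CUSTOMERS, "behaviour", many_intl_calls), 3))
    print(accepted_leaves(CUSTOMERS, "customer", by_plan, 2),
          accepted_leaves(CUSTOMERS, "behaviour", by_plan, 2))
```

Counting records for the customer-level plan split raises the gain from 0.311 to 0.459 and lets the single-customer leaf P pass the stopping rule, which is the miscount that level-aware counting avoids.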
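
How Rules 1 to 6 could route a subscriber through the root and F/I nodes of the tree classifier, as an added example that is not the authors' classifier. Assumptions: variables scaled to 0..1, the membership centres and width, AND taken as the minimum, rules with the same output combined by the maximum, and the snake_case variable names.

```python
from math import exp

# Assumed membership shapes: every variable is scaled to 0..1 and the three
# Gaussian-like terms are centred at 0, 0.5 and 1 with one common width.
# The page gives no parameters, so these numbers are placeholders.
CENTRES = {"LR": 0.0, "MR": 0.5, "HR": 1.0}
WIDTH = 0.2

COMMON = ["install_to_block", "debt_payment_ratio", "phone_blocked", "amount_balance"]
# Rules 1-6 from the page as (node, risk term, variables, output); each rule
# tests a single term across its variables. Variable names are hypothetical.
RULES = [
    ("root", "LR", ["customer_longevity"] + COMMON, "N/I"),        # Rule 1
    ("root", "HR", ["customer_longevity"] + COMMON, "F/I"),        # Rule 2
    ("root", "LR", ["amount_balance", "days_unpaid"], "N/I"),      # Rule 3
    ("F/I", "HR", ["max_debt_carriers"] + COMMON, "S/O"),          # Rule 4
    ("F/I", "MR", ["max_debt_carriers", "debt_payment_ratio",
                   "amount_balance"], "I/O"),                      # Rule 5
    ("F/I", "HR", ["call_forwarding"], "S/O"),                     # Rule 6
]
VARIABLES = sorted({v for _, _, names, _ in RULES for v in names})

def membership(value, term):
    """Degree (0..1) to which a scaled value belongs to the LR, MR or HR term."""
    return exp(-((value - CENTRES[term]) ** 2) / (2 * WIDTH ** 2))

def strengths(node, subscriber):
    """Firing strength per output at one node (assumed: min for AND, max across rules)."""
    out = {}
    for rule_node, term, names, target in RULES:
        if rule_node == node:
            fired = min(membership(subscriber[v], term) for v in names)
            out[target] = max(out.get(target, 0.0), fired)
    return out

def classify(subscriber):
    """Walk down from the root, following the strongest output at each node."""
    path, node = [], "root"
    while True:
        out = strengths(node, subscriber)
        if not out:          # no rules on the page for this node: stop here
            return path
        node = max(out, key=out.get)
        path.append(node)

# Constructed subscribers (risk scores already scaled to 0..1).
LOW = dict.fromkeys(VARIABLES, 0.0)
HIGH = dict.fromkeys(VARIABLES, 1.0)
MIXED = {**HIGH, "install_to_block": 0.9, "debt_payment_ratio": 0.7,
         "amount_balance": 0.7, "days_unpaid": 0.8,
         "max_debt_carriers": 0.5, "call_forwarding": 0.1}

if __name__ == "__main__":
    for name, sub in [("LOW", LOW), ("HIGH", HIGH), ("MIXED", MIXED)]:
        print(name, classify(sub))
```

The walk stops at N/I, S/O or I/O because the page lists no rules for those nodes; the remaining rules of the 54 would continue the classification from there.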