7/15/2019 Real-Time Analysis and Prevention of Carrier Fraud - By Andraz Oblak - During iCompetences FRR2013
http://slidepdf.com/reader/full/real-time-analysis-and-prevention-of-carrier-fraud-by-andraz-oblak-during 1/32
Real-Time Analysis andPrevention of Carrier Fraud
7/15/2019 Real-Time Analysis and Prevention of Carrier Fraud - By Andraz Oblak - During iCompetences FRR2013
http://slidepdf.com/reader/full/real-time-analysis-and-prevention-of-carrier-fraud-by-andraz-oblak-during 2/32
Carrier Fraud Business Backgroud
Fraud if one of the key reasons for carrier revenue loss
Subex study for 2012 shows that over 6 billion USD or 3% of total business volumeis lost due to interconnect fraud
Carriers are noticing increase of interconnect fraud
Various fraud scenarios are often facilitated by complex environment Large number of interconnect carriers included in traffic transit
Difficulties in credit risk assesment
Evolution of new services and product offerings
Regulatory framework
Rate variations for same service on different level of interconnects
'XHWRPDUNHWFRPSHWLWLRQWKHOHYHORI³DFFHSWDEOHORVV´LVSUDFWLFDOO\QRQH[LVWLQJ
Carriers are focusing on quick detection and prevention of carrier fraud
7/15/2019 Real-Time Analysis and Prevention of Carrier Fraud - By Andraz Oblak - During iCompetences FRR2013
http://slidepdf.com/reader/full/real-time-analysis-and-prevention-of-carrier-fraud-by-andraz-oblak-during 3/32
Common Carrier Fraud Scenarios
Carrier own
networkSIM-box
Hacked PBX
Traffic generation
Re-filing
Tromboning
Boomeranging
False answer
Late releaseRoaming fraud
Premium callback
DoS attacks
Interconnect and roaming partner networks
7/15/2019 Real-Time Analysis and Prevention of Carrier Fraud - By Andraz Oblak - During iCompetences FRR2013
http://slidepdf.com/reader/full/real-time-analysis-and-prevention-of-carrier-fraud-by-andraz-oblak-during 4/32
Typical Fraud Management Process
Passive servicedata analytics
Active test callgeneration
Analyze
Casemanagement
Clarification
Conclusion
Evaluate Legal action Technical
blocking
Act
7/15/2019 Real-Time Analysis and Prevention of Carrier Fraud - By Andraz Oblak - During iCompetences FRR2013
http://slidepdf.com/reader/full/real-time-analysis-and-prevention-of-carrier-fraud-by-andraz-oblak-during 5/32
Delay
Actionscope
Passive servicedata analytics
Active test callgeneration
Analyze
Casemanagement
Clarification
Conclusion
Evaluate Legal action Technical
blocking
Act
Challenges in the Process
Delay
7/15/2019 Real-Time Analysis and Prevention of Carrier Fraud - By Andraz Oblak - During iCompetences FRR2013
http://slidepdf.com/reader/full/real-time-analysis-and-prevention-of-carrier-fraud-by-andraz-oblak-during 6/32
Process Challenges - Delay
Network elements often provide service usage data with delay
Time needed to collect data
Usually this data needs to move through some other processing stages (primarilymediation) before it is available for fraud analysis
Time required for fraud analysis
Delay until executing technical action
Time to resolve issue bilaterally with interconnected carrier
7/15/2019 Real-Time Analysis and Prevention of Carrier Fraud - By Andraz Oblak - During iCompetences FRR2013
http://slidepdf.com/reader/full/real-time-analysis-and-prevention-of-carrier-fraud-by-andraz-oblak-during 7/32
Process Challenges ± Scope of Action
Legal and regulatory limitations
Limitation of blacklisting on network elements
Carriers causing fraud are often not connected directly
7/15/2019 Real-Time Analysis and Prevention of Carrier Fraud - By Andraz Oblak - During iCompetences FRR2013
http://slidepdf.com/reader/full/real-time-analysis-and-prevention-of-carrier-fraud-by-andraz-oblak-during 8/32
Process Challenges ± Scope of Action
7/15/2019 Real-Time Analysis and Prevention of Carrier Fraud - By Andraz Oblak - During iCompetences FRR2013
http://slidepdf.com/reader/full/real-time-analysis-and-prevention-of-carrier-fraud-by-andraz-oblak-during 9/32
Heksagon Approach
Core Network
Real-time capabilities achieved
through call control interfaces to
core network
Advanced analytical system
evaluating traffic patterns, profile
deviations, analyzing test calls
and supporting case management
I n t e g
r a t e d a n a l y t i c a l a n d
r e a l - t i m e s o
l u t i o n
7/15/2019 Real-Time Analysis and Prevention of Carrier Fraud - By Andraz Oblak - During iCompetences FRR2013
http://slidepdf.com/reader/full/real-time-analysis-and-prevention-of-carrier-fraud-by-andraz-oblak-during 10/32
Main Features
Processing of real-time data stream from HexRT
Combination with offline data (network elements, mediation, roaming data, IT systems)
Constant analytical evaluation of all collected data for deviations from standard patterns,trends and long-term averages
Matching of collected data with out-of-the box and user defined scenarios
Detection of potential fraud violation cases
Case management workflow support
7/15/2019 Real-Time Analysis and Prevention of Carrier Fraud - By Andraz Oblak - During iCompetences FRR2013
http://slidepdf.com/reader/full/real-time-analysis-and-prevention-of-carrier-fraud-by-andraz-oblak-during 11/32
Graphical Fraud Scenario Designer
7/15/2019 Real-Time Analysis and Prevention of Carrier Fraud - By Andraz Oblak - During iCompetences FRR2013
http://slidepdf.com/reader/full/real-time-analysis-and-prevention-of-carrier-fraud-by-andraz-oblak-during 12/32
Processing Features
Combination of real-time and near-real-time service usage data
Real-time feed from HexRT (call-control and RADIUS/DIAMETER)
Raw CDR data from switches
xDR data from SMS-C and platforms
Signalling information from monitoring systems
Test call information
Multi stage data correlation
Stage 1: all events belonging to one session on one network elements
Stage 2: same session across all affected network elements (call path, etc.)
Stage 3: unrelated session but corresponding to a specific fraud scenario (e.g.
³ZDQJLUL´
Evaluation of events corresponding to all active fraud scenarios
7/15/2019 Real-Time Analysis and Prevention of Carrier Fraud - By Andraz Oblak - During iCompetences FRR2013
http://slidepdf.com/reader/full/real-time-analysis-and-prevention-of-carrier-fraud-by-andraz-oblak-during 13/32
Analytical Features
Ad-hoc analytics of events through OLAP reporting and dashboards
Evaluation of cases according to:
Fixed thresholds
Deviation from average values Variations from traffic profiles
Standard processed scenarios:
From service usage data: re-filing, SIM box detection, tromboning, hacked PBX,
WUDIILFJHQHUDWLRQSUHPLXPFDOOEDFN³ZDQJLUL´'R6DWWDFNVERRPHUDQJLQJ
roaming fraud Additionaly from test call data: false answer, late release
Custom defined scenarios
7/15/2019 Real-Time Analysis and Prevention of Carrier Fraud - By Andraz Oblak - During iCompetences FRR2013
http://slidepdf.com/reader/full/real-time-analysis-and-prevention-of-carrier-fraud-by-andraz-oblak-during 14/32
Fraud Analytics
7/15/2019 Real-Time Analysis and Prevention of Carrier Fraud - By Andraz Oblak - During iCompetences FRR2013
http://slidepdf.com/reader/full/real-time-analysis-and-prevention-of-carrier-fraud-by-andraz-oblak-during 15/32
Handling of Detected Cases
Notification and alerting in case of detected cases
Support of evaluation and decision workflow through case management
Manual application of updated rules to HexRT based on confirmed fraud cases fraud expert confirms action to apply parameters corresponding to detected case to
the real-time platform
Automatic application of additional rules to HexRT
for scenarios which require very fast reaction and for which detection process can
clearly identify fraud parameters (e.g. Wangiri, DoS attacks, hacked PBX)
7/15/2019 Real-Time Analysis and Prevention of Carrier Fraud - By Andraz Oblak - During iCompetences FRR2013
http://slidepdf.com/reader/full/real-time-analysis-and-prevention-of-carrier-fraud-by-andraz-oblak-during 16/32
Case Management
7/15/2019 Real-Time Analysis and Prevention of Carrier Fraud - By Andraz Oblak - During iCompetences FRR2013
http://slidepdf.com/reader/full/real-time-analysis-and-prevention-of-carrier-fraud-by-andraz-oblak-during 17/32
High Level Architecture
Call Control
Service
Quality
Measurement
Fraud
Screening
and Active
Testing
Dynamic
Routing
Management
INAP/CAMEL/SIP
DIAMETER RADIUS
7/15/2019 Real-Time Analysis and Prevention of Carrier Fraud - By Andraz Oblak - During iCompetences FRR2013
http://slidepdf.com/reader/full/real-time-analysis-and-prevention-of-carrier-fraud-by-andraz-oblak-during 18/32
Main Features
Module is connected to core network either using SS7 CAP/INAP or SIP protocol
Each call is forwarded to HexRT platform which provides information how to process on
switch
Evaluation of call parameters
Low level evaluation of number matching, nummeration check,
nature of address control, etc.
Complex rules defined by combination of low-level filters
Execution of action according to detected scenario No interference, Call release, Call re-route, etc.
7/15/2019 Real-Time Analysis and Prevention of Carrier Fraud - By Andraz Oblak - During iCompetences FRR2013
http://slidepdf.com/reader/full/real-time-analysis-and-prevention-of-carrier-fraud-by-andraz-oblak-during 19/32
Rule Definition
7/15/2019 Real-Time Analysis and Prevention of Carrier Fraud - By Andraz Oblak - During iCompetences FRR2013
http://slidepdf.com/reader/full/real-time-analysis-and-prevention-of-carrier-fraud-by-andraz-oblak-during 20/32
Management of HexRT Rules
Standard out-of-the-box scenarios corresponding to typical fraud types
Re-filing of international traffic
Dynamic scenarios automatically extended by detected cases in HexFraud system
Hacked PBX Traffic generation
3UHPLXPFDOOEDFN³ZDQJLUL´
DoS attack
Custom defined rules created through user interface
Exceptions to standard scenarios
7/15/2019 Real-Time Analysis and Prevention of Carrier Fraud - By Andraz Oblak - During iCompetences FRR2013
http://slidepdf.com/reader/full/real-time-analysis-and-prevention-of-carrier-fraud-by-andraz-oblak-during 21/32
Monitoring Console
7/15/2019 Real-Time Analysis and Prevention of Carrier Fraud - By Andraz Oblak - During iCompetences FRR2013
http://slidepdf.com/reader/full/real-time-analysis-and-prevention-of-carrier-fraud-by-andraz-oblak-during 22/32
Challenges of Described Approach
Corresponding call control interfaces required in core network
Increased complexity of call handling
5LVNRIGLVWXUELQJOLYHWUDIILFGXHWRLQFRUUHFWUXOHGHILQLWLRQ³FDWDVWURSKLF´UXOHVEORFNLQJsignificant portions of traffic are automatically deactivated by system, but rules that
disturb regular traffic in smaller scales are allowed)
7/15/2019 Real-Time Analysis and Prevention of Carrier Fraud - By Andraz Oblak - During iCompetences FRR2013
http://slidepdf.com/reader/full/real-time-analysis-and-prevention-of-carrier-fraud-by-andraz-oblak-during 23/32
Benefits of Described Approach
Effective combination of advanced analytical features with real-time detection and
prevention mechanism
All operational delays reduced to minimum allowing very fast reaction
Possibility to selectively block fraudulent traffic within wider interconnect traffic flow
Collateral benefits:
Better level of visibility and control of interconnect traffic
Improved level of understanding of routing in foreign networks
Detection of SIM boxes and gateways in foreign networks
7/15/2019 Real-Time Analysis and Prevention of Carrier Fraud - By Andraz Oblak - During iCompetences FRR2013
http://slidepdf.com/reader/full/real-time-analysis-and-prevention-of-carrier-fraud-by-andraz-oblak-during 24/32
Deployment Case
7/15/2019 Real-Time Analysis and Prevention of Carrier Fraud - By Andraz Oblak - During iCompetences FRR2013
http://slidepdf.com/reader/full/real-time-analysis-and-prevention-of-carrier-fraud-by-andraz-oblak-during 25/32
OJSC Megafon is one of the leading telecommunication operatators in Russian
Federation currently providing services to more than 64 million subscribers
System HexRT is deployed on international and long-distance mobile and fixed-line
network over 1 year ago
Integration to core network is achived using CAMEL and INAP protocols
Deployed system allows processing of more than 1000 call attempts per second
7/15/2019 Real-Time Analysis and Prevention of Carrier Fraud - By Andraz Oblak - During iCompetences FRR2013
http://slidepdf.com/reader/full/real-time-analysis-and-prevention-of-carrier-fraud-by-andraz-oblak-during 26/32
SSP
STPCarrier
INAP/CAMEL
Core network
Management
modulerules
provisioning within configuration MMLs
INAP/CAMEL
Carrier
Architecture
HexFraud,
HexLCR
HexRT
HexRT
7/15/2019 Real-Time Analysis and Prevention of Carrier Fraud - By Andraz Oblak - During iCompetences FRR2013
http://slidepdf.com/reader/full/real-time-analysis-and-prevention-of-carrier-fraud-by-andraz-oblak-during 27/32
Results
Analyzed scenarios:
Re-filing of international traffic
Invalid national traffic
Traffic generation to premium destinations
Call-EDFNVFKHPHV³ZDQJLUL´
SIM-box traffic termination
Boomeranging
Tromboning
From commercial standpoint complete investment in this project was fully returned within the first
year of operation
7/15/2019 Real-Time Analysis and Prevention of Carrier Fraud - By Andraz Oblak - During iCompetences FRR2013
http://slidepdf.com/reader/full/real-time-analysis-and-prevention-of-carrier-fraud-by-andraz-oblak-during 28/32
7/15/2019 Real-Time Analysis and Prevention of Carrier Fraud - By Andraz Oblak - During iCompetences FRR2013
http://slidepdf.com/reader/full/real-time-analysis-and-prevention-of-carrier-fraud-by-andraz-oblak-during 29/32
Backup slides:Company Introduction
7/15/2019 Real-Time Analysis and Prevention of Carrier Fraud - By Andraz Oblak - During iCompetences FRR2013
http://slidepdf.com/reader/full/real-time-analysis-and-prevention-of-carrier-fraud-by-andraz-oblak-during 30/32
Heksagon Group ± software development company with background in designing, building andimplementing telecommunication IT systems
Specialized in solutions for comprehensive fraud management, routing management and trafficanalysis for telecommunication operators
Headquarters in Cyprus
Main development site in Slovenia
Offices in Cyprus, Slovenia, Russia, Germany
and USA
Company Introduction
7/15/2019 Real-Time Analysis and Prevention of Carrier Fraud - By Andraz Oblak - During iCompetences FRR2013
http://slidepdf.com/reader/full/real-time-analysis-and-prevention-of-carrier-fraud-by-andraz-oblak-during 31/32
ɈȺɈɆɌɌ ± Russia
ɈȺɈMGTS ± Russia
OAO Megafon ± Russia
OAO MTS ± Russia
Callax group ± Germany Dialround ± USA
010012 GmbH ± Germany
CSC Telecom ± Estonia, Lithuania, Latvia
Selected Reference
7/15/2019 Real-Time Analysis and Prevention of Carrier Fraud - By Andraz Oblak - During iCompetences FRR2013
http://slidepdf.com/reader/full/real-time-analysis-and-prevention-of-carrier-fraud-by-andraz-oblak-during 32/32
Heksagon Products
HexLCROptimal Price and Routing
ManagementSystem
HexTrafficMediation and analytics of network traffic data
HexRTReal-time fraud control andprevention
HexFraudDetection and analysis of carrier fraud.