BRUTUS - A Hybrid Detection Tool.

P.Burge, J.Shawe-Taylor, Y.Moreau, H.Verrelst, C.Stoermann, P.Gosset.

Royal Holloway University of London, England

Katholieke Universiteit of Leuven

Siemens, Munich

Vodafone UK

(peteb,jst)@dcs.rhbnc.ac.uk

Abstract: ACTS project AC095, Advanced Security for Personal Communications Technologies (ASPeCT), is engaged in the advancement of security issues for the next generation of mobile communications, UMTS. One of the work packages within this project is developing fraud detection and management tools for the GSM network. Prototypes of three different fraud detection tools have been developed and demonstrated, using Rule-Based and Neural Network technologies.

Last year ASPeCT introduced new fraud detection concepts for the GSM network building on the experience gained from fraud scenarios encountered on the Vodafone TACS network. Based on these findings we proposed various Rule-Based and Neural Network architectures to implement these ideas as separate fraud detection tools. The goal was to develop techniques that would work under GSM and later migrate to UMTS.

This year we report back on the successes of the various methods and propose BRUTUS, a hybrid detection tool, built upon a generalisation of the existing fraud detection techniques. The new system migrates to other areas of electronic commerce and incorporates extra features for the purpose of business marketing and engineering. A common suite of experiments has been performed on the three systems using two sets of data. One dataset contained only fraudulent activity, transcribed into GSM Eurobill Toll Ticket format from TACS. The second contained the Toll Tickets of new subscribers from the GSM network. We varied parameters that could be tuned in each of the systems in order to determine the number of subscribers raising alarms. Curves were produced showing the trade-off between the percentage of correctly identified fraudsters versus the percentage of new subscribers raising alarms. This ratio is extremely important as even a small percentage of new subscribers amounts to a significant number of individuals.

BRUTUS utilises a management module, or Adaptive Critic, providing the user with a comprehensive analysis tool for pseudo real-time detection of behaviour changes. We provide details of the systems architecture of the individual components and the common framework within which they operate. Future direction for the project will be outlined with our current aims and suggestions for areas in which further work needs to be performed.

Introduction

In 1996 the ASPeCT project partners involved in project AC095-WP2.2/2.6, namely the Katholieke Universiteit of Leuven, Siemens Munich, Vodafone UK, Panafon GR and Royal Holloway University of London, introduced new fraud detection concepts[1] that have now been implemented in three working prototypes of fraud detection tools. Separate tests were performed on the three approaches adopted, to ensure each of the techniques, both neural network based and rule based, was capable of performing the task at hand. The demonstrations[2] produced positive results which the project is now able to advance, with new ideas, to develop a generalised detection tool with many new capabilities.

A common philosophy in mobile phone fraud detection is that when fraud occurs, there will nearly always be an observable change in the behaviour of the mobile phone. This fundamental principle not only applies to mobile phones but applies to network surveillance in general. Further applications might be intrusion detection of computer networks, fraud detection in future satellite communications, surveying the usage of TTPs for impostors, and perhaps of most interest from a revenue aspect, the monitoring of network usage for business, marketing and engineering purposes.

When considering the surveillance of mobile phone networks, a large detected change in the behaviour of a subscriber can be treated in two ways. On the one hand the subscriber's mobile phone might be the subject of a fraudulent attack or, possibly more likely, the subscriber's personal circumstances may have changed. In the latter case the subscriber becomes a target for what is known as ‘churn’, where a subscriber may move to another network operator providing services closer to his current needs and is often enticed with incentives. Clearly this would be undesirable for the network operator and early detection of signs of dissatisfaction would mean a customer rescue operation could be initiated.

Often one of the first indications that an engineering department receives that a cell site has failed is a terrestrial call from a dissatisfied subscriber obtaining no service. Current behaviour profiling strategies already make use of information relating to cell sites visited during calls. With minimal overhead, a real time detection system could profile the usage of individual cells, instantly relaying warnings if a cell became unserviceable.

In the following section we propose BRUTUS, a hybrid detection tool utilising both rule-based and neural network technologies that enable the profiling of both network subscribers and network traffic. This tool could have many applications such as fraud detection, business marketing and engineering within a variety of industries. BRUTUS will provide state-of-the-art surveillance techniques to aid security in electronic commerce and is the subject of a proposed extension to current fraud detection tools, outlined in section 3. In the last section we discuss the intermediate step towards our goal of developing BRUTUS. This is planned to take place in the remaining phase of ASPeCT.

The future of network surveillance.

In this section we describe what we believe is the state-of-the-art for a flexible network surveillance system as outlined in the introduction. We begin by proposing the systems architecture for BRUTUS and describe individual components in turn.

Initially raw data from the live network is pre-processed, discarding irrelevant components and retaining useful features encoded in a suitable format. Following this, if behavioural information concerning the network entity already exists in the profile database, it is retrieved ready to be updated.

The features of a behaviour profile will depend upon the nature of the application. The presiding technique however is to maintain histories of usage information, relating to the entity, over differing time periods. We refer to the short term past behaviour as the Current Behaviour Profile (CBP) and the long term past behaviour as the Behaviour Profile History (BPH). It is then the task of the detection engine to determine if a significant change in behaviour has occurred. This is known as performing a differential analysis. When the CBP exceeds predetermined thresholds for acceptable network usage over the lifetime of the CBP, alarms can also be raised. This is known as performing an absolute analysis.

In the case of detecting fraud on mobile telecommunications networks[3], behaviour profiles are built from Toll Tickets using features such as Call Start Time and Call Duration. B-numbers and the B-type of a call play an important role in locating the destination of a call. An example of when such features as these are useful is when a fraudster attacks a PABX system. The fraud indicators for this would be many short back-to-back calls to a single land line number, often out of business hours, when a fraudster is trying to guess the authentication code. Cracking the PABX enables the fraudster to dial on internationally or sell information on how to do so.
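The PABX indicators described above can be written as a rule over Toll Ticket features. The following is an added example, not code from the ASPeCT prototypes; the record layout, the thresholds, the business hours and the placeholder identifiers are all assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

def out_of_hours(t):
    """Weekend, or outside 08:00-18:00 (assumed business hours)."""
    return t.weekday() >= 5 or not 8 <= t.hour < 18

def pabx_alarms(tickets, max_dur_s=15, max_gap_s=30, min_run=5):
    """Return [(imsi, b_number, longest_run)] for runs of short, back-to-back,
    out-of-hours calls from one subscriber to one land line number."""
    by_pair = defaultdict(list)
    for t in tickets:
        if t["b_type"] == "landline":          # B-type restricts the rule to land lines
            by_pair[(t["imsi"], t["b_number"])].append(t)
    alarms = []
    for (imsi, b_number), calls in sorted(by_pair.items()):
        calls.sort(key=lambda c: c["start"])
        run = best = 0
        prev_end = None
        for c in calls:
            short = c["duration_s"] <= max_dur_s and out_of_hours(c["start"])
            back_to_back = (prev_end is not None and
                            (c["start"] - prev_end).total_seconds() <= max_gap_s)
            # A long or in-hours call breaks the run; a gap restarts it at 1.
            run = (run + 1 if back_to_back else 1) if short else 0
            best = max(best, run)
            prev_end = c["start"] + timedelta(seconds=c["duration_s"])
        if best >= min_run:
            alarms.append((imsi, b_number, best))
    return alarms

def ticket(imsi, start, duration_s, b_number, b_type):
    return {"imsi": imsi, "start": start, "duration_s": duration_s,
            "b_number": b_number, "b_type": b_type}

# Constructed Toll Tickets; identifiers are placeholders, not real numbers.
NIGHT = datetime(1997, 3, 4, 2, 0, 0)    # Tuesday 02:00
DAY = datetime(1997, 3, 4, 10, 0, 0)     # Tuesday 10:00
TICKETS = (
    [ticket("IMSI-A", NIGHT + timedelta(seconds=20 * i), 8, "LANDLINE-1", "landline")
     for i in range(8)] +
    [ticket("IMSI-B", DAY + timedelta(minutes=30 * i), 240, "LANDLINE-2", "landline")
     for i in range(3)] +
    [ticket("IMSI-B", NIGHT + timedelta(seconds=20 * i), 8, "MOBILE-1", "mobile")
     for i in range(8)]
)
```

On the constructed tickets only the night-time run from IMSI-A to LANDLINE-1 raises an alarm; the daytime land line calls and the short calls to a mobile number do not.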

From our first demonstrator we found that there were two profiling techniques that proved effective, each having its own strengths. The first was to reduce heuristic statistical features from the data, such as caller activity over a given duration, the total duration of calls over a period of time, the variance in call start time and so on. These features were developed with a priori knowledge of what fraud scenarios we would encounter on the network. The second profiling technique used an unsupervised neural network to develop prototypes of call records in order to build statistical behaviour profiles maintained as probability distributions[4]. The strength of this representation is in detecting new fraud scenarios, important for surveying new applications. Furthermore a B-number analysis would be performed to weight the destinations of international calls according to a list of hot destinations for fraudulent calls. Personal call destination profiles are produced by the B-number analysis recording the destinations that the subscriber calls on a regular basis. Clearly a total failure to call any of the regular numbers would enhance evidence that a fraud had occurred.

We mentioned in the introduction that changes in behaviour can also indicate changes in personal circumstance, such as moving to a new job. Under these circumstances we want to contact the subscriber in order to offer him a service that best suits his new situation. Failure to do this may result in the subscriber shopping around for a more suitable service from a competitor.

If we consider cell sites as the network entity to profile, we can easily build a CBP for each cell. If the system is operating in real time, BRUTUS will detect sudden drops in the activity of cells and be able to warn the appropriate bodies that there is a physical problem on the network. Currently this is done using probes on the network; however, only 10% of cells have active probes. There is also little interpretation of the data.

The detection components of BRUTUS were introduced and detailed in [2] as calculating distances between probability distributions, using supervised learning with multi-layer perceptrons and developing appropriate rules to analyse call record statistics. Under BRUTUS the various detection components will be able to feed information to each other, sharing profiling techniques and detection results. For example the supervised learning system will use the Hellinger distance between the elements of the CBP and BPH produced by the unsupervised neural network. The Rule based system may use the detection results of the other two components to add evidence to its analysis. The grand finale of the whole process is the forwarding of alert statuses from the merged detection components to an intelligent monitoring tool capable of combining the alerts and determining what action should be taken.
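The differential and absolute analyses, and the Hellinger distance between CBP and BPH, can be illustrated as follows. This is an added example, not the project's implementation: it assumes each call has already been assigned to a prototype, builds one CBP per day, and uses an exponentially decayed BPH; the thresholds, decay rate and sample calls are constructed.

```python
import math
from collections import Counter

def hellinger(p, q):
    """Hellinger distance between discrete distributions: 0 = identical, 1 = disjoint."""
    return math.sqrt(0.5 * sum((math.sqrt(a) - math.sqrt(b)) ** 2 for a, b in zip(p, q)))

def distribution(prototype_ids, n):
    """Relative frequency of each of the n call prototypes in one profile window."""
    counts = Counter(prototype_ids)
    return [counts[i] / len(prototype_ids) for i in range(n)]

def analyse(days, n, diff_threshold=0.5, abs_limit_s=7200, decay=0.1):
    """Return [(day, distance, alarms)] for one subscriber.

    days: per-day lists of (prototype_id, duration_s). The thresholds and the
    decay rate are assumed values, not figures from the paper.
    """
    bph, results = None, []
    for day, calls in enumerate(days):
        if not calls:
            continue
        cbp = distribution([p for p, _ in calls], n)    # short-term profile
        alarms, dist = [], 0.0
        # Absolute analysis: usage inside the CBP window against a fixed limit.
        if sum(d for _, d in calls) > abs_limit_s:
            alarms.append("absolute")
        if bph is None:
            bph = cbp                                    # first day seeds the history
        else:
            # Differential analysis: how far has recent behaviour moved from history?
            dist = hellinger(cbp, bph)
            if dist > diff_threshold:
                alarms.append("differential")
            else:                                        # only learn non-alarming days
                bph = [(1 - decay) * h + decay * c for h, c in zip(bph, cbp)]
        results.append((day, round(dist, 3), alarms))
    return results

# Constructed sample. Prototypes: 0 short local, 1 long local, 2 national, 3 international.
DAYS = [
    [(0, 60), (0, 90), (1, 600), (0, 45), (2, 120)],
    [(0, 30), (1, 500), (0, 80), (0, 70), (2, 200)],
    [(0, 60), (1, 400), (1, 300), (0, 50), (2, 100)],
    [(3, 1800), (3, 2400), (3, 2000), (3, 1500), (0, 60)],
]

if __name__ == "__main__":
    for row in analyse(DAYS, 4):
        print(row)
```

Day 2 shifts the mix of local calls without crossing the threshold, so it is folded into the BPH; day 3, dominated by long international calls, raises both alarms and is kept out of the history.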

There are a number of actions the monitoring tool could take. It could send email messages to the fraud team listing the identities of individuals whose suspicious behaviour needs investigating. The marketing department would be notified to contact individuals likely to be targets of ‘churn’ to promote the latest offers. The Engineering department would be informed of the locations of problem cells in the network that need fixing with great urgency. This is a significant problem that currently consumes considerable resources and could be simplified by a real time analysis of billing records.

Now that we have outlined the potential for the techniques we have been developing, we report on the results of the first demonstrator.

Results of the first demonstrator.

In [2] we present the results of our evaluation of the individual detection modules that would be merged and generalised to form BRUTUS. The experiments verified that each of the components was in itself capable of detecting frauds using datasets of Toll Tickets taken from the Vodafone network. The datasets were divided into two sets. The first contained the Toll Tickets of fraudsters converted from the TACS network into GSM Eurobill format. The second dataset was a two-month download of Toll Tickets relating to new subscribers to the GSM network.

With a priori knowledge of the data, both the rule based and supervised neural network systems produced the strongest results using heuristic statistical measures as their input. The unsupervised neural network was working with no prior knowledge of the fraud scenarios it would encounter and thus, as expected, produced slightly inferior results. The strength of unsupervised learning is in the development of profiles that maximise information entropy, given discretisation restrictions, in order to facilitate the detection of new fraud scenarios.

The figures below show the detection rates for the three fraud detection tools as receiver operating characteristic curves. These curves show the number of fraudsters that raised alarms versus the number of new subscribers raising alarms when various parameters of the tools were tuned.

Figure 2 - ROC curve for the supervised neural network FDT.

Figure 3 - ROC curve for the rule based fraud detection tool

Figure 4 - ROC curve for the unsupervised neural network fraud detection tool.

For the first demonstrator experiments, all three detection tools worked within a common framework. The task of the monitoring tool was to store the IMSIs of subscribers who raised alarms and to extract their Toll Tickets for the two days prior to the fraud occurring. Toll Tickets up to three days after the last alarm had been raised were also stored for the purposes of an audit trail.

The way forward.

In order to work towards our goal of the generalised detection tool (BRUTUS) we need to investigate an intermediate phase. We intend to develop this stage under the scope of ASPeCT. Figure 2 below shows its systems architecture.

The main enhancements are that the unsupervised neural network is now being used in conjunction with a B-number analysis to add features for the supervised neural network and rule based tools to work with. Information is passed on from one component of the system to the next by adding to the encoded Toll Ticket extra fields containing alarm levels, labelled with a tag for identification. It is then up to the next component in the chain as to how this information is used. Each component system still maintains its own database, an undesirable feature which will be removed in BRUTUS. The Monitoring tool will provide a simple summation mechanism in order to prioritise alarms for investigation. There is no scope in this intermediate step to consider profiling cell sites or performing market research. This would take place in the work extension.

References

[1] ACTS AC095, project ASPeCT, "Definition of Fraud Detection Concepts", 1996.

[2] ACTS AC095, project ASPeCT, "Fraud Management Tools: First Prototype", 1997.

[3] P.Burge, J.Shawe-Taylor, C.Cooke, Y.Moreau, B.Preneel, C.Stoermann, "Novel Techniques for Fraud Detection in Mobile Communications", Proceedings of ACTS Mobile Telecommunications Summit, Spain 1996.

[4] P.Burge, J.Shawe-Taylor, "Detecting Cellular Fraud Using Adaptive Prototypes", To appear in AAAI-97 Workshop on AI Approaches to Fraud Detection and Risk Management, RI-USA.