Alaris Anti Fraud System
Fraud threats to telecom carriers
Modern threats that telecom carriers face are not limited to one particular type. Depending on the type of voice business, the structure of traffic and the qualification of personnel, a telecom carrier may be affected by different types of fraud, and it is almost never possible to predict which of them will hit your company tomorrow.
This is why a comprehensive anti-fraud system (Fraud Management System) must be able to adapt to any new threat type that may potentially arise.
This implies that during the integration stage it is impossible to know which objects should be monitored for unwanted activity and what the patterns of such activity are.
Obviously, if we do not know what to monitor and what to look for, the Fraud Management System must monitor ALL objects on a carrier network and be able to automatically identify any fraud-related activity of those objects.
Fraud management with BIG DATA technologies
There are two important consequences from these two requirements that turn into serious challenges:
- FMS must be able to process the entire enormous amount of heterogeneous data that a telecom network generates.
- FMS might be based on highly efficient self-learning algorithms to detect fraud activity of a yet unknown nature.
The only possible way to accommodate the amount of data that needs to be handled is to take advantage of the BIG DATA approach to data processing.
“Big data is the term for a collection of data sets so large and complex that it becomes difficult to process using on-hand database management tools or traditional data processing applications. The challenges include capture, curation, storage, search, sharing, transfer, analysis, and visualization. The trend to larger data sets is due to the additional information derivable from analysis of a single large set of related data, as compared to separate smaller sets with the same total amount of data” Wikipedia ©
The second challenge is the know-how of each particular company that provides the FMS services.
Fraud management as a service
Our fraud management system is based on a service model, in which the client (a telecom carrier) streams the data to be analyzed to our cloud-based servers.
There is no need to deploy additional servers and no need to invest in costly licenses; the model implies just the «pay-as-you-go» type of investment.
When a carrier's internal policies do not allow sending data outside its domain, our solution can be installed inside the carrier network while keeping the «pay-as-you-go» model.
Upon customer request the solution may be installed inside the carrier intranet.
How it works
Each network node that can provide relevant data to the fraud management system is set to stream this data to our servers, either by means of OS native utilities (like rsyslog) or with the help of our agent installed on the monitored nodes. The data does not need to be transformed into any unified form; it can stay in its original raw format.
Our servers parse the data, index it, apply search algorithms to detect potential fraud and send notifications to the client personnel in case of fraud detection events.
The search algorithms consist of the following principal stages:
- identification of most common behavior templates (of an end-user, of a partner, of a destination of the calls, etc.)
- correction of the detected profiles by the end user
- detection of non-standard behavior of objects (or on the contrary – detection of the behavioral template of a fraud agent)
- alarming the client on the detected fraud events
One of the most important things to mention is that the search algorithm is able to combine events that, from a human point of view, are not linked to each other. For example, a user's self-registration date, location and credit card type can be linked with the call pattern generated by this user, with the type of equipment used to generate the calls, and with the time frame during which the calls are made.
SEARCH FORMULA SAMPLE
sourcetype=CDR* type=CLI | stats count AS Views, count(eval(action="purchase")) AS Purchases | eval percentage=round(100-(Purchases/Views*100)) | rename percentage AS "% Difference"
Such a semi-self-learning approach can be used to automatically detect new fraud events.
For situations when it is unknown what kind of fraud the network will face, the system works the opposite way: all existing traffic is categorized and structured. Any behavior that deviates from the known non-fraud patterns is marked as potentially fraudulent. The end user then decides whether a particular event is fraud or not. Based on that decision the system automatically creates a “fraud” template, and all new data is checked against this pattern as well.
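The loop described above (learn behavior templates, flag deviations, turn an analyst's verdict into a fraud template), as an added Python sketch that is not the vendor's code. The CDR fields, the z-score limit and the (prefix, 6-hour band) template shape are assumptions made for illustration, and the sample records are constructed.

```python
from collections import defaultdict
from statistics import mean, pstdev

# Constructed known-good CDRs: (account, destination prefix, hour of day, duration in s)
BASELINE = [
    ("acct1", "44", 10, 120), ("acct1", "44", 11, 90), ("acct1", "49", 14, 150),
    ("acct1", "44", 15, 110), ("acct2", "1", 9, 300), ("acct2", "1", 13, 280),
    ("acct2", "1", 16, 320), ("acct2", "44", 12, 290),
]

def build_profiles(cdrs):
    """Learn a behavior template per account from traffic accepted as normal."""
    grouped = defaultdict(list)
    for acct, prefix, hour, dur in cdrs:
        grouped[acct].append((prefix, hour, dur))
    profiles = {}
    for acct, calls in grouped.items():
        prefixes, hours, durs = zip(*calls)
        profiles[acct] = {"prefixes": set(prefixes), "hours": (min(hours), max(hours)),
                          "mean": mean(durs), "std": pstdev(durs) or 1.0}
    return profiles

def deviations(profile, cdr, z_limit=3.0):
    """List the ways one call departs from its account's template."""
    _, prefix, hour, dur = cdr
    found = []
    if prefix not in profile["prefixes"]:
        found.append("new_destination")
    if not profile["hours"][0] <= hour <= profile["hours"][1]:
        found.append("unusual_hour")
    if abs(dur - profile["mean"]) / profile["std"] > z_limit:
        found.append("unusual_duration")
    return found

def confirm_fraud(cdr, fraud_templates):
    """Analyst verdict on a flagged call becomes a (prefix, 6-hour band) template."""
    fraud_templates.add((cdr[1], cdr[2] // 6))

def check(cdr, profiles, fraud_templates):
    """Classify one call: confirmed fraud templates first, then baseline deviation."""
    acct, prefix, hour, _ = cdr
    if (prefix, hour // 6) in fraud_templates:
        return "fraud_template_match"
    profile = profiles.get(acct)
    if profile is None or deviations(profile, cdr):  # unknown accounts are not vouched for
        return "suspicious"
    return "normal"
```

Once one flagged call has been confirmed, a similar call from any account, including one with no learned profile, is reported as a template match instead of merely suspicious.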