طراحی یک سیستم تخصصی برای تشخیص کلاهبرداری در شبکه های مخابراتی خصوصی
|کد مقاله||سال انتشار||مقاله انگلیسی||ترجمه فارسی||تعداد کلمات|
|17715||2009||11 صفحه PDF||سفارش دهید||محاسبه نشده|
Publisher : Elsevier - Science Direct (الزویر - ساینس دایرکت)
Journal : Expert Systems with Applications, Volume 36, Issue 9, November 2009, Pages 11559–11569
Telecommunications fraud not only burdens telecom provider’s accountings but burdens individual users as well. The latter are particularly affected in the case of superimposed fraud where the fraudster uses a legitimate user’s account in parallel with the user. These cases are usually identified after user complaints for excess billing. However, inside the network of a large firm or organization, superimposed fraud may go undetected for some time. The present paper deals with the detection of fraudulent telecom activity inside large organizations’ premises. Focus is given on superimposed fraud detection. The problem is attacked via the construction of an expert system which incorporates both the network administrator’s expert knowledge and knowledge derived from the application of data mining techniques on real world data.
Telecommunications fraud can be simply described as any activity by which telecommunications service is obtained without intention of paying (Gosset & Hyland, 1999). This kind of fraud has certain characteristics that make it particularly attractive to fraudsters. The main one is that the danger of localization is small. This is because all actions are performed from a distance, which in conjunction with the mess topology and the size of networks makes the process of localization time-consuming and expensive. Additionally, no particularly sophisticated equipment is needed, if one is needed at all. The simple knowledge of an access code, which can be acquired even with methods of social engineering, makes the implementation of fraud feasible. Finally, the product of telecommunications fraud, a phone call, is directly convertible to money (Hoath, 1998). Several categories of telecommunications fraud have been reported. The main are the technical fraud, the contractual fraud, the hacking fraud, and the procedural fraud (Gosset & Hyland, 1999). Technical, contractual and procedural fraud usually burdens the telecom service provider, while hacking fraud also harms the subscriber. The latter may happen in the form of the superimposed fraud where the fraudster (hacker) uses the service in parallel with the subscriber and burdens his account. All fraud cases can actually be viewed as fraud scenarios, which are related to the way the access to the network was acquired. Detection techniques tailored to one case may fail to detect other types of fraud. For example, velocity traps, which can identify the use of a cloned cell phone, will fail to detect a case of contractual fraud. So, fraud detection focuses on the analysis of users’ activity. The related approaches are divided into two main subcategories, the absolute analysis and the differential one. The first searches for limits between legal and fraudulent behavior, while the second tries to detect extreme changes in the user’s behavior. In both cases, analysis is achieved by means of statistical and probabilistic methods, neural networks and rule-based systems. In Moreau and Vandewalle (1997) the use of indicators of excessive usage is being criticized as they may not only imply fraud but they may also point to the best customers. A comparison of probabilistic methods with those that use rules is given in Taniguchi, Haft, Hollmen, and Tresp (1998). In 1999, Fawcett and Provost (1997), proposed a combination of rules and profile extraction, in order to detect fraud. The outputs of their system are combined via a trained linear model in order to produce alarms. Rosset et al. report encouraging results from the use of rules that are exported with a variant of the C4.5 algorithm (Rosset, Murad, Neumann, Idan, & Pinkas, 1999). Alves et al. propose two anomaly detection methods based on the concept of signatures for the detection of superimposed fraud (Alves et al., 2006). The appropriate feature extraction procedure is dealed with in Dong et al. (2004). In a previous work (Hilas & Sahalos, 2006), the author of the present paper concluded to a user behavior characterization model that gives good results towards superimposed fraud detection. The use of expert systems towards fraud detection has either not been published or is referred to under different names (Liao, 2005) with the most common one being “data mining”. There is however a limited bibliography in relative subjects such as intrusion detection in computer systems (Jackson et al., 1991 and Sebring et al., 1988), user profiling for credit card fraud detection (Kokinnaki, 1997), auto insurance fraud (Belhadji & Dionne, 1997), or consumer behavior analysis (Adomavicius & Tuzhilin, 1999). Some recent publications combine data mining or expert systems approaches towards telecom churn prediction (Wei and Chiu, 2002 and Shin-Yuan Hung and Yen, 2006) and subscription fraud detection (Estevez, Held, & Perez, 2006). In the present paper a rule-based expert system is presented which aims to the detection of superimposed fraud cases in the telecommunications network of a large organization. Rules are induced by both using the network administrator’s expert knowledge and by applying data mining methods on real world data. The paper proceeds as follows. In the next chapter the telecommunications environment in which the expert system will operate is presented. In the third chapter the expert system’s operating characteristics and specifications are outlined. In Chapter 4 a brief analysis of prior data mining analysis of the data in hand is given, while the structure of the expert system is presented with the use of flow charts in Chapter 5. Experimental results are given in Chapter 6. In the last chapter conclusions are drawn.
نتیجه گیری انگلیسی
In the present paper an expert system is presented which was build in order to detect fraudulent activity in the telecommunications network of a large organization. Prior to the expert system’s integration with the organization’s CDR databases, calls were examined manually and only after a user’s request. User’s requests usually followed excess billing. The expert system incorporates the network administrator’s knowledge along with common sense observations and knowledge derived from the application of data mining techniques on historic call data. The knowledge is expressed in the form of rules that are described in the paper. When this work was initiated there were already many historical data that had never been examined thoroughly. Several user accounts were selected for examination. Some of them were known defrauded accounts; others were known normal use examples while some of them were selected randomly. The analysis of these user accounts gave interesting clues on how telecommunications fraud is perpetrated within the organization’s network. The expert system was designed to adapt to new data and is programmed to incorporate new rules. When a new fraud case is detected or reported, all the data related to it are analyzed and the outcome is expressed in the form of new rules that are fed back to the system. Appropriate adjustment of existing rules may also be performed. Due to the organization’s profile (a university) there used to be a liberal approach on how telecom services were allowed to the personnel. After the analysis of the problem the first measure against fraud was the adoption of a more strict policy. Now, an employee is given a PAC only if he applies for one. The PAC has limited capabilities, e.g. it can call international destinations only after the explicit request of its owner. Premium rate destinations cannot be reached from the organization’s intranet, especially destinations related to auctions, party lines, erotic lines, etc. There are cases where one must have access to private data in order to analyze a user’s detailed account thoroughly. An appropriate example is the case of a professor who gives his PAC to a graduate student in order to help him with the administrative tasks of a forthcoming conference. The terminal from which the calls originate will probably be in the professor’s laboratory and in this sense it is correlated with him. Even in the extreme case where the student takes advantage of his professor’s trust it is difficult to diagnose a fraud. A more thorough analysis would need details about the called numbers (e.g. called party relation with the PAC’s owner), which is a direct violation of personal privacy. Under these circumstances only the PAC’s owner may authorize the analysis and it is desirable that he can assist throughout the data analysis process. Human factor is often reported as the weak link in many security installations. The telecommunications network of the organization under study is not an exception. The main reason that fraud can be perpetrated in the closed environment of the organization is the end user’s inattention. Users tend to write their personal authorization codes (PAC) in notes that they place in places where they can be freely accessed. Common were the cases of notes sticked under the telephone set. Others reveal their PAC to colleagues, students or friends in order to help them carry out a job. Hence, besides the fraud detection techniques and the strict network policy it is of great importance to educate users on security issues. This will at least protect them against carelessness and a fraudster’s social engineering approach. Efficient detection and limitation of fraud need a centralized fraud management system. The system should administer the maintenance and integrity of all security infrastructures and should be equipped with the ability to act not only against fraudulent actions but against fraudsters as well. There is also need for a sophisticated data collection system whose maintenance and configuration should be easy to implement. The easy and economical integration of new technologies and products is of main concern, while the ability to interchange extracted knowledge with similar systems is a desirable feature. Finally, all incidents should be examined and presented to the system’s administrator in near real-time in order to activate counter-measures and limit the effect of fraud. Future research will focus on the examination of user mobility profiles by means of machine learning techniques. This analysis can be easily extended to study how different login locations may imply fraud in any information system. It is also interesting to study the correlation of user mobility and location with fraud in cellular systems. Social network analysis may also be an interesting approach to fraud detection problems as long as the user privacy issue is solved.