About Fraud Detection Rules

The metrics described in this section are based on the fraud scenarios above. Multiple rules may be combined to detect a single fraud scenario. Throughout this section, the term subscriber refers to either a single IP address or a single phone number.

Traffic Profile

Once a few days of call data for a single subscriber is available, a graph can be generated with the time of day on the x-axis and the number of calls or call minutes on the y-axis. When a fraud attack happens, the shape of the graph changes.
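As an added illustration (not Fraud Monitor's own code), the following Python builds such a time-of-day profile for one subscriber from constructed call records, five ordinary working days followed by a sixth day with an overnight burst of long calls. It then checks the sixth day in both of the ways the rules below use: a static rule (an absolute minutes threshold per hour) and a dynamic rule (deviation from the mean and standard deviation of the same hour on the baseline days). The dates, call minutes, threshold of 60 minutes, and the k = 3 / 5-minute deviation parameters are all assumptions chosen for the example.

```python
"""Time-of-day traffic profile for one subscriber, built from constructed call records.
Added illustration; not Fraud Monitor's own code. All numbers are assumptions."""
from collections import defaultdict
from datetime import datetime, timedelta
from statistics import mean, pstdev


def hourly_profile(calls):
    """Sum call minutes per (date, hour of day). calls: iterable of (start datetime, minutes)."""
    profile = defaultdict(lambda: [0.0] * 24)
    for start, minutes in calls:
        profile[start.date()][start.hour] += minutes
    return profile


def static_spikes(profile, day, threshold_minutes):
    """Static rule: hours on `day` whose call minutes exceed an absolute threshold."""
    hours = profile.get(day, [0.0] * 24)
    return [(h, m) for h, m in enumerate(hours) if m > threshold_minutes]


def dynamic_spikes(profile, day, baseline_days, k=3.0, min_minutes=5.0):
    """Dynamic rule: hours on `day` that deviate from the subscriber's typical pattern.
    An hour is flagged when it exceeds mean + k * stdev of the same hour over the baseline
    days and the excess is at least min_minutes (so a near-zero baseline is not tripped
    by a single short call)."""
    baseline = [profile.get(d, [0.0] * 24) for d in baseline_days]
    observed = profile.get(day, [0.0] * 24)
    flagged = []
    for h in range(24):
        samples = [b[h] for b in baseline]
        mu, sigma = mean(samples), pstdev(samples)
        if observed[h] > mu + k * sigma and observed[h] - mu >= min_minutes:
            flagged.append((h, observed[h], mu))
    return flagged


def constructed_calls():
    """Constructed data: five working days of 09:00-16:00 calls, then a day with a 02:00 burst."""
    first = datetime(2024, 1, 8, 0, 0)  # constructed start date
    calls = []
    for d in range(5):
        for hour in range(9, 17):
            calls.append((first + timedelta(days=d, hours=hour, minutes=15), 10.0 + d % 3))
    attack_day = first + timedelta(days=5)
    for hour in range(9, 17):
        calls.append((attack_day + timedelta(hours=hour, minutes=15), 10.0))
    for n in range(3):  # three 40-minute calls starting shortly after 02:00
        calls.append((attack_day + timedelta(hours=2, minutes=5 * n), 40.0))
    return calls


def analyse():
    """Return (static rule hits, dynamic rule hits) for the last day of the constructed data."""
    profile = hourly_profile(constructed_calls())
    days = sorted(profile)
    baseline_days, day = days[:-1], days[-1]
    return static_spikes(profile, day, 60.0), dynamic_spikes(profile, day, baseline_days)


if __name__ == "__main__":
    static, dynamic = analyse()
    print("static rule hits (hour, minutes):", static)
    print("dynamic rule hits (hour, minutes, baseline mean):", dynamic)
```

Both rules flag only the 02:00 hour: the daytime hours on the sixth day sit within the baseline's spread and stay below the absolute threshold. The `min_minutes` guard in the dynamic rule matters in practice, because an hour the subscriber never uses has a standard deviation of zero and would otherwise be flagged by any single call.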

Blacklist and Whitelist Entries

A list of specifically allowed and disallowed phone numbers or phone number prefixes can be used to identify fraudulent calls. If company policy disallows international entries, an international entry may be an indicator of fraud. The customer may add individual entries to a customer-specific list of disallowed entries.

Depending on whether the system observed an exact entry hit or a prefix match, the assigned scores may differ. A prefix match on its own may not directly trigger a critical alarm, but when combined with other metrics (for example, the amount of traffic to the suspicious entry) it may generate a critical alarm.
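The scoring described above, as an added Python example rather than Fraud Monitor's own logic: called numbers are checked against a whitelist, an exact blacklist, blacklisted prefixes and an international-calls policy, and the resulting score is escalated by the minutes of traffic sent to the destination. The list entries, the score values, the 60-minute escalation threshold and the precedence order (whitelist, then exact, then prefix) are all assumptions for the example.

```python
"""Blacklist/whitelist scoring for called numbers over constructed call records.
Added illustration; lists, scores and thresholds are assumptions, not Fraud Monitor's."""
from collections import defaultdict

WHITELIST = {"+15550123"}           # explicitly allowed numbers (constructed)
BLACKLIST = {"+15550199"}           # explicitly disallowed numbers (constructed)
BLACKLIST_PREFIXES = ("+1900",)     # disallowed prefixes (constructed)
HOME_COUNTRY_PREFIX = "+1"          # assumption: the company's own country code
INTERNATIONAL_ALLOWED = False       # assumption: company policy disallows international calls

# Base score per kind of hit (assumed values); only an exact hit is critical on its own.
SCORE = {"whitelist": 0, "exact": 100, "prefix": 40, "international": 30, "none": 0}
TRAFFIC_ESCALATION_MINUTES = 60.0   # traffic volume that escalates a prefix/international hit
TRAFFIC_ESCALATION_POINTS = 60
CRITICAL = 100


def classify(number):
    """Return which list entry a called number hits; whitelist wins, then exact, then prefix."""
    if number in WHITELIST:
        return "whitelist"
    if number in BLACKLIST:
        return "exact"
    if number.startswith(BLACKLIST_PREFIXES):
        return "prefix"
    if not INTERNATIONAL_ALLOWED and not number.startswith(HOME_COUNTRY_PREFIX):
        return "international"
    return "none"


def score_destination(number, minutes):
    """Score one destination given the minutes of traffic sent to it.
    A prefix or international hit only becomes critical once combined with enough traffic."""
    kind = classify(number)
    score = SCORE[kind]
    if kind in ("prefix", "international") and minutes >= TRAFFIC_ESCALATION_MINUTES:
        score += TRAFFIC_ESCALATION_POINTS
    return kind, score, score >= CRITICAL


def score_calls(calls):
    """calls: iterable of (called number, minutes). Returns {number: (kind, score, critical)}."""
    minutes_by_dst = defaultdict(float)
    for dst, minutes in calls:
        minutes_by_dst[dst] += minutes
    return {dst: score_destination(dst, m) for dst, m in minutes_by_dst.items()}


# Constructed call records: (called number, call minutes)
CALLS = [
    ("+15550123", 500.0),                         # whitelisted, heavy traffic is fine
    ("+15550199", 1.0),                           # exact blacklist hit, critical at once
    ("+19005550001", 3.0),                        # prefix hit, little traffic
    ("+19005550002", 45.0), ("+19005550002", 75.0),  # prefix hit, 120 minutes in total
    ("+442079460000", 5.0),                       # international, disallowed by policy
    ("+15550777", 20.0),                          # no list hit
]

if __name__ == "__main__":
    for dst, (kind, score, critical) in score_calls(CALLS).items():
        print(f"{dst:16} {kind:13} score={score:3} {'CRITICAL' if critical else ''}")
```

The two `+1900` destinations show the point of the text: the same prefix match scores 40 with three minutes of traffic and reaches the critical level only once two hours of traffic have gone to the number.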

Rules in Fraud Monitor

Fraud Monitor uses rules to detect fraudulent calls. A rule uses multiple metrics and defines how values are attributed to each user. Fraud Monitor provides four rules:

Destination-based Traffic Spikes

This rule monitors traffic spikes based on absolute amounts (static rule) or deviations from the typical traffic pattern (dynamic rule).

The destination-based traffic spikes rule can be used to detect fraudulent calls based on traffic spikes. It is based on a threshold calculated from call duration (in minutes). If the parameters of the call match the parameters configured in the rule filter and the threshold is crossed, the destination user of that call accumulates points. Once the user's accumulated points cross the threshold, an incident is raised and an alert is sent to the user by email or SNMP.

In order to receive an email or SNMP notification, the email recipient or SNMP notification must be configured. For more information, see Setting Up Email Notifications.

Destination-based Call Volume

This rule monitors destination traffic spikes based on deviations of Calls per Second (CPS) and Maximum Active Calls (MAC) from a typical traffic pattern (static and dynamic rule).

For each call, Fraud Monitor monitors the Successful Calls Per Second that the destination user has received and compares it to the user's historical average (a call counts as successful when a 200 OK response to the INVITE is received).

Simultaneously, it also monitors the Active Calls for that user.

If a configurable threshold is exceeded for either Calls per Second or Max Active Calls, both the source and destination users accumulate points.

Once the user-accumulated points cross the threshold, an incident is raised, and an alert is sent to the user by email or SNMP. To receive an email or SNMP notification, the email recipient or SNMP notification must be configured. For more information, see Setting Up Email Notifications.

This rule can be used to identify possible candidates for blacklisting or redirecting destination numbers.

Source-based Traffic Spikes

This rule monitors traffic spikes based on absolute amounts (static rule) or deviations from the typical traffic pattern (dynamic rule). Fraud Monitor can raise an incident if a specific source user generates unusually high traffic measured by call duration. If a threshold is exceeded, both the source and destination users accumulate points. This rule can be used to identify possible candidates for blacklisting source numbers.

The source-based traffic spikes rule is based on a threshold calculated from call duration (in minutes). If the parameters of the incoming call match the parameters configured in the rule filter and the threshold is crossed, the source user of that call accumulates points. Once the user's accumulated points cross the notification threshold, an incident is raised and an alert is sent to the user by email or SNMP. To receive an email or SNMP notification, the email recipient or SNMP notification must be configured. For more information, see Setting Up Email Notifications. You can define metric rules using call duration to measure the traffic spike.

Source-based Call Volume

This rule monitors traffic spikes based on deviations of Calls per Second (CPS) and Maximum Active Calls (MAC) from the typical traffic pattern (static and dynamic rule).

Fraud Monitor can raise an incident if a specific source user generates an unusually high call volume. If a threshold is exceeded, both the source and destination users accumulate points. This rule can be used to identify possible candidates for blacklisting source numbers. The source-based call volume rule is based on thresholds calculated from the number of calls per second and the maximum number of active calls. If the parameters of an incoming call match the parameters configured in the rule filter and a configurable threshold is crossed, the source user of that call accumulates points. Once the user's accumulated points cross the notification threshold, an incident is raised and an alert is sent by email or SNMP. To receive an email or SNMP notification, the email recipient or SNMP notification must be configured. For more information, see Setting Up Email Notifications.
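The call volume rules (destination-based and source-based) share one mechanism: per call, compare Successful Calls Per Second and active calls for the destination against thresholds, give both the source and the destination user points on a hit, and raise an incident once a user's total reaches the notification threshold. The following Python is an added example of a static version of that mechanism over constructed call records; it is not Fraud Monitor's code, and the phone numbers, the CPS threshold of 3, the MAC threshold of 4, the 10 points per hit and the notification threshold of 40 are assumptions.

```python
"""Static call-volume rule (CPS and MAC thresholds with point accumulation) over constructed
call records. Added illustration; thresholds and point values are assumptions, not Fraud Monitor's."""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Call:
    src: str        # calling number
    dst: str        # called number
    start: int      # epoch seconds of the INVITE
    end: int        # epoch seconds when the call ended
    answered: bool  # True when a 200 OK to the INVITE was received


def successful_cps(calls, call):
    """Successful calls to call.dst that started in the same second as `call`."""
    return sum(1 for c in calls if c.answered and c.dst == call.dst and c.start == call.start)


def active_calls(calls, call):
    """Calls to call.dst in progress when `call` started, including `call` itself."""
    return sum(1 for c in calls if c.dst == call.dst and c.start <= call.start < c.end)


def evaluate_call_volume_rule(calls, cps_threshold, mac_threshold, points_per_hit,
                              notification_threshold):
    """Check every call against the CPS and MAC thresholds. On a hit both the source and the
    destination user accumulate points; an incident is raised the first time a user's total
    reaches the notification threshold. Returns ({user: points}, [(user, points), ...])."""
    points = defaultdict(int)
    incidents, alerted = [], set()
    for call in sorted(calls, key=lambda c: c.start):
        if (successful_cps(calls, call) > cps_threshold
                or active_calls(calls, call) > mac_threshold):
            for user in (call.src, call.dst):
                points[user] += points_per_hit
                if points[user] >= notification_threshold and user not in alerted:
                    alerted.add(user)
                    incidents.append((user, points[user]))
    return dict(points), incidents


def constructed_calls():
    """Constructed records: two ordinary calls, a five-calls-in-one-second burst to one
    destination, and six overlapping calls that stack up active calls on another."""
    calls = [Call("+15550301", "+15550901", 500, 800, True)]
    calls += [Call("+15550100", "+15550800", 1000, 1030, True) for _ in range(5)]
    calls += [Call("+15550200", "+15550850", 2000 + n, 2060 + n, True) for n in range(6)]
    calls.append(Call("+15550302", "+15550800", 3000, 3030, True))
    return calls


def run():
    return evaluate_call_volume_rule(constructed_calls(), cps_threshold=3, mac_threshold=4,
                                     points_per_hit=10, notification_threshold=40)


if __name__ == "__main__":
    points, incidents = run()
    print("points per user:", points)
    print("incidents raised:", incidents)
```

The one-second burst trips the CPS check on every call in it, so the source and the destination each collect 50 points and both cross the 40-point notification threshold; the stacking calls exceed the MAC threshold only on the fifth and sixth call, leaving those two users with 20 points and no incident. A dynamic variant would replace the fixed `cps_threshold` with a value derived from the destination's historical average, as the text describes, while keeping the same point accumulation.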