Title of Invention	A SYSTEM AND A METHOD FOR IMPROVING FRAUD DETECTION WITHIN A TELECOMMUNICATIONS NETWORK
Abstract	A method and system for detecting fraud in a telecommunications network matches information on individual calls to a series of rules (18). For each rule r, a threshold T r is defined, and if the fit of an individual call to that rule is better than T r' an alarm is generated. All call records resulting in alarms are stored within a positive matching file. Likewise, calls which just fail to meet the criteria, within a given tolerance level 8, are stored in a separate negative matching file. The entries in the positive and negative matching files are then checked by skilled operators to determine which in fact represent true fraud. On the basis of those validations, a decision module within the system automatically calculates and implements the necessary changes to the thresholds Tr by means of a feedback

Title of Invention

A SYSTEM AND A METHOD FOR IMPROVING FRAUD DETECTION WITHIN A TELECOMMUNICATIONS NETWORK

Abstract

A method and system for detecting fraud in a telecommunications network matches information on individual calls to a series of rules (18). For each rule r, a threshold T r is defined, and if the fit of an individual call to that rule is better than T r' an alarm is generated. All call records resulting in alarms are stored within a positive matching file. Likewise, calls which just fail to meet the criteria, within a given tolerance level 8, are stored in a separate negative matching file. The entries in the positive and negative matching files are then checked by skilled operators to determine which in fact represent true fraud. On the basis of those validations, a decision module within the system automatically calculates and implements the necessary changes to the thresholds Tr by means of a feedback

Full Text	A TELECOMMUNICATIONS NETWORK The present invention relates to a telecommunications network and more particularly to a method of, and a system for, improving fraud detection within a telecommunications network. Rule-based fraud detection systems attempt to detect fraudulent usage by comparing details of individual calls over the telecommunications network with a series of one or more predefined rules. If a particular usage of the network (to be referred to throughout this specification as a "call record") triggers one or more of the predefined rules, an alarm is generated, enabling a human operator to take the necessary action. While such systems have had some success in combating fraud, they tend to be labour intensive since the rules tend to be specific to one particular area, and need to be set up and continually maintained by skilled personnel. One set of rules, for example, needs to be set up and maintained to deal with potential mobile 'phone fraud, another set for catling card and credit card fraud, another set for PSTN fraud, and so on. A further serious drawback is that in time fraudsters get to know (deduce) the rules and/or thresholds that are being applied, and can modify their behaviour accordingly (eg "surfing under the thresholds"). For example, if a fraudster knows that he will be detected if he makes a fraudulent international telephone call to a particular number lasting more than thirty minutes, he is likely to start ensuring that all of his calls last for less than that. Conventional systems have difficulty in coping with this, since the rules need to be changed by experienced personnel who are frequently in possession of insufficient information to determine what the effect on the system would be if they were for example to set a reduced time limit of say twenty minutes. It is an object of the present invention at least to alleviate these problems of the prior art. It is a further object to provide a method and system for improving fraud detection within a telecommunications network which can be applied to a variety of specific areas, and which requires less use of skilled personnel to keep the rules up to date. According to a first aspect of the invention there is provided a system for mproving fraud detection within a telecommunications network, the system comprising: (a) means for receiving call records representative of calls on the network; (b) rule-matching means arranged to compare each call record against an alarm-rule and (i) to determine a match if the alarm-rule matches the call record; (ii) to determine a near-match if the alarm-rule just fails to match the call record; (c) validation means for validating the individual matched records and the near-matched records with an indication of expected fraud; and (d) rule-update means arranged to alter the said alarm rule in dependence upon the validated matched and validated near-matched records. The system preferably attempts to detect fraudulent usage by measuring and comparing the parameters values of individual calls, over the telecommunications network, against pre-set thresholds within defined detection rules- Preferably, the rule matching means is arranged to calculate a rule-matching value dependent upon the closeness of match of the call record parameters to the alarm rule, the rule matching means determining a match if the rule matching value exceeds a first threshold parameter of the alarm rule. It will be understood of course that the first threshold parameter merely acts as a limit value, which will be exceeded in the upward-going direction if the rule-matching value increases with the accuracy of the match, and will be exceeded in the downwardly-going direction in the opposite but mathematically equivalent alternative in which the rule-matching value decreases with the accuracy of the match. Typically, the matched records will be Stored in a positive matching file, and the near-matched records in a negative matching file. Entries are stored within the positive matching file if the first threshold parameter is exceeded, by a parameter of the call record and in the negative matching file if a second threshold parameter is exceeded, but the first is not. The second threshold parameter may be defined by the first threshold parameter adjusted by a tolerance value, for example 10%. In this way, the records stored within the negative matching the are representative of calls which almost, but not quite, resulted in an alarm. In a practical arrangement, the system may include a plurality of different rules, each having its own first threshold and tolerance value, The rules may be updated individually, each individual rule being updated in dependence upon the validated matched and validated near-matched records which correspond with that rule. According to a second aspect of the invention there is provided a method of improving fraud detection within a telecommunications network, the method comprising: (a) receiving call records representative of calls on the network; (b) comparing each call record against an alarm rule and (i) determining a match if the alarm rule matches the call record; (ii) determining a near-match if the alarm-rule just fails to match the call record; (c) validating the individual nnatched records and the near-matched records with an indication of expected fraud; and (d) altering the said alarm rule tn dependence upon the validated matched and validated near matched records. The invention may be carried into practice in a number of ways and one specific method and system will now be described, by way of example, with reference to Figure 1 which is a block diagram illustrating the preferred embodiment. The fraud detection system shown may typically be embodied in a computer program running on a dedicated server which is attached to the telecommunications network to be monitored. Depending on the size of the network, there may be a single server, or the system may be duplicated on several servers, spaced apart across the network. All or part of the system could alternatively be hard-coded rather than being embodied by way of a computer program; preferably, the hard-coded modules will be those that need not be updated in use. The system receives information from external sources S1,S2, across the network. In the Figure, the external sources are referenced by the numeral 10, with the broken line 12 indicating that these sources supply Information from outside the server on which the system is operating. The external sources 10 provide information on calls that are being made on the telecommunications network by way of an individual call record for each call. Each call record has a number of key fields, for example (among others} the called number, the calling number, the call length, and the callmg card or credit card number. Depending upon the parameters to be monitored, other key fields may be provided as necessary. The call records are supplied to a data management module 14 which normalises the incoming information and supplies the resultant normalised call records C1 (i being an index identifying the individual calls) to a detection and alarm matching module 16. In the detection and alarm matching module 16 each of the call records C1 is compared against a series of predefined rules within a rule set 18. The individual rules within the rule set are chosen in such a way that the matching of a rule by the call record C1 provides an indication (although not an absolute proof) that fraud may be taking place. For example, one rule might state that fraud is a possibility if the call is an international call being made from a public call box to a country known to be a supplier of illegal drugs. Fraud might also be suspected if the call has been paid for by a charge card and does not fit the call history on that account; a rule might suggest that fraud is taking place, for instance, if a low-usage charge card customer suddenly starts making a long series of international telephone calls to different countries from a public 'phone box. Additional information from an external or internal database 20 may be accessed in order to obtain the necessary information to apply the rules for example, the billing history of the customer, the customer's charge card credit limit (which may vary on a day by day or even on an hourly basis), and so on. Each rule r within the rule-set has associated with it a corresponding threshold value 7,, and the call record C; is tested against the rule in such a way as to provide an indication of the "degree of match" V]. If the rule closely matches the call record, the value of V. will be high, and if the match is poor the value of V, will be low. The value V1 is then tested against the rules threshold Tr, and an alarm is generated if V1 is greater than I,. In the prior art systems, the value of T, would correspond to that threshold level above which the alarms are presented to a human operator for further checking. It will be appreciated that there are numerous way in which the "degree of matching", otherwise indicated by V1 may be determined. One simplistic approach would be to set V1 to 1 if one of the parameters in the rule being tested is satisfied, to 2 if two of the parameters are satisfied and so on, In such a system, the parameters might consist of various "true or false" statements, within the rule, for example that the call is an international call, that it has lasted longer than a certain period, that it has exceeded a certain cost, or that it relates to a particular calling or called address. Since some of the parameters will be more indicative of frauds than others, a more sophisticated approach might be to apply appropriate weightings to each of the- parameters, and to calculate V1 on that basis. Other more complex arrangements could of course be envisaged, subject only to the module 16 producing as an output a value V\| which gives some indication of the likelihood of the current call being fraudulent, based upon the particular rule being tested. threshold has just been missed). These may be called the "near-matched records". Both the positive matching file 22 and the negative matching file 24 are ordered according to their respective ratios Q1+ Q1. Accordingly, the positive matching file 22 may be thought of as a series of records giving rise to fraud alarms, whereas the negative matching tile represents those records which have almost but not quite triggered alarms. In each case, the files are ordered so that The most likely fraudulent cases are at the start. While the entire positive matching file is preferably presented, to allow for the analysis of alarms, not all of the negative matching file need be presented, For example, presenting only those records which are grouped around the mean value of Q1 will improve efficiency, Alternatively, only the call records carrying significant cost values can be presented. Both the negative and the positive matching files are passed (as indicated by the circled numeral 1) to a fraud operator support module 30, allowing the files to be viewed and analysed by human operators 32. The operators 32 use their experience of fraud detection to validate the entries in the positive and negative matching files 22,24, each entry being given a code according to whether it is considered by the operator to represent true fraud or not. Ideally, alt of the entries in the positive matching tile 22 should represent fraudulent calls, and all the entries in the negative matching file should represent non-fraudulent calls, but in practice there will be both fraudulent and non-fraudulent entries within both of the files because of inaccuracies in the rule set 18. In order to assist their analysis of what is and what is not fraud, the operators 32 may call on additional information provided from internal or external sources 34. This may include, for example, the name and address of the customer, the billing history, the account history, the pattern of frauds which has been seen in the past, and so on, The fraud operator support 30 may include a series of graphical analysis tools enabling the operators to view the alarms and the files 22,24 in a variety of useful ways. It may also include an expert system and/or neural nets to assist the operators in making their analysis; the fraud operator support may even operate without user intervention simply being programmed to validate the records for example on the basis of a neural net analysis. The annotations/validations of the files 22,24 are passed bacK to the alarm analysis module 28 the primary purpose of which is to provide automatic feedback for adjusting the rule set 18. The alarm analysis module computes two ratios X,,Y, for ench rule r, where: Xr = the ratio of the number of validated frauds in the positive matching file to the total number of alarms generated by rule r in the positive matching file, and Yr - The ratio of the number of validated frauds in the negative matching file to the total number of alarms generated by rule r in the positive matching file. Tho value of Xr represents one measure of the performance of rule r, in that the higher Xr is the better, The value of Yr is another measure of the performance of rule r, but here the lower the value of Yr the better. It will be understood that in order to improve (Increase) the value of X1, the value of T. needs to be increased: to improve (decrease) the value of Y1 the threshold Tt needs to be decreased. The values x1, Y1 are then applied to a decision module 35 which uses the values within a function f which will automatically increase or decrease the threshold T, for the rule r, as follows: δTr - f(X„ Y,, cost) where "cost" represents the cost of the fraud going undetected. The appropriate change to Tr is made by a rule adjust module 36, which alters the rule set 18, thereby further improving the detection and alarm matching within the module 16, It will be understood by the skilled man that it is not essential to the operation of this invention in its broadest form for the function f to be exactly as described. Other parameters could be extracted from the files 22,24 and the validated records within them, other than the values Xr and Yr previously described. In one alternative, Xr could represent the ratio of the number of validated alarms to the number of false positives, whereas Y^ could represent the ratio of the number of tuples stored in the negative matching file which are true indications of fraud, to the total number of tuples in the negative matching file. Alternatively, entirely different parameters could be constructed which may include information from internal or external sources such as the database 29. Weights WX, WV may be associated with Xr, Yr respectively. If cost information is used as part of the function f, that may be calculated by looking at The individual costs for each separate record (for example the cost of each individual call). One convenient cost parameter that may be included within f is the speed at which the potential losses due to fraud are increasing. If the losses are rising rapidly, one needs to be more drastic than one might otherwise be in changing the rule thresholds. One convenient way of doing this would be to plot a moving average over time of the total valtdated frauds that the system is detecting. The first derivative of this graph may be incorporated as a parameter within f, ensuring that the thresholds are more aggressively changed when losses are most rapidly increasing. In other embodiments, cost need not be a feature of the function f. but other practical considerations could be included, for example the ease with which a particular fraud can be dealt with. The skilled man will be able to decide many appropriate functions f, by trial and error, curve fitting or otherwise, to provide suitable feedback to the rule adjust module 36: typically, the function f will be designed so that the threshold values Tr are more aggressively changed for potentially expensive frauds. In one embodiment, the decision module 35 may receive information on the rules directly from the current rule-set 18, thereby providing an additional level of feedback. In one form of the invention, the function f does not automatically increase or decrease the threshold Tr, but instead recommends to the operators the changes that should be made. In one preferred embodiment, the recommendations may be presented to a fraud analyst (having higher responsibility than the fraud operators). If the analyst accepts the appropriate recommendation, then the change to T, is made by the rule tuning module 36, which alters the ruleset 18, thereby further improving the detection and alarm generation within the module 16. One option for the function f is as follows; (a) If Xr is >80%: Then DO NOTHING - good performance (and set the weight Wx = 0) ELSE RECOMMEND Tr to be increased (b) If Y, is Then DO NOTHING - good performance (and set the weight Wy = 0) ELSE RECOMMEND T, be decreased. Where Wx and Wy are the weights attached respectively to Xr and Yr. The weights W;, and Wy may be set by monitoring and plotting the values Xr and Vf with time, and penodically computing the ratios dX/dt and dY/dt for each time interval. These ratios will be called a and b respectively. Then a method to set the weights Wx. Wy may be carried out as follows: For W,: (a) low (0.1-0.3) IF a(t2)> a(t1) > 0 ; t2> t1; - indication of good performance therefore weak support for increasing Tr; (b) high (0.8-0,9) IF a(t2) 0 ; t2>t1; - indication of bad performance therefore strong support to increase Tr and similarly for Wv. (a) low (0.1-0.3) IF b(t2) 0 ; t2> t1; - indication of good performance therefore weak support to decrease Tr (b) high (0.8-0.9) IF b(t2)> b(t1) > 0 ; t2> t1; - indication of bad performance therefore strong support for decreasing Tr. In addition one can think about joint effect of Xf and Yf dynamics to be captured as following: IF [(a - 0) or (a is decreasing) ] and (b is increasing] THEN very strong support to decrease the threshold Tr or IF la IS increasing) and l(b = 0) or (b is decreasing)] THEN very strong support to increase the threshold Tr. The output of the decision module 35 is passed to the rule-adjust module 36 which effects the rule changes to the rule set 18, Information from the decision module 35 and the rule adjust module 36 is provided to the fraud operator support module 30, to enable the operators 32 to view the current state of the system. Provision may also be provided for the fraud analysis or for the operators to directly intervene in the decisions of the decision module 35, or in the rule adjust module 36, for example by altering some user-definable parameters within the function f. The operators may for instance find it convenient for the system to operate slightly differently at weekends, when the volume of calls is likely to be lower, than it is during the week. Also, certain types of fraud might be more prevalent at certain times of the week or at certain times of day, and user-changeable parameters, or automatically-changing parameters may be provided within the function f to allow for this. Also, provision may be made for the fraud operator support module to have direct access to the rule set 18, thereby enabling the operators and/or analysts to see exactly which rules are currently being applied, and to change them manually if necessary. In one version of the system, the feedback loop may be entirely automated, with the rule set 18 continually being updated as a result of the decisions of the decision module 35. Depending on the computational complexity, which of course depends upon the number of call records and on the number and complexity of the rules, the rules may either be adjusted continually in real time, or may alternatively be updated on a "batch" basis. In another version of the system, the rule set is updated only when requested by a signal sent by a human operator 32 to the rule adjust module 36, or by a signal automatically generated by the fraud operator support module 30, Further information may be obtained by considering the distribution of the various individual values of Q1 for the validated fraud records within the negative matching file. These represent calls which the operators consider to be fraudulent, but which are not currently being correctly trapped by the system and placed in the positive matching file. If it is found that most of the values of Qj" are much less than the value of W, it is probable that the value of the tolerance (0r) is too great. The value could then be reduced, so reducing the number of entries in the negative matching file, but without losing many truly fraudulent entries. On the other hand, if the values of Qi of the validated fraudulent entries are spread out fairly equally across the range from 0 to (-) to or if they tend to increase as one approaches (-) it can be concluded that a substantial number of fraudulent calls are falling outside the (-) limit, and so are not being trapped either within the positive or within the negative matching file. This would suggest that the value of H, needs to be Increased. In this way, the value of the tolerance (-) may be altered, either automatically or as requested by an operator, to provide further tuning to the system. As with alterations to Tr, the value of (-) may be changed in accordance with a function which depends on the validated matched and near-matched records. The decision module 35 may determine the amount and direction of the necessary change, providing instructions to the rule-edjust module 36. It will be understood of course that the various modules shown in Figure 1 are entirely exemplary, and that in other embodiments some of these modules may 5 be combined with others, or arranged differently. we claim A system for improving fraud detection within a telecommunications network. the system comprising: (a) means for receiving call records representative of calls on the network; (b) rule-matching means arranged to compare each call record against an claim-rule and . (i) to determine a match if the alarm-rule matches the call record; (li) to determine a near-match if the alarm-rule just fails to match the all record; (c) validation means for validating the individual matched records and the -matched records with an indication of expected fraud; and (d) rule-update means arranged to alter the said alarm rule in dependence upon the validated matched and validated near-matched records., A system as claimed in Claim 1 in which the rule-matching means is arranged to calculate a rule-matching value dependent upon the closeness of match of the call record to the alarm rule, the rule-matching means determining a match if the rule-matching value exceeds a first threshold parameter of the alarm rule. 3. A system as claimed in Claim 2 in which the rule-matching means determines a near-match if the rule-matching value exceeds a second threshold parameter of the alarm rolern A system as claimed in Claim 3 in which the second threshold parameter is defined by the first threshold parameter adjusted by a tolerance value. 5. A system as claimed in any one of Claims 2 to 4 in which the rule update means is arranged to alter the first threshold parameter of the alarm rule. 6. A system as claimed in Claim 3 or Claim 4 in which the rule update means is arranged to alter the second threshold parameter of the alarm rule. 7. A system as claimed in Claim 6 in which the rule update means is arranged to alter the second threshold parameter in dependence upon the distribution of rule matching values of the near-matched records. 8. A system as claimed in any one of the preceding claims in which the rule update means is arranged to alter the alarm rule in further dependence upon an estimated fraud cost. 9. A system as claimed in Claim 8 in which the rule update means is arranged to alter the alarm rule in dependence upon the rate at which the estimated fraud cost is changing. 10. A system as claimed in any one of the preceding claims in which the rule update means is arranged automatically to alter the alarm rule. 11. A system as claimed in any one of Claims 1 to 9 in which the rule update means is arranged to alter the alarm rule only on receipt of a user update request. 12. A system as claimed in any one of the preceding claims in which the matched records are stored in a positive matching file and the near matched records are stored in a negative matching file. 13. A system as claimed in any one of the preceding claims when dependent upon Claim 2 in which the positive and negative matching files are ordered according to the rule matching values of the respective record. 14. A system as claimed in any one of the preceding claims in which the rule matching means is arranged to compare each call against the alarm rule in dependence upon external database information. 15. A system as claimed in any one of the preceding claims in which the validation means includes means for automatically providing an indication of expected fraud for each record. 16. A system as claimed in any one of Claims 1 to 14 in which the validation means includes validation input means for receiving a user-validation of each record. 17. A system as claimed in any one of the preceding claims in which rule matching means is arranged to compare each call record against a plurality of alarm rules, the rule update means being arranged to alter each said alarm rule individually. 18. A system as claimed in Claim 1 7 in which the rule update means is arranged to alter each individual alarm rule in dependence upon the validated matched and near-matched records which correspond to the said individual alarm rule. 19. A telecommunications network including a system as claimed in any one of the preceding claims. 20. A method of improving fraud detection within a telecommunications network, the method comprising: (a) receiving call records representative of calls on the network; (b) comparing each call record against an alarm rule and (i) determining a match if the alarm rule matches the call record; (ii) determining a near-match it the alarm-rule just tails to match the cell record; (c) validating the individual matched records and the near-matched records with an indication of expected fraud; and (d) altering the said alarm rule in dependence upon the validated matched and validated near-matched records. 21. A method as claimed in Claim 20 including Calculating a rule-matching value in dependence on the closeness of match of the call record to the alarm rule, and determining a match if the rule matching value exceeds a first threshold parameter of the alarm rule. 22. A method as claimed in Claim 21 including determining a near match if the rule matching value exceeds a second threshold parameter of the alarm rule. 23. A method as claimed in Claim 22 in which the second threshold parameter is defined by the first threshold parameter adjusted by a tolerance value. 24. A method as claimed in any one of Claims 21 to 23 including altering the first threshold parameter of the alarm rule. 25. A method as claimed in Claim 22 or Claim 23 including altering the second threshold parameter of the alarm rule. 26. A method as claimed in Claim 25 including altering the second threshold parameter in dependence upon the distribution of rule matching values of the near-matched records. 27. A method as claimed in any one of Claims 20 to 26 including altering the alarm rule in further dependence upon an estimated fraud cost. 28. A method as claimed in Claim 27 including altering the alarm rule in dependence upon the rate at which the estimated fraud cost is changing. 29. A method as claimed in any one of Claims 20 to 28 including automatically altering the alarm rule. 30. A method as claimed in any one of Claims 20 to 28 including altering the alarm rule only on receipt of a user-update request. I i i 31. A method as claimed in any one of Claims 20 to 30 including storing the matched records in a positive matching file and the near-matched records in a negative matching life. 32. A method as claimed in any one of Claims 22 to 31 when dependent upon Claim 21 including ordering the positive and negative matching files according to the rule matching values of the respective records. 33. A method as claimed in any one of Claims 20 to 32 including comparing each call against the alarm rule in dependence upon external database information, 34. A method as claimed in any one of Claims 20 to 33 including automatically providing an indication of expected fraud for each record. 35. A method as claimed in any one of Claims 20 to 33 including providing uber-validaiion uf each record. 36. A method as claimed in any one of Claims 20 to 3b including comparing each call record against a plurality of alarm rules, and altering each said alarm rule individually. 37. A method as claimed in Claim 36 including altering each individual alarm rule in dopendence upon the validated matched and near-matched records which correspond to the said individual alarm rule, 38o A system for improving fradu detection within a telecommunications network, substantially as hereinabove described and illustrated with reference to the accompanying drawings,

Full Text

A TELECOMMUNICATIONS NETWORK
The present invention relates to a telecommunications network and more particularly to a method of, and a system for, improving fraud detection within a telecommunications network.
Rule-based fraud detection systems attempt to detect fraudulent usage by comparing details of individual calls over the telecommunications network with a series of one or more predefined rules. If a particular usage of the network (to be referred to throughout this specification as a "call record") triggers one or more of the predefined rules, an alarm is generated, enabling a human operator to take the necessary action. While such systems have had some success in combating fraud, they tend to be labour intensive since the rules tend to be specific to one particular area, and need to be set up and continually maintained by skilled personnel. One set of rules, for example, needs to be set up and maintained to deal with potential mobile 'phone fraud, another set for catling card and credit card fraud, another set for PSTN fraud, and so on. A further serious drawback is that in time fraudsters get to know (deduce) the rules and/or thresholds that are being applied, and can modify their behaviour accordingly (eg "surfing under the thresholds"). For example, if a fraudster knows that he will be detected if he makes a fraudulent international telephone call to a particular number lasting more than thirty minutes, he is likely to start ensuring that all of his calls last for less than that. Conventional systems have difficulty in coping with this, since the rules need to be changed by experienced personnel who are frequently in possession of insufficient information to determine what the effect on the system would be if they were for example to set a reduced time limit of say twenty minutes.
It is an object of the present invention at least to alleviate these problems of the prior art.
It is a further object to provide a method and system for improving fraud detection within a telecommunications network which can be applied to a variety of specific areas, and which requires less use of skilled personnel to keep the rules up to date.

According to a first aspect of the invention there is provided a system for mproving fraud detection within a telecommunications network, the system comprising:
(a) means for receiving call records representative of calls on the network;
(b) rule-matching means arranged to compare each call record against an alarm-rule and
(i) to determine a match if the alarm-rule matches the call record; (ii) to determine a near-match if the alarm-rule just fails to match the call record;
(c) validation means for validating the individual matched records and the near-matched records with an indication of expected fraud; and
(d) rule-update means arranged to alter the said alarm rule in dependence upon the validated matched and validated near-matched records.
The system preferably attempts to detect fraudulent usage by measuring and comparing the parameters values of individual calls, over the telecommunications network, against pre-set thresholds within defined detection rules- Preferably, the rule matching means is arranged to calculate a rule-matching value dependent upon the closeness of match of the call record parameters to the alarm rule, the rule matching means determining a match if the rule matching value exceeds a first threshold parameter of the alarm rule. It will be understood of course that the first threshold parameter merely acts as a limit value, which will be exceeded in the upward-going direction if the rule-matching value increases with the accuracy of the match, and will be exceeded in the downwardly-going direction in the opposite but mathematically equivalent alternative in which the rule-matching value decreases with the accuracy of the match.
Typically, the matched records will be Stored in a positive matching file, and the near-matched records in a negative matching file. Entries are stored within the positive matching file if the first threshold parameter is exceeded, by a parameter of the call record and in the negative matching file if a second threshold parameter is exceeded, but the first is not. The second threshold parameter may be defined by the first threshold parameter adjusted by a tolerance value, for

example 10%. In this way, the records stored within the negative matching the are representative of calls which almost, but not quite, resulted in an alarm.
In a practical arrangement, the system may include a plurality of different rules, each having its own first threshold and tolerance value, The rules may be updated individually, each individual rule being updated in dependence upon the validated matched and validated near-matched records which correspond with that rule.
According to a second aspect of the invention there is provided a method of improving fraud detection within a telecommunications network, the method comprising:
(a) receiving call records representative of calls on the network;
(b) comparing each call record against an alarm rule and
(i) determining a match if the alarm rule matches the call record; (ii) determining a near-match if the alarm-rule just fails to match the call record;
(c) validating the individual nnatched records and the near-matched records with an indication of expected fraud; and
(d) altering the said alarm rule tn dependence upon the validated matched and validated near matched records.
The invention may be carried into practice in a number of ways and one specific method and system will now be described, by way of example, with reference to Figure 1 which is a block diagram illustrating the preferred embodiment.
The fraud detection system shown may typically be embodied in a computer program running on a dedicated server which is attached to the telecommunications network to be monitored. Depending on the size of the network, there may be a single server, or the system may be duplicated on several servers, spaced apart across the network. All or part of the system could alternatively be hard-coded rather than being embodied by way of a computer program; preferably, the hard-coded modules will be those that need not be updated in use.
The system receives information from external sources S1,S2, across the network. In the Figure, the external sources are referenced by the numeral 10,

with the broken line 12 indicating that these sources supply Information from outside the server on which the system is operating.
The external sources 10 provide information on calls that are being made on the telecommunications network by way of an individual call record for each call. Each call record has a number of key fields, for example (among others} the called number, the calling number, the call length, and the callmg card or credit card number. Depending upon the parameters to be monitored, other key fields may be provided as necessary.
The call records are supplied to a data management module 14 which normalises the incoming information and supplies the resultant normalised call records C1 (i being an index identifying the individual calls) to a detection and alarm matching module 16.
In the detection and alarm matching module 16 each of the call records C1 is compared against a series of predefined rules within a rule set 18. The individual rules within the rule set are chosen in such a way that the matching of a rule by the call record C1 provides an indication (although not an absolute proof) that fraud may be taking place. For example, one rule might state that fraud is a possibility if the call is an international call being made from a public call box to a country known to be a supplier of illegal drugs. Fraud might also be suspected if the call has been paid for by a charge card and does not fit the call history on that account; a rule might suggest that fraud is taking place, for instance, if a low-usage charge card customer suddenly starts making a long series of international telephone calls to different countries from a public 'phone box. Additional information from an external or internal database 20 may be accessed in order to obtain the necessary information to apply the rules for example, the billing history of the customer, the customer's charge card credit limit (which may vary on a day by day or even on an hourly basis), and so on.
Each rule r within the rule-set has associated with it a corresponding threshold value 7,, and the call record C; is tested against the rule in such a way as to provide an indication of the "degree of match" V]. If the rule closely matches the call record, the value of V. will be high, and if the match is poor the value of V, will be low. The value V1 is then tested against the rules threshold Tr, and an alarm is generated if V1 is greater than I,. In the prior art systems, the value of T,

would correspond to that threshold level above which the alarms are presented to a human operator for further checking.
It will be appreciated that there are numerous way in which the "degree of matching", otherwise indicated by V1 may be determined. One simplistic approach would be to set V1 to 1 if one of the parameters in the rule being tested is satisfied, to 2 if two of the parameters are satisfied and so on, In such a system, the parameters might consist of various "true or false" statements, within the rule, for example that the call is an international call, that it has lasted longer than a certain period, that it has exceeded a certain cost, or that it relates to a particular calling or called address. Since some of the parameters will be more indicative of frauds than others, a more sophisticated approach might be to apply appropriate weightings to each of the- parameters, and to calculate V1 on that basis. Other more complex arrangements could of course be envisaged, subject only to the module 16 producing as an output a value V| which gives some indication of the likelihood of the current call being fraudulent, based upon the particular rule being tested.

threshold has just been missed). These may be called the "near-matched records".
Both the positive matching file 22 and the negative matching file 24 are ordered according to their respective ratios Q1+ Q1. Accordingly, the positive matching file 22 may be thought of as a series of records giving rise to fraud alarms, whereas the negative matching tile represents those records which have almost but not quite triggered alarms. In each case, the files are ordered so that The most likely fraudulent cases are at the start. While the entire positive matching file is preferably presented, to allow for the analysis of alarms, not all of the negative matching file need be presented, For example, presenting only those records which are grouped around the mean value of Q1 will improve efficiency, Alternatively, only the call records carrying significant cost values can be presented.
Both the negative and the positive matching files are passed (as indicated by the circled numeral 1) to a fraud operator support module 30, allowing the files to be viewed and analysed by human operators 32. The operators 32 use their experience of fraud detection to validate the entries in the positive and negative matching files 22,24, each entry being given a code according to whether it is considered by the operator to represent true fraud or not. Ideally, alt of the entries in the positive matching tile 22 should represent fraudulent calls, and all the entries in the negative matching file should represent non-fraudulent calls, but in practice there will be both fraudulent and non-fraudulent entries within both of the files because of inaccuracies in the rule set 18. In order to assist their analysis of what is and what is not fraud, the operators 32 may call on additional information provided from internal or external sources 34. This may include, for example, the name and address of the customer, the billing history, the account history, the pattern of frauds which has been seen in the past, and so on, The fraud operator support 30 may include a series of graphical analysis tools enabling the operators to view the alarms and the files 22,24 in a variety of useful ways. It may also include an expert system and/or neural nets to assist the operators in making their analysis; the fraud operator support may even operate without user intervention simply being programmed to validate the records for example on the basis of a neural net analysis.

The annotations/validations of the files 22,24 are passed bacK to the alarm analysis module 28 the primary purpose of which is to provide automatic feedback for adjusting the rule set 18. The alarm analysis module computes two ratios X,,Y, for ench rule r, where:
Xr = the ratio of the number of validated frauds in the positive matching file to the total number of alarms generated by rule r in the positive matching file, and
Yr - The ratio of the number of validated frauds in the negative matching file to the total number of alarms generated by rule r in the positive matching file.
Tho value of Xr represents one measure of the performance of rule r, in that the higher Xr is the better, The value of Yr is another measure of the performance of rule r, but here the lower the value of Yr the better.
It will be understood that in order to improve (Increase) the value of X1, the value of T. needs to be increased: to improve (decrease) the value of Y1 the threshold Tt needs to be decreased.
The values x1, Y1 are then applied to a decision module 35 which uses the values within a function f which will automatically increase or decrease the threshold T, for the rule r, as follows:
δTr - f(X„ Y,, cost) where "cost" represents the cost of the fraud going undetected. The appropriate change to Tr is made by a rule adjust module 36, which alters the rule set 18, thereby further improving the detection and alarm matching within the module 16,
It will be understood by the skilled man that it is not essential to the operation of this invention in its broadest form for the function f to be exactly as described. Other parameters could be extracted from the files 22,24 and the validated records within them, other than the values Xr and Yr previously described. In one alternative, Xr could represent the ratio of the number of validated alarms to the number of false positives, whereas Y^ could represent the ratio of the number of tuples stored in the negative matching file which are true indications of fraud, to the total number of tuples in the negative matching file. Alternatively, entirely different parameters could be constructed which may include information from internal or external sources such as the database 29. Weights WX, WV may be associated with Xr, Yr respectively.

If cost information is used as part of the function f, that may be calculated by looking at The individual costs for each separate record (for example the cost of each individual call). One convenient cost parameter that may be included within f is the speed at which the potential losses due to fraud are increasing. If the losses are rising rapidly, one needs to be more drastic than one might otherwise be in changing the rule thresholds. One convenient way of doing this would be to plot a moving average over time of the total valtdated frauds that the system is detecting. The first derivative of this graph may be incorporated as a parameter within f, ensuring that the thresholds are more aggressively changed when losses are most rapidly increasing. In other embodiments, cost need not be a feature of the function f. but other practical considerations could be included, for example the ease with which a particular fraud can be dealt with. The skilled man will be able to decide many appropriate functions f, by trial and error, curve fitting or otherwise, to provide suitable feedback to the rule adjust module 36: typically, the function f will be designed so that the threshold values Tr are more aggressively changed for potentially expensive frauds. In one embodiment, the decision module 35 may receive information on the rules directly from the current rule-set 18, thereby providing an additional level of feedback.
In one form of the invention, the function f does not automatically
increase or decrease the threshold Tr, but instead recommends to the operators the
changes that should be made. In one preferred embodiment, the
recommendations may be presented to a fraud analyst (having higher responsibility than the fraud operators). If the analyst accepts the appropriate recommendation, then the change to T, is made by the rule tuning module 36, which alters the ruleset 18, thereby further improving the detection and alarm generation within the module 16.
One option for the function f is as follows;
(a) If Xr is >80%:
Then DO NOTHING - good performance (and set the weight Wx = 0) ELSE RECOMMEND Tr to be increased
(b) If Y, is Then DO NOTHING - good performance (and set the weight Wy = 0) ELSE RECOMMEND T, be decreased.

Where Wx and Wy are the weights attached respectively to Xr and Yr.
The weights W;, and Wy may be set by monitoring and plotting the values Xr and Vf with time, and penodically computing the ratios dX/dt and dY/dt for each time interval. These ratios will be called a and b respectively. Then a method to set the weights Wx. Wy may be carried out as follows: For W,:
(a) low (0.1-0.3) IF a(t2)> a(t1) > 0 ; t2> t1; - indication of good performance therefore weak support for increasing Tr;
(b) high (0.8-0,9) IF a(t2) 0 ; t2>t1; - indication of bad performance therefore strong support to increase Tr
and similarly for Wv.
(a) low (0.1-0.3) IF b(t2) 0 ; t2> t1; - indication of good performance therefore weak support to decrease Tr
(b) high (0.8-0.9) IF b(t2)> b(t1) > 0 ; t2> t1; - indication of bad performance therefore strong support for decreasing Tr.
In addition one can think about joint effect of Xf and Yf dynamics to be captured as following:
IF [(a - 0) or (a is decreasing) ] and (b is increasing]
THEN very strong support to decrease the threshold Tr
or
IF la IS increasing) and l(b = 0) or (b is decreasing)]
THEN very strong support to increase the threshold Tr.
The output of the decision module 35 is passed to the rule-adjust module 36 which effects the rule changes to the rule set 18,
Information from the decision module 35 and the rule adjust module 36 is provided to the fraud operator support module 30, to enable the operators 32 to view the current state of the system. Provision may also be provided for the fraud analysis or for the operators to directly intervene in the decisions of the decision module 35, or in the rule adjust module 36, for example by altering some user-definable parameters within the function f. The operators may for instance find it convenient for the system to operate slightly differently at weekends, when the volume of calls is likely to be lower, than it is during the week. Also, certain types of fraud might be more prevalent at certain times of the week or at certain

times of day, and user-changeable parameters, or automatically-changing parameters may be provided within the function f to allow for this. Also, provision may be made for the fraud operator support module to have direct access to the rule set 18, thereby enabling the operators and/or analysts to see exactly which rules are currently being applied, and to change them manually if necessary. In one version of the system, the feedback loop may be entirely automated, with the rule set 18 continually being updated as a result of the decisions of the decision module 35. Depending on the computational complexity, which of course depends upon the number of call records and on the number and complexity of the rules, the rules may either be adjusted continually in real time, or may alternatively be updated on a "batch" basis. In another version of the system, the rule set is updated only when requested by a signal sent by a human operator 32 to the rule adjust module 36, or by a signal automatically generated by the fraud operator support module 30,
Further information may be obtained by considering the distribution of the various individual values of Q1 for the validated fraud records within the negative matching file. These represent calls which the operators consider to be fraudulent, but which are not currently being correctly trapped by the system and placed in the positive matching file. If it is found that most of the values of Qj" are much less than the value of W, it is probable that the value of the tolerance (0r) is too great. The value could then be reduced, so reducing the number of entries in the negative matching file, but without losing many truly fraudulent entries. On the other hand, if the values of Qi of the validated fraudulent entries are spread out fairly equally across the range from 0 to (-) to or if they tend to increase as one approaches (-) it can be concluded that a substantial number of fraudulent calls are falling outside the (-) limit, and so are not being trapped either within the positive or within the negative matching file. This would suggest that the value of H, needs to be Increased.
In this way, the value of the tolerance (-) may be altered, either automatically or as requested by an operator, to provide further tuning to the system. As with alterations to Tr, the value of (-) may be changed in accordance with a function which depends on the validated matched and near-matched

records. The decision module 35 may determine the amount and direction of the necessary change, providing instructions to the rule-edjust module 36.
It will be understood of course that the various modules shown in Figure 1 are entirely exemplary, and that in other embodiments some of these modules may 5 be combined with others, or arranged differently.

we claim
A system for improving fraud detection within a telecommunications network. the system comprising:
(a) means for receiving call records representative of calls on the network;
(b) rule-matching means arranged to compare each call record against an claim-rule and .
(i) to determine a match if the alarm-rule matches the call record; (li) to determine a near-match if the alarm-rule just fails to match the all record;
(c) validation means for validating the individual matched records and the
-matched records with an indication of expected fraud; and
(d) rule-update means arranged to alter the said alarm rule in dependence
upon the validated matched and validated near-matched records., A system as claimed in Claim 1 in which the rule-matching means is
arranged to calculate a rule-matching value dependent upon the closeness of match of the call record to the alarm rule, the rule-matching means determining a match if the rule-matching value exceeds a first threshold parameter of the alarm rule.
3. A system as claimed in Claim 2 in which the rule-matching means
determines a near-match if the rule-matching value exceeds a second threshold
parameter of the alarm rolern
A system as claimed in Claim 3 in which the second threshold parameter
is defined by the first threshold parameter adjusted by a tolerance value.
5. A system as claimed in any one of Claims 2 to 4 in which the rule update means is arranged to alter the first threshold parameter of the alarm rule.
6. A system as claimed in Claim 3 or Claim 4 in which the rule update means is arranged to alter the second threshold parameter of the alarm rule.

7. A system as claimed in Claim 6 in which the rule update means is arranged to alter the second threshold parameter in dependence upon the distribution of rule matching values of the near-matched records.
8. A system as claimed in any one of the preceding claims in which the rule update means is arranged to alter the alarm rule in further dependence upon an estimated fraud cost.
9. A system as claimed in Claim 8 in which the rule update means is arranged to alter the alarm rule in dependence upon the rate at which the estimated fraud cost is changing.
10. A system as claimed in any one of the preceding claims in which the rule update means is arranged automatically to alter the alarm rule.
11. A system as claimed in any one of Claims 1 to 9 in which the rule update means is arranged to alter the alarm rule only on receipt of a user update request.
12. A system as claimed in any one of the preceding claims in which the matched records are stored in a positive matching file and the near matched records are stored in a negative matching file.
13. A system as claimed in any one of the preceding claims when dependent upon Claim 2 in which the positive and negative matching files are ordered according to the rule matching values of the respective record.
14. A system as claimed in any one of the preceding claims in which the rule matching means is arranged to compare each call against the alarm rule in dependence upon external database information.

15. A system as claimed in any one of the preceding claims in which the validation means includes means for automatically providing an indication of expected fraud for each record.
16. A system as claimed in any one of Claims 1 to 14 in which the validation means includes validation input means for receiving a user-validation of each record.
17. A system as claimed in any one of the preceding claims in which rule matching means is arranged to compare each call record against a plurality of alarm rules, the rule update means being arranged to alter each said alarm rule individually.
18. A system as claimed in Claim 1 7 in which the rule update means is arranged to alter each individual alarm rule in dependence upon the validated matched and near-matched records which correspond to the said individual alarm rule.
19. A telecommunications network including a system as claimed in any one of the preceding claims.
20. A method of improving fraud detection within a telecommunications network, the method comprising:

(a) receiving call records representative of calls on the network;
(b) comparing each call record against an alarm rule and
(i) determining a match if the alarm rule matches the call record; (ii) determining a near-match it the alarm-rule just tails to match the cell record;
(c) validating the individual matched records and the near-matched records with an indication of expected fraud; and
(d) altering the said alarm rule in dependence upon the validated matched and validated near-matched records.

21. A method as claimed in Claim 20 including Calculating a rule-matching
value in dependence on the closeness of match of the call record to the alarm rule, and determining a match if the rule matching value exceeds a first threshold parameter of the alarm rule.
22. A method as claimed in Claim 21 including determining a near match if the rule matching value exceeds a second threshold parameter of the alarm rule.
23. A method as claimed in Claim 22 in which the second threshold parameter is defined by the first threshold parameter adjusted by a tolerance value.
24. A method as claimed in any one of Claims 21 to 23 including altering the first threshold parameter of the alarm rule.
25. A method as claimed in Claim 22 or Claim 23 including altering the second threshold parameter of the alarm rule.
26. A method as claimed in Claim 25 including altering the second threshold parameter in dependence upon the distribution of rule matching values of the near-matched records.
27. A method as claimed in any one of Claims 20 to 26 including altering the alarm rule in further dependence upon an estimated fraud cost.
28. A method as claimed in Claim 27 including altering the alarm rule in dependence upon the rate at which the estimated fraud cost is changing.
29. A method as claimed in any one of Claims 20 to 28 including automatically altering the alarm rule.
30. A method as claimed in any one of Claims 20 to 28 including altering the alarm rule only on receipt of a user-update request.

I
i
i
31. A method as claimed in any one of Claims 20 to 30 including storing the
matched records in a positive matching file and the near-matched records in a
negative matching life.
32. A method as claimed in any one of Claims 22 to 31 when dependent upon
Claim 21 including ordering the positive and negative matching files according to
the rule matching values of the respective records.
33. A method as claimed in any one of Claims 20 to 32 including comparing each call against the alarm rule in dependence upon external database information,
34. A method as claimed in any one of Claims 20 to 33 including automatically providing an indication of expected fraud for each record.
35. A method as claimed in any one of Claims 20 to 33 including providing
uber-validaiion uf each record.
36. A method as claimed in any one of Claims 20 to 3b including comparing
each call record against a plurality of alarm rules, and altering each said alarm rule
individually.
37. A method as claimed in Claim 36 including altering each individual alarm
rule in dopendence upon the validated matched and near-matched records which
correspond to the said individual alarm rule,
38o A system for improving fradu detection within a telecommunications network, substantially as hereinabove described and illustrated with reference to the accompanying drawings,

Documents:

660-mas-1997-abstract.pdf

660-mas-1997-assignment.pdf

660-mas-1997-claims duplicate.pdf

660-mas-1997-claims original.pdf

660-mas-1997-correspondance others.pdf

660-mas-1997-correspondance po.pdf

660-mas-1997-description complete duplicate.pdf

660-mas-1997-description complete original.pdf

660-mas-1997-drawings.pdf

660-mas-1997-form 1.pdf

660-mas-1997-form 26.pdf

660-mas-1997-form 3.pdf

660-mas-1997-form 6.pdf

« Previous Patent

Next Patent »

Patent Number

206814

Indian Patent Application Number

660/MAS/1997

PG Journal Number

26/2007

Publication Date

29-Jun-2007

Grant Date

11-May-2007

Date of Filing

27-Mar-1997

Name of Patentee

AZURE SOLUTIONS LIMITED

Applicant Address

FINSBURY CIRCUS HOUSE, 12-15 FINSBURY CIRCUS, LONDON EC2M 7BT

Inventors:

#	Inventor's Name	Inventor's Address
1	MARIUS NICOLAE BUSUIOC	28 HENSLOW ROAD, IPSWICH, SUFFOLK, IP4 5EG

PCT International Classification Number

H04Q7/24

PCT International Application Number

N/A

PCT International Filing date

PCT Conventions:

#	PCT Application Number	Date of Convention	Priority Country
1	9606792.1	1996-03-29	U.K.