Additional analyze of calls
In some cases, receiving information about calls processed in Tariscope is not enough and additional data analysis is required, which we would like Tariscope to perform automatically. For example, a company's security service would like to promptly know about all calls made by employees from departmental PBX phones to the fire department, police, or ambulance. Another example is when it is desirable to know about all outgoing calls, the cost of which is above a certain amount, or about calls to (from) phones from the "blacklist". You can think of a whole range of other cases when it is necessary to promptly receive notifications about certain calls.
Of course, it would not be the best solution to such tasks to put an employee behind a monitor with Tariscope to monitor such calls. But this is not necessary if you use all the capabilities of Tariscope. Tariscope can be configured so that after each call it will automatically perform additional analysis of the call data for compliance with pre-set conditions, for example, as we mentioned earlier, the execution of a call to some specific phone numbers by any employee of the company.
A special case that requires operational tracking is the detection of telephone fraud. Telephone fraud refers to a certain type of fraud, when unauthorized calls, usually international, are made by various means at the expense of the company. In 2023, according to the international association CFCA (Communications Fraud Control Association), losses from telephone fraud will amount to about 38.95 billion US dollars [1].
Fraud detection is significantly more difficult than, for example, detecting calls to specific phone numbers, since it is not known in advance which numbers are called, when, and for how long. To detect fraud, it is usually recommended to use special systems, which in most cases are based on comparing a specific call with the behavior model of a specific subscriber, group of subscribers, and the company as a whole. Tariscope has such a fraud detection subsystem, but this subsystem is not included in the basic license for Tariscope and must be purchased in addition to the basic license.
At the same time, even without purchasing such a subsystem, Tariscope makes it possible to detect suspicious calls that may be fraudulent. In this article, we will consider how to do this.
First, we will consider only outgoing international calls costing more than a given amount, since fraud is much less common for long-distance and even more so for city calls.
Secondly, of the specified calls in the first condition, the most suspicious calls with signs of fraud should be considered those that are made during non-working hours, on weekends and holidays.
Thirdly, you can evaluate the countries where the call was made. It is believed that the largest number of fraudulent calls are made to countries in the Caribbean, as well as Asia and Africa.
And, finally, you can evaluate calls for fraud from subscribers whose data is not available in the Tariscope database.
Now let's look at how the search for calls with some of the above features can be implemented in the Tariscope system.
In the Tariscope Observer service settings, there is a feature to execute scenarios when certain events occur. To do this, in the Data Collection/Observer menu branch of the Tariscope system, select the Observer Management menu item. The Data Collection/Observer page appears, an example of which is shown in Figure 1.
Figure 1
Select the row of the required Observer, if you have several, and click on the Edit icon on the toolbar. In the menu that appears, select the Observers’ scripts item. As a result, the Observers’ scripts page appears, an example of which is shown in Figure 2.
Figure 2
This window contains a list of events, upon the occurrence of which Tariscope can launch the script associated with this event. Possible reaction to such events:
- Data source connected.
- Data source disconnected.
- Change class of service.
- Group state changed.
- Periodic action.
- New call.
- Database unavailable.
To analyze calls for fraud, select the New call event in the Event list, and select the file containing the fraud analysis script in the Script list. Scripts supplied with Tariscope are installed by default in the C:\ProgramData\Tariscope\ObserverScripts folder.
After selecting the desired scenario, save the settings (Figure 2).
Scripts must be written in C#. Among the scripts supplied with Tariscope is the fraud.cs file. It allows you to send a message either to the email address specified in the script or to the email address specified in the Tariscope settings, about outgoing international calls lasting more than 150 seconds, which are made in the time period: from 19:00 to 08:00 or on weekend. These parameters can be changed, deleted or added by the Tariscope administrator.
To write new scripts or edit existing ones, it is desirable to have an understanding of C# programming, as well as of creating SQL queries
If you are not confident in your abilities, contact SoftPI technical support, as an incorrectly written script can damage the Tariscope system. Script writing by SoftPI is not included in warranty or post-warranty support services and is performed for a separate fee.
The structure of all scripts used in Tariscope is the same. Each script implements the IScript interface.
There are two methods in this interface:
- Init method. This method is called once during script startup, when the Tariscope Observer service compiles and initializes this script.
- Main method. It performs operations related to a specific event. The Parameters object is passed to the Main method.
- When a script is initialized, it is passed the IScriptHost interface, which allows the script to perform some operations. For example, send an email message.
The fraud.cs script listing is below:
using Microsoft.Data.SqlClient;
using SoftPI.Tariscope.WebAdministration.Observer.Scripting.Interfaces;
using SoftPI.Tariscope.WebAdministration.Observer.Scripting.Models;
using System;
using SoftPi.Tariscope.DAL;
public class FraudScanner : IScript
{
private IScriptHost Host;
private bool NeedFinish = false;
//
//
********************************************************************************************
//
private int MAX_CALL_DURATION_S = 150;
private int CALLTYPE_INTERNATIONAL = 5;
private TimeSpan BEGINNING_OF_WORK = TimeSpan.Parse("08:00:00");
private TimeSpan END_OF_WORK = TimeSpan.Parse("19:00:00");
//
//
*********************************************************************************************
//
public void Init(IScriptHost host)
{
this.Host = host;
host.Close += OnClose;
NeedFinish = false;
}
private void OnClose(ref bool Cancel)
{
return;
}
public void Main(object Parameters)
{
NewCallActionParameters actionParameters = (NewCallActionParameters)Parameters;
try
{
this.Host.AddEvent("New call processing, ID= " + actionParameters.Id);
using (SqlConnection cn = new SqlConnection(this.Host.DatabaseConnectionString))
{
cn.Open();
CallItems CallItems = CallItems.Instance(cn);
SqlCommand cmd = CallItems.GetCommand("SELECT ID, Originator, Dialnumber,
CallDateTime, CallSeconds, CallType FROM viCalls WHERE ID=@callid>");
cmd.Parameters.AddWithValue("@callid", actionParameters.Id);
using (SqlDataReader rs = cmd.ExecuteReader())
{
if (rs.Read())
{
if (rs.GetInt16(5) == CALLTYPE_INTERNATIONAL &&
rs.GetInt32(4) > MAX_CALL_DURATION_S &&
(((rs.GetDateTime(3).TimeOfDay > END_OF_WORK ||
rs.GetDateTime(3).TimeOfDay < BEGINNING_OF_WORK)) ||
(rs.GetDateTime(3).DayOfWeek == DayOfWeek.Sunday ||
rs.GetDateTime(3).DayOfWeek == DayOfWeek.Saturday)))
this.Host.SendMail("", "Fraud Detection system", "Suspicious call detected. ID=" + actionParameters.Id + " CallDateTime=" + rs.GetDateTime(3) + " Call duration=" + rs.GetInt32(4));
}
}
}
}
catch (Exception ex)
{
this.Host.AddEvent("Error running script: " + ex.ToString());
}
}
}
For someone who is not familiar with programming, the above script code may seem completely incomprehensible. In fact, this is not entirely true. In the code, those lines that can be changed if necessary are highlighted in red.
Consider the first four highlighted lines:
private int MAX_CALL_DURATION_S = 150;
private int CALLTYPE_INTERNATIONAL = 5;
private TimeSpan BEGINNING_OF_WORK = TimeSpan.Parse("08:00:00");
private TimeSpan END_OF_WORK = TimeSpan.Parse("19:00:00");
These lines declare four variables:
- MAX_CALL_DURATION_S. This is the duration of the call, which is 150 seconds, or 2 minutes and 30 seconds. You can change this value to any positive integer or 0.
- CALLTYPE_INTERNATIONAL. This is the call type for international calls used in Tariscope. Its value is 5. If you are only going to consider international calls, do not change this value. If you are interested in other calls, you can determine their value from the document Tariscope 4.6. Database schema.
- BEGINNING_OF_WORK. This is the start time of the workday, which here is 8 a.m. You can change this value to any other real-world start time.
- END_OF_WORK. This is the end time of the workday, which here is 7 PM. You can change this value to any other real-world end time value.
The next highlighted line:
SELECT ID, Originator, Dialnumber, CallDateTime, CallSeconds, CallType FROM viCalls WHERE ID=@callid>
This is a SQL query to the viCalls view to retrieve from it the current call specified by the condition ID=@callid, where @callid is a parameter that contains the ID of the last call that was processed in the Observer. This SQL query allows you to retrieve the following fields:
- ID. Record ID.
- Originator. The phone number from which the call was made.
- Dialnumber. The phone number to which the call was made.
- CallDateTime. Date and time of the call.
- CallSeconds. Call duration in seconds.
- CallType. Call type.
If necessary, it is possible to obtain other call parameters from the list of viCall view fields.
The following highlighted part of the script analyzes the data for compliance with the specified conditions:
(rs.GetInt16(5) == CALLTYPE_INTERNATIONAL &&
rs.GetInt32(4) > MAX_CALL_DURATION_S &&
(((rs.GetDateTime(3).TimeOfDay > END_OF_WORK ||
rs.GetDateTime(3).TimeOfDay < BEGINNING_OF_WORK)) ||
(rs.GetDateTime(3).DayOfWeek == DayOfWeek.Sunday ||
rs.GetDateTime(3).DayOfWeek == DayOfWeek.Saturday)))
This code is used in the if statement as a condition for matching data. It consists of the following conditions:
rs.GetInt16(5) = CALLTYPE_INTERNATIONAL
The value of the 5th field of the query is taken (this is the CallType field in the SQL query). The field count starts from 0. The field value is compared with the value of the CALLTYPE_INTERNATIONAL variable. That is, this condition allows you to detect whether this call is international.
rs.GetInt32(4) > MAX_CALL_DURATION_S
The value of the 4th field of the SQL query (the CallSeconds field) is taken. The value count starts from 0. The field value is compared with the value of the MAX_CALL_DURATION_S variable.
(rs.GetDateTime(3).TimeOfDay > END_OF_WORK ||
rs.GetDateTime(3).TimeOfDay < BEGINNING_OF_WORK))
This condition uses the value of the 3rd query field, the CallDateTime field. It checks whether the call time falls between the end of a business day and the beginning of the next business day.
(rs.GetDateTime(3).DayOfWeek == DayOfWeek.Sunday ||
rs.GetDateTime(3).DayOfWeek == DayOfWeek.Saturday)
This is an alternative call time condition that all international calls longer than 150 seconds that are made on Saturday or Sunday must meet.
Using the logical operators && and ||, you can consider the call's compliance with the required conditions differently.
If the result of the check is true, then the command to send an email notification about this call is executed.
this.Host.SendMail("", "Fraud Detection system", "Suspicious call detected. ID=" + actionParameters.Id + " CallDateTime=" + rs.GetDateTime(3) + " Call duration=" + rs.GetInt32(4));
this.Host.SendMail() – This is a function that sends an email message. This function has three parameters, which are enclosed in parentheses and separated by commas:
- The first parameter specifies the email address to which the message is sent. If this parameter is empty (""), as indicated in the above expression, then the email address specified on the Notification and mailing setting page is used. If you want to send messages to a different address than the one specified on this settings page or you have not configured this parameter in Tariscope, then you should specify this address in quotes, for example, "This email address is being protected from spambots. You need JavaScript enabled to view it.".
- The second parameter is the subject of email. In this scenario, this parameter is "Fraud Detection system". If desired, you can replace this parameter with, for example, "Received a call with signs of fraud" or some other.
- The third parameter is the content of the message text. In this scenario, it is:
"Suspicious call detected. ID=" + actionParameters.Id + " CallDateTime=" + rs.GetDateTime(3) + " Call duration=" + rs.GetInt32(4) .
You can change the text of this line.
The SQL query line discussed above contains a request for two more parameters: Originator and Dialnumber. Accordingly, their values can also be displayed in the body of the email. To do this, add the following line:
“ The call was made from ” & rs.GetInt32(1) “ to telephone number “ & rs.GetInt32(2)
If you modify the SQL query, then in the message it is possible to display information about the subscriber from whose number the call was made, the name of the settlement where the call was made, and other information.
Now let's return to our conditions for detecting calls that can be suspected of being fraudulent. First, let's add an analysis of the call cost. To do this, in the place of the script where the variables discussed above were set, we will add the variable MAX_CALL_COST, for which we will set the value of the call cost, starting from which the call can be considered suspicious. For example, let it be a value of 5.0 USD. That is, the script should react to any call whose cost is more than 5.0 USD.
private decimal MAX_CALL_COST = 5.0;
Now you need to modify the SQL query to get information about the cost of the call. To do this, use the description of the viCalls view in the document of Tariscope 4.x. Database schema to find the required field. This is the Cost field. Then the query should look like this:
SELECT ID, Originator, Dialnumber, CallDateTime, CallSeconds, CallType, Cost FROM viCalls WHERE ID=@callid>
If we are not interested in the duration of the call, then we can exclude the CallSeconds field from the query. And now, having received the data on the call using this SQL query, we should analyze it for compliance with the conditions that interest us: an international call with a cost of more than 10 hryvnias. To do this, the line where the analysis is performed should be written as follows:
(rs.GetInt16(5) = CALLTYPE_INTERNATIONAL &&
rs.GetInt32(4)> MAX_CALL_DURATION_S &&
rs.GetDecimal(6) > 5.0) &&
(((rs.GetDateTime(3).TimeOfDay > END_OF_WORK ||
rs.GetDateTime(3).TimeOfDay < BEGINNING_OF_WORK)) ||
(rs.GetDateTime(3).DayOfWeek == DayOfWeek.Sunday ||
rs.GetDateTime(3).DayOfWeek == DayOfWeek.Saturday))
This line assumes that the CallSeconds field query remains. If it is removed, the value in parentheses in the data analysis line will change, indicating the field number in the query, starting from 0.
Similarly, you can further complicate the conditions for detecting fraudulent calls.
When using scripts for additional call data processing, you should always remember that this use increases the load on the server and can lead to slower processing.
In addition, if call data arrives in Tariscope with a delay, for example, when received via an FTP server, then suspicious call messages will also be generated with a delay.
If the above information is not enough for you to create the necessary script, please contact SoftPI technical support.
Links
