Additional analyze of calls
In some cases, information about calls in Tariscope is insufficient and further analysis of the calls is needed. And it would like to perform the analyze automatically. For example, the security service wants to quickly know about all calls made by company's employees to the fire department, police or ambulance. There are other cases where it is desirable to know about specific outgoing calls, for example, which cost above a certain value, or on calls to phones of competitors. There are a lot of cases, when you want to receive notifications about certain types of calls.
Of course, it will not be the best solution of such tasks to place an employee behind the monitor with Tariscope to monitor calls. But you don't have to do this if you use all the Tariscope features. You can configure Tariscope so that it will be to automatically perform the analysis of call data after the end of each call for compliance with predefined conditions, for example, that we mentioned earlier.
A special case that requires operational tracking is an identification of telephone fraud. Under telephone fraud implies a special type of fraud where unauthorized calls, as a rule, international ones, are performed in a variety of ways at the expense of the company. According to the International Association of CFCA (Communications Fraud Control Association) losses from phone fraud in 2015 are estimated as 38.1 billion of United States dollars.
The identification of fraud is more difficult task than an identification of, for example, calls made to specific telephone numbers, because it is not known in advance to which telephone numbers the calls will be made, when and with which duration. To detect the fraud, it is generally advised to use special systems, in most cases, whose work is based on a comparison of the specific call with a subscriber behavior model. At the moment Tariscope does not contain a fraud detection subsystem, but this does not mean that it has no capacity for its identification. To do this, first and foremost, it should formulate the terms and conditions under which you can assess a call on belonging to fraud. Let's try to do it. Then we configure Tariscope on the basis of this information.
Firstly, we will consider only outgoing international calls costing more than the specified value, as fraud is used significantly less for the local and long distance calls.
Thirdly, you can evaluate the countries in which the call was made. Table 1 lists the top 10 countries where the largest fraud-traffic were terminated for the year 2015 according to CFCA [1]. Provides consolidated data, as well as for the countries of North America, the European Union and the rest of the world. The country with the number 1 terminated the largest fraud among the listed countries. The country with the number of 10 terminated the lowest fraud among the listed countries.
Table 1
| Consolidated data | For North America | For The European Union | For the rest of the world | |
| 1 | Cuba | Cuba | Cuba | Latvia |
| 2 | Somalia | Somalia | United Kingdom | Cuba |
| 3 | Bosnia and Herzegovina | Santa Lucia | Serbia | Lithuania |
| 4 | Estonia | Bosnia and Herzegovina | Estonia | Somalia |
| 5 | Latvia | Sierra Leone | Guiana | Bosnia and Herzegovina |
| 6 | Guiana | Jamaica | Somalia | Estonia |
| 7 | Serbia | Kiribati | African countries | Guiana |
| 8 | Sierra Leone | Tunisia | Albania | Serbia |
| 9 | United Kingdom | Grenada | Algeria | Senegal |
| 10 | Lithuania | United States | The Baltic countries | Sierra Leone |
In some cases, for example, when the Direct inward system access (DISA) is used in PBX, to analyze the call to fraud conditioning you can consider not only where the call was terminated, but where the call was originated. CFCA report mentioned earlier [1] contains the information which is presented in table 2.
Table 2
| Consolidated data | For North America | For The European Union | For the rest of the world | |
| 1 | United States | Philippines | Spain | United States |
| 2 | Pakistan | Pakistan | United Kingdom | Cuba |
| 3 | Spain | Canada | Cuba | Somalia |
| 4 | Cuba | Netherlands | Somalia | Italy |
| 5 | Italy | Spain | Pakistan | Lithuania |
| 6 | Philippines | France | Egypt | Pakistan |
| 7 | Somalia | United States | Austria | Latvia |
| 8 | United Kingdom | India | Switzerland | Spain |
| 9 | Dominican Republic | Nigeria | United States | Tunisia |
| 10 | Egypt | Belgium | Italy | Germany |
Finally, you can evaluate calls to belonging to fraud from subscribers that do not exist in the Tariscope database.
Now let's look at how you can implement a search of calls with the above signs in Tariscope.
The configuration of the Tariscope Observer service contains an opportunity to run a script when a specific event is occurred. To do this, in the configuration tree of Tariscope, it should select the desired Tariscope Observer service. Depending on the source of the calls the Tariscope window for this mode will be different. Figure 1 shows the Tariscope window in case collecting calls data from the FTP server.
Figure 1
The window contains the Script button. Click on this button. The Tariscope Observer scripts window appears as shown in Figure 2.
Figure 2
This window contains a list of events at which Tariscope can run the script associated with this event.
There are the following events:
- Data source connected.
- Data source disconnected.
- Subscriber COS change.
- Group COS change.
- Periodic action.
- New call was received.
- Database connection error.
To analyze calls for conditioning them to fraud, choose the event: New call was received. Then, click on the button "...". In the window that appears, select the files that contains the script to analyze a call to belonging to fraud. Scripts that are supplied with Tariscope are installed in the folder by default:
…Program Files (x86)\SoftPI\Tariscope4\Scripts
Scripts can be written in Visual Basic.Net (VB.Net) or C#. You can see only VB.Net scripts among the scripts delivered with the Tariscope. Files with these scripts have the 'vb' extension. There is a file of fraud.vb in the Scripts folder. It allows you to send a notice to the email address specified in the script or email address specified in the Tariscope settings on the outgoing international calls with duration more than 150 seconds.
To create new scripts or edit existing ones, naturally, it is desirable to have an understanding of programming in VB.Net or C# and how to create SQL queries.
If you are not sure of your abilities, better to contact SoftPI because an incorrectly written script can harm the Tariscope system. Creating scripts is not included in the warranty service and it is performed at an additional fee.
The structure of all the scripts that are used in Tariscope is the same. Every script implements the Iscript interface.
This interface has two methods:
- the Init method. This method is called once during the script runs when the Tariscope Observer compiles and initializes this script.
- the Main method. It contains operations which are related with a specific event. The Parameters object, which is different for each type of event, is passed into the method.
When initializing a script, the IscriptHost class is passed in it, which allows the script to execute some operations. For example, to send an email notification.
A listing of the script is shown below.
Option Strict Off
Imports System
Imports System.Data
Imports SoftPi.Tariscope.Common
Imports SoftPI.Tariscope.Observer
Imports System.Windows.Forms
Imports Microsoft.VisualBasic
Imports System.IO
Imports System.Collections
Imports System.Collections.Generic
Imports SoftPI.Tariscope
Public Class FraudScanner
Implements IScript
Private Host As IScriptHost
Private NeedFinish As Boolean = False
'
'
Private MAX_CALL_DURATION_S As Integer = 150
Private CALLTYPE_INTERNATIONAL As Integer = 5
'
'
Public Sub Init(ByVal host As IScriptHost) Implements IScript.Init
Me.Host = host
AddHandler host.Close, AddressOf OnClose
NeedFinish = False
End Sub
Private Sub OnClose(ByRef Cancel As Boolean)
Return
End Sub
Public Sub Main(ByVal Parameters As Object) Implements IScript.Main
Dim actionParameters As NewCallActionParameters = DirectCast(Parameters, NewCallActionParameters)
Try
Me.Host.AddEvent("New call processing, ID=" & actionParameters.Id)
Using cn As SqlClient.SqlConnection = New SqlClient.SqlConnection(Me.Host.DatabaseConnectionString)
cn.Open()
Dim CallItems As DAL.CallItems = DAL.CallItems.Instance(cn)
Dim cmd As SqlClient.SqlCommand = CallItems.GetCommand("SELECT ID, Originator, Terminator, CallDateTime, CallSeconds, CallType FROM viCalls WHERE ID=@callid")
cmd.Parameters.AddWithValue("@callid", actionParameters.Id)
Using rs As SqlClient.SqlDataReader = cmd.ExecuteReader()
If rs.Read() Then
If rs.GetInt16(5) = CALLTYPE_INTERNATIONAL AndAlso rs.GetInt32(4) > MAX_CALL_DURATION_S Then
Me.Host.SendMail("", "Fraud Detection system", "Suspicious call detected. ID=" & actionParameters.Id & " CallDateTime=" & rs.GetDateTime(3) & " Call duration=" & rs.GetInt32(4))
End If
End If
End Using
End Using
Catch ex As Exception
Me.Host.AddEvent("Error running script:" & ex.ToString)
End Try
End Sub
The code above for a man far from programming may seem very difficult one to understand. Actually that's not quite true. In the text of script, the lines of the code, in which you can make changes if it is necessary, are highlighted in red.
Consider the first two selected lines:
Private MAX_CALL_DURATION_S As Integer = 150
Private CALLTYPE_INTERNATIONAL As Integer = 5
These lines declare two Integer variables: MAX_CALL_DURATION_S and CALLTYPE_INTERNATIONAL. And they are given specific values. The variable MAX_CALL_DURATION_S is set to the value of the call duration (150 seconds = 2 minutes 30 seconds). This variable is used for comparison with the duration of each international call. All calls with duration more than this value should be considered to belong to fraud. The value in 150 seconds can be replaced with any other value. To select exactly international calls the CALLTYPE_INTERNATIONAL variable is used. It is assigned a value of 5, that means the CallType field corresponds to international calls. In order to understand where this value is taken you should refer to the document "Tariscope 4. x. Database schema", a description of the Calls table.
The next selected row:
SELECT ID, Originator, Terminator, CallDateTime, CallSeconds, CallType FROM viCalls WHERE ID=@callid
SQL query string are formed here. The query allows you,to get the following fields of the viCalls view for the current call:
- ID. The identifier of entry.
- Originator. The phone number from which the call was made.
- Terminator. The telephone number to which the call was made.
- CallDateTime. Date and time of the call.
- CallSeconds. Call duration in seconds.
- CallType. Type of call.
If necessary, you can obtain other call parameters from the list of fields of the view (see the document "Tariscope 4. x. Database schema").
The next selected line of the script performs data analysis for compliance with the specified conditions:
rs.GetInt16(5) = CALLTYPE_INTERNATIONAL AndAlso rs.GetInt32(4) > MAX_CALL_DURATION_S
It is used in an IF statement as a condition for comparison. It consists of two conditions:
- rs.GetInt16(5) = CALLTYPE_INTERNATIONAL
Takes the value of the 5-th field of the query (the CallType field in SQL query). Counting fields begins with 0. The field value is compared with the value of the variable CALLTYPE_INTERNATIONAL. I.e. this condition allows you to identify whether this call is an international one. - rs.GetInt32(4) > MAX_CALL_DURATION_S
Takes the value of the 4-th field of the SQL query(CallSeconds). The countdown begins with 0. The field value is compared with the value of the variable MAX_CALL_DURATION_S.
Both conditions are combined with AND logical operator. The action that is specified after the Then operator will be executed only when both conditions are executed. This action is a send of an e-mail message that is defined by the following expression:
Me.Host.SendMail("", "Fraud Detection system", "Suspicious call detected. ID=" & Parameters & " CallDateTime=" & rs.GetDateTime(3) & " Call duration=" & rs.GetInt32(4))
Me.Host.SendMail () is a function that sends an e-mail message. This function has three parameters that are inside the parentheses, separated by commas:
- The first parameter specifies the e-mail address where the message is sent. If this parameter is empty ("") as shown in the above expression, then the email address is used that is provided in the Tariscope configuration → Notifications and mail. If you would like to send a message to another address than specified in these settings or you have not configured this parameter in Tariscope, then you should set this address, for example, "This email address is being protected from spambots. You need JavaScript enabled to view it.".
- The second parameter is the subject of the e-mail message. In this script, this is "Fraud Detection system". Optionally, you can replace this it.
- The third parameter is the content of the message body. In this script, this is: "Suspicious call detected. ID=" & Parameters & " CallDateTime=" & rs.GetDateTime(3) & " Call duration=" & rs.GetInt32(4).
Consider this line in more detail.
Part of a string "Suspicious call detected. ID=" & Parameters can be replaced, for example, the following:"Detected a suspicious call with ID = "& Parameters. The value of this identifier is contained in Parameters..
The next part of the line " CallDateTime=" & rs.GetDateTime(3) will display the date and time of this call. May be more for better readability, if this part of the line replaced by the following: The date and time of the call:" & rs. GetDateTime (3)
And, finally, " Call duration=" & rs.GetInt32(4) allows you to get the call duration.
In the SQL query, which is discussed above, there is a request of other parameters: Originator and Terminator. Accordingly, their values can also be displayed in the body of the email. To do this, add the following line:
“ The call was made from" & rs. GetString(1) "to the number" & rs. GetString(2)
If you modify the SQL query, you can display a subscriber name who made the call, a city name where the call was made, and other information.
Now let's return to our conditions to identify calls that can be suspected as fraud. Let’s add a first analysis of the call cost. To do this, we add the MAX_CALL_COST variable for which we set the value of the call cost that can be seen as suspicious. For example, let it be the value 3. It means the script must respond to any call whose value is greater than 3 (USD, Euro or other currencies).
Private MAX_CALL_COST As Decimal = 3.0
Now you need to add getting information about the cost of the call. To do this, use the description of the viCalls view to find a required field in the document “Tariscope 4.x. Database schema. This field is Cost. Then, the query will be as the following:
SELECT ID, Originator, Terminator, CallDateTime, CallSeconds, CallType, Cost FROM viCalls WHERE ID=@callid
If we are not interested in the call duration, we can exclude the CallSeconds field from the query. And now, having been data using this SQL query, we need to analyze it in relation to the satisfaction of the conditions of interest: international calls with the cost of more than 3. For this line, where the analysis is executed, should be written as follows:
rs.GetInt16(5) = CALLTYPE_INTERNATIONAL AndAlso rs.GetInt32(6) > MAX_CALL_COST
This line assumes that the CallSeconds field is in the query. If it was deleted, a string of data analysis changes the values in brackets that indicate the number of the field in the query, starting with 0:
rs.GetInt16(4) = CALLTYPE_INTERNATIONAL AndAlso rs.GetInt32(5) > MAX_CALL_COST
Now we increase search conditions for calls, which can be seen as fraud. We will analyze the international calls costing more than 3 money units that were made from 7 PM to 8 AM. To do this, we create two variables to the end of working time - END_OF_WORK and to the beginning of working time - BEGINNING_OF_WORK.
Private BEGINNING_OF_WORK As TimeSpan = TimeSpan.Parse("08:00:00")
Private END_OF_WORK As TimeSpan = TimeSpan.Parse("19:00:00")
In the document "Tariscope 4.x. Database schema" we find the CallDateTime field that contains the date and time of the call, and add it to the SQL query:
SELECT ID, Originator, Terminator, CallDateTime, CallSeconds, CallType, Cost FROM viCalls WHERE ID=@callid
To analyze the results of the query, we will use the following expression:
rs.GetInt16(5) = CALLTYPE_INTERNATIONAL AndAlso rs.GetInt32(4) > MAX_CALL_DURATION_S AndAlso (rs.GetDateTime(3).TimeOfDay > END_OF_WORK OrElse rs.GetDateTime(3).TimeOfDay < BEGINNING_OF_WORK)
If we interest in any time at weekends in addition to nonworking time, then the above expression should be a bit more complicate. We add an analysis of calls that were made on Saturday or Sunday:
rs.GetInt16(5) = CALLTYPE_INTERNATIONAL AndAlso rs.GetInt32(4) > MAX_CALL_DURATION_S AndAlso (rs.GetDateTime(3).TimeOfDay > END_OF_WORK OrElse rs.GetDateTime(3).TimeOfDay < BEGINNING_OF_WORK) AndAlso (rs.GetDateTime(3).DayOfWeek=DayOfWeek.Sunday OrElse rs.GetDateTime(3).DayOfWeek=DayOfWeek.Saturday)
Similarly, you can further complicate conditions for identifying calls with signs of fraud.
When using scripts for additional processing of calls data, you should always remember that it's use increases the load on the server and can result in slower processing. In addition, if the data about calls come into the program with a delay, for example, when receiving them via FTP server, the notification of suspicious calls will also be formed with delay.
If the above information is not enough to create the script, contact SoftPI support.
Links
1. http://cfca.org/fraudlosssurvey/2015.pdf
2. Tariscope is a call accounting and billing system
2. Solutions
