The Detection of Fraud in Mobile Phone Networks

P. Barson†, S. Field†, N. Davey*, G. McAskie†, R. Frank*.

† BNR Europe Limited, London Road, Harlow, Essex, UK, CM17 9NA
* School of Information Sciences, University of Hertfordshire, Hatfield, Herts. AL10 9AB

P.Barson@bnr.co.uk, S.D.H.Field@bnr.co.uk, N.Davey@herts.ac.uk, G.McAskie@bnr.co.uk,

R.Frank@herts.ac.uk

Abstract

1. Introduction

Mobile phone fraud is the unauthorised use of the telecommunications network accomplished
through deception. Mobile phone fraud is an enormous problem for network providers and
their users: in some local areas it is estimated that more than half the use is fraudulent. In this
paper we report on the use of a supervised feed-forward neural net to detect anomalous use.
Some of the characteristics of mobile phone fraud problem mainly in the changing pattern of
use of the phone suggests a neural computational solution to this problem. Also a neural
network solution is desirable because generalisation from a data set of normal and fraudulent
use is required in order to identify new fraud.

As with many applications of neural nets, the major problem here has been finding a
representation of the data that adequately captures its relevant aspects. The issue is complicated
here as we need to identify sequential temporal patterns as fraudulent. Our solution is described
in Section 3. Section 2 describes the problem of fraudulent use of cellular phones, and gives a
brief overview of other systems to tackle it. A description of our neural net model follows,
together with the initial results, which are discussed in the context of our ongoing work.

2. Background

2.1 Mobile communications

There are currently two types of mobile phone communication available. One operates on
analogue networks, in which speech is sent as a continuous wave signal, and the other uses
digital transmission, in which the traffic is in the form of a rapid stream of binary pulses. In
Britain, the most heavily subscribed systems use the analogue networks. With both types, at the
beginning of transmission an identifying signal is transmitted with the voice data to enable
access onto the telecommunications network. With digital systems this identification signal is
encrypted. The identifying signal contains information about the mobile phone account,
allowing the network equipment to keep track of the call, maintain the connection between the
two parties whilst the users are mobile, and also to perform billing activities. Analogue systems
are more vulnerable to fraud as it is not possible to encrypt the identification codes that are
transmitted along with the voice data.

2.2 Mobile phone fraud

Fraudulent use within mobile communications networks is costing the industry millions of
dollars each year. In 1994, the estimated cost to the US industry was approximately $482
million, representing 3.7% of revenues [CTIA, 1995]. In Britain, costs are estimated at anything
between $300-$600 million, and with more than 4 million users and subscription currently
rising by 80% each year, this figure may increase substantially. As with any type of fraud, it is
difficult to provide precise estimates of the cost to the industry as some fraud may never be
detected. Equally, some operators are reluctant to provide figures of the costs as it may provide
information which would enable the fraudsters to target their efforts at particular operators.

There are several types of mobile phone fraud, including:

• Phone cloning - gaining access to the network by emulating the identification code of
another genuine mobile phone. Here, unauthorised handsets are used which operate on
authentic identification codes. The data contained on a mobile phone chip is copied from
one mobile phone and embedded into another. This type of fraud results in multiple
occurrences of the phone unit where the users may or may not be aware that they are using
a clone. The identification codes are collected by fraudsters from public places, with the use
of a scanner. This activity can be carried out in a number of ways, including airport
terminals and placing a scanner in a stationary vehicle next to a busy road. No fraud of this
type has yet been discovered with a digital mobile phone, as the identification codes are
encrypted.

• Subscription fraud - using false identification details when subscribing to a mobile phone
network. This type of fraud is often not spotted until a bill is not paid. The mobile phone in
question may also be cloned, leading to more than one instance of a phone using the same
account.

• Phone theft - when a legitimate phone is either lost or stolen and is being used by an
unauthorised user. Again, the stolen mobile phone may also be cloned. In Britain alone,
approximately 15,000 mobile phones are currently being stolen every month. [Bannister,
95]

Different geographical locations suffer from differing levels of fraudulent usage of the phone
networks. For instance, in Los Angeles as a whole, it has been estimated that 30% of all calls
made are fraudulent [Alspector, 95]. In the Port Authority area of New York, it has been
estimated that this figure rises to 60%.

2.3 Fraud detection

There are a number of difficulties associated with identifying fraud, namely:

• Fraud is dynamic by nature: fraudulent behaviour will change over time.

• The size of the problem area is vast, due to the number of users on a network, and the
number of calls made.

• Some forms of fraud are known about and recognisable, however, it is also important to
identify novel forms of fraud.

• Rapid identification of fraud is needed: losses from a given case of fraud tend to grow
exponentially [Bliss & Decembrele, 1993].

• Some forms of fraud are particualrly costly and should therfore should be the subject iof
special attention e.g. international phone calls.

• Customer transparency. A customer should not see the fraud detection system in action.
The anomaly detection system should not be automatic but act as a filter and intelligent
assistant to a human fraud investigator. Security checks should be made by the fraud
investigator before a phone is cut off.

Detecting fraudulent use can be seen as identifying behavioural changes associated with a
particular mobile phone account. Thus, the requirement is to identify pattern of use changes of a
phone. The normal behaviour pattern may be modelled using a statistical analysis of the long-
term use of the phone, which is can then be compared with the more recent pattern of use. A
difference between recent and historical calling behaviour may indicate fraud.

2.4 Previous work

Neural networks have previously been used to detect fraud in a number of similar domains,
including credit card fraud and calling card fraud.

2.4.1 Calling Card fraud

The work carried out in detecting calling card fraud -- the fraudulent use of a calling card
account in order to avoid paying for calls [Yuhas, 1993; Connor, et al, 1995] -- is quite similar
to our work. If users use a calling card account to make calls they are vulnerable to fraud, as it is
all too simple to discover the calling card number and its associated PIN. Neural network
approaches to detecting calling card fraud involve establishing an historical pattern of behaviour
for a user, and then comparing recent behaviour with that historical behaviour. If the recent
behaviour is significantly different, then it may be possible to recognise this as fraud. Both
unsupervised clustering [Yuhas,1993] and supervised feedforward networks [Connor, et al.
1995] have been used in this area.

Also noteworthy is the knowledge based approach to cellular phone fraud detection of Davis
[Davis 1992] in which a rule based sytem is described.

2.4.2 Credit card fraud

HNC Inc. have developed a neural network based credit card fraud detection system which in
June 1994 was being used to analyse over 50 million accounts. It had already been used to save
credit card companies over $50 million.

Visa International estimated that credit card fraud amounted to 0.2 percent of world-wide Visa
card business in 1993, resulting in a total amount lost of $655 million [Norton, 1995]. Visa
International have developed a neural network system which learns a pattern of behaviour for
each user. It can then detect when this behaviour pattern deviates from normal usage. Every
account holder will exhibit behaviour that differs at some point or other, for instance when a
significant event in a person's life, such as a wedding, approaches. Visa's neural network allows
for the users behaviour to change over time, and is also being used to collate information on
patterns of fraud, which can then lead to a reduction in the time taken to detect fraudulent
behaviour.

3 A Neural Computation Solution

3.1 Overview

Whenever a completed phone call is made a call detail record (CDR) is created. Depending on
the operation currently being performed the structure of these will vary, however for our
investigations we have produced a generic record which encapsulates all the salient features
which are required. These include: account number, telephone number, date and time of call, the
duration, the originating area and receiving area, as well as a number of other fields. These
records therefore constitute an enormous database within which anomalous use must be
detected.

The type of problem here is unusual and difficult, as it mixes both static classification and
temporal prediction. Anomalous use has to be classified as such, but only in relation to an
emerging temporal pattern. Over a period of time an individual phone will generate a
macroscopic pattern of use, in which, for example, intercontinental calls may be rare; however
within this overall pattern there will inevitably be violations: on a particular day the phone may
be used for several intercontinental calls.
Against this background anomalous use can be identified as belonging to one of two types:

• The pattern is intrinsically fraudulent - it will almost never occur in normal use. This type is
relatively easy to detect.
• The pattern is anomalous only relative to the historical pattern established for that phone

In order to detect fraud of the second type it is necessary for a neural network to have
knowledge of both the historical, macro, behaviour of the phone and the recent micro behaviour.
We have chosen to present both of these pieces of information as input vectors to the net. The
output then is a two bit representation of the credibility of these two inputs when taken together.
Note that this method also copes quite adequately with fraud of the first type since this should
be evident regardless of the historical behaviour. The overall process is visualised in Figure 1

Usage
A window of
recent use

Time

Figure 1. A simplified view of phone use against time. In reality the usage vector is not a
scalar but belongs to a multi-dimensional space. To detect anomalous use of the unit a
window is taken over the most recent activity and this is validated against the historical profile
by the neural net.

3.2 Details of the Model

For each user within the network the details gathered from the CDR's are recorded as a
statistical representation; as a user profile. This includes: the proportion of local, national and
international calls, number of units used, number of calls and aver duration for that user, as well
as other details. These are collated over two time periods; historical and recent. The historical
profile must be periodically updated to reflect gradual change in the use pattern of the unit.
Several of the fields are subjected to differing normalisation techniques, in order to maintain no
a-priori preference for one field over another, before the profiles are presented to the network.
Our first experiments have used a Multi-Layered Perceptron network, with 18 input units,
various hidden unit configurations and two output units representing, one to represent valid use
and one for fraudulent use.

4. Experimentation

A telephone network was simulated stochastically, several hundred users made calls according
to predefined characteristics. Individual users belong to one of six basic types, varying from a
low use local individual user to a high use international business user. Within these groups
there is random variation, so that individual users are highly unlikely to have identical
characteristics.
For each user a historical profile is then created, but roughly half of the users are then given
usage patterns for their recent behaviour which are fraudulent. These patterns adhere to one of
several different types, such as a major increase in usage or a large number of intercontinental
calls. The remaining users are given recent behaviour that is concommitant with their historical
pattern. The training set for the neural network is then created from all of these user profiles.

During testing of the network the same set of users is used but now with a different set of
recent patterns, again roughly half are fraudulent.

4.1 Results

Figure 2 shows the networks performance for the fraudelent profiles. A similar graph is
produced which represents normal behaviour. The confidence figure represents the value of the
output node representing valid use subtraced from the value of the node representing fraudulent
use.
The accounts in the lower part of the graph are divided between border-line cases and mis-
classified results. For example the missclassifications on the left of the figure represent low
usage accounts, where it is difficult to detect anomolies due to the paucity of data. Some of the
misclassifications on the right are made up accounts where a high use of intercontinental calls
are made; again it is hard for the net to pick some forms of fraud against this historical
background. Both of these scenarios correspond with common sense expectations.

Figure 2. A visual representation of the network validation.

4.2 Discussion

With the test data we have used it can be seen that the network performs very effectively. Initial
results show the network correctly classifying 92.5% of the data.

Two important and related representational questions underlie this approach. Firstly the size of
the window over which the recent behaviour is taken has a major influence over the performance
of the system. If the window is too large then considerable fraudulent use may take place
before it has sufficient impact on the previous normal use for it to be detected. On the other
hand if the window is too small then normal variation in use may trigger a fraudulent
classification; a delicate balance is required. Related to this is the issue of decaying the
historical data. Clearly the more recent the data the greater the salience it has - our
representation does not currently capture this.
There is another open question: how well will the network deal with fraudulent use of a type it
has never seen before? In this case a supervised MLP may be expected to have difficulty. This
suggests an unsupervised Self Organizing Map neural model. This suggestion is discussed
briefly in the next section. All of these issues are currently being investigated and will be the
subject of a further paper.

6. Conclusion

Against the limited objective of finding anomalous behaviour within our simulated database of
CDRs the representation of changing behaviour and the neural net used perform well. The
approach used is clearly promising, but several major issues are still to be resolved, as described
in section 4.3.

References

Alspector, J., Comments made during invited presentation at International Workshop on

Artificial Neural Networks, Malaga, Spain, 1995. See also Connor, et al, 1995.

Bannister, N., When the mobile phone users want to dial 999 - but can’t, Guardian newspaper,
May 22 1995, pp. 15.

Barson, P., N. Davey, S. Field, R. Frank, & D.S.W. Tansley, Dynamic Competitive Learning
Applied to the Clone Detection Problem, Proc. Int. Workshop on Applications of Neural
Networks to Telecommunications 2 pp234-240, Sweden, Laurence Erlbaum Associates, 1995.

Bliss, M. & K. Decembrele, Fraud: A Complex Problem for Telecommunication Service

Providers, Proc. 16th Annual Pacific Telecommunications Conference, pp651-653, 1993.

CTIA: Cellular Telecoms Industry Association, Proceedings of Fraud Control in

Telecommunications, London, 1995.

Connor, J., L. Brother, & J. Alspector, Neural Network Detection of Fraudulent Calling Card
Patterns, Proc. Int. Workshop on Applications of Neural Networks to Telecommunications 2
pp363-370, Sweden, Laurence Erlbaum Associates, 1995.

Davis, A.,B., Knowledge Based detection of cellular clone fraud, GTE Laboratories Technical
Memorandum TM-0542-04-92-176, 1992.

Kohonen, T. The Self Organising Map, Proceedings of the IEEE, 78(9).

Norton, M., Close to the Nerve, Banking Technology, Dec 1994 - Jan 1995, pp. 28-31.

Yuhas, B., Toll-Fraud Detection, Proc. Int. Workshop on Applications of Neural Networks to
Telecommunications pp239-244, Laurence Erlbaum Associates, 1993.