FAST – Fraud Management & Revenue Assurance

The FAST Application is a break-through,  high performance transactional storage, analysis and evaluation platform with strong focus on functions for Fraud Management, Revenue Assurance, Customer Experience Management & Churn Prediction.

FAST realizes 4th Generation Fraud Management with an highly effective rule & case manager,  powerful data mining technologies, semi-automatic threshold settings and astonishing real-time detection technologies making the system in all areas truely fast.

Making unlimited complex detection at the same time simple, interactive on compact HW  – this is FAST.

Fraud Management

Fraud Detection Coverage

FAST allows to detect a large set Fraud Types in Mobile, Fixed and IP Networks covering basically any fraud scenario, amongst others it can detect:

• Interconnect Abuse
• SIMBOX fraud
• Illegal IMEI use
• IMEI Reprogramming, SIM Stuffing
• Subscription Fraud
• Roaming Fraud
• International Revenue Share Fraud
• Call Conference/ Multi-Party Calls / Parallel Transactions
• Call Forwarding Fraud
• Premium Rate Service (PRS)
• SIM Card Cloning
• Mobile Malware
• Proxy Fraud
• PBX Hacking
• Call Selling
• Inbound Roaming Fraud Risk to VPMN
• Social Engineering
• M-Commerce Provider PRS Fraud
• M-to-M Fraud

Transaction Storage Engine

Key component of the FAST application is a powerful InMemory DataBase, which is based on proprietary storage algorithms and SQL for efficient, massively parallel and extremely fast storage, access and processig of generic xDRs and any related enrichment data.

xDRs are accessible very quickly by different access dimensions and as such allow to analyse subscriber or Network behavior from different views: E.g. from MSISDN view, from B-Number point of View, or from more network oriented views (Cell or Switch related).

Fraud Detection Core Functions

To detect a broad range of different fraud types FAST provides a very powerful fraud detection engine.

This engine allows to cover and combine a set of multi-dimensional analysis requirements,e.g.:

  • Access to basically any attribute of  transactions (calls,sms, data,..)
  • Aggregated subscriber behaviour, like sum of costs, sum of events,…
  • Taking into account usage of different services
  • Time dependencies between services. E.g first Scenario 1, then Scenario 2
  • The Subscriber Space: new or old subscriber, good or bad payment behavior
  • Different time dimensions in the observation: from minutes, over hours and days to weeks and possibly months.

The challenge is to offer a maximum detection scope and providing computational results in a near-real-time fashion even for extreme high data volumes.

As a consequence a hierarchy of rules is provided – all in realtime:

XDR Limit Rule

The Rule XDR Alarm supports the supervision of subscribers in freely configurable time intervals.
These time intervals can reach from 60 minutes up to 30 days.

With an XDR Limit Rule the occurrence of a set of specific XDR Patterns can be observed, or cost conditions can be formulated. High frequency usage of specific services (premium service, roaming, international,..) , multiple dialling of a set of listed numbers can be detected.

For the Limit XDR Alarm the evaluation basis is the full set of Attributes from the FAST related standard xDR, combined here with a frequency or cost condition in a configurable time interval.

With the Rule XDR Alarm typical queries, like

• “Who called number +49494419* at least 10 times during the last 12 hours”
• “who made more than 20 calls in Cell 2494”
• “who roamed in Canada and made more than 10 calls to Egypt”

can easily be formulated.

Rule Aggregated Alarm:

The Rule Aggregated Alarm is applied on aggregated call behaviour.

For this purpose the FDA application provides a large set of specific aggregation attributes.
Examples are here e.g. the number of Calls, number of international Calls, total costs for all calls, total costs for national, international, premium, roaming calls and many more.

In addition for this alarm a broad range of specific attributes and functions is available, which in many cases quickly lead to the detection of potentially fraudulent behaviour. E.g. the number of different cells being used, the call diversity exposed, average usage during night, or day. The Usage of subsequent dialling numbers (…21,…22,…23), or the number of parallel calls are other attributes, which provide valuable fraud related information.

The Rule Aggregated Alarm allows the simple combination of the available attributes in mathematical formulates (+,-,/,%,*, AND, OR, NOT, &, ||,..) as well as the combination of the attributes or formulas with predefined functions, e.g. like regular expressions, list lookups, string manipulations etc.

Here an example for the Rule Based alarm:

Within a 12 Hour Period: (National Costs > 50 €) OR (International Dialling > 30 €) OR (INCOMING CALLS < 2) and (CALL DIVERSITY > 0.9) and (MORE THAN 50 CALLS OUTGOING MADE)

Profiler Alarm:

The customer profile is an important method to derive behavioural attributes for Fraud Detection.

Daily xDR information is collected in the system and aggregated on daily, weekly and (multi-)monthly level.
The xDR information is split into the most important traffic/usage factors, like:

• National Revenue
• International Revenue
• Premium Service Revenue
• Roaming Service Revenue
• Value Added Service Revenue
• Data Services Revenue

Additional differentiators are:

• Minutes of Use (Voice)
• Number of SMS
• Data Volumes

Since the initial usage is logged, the “network age”, as well as other behavioural factors (Private or Business Usage, Low Volume/High Volume Use, non-regular/regular Roamer) can be derived and are available for alarm evaluation.

Profiler alarms allow to monitor longterm subscriber behaviour.

Profiler reference data can be linked with other alarms to enrich the data to be analysed.

Time Dimensions and Aggregation Dimensions for Rule Definitions

FAST supports basically any supervision interval: be it hours, days or weeks.

Views on activities can follow the standard approach: e.g. from a subscribes perspective, or aggregating onto a customer view. However network oriented views (per cell, per switch) are easily supported.


Case Manager

The FAST-All-In-One Case Manager provides a quick access to the most critical cases, provides a set of drill-downs onto subscriber behavior in short,mid and longterm traffic patterns.

Quick counter-actions can be applied in seconds.

A simple life-cycle workflow manager keeps complexity of case management to a minimum


SVM/Neuronal Engine

FAST contains a smart module.

Via an integrated R-Module the usage of “Support Vector Module” learning technologies is supported.

Get Case Information, decide on Fraud or Non-fraud and the hidden SVM Module analyses and learns decisions from the past to improve the prediction for the future.

SVM technology is provided on an-industry-stable level. Complexity of the computation is hidden by the user-interface, and probability indicators are provided to the customer as Case Scoring enhancement.


Smart Reporting  

In many cases a Fraud Analyst has an initial feeling about some base fraud scenarios in a network.

But does he know in detail, what is going on in the network ?

Also for Revenue Assurance purposes a detailed understanding of network streams, high usage and low volume times is important.

To provide a potentially deep view into the network streams and traffic the SmartReport module is made available. It allows to analyse the traffic; here some examples of potential analysis questions are listed:

  • what is the most busy cell in the network
  • What is the most used international destination?
  • What is the hourly number of calls from Cell25 to the capital city?
  • Which is the most frequently dialled number in the network
  • From which sources are most of the incoming SMS sent.
  • How many long duration calls are being made
  • Is there any hot cell, from which most of the fraud comes
  • Are there any peaks or dips in network traffic
  • Which carriers are used for incoming traffic and what are peak times
  • How many calls of a duration of more than 3 hours are made?

Integration of SmartReport with the R Programming Language – high end Evaluations

FAST is linked to the “R Programming Language”. Via the User Interface the result data of the TrafMiner queries can be interpreted via th R-Programming language. Within the FAST environment access to the powerful evaluations of R and thousands of “R” script packages” are possible.

This approach provides a huge analysis space, which not only provides powerful mathematical evaluations, but also a large library of graphical displays and even computational packages.

Here a set of core features of the R Programming language:

  • „R“ language is an interpreter, not compiler. As such very quickly formulas or data manipulations can be executed.
  • Scripts can be saved and executd, so that powerful analysis scenarios can be executed on schedule
  • R programming language provides very simple complexities (e.g. like a calculator) as well as access to a large set of packages
  • R is Object oriented and has Vector and Matrix Data types which are mapped with the tabular output from TrafMiner.
  • R provides hundreds of functions: max, min, average, length,….

R provides a set of graphical options to provide a large set of different graphs.


Revenue Assurance Functions

In the Revenue Assurance domain, FAST provides a set of core analysis modules:

  • xDR Leakage Analysis
  • Prepaid Verification
  • Provisioning Cross-Check
  • Rating Verification
  • Interconnect Verification

XDR Leakage Analysis

Focus in this area is to identify unexpected loss/leakage of xDR data in the Rating & Billing chain.

The module has the following key functions:

Flexible configuration of multiple Streams to “Compare Streams”

  • Flexible filtering of input data for Compare Streams with FDAL.
  • Flexible data enrichment for Compare Streams
  • Configuration of compare functionality
  • Reporting: Single Report, Aggregated Daily, Weekly, Monthly reconciliation reports
  • Missmatch of xDRs, Monetary Mismatch Value
  • Support of different Mismatch categories

Multiple Leakage Controls can be defined, e.g. to control the complex Rating & Billing Chain, to concentrate on single components, or to focus on individual data streams (Prepaid, Postpaid)

Rating Verification

The FAST-Rating Engine can emulate the computation of xDR prices and compare the emulated prices with the prices actually exposed in the xDRs.

The Rating Engine can support almost any type of tariff modell, is not limited in the number of tariff models and can also integrate budget, bundle oriented price structures.


Prepaid Verification

With the prepaid verification module the error free and complete processing of transaction by a prepaid system can be controlled and verified.

Verifications typically require the provisioning of Dumps of Subscriber balances including all processed xDRs as well as Refills or Voucher transactions for the concernend period.

This module verifies is all transaction are correctly assigned to subscriber buckets so that consequentially all balances do not exposes unprocessed transactions.

Any differences on subscriber level, individual bucket level or generic sysetm faults will be reported.


Provisioning Verification

This module verifies if all observed subscribers transactions are in line with the provisioned services.

E.g. a subscriber is “roaming” outside the Home country, but the HLR does not assign this service for the specific subscriber. Or, a subscriber uses a GPRS service, but there is no GPRS service configured in the Billing System. Any of such configurational contradictions would be identified and reported.

This service requires the import of subscribed services to the FAST application.