LTE/UMTS Traffic Fraud Prevention

With the economic development as well as the development and competition in the mobile communication market, in recent years, the number of mobile phone users in China has increased rapidly. At the same time, fraud occurs and the means are advanced increasingly, which brought approximately more than 3% to 4% loss of the overall operation amount to the telecommunication operation department. In addition, fraud influences the benefits of mobile users, and common users lose confidence in operators' charging accuracy, resulting in bad social effect.

Types of Frauds

1. Technical Fraud

The fraudster takes advantage of incomplete security of the communications network. For example, in a simulated mobile network, MIN/ESN transmitted from a mobile phone to the base station may be intercepted in the air, resulting in off-hook state.

2. Device Fraud

The fraudster uses a stolen or fake mobile phone or SIM card, or reuses a discarded phone. This fraud is very common in the simulated network.

3. Fraud due to Loophole in Business Rules

The telecom operators define that no fee will be charged for an abnormal end of the call, caused by network reasons. The fraudster may interrupt the signal connection between the mobile phone and the base station before the end of the call, causing loss of telephone charges.

4. Roaming Fraud

The fraudster takes advantage of the time delay in the transmission of roaming bill and the difficulty in coordination among the operators in different regions or different countries.

Means and Measures for Preventing Fraud

1. Conflict Detection

Sorting CDRs according to the phone number of served user, call time, call place and the attributes of the calling party and called party, and detecting conflicts in time, places and numbers.

2. Comparison and Matching of Behavior Patterns

Recording the service behavior pattern of each user, including roaming condition, use of international and domestic long-distance services, monthly telephone fee, call time, interval of calls, common call types, call peak time, call destination, special call numbers, etc. Recording the historical behavior patterns, and making a comparison. If an obvious difference is found, it should be deemed as an abnormal behavior. In this condition, the system will perform further trace analysis, and the service administrators may contact customers.

3. Cluster Analysis and Comparison

Classifying a large number of users into several categories by the cluster analysis algorithm according to some quantitative indexes including monthly telephone fee, proportions of long-distance telephone fee and international long-distance telephone fee in the monthly telephone fee, daily average call duration, number of calls, average duration of each call, call time, peak time, etc. Users can select the above-mentioned indexes in accordance with different situations, and define the priority of handling. Setting an optimization threshold according to classification algorithm and statistical evaluation, and comparing current service condition with the threshold. If it exceeds the threshold, do further analysis or contact customers.

4. Control of Maximum Telephone Fees

Setting a maximum telephone fee threshold for each user in the charging center or service management system according to their call logs, credibility, payment methods, etc. Once the monthly accumulated charge of a user exceeds the threshold, an alarm will be given immediately.



Characteristic: The L3 target address is not a real host server address.

Host/URL Fraud Prevention Solutions

1. Acquiring the IP address of actual free service by using DNS query and response packet, and creating a mapping table on the gateway device automatically.

2. During the configuration of gateway rules, restricting that all the L3 addresses of a free service must be the addresses in the mapping table.

3. Visiting the free service. If the target address is one in the mapping table, the free service can be matched. Otherwise, it cannot be matched.

DNS Port Fraud

Fraud Method: Identifying DNS packet through a port as planned by the operator, and setting it as a free rule

Characteristic: The fraud packet is not a real DNS packet

DNS Port Fraud Prevention Solutions

1. Enabling DNS L7 resolving function.

2. The matching rule of the fake DNS packet fails because L7 cannot be identified as DNS service.

DNS Tunnel Fraud

Fraud Method: Sending fraud packet to the fraud DNS server by utilizing DNS free service planned by the operator, making the DNS packet contain real access data, and utilizing the principles of DNS recursive query and iterative query.


1. The Type field of DNS query or response packet is Null or TXT, while a normal DNS packet will not use that Type value.

2. The DNS packet is relatively long due to containing fraud data.

3. The proportion of the DNS packet is larger in DNS Tunnel fraud.

DNS Tunnel Fraud Prevention Solutions

1. Deploying and enabling DNS Tunnel fraud prevention service switch under APN

2. The gateway judges whether the Type value of the DNS packet is Null or TXT according to users

3. If the Type value is Null or TXT, it is deemed as a fraud, and then the packet will be blocked.

Welcome to contact us Contact us