Fraud Detection Module

Andrei Daniel Datcu

   <datcuandrei@gmail.com>

   Copyright © 2014 OpenSIPs Foundation
   Revision History
   Revision $Revision: 1 $ $Date$
     __________________________________________________________

   Table of Contents

   1. Admin Guide

        1.1. Overview

              1.1.1. Monitorized Stats
              1.1.2. Fraud rules

        1.2. Dependencies

              1.2.1. OpenSIPS modules
              1.2.2. External libraries or applications

        1.3. Exported Parameters

              1.3.1. db_url (string)
              1.3.2. table_name (string)
              1.3.3. rid_col (string)
              1.3.4. pid_col (string)
              1.3.5. prefix_col (string)
              1.3.6. start_h (string)
              1.3.7. end_h (string)
              1.3.8. days_col (string)
              1.3.9. cpm_thresh_warn_col (string)
              1.3.10. cpm_thresh_crit_col (string)
              1.3.11. calldur_thresh_warn_col (string)
              1.3.12. calldur_thresh_crit_col (string)
              1.3.13. totalc_thresh_warn_col (string)
              1.3.14. totalc_thresh_crit_col (string)
              1.3.15. concalls_thresh_warn_col (string)
              1.3.16. concalls_thresh_crit_col (string)
              1.3.17. seqcalls_thresh_warn_col (string)
              1.3.18. seqcalls_thresh_crit_col (string)

        1.4. Exported Functions

              1.4.1. check_fraud(user, number, profile_id)

        1.5. Exported MI Functions

              1.5.1. show_fraud_stats
              1.5.2. fraud_reload

        1.6. Exported Events

              1.6.1. E_FRD_WARNING
              1.6.2. E_FRD_CRITICAL

   List of Examples

   1.1. Set the “db_url” parameter
   1.2. Set the “table_name” parameter
   1.3. Set “rid_col” parameter
   1.4. Set “pid_col” parameter
   1.5. Set “prefix_col” parameter
   1.6. Set “start_h” parameter
   1.7. Set “end_h” parameter
   1.8. Set “days_col” parameter
   1.9. Set “cpm_thresh_warn_col” parameter
   1.10. Set “cpm_thresh_crit_col” parameter
   1.11. Set “calldur_thresh_warn_col” parameter
   1.12. Set “calldur_thresh_crit_col” parameter
   1.13. Set “totalc_thresh_warn_col” parameter
   1.14. Set “totalc_thresh_crit_col” parameter
   1.15. Set “concalls_thresh_warn_col” parameter
   1.16. Set “concalls_thresh_crit_col” parameter
   1.17. Set “seqcalls_thresh_warn_col” parameter
   1.18. Set “seqcalls_thresh_crit_col” parameter

Chapter 1. Admin Guide

1.1. Overview

   This module provides a way to prevent some basic fraud attacks.
   Alerts are provided through return codes and events.

1.1.1. Monitorized Stats

   Basically, this module watches the following parameters:
     * Total calls
     * Calls per minute
     * Concurrent calls
     * Number of sequential calls
     * Call duration

   Each of the above parameters is monitored for every user and
   every called prefix separately. The stats are altered whenever
   the check_fraud function is called. The function assumes a new
   call is made, and checks the called number against all the
   rules from the supplied profile. The rule's prefix is
   considered to be the called prefix which along with the
   provided user will be used to monitor values for the 5
   parameters.

1.1.2. Fraud rules

   A rule is a set of two thresholds (warning and critical
   thresholds) for each of the five parameters (as described
   above) and is only available for a specified prefix. Further
   more, a rule will only match between the indicated hours in the
   indicated days of the week (similarly to a dr rule). A fraud
   profile is simply a group of fraud rules and is used to only to
   limit the list of rules to match when calling the check_fraud
   function.

1.2. Dependencies

1.2.1. OpenSIPS modules

   The following modules must be loaded before this module:
     * drouting
     * dialog

1.2.2. External libraries or applications

   The following libraries or applications must be installed
   before running OpenSIPS with this module:
     * none.

1.3. Exported Parameters

1.3.1. db_url (string)

   Database where to load the rules from.

   Default value is “NULL”. At least one db_url should be defined
   for the fraud_detection module to work.

   Example 1.1. Set the “db_url” parameter
...
modparam("fraud_detection", "db_url", "mysql://user:passwb@localhost/dat
abase")
...

1.3.2. table_name (string)

   If you want to load the rules from the database you must set
   this parameter as the database name.

   The default value is “fraud_detection”.

   Example 1.2. Set the “table_name” parameter
...
modparam("fraud_detection", "table_name", "my_fraud")
...

1.3.3. rid_col (string)

   The column's name in the database storing the fraud rule's id.

   Default value is “ruleid”.

   Example 1.3. Set “rid_col” parameter
...
modparam("fraud_detection", "rid_col", "theruleid"")
...

1.3.4. pid_col (string)

   The column's name in the database storing the fraud profile's
   id.

   Please keep in mind that a profile is merely a set of rules.

   Default value is “profileid”.

   Example 1.4. Set “pid_col” parameter
...
modparam("fraud_detection", "pid_col", "profile"")
...

1.3.5. prefix_col (string)

   The column's name in the database storing the prefix for which
   the fraud rule will match.

   Default value is “prefix”.

   Example 1.5. Set “prefix_col” parameter
...
modparam("fraud_detection", "prefix_col", "myprefix")
...

1.3.6. start_h (string)

   The column's name in the database storing the the start time of
   the interval in which the rule will match.

   The time needs to be specified as string using the format:
   “HH:MM”

   Default value is “start_hour”.

   Example 1.6. Set “start_h” parameter
...
modparam("fraud_detection", "start_h", "the_start_time")
...

1.3.7. end_h (string)

   The column's name in the database storing the the end time of
   the interval in which the rule will match.

   The time needs to be specified as string using the format:
   “HH:MM”

   Default value is “end_hour”.

   Example 1.7. Set “end_h” parameter
...
modparam("fraud_detection", "end_h", "the_end_time")
...

1.3.8. days_col (string)

   The column's name in the database storing the week days in
   which the fraud rule's interval is available.

   The daysoftheweek needs to be specified as a string containing
   a list of days or intervals. Each day must be specified using
   the first three letters of its name. A valid string would be:
   "Fri-Mon, Wed, Thu"

   Default value is “daysoftheweek”.

   Example 1.8. Set “days_col” parameter
...
modparam("fraud_detection", "days_col", "days")
...

1.3.9. cpm_thresh_warn_col (string)

   The column's name in the database storing the warning threshold
   value for calls per minute.

   Default value is “cpm_warning”.

   Example 1.9. Set “cpm_thresh_warn_col” parameter
...
modparam("fraud_detection", "cpm_thresh_warn_col", "cpm_warn_thresh")
...

1.3.10. cpm_thresh_crit_col (string)

   The column's name in the database storing the critical
   threshold value for calls per minute.

   Default value is “cpm_critical”.

   Example 1.10. Set “cpm_thresh_crit_col” parameter
...
modparam("fraud_detection", "cpm_thresh_crit_col", "cpm_crit_thresh")
...

1.3.11. calldur_thresh_warn_col (string)

   The column's name in the database storing the warning threshold
   value for call duration.

   Default value is “call_duration_warning”.

   Example 1.11. Set “calldur_thresh_warn_col” parameter
...
modparam("fraud_detection", "calldur_thresh_warn_col", "calldur_warn_thr
esh")
...

1.3.12. calldur_thresh_crit_col (string)

   The column's name in the database storing the critical
   threshold value for call duration.

   Default value is “call_duration_critical”.

   Example 1.12. Set “calldur_thresh_crit_col” parameter
...
modparam("fraud_detection", "calldur_thresh_crit_col", "calldur_crit_thr
esh")
...

1.3.13. totalc_thresh_warn_col (string)

   The column's name in the database storing the warning threshold
   value for the number of total calls.

   Default value is “total_calls_warning”.

   Example 1.13. Set “totalc_thresh_warn_col” parameter
...
modparam("fraud_detection", "totalc_thresh_warn_col", "totalc_warn_thres
h")
...

1.3.14. totalc_thresh_crit_col (string)

   The column's name in the database storing the critical
   threshold value for the number of total calls.

   Default value is “total_calls_critical”.

   Example 1.14. Set “totalc_thresh_crit_col” parameter
...
modparam("fraud_detection", "totalc_thresh_crit_col", "totalc_crit_thres
h")
...

1.3.15. concalls_thresh_warn_col (string)

   The column's name in the database storing the warning threshold
   value for the number of concurrent calls.

   Default value is “concurrent_calls_warning”.

   Example 1.15. Set “concalls_thresh_warn_col” parameter
...
modparam("fraud_detection", "concalls_thresh_warn_col", "concalls_warn_t
hresh")
...

1.3.16. concalls_thresh_crit_col (string)

   The column's name in the database storing the critical
   threshold value for the number of concurrent calls.

   Default value is “concurrent_calls_critical”.

   Example 1.16. Set “concalls_thresh_crit_col” parameter
...
modparam("fraud_detection", "concalls_thresh_crit_col", "concalls_crit_t
hresh")
...

1.3.17. seqcalls_thresh_warn_col (string)

   The column's name in the database storing the warning threshold
   value for the number of sequential calls.

   Default value is “sequential_calls_warning”.

   Example 1.17. Set “seqcalls_thresh_warn_col” parameter
...
modparam("fraud_detection", "seqcalls_thresh_warn_col", "seqcalls_warn_t
hresh")
...

1.3.18. seqcalls_thresh_crit_col (string)

   The column's name in the database storing the critical
   threshold value for the number of sequential calls.

   Default value is “sequential_calls_critical”.

   Example 1.18. Set “seqcalls_thresh_crit_col” parameter
...
modparam("fraud_detection", "seqcalls_thresh_crit_col", "seqcalls_crit_t
hresh")
...

1.4. Exported Functions

1.4.1.  check_fraud(user, number, profile_id)

   This method should be called each time a given user calls a
   given number. It will try to match a fraud rule within de given
   fraud profile and update the stats (see above). Furthermore,
   the stats will be checked against the rule's thresholds. If any
   of the stats is above it's threhsold value the appropriate
   event will also be raised (see further details below).

   Meaning of the parameters is as follows:
     * user - the user who is making the call. Please keep in mind
       that the user doesn't have to be registered. This string is
       only used do keep different stats for different registered
       users.
     * number - the number the user is calling to.
     * profile_id - the fraud profile id (i.e. the subset of fraud
       rules) in which to try and find a matching fraud rule.

   The meaning of the return code is as follows:
     * 2 - no matching fraud rule was found
     * 1 - a matching rule was found, but there is no parameter
       above the rule's threshlod, i.e - everything is ok
     * -1 - there is a parameter above the warning threhsold
       value. Check the raised event for more info
     * -2 - there is a parameter above the critical threhsold
       value. Check the raised event for more info
     * -3 - something went wrong (internal mechanism failed)

   This function can be used from REQUEST_ROUTE and ONREPLY_ROUTE.

1.5. Exported MI Functions

1.5.1.  show_fraud_stats

   Show the current statistics for a user to a given prefix and
   fraud profile.

   Name: show_fraud_stats

   Parameters:
     * user
     * prefix
     * fraud_profile

1.5.2.  fraud_reload

   Reload the all the fraud rules.

   Name: fraud_reload

   Parameters: none

1.6. Exported Events

1.6.1.  E_FRD_WARNING

   This event is raised whenever one of the 5 monitored parameters
   is above the warning threhsold value

   Parameters:
     * param - the name of the parameter.
     * value - the current value of the parameter.
     * threshold - the warning threshold value.
     * user - the user who initiated the call.
     * called_number - the number that was called.
     * rule_id - the id of the fraud rule that matched when the
       call was initiated

1.6.2.  E_FRD_CRITICAL

   This event is raised whenever one of the 5 monitored parameters
   is above the warning threhsold value

   Parameters:
     * param - the name of the parameter.
     * value - the current value of the parameter.
     * threshold - the warning threshold value.
     * user - the user who initiated the call.
     * called_number - the number that was called.
     * rule_id - the id of the fraud rule that matched when the
       call was initiated
