1. Patent Search
  2. Details

FRAUDELENT SUBSCRIPTION DETECTION

20200396616 · 2020-12-17

    Inventors

    Cpc classification

    International classification

    Abstract

    Arrangements are provided for identifying a second fraudulent subscription replacing a first fraudulent subscription. A method is performed by a fraudulent subscription detection system. The method includes obtaining notification of the first fraudulent subscription having been identified in a SIM box. The method comprises obtaining historical network data of the first fraudulent subscription. The method com includes prises generating a model based on the historical network data. The method includes identifying the second fraudulent subscription replacing the first fraudulent subscription in the SIM box upon providing live network data as input to the model. The method includes providing an identification of the second fraudulent subscription to at least one of a subscription manager entity and a user interface of a Manual Analysis component.

    Claims

    1. A method for identifying a second fraudulent subscription replacing a first fraudulent subscription, the method being performed by a fraudulent subscription detection system, the method comprising: obtaining notification of the first fraudulent subscription having been identified in a SIM box; obtaining historical network data of the first fraudulent subscription; generating a model based on the historical network data; identifying the second fraudulent subscription replacing the first fraudulent subscription in the SIM box upon providing live network data as input to the model; and providing an identification of the second fraudulent subscription to at least one of a subscription manager entity and a user interface of a Manual Analysis component.

    2. The method according to claim 1, wherein the historical network data is used to generate the model to have characteristics of the first fraudulent subscription.

    3. The method according to claim 2, wherein the characteristics pertain to at least one of mobile equipment identifier, subscription identifier, geographical location, and calling pattern of the first fraudulent subscription.

    4. The method according to claim 1, wherein identifying the second fraudulent subscription involves comparing feature vectors of any subscriptions generated from the live network data with a feature vector built from the historical network data for the first fraudulent subscription.

    5. The method according to claim 4, wherein identifying the second fraudulent subscription involves classifying, according to the comparing, each of the any subscriptions as one of legitimate and fraudulent.

    6. The method according to claim 1, wherein identifying the second fraudulent subscription comprises: determining an individual score for each subscription generated from the live network data, the score relating to each subscription being a fraudulent subscription; and comparing the highest individual score to a first threshold.

    7. The method according to claim 6, wherein a set of candidate subscriptions are generated by the model, and wherein the individual score only is determined for each of the candidate subscription.

    8. The method according to claim 6, wherein the second fraudulent subscription is the subscription having highest score, and wherein the highest score is above the first threshold.

    9. The method according to claim 6, wherein, when the highest individual score is not above the first threshold, identifying the second fraudulent subscription further comprises: comparing the highest individual score to a second threshold, the second threshold being lower than the first threshold; and obtaining, when the highest individual score is higher than the second threshold, manual input from the user interface of the Manual Analysis component for identifying the second fraudulent subscription as one of the subscriptions having their score above the second threshold.

    10. The method according to claim 1, wherein a first timer is started upon obtaining the notification, and wherein the second fraudulent subscription is identified before expiration of the first timer.

    11. The method according to claim 1, wherein a second timer is started upon obtaining the notification, and wherein when the second fraudulent subscription is identified before expiration of the second timer, the model is kept for identifying a third fraudulent subscription replacing the second fraudulent subscription.

    12. The method according to claim 1, wherein a second timer is started upon obtaining the notification, and wherein when the second fraudulent subscription is not identified before expiration of the second timer, a new model is generated for identifying a third fraudulent subscription replacing the second fraudulent subscription.

    13. The method according to claim 1, wherein the notification is obtained from a SIM box detector.

    14. The method according to claim 13, wherein the SIM box detector utilizes at least one of a test call generator service, a fraud management system, and a machine learning, ML, algorithm to identify the first fraudulent subscription.

    15. (canceled)

    16. The method according to claim 1, wherein the historical network data represents at least one of a call detail record, a customer relationship management record, and mobile network data of the first fraudulent subscription.

    17. The method according to claim 1, wherein a set of subscriptions are generated by the fraudulent subscription detection system, and wherein the live network data represents at least one of a call detail record, a customer relationship management record, and mobile network data of the set of subscriptions.

    18. The method according to claim 17, wherein the live network data comprises initial signalling for setting up the set of subscriptions.

    19. The method according to claim 1, further comprising: forwarding the notification of the first fraudulent subscription to the subscription manager entity.

    20. A fraudulent subscription detection system for identifying a second fraudulent subscription replacing a first fraudulent subscription, the fraudulent subscription detection system comprising processing circuitry, the processing circuitry being configured to cause the fraudulent subscription detection system to: obtain notification of the first fraudulent subscription having been identified in a SIM box; obtain historical network data of the first fraudulent subscription; generate a model based on the historical network data; identify the second fraudulent subscription replacing the first fraudulent subscription in the SIM box upon providing live network data as input to the model; and provide an identification of the second fraudulent subscription to at least one of a subscription manager entity and a user interface of a Manual Analysis component.

    21. (canceled)

    22. The fraudulent subscription detection system according to claim 20, wherein identifying the second fraudulent subscription comprises: determining an individual score for each subscription generated from the live network data, the score relating to each subscription being a fraudulent subscription; and comparing the highest individual score to a first threshold.

    23-24. (canceled)

    Description

    BRIEF DESCRIPTION OF THE DRAWINGS

    [0031] The inventive concept is now described, by way of example, with reference to the accompanying drawings, in which:

    [0032] FIG. 1 is a schematic diagram illustrating a communications system according to embodiments;

    [0033] FIG. 2 schematically illustrates an existing SIM-box detection system;

    [0034] FIG. 3 schematically illustrates a fraudulent subscription detection system in mirror mode according to an embodiment;

    [0035] FIG. 4 schematically illustrates a fraudulent subscription detection system in inline mode according to an embodiment;

    [0036] FIGS. 5, 7, 8, and 9 are flowcharts of methods according to embodiments;

    [0037] FIG. 6 is a block diagram of a fraudulent subscription detection system according to an embodiment;

    [0038] FIG. 10 is a signalling diagram according to an embodiment;

    [0039] FIG. 11 is a schematic diagram showing functional units of a fraudulent subscription detection system according to an embodiment;

    [0040] FIG. 12 is a schematic diagram showing functional modules of a fraudulent subscription detection system according to an embodiment; and

    [0041] FIG. 13 shows one example of a computer program product comprising computer readable storage medium according to an embodiment.

    DETAILED DESCRIPTION

    [0042] The inventive concept will now be described more fully hereinafter with reference to the accompanying drawings, in which certain embodiments of the inventive concept are shown. This inventive concept may, however, be embodied in many different forms and should not be construed as limited to the embodiments set forth herein; rather, these embodiments are provided by way of example so that this disclosure will be thorough and complete, and will fully convey the scope of the inventive concept to those skilled in the art. Like numbers refer to like elements throughout the description. Any step or feature illustrated by dashed lines should be regarded as optional.

    [0043] Examples of existing SIM-box detection approaches and their related issues have been disclosed above.

    [0044] The embodiments disclosed herein therefore relate to mechanisms for identifying a second fraudulent subscription replacing a first fraudulent subscription. In this respect, a fraudulent subscription could be interpreted as a subscription used for SIM box fraud. In order to obtain such mechanisms there is provided a fraudulent subscription detection system 220, a method performed by the fraudulent subscription detection system 220, a computer program product comprising code, for example in the form of a computer program, that when run on a fraudulent subscription detection system 220, causes the fraudulent subscription detection system 220 to perform the method.

    [0045] FIGS. 3 and 4 illustrate how the herein disclosed fraudulent subscription detection system 220 could be provided in an existing SIM-box detection systems, such as the existing SIM-box detection system illustrated in FIG. 2. FIG. 3 gives an example of an embodiment using mirror mode. FIG. 4 gives an example of an embodiment using inline mode.

    [0046] In mirror mode, notifications for each identified SIM-box subscription are passed directly from the SIM-box Detector 210 to the Subscription Manager 290 as before, and at the same time these messages are also mirrored to the herein disclosed fraudulent subscription detection system 220. This embodiment leaves the pre-existing detection system largely unaffected, allowing immediate termination of SIM-box subscriptions identified both by the original SIM-box Detector 210, exactly as before, and by the herein disclosed fraudulent subscription detection system 220.

    [0047] In inline mode, the herein disclosed fraudulent subscription detection system 220 is provided interposed between the SIM-box Detector 210 and the Subscription Manager 290, and might therefore be configured to actively forward notifications from the SIM-box Detector 210 to the Subscription Manager 290, possibly, and, in some cases, advantageously, incurring additional delay. This delay may be useful to ensure that the replacement detector for the freshly identified SIM-box subscription is operational before the freshly identified SIM-box subscription is terminated.

    [0048] As will be further disclosed below, in both mirror mode and inline mode, the fraudulent subscription detection system 220 receives notifications of identified SIM-box subscriptions from the SIM-box Detector 210 and data relevant to behavioral modeling and detection from various Data Sources 280. As will be further disclosed below, an optional Manual Analysis component 230 might be utilized to pass suspected replacement subscriptions, with substantial but not quite conclusive evidence, to a human expert for further analysis.

    [0049] FIG. 5 is a flowchart illustrating embodiments of methods for identifying a second fraudulent subscription replacing a first fraudulent subscription. The methods are performed by the fraudulent subscription detection system 220. This system 220 could be regarded as a SIM box subscription replacement detection system. The methods are advantageously provided as computer programs 1320.

    [0050] The herein disclosed embodiments aim towards quickly detecting replacement SIM-box subscriptions, in other words, subscriptions that replace recently detected subscriptions used for SIM-box fraud. Hence, the fraudulent subscription detection system 220 is configured to perform step S102:

    [0051] S102: The fraudulent subscription detection system 220 obtains a notification of the first fraudulent subscription having been identified in a SIM box 170.

    [0052] The fraudulent subscription detection system 220 collects data associated with the freshly detected SIM-box subscription (i.e., the first fraudulent subscription). Particularly, the fraudulent subscription detection system 220 is configured to perform step S106:

    [0053] S106: The fraudulent subscription detection system 220 obtains historical network data of the first fraudulent subscription.

    [0054] The fraudulent subscription detection system 220 then analyzes the recent behavior of this SIM-box subscription, and based on this analysis, identifies possible replacements of this freshly detected SIM-box subscription. The recent behavior is analyzed using a model. Particularly, the fraudulent subscription detection system 220 is configured to perform step S108:

    [0055] S108: The fraudulent subscription detection system 220 generates a model based on the historical network data.

    [0056] A separate model tailored to each freshly detected SIM-box subscription is thus built. The model is thus built to characterize the behavior of the freshly detected SIM-box subscription. In general terms, the model is built to identify those components in the input network data (both historical and live) that best distinguish the targeted behavior (i.e. input network data having characteristics of a fraudulent subscription) from the rest. The thus built model is then fed live network data in order to detect a new fraudulent subscription replacing the freshly detected SIM-box subscription. Hence, the fraudulent subscription detection system 220 is configured to perform step S110:

    [0057] S110: The fraudulent subscription detection system 220 identifies the second fraudulent subscription replacing the first fraudulent subscription in the SIM box 170 upon providing live network data as input to the model.

    [0058] The characteristics of the freshly detected SIM-box subscription are captured by the model. Therefore, feeding live network data to the model enables any subscription for which the live network data has characteristics similar to those of the freshly detected SIM-box subscription (i.e., having a behavior similar or even identical to that described by the model) to be identified as a replacement fraudulent subscription.

    [0059] Once the replacement fraudulent subscription (i.e., the second fraudulent subscription) has been detected, a notification thereof is provided. Particularly, the fraudulent subscription detection system 220 is configured to perform step S112:

    [0060] S112: The fraudulent subscription detection system 220 provides an identification of the second fraudulent subscription to at least one of a subscription manager entity 290 and a user interface of a Manual Analysis component 230.

    [0061] That is, the identification is provided either to only the subscription manager entity 290, or to only the user interface of the Manual Analysis component 230, or to both the subscription manager entity 290 and the user interface of the Manual Analysis component 230.

    [0062] Parallel reference is now made to FIG. 6. FIG. 6 schematically illustrates a block diagram of the fraudulent subscription detection system 220. As shown in FIG. 6, the fraudulent subscription detection system 220 comprises a Model Builder 221 and a Replacement Detector 222. For each SIM-box subscription freshly identified by a pre-existing SIM-box detector 210 and obtained by the fraudulent subscription detection system 220 (as in step S102), the Model Builder 221 retrieves recent historical data (as in step S106) from the relevant Data Sources 280, builds a model (as in step S108) specifically for that subscription, and deploys the model to the Replacement Detector 222. The latter feeds live behavioral data (as in step S110) from the same Data Sources 280 to each deployed model to detect replacement SIM-box subscriptions and provides a notification once a replacement SIM-box subscription has been detected (step S112). In this respect, the speed advantage of the replacement detector 222 compared to a generic SIM-box detector 210 derives from the replacement detector 222 analyzing the specific characteristics of a single freshly detected SIM-box subscription in the SIM-box 170 as opposed to a generic model of total SIM-box behavior as used in existing generic SIM-box detectors 210.

    [0063] Embodiments relating to further details of identifying a second fraudulent subscription replacing a first fraudulent subscription as performed by the fraudulent subscription detection system 220 will now be disclosed.

    [0064] There could be different ways for the fraudulent subscription detection system 220 to obtain the notification in step S102 of the first fraudulent subscription having been identified in a SIM box 170. As in the illustrative example of FIG. 4, according to an embodiment the notification is obtained from a SIM box detector 210. For finding the original subscriptions used for SIM-box fraud, any pre-existing generic SIM-box detection alternative (as, for example, one of those described above) may be used. Hence, according to an embodiment the SIM box detector 210 utilizes at least one of a test call generator service, a fraud management system, and an ML algorithm to identify the first fraudulent subscription. In this respect, test call generator services might be preferred when the risk of having false positives is to be minimized.

    [0065] As disclosed above, the fraudulent subscription detection system 220 could operate in either mirror mode or in inline mode. When operating in inline mode the fraudulent subscription detection system 220 might actively forward the notification obtained in step S102 to the subscription manager entity 290. Hence, according to an embodiment the fraudulent subscription detection system 220 is configured to perform (optional) step S104:

    [0066] S104: The fraudulent subscription detection system 220 forwards the notification of the first fraudulent subscription to the subscription manager entity 290.

    [0067] Continued reference is made to FIGS. 5 and 6. Parallel reference will be made to the flowchart of FIGS. 7, 8, and 9. Steps in the flowcharts of FIGS. 7, 8, and 9 are marked XY-n for easy reference, where XY are the initials of the component performing a step and n is the numeral for the step, or, in case of steps only performed in optional variants, a letter denoting the variant followed by a dot and the numeral.

    [0068] Further aspects of the Model Builder 221 will now be disclosed with parallel reference to the flowchart in FIG. 7. As depicted in the flowchart of FIG. 7, the start of a new Model Builder instance is triggered by a SIM-box(SUB) event. This event signifies a freshly detected SIM-box subscription SUB and could be generated by a pre-existing SIM-box Detector 210, the Replacement Detector 222, or the Manual Analysis component 230.

    [0069] Each Model Builder instance first retrieves recent historical data for the subscription SUB it is responsible for (i.e. the one whose detection triggered its execution) from the Data Sources 280 in step MB-1. Next, it trains a model based on the retrieved DATA in step MB-2, and sends the resulting MODEL to the Replacement Detector 222 encapsulated in a Deploy(MODEL) event in step MB-3. Then, the Model Builder 221 checks its configuration in step MB-4 to determine if the fraudulent subscription detection system 220 operates in inline mode; and, if so, also forwards its triggering SIM-box(SUB) event to the Subscription Manager 290 in step MB-5. Finally, the instance terminates.

    [0070] If additional SIM-box(SUB) events are received during the execution of some Model Builder 221 instance(s), new instances are started, resulting in multiple Model Builder 221 instances running independently and in parallel, each instance dedicated to handling its own subscription.

    [0071] As an alternative to querying the Data Sources 280 for recent data, the Data Sources 280 could instead constantly send data to the Model Builder 221, which would maintain a collection of recent data while discarding the rest. Thus, when the Model Builder instance is triggered it can then simply process the stored data.

    [0072] One purpose of the historical network data (defining the above retrieved DATA) is to generate a model based on characteristics of the first fraudulent subscription. There could be different types of such characteristics. In some aspects the characteristics pertain to at least one of mobile equipment identifier (such as International Mobile Equipment Identity (IMEI), subscription identifier (such as International Mobile Subscriber Identity (IMSI) or Mobile Station International Subscriber Directory Number (MSISDN)), geographical location, and/or calling pattern of the first fraudulent subscription. The model is thereby tuned to the observed behavior of a specific identified SIM-box based on specific characteristics for the detected SIM-box and is therefore more accurate than the pre-existing generic systems described above.

    [0073] The models built by the Model Builder 221 based on the labeled historical network data for the particular freshly identified SIM-box subscription are used in the Replacement Detector 222 to make predictions for subscriptions based on the live network data.

    [0074] There could be different types of historical network data. For example, the historical network data might represent at least one of a call detail record, a customer relationship management record, and mobile network data (such as node event data or packet captures) of the first fraudulent subscription. In this respect, due to lifecycle patterns, only historical network data being a few hours (such as 6, 8, or 12 hours) or a few days old (such as less than a week old) might be considered.

    [0075] There could be different types of live network data. Assuming that a set of subscriptions are generated by the fraudulent subscription detection system 220, the live network data might, for example, represent at least one of a call detail record, a customer relationship management record, and mobile network data (such as node event data or packet captures) of the subscriptions. Alternatively or additionally, the live network data might comprise initial signalling for setting up a new subscription.

    [0076] Either the same type or the different type of data is used in the historical network data and the live network data.

    [0077] According to an embodiment, identifying the second fraudulent subscription involves comparing feature vectors of any subscriptions generated from the live network data with a feature vector built from the historical network data for the first fraudulent subscription. A feature in the feature vector is, in general, a description (e.g. as count, percent, 1/0-value, or average value) of an attribute for subscriptions, where the concrete numbers are extracted from the network data. Identifying the second fraudulent subscription might then involve classifying, according to the comparing, each of the subscriptions as either legitimate or fraudulent.

    [0078] Of special interest for SIM-box fraud detection are those features of the live network data that can be expected to differ between SIM-box and non-SIM-box subscriptions. E.g. a feature defined by the average percentage of outgoing night calls can be extracted from outgoing call records with timestamps allocated during a time period of at least one day. Individual features are engineered by collecting training network data derived from the Data Sources 280, where the collection of features for a particular subscription forms the feature vector of the subscription. Examples of features for SIM-box fraud detection, derived from call detail record fields, are average call duration of outgoing calls, number of locations, number of outgoing calls, number of ingoing calls, number of IMSIs operated per IMEI, and ratio of the number of destinations to the total number of calls.

    [0079] For both the historical network data and the live network data one and the same extractor for feature vectors might be used. The feature vectors are fed to the Model Builder 221 and the Replacement Detector 222, respectively.

    [0080] Before applying an algorithm to build and train the model the subscriptions in the historical network data are labeled either with class labels (e.g. positive or 1 for freshly identified SIM-box and negative or 0 for legitimate subscriptions) in case of classification algorithms, or with probabilities 1 and 0, respectively, in case of regression algorithms.

    [0081] Alternatively, models could also be built by e.g. extracting the set of all mobile equipment identifiers for the target SIM-box 170, computing the average hourly rate (i.e. number of outgoing calls per hour) for target SIM-box 170 and designing some ad hoc rule for weighting matches and distance from average hourly rate.

    [0082] There could be different types of models. Some non-limiting examples of models that could be used are ML models, statistical models, and rule-based models.

    [0083] Predictions derived from ML algorithms such as Random Forest, Neural Networks, Linear Regression or Gradient-Boosted Trees are based on the particular internal procedure and are either 1/0-predictions (for hard predictions from classification algorithms) or score values (between 0 and 1 for regression algorithms or soft predictions from classification algorithms).

    [0084] As an example, according to a naive ad hoc model, scores can be based on matches and distance from average hourly rate for updated subscriptions' count of outgoing calls per hour. The models are used to score all subscriptions continually based on their features extracted from the live network data.

    [0085] Further aspects of the Replacement Detector 222 will now be disclosed with parallel reference to the flowchart in FIG. 8. As shown in the flowchart of FIG. 8, the start of a new Replacement Detector instance is triggered by a Deploy(MODEL) event received from the Model Builder component 221. Each instance makes use of a Lifetime Timer (defining a first timer) and an optional Freshness Timer (defining a second timer), which are set in steps RD-1 and RD-a.1, respectively.

    [0086] The initial value of the Lifetime Timer indicates how long a particular detector instance is allowed to operate without detecting a new replacement subscription. Typically, this value may be on the order of a few days. The expiry of the Lifetime Timer generates an asynchronous Lifetime Expired event, which causes the instance to terminate. Thus, according to an embodiment the first timer is started upon obtaining the notification (in step S102), and the second fraudulent subscription is identified (in step S110) before expiration of the first timer. Likewise, if the first timer expires, the detection is aborted, hence resulting in that the second fraudulent subscription fails to be identified. Handling of the Freshness Timer is synchronous and will be explained in the relevant steps below.

    [0087] Steps RD-2, RD-3, RD-4, and RD-5 (and, optionally, step RD-b.1, if Manual Analysis is also used) constitute the Replacement Detector's 222 main detection loop, which is repeated until either a relevant subscription is found or the instance gets terminated. Live data from the relevant Data Sources 280 is retrieved in step RD-2. The live data is fed to the model to generate scores for each subscription in step RD-3. The highest scoring subscription NEW_SUB along with the corresponding maximum score MAX_SCORE is found in step RD-4. These steps need not be implemented in a strictly serial fashion. In fact, a person skilled in the art will identify several optimized alternatives, including, without limitation, interleaved and/or parallel approaches.

    [0088] Based on the fed live data the model generates soft predictions, i.e. scores, for all subscriptions continually as it processes the incoming live data (as in step RD-3). Hence, according to an embodiment the fraudulent subscription detection system 220 is configured to perform (optional) steps S110a, S110b as part of identifying the second fraudulent subscription in step S110:

    [0089] S110a: The fraudulent subscription detection system 220 determines an individual score for each subscription generated from the live network data. The score relates to each subscription being a fraudulent subscription.

    [0090] S110b: The fraudulent subscription detection system 220 compares the highest individual score to the first threshold.

    [0091] In some aspects, only a set of candidate subscriptions are generated by the model, and the individual score thus only is determined for each of these candidate subscriptions.

    [0092] Subscriptions for which the scores (or, for simplicity, the highest score) that exceed the first threshold are then considered to be fraudulent (as in step RD-4). That is, according to an embodiment the second fraudulent subscription is the subscription having highest score, where the highest score is above the first threshold.

    [0093] At the end of each main loop iteration (i.e. on occurrence of each of steps RD-2 to RD-5), the Replacement Detector 222 compares MAX_SCORE to its pre-configured SIM-box Threshold (defining the first threshold) in step RD-5. This threshold controls how much evidence, i.e. how high a score, is required for automated action. This threshold could be adjusted similarly to the analogous settings for the traditional FMS or ML approaches to minimize the false positive rate. If the SIM-box Threshold is exceeded, NEW_SUB is reported as defining a replacement subscription to the Subscription Manager 290 via a SIM-box(NEW_SUB) event in step RD-6, and the detection process is restarted at step RD-1, unless the optional Freshness Timer is in use.

    [0094] Particularly, according to an embodiment the second timer is started upon obtaining the notification (as in step S102). When the second fraudulent subscription is identified before expiration of the second timer, the model is kept for identifying a third fraudulent subscription replacing the second fraudulent subscription. Alternatively, when the second fraudulent subscription is not identified before expiration of the second timer, a new model is generated for identifying a third fraudulent subscription replacing the second fraudulent subscription.

    [0095] One rationale for the freshness check implemented by the Freshness Timer in step RD-a.2 is that slower detection, e.g. longer than, say half a day or a full day, may depend on the behavior of the replacement subscription having diverged considerably from that of the original SIM-box subscription. In that case, abandoning the current model and training a new model based on the changed behavior may result in better accuracy and faster detection. Thus, when the Freshness Timer is exceeded, the SIM-box(NEW_SUB) event is also sent to the Model Builder 222 in step RD-a.3, triggering it to build a new model for the replacement subscription, and thus the current instance of the Replacement Detector terminates.

    [0096] When the optional Manual Analysis component 230 is in use, a dynamically configurable Suspect Threshold (defining the second threshold) determines how substantial evidence, i.e. how high a score, is required for involving a human analyst. This threshold should be adjusted based on the availability of experts to further investigate likely replacement subscriptions. Particularly, according to an embodiment the fraudulent subscription detection system 220 is configured to perform (optional) steps S110c, S110d as part of identifying the second fraudulent subscription in step S110, when the highest individual score is not above the first threshold:

    [0097] S110c: The fraudulent subscription detection system 220 compares the highest individual score to the second threshold. The second threshold is lower than the first threshold.

    [0098] S110d: The fraudulent subscription detection system 220 obtains, when the highest individual score is higher than the second threshold, manual input from the user interface of the Manual Analysis component 230 for identifying the second fraudulent subscription as one of the subscriptions having their score above the second threshold.

    [0099] The previously derived MAX_SCORE is compared to the Suspect Threshold in step RD-b.1, and if the threshold is exceeded, the offending subscription is sent for manual analysis via a SIM-box(NEW_SUB) event in step RD-b.2, and the current Replacement Detector instance terminates.

    [0100] Further aspects of the manual analysis will now be disclosed with parallel reference to the flowchart in FIG. 9. The flowchart in FIG. 9 illustrates the workflow of the Manual Analysis component 230, where each investigation is triggered by the receipt of a SIM-box(SUB) event. The human expert's efforts in determining if the suspected subscription corresponds to a SIM-box subscription are encapsulated in step MA-1. If the verdict is positive, the corroborated SIM-box(SUB) event is forwarded to the Model Builder 221 in step MA-2, and unless the fraudulent subscription detection system 220 operates in inline mode, which is checked in step MA-3, the same event is also sent to the Subscription Manager 290 in step MA-4. In inline mode, the Model Builder 221 will forward the event to the Subscription Manager 290 once the new model is built, and hence the Manual Analysis component 230 is then configured to skip this step.

    [0101] Reference is now made to FIG. 10. FIG. 10 is a signalling diagram for identifying a second fraudulent subscription replacing a first fraudulent subscription as performed by the fraudulent subscription detection system 220 according to a particular embodiment based on at least some of the above disclosed embodiments. In FIG. 10 it is assumed that the Model Builder 221 and the Replacement Detector 222 are part of the fraudulent subscription detection system 220.

    [0102] Upon receiving a SIM-box(SUB) event from the SIM-box Detector 210 (step S201), a newly spawned Model Builder instance requests recent historical data for the freshly detected SIM-box subscription from the Data Sources 280 using a GetHistory(SUB) event (step S202). Once the relevant DATA is returned (step S203), the Model Builder 221 trains a MODEL for the freshly detected SIM-box subscription (step S204) and instructs the Replacement Detector 222 to deploy that MODEL by sending a Deploy(MODEL) message (step S205). If the fraudulent subscription detection system 220 runs in inline mode, the original SIM-box(SUB) event is now also forwarded to the Subscription Manager 290 (step S206)Error! Reference source not found. A newly spawned Replacement Detector instance uses the received MODEL to detect replacement SIM-box subscriptions (i.e. a new fraudulent subscription replacing the freshly detected SIM-box subscription) in a live data feed retrieved from the relevant Data Sources 280 (step S207). If a replacement subscription is identified, the Subscription Manager 290 is notified using a SIM-box(NEW_SUB) event (step S209) and the process is repeated until no further detections are made during the preset lifetime of the instance. The latter is signaled by the internal LifetimeExpired event (step S210).

    [0103] When the optional Manual Analysis component 230 is in use, the Replacement Detector instances send subscriptions with substantial evidence of being used in SIM-box fraud but not quite sufficient evidence to warrant automated action (i.e., when the above-defined highest individual score is below the above-defined first threshold but above the above-defined second threshold) for Manual Analysis using a SIM-box(NEW_SUB) event (step S209). If human experts determine that such a subscription is indeed implicated in SIM-box fraud, the event is forwarded to the Model Builder component 221 to initiate training and deployment of a detector (step S211). When the fraudulent subscription detection system 220 is deployed in mirror mode, the same event also is sent to the Subscription Manager 290 (step S212).

    [0104] FIG. 11 schematically illustrates, in terms of a number of functional units, the components of a fraudulent subscription detection system 1120 according to an embodiment. Processing circuitry 1110 is provided using any combination of one or more of a suitable central processing unit (CPU), multiprocessor, microcontroller, digital signal processor (DSP), etc., capable of executing software instructions stored in a computer program product 1310 (as in FIG. 13), e.g. in the form of a storage medium 1130. The processing circuitry 1110 may further be provided as at least one application specific integrated circuit (ASIC), or field programmable gate array (FPGA).

    [0105] Particularly, the processing circuitry 1110 is configured to cause the fraudulent subscription detection system 1120 to perform a set of operations, or steps, as disclosed above with references to FIGS. 5, 7-10. For example, the storage medium 1130 may store the set of operations, and the processing circuitry 1110 may be configured to retrieve the set of operations from the storage medium 1130 to cause the fraudulent subscription detection system 1120 to perform the set of operations. The set of operations may be provided as a set of executable instructions.

    [0106] Thus the processing circuitry 1110 is thereby arranged to execute methods as herein disclosed. The storage medium 1130 may also comprise persistent storage, which, for example, can be any single one or combination of magnetic memory, optical memory, solid state memory or even remotely mounted memory. The fraudulent subscription detection system 1120 may further comprise a communications interface 1120 at least configured for communications with other systems, functions, nodes, entities, and devices. As such the communications interface 1120 may comprise one or more transmitters and receivers, comprising analogue and digital components. The processing circuitry 1110 controls the general operation of the fraudulent subscription detection system 1120 e.g. by sending data and control signals to the communications interface 1120 and the storage medium 1130, by receiving data and reports from the communications interface 1120, and by retrieving data and instructions from the storage medium 1130. Other components, as well as the related functionality, of the fraudulent subscription detection system 1120 are omitted in order not to obscure the concepts presented herein.

    [0107] FIG. 12 schematically illustrates, in terms of a number of functional modules, the components of a fraudulent subscription detection system 1120 according to an embodiment. The fraudulent subscription detection system 1120 of FIG. 12 comprises a number of functional modules; an obtain module 1110a configured to perform step S102, an obtain module 1110c configured to perform step S106, a generate module mod configured to perform step S108, an identify module 1110e configured to perform step S110, and a provide module 1110j configured to perform step S112.

    [0108] The fraudulent subscription detection system 1120 of FIG. 12 may further comprise a number of optional functional modules, such as any of a forward module 1110b configured to perform step S104, a determine module 1110f configured to perform step S110a, a compare module 1110g configured to perform step S110b, a compare module 1110h configured to perform step S110c, and an obtain module 1110i configured to perform step S110d.

    [0109] In general terms, each functional module 1110a-1110j may in one embodiment be implemented only in hardware and in another embodiment with the help of software, i.e., the latter embodiment having computer program instructions stored on the storage medium 1130 which when run on the processing circuitry makes the fraudulent subscription detection system 1120 perform the corresponding steps mentioned above in conjunction with FIG. 12. It should also be mentioned that even though the modules correspond to parts of a computer program, they do not need to be separate modules therein, but the way in which they are implemented in software is dependent on the programming language used. Preferably, one or more or all functional modules 1110a-1110j may be implemented by the processing circuitry 1110, possibly in cooperation with the communications interface 1120 and/or the storage medium 1130. The processing circuitry 1110 may thus be configured to from the storage medium 1130 fetch instructions as provided by a functional module 1110a-1110j and to execute these instructions, thereby performing any steps as disclosed herein.

    [0110] The fraudulent subscription detection system 1120 may be provided as a standalone device or as a part of at least one further device. For example, the fraudulent subscription detection system 1120 may be provided in a node of the radio access network or in a node of the core network. Alternatively, functionality of the fraudulent subscription detection system 1120 may be distributed between at least two devices, or nodes. These at least two nodes, or devices, may either be part of the same network part (such as the radio access network or the core network) or may be spread between at least two such network parts. A first portion of the instructions performed by the fraudulent subscription detection system 1120 may be executed in a first device, and a second portion of the of the instructions performed by the fraudulent subscription detection system 1120 may be executed in a second device; the herein disclosed embodiments are not limited to any particular number of devices on which the instructions performed by the fraudulent subscription detection system 1120 may be executed. Hence, the methods according to the herein disclosed embodiments are suitable to be performed by a fraudulent subscription detection system 1120 residing in a cloud computational environment. Therefore, although a single processing circuitry 1110 is illustrated in FIG. 11 the processing circuitry 1110 may be distributed among a plurality of devices, or nodes. The same applies to the functional modules 1110a-1110j of FIG. 12 and the computer program 1320 of FIG. 13 (see below).

    [0111] FIG. 13 shows one example of a computer program product 1310 comprising computer readable storage medium 1330. On this computer readable storage medium 1330, a computer program 1320 can be stored, which computer program 1320 can cause the processing circuitry 1110 and thereto operatively coupled entities and devices, such as the communications interface 1120 and the storage medium 1130, to execute methods according to embodiments described herein. The computer program 1320 and/or computer program product 1310 may thus provide means for performing any steps as herein disclosed.

    [0112] In the example of FIG. 13, the computer program product 1310 is illustrated as an optical disc, such as a CD (compact disc) or a DVD (digital versatile disc) or a Blu-Ray disc. The computer program product 1310 could also be embodied as a memory, such as a random access memory (RAM), a read-only memory (ROM), an erasable programmable read-only memory (EPROM), or an electrically erasable programmable read-only memory (EEPROM) and more particularly as a non-volatile storage medium of a device in an external memory such as a USB (Universal Serial Bus) memory or a Flash memory, such as a compact Flash memory. Thus, while the computer program 1320 is here schematically shown as a track on the depicted optical disk, the computer program 1320 can be stored in any way which is suitable for the computer program product 1310.

    [0113] The inventive concept has mainly been described above with reference to a few embodiments. However, as is readily appreciated by a person skilled in the art, other embodiments than the ones disclosed above are equally possible within the scope of the inventive concept, as defined by the appended patent claims.