Identification Of Malicious Activity Based On Analysis Of Travel Path Of A Mobile Device

20220058654 · 2022-02-24

    Abstract

    A method for identification of malicious activity based on analysis of a travel path of a mobile device through multiple geographic areas includes receiving at least three location data associated with the mobile communication device, the first location data comprising indication of the geographic area of the mobile subscriber and a receipt timestamp; determining the actual travel time of the mobile subscriber from the first geographic area and the third geographic area based on a difference between timestamps of the first location data and the third location data; determining a minimum transition time for the subscriber of the mobile device to move from the first geographic area to the third geographic area; and identifying a malicious activity based on comparison of the actual travel time and the minimum transition time wherein actual travel time is less than minimum transition time between the first geographic area and the third geographic area.

    Claims

    1. A method for analysis of a travel path of a mobile device of a mobile subscriber moving through a plurality of geographic areas in a banking application to detect fraud or a suspicious transaction associated with the subscriber, the method comprising: a) receiving “n” number of location data associated with said mobile device, each of the “n” location data comprising an indication of the geographic area of the mobile subscriber G.sub.n and a receipt timestamp T.sub.n; b) determining the actual travel time t.sub.actual of the mobile subscriber from a geographic area G.sub.n to a subsequently visited geographic area G.sub.n+a based on a difference between timestamps T.sub.n and T.sub.n+a, wherein a≥2; c) determining a minimum transition time t.sub.min for the subscriber of the mobile device to move from the geographic area G.sub.n to the subsequently visited geographic area G.sub.n+a through the travel path; d) comparing the actual travel time t.sub.actual and the minimum transition time t.sub.min wherein t.sub.actual<t.sub.min; and e) identifying a suspicious activity based on said comparison, wherein the suspicious activity is at least one received spoofed location data and wherein the suspicious activity is a fraud or a suspicious transaction associated with a bank card or account of the subscriber.

    Description

    BRIEF DESCRIPTION OF THE DRAWINGS

    [0031] The invention will be more clearly understood from the following description of an embodiment thereof, given by way of example only, with reference to the accompanying drawings, in which: —

    [0032] FIG. 1 exemplarily illustrates a travel path of a mobile subscriber in accordance with some embodiments of the present invention;

    [0033] FIG. 2 exemplarily illustrates a travel path of a mobile subscriber in accordance with some embodiments of the present invention;

    [0034] FIG. 3 is a flow chart illustrating an embodiment of the inventive method for identification of malicious activity based on analysis of a travel path of a mobile device of a mobile subscriber moving through a plurality of geographic areas;

    [0035] FIG. 4 is a diagram illustrating an architecture of a mobile telephone network, in accordance with some embodiments of the present invention; and

    [0036] FIG. 5 is a functional block diagram illustrating the primary components of a mobile switching centre (MSC) for identification of malicious activity based on analysis of a travel path of a mobile device of a mobile subscriber moving through a plurality of geographic areas in accordance with some embodiments of the present invention.

    DETAILED DESCRIPTION OF THE DRAWINGS

    [0037] FIG. 1 exemplarily illustrates a travel path of a mobile subscriber in accordance with some embodiments of the present invention. Each hexagonal area represented in FIG. 1 is a predefined geographic area, e.g. the hexagonal area labelled 101.

    [0038] The mobile device of the subscriber sends location data when the subscriber registers to the mobile phone network of a geographic area. For example, in pre-existing telecom protocols there are specific packets that indicate an update or change in the current location of a subscriber. The following list is an example, without presumption of being exhaustive, of such packets: in the SS7 protocol—UpdateLocation and UpdateLocationGPRS, and optionally SendAuthenticationInfo; in the Diameter (4G) protocol—Update-Location-Request packets; and in 5G—the equivalent packets. Other location data can also be used. For example, the protocols that the method and system of the invention can use comprise one or more of the following: SS7, Diameter, 5G, GTP (data), ISUP (voice), SIP (voice). For illustrative purposes the SS7 protocol is described in more detail below.

    [0039] These packets contain a field that can indicate what geographic area the subscriber is in. For SS7, this field could be a Global Title (GT), which is a form of a phone number that indicates what network node the subscriber's phone is currently registered to. Location information can be derived from the numbering plan of the network node's GT. For example, if an UpdateLocation packet was received with a Source or registered GT field of +353861234567, then by analysing the Telephone Country Code +353, a system would know that the node was based in Ireland.

    [0040] For Diameter this could be a Host or Realm address field, which indicates what network node or network the subscriber's phone is currently registered to. For example, if an Update-Location-Request packet was received with a source or registered Host or Realm address that contained MCC 272, then by analysing the Mobile Country Code 272, a system would know that the node was based in the geographic area of Ireland.

    [0041] Equivalent analysis could be performed on other packets within these protocols, or on packets within new protocols, but the basis is to take information from the received packet, to infer what geographic areas the subscriber's phone is currently or purportedly based in.

    [0042] The unit of geographic area does not have to be strictly at country level: if the received information allows a smaller geographic area to be determined, then that area could be used. For example, an SS7 UpdateLocation packet could be received with a source or registered GT of +1 (907) 123 4567. Then, by analysing the Telephone Country Code +1 (US) and the area code (907) (Alaska), a system would know that the node was based in Alaska, United States. This information could come from public sources, or from the internal network node information of an operator if it is available to the system.

    [0043] In an embodiment, any Telecom signalling packet that indicates or updates a subscriber location, which can be matched to a geographic area, can be used to indicate a change of geographic area, and can be compared against the previous geographic areas.

    [0044] Therefore, any location data in accordance with the claimed invention may comprise any data packet or signal which may be used to determine the geographic area within which a mobile phone is located. Also, the time of receipt of said data packet or signal may be used as the timestamp.
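    The inference described in paragraphs [0039] to [0042], as an added example that is not code from the patent: a received packet's source identifier (an SS7 Global Title or a Diameter Origin-Realm/Origin-Host) is mapped to a geographic area by longest-prefix matching against a numbering-plan table, or by extracting the MCC from the 3GPP realm form epc.mnc<MNC>.mcc<MCC>.3gppnetwork.org. The prefix and MCC tables and the packet dictionaries are constructed for illustration and are far from complete; a production system would load a full numbering plan and MCC database.

```python
# Added example (not code from the patent): map the source identifier of a
# location-update packet to a geographic area, as paragraphs [0039]-[0042]
# describe. Tables are constructed for illustration, not authoritative.
import re
from dataclasses import dataclass
from typing import Optional

# Constructed E.164 prefix table: country/area code digits -> area label.
# Longest-prefix matching lets "1907" (Alaska) win over "1" (NANP/US).
GT_PREFIXES = {
    "353": "Ireland",
    "1": "United States",
    "1907": "Alaska, United States",
    "36": "Hungary",
    "43": "Austria",
}

# Constructed MCC table (272 = Ireland as the patent states; 216 = Hungary).
MCC_TABLE = {"272": "Ireland", "216": "Hungary"}


@dataclass(frozen=True)
class Location:
    area: str
    evidence: str  # which field/value the inference was drawn from


def area_from_gt(gt: str) -> Optional[Location]:
    """Infer the area from an SS7 Global Title written as an E.164 number."""
    digits = re.sub(r"\D", "", gt)  # drop '+', spaces and parentheses
    if not digits:
        return None
    # Try the longest candidate prefix first so finer areas beat country codes.
    for length in range(min(len(digits), 7), 0, -1):
        area = GT_PREFIXES.get(digits[:length])
        if area:
            return Location(area, f"GT prefix {digits[:length]}")
    return None


# 3GPP Diameter realms/hosts carry the MCC as ".mcc<3 digits>." in the FQDN.
_MCC_RE = re.compile(r"\.mcc(\d{3})\.", re.IGNORECASE)


def area_from_diameter_realm(realm: str) -> Optional[Location]:
    """Infer the area from the MCC embedded in a Diameter realm or host name."""
    m = _MCC_RE.search(realm)
    if not m:
        return None
    area = MCC_TABLE.get(m.group(1))
    return Location(area, f"MCC {m.group(1)}") if area else None


def area_from_packet(packet: dict) -> Optional[Location]:
    """Dispatch on protocol. The packet is a constructed dict standing in for
    a decoded message; only location-update operations are considered."""
    proto = packet.get("protocol")
    if proto == "SS7" and packet.get("opcode") in ("UpdateLocation", "UpdateLocationGPRS"):
        return area_from_gt(packet.get("calling_gt", ""))
    if proto == "Diameter" and packet.get("command") == "Update-Location-Request":
        return (area_from_diameter_realm(packet.get("origin_realm", ""))
                or area_from_diameter_realm(packet.get("origin_host", "")))
    return None


if __name__ == "__main__":
    samples = [  # constructed packets
        {"protocol": "SS7", "opcode": "UpdateLocation", "calling_gt": "+353861234567"},
        {"protocol": "SS7", "opcode": "UpdateLocation", "calling_gt": "+1 (907) 123 4567"},
        {"protocol": "Diameter", "command": "Update-Location-Request",
         "origin_realm": "epc.mnc001.mcc272.3gppnetwork.org"},
    ]
    for pkt in samples:
        print(pkt, "->", area_from_packet(pkt))
```

A packet whose identifier matches no table entry yields None rather than a guessed area; the travel-path check downstream should treat such a packet as unusable rather than silently assigning it a location.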

    [0045] Thus FIG. 1 exemplarily illustrates a mobile subscriber moving through the geographic areas i.e. the mobile device of the subscriber transmits a first location data at time T.sub.1 when the subscriber is within the geographical area G.sub.1. Similarly, the mobile phone of the subscriber transmits a second location data at time T.sub.2 when the subscriber is within the geographical area G.sub.2. Similarly, the mobile phone of the subscriber transmits a third location data at time T.sub.3 when the subscriber is within the geographical area G.sub.3. To avoid further repetition, the n.sup.th location data is transmitted by the mobile device of the subscriber at time T.sub.n when the subscriber is within the geographical area G.sub.n.

    [0046] FIG. 2 is similar to FIG. 1 and exemplarily illustrates a travel path of a mobile subscriber where the geographic areas through which the subscriber travels are countries of Europe.

    [0047] FIG. 3 is a flow chart illustrating an embodiment of the inventive method for identification of malicious activity based on analysis of a travel path of a mobile device of a mobile subscriber moving through a plurality of geographic areas which is explained below with reference to FIG. 1 and FIG. 2.

    [0048] The method of analysis of a travel path of a mobile device of a mobile subscriber comprises the steps of:

    [0049] a) receiving 301 “n” number of location data associated with said mobile device, each of the “n” location data comprising an indication of the geographic area of the mobile subscriber G.sub.n and a receipt timestamp T.sub.n. As mentioned above and illustrated in FIG. 1 and FIG. 2, “n” number of location data are received, e.g. the first packet at time T.sub.1 which comprises an indication for geographical area G.sub.1 . . . and an n.sup.th packet received at time T.sub.n which comprises an indication for geographical area G.sub.n.

    [0050] b) determining 302 the actual travel time t.sub.actual of the mobile subscriber from a geographic area G.sub.n and a subsequently visited geographic area G.sub.n+a based on a difference between timestamps T.sub.n and T.sub.n+a, wherein a≥2. For example, the actual travel time of the subscriber from the geographical area G.sub.1 (G.sub.n for n=1) to G.sub.3 (G.sub.n+a at n=1 and a=2) is T.sub.3−T.sub.1. Therefore, t.sub.actual=T.sub.n+a−T.sub.n.

    [0051] c) determining 303 a minimum transition time t.sub.min for the subscriber of the mobile device to move from the geographic area G.sub.n to the subsequently visited geographic area G.sub.n+a through the path followed from G.sub.n to G.sub.n+a (i.e. the sum of the transition times between each G.sub.n to G.sub.n+1 . . . to G.sub.n+a).

    [0052] In an embodiment the t.sub.min between two geographical areas may be computed as per the following process in accordance with some of the embodiments of the present invention.

    [0053] I) generating a database of geographical data, containing the description of the shape of geographic area objects for each geographic unit or location (e.g. each country in the world). This geographic shape object could be defined in a series of ways: at a minimum it could be a bounding box encompassing the country, but equally it could be a more accurate country bounding polygon, all the way to a fully accurate country shape with every border point modelled.

    [0054] II) estimating the minimum admissible travelling time between two geographic areas (e.g. countries). This is based on:

    [0055] i. Finding the minimum distance between the defined geographic areas for all the possible couples of countries (if they are overlapping or bordering, then the distance is 0). The minimum distance between the two countries may be computed using Haversine Distance or Great Circle Distance;

    [0056] ii. The estimated maximum speed of a typical passenger aircraft is obtained using statistical analysis of various speeds of passenger aircraft.

    [0057] iii. Combining this distance and speed, estimating the minimum admissible travelling time t.sub.min between geographic areas.
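    The process of paragraphs [0053] to [0057] carried through in code, as an added example that is not code from the patent: each area is stored as a list of vertices (bounding-box corners or a finer border polygon), the minimum distance between two areas is the smallest Haversine distance over their vertex pairs (zero for bordering or overlapping areas), and t.sub.min is that distance divided by a maximum aircraft speed. The speed of 900 km/h, the toy shapes and the vertex-sampling approximation are assumptions of this example; the patent derives the speed statistically and does not specify a figure.

```python
# Added example (not code from the patent): estimate the minimum admissible
# transition time t_min between two geographic areas following [0053]-[0057].
import math
from itertools import product
from typing import Dict, FrozenSet, List, Tuple

EARTH_RADIUS_KM = 6371.0
# Assumed for this example only; the patent obtains the figure statistically.
MAX_AIRCRAFT_SPEED_KMH = 900.0

Point = Tuple[float, float]  # (latitude, longitude) in decimal degrees
Shape = List[Point]          # polygon vertices: bounding-box corners or a finer border


def haversine_km(p: Point, q: Point) -> float:
    """Great-circle distance between two points using the Haversine formula."""
    lat1, lon1 = map(math.radians, p)
    lat2, lon2 = map(math.radians, q)
    dlat, dlon = lat2 - lat1, lon2 - lon1
    h = math.sin(dlat / 2) ** 2 + math.cos(lat1) * math.cos(lat2) * math.sin(dlon / 2) ** 2
    return 2.0 * EARTH_RADIUS_KM * math.asin(math.sqrt(h))


def min_distance_km(a: Shape, b: Shape, bordering: bool = False) -> float:
    """Minimum distance between two areas (step [0055]).

    Bordering or overlapping areas are 0 km apart. Otherwise the minimum over
    vertex pairs is taken; this slightly over-estimates when the closest points
    lie mid-edge, so a denser border sampling tightens the estimate.
    """
    if bordering or set(a) & set(b):
        return 0.0
    return min(haversine_km(p, q) for p, q in product(a, b))


def min_transition_minutes(a: Shape, b: Shape, bordering: bool = False,
                           speed_kmh: float = MAX_AIRCRAFT_SPEED_KMH) -> float:
    """t_min in minutes = minimum distance / maximum speed (step [0057])."""
    return min_distance_km(a, b, bordering) / speed_kmh * 60.0


def build_tmin_table(shapes: Dict[str, Shape],
                     borders: FrozenSet[FrozenSet[str]] = frozenset()
                     ) -> Dict[FrozenSet[str], float]:
    """Pre-compute t_min for every unordered pair of areas, i.e. the database
    a checker can look up instead of recomputing geometry per packet."""
    names = sorted(shapes)
    table: Dict[FrozenSet[str], float] = {}
    for i, x in enumerate(names):
        for y in names[i + 1:]:
            pair = frozenset({x, y})
            table[pair] = min_transition_minutes(shapes[x], shapes[y], pair in borders)
    return table


# Constructed demo shapes on a toy map near the equator, not real borders:
# A and B share an edge, C lies about 8 degrees of longitude east of B.
DEMO_SHAPES: Dict[str, Shape] = {
    "A": [(0.0, 0.0), (0.0, 1.0), (1.0, 1.0), (1.0, 0.0)],
    "B": [(0.0, 1.0), (0.0, 2.0), (1.0, 2.0), (1.0, 1.0)],
    "C": [(0.0, 10.0), (0.0, 11.0), (1.0, 11.0), (1.0, 10.0)],
}

if __name__ == "__main__":
    for pair, t in sorted(build_tmin_table(DEMO_SHAPES).items(), key=lambda kv: sorted(kv[0])):
        print(sorted(pair), f"t_min = {t:.1f} min")
```

Because a bounding box encloses the true shape, the distance between boxes is never larger than the distance between the real borders, so t.sub.min computed from boxes is a lower bound; the check that flags t.sub.actual < t.sub.min therefore stays conservative, and refining the shapes only makes it stricter.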

    [0058] d) identifying 304 a malicious activity based on comparison of the actual travel time t.sub.actual and the minimum transition time t.sub.min wherein t.sub.actual<t.sub.min.

    [0059] In an exemplary embodiment the method of detecting a suspicious transition of a mobile communication device transitioning through at least three geographic areas G.sub.1, G.sub.2 and G.sub.3 i.e. where n=3 and a=2 comprises the following steps:

    [0060] a) receiving at least three location data associated with said mobile communication device, each of them comprising an indication of the geographic area of the mobile subscriber and a receipt timestamp, the first comprising the geographic area G.sub.1 and the receipt timestamp T.sub.1;

    [0061] b) determining the actual travel time t.sub.actual of the mobile subscriber from the first geographic area G.sub.1 and the third geographic area G.sub.3 based on a difference between timestamps of the first location data T.sub.1 and the third location data T.sub.3.

    [0062] c) determining a minimum transition time t.sub.min for the subscriber of the mobile device to move from the first geographic area G.sub.1 to the third geographic area G.sub.3 through the second geographical area G.sub.2; and

    [0063] d) identifying a malicious/suspicious activity based on comparison of the actual travel time t.sub.actual and the minimum transition time t.sub.min wherein actual travel time is less than minimum transition time between the first geographic area and the third geographic area.

    [0064] In a preferred embodiment, the above-described method steps b), c) and d) are repeated for the first “n−a” location data, i.e. iterating through a=2, 3 . . . “n−a”.

    [0065] The following exemplarily shows the working of the above inventive method in accordance with a preferred embodiment of the present invention. The below example is not limiting and solely for the purpose of showing the working of the inventive method in the form of an example.

    [0066] A subscriber is moving through contiguous countries. It will be appreciated that the invention can operate equally as well for non-contiguous regions where the regions do not necessarily need to bound each other. In the following example the contiguous path is:

    [0067] 1. Hungary-Austria

    [0068] 2. Austria-Germany

    [0069] 3. Germany-Switzerland

    [0070] 4. Switzerland-France

    [0071] So, the total path is Hungary-Austria-Germany-Switzerland-France

    TABLE-US-00001

    #Step   Movement                Time (in minutes)
    1       Hungary—Austria         4 m
    2       Austria—Germany         9 m
    3       Germany—Switzerland     5 m
    4       Switzerland—France      2 m

    [0072] It will be appreciated that all of the above are single-step transitions, which are at present evaluated individually. The present invention makes use of the fact that multiple locations can be evaluated together.

    [0073] The following would be evaluated in accordance with the above-described inventive method:

    TABLE-US-00002

    #Step          Movement                                    Type                       Actual travel time t.sub.actual (in minutes)   Minimum travel time t.sub.min (in minutes)   Is it an admissible movement?
    1 + 2          Hungary—Austria—Germany                     2-step (n = 5 and a = 2)   4 + 9 = 13 m                                   5 m                                          Yes
    2 + 3          Austria—Germany—Switzerland                 2-step (n = 5 and a = 2)   9 + 5 = 14 m                                   0 m                                          Yes
    3 + 4          Germany—Switzerland—France                  2-step (n = 5 and a = 2)   5 + 2 = 7 m                                    0 m                                          Yes
    1 + 2 + 3      Hungary—Austria—Germany—Switzerland         3-step (n = 5 and a = 3)   4 + 9 + 5 = 18 m                               25 m                                         No
    2 + 3 + 4      Austria—Germany—Switzerland—France          3-step (n = 5 and a = 3)   9 + 5 + 2 = 16 m                               0 m                                          Yes
    1 + 2 + 3 + 4  Hungary—Austria—Germany—Switzerland—France  4-step (n = 5 and a = 4)   4 + 9 + 5 + 2 = 20 m                           29 m                                         No

    [0074] It is observed that the trajectory of this subscriber is implausible and therefore suspicious and indicating a malicious activity.
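    The evaluation of paragraphs [0071] to [0074] run end to end, as an added example that is not code from the patent: every window G.sub.n to G.sub.n+a with a≥2 is formed from the received location data, t.sub.actual is the timestamp difference T.sub.n+a − T.sub.n, t.sub.min is looked up for the window's end points from a pre-computed table (the stored database of [0077]), and any window with t.sub.actual < t.sub.min is reported. The per-step receipt times are those of the first table above and the t.sub.min values are those of the second table, with bordering pairs set to 0 as paragraph [0055] prescribes; the table is illustrative and stands in for a real geographic database. A window whose single steps are each admissible can still fail, because the minimum distance between two areas does not obey a triangle inequality: Hungary borders Austria and Austria borders Germany, yet Hungary does not border Germany.

```python
# Added example (not code from the patent): multi-step travel-path evaluation
# following claim steps b)-e), run over the patent's worked example.
from dataclasses import dataclass
from typing import Callable, Dict, FrozenSet, List, Tuple


@dataclass(frozen=True)
class LocationData:
    area: str         # G_n: geographic area inferred from the received packet
    timestamp: float  # T_n: receipt time; minutes from an arbitrary origin here


@dataclass(frozen=True)
class Window:
    start: int             # index n
    end: int               # index n + a
    path: Tuple[str, ...]  # G_n ... G_{n+a}
    t_actual: float        # T_{n+a} - T_n
    t_min: float           # minimum transition time from G_n to G_{n+a}

    @property
    def admissible(self) -> bool:
        return self.t_actual >= self.t_min


# Minimum transition times (minutes) between the end points of each window,
# taken from the patent's second table; bordering pairs are 0 per [0055].
# Illustrative stand-in for the pre-computed database of [0077].
TMIN_TABLE: Dict[FrozenSet[str], float] = {
    frozenset({"Hungary", "Austria"}): 0.0,
    frozenset({"Austria", "Germany"}): 0.0,
    frozenset({"Germany", "Switzerland"}): 0.0,
    frozenset({"Switzerland", "France"}): 0.0,
    frozenset({"Hungary", "Germany"}): 5.0,
    frozenset({"Austria", "Switzerland"}): 0.0,
    frozenset({"Germany", "France"}): 0.0,
    frozenset({"Hungary", "Switzerland"}): 25.0,
    frozenset({"Austria", "France"}): 0.0,
    frozenset({"Hungary", "France"}): 29.0,
}


def tmin_lookup(a: str, b: str) -> float:
    """Symmetric lookup that fails closed: an unknown pair raises KeyError
    instead of silently counting as admissible."""
    return TMIN_TABLE[frozenset({a, b})]


def evaluate_path(locations: List[LocationData],
                  tmin: Callable[[str, str], float] = tmin_lookup,
                  min_a: int = 2) -> List[Window]:
    """Evaluate every window G_n -> G_{n+a} with a >= min_a (steps b) to d))."""
    windows: List[Window] = []
    count = len(locations)
    for n in range(count):
        for a in range(min_a, count - n):
            first, last = locations[n], locations[n + a]
            windows.append(Window(
                start=n, end=n + a,
                path=tuple(loc.area for loc in locations[n:n + a + 1]),
                t_actual=last.timestamp - first.timestamp,
                t_min=tmin(first.area, last.area),
            ))
    return windows


def suspicious_windows(locations: List[LocationData],
                       tmin: Callable[[str, str], float] = tmin_lookup,
                       min_a: int = 2) -> List[Window]:
    """Windows with t_actual < t_min: at least one location datum inside the
    window is implausible and therefore suspected spoofed (step e))."""
    return [w for w in evaluate_path(locations, tmin, min_a) if not w.admissible]


def worked_example() -> List[LocationData]:
    """The patent's path with cumulative receipt times built from its first
    table (4 m, 9 m, 5 m and 2 m per step)."""
    return [
        LocationData("Hungary", 0.0),
        LocationData("Austria", 4.0),
        LocationData("Germany", 13.0),
        LocationData("Switzerland", 18.0),
        LocationData("France", 20.0),
    ]


if __name__ == "__main__":
    for w in evaluate_path(worked_example()):
        verdict = "Yes" if w.admissible else "No"
        print("—".join(w.path), f"t_actual={w.t_actual:g} m", f"t_min={w.t_min:g} m", verdict)
```

Running the block reproduces the second table: the two windows starting in Hungary and ending in Switzerland or France are the ones reported. Keeping a window's full path in the result is deliberate; once a window is flagged, an analyst still has to decide which of its location data was spoofed, and the path narrows that to the packets inside the window.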

    [0075] FIG. 4 is a diagram illustrating a general architecture of a mobile telephone network, in accordance with some embodiments of the present invention. Base Transceiver Stations (BTS) 404, 405 and 406, 407 are in communication with respective Base Station Controllers (BSC) 402 and 403. The BSC controls and manages the BTSs and performs essential functions like routing and handoffs. Further, the BSCs 402, 403 are in communication with the Mobile Switching Centre (MSC) 401 which is responsible for overall management for roaming of the subscriber to different geographical areas.

    [0076] FIG. 5 is a functional block diagram illustrating the primary components of an MSC 401, 500 for identification of malicious activity based on analysis of a travel path of a mobile device of a mobile subscriber moving through a plurality of geographic areas in accordance with some embodiments of the present invention. The MSC comprises a processor 501, a memory 502 operatively coupled to the processor 501, and a transceiver 503 operatively coupled to the processor 501. The processor 501 is configured to receive “n” number of location data associated with said mobile device through said transceiver 503, each of the “n” location data comprising an indication of the geographic area of the mobile subscriber G.sub.n and a receipt timestamp T.sub.n. The processor 501 determines the actual travel time t.sub.actual of the mobile subscriber from a geographic area G.sub.n to a subsequently visited geographic area G.sub.n+a based on a difference between timestamps T.sub.n and T.sub.n+a, where a≥2.

    [0077] The processor further determines a minimum transition time t.sub.min for the subscriber of the mobile device to move from the geographic area G.sub.n to the subsequently visited geographic area G.sub.n+a by computing the distance of the path of travel from G.sub.n to G.sub.n+a (i.e. the sum of the transition times between each G.sub.n to G.sub.n+1 . . . to G.sub.n+a). In another embodiment the determination of the minimum transition time t.sub.min is based on looking up a database stored in memory 502.

    [0078] The processor 501 finally identifies a malicious activity based on comparison of the actual travel time t.sub.actual and the minimum transition time t.sub.min wherein t.sub.actual<t.sub.min. The malicious activity is at least one received spoofed location data.

    [0079] Further, the processor is configured to perform the above functions iteratively for the first “n−a” location data, i.e. iterating through a=2, 3 . . . “n−a”.

    [0080] In an exemplary embodiment the processor 501 detects a suspicious transition of a mobile communication device transitioning through at least three geographic areas G.sub.1, G.sub.2 and G.sub.3, i.e. where n=3 and a=2. The processor 501 receives at least three location data associated with said mobile communication device, each comprising an indication of the geographic area of the mobile subscriber and a receipt timestamp. Further, the processor 501 determines the actual travel time of the mobile subscriber from the first geographic area to the third geographic area based on a difference between the timestamps of the first location data and the third location data.

    [0081] Further, the processor determines a minimum transition time for the subscriber of the mobile device to move from the first geographic area to the third geographic area through the second geographic area and the processor 501 identifies a malicious activity based on comparison of the actual travel time and the minimum transition time wherein actual travel time is less than minimum transition time between the first geographic area and the third geographic area through the second geographic area.

    [0082] In another exemplary embodiment the method and system is embodied as a banking application to detect fraud or a suspicious transaction. For example, a duplicated or stolen credit or debit card is used by a fraudster to buy goods in different locations, while the legitimate user continues to use the card for normal transactions. If the points of sale attach a timestamp and geographic data to each transaction, it is possible to determine whether different transactions were made at distances that are physically impossible to have been covered in the given time (because both the legitimate user and the fraudster(s) are using the card from different locations).

    [0083] In this case the invention is implemented as software in the service that is accessed. In one application, stolen login credentials of a user are distributed across one or more fraudsters. The legitimate user and the fraudster(s) will both be accessing the given service. By using the geolocation of the IP address from which each login is executed together with the login time, it is possible to determine the path of such logins. The invention covers the case where each single step (a move between areas determined by IP geolocation) is admissible but one or more of the multi-step transitions is physically not admissible.

    [0084] In another exemplary embodiment the method and system is implemented in tracking systems in cars or containers, or in any other sort of tracked piece of physical equipment. For example, if the tracking identity of the real piece of equipment is being faked or tampered with, the invention can be implemented to detect the suspicious activity: by calculating and analysing the various travel paths and determining that one or more multi-step transitions are physically not admissible, a security solution would be aware that something suspicious is occurring.

    [0085] Further, a person ordinarily skilled in the art will appreciate that the various illustrative logical/functional blocks, modules, circuits, techniques/algorithms and process steps described in connection with the embodiments disclosed herein may be implemented as electronic hardware, or a combination of hardware and software. To clearly illustrate this interchangeability of hardware and a combination of hardware and software, various illustrative components, blocks, modules, circuits, and steps have been described above generally in terms of their functionality. Whether such functionality is implemented as hardware or a combination of hardware and software depends upon the design choice of a person ordinarily skilled in the art. Such skilled artisans may implement the described functionality in varying ways for each particular application, but such obvious design choices should not be interpreted as causing a departure from the scope of the present invention.

    [0086] The process described in the present disclosure may be implemented using various means. For example, the process described in the present disclosure may be implemented in hardware, firmware, software, or any combination thereof. For a hardware implementation, the processing units, or processors(s) may be implemented within one or more application specific integrated circuits (ASICs), digital signal processors (DSPs), digital signal processing devices (DSPDs), programmable logic devices (PLDs), field programmable gate arrays (FPGAs), processors, controllers, micro-controllers, microprocessors, electronic devices, other electronic units designed to perform the functions described herein, or a combination thereof.

    [0087] For a firmware and/or software implementation, software codes may be stored in a memory and executed by a processor. Memory may be implemented within the processor unit or external to the processor unit. As used herein the term “memory” refers to any type of volatile memory or nonvolatile memory.

    [0088] Furthermore, although elements of the invention may be described or claimed in the singular, the plural is contemplated unless limitation to the singular is explicitly stated.

    [0089] In the specification the terms “comprise, comprises, comprised and comprising” or any variation thereof and the terms “include, includes, included and including” or any variation thereof are considered to be totally interchangeable and they should all be afforded the widest possible interpretation and vice versa.

    [0090] The invention is not limited to the embodiments hereinbefore described but may be varied in both construction and detail.