Fraud detection using heavy hitters: a case study

The high asymmetry of international termination rates, where calls are charged with higher values, are fertile ground for the appearance of frauds in Telecom Companies. In this paper, we present three different and complementary solutions for a real problem called Interconnect Bypass Fraud. This problem is one of the most common in the telecommunication domain and can be detected by the occurrence of abnormal behaviours from specific numbers. Our goal is to detect as soon as possible numbers with abnormal behaviours, e.g. bursts of calls, repetitions and mirror behaviours. Based on this assumption, we propose: (i) the adoption of a new fast forgetting technique that works together with the Lossy Counting algorithm; (ii) the proposal of a single pass hierarchical heavy hitter algorithm that also contains a forgetting technique; and (iii) the application of the HyperLogLog sketches for each phone number. We used the heavy hitters to detect abnormal behaviours, e.g. burst of calls, repetition and mirror. The hierarchical heavy hitters algorithm is used to detect the numbers that make calls for a huge set of destinations and destination numbers that receives a huge set of calls to provoke a denial of service. Additionally, to detect the cardinality of destination numbers of each origin number we use the HyperLogLog algorithm. The results shows that these three approaches combined complements the techniques used by the telecom company and make the fraud task more difficult.