WO2007031980A1 - Authentication of calls in packet networks - Google Patents


Info

Publication number
WO2007031980A1
Authority
WO
WIPO (PCT)
Prior art keywords
call
packets
network
billing system
mediation device
Prior art date
Application number
PCT/IL2005/000996
Other languages
French (fr)
Inventor
Danny Shporer
Original Assignee
Mts Mer Telemanagement Solutions Ltd.
Application filed by Mts Mer Telemanagement Solutions Ltd.
Priority to PCT/IL2005/000996
Publication of WO2007031980A1


Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1408 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
    • H04L63/02 Network architectures or network communication protocols for network security for separating internal from external traffic, e.g. firewalls
    • H04L63/08 Network architectures or network communication protocols for network security for authentication of entities

Definitions

  • the present invention relates generally to call services in a packet network.
  • VoIP voice over IP services
  • PSTN public switched telephone network
  • VoIP services offer a competitive alternative to traditional telephone services.
  • VoIP services that are connected to the Internet provide a mobility which is generally not provided by traditional telephone services.
  • users of VoIP services can use the same telephone number and pay the same rates regardless of their geographical location as long as they have access to the Internet.
  • VoIP services have led to an increase in the desire of miscreants to take advantage of these services, for example using the infrastructure provided by a service provider to call without paying.
  • An aspect of an embodiment of the invention relates to a method and apparatus for detecting fraudulent calls in an IP based packet network.
  • a mediation device is installed at key points in the network.
  • the mediation device monitors packets of the network to detect call packets providing the details of the call participants.
  • the mediation device queries a billing system comprising a database provided by the service provider to authenticate the call. If the call fails authentication the mediation device attempts to block packets of the call.
  • the mediation device monitors all packets in the network. Alternatively, the mediation device randomly monitors packets or periodically monitors packets.
  • the mediation device authenticates all call packets. Alternatively, the mediation device authenticates specific call packets.
  • the mediation device communicates with the billing system over the network.
  • the mediation device uses a direct connection to communicate with the billing system.
  • the mediation device instructs a firewall to block packets of the call or packets transmitted or received from the call participants.
  • the blocking is performed for a specific time interval, for example 1-10 minutes.
  • the mediation device blocks the call itself.
  • the mediation device assists in verifying call duration.
  • a method of detecting fraud in a packet network comprising, monitoring communication packets in the network, detecting one or more packets of a call, determining the identity of one or more participants of the call from the detected packets; transmitting a query with the determined identity to a billing system for authentication; and waiting for a response from the billing system.
  • the monitoring comprises monitoring all packets in the network.
  • the monitoring comprises randomly monitoring packets in the network.
  • the monitoring comprises periodically monitoring packets in the network.
  • the detecting comprises detecting specific types of call packets.
  • the detecting comprises detecting call initialization packets.
  • the determining is at least of the identity of the call initiator.
  • the determining is at least of the identity of the call receptor.
  • the determining is of the identity of all call participants.
  • the billing system is adapted to authenticate that a client is registered for initiating calls.
  • the billing system is adapted to authenticate that a client is registered for receiving calls.
  • the billing system is adapted to authenticate that the call is registered.
  • the transmitting is over a direct connection.
  • the monitoring continues while waiting for a response from the billing system.
  • the monitoring continues after commencing the waiting.
  • the method further comprises selectively instructing a firewall to block future call packets of the call responsive to the authentication.
  • the firewall blocks packets of a call until a termination packet is detected for the call.
  • the firewall blocks packets of a call for a selected time interval.
  • a system for detecting fraud calls in a packet network comprising, a mediation device that detects call packets in the network and determines one or more caller identities, a billing system that comprises a database of registered clients that are authenticated to conduct calls, a firewall that is adapted to block call packets from being transmitted between two or more clients, wherein the mediation device queries the billing system to authenticate the determined call participant identities; and wherein the mediation device instructs the firewall to block communications from a remote communication device responsive to the status of authentication received from the billing system.
  • the mediation device is positioned in the network between the firewall and a communication device that initiates the call.
  • the mediation device is positioned in the network between the firewall and a communication device that receives the call.
  • Fig. 1 is a schematic illustration of a network, according to an exemplary embodiment of the invention.
  • FIG. 2 is a schematic illustration of an alternative configuration of a network, according to an exemplary embodiment of the invention.
  • Fig. 3 is a flow diagram of the process of handling an authorized call, according to an exemplary embodiment of the invention.
  • Fig. 4 is a flow diagram of the process of handling a fraudulent call, according to an exemplary embodiment of the invention.
  • Fig. 1 is a schematic illustration of a network 100, according to an exemplary embodiment of the invention.
  • network 100 comprises multiple clients or client networks, which are interconnected over an IP based network 170, for example the Internet.
  • network 170 is a private network interconnecting clients to a service provider, with or without providing the clients with direct access to the internet.
  • a client requesting access to VoIP services is connected over a network to the service provider.
  • a client may be a single user or may be a network with many users, for example a LAN. Additionally, the client connection may be over cables or wireless.
  • a client location may comprise a firewall 160 to protect the client network, a router 150 to route communication from the client network to network 170 and one or more switches or hubs 130 to connect multiple client stations at the client site.
  • the client station 190 is optionally a personal computer, a PDA, a smart phone or an IP telephone.
  • the client station may be a standard communication device, such as an analog telephone, a fax machine or a standard PSTN system which is connected via a gateway 180 to the client network.
  • the service provider provides a gatekeeper 140 to handle address translation and control call allocation.
  • the service provider additionally provides a billing system 120, which comprises a database that is updated with details of all subscribers to the VoIP service, for example client identity and charge plan.
  • billing system 120 keeps track of client usage of the service, the client's billing charges and payments.
  • billing system 120 is combined with gatekeeper 140 or there is a direct connection between them.
  • billing system may be connected to the gatekeeper over a network, for example a LAN, WAN (e.g. the Internet).
  • the service provider provides a mediation device 110 to monitor the packets in the network and authenticate call packets with billing system 120.
  • mediation device 110 is positioned at the client location.
  • mediation device 110 may monitor packet traffic between router 150 and switch 130 or between router 150 and firewall 160.
  • mediation device 110 may monitor packet traffic between switch 130 and each communication device 190.
  • the monitoring position is selected to monitor packets in an unencrypted form to simplify mediation device 110.
  • mediation device 110 may monitor encrypted packets.
  • mediation device 110 is a dedicated device, which monitors packets, for example a personal computer programmed for the task or a special circuit.
  • mediation device 110 is optionally a circuit or element that is installed in communication devices 190, switch 130, router 150 and/or firewall 160.
  • the service provider may require installation of mediation device 110 at the location of every subscriber, for example by supplying a dedicated router 150 or dedicated communication device 190 for use with the service.
  • mediation device 110 is optionally installed at an Internet Service Provider (ISP) to monitor all incoming traffic from clients.
  • ISP Internet Service Provider
  • Fig. 2 is a schematic illustration of an alternative configuration of a network 200, according to an exemplary embodiment of the invention.
  • IP based network 270 is optionally a private network controlled by the VoIP service provider that connects between clients, for example by direct cables, satellite, wireless transmissions, leased lines from a telephony service provider or any other type of connection.
  • in network 200, optionally all communication packets are routed under the control of the service provider.
  • mediation device 110 is installed in network 270 under control of the service provider.
  • mediation device 110 is positioned to monitor communication packets between router 150 and switch 130 in network 270.
  • any other enabling layout may be used to allow mediation device 110 to monitor the packets in the network.
  • more than one mediation device 110 is used by the service provider.
  • one mediation device 110 monitors multiple communication paths in network 170 and/or network 270.
  • Fig. 3 is a flow diagram 300 of the process of handling an authorized call, according to an exemplary embodiment of the invention.
  • an authorized client (e.g. B) initiates (310) a call, for example by lifting the receiver of a VoIP telephone and dialing the number of another authorized client (e.g. A).
  • the call is routed (320) via gatekeeper 140 to receive the address of the other client station and optionally, authenticate (330) the callers.
  • mediation device 110 detects (340) packets associated with the call based on the contents of communication packets.
  • VoIP calls are setup using the H.323 protocol or SIP protocol.
  • mediation device 110 performs authentication of calls from any call packet, for example using the source and destination addresses of the packet.
  • billing system 120 is updated by gatekeeper 140 with translation tables if needed to match between IP addresses and user identifications.
  • authentication is performed only for initialization packets, termination packets or other specific packets of a call since authentication of other packets would be redundant, more complex and/or problematic since some packets may not contain the required details needed to identify the caller and/or call receiver.
  • mediation device 110 reconstructs a higher level message from multiple packets in order to extract the identities and/or addresses of the call participants.
  • the information needed for authentication comprises the identity of the client that initiated the call and the identity of the client that is receiving the call.
  • a packet that only identifies one of the clients is authenticated for the identified client.
  • only the call initiator needs to be authenticated since the initiator pays for the call.
  • calls can be transmitted to clients of other service providers or to clients of non VoIP systems.
  • all participants need to be registered at the service provider in order to use the service.
  • some call packets may identify more than two participants, for example in a conference call.
  • mediation device 110 authenticates all participants.
  • mediation device 110 transmits the client details to billing system 120 to authenticate (350) the call, for example by checking that the client is listed in the billing system data base and/or that the client pays for the service and there is no reason to prevent the client from receiving service.
  • mediation device 110 may be combined with billing system 120 or have a direct connection to billing system 120, for example in a network 270 to eliminate the need for transmitting authentication requests.
  • if the call is an authorized call, a positive answer is received from billing system 120 and the call continues (360), since no further action is taken by mediation device 110.
  • if no answer is received from billing system 120, for example due to packet loss or problems with billing system 120, no further action is taken.
  • mediation device 110 may be programmed to respond as if the call is a fraudulent call as will be described below.
  • the response if no answer is received may depend on the type of call, for example a call that is expensive for the service provider may be dealt with, while other calls will be ignored.
  • another type of fraud is the use of unauthorized services by a registered client, for example a registered client using a service that was not authorized for his/her use, such as a voice subscriber conducting a video call.
  • Some methods of fraud can be detected by mediation device 110 from the packets themselves without querying billing system 120, for example a call initialization packet using the H.323 protocol, which is not directed to the gatekeeper. However some methods of fraud can only be determined by checking with billing system 120. Additionally, some packets using certain protocols can only be authenticated by billing system 120.
  • Fig. 4 is a flow diagram 400 of the process of handling a fraudulent call, according to an exemplary embodiment of the invention.
  • a client initiates a call (410) that circumvents the gatekeeper, for example by programming communication device 190 to initiate a call directly between clients.
  • the initialization is the same as in an authorized call such as described in association with Fig. 3 - (320) and (330) and the fraud starts at a later stage for example by faking call termination while continuing the conversation as described above.
  • mediation device 110 monitors communication packets in the network and detects (420) packets of a call.
  • mediation device 110 is programmed to detect specific types of call packets, for example call initialization packets and/or call termination packets. Alternatively, mediation device 110 detects all call packets or substantially all call packets.
  • mediation device 110 checks (430) the authentication of the call. In some cases mediation device 110 is able to detect immediately that the call is fraudulent and does not need to transmit the identities of the participants to billing system 120. Alternatively, mediation device 110 transmits a query regarding the identity of the callers to billing system 120 for authentication. In some embodiments of the invention, billing system 120 authenticates that the clients are registered and approved to receive the service from the service provider. Optionally, billing system 120 authenticates that the clients do not have outstanding debt.
  • billing system 120 is notified of billing details while a call is in progress.
  • mediation device 110 is able to confirm if a call is currently being charged to the client, in order to identify fraudulent calls which managed to bypass the standard charge process.
  • mediation device 110 and/or billing system 120 query gatekeeper 140 to verify details that are only known to the gatekeeper, for example in some configurations details of billing of calls in progress.
  • mediation device 110 monitors all packets in the network. Alternatively, mediation device 110 monitors packets randomly or periodically, for example every few seconds.
  • mediation device 110 handles a single call at a time, ignoring any other packets until resolving authentication for the packet being handled.
  • mediation device 110 deals with more than one packet as detected according to its ability, for example mediation device 110 may have a limitation on the number of open queries it can handle.
  • mediation device 110 will initiate queries up to the number it can handle and postpone or skip any further checking until it closes some of the open queries for example after receiving a response or after timing out due to a lack of response.
  • when a fraudulent call is detected, mediation device 110 notifies (440) firewall 160 to block the fraudulent call.
  • firewall 160 is set to block the packets of a specific call or block a specific client.
  • firewall 160 blocks the call initiator or call receiver from transmitting packets.
  • firewall 160 blocks the reception of packets by the call initiator or call receiver. In either case at least one side of the call will not receive anything, since the call packets are blocked. As a result the clients will not be able to have a conversation and will terminate the call. In some embodiments of the invention, both sides are blocked by firewall 160.
  • firewall 160 will continue to block the call until mediation device 110 detects (450) a call termination packet for the call.
  • upon detecting a call termination, mediation device 110 instructs (460) firewall 160 to remove the block.
  • mediation device 110 instructs (460) firewall 160 to remove the block after a predetermined time interval, for example after about 1-10 minutes or about 1-60 seconds, since the clients would be expected to terminate the call if nothing can be heard. In any case mediation device 110 can re-block the call if it is detected again.
  • mediation device 110 also serves as a firewall and is able to block packets (e.g. erase them or return them) and not only monitor them; for example, mediation device 110 may optionally be combined with router 150, switch 130, firewall 160 or communication device 190.
  • instead of notifying firewall 150 to block a client, it erases fraudulent packets of a call once it determines that the call is fraudulent.
  • mediation device 110 supports instructing specific firewalls 160.
  • mediation device 110 can be programmed to instruct other firewalls 160.
  • mediation device 110 updates billing system 120 and/or gatekeeper 140 with the details of monitored calls in order to assist in verifying billing of the detected calls and/or allow billing of calls that would otherwise go undetected.
  • billing system 120 and/or gatekeeper 140 build a list of client identities used for fraudulent calls.
  • calls detected with a client from this list may be automatically blocked or checked with more scrutiny, for example by checking payment history of the client.

Abstract

A method of detecting fraud in a packet network (170), including, monitoring (110) communication packets in the network (170), detecting one or more packets of a call, determining the identity of one or more participants (190) of the call from the detected packets, transmitting a query with the determined identity to a billing system (120) for authentication, and waiting for a response from the billing system (120).

Description

AUTHENTICATION OF CALLS IN PACKET NETWORKS
FIELD OF THE INVENTION
The present invention relates generally to call services in a packet network.
BACKGROUND OF THE INVENTION
In recent years there has been an increase in the bandwidth and transfer rate of standard networks, for example the standard transmission rate in local area networks (LANs) has increased from 10 Mbps to 100 Mbps or even 1000 Mbps. The standard connection speed to the Internet has increased from 10-100 Kbps to 1-10 Mbps. Applications which were previously too slow and unfeasible have become a reality. An example of such an application is point to point or point to multipoint voice and/or video communication.
Currently a growing number of businesses are providing commercial telephone call services using internet protocol based networks. These services are generally referred to as voice over IP services (VoIP). The service provider typically supplies address translation services and optionally, connectivity between different types of call service networks, for example between the IP based network and a public switched telephone network (PSTN). Typically VoIP services offer a competitive alternative to traditional telephone services. VoIP services that are connected to the Internet provide a mobility which is generally not provided by traditional telephone services. Typically, users of VoIP services can use the same telephone number and pay the same rates regardless of their geographical location as long as they have access to the Internet.
The growing popularity of VoIP services has led to an increase in the desire of miscreants to take advantage of these services, for example using the infrastructure provided by a service provider to call without paying.
US publication 2002/0188712 to Caslin et al. the disclosure of which is incorporated herein by reference, describes a fraud monitoring system that analyzes records of usage activity and applies fraud pattern detection algorithms to detect patterns indicative of fraud.
US patent 6,701,439 to Dunn the disclosure of which is incorporated herein by reference, describes a method of call rejection provided for use in connection with a data network.
PCT publication WO 02/17036 the disclosure of which is incorporated herein by reference, describes a processor architecture for processing data packets representing VoIP calls in a packet switched network.
SUMMARY OF THE INVENTION
An aspect of an embodiment of the invention relates to a method and apparatus for detecting fraudulent calls in an IP based packet network. In an exemplary embodiment of the invention, a mediation device is installed at key points in the network. The mediation device monitors packets of the network to detect call packets providing the details of the call participants. The mediation device queries a billing system comprising a database provided by the service provider to authenticate the call. If the call fails authentication the mediation device attempts to block packets of the call.
In some embodiments of the invention, the mediation device monitors all packets in the network. Alternatively, the mediation device randomly monitors packets or periodically monitors packets.
In some embodiments of the invention, the mediation device authenticates all call packets. Alternatively, the mediation device authenticates specific call packets.
In some embodiments of the invention, the mediation device communicates with the billing system over the network. Alternatively, the mediation device uses a direct connection to communicate with the billing system.
In some embodiments of the invention, the mediation device instructs a firewall to block packets of the call or packets transmitted or received from the call participants. Optionally, the blocking is performed for a specific time interval, for example 1-10 minutes.
In some embodiments of the invention, the mediation device blocks the call itself.
In some embodiments of the invention, the mediation device assists in verifying call duration.
There is thus provided in accordance with an exemplary embodiment of the invention a method of detecting fraud in a packet network, comprising, monitoring communication packets in the network, detecting one or more packets of a call, determining the identity of one or more participants of the call from the detected packets; transmitting a query with the determined identity to a billing system for authentication; and waiting for a response from the billing system. Optionally, the monitoring comprises monitoring all packets in the network. Alternatively, the monitoring comprises randomly monitoring packets in the network. In an exemplary embodiment of the invention, the monitoring comprises periodically monitoring packets in the network. Optionally, the detecting comprises detecting specific types of call packets. In an exemplary embodiment of the invention, the detecting comprises detecting call initialization packets. Optionally, the determining is at least of the identity of the call initiator. In an exemplary embodiment of the invention, the determining is at least of the identity of the call receptor. Optionally, the determining is of the identity of all call participants.
In an exemplary embodiment of the invention, the billing system is adapted to authenticate that a client is registered for initiating calls. Optionally, the billing system is adapted to authenticate that a client is registered for receiving calls. In an exemplary embodiment of the invention, the billing system is adapted to authenticate that the call is registered. Optionally, the transmitting is over a direct connection. In an exemplary embodiment of the invention, the monitoring continues while waiting for a response from the billing system. Optionally, the monitoring continues after commencing the waiting. In an exemplary embodiment of the invention, the method further comprises selectively instructing a firewall to block future call packets of the call responsive to the authentication. Optionally, the firewall blocks packets of a call until a termination packet is detected for the call. In an exemplary embodiment of the invention, the firewall blocks packets of a call for a selected time interval.
There is thus further provided a system for detecting fraud calls in a packet network comprising, a mediation device that detects call packets in the network and determines one or more caller identities, a billing system that comprises a database of registered clients that are authenticated to conduct calls, a firewall that is adapted to block call packets from being transmitted between two or more clients, wherein the mediation device queries the billing system to authenticate the determined call participant identities; and wherein the mediation device instructs the firewall to block communications from a remote communication device responsive to the status of authentication received from the billing system. Optionally, the mediation device is positioned in the network between the firewall and a communication device that initiates the call. In an exemplary embodiment of the invention, the mediation device is positioned in the network between the firewall and a communication device that receives the call.
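The method and system summarized above, worked through as an added Python example that is not part of the patent (the patent provides no code): SIP INVITE/BYE messages as the call packets, a dict standing in for billing system 120, the gatekeeper address, the block interval and the firewall interface are all assumptions constructed for this example.

```python
"""Added example, not the patent's own code: a minimal mediation device (110)
that extracts call participants from SIP INVITE/BYE messages, checks them with
a billing database (120) and has a firewall (160) block the call until a
termination packet is seen or a time interval expires.  All data is constructed."""
import re
from collections import namedtuple
GATEKEEPER_ADDR = "10.0.0.140"  # assumed address of gatekeeper 140
BLOCK_INTERVAL_S = 60           # assumed interval (patent: about 1-60 s or 1-10 min)
# Constructed billing records (identity -> registration status).
BILLING_DB = {
    "sip:alice@example.net": {"may_call": True, "may_receive": True, "debt": False},
    "sip:bob@example.net": {"may_call": True, "may_receive": True, "debt": False},
    "sip:carol@example.net": {"may_call": False, "may_receive": True, "debt": True},
}
Packet = namedtuple("Packet", "dst_ip payload")  # payload: reassembled message
_REQ = re.compile(r"^(INVITE|BYE)\s+\S+\s+SIP/2\.0\s*$", re.M)
_HDR = re.compile(r"^(From|To|Call-ID):[ \t]*(.*?)[ \t\r]*$", re.M)

def _uri(value):  # '"Alice" <sip:alice@example.net>;tag=1' -> 'sip:alice@example.net'
    m = re.search(r"<([^>]+)>", value)
    return m.group(1) if m else value.split(";")[0].strip()

def parse_call_packet(pkt):
    """Return (method, call_id, caller, callee) for INVITE/BYE, else None."""
    m = _REQ.search(pkt.payload)
    if not m:
        return None
    hdrs = dict(_HDR.findall(pkt.payload))
    if not {"From", "To", "Call-ID"}.issubset(hdrs):
        return None
    return m.group(1), hdrs["Call-ID"], _uri(hdrs["From"]), _uri(hdrs["To"])

def billing_authenticate(db, caller, callee):
    """Billing check (350/430); None means the billing system gave no answer."""
    if db is None:
        return None
    a, b = db.get(caller), db.get(callee)
    if a is None or b is None:
        return False  # a participant is not registered with the provider
    return a["may_call"] and not a["debt"] and b["may_receive"]

class Firewall:
    """Blocks calls by Call-ID; each entry carries an expiry time in seconds."""
    def __init__(self):
        self.blocked = {}
    def block(self, call_id, until):
        self.blocked[call_id] = until
    def unblock(self, call_id):
        self.blocked.pop(call_id, None)
    def is_blocked(self, call_id, now):
        until = self.blocked.get(call_id)
        if until is not None and now >= until:  # interval elapsed: lift the block
            self.unblock(call_id)
        return call_id in self.blocked

class MediationDevice:
    def __init__(self, db, firewall):
        self.db, self.fw = db, firewall
    def handle(self, pkt, now):
        """Process one monitored packet and return a verdict string."""
        call = parse_call_packet(pkt)
        if call is None:
            return "ignored"  # media or unrelated traffic
        method, call_id, caller, callee = call
        if method == "BYE":
            self.fw.unblock(call_id)  # termination seen (450): lift block (460)
            return "terminated"
        if self.fw.is_blocked(call_id, now):
            return "blocked"  # call re-seen while still blocked
        if pkt.dst_ip != GATEKEEPER_ADDR:  # fraud visible without a billing query
            self.fw.block(call_id, now + BLOCK_INTERVAL_S)
            return "blocked:bypassed-gatekeeper"
        ok = billing_authenticate(self.db, caller, callee)
        if ok is None:
            return "no-answer"  # billing unreachable: take no action
        if ok:
            return "allowed"  # call continues (360)
        self.fw.block(call_id, now + BLOCK_INTERVAL_S)  # notify firewall (440)
        return "blocked:unauthenticated"

def build_request(method, caller, callee, call_id):
    """Constructed SIP request used as sample input."""
    return (f"{method} {callee} SIP/2.0\r\nFrom: <{caller}>;tag=1\r\n"
            f"To: <{callee}>\r\nCall-ID: {call_id}\r\n\r\n")

def demo():
    """Constructed traffic run through the device; returns the verdicts."""
    md = MediationDevice(BILLING_DB, Firewall())
    alice, bob, carol = (f"sip:{n}@example.net" for n in ("alice", "bob", "carol"))
    gk, direct = GATEKEEPER_ADDR, "10.0.1.9"
    steps = [
        (Packet(gk, build_request("INVITE", alice, bob, "c1")), 0),      # authorized
        (Packet(gk, build_request("INVITE", carol, bob, "c2")), 0),      # caller in debt
        (Packet(gk, build_request("INVITE", carol, bob, "c2")), 30),     # still blocked
        (Packet(gk, build_request("INVITE", carol, bob, "c2")), 61),     # interval over
        (Packet(direct, build_request("INVITE", alice, bob, "c3")), 0),  # bypasses gatekeeper
        (Packet(direct, build_request("BYE", alice, bob, "c3")), 5),     # termination
    ]
    return [md.handle(pkt, t) for pkt, t in steps]
```

Real call-setup traffic arrives as fragments, so a deployment would first reassemble the signalling message (the patent's higher-level message) before handing it to `parse_call_packet`.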
BRIEF DESCRIPTION OF THE DRAWINGS
The present invention will be understood and appreciated more fully from the following detailed description taken in conjunction with the drawings in which:
Fig. 1 is a schematic illustration of a network, according to an exemplary embodiment of the invention;
Fig. 2 is a schematic illustration of an alternative configuration of a network, according to an exemplary embodiment of the invention;
Fig. 3 is a flow diagram of the process of handling an authorized call, according to an exemplary embodiment of the invention;
Fig. 4 is a flow diagram of the process of handling a fraudulent call, according to an exemplary embodiment of the invention.
DETAILED DESCRIPTION
Fig. 1 is a schematic illustration of a network 100, according to an exemplary embodiment of the invention. In an exemplary embodiment of the invention, network 100 comprises multiple clients or client networks, which are interconnected over an IP based network 170, for example the Internet. In some embodiments of the invention, network 170 is a private network interconnecting clients to a service provider, with or without providing the clients with direct access to the internet.
A client requesting access to VoIP services is connected over a network to the service provider. As an example such a client may be a single user or may be a network with many users, for example a LAN. Additionally, the client connection may be over cables or wireless. Optionally, a client location may comprise a firewall 160 to protect the client network, a router 150 to route communication from the client network to network 170 and one or more switches or hubs 130 to connect multiple client stations at the client site. In some embodiments of the invention, the client station 190 is optionally a personal computer, a PDA, a smart phone or an IP telephone. Alternatively or additionally, the client station may be a standard communication device, such as an analog telephone, a fax machine or a standard PSTN system which is connected via a gateway 180 to the client network.
In an exemplary embodiment of the invention, the service provider provides a gatekeeper 140 to handle address translation and control call allocation. Optionally, the service provider additionally provides a billing system 120, which comprises a database that is updated with details of all subscribers to the VoIP service, for example client identity and charge plan. In an exemplary embodiment of the invention, billing system 120 keeps track of client usage of the service, the client's billing charges and payments.
In some embodiments of the invention, billing system 120 is combined with gatekeeper 140 or there is a direct connection between them. Alternatively, billing system 120 may be connected to the gatekeeper over a network, for example a LAN or a WAN (e.g. the Internet).
In an exemplary embodiment of the invention, the service provider provides a mediation device 110 to monitor the packets in the network and authenticate call packets with billing system 120. In an exemplary embodiment of the invention, mediation device 110 is positioned at the client location. Optionally, mediation device 110 may monitor packet traffic between router 150 and switch 130 or between router 150 and firewall 160. Alternatively or additionally, mediation device 110 may monitor packet traffic between switch 130 and each communication device 190. Optionally, the monitoring position is selected to monitor packets in an unencrypted form to simplify mediation device 110. However in some embodiments of the invention, mediation device 110 may monitor encrypted packets.
In some embodiments of the invention, mediation device 110 is a dedicated device, which monitors packets, for example a personal computer programmed for the task or a special circuit. Alternatively mediation device 110 is optionally a circuit or element that is installed in communication devices 190, switch 130, router 150 and/or firewall 160.
In some embodiments of the invention, the service provider may require installation of mediation device 110 at the location of every subscriber, for example by supplying a dedicated router 150 or dedicated communication device 190 for use with the service. Alternatively, mediation device 110 is optionally installed at an Internet Service Provider (ISP) to monitor all incoming traffic from clients.
Fig. 2 is a schematic illustration of an alternative configuration of a network 200, according to an exemplary embodiment of the invention. In the configuration illustrated in Fig. 2, IP based network 270 is optionally a private network controlled by the VoIP service provider that connects between clients, for example by direct cables, satellite, wireless transmissions, leased lines from a telephony service provider or any other type of connection. In network 200, optionally all communication packets are routed under the control of the service provider. In an exemplary embodiment of the invention, mediation device 110 is installed in network 270 under control of the service provider. Optionally, mediation device 110 is positioned to monitor communication packets between router 150 and switch 130 in network 270. Alternatively, any other enabling layout may be used to allow mediation device 110 to monitor the packets in the network. In some embodiments of the invention, more than one mediation device 110 is used by the service provider. Alternatively, one mediation device 110 monitors multiple communication paths in network 170 and/or network 270.
Fig. 3 is a flow diagram 300 of the process of handling an authorized call, according to an exemplary embodiment of the invention. In an exemplary embodiment of the invention, an authorized client (e.g. B) initiates (310) a call, for example by lifting the receiver of a VoIP telephone and dialing the number of another authorized client (e.g. A). Optionally, the call is routed (320) via gatekeeper 140 to receive the address of the other client station and optionally, authenticate (330) the callers.
In an exemplary embodiment of the invention, mediation device 110 detects (340) packets associated with the call based on the contents of communication packets. In some embodiments of the invention, VoIP calls are set up using the H.323 protocol or SIP protocol. However, the methods described herein can be practiced using other protocols. In some protocols mediation device 110 performs authentication of calls from any call packet, for example using the source and destination addresses of the packet. Optionally, billing system 120 is updated by gatekeeper 140 with translation tables if needed to match between IP addresses and user identifications.
In some embodiments of the invention, authentication is performed only for initialization packets, termination packets or other specific packets of a call, since authentication of other packets would be redundant, more complex and/or problematic because some packets may not contain the details needed to identify the caller and/or call receiver. Optionally, mediation device 110 reconstructs a higher level message from multiple packets in order to extract the identities and/or addresses of the call participants.
In an exemplary embodiment of the invention, the information needed for authentication comprises the identity of the client that initiated the call and the identity of the client that is receiving the call. Optionally, a packet that only identifies one of the clients is authenticated for the identified client. In some embodiments of the invention, only the call initiator needs to be authenticated since the initiator pays for the call. Optionally, calls can be transmitted to clients of other service providers or to clients of non VoIP systems. However, in some embodiments of the invention, all participants need to be registered at the service provider in order to use the service. In some embodiments of the invention, some call packets may identify more than two participants, for example in a conference call. Optionally, mediation device 110 authenticates all participants.
In an exemplary embodiment of the invention, mediation device 110 transmits the client details to billing system 120 to authenticate (350) the call, for example by checking that the client is listed in the billing system data base and/or that the client pays for the service and there is no reason to prevent the client from receiving service.
In some embodiments of the invention, mediation device 110 may be combined with billing system 120 or have a direct connection to billing system 120, for example in a network 270 to eliminate the need for transmitting authentication requests.
In the case that the call is an authorized call, a positive answer is received from billing system 120 and the call continues (360) since no further action is taken by mediation device 110. Optionally, if no answer is received from billing system 120, for example due to packet loss or problems with billing system 120, no further action is taken. Alternatively, if no answer is received, mediation device 110 may be programmed to respond as if the call is a fraudulent call as will be described below. In some embodiments of the invention, the response if no answer is received may depend on the type of call, for example a call that is expensive for the service provider may be dealt with, while other calls will be ignored.
In a VoIP calling system there may be many types of fraudulent calls, for example:
1. using service provider system resources without registering and paying for the service, such as a call from a non authorized client to another client by circumventing the gatekeeper;
2. calling without having the call recorded - although registered, such as a call from an authorized client to another client circumventing the gatekeeper;
3. continuing a call after the client station notifies billing system 120 that the call terminated in order to stop charges;
4. calling and not paying, such as a client that does not pay or has outstanding unpaid debts to the service provider; and
5. using unauthorized services by a registered client, for example a registered client that is using a service that was not authorized for his/her use, such as a voice subscriber conducting a video call.
Some methods of fraud can be detected by mediation device 110 from the packets themselves without querying billing system 120, for example a call initialization packet using the H.323 protocol which is not directed to the gatekeeper. However, some methods of fraud can only be determined by checking with billing system 120. Additionally, some packets using certain protocols can only be authenticated by billing system 120.
Fig. 4 is a flow diagram 400 of the process of handling a fraudulent call, according to an exemplary embodiment of the invention. In an exemplary embodiment of the invention, a client initiates a call (410) that circumvents the gatekeeper, for example by programming communication device 190 to initiate a call directly between clients. It should be noted that in some cases of fraud the initialization is the same as in an authorized call such as described in association with Fig. 3 - (320) and (330) and the fraud starts at a later stage for example by faking call termination while continuing the conversation as described above.
In an exemplary embodiment of the invention, mediation device 110 monitors communication packets in the network and detects (420) packets of a call. In some embodiments of the invention, mediation device 110 is programmed to detect specific types of call packets, for example call initialization packets and/or call termination packets. Alternatively, mediation device 110 detects all call packets or substantially all call packets.
In an exemplary embodiment of the invention, mediation device 110 checks (430) the authentication of the call. In some cases mediation device 110 is able to detect immediately that the call is fraudulent and does not need to transmit the identities of the participants to billing system 120. Alternatively, mediation device 110 transmits a query regarding the identity of the callers to billing system 120 for authentication. In some embodiments of the invention, billing system 120 authenticates that the clients are registered and approved to receive the service from the service provider. Optionally, billing system 120 authenticates that the clients do not have outstanding debt.
In some embodiments of the invention, billing system 120 is notified of billing details while a call is in progress. Optionally, mediation device 110 is able to confirm if a call is currently being charged to the client, in order to identify fraudulent calls which managed to bypass the standard charge process. In some embodiments of the invention, mediation device 110 and/or billing system 120 query gatekeeper 140 to verify details that are only known to the gatekeeper, for example in some configurations details of billing of calls in progress.
In some embodiments of the invention, mediation device 110 monitors all packets in the network. Alternatively, mediation device 110 monitors packets randomly or periodically, for example every few seconds.
In some embodiments of the invention, mediation device 110 handles a single call at a time, ignoring any other packets until resolving authentication for the packet being handled. Alternatively, mediation device 110 deals with more than one packet as detected according to its ability, for example mediation device 110 may have a limitation on the number of open queries it can handle. Optionally, mediation device 110 will initiate queries up to the number it can handle and postpone or skip any further checking until it closes some of the open queries for example after receiving a response or after timing out due to a lack of response.
In an exemplary embodiment of the invention, when a fraudulent call is detected, mediation device 110 notifies (440) firewall 160 to block the fraudulent call. Optionally, firewall 160 is set to block the packets of a specific call or to block a specific client. In some embodiments of the invention, firewall 160 blocks the call initiator or call receiver from transmitting packets. Alternatively, firewall 160 blocks the reception of packets by the call initiator or call receiver. In either case at least one side of the call will not receive the call packets since they are blocked. As a result the clients will not be able to have a conversation and will terminate the call. In some embodiments of the invention, both sides are blocked by firewall 160.
In an exemplary embodiment of the invention, firewall 160 will continue to block the call until mediation device 110 detects (450) a call termination packet for the call. Optionally, upon detecting a call termination, mediation device 110 instructs (460) firewall 160 to remove the block. In some embodiments of the invention, mediation device 110 instructs (460) firewall 160 to remove the block after a predetermined time interval, for example after about 1-10 minutes or about 1-60 seconds, since the clients would be expected to terminate the call if nothing can be heard. In any case mediation device 110 can re-block the call if it is detected again.
In some embodiments of the invention, mediation device 110 also serves as a firewall and is able to block packets (e.g. erase them or return them) and not only monitor them; for example, mediation device 110 may optionally be combined with router 150, switch 130, firewall 160 or communication device 190. Optionally, instead of notifying firewall 160 to block a client, it will erase the packets of a call once determining that the call is fraudulent.
In some embodiments of the invention, mediation device 110 supports instructing specific firewalls 160. Alternatively or additionally, mediation device 110 can be programmed to instruct other firewalls 160.
In some embodiments of the invention, mediation device 110 updates billing system 120 and/or gatekeeper 140 with the details of monitored calls in order to assist in verifying billing of the detected calls and/or to allow billing of calls that would otherwise go undetected. In some embodiments of the invention, billing system 120 and/or gatekeeper 140 build a list of client identities used for fraudulent calls. Optionally, calls detected with a client from this list may be automatically blocked or checked with more scrutiny, for example by checking the payment history of the client.
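The processes of Figs. 3 and 4 (detecting call packets, authenticating the initiator with the billing system, instructing the firewall, lifting the block on a termination packet, and keeping a list of identities used for fraudulent calls) as an added, self-contained example; this is not the patent's or the applicant's code. It assumes SIP signalling, assumes that signalling of authorized calls is addressed to the gatekeeper's address (constructed as 10.0.0.5), and uses constructed subscriber records and constructed sample messages.

```python
import re
from dataclasses import dataclass, field

GATEKEEPER_ADDR = "10.0.0.5"  # constructed address of gatekeeper 140


@dataclass
class BillingSystem:
    """Billing system 120 (constructed records); reachable=False simulates a lost query."""
    subscribers: dict        # identity -> {"registered": bool, "debt": bool}
    reachable: bool = True

    def authenticate(self, identity):
        if not self.reachable:
            return None      # no answer at all: step 350 goes unanswered
        rec = self.subscribers.get(identity)
        return bool(rec and rec["registered"] and not rec["debt"])


class Firewall:              # firewall 160: blocks the packets of specific calls (step 440)
    def __init__(self): self.blocked_calls = set()
    def block(self, call_id): self.blocked_calls.add(call_id)
    def unblock(self, call_id): self.blocked_calls.discard(call_id)


def parse_sip(payload):
    """Caller, callee and Call-ID from a SIP INVITE (initialisation) or BYE (termination).
    Media packets, and requests lacking the headers that identify the parties, give None."""
    lines = payload.split("\r\n")
    m = re.match(r"^(INVITE|BYE) ", lines[0])
    if not m:
        return None
    hdrs = {k.strip().lower(): v.strip() for k, v in (ln.split(":", 1) for ln in lines[1:] if ":" in ln)}
    try:
        uri = lambda h: re.search(r"sip:([^>;\s]+)", hdrs[h]).group(1)
        return {"method": m.group(1), "from": uri("from"), "to": uri("to"), "call_id": hdrs["call-id"]}
    except (KeyError, AttributeError):
        return None


@dataclass
class MediationDevice:
    """Mediation device 110; block_on_no_answer selects the policy when billing does not respond."""
    billing: BillingSystem
    firewall: Firewall
    block_on_no_answer: bool = False
    fraud_list: set = field(default_factory=set)   # identities seen in fraudulent calls

    def handle(self, src, dst, payload):
        msg = parse_sip(payload)
        if msg is None:
            return "ignored"                            # not a call packet that is authenticated
        if msg["method"] == "BYE":                      # steps 450/460: termination lifts the block
            was_blocked = msg["call_id"] in self.firewall.blocked_calls
            self.firewall.unblock(msg["call_id"])
            return "unblocked" if was_blocked else "terminated"
        if dst != GATEKEEPER_ADDR:                      # INVITE sent straight to the peer: no query needed
            return self._block(msg, "bypassed gatekeeper")
        answer = self.billing.authenticate(msg["from"]) # only the initiator pays, so only it is checked
        if answer is None:
            return self._block(msg, "no answer") if self.block_on_no_answer else "allowed (no answer)"
        return "allowed" if answer else self._block(msg, "not authorized")

    def _block(self, msg, reason):
        self.firewall.block(msg["call_id"])
        self.fraud_list.add(msg["from"])
        return f"blocked: {reason}"


# Constructed sample signalling, as the device would see it on the client LAN
INVITE = ("INVITE sip:bob@example.net SIP/2.0\r\nFrom: <sip:{caller}>\r\n"
          "To: <sip:bob@example.net>\r\nCall-ID: {cid}\r\n\r\n")
BYE = INVITE.replace("INVITE", "BYE", 1)


def demo():
    billing = BillingSystem({"alice@example.net": {"registered": True, "debt": False},
                             "carol@example.net": {"registered": True, "debt": True}})
    md = MediationDevice(billing, Firewall())
    results = [md.handle("10.1.1.10", GATEKEEPER_ADDR, INVITE.format(caller="alice@example.net", cid="c1")),
               md.handle("10.1.1.11", GATEKEEPER_ADDR, INVITE.format(caller="carol@example.net", cid="c2")),
               md.handle("10.1.1.10", "10.1.1.20", INVITE.format(caller="alice@example.net", cid="c3")),
               md.handle("10.1.1.10", "10.1.1.20", BYE.format(caller="alice@example.net", cid="c3")),
               md.handle("10.1.1.10", "10.1.1.20", "\x80\x00\x12\x34")]  # RTP media, not signalling
    return results, sorted(md.firewall.blocked_calls), sorted(md.fraud_list)
```

`demo()` walks one authorized call, one call from a client with outstanding debt, one call that bypasses the gatekeeper together with its later BYE, and one media packet, returning the device's decisions, the firewall's remaining block list and the fraud list.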
It should be appreciated that the above described methods may be varied in many ways, including omitting or adding steps, changing order of the steps and the type of devices used. It should be appreciated that different features may be combined in different ways. In particular, not all the features shown above in a particular embodiment are necessary in every embodiment of the invention. Further combinations of the above features are also considered to be within the scope of some embodiments of the invention. Section headings are provided for assistance in navigation and should not be considered as necessarily limiting the contents of the section.
It will be appreciated by persons skilled in the art that the present invention is not limited to what has been particularly shown and described hereinabove. Rather the scope of the present invention is defined only by the claims which follow.

Claims

1. A method of detecting fraud in a packet network, comprising: monitoring communication packets in the network; detecting one or more packets of a call; determining the identity of one or more participants of the call from the detected packets; transmitting a query with the determined identity to a billing system for authentication; and waiting for a response from the billing system.
2. A method according to claim 1, wherein said monitoring comprises monitoring all packets in the network.
3. A method according to claim 1, wherein said monitoring comprises randomly monitoring packets in the network.
4. A method according to claim 1, wherein said monitoring comprises periodically monitoring packets in the network.
5. A method according to claim 1, wherein said detecting comprises detecting specific types of call packets.
6. A method according to claim 5, wherein said detecting comprises detecting call initialization packets.
7. A method according to claim 1, wherein said determining is at least of the identity of the call initiator.
8. A method according to claim 1, wherein said determining is at least of the identity of the call receptor.
9. A method according to claim 1, wherein said determining is of the identity of all call participants.
10. A method according to claim 1, wherein said billing system is adapted to authenticate that a client is registered for initiating calls.
11. A method according to claim 1, wherein said billing system is adapted to authenticate that a client is registered for receiving calls.
12. A method according to claim 1, wherein said billing system is adapted to authenticate that the call is registered.
13. A method according to claim 1, wherein said transmitting is over a direct connection.
14. A method according to claim 1, wherein said monitoring continues while waiting for a response from said billing system.
15. A method according to claim 1, wherein said monitoring continues after commencing said waiting.
16. A method according to claim 1, further comprising selectively instructing a firewall to block future call packets of the call responsive to said authentication.
17. A method according to claim 16, wherein said firewall blocks packets of a call until a termination packet is detected for the call.
18. A method according to claim 16, wherein said firewall blocks packets of a call for a selected time interval.
19. A system for detecting fraud calls in a packet network comprising: a mediation device that detects call packets in the network and determines one or more caller identities; a billing system that comprises a database of registered clients that are authenticated to conduct calls; a firewall that is adapted to block call packets from being transmitted between two or more clients; wherein said mediation device queries said billing system to authenticate said determined call participant identities; and wherein said mediation device instructs said firewall to block communications from a remote communication device responsive to the status of authentication received from said billing system.
20. A system according to claim 19, wherein said mediation device is positioned in the network between said firewall and a communication device that initiates the call.
21. A system according to claim 19, wherein said mediation device is positioned in the network between said firewall and a communication device that receives the call.
PCT/IL2005/000996 2005-09-15 2005-09-15 Authentication of calls in packet networks WO2007031980A1 (en)

Publications (1)

Publication Number Publication Date
WO2007031980A1 true WO2007031980A1 (en) 2007-03-22

Family

ID=37864647

Country Status (1)

Country Link
WO (1) WO2007031980A1 (en)

Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application
NENP Non-entry into the national phase

Ref country code: DE

122 Ep: pct application non-entry in european phase

Ref document number: 05779426

Country of ref document: EP

Kind code of ref document: A1