<html>
<head>
<meta content="text/html; charset=windows-1251"
http-equiv="Content-Type">
</head>
<body bgcolor="#FFFFFF" text="#000000">
<p><tt>The "sequential-calls" is the only statistic which may also
benefit from a periodical reset (daily / weekly / monthly,
etc.). IMO, calls-per-min / total-calls / concurrent-calls
_should not_ reset to 0 at midnight.</tt><br>
</p>
<p><tt>Since a rule's "sequential-calls" cannot be easily reused
with multiple reset intervals (it requires either small/big
numbers), a check_fraud() parameter will not work so well. This
information should be tied to the rule, either in a simplistic
string "flags" column (with "d"/"w"/"m" as values), or we could
even re-design "sequential_calls" into "seq_daily" /
"seq_weekly" / "seq_monthly" and concurrently monitor 0 - 3 of
them, depending on their values.</tt><br>
</p>
<pre class="moz-signature" cols="72">Liviu Chircu
OpenSIPS Developer
<a class="moz-txt-link-freetext" href="http://www.opensips-solutions.com">http://www.opensips-solutions.com</a></pre>
<div class="moz-cite-prefix">On 14.11.2016 12:17, Denis wrote:<br>
</div>
<blockquote cite="mid:72829925.20161114131704@ptl.ru" type="cite">
<title>Re: [OpenSIPS-Users] Fraud_detection module</title>
<span style=" font-family:'Times New Roman'; font-size: 12pt;">Hello,
Liviu!<br>
<br>
Thank you very much for your answer!<br>
I understood my main mistake. I thought that "call duration" was
the total value for all calls, not of only one.<br>
OK, "<span style=" font-family:'courier new';">sequential-calls<span
style=" font-family:'Times New Roman';">" may be the thing
which can help to avoid such a situation, but the main problem
is (as you wrote in the previous letter) that this
value doesn't go to 0 in the next period.<br>
Because of this I had to increase this value to 5000,
otherwise I blocked honest users.<br>
Can "<span style=" font-family:'courier new';">sequential-calls<span
style=" font-family:'Times New Roman';">" be set to 0 at
the next period?<br>
<br>
</span></span></span></span></span><a
moz-do-not-send="true" style=" font-family:'arial'; font-size:
10pt;" href="mailto:denis7979@mail.ru">mailto:denis7979@mail.ru</a><br>
<br>
<table bgcolor="#ffffff">
<tbody>
<tr>
<td bgcolor="#0000ff" width="2"><br>
</td>
<td><span style=" font-family:'courier new'; font-size:
12pt;">Hi, Denis!<br>
First of all, thank you for taking the time to gather
this nice data! Looking at the calls, to me it looks
like the module behaved as expected. Here are some
thoughts:<br>
- all call durations were under 1500 seconds, while
your fraud rule is set to 3600 seconds, so it never got
triggered.<br>
- the "calls-per-minute" rule worked! Your rule was set
to max 6 cpm, thus calls #7 - #9 to prefix "810" were
considered fraudulent (at 01:41), as the caller was
starting to exceed this quota. The proper critical
warnings were raised, calls blocked, emails sent.<br>
- the attacker now _learned_ about your 6 cpm limitation
and _lowered_ his cpm to 3 during the following 10 hours
(until 11:08), thus bypassing the cpm rate limiting,
managing to place 21 fraudulent calls.<br>
It seems like the 21 successful fraudulent calls between
03:06 - 11:08 could _maybe_ have been avoided by setting
a better value for "sequential-calls". This is a bit
tricky though, as we also don't want to block calls of
honest users because of false positives.<br>
Regards,<br>
Liviu Chircu<br>
OpenSIPS Developer<br>
</span><a moz-do-not-send="true" style="
font-family:'courier new'; font-size: 12pt;"
href="http://www.opensips-solutions.com">http://www.opensips-solutions.com</a><br>
<span style=" font-family:'times new roman'; font-size:
12pt;">On 11.11.2016 09:38, Denis wrote:<br>
</span>
<table>
<tbody>
<tr>
<td bgcolor="#3200ff" width="2"><br>
</td>
<td><span style=" font-family:'times new roman';
font-size: 12pt;">Re: [OpenSIPS-Users]
Fraud_detection module Hello, Liviu!<br>
<br>
OK, thank you.<br>
<br>
Additionally, I will ask you to analyze one case.<br>
In the attachment you can find a log of calls which
were made by one user some time ago (with the
number 1234567). It's fraud.<br>
Also i attached a piece of opensips.cfg related
to a fraud detection (see script.txt). When
critical event triggered Opensips sends email to
some address (see script.txt).<br>
<br>
As you can see in the call log, fraud began at
01:40 2016-10-01. The value "fraud_detected" of the
field "sip_reason" means that the fraud module
detected the fraud and the call was discarded by
the script (see script.txt).<br>
The first email about that I received at 01:41 with
fraud param "calls per minute".<br>
The next email I received only at 11:08 with fraud
param "total calls".<br>
<br>
Between these two time stamps I have no emails
about fraud, and as you can see from the call
log, there were many successful calls in this
period with "big" duration.<br>
<br>
The fraud_detection table had the following content:<br>
profileid = 1<br>
prefix = 810<br>
start_hour = 00:00<br>
end_hour = 23:59<br>
daysoftheweek = Mon-Sun<br>
cpm_critical = 6<br>
call_duration_critical = 3600<br>
total_calls_critical = 30<br>
concurrent_calls_critical = 30<br>
sequential_calls_critical = 5000<br>
<br>
The question is:<br>
- Why didn't the module detect fraud based on "call
duration"?<br>
<br>
Thank you.<br>
<br>
</span><a moz-do-not-send="true" style="
font-family:'arial'; font-size: 10pt;"
href="mailto:denis7979@mail.ru">mailto:denis7979@mail.ru</a><br>
<br>
<table bgcolor="#ffffff">
<tbody>
<tr>
<td bgcolor="#0000ff" width="2"><br>
</td>
<td><span style=" font-family:'courier new';
font-size: 12pt;">Upon looking through
the source code, it seems that
calls_per_min / total_calls /
concurrent_calls are also reset to 0
every time a new rule is matched, or if
the day has changed since we last
matched the current rule.<br>
I will make sure this info ^ is more
easily accessible: either in a new
tutorial section or the module doc.<br>
Regards,<br>
Liviu Chircu<br>
OpenSIPS Developer<br>
</span><a moz-do-not-send="true" style="
font-family:'courier new'; font-size:
12pt;"
href="http://www.opensips-solutions.com">http://www.opensips-solutions.com</a><br>
<span style=" font-family:'times new
roman'; font-size: 12pt;">On 10.11.2016
16:29, Denis wrote:<br>
</span>
<table>
<tbody>
<tr>
<td bgcolor="#3200ff" width="2"><br>
</td>
<td><span style=" font-family:'times
new roman'; font-size: 12pt;">Re:
[OpenSIPS-Users] Fraud_detection
module <br>
</span>
<table>
<tbody>
<tr>
<td bgcolor="#0000ff"
width="2"><br>
</td>
<td><span style="
font-family:'times new
roman'; font-size:
12pt;">Hello, Liviu!<br>
<br>
Thank you for your
answer.<br>
<br>
About 2)<br>
<br>
"Calls per minute" - ok,
but what about other
parameters?<br>
For example, "total
calls"?<br>
Suppose we have 09:00 -
17:00, Mon-Fri, and
"total calls" = 30.<br>
If on Monday the user makes 25
calls, does the count of "total
calls" on Tuesday from 09:00 begin
from 0 or
25?<br>
<br>
</span><a
moz-do-not-send="true"
style="
font-family:'arial';
font-size: 10pt;"
href="mailto:d.putyato@ptl.ru">mailto:denis7979@mail.ru</a><br>
<br>
<table bgcolor="#ffffff">
<tbody>
<tr>
<td
bgcolor="#0000ff"
width="2"><br>
</td>
<td><span style="
font-family:'courier
new'; font-size:
12pt;">Hi,
Denis!<br>
Answers below.<br>
Regards,<br>
Liviu Chircu<br>
OpenSIPS
Developer<br>
</span><a
moz-do-not-send="true"
style="
font-family:'courier
new'; font-size:
12pt;"
href="http://www.opensips-solutions.com">http://www.opensips-solutions.com</a><br>
<span style="
font-family:'times
new roman';
font-size:
12pt;">On
10.11.2016
15:18, Denis
wrote:<br>
</span>
<table>
<tbody>
<tr>
<td
bgcolor="#3200ff"
width="2"><br>
</td>
<td><span
style="
font-family:'times
new roman';
font-size:
12pt;">Re:
Fraud_detection
module <br>
</span>
<table>
<tbody>
<tr>
<td
bgcolor="#0000ff"
width="2"><br>
</td>
<td><span
style="
font-family:'times
new roman';
font-size:
12pt;">Hello!<br>
<br>
Opensips 2.2.1<br>
<br>
A couple of
questions
about
fraud_detection:<br>
<br>
1) The
documentation
says "<span
style="
font-size:
10pt; color:
#666666;"><b>consecutive
calls</b> to
the same
destination <span
style="
font-size:
12pt; color:
#000000;">".
Same
destination =
same number,
or prefix?</span></span></span></td>
</tr>
</tbody>
</table>
</td>
</tr>
</tbody>
</table>
<span style="
font-family:'courier
new'; font-size:
12pt;">Same
prefix, taken
from the fraud
detection rule <br>
</span>
<table>
<tbody>
<tr>
<td
bgcolor="#6400ff"
width="2"><br>
</td>
<td>
<table>
<tbody>
<tr>
<td><span
style="
font-family:'times
new roman';
font-size:
12pt;">2) At
the beginning
of the next
period, do the
counts of
events begin at
0?</span></td>
</tr>
</tbody>
</table>
</td>
</tr>
</tbody>
</table>
<span style="
font-family:'courier
new'; font-size:
12pt;">The
module uses a
gliding window
of 60 seconds,
in order to keep
track of "calls
per minute".
When changing
time intervals,
hence putting
new thresholds
in place, the
"calls per
minute" will not
reset. In other
words, when
switching
intervals, the
new "calls per
minute"
thresholds will
initially work
with calls
placed during
the last minute
when the old
thresholds were
in place. <br>
</span>
<table>
<tbody>
<tr>
<td
bgcolor="#9600ff"
width="2"><br>
</td>
<td>
<table>
<tbody>
<tr>
<td><span
style="
font-family:'times
new roman';
font-size:
12pt;">3) Is
there any
method to
reset the counts
of events for a
certain user?</span></td>
</tr>
</tbody>
</table>
</td>
</tr>
</tbody>
</table>
<span style="
font-family:'times
new roman';
font-size:
12pt;">Currently
there is no way
of doing this.<br>
<br>
</span>
<table>
<tbody>
<tr>
<td
bgcolor="#c800ff"
width="2"><br>
</td>
<td>
<table>
<tbody>
<tr>
<td><span
style="
font-family:'times
new roman';
font-size:
12pt;">4)
What is the
value used to
calculate
duration in
fraud_module,
minutes or
seconds?</span></td>
</tr>
</tbody>
</table>
</td>
</tr>
</tbody>
</table>
<span style="
font-family:'times
new roman';
font-size:
12pt;">It should
be "seconds", I
will fix the
misleading
example in the
tutorial. <br>
</span>
<table>
<tbody>
<tr>
<td
bgcolor="#fa00ff"
width="2"><br>
</td>
<td><span
style="
font-family:'times
new roman';
font-size:
12pt;">______________________________________________
<br>
<span style="
font-family:'courier new';">Users mailing list<br>
</span></span><a
moz-do-not-send="true" style=" font-family:'courier new'; font-size:
12pt;"
href="mailto:Users@lists.opensips.org">Users@lists.opensips.org</a><br>
<a
moz-do-not-send="true"
style="
font-family:'courier
new';
font-size:
12pt;"
href="http://lists.opensips.org/cgi-bin/mailman/listinfo/users">http://lists.opensips.org/cgi-bin/mailman/listinfo/users</a></td>
</tr>
</tbody>
</table>
</td>
</tr>
</tbody>
</table>
</td>
</tr>
</tbody>
</table>
</td>
</tr>
</tbody>
</table>
</td>
</tr>
</tbody>
</table>
</td>
</tr>
</tbody>
</table>
</td>
</tr>
</tbody>
</table>
</blockquote>
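<p><tt>Added example (Python, not code from OpenSIPS or from anyone in this thread): a small model of the three statistics discussed above, run over a constructed call log shaped like the one Denis describes. It keeps "calls per minute" as a gliding 60-second window that is never reset, "total calls" as a counter that restarts when the day changes, and "sequential calls" as a counter that never resets, with an optional daily reset standing in for the "seq_daily" idea. The comparison rule (flag when a counter exceeds the critical value), the assumption that blocked calls still count towards the other statistics, the class and function names, and every timestamp are assumptions made for this example, not module behaviour read from the source.</tt></p>

```python
# Added example (not OpenSIPS code): a small Python model of the
# fraud_detection statistics discussed in this thread, run over a
# constructed call log shaped like the one Denis describes.
# Assumptions (not from the module source): a call is flagged when a
# counter *exceeds* its critical threshold (matches "max 6 cpm -> calls
# #7-#9 flagged"), flagged calls still count towards the other statistics,
# and seq_reset_daily is the hypothetical "seq_daily" variant floated in
# the thread, not an existing module option.
from collections import deque
from datetime import datetime, timedelta


class FraudCounters:
    """Counters for one (user, prefix) pair matched by one fraud rule."""

    def __init__(self, cpm_critical, total_calls_critical,
                 seq_calls_critical, seq_reset_daily=False):
        self.cpm_critical = cpm_critical
        self.total_calls_critical = total_calls_critical
        self.seq_calls_critical = seq_calls_critical
        self.seq_reset_daily = seq_reset_daily
        self.window = deque()   # timestamps of calls seen in the last 60 s
        self.day = None         # day the total-calls counter belongs to
        self.total_calls = 0
        self.seq_day = None
        self.seq_calls = 0

    def check(self, ts):
        """Register one call attempt at datetime ts; return the reasons raised."""
        reasons = []

        # calls-per-minute: gliding 60 s window; it is never reset when a
        # new time interval (with new thresholds) comes into force
        while self.window and ts - self.window[0] > timedelta(seconds=60):
            self.window.popleft()
        self.window.append(ts)
        if len(self.window) > self.cpm_critical:
            reasons.append("calls per minute")

        # total-calls: starts again from 0 when the day changes
        if self.day != ts.date():
            self.day = ts.date()
            self.total_calls = 0
        self.total_calls += 1
        if self.total_calls > self.total_calls_critical:
            reasons.append("total calls")

        # sequential-calls: as described in the thread it never resets;
        # the optional daily reset is the hypothetical seq_daily behaviour
        if self.seq_reset_daily and self.seq_day != ts.date():
            self.seq_day = ts.date()
            self.seq_calls = 0
        self.seq_calls += 1
        if self.seq_calls > self.seq_calls_critical:
            reasons.append("sequential calls")
        return reasons


def run(calls, counters):
    """Feed call timestamps in order; return (call_no, ts, reasons) for flagged calls."""
    flagged = []
    for call_no, ts in enumerate(calls, start=1):
        reasons = counters.check(ts)
        if reasons:
            flagged.append((call_no, ts, reasons))
    return flagged


def attacker_calls():
    """Constructed log (not Denis's attachment): a 9-call burst at 01:40, then
    bursts of 3 calls within a minute roughly every 70 minutes, then one more
    call at 11:08, all to the same rule's prefix on 2016-10-01."""
    burst = [datetime(2016, 10, 1, 1, 40, 0) + timedelta(seconds=10 * i)
             for i in range(9)]
    slow = [datetime(2016, 10, 1, 3, 6, 0) + timedelta(minutes=70 * k, seconds=20 * j)
            for k in range(7) for j in range(3)]
    return burst + slow + [datetime(2016, 10, 1, 11, 8, 0)]


def honest_calls():
    """Constructed log: an honest user placing 2 calls a day for 20 days."""
    start = datetime(2016, 10, 3, 9, 0, 0)
    return [start + timedelta(days=d, hours=h)
            for d in range(20) for h in (0, 5)]


if __name__ == "__main__":
    # Denis's rule: cpm 6, total 30, sequential 5000 -> the attacker is caught
    # only at calls 7-9 (cpm) and at call 31 (total calls); 21 calls pass
    for hit in run(attacker_calls(), FraudCounters(6, 30, 5000)):
        print("attacker", hit)
    # A tighter sequential threshold without a reset punishes the honest user
    # after 15 days, whereas the same threshold with a daily reset does not
    print("honest, seq=30, no reset:", run(honest_calls(), FraudCounters(6, 30, 30)))
    print("honest, seq=30, daily   :", run(honest_calls(), FraudCounters(6, 30, 30, True)))
```

<p><tt>Running it reproduces the shape of the thread: the attacker is flagged only at calls 7, 8, 9 (calls per minute) and 31 (total calls), with the 21 slow-rate calls in between passing every check, while the honest user is flagged by a sequential threshold of 30 only when that counter is never reset.</tt></p>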
<br>
</body>
</html>