<html><head><title>Re: [OpenSIPS-Users] Fraud_detection module</title>
</head>
<body>
<span style=" font-family:'Times New Roman'; font-size: 12pt;">Ok, Liviu, where this realization can be expected (if any)?<br>
<br>
Thank you.<br>
<br>
</span><a style=" font-family:'arial'; font-size: 10pt;" href="mailto:denis7979@mail.ru">mailto:denis7979@mail.ru</a><br>
<br>
<table bgcolor="#ffffff">
<tr>
<td width=2 bgcolor= #0000ff><br>
</td>
<td><span style=" font-family:'courier new'; font-size: 12pt;">The "sequential-calls" is the only statistic which may also benefit from a periodical reset (daily / weekly / monthly, etc.). IMO, calls-per-min / total-calls / concurrent-calls _should not_ reset to 0 at midnight.<br>
Since a rule's "sequential-calls" cannot be easily reused with multiple reset intervals (it requires either small/big numbers), a check_fraud() parameter will not work so well. This information should be tied to the rule, either in a simplistic string "flags" column (with "d"/"w"/"m" as values), or we could even re-design "sequential_calls" into "seq_daily" / "seq_weekly" / "seq_monthly" and concurrently monitor 0 - 3 of them, depending on their values.<br>
Liviu Chircu<br>
OpenSIPS Developer<br>
</span><a style=" font-family:'courier new'; font-size: 12pt;" href="http://www.opensips-solutions.com">http://www.opensips-solutions.com</a><br>
<span style=" font-family:'times new roman'; font-size: 12pt;">On 14.11.2016 12:17, Denis wrote:<br>
</span><table>
<tr>
<td width=2 bgcolor= #3200ff><br>
</td>
<td><span style=" font-family:'times new roman'; font-size: 12pt;">Re: [OpenSIPS-Users] Fraud_detection module Hello, Liviu!<br>
<br>
Thank you very much for your answer!<br>
I understood my main mistake. I thought that "call duration" is the total value for all calls but not of only one.<br>
Ok, "<span style=" font-family:'courier new';">sequential-calls<span style=" font-family:'times new roman';">" may be that thing which can help to avoid such situation, but the main problem is (and as you wrote in the previous letter), that this value doesn`t go to 0 at the next period.<br>
Because of this i have to increase this value to 5000, otherwise i blocked honest users.<br>
Can "<span style=" font-family:'courier new';">sequential-calls<span style=" font-family:'times new roman';">" be set to 0 at the next period?<br>
<br>
</span></span></span></span></span><a style=" font-family:'arial'; font-size: 10pt;" href="mailto:denis7979@mail.ru">mailto:denis7979@mail.ru</a><br>
<br>
<table bgcolor="#ffffff">
<tr>
<td width=2 bgcolor= #0000ff><br>
</td>
<td><span style=" font-family:'courier new'; font-size: 12pt;">Hi, Denis!<br>
First of all, thank you for taking the time to gather this nice data! Looking at the calls, to me it looks like the module behaved as expected. Here are some thoughts:<br>
- all call durations were less under 1500 seconds, while your fraud rule is set to 3600 seconds, so it never got triggered.<br>
- the "calls-per-minute" rule worked! Your rule was set to max 6 cpm, thus calls #7 - #9 to prefix "810" were considered fraudulent (at 01:41), as the caller was starting to exceed this quota. The proper critical warnings were raised, calls blocked, emails sent.<br>
- the attacker now _learned_ about your 6 cpm limitation and _lowered_ his cpm to 3 during the following 10 hours (until 11:08), thus bypassing the cpm rate limiting, managing to place 21 fraudulent calls.<br>
It seems like the 21 successful fraudulent calls between 03:06 - 11:08 could _maybe_ have been avoided by setting a better value for "sequential-calls". This is a bit tricky though, as we also don't want to block calls of honest users because of false positives.<br>
Regards,<br>
Liviu Chircu<br>
OpenSIPS Developer<br>
</span><a style=" font-family:'courier new'; font-size: 12pt;" href="http://www.opensips-solutions.com">http://www.opensips-solutions.com</a><br>
<span style=" font-family:'times new roman'; font-size: 12pt;">On 11.11.2016 09:38, Denis wrote:<br>
</span><table>
<tr>
<td width=2 bgcolor= #3200ff><br>
</td>
<td><span style=" font-family:'times new roman'; font-size: 12pt;">Re: [OpenSIPS-Users] Fraud_detection module Hello, Liviu!<br>
<br>
OK, thank you.<br>
<br>
Additionally i will ask you to analyze one case.<br>
In attachment you can find a log of calls, which were made by one user some time ago (with the number 1234567). It`s a fraud.<br>
Also i attached a piece of opensips.cfg related to a fraud detection (see script.txt). When critical event triggered Opensips sends email to some address (see script.txt).<br>
<br>
As you can see in the call log, fraud began at 01:40 2016-10-01. Value of the field "sip_reason" "fraud_detected" means that fraud_module detects the fraud and a call was discarded by script logging (see script.txt)<br>
First email about that i received at 01:41 with fraud param " calls per minute".<br>
Next email i received only at 11:08 with fraud param "total calls".<br>
<br>
Between these two time stamps i have no emails about fraud, and as you can see from the call log, there were many successful calls in this period with "big" duration.<br>
<br>
Fraud_detection table had such content:<br>
profileid = 1<br>
prefix = 810<br>
start_hour = 00:00<br>
end_hour = 23:59<br>
daysoftheweek = Mon-Sun<br>
cpm_critical = 6<br>
call_duration_critical = 3600<br>
tatal_calls_critical = 30<br>
concurant_calls_critical = 30<br>
sequential_calls_critical = 5000<br>
<br>
The questions is:<br>
- Why module didn`t detect fraud based on "call duration"?<br>
<br>
Thank you.<br>
<br>
</span><a style=" font-family:'arial'; font-size: 10pt;" href="mailto:denis7979@mail.ru">mailto:denis7979@mail.ru</a><br>
<br>
<table bgcolor="#ffffff">
<tr>
<td width=2 bgcolor= #0000ff><br>
</td>
<td><span style=" font-family:'courier new'; font-size: 12pt;">Upon looking through the source code, it seems that calls_per_min / total_calls / concurrent_calls are also reset to 0 every time a new rule is matched, or if the day has changed since we last matched the current rule.<br>
I will make sure this info ^ is more easily accessible: either in a new tutorial section or the module doc.<br>
Regards,<br>
Liviu Chircu<br>
OpenSIPS Developer<br>
</span><a style=" font-family:'courier new'; font-size: 12pt;" href="http://www.opensips-solutions.com">http://www.opensips-solutions.com</a><br>
<span style=" font-family:'times new roman'; font-size: 12pt;">On 10.11.2016 16:29, Denis wrote:<br>
</span><table>
<tr>
<td width=2 bgcolor= #3200ff><br>
</td>
<td><span style=" font-family:'times new roman'; font-size: 12pt;">Re: [OpenSIPS-Users] Fraud_detection module <br>
</span><table>
<tr>
<td width=2 bgcolor= #0000ff><br>
</td>
<td><span style=" font-family:'times new roman'; font-size: 12pt;">Hello, Liviu!<br>
<br>
Thank you for your answer.<br>
<br>
About 2)<br>
<br>
"Calls per minute" - ok, but what about other parameters?<br>
For example, "total calls"?<br>
Suppose we have 09:00 - 17:00, Mon-Fri, and "total calls" = 30.<br>
If in Mon user makes 25 calls, on Tue since 09:00 counts of "total calls" begin from 0 or 25?<br>
<br>
</span><a style=" font-family:'arial'; font-size: 10pt;" href="mailto:d.putyato@ptl.ru">mailto:denis7979@mail.ru</a><br>
<br>
<table bgcolor="#ffffff">
<tr>
<td width=2 bgcolor= #0000ff><br>
</td>
<td><span style=" font-family:'courier new'; font-size: 12pt;">Hi, Deniz!<br>
Answers below.<br>
Regards,<br>
Liviu Chircu<br>
OpenSIPS Developer<br>
</span><a style=" font-family:'courier new'; font-size: 12pt;" href="http://www.opensips-solutions.com">http://www.opensips-solutions.com</a><br>
<span style=" font-family:'times new roman'; font-size: 12pt;">On 10.11.2016 15:18, Denis wrote:<br>
</span><table>
<tr>
<td width=2 bgcolor= #3200ff><br>
</td>
<td><span style=" font-family:'times new roman'; font-size: 12pt;">Re: Fraud_detection modul <br>
</span><table>
<tr>
<td width=2 bgcolor= #0000ff><br>
</td>
<td><span style=" font-family:'times new roman'; font-size: 12pt;">Hello!<br>
<br>
Opensips 2.2.1<br>
<br>
A couple of questions about fraud_detection:<br>
<br>
1) In documentation says "<span style=" font-size: 10pt; color: #666666;"><b>consecutive calls</b> to the same destination <span style=" font-size: 12pt; color: #000000;">". Same destination = same number, or prefix?</td>
</tr>
</table>
</td>
</tr>
</table>
<span style=" font-family:'courier new'; font-size: 12pt;">Same prefix, taken from the fraud detection rule <br>
</span><table>
<tr>
<td width=2 bgcolor= #6400ff><br>
</td>
<td><table>
<tr>
<td><span style=" font-family:'times new roman'; font-size: 12pt;">2) At the beginning of the next period, a counts of events begin 0?</td>
</tr>
</table>
</td>
</tr>
</table>
<span style=" font-family:'courier new'; font-size: 12pt;">The module uses a gliding window of 60 seconds, in order to keep track of "calls per minute". When changing time intervals, hence putting new thresholds in place, the "calls per minute" will not reset. In other words, when switching intervals, the new "calls per minute" thresholds will initially work with calls placed during the last minute when the old thresholds were in place. <br>
</span><table>
<tr>
<td width=2 bgcolor= #9600ff><br>
</td>
<td><table>
<tr>
<td><span style=" font-family:'times new roman'; font-size: 12pt;">3) is there any method to reset counts of events for certain user?</td>
</tr>
</table>
</td>
</tr>
</table>
<span style=" font-family:'times new roman'; font-size: 12pt;">Currently there is no way of doing this.<br>
<br>
</span><table>
<tr>
<td width=2 bgcolor= #c800ff><br>
</td>
<td><table>
<tr>
<td><span style=" font-family:'times new roman'; font-size: 12pt;">4) what is the value used to calculate duration in fraud_module, minutes or seconds?</td>
</tr>
</table>
</td>
</tr>
</table>
<span style=" font-family:'times new roman'; font-size: 12pt;">It should be "seconds", I will fix the misleading example in the tutorial. <br>
</span><table>
<tr>
<td width=2 bgcolor= #fa00ff><br>
</td>
<td><span style=" font-family:'times new roman'; font-size: 12pt;">______________________________________________ <br>
<span style=" font-family:'courier new';">Users mailing list<br>
</span></span><a style=" font-family:'courier new'; font-size: 12pt;" href="mailto:Users@lists.opensips.org">Users@lists.opensips.org</a><br>
<a style=" font-family:'courier new'; font-size: 12pt;" href="http://lists.opensips.org/cgi-bin/mailman/listinfo/users">http://lists.opensips.org/cgi-bin/mailman/listinfo/users</a></td>
</tr>
</table>
</td>
</tr>
</table>
</td>
</tr>
</table>
</td>
</tr>
</table>
</td>
</tr>
</table>
</td>
</tr>
</table>
</td>
</tr>
</table>
</td>
</tr>
</table>
</td>
</tr>
</table>
</body></html>