International Call Fraud Detection Systems and ...

International Call Fraud Detection Systems and Techniques Arif Bramantoro

Yousef Alraouji

Information System Department

Information System Department

College of Computer and Information Sciences

College of Computer and Information Sciences

Al-Imam Muhammad ibn Saud Islamic University

Al-Imam Muhammad ibn Saud Islamic University

Riyadh, Saudi Arabia

Riyadh, Saudi Arabia

Tel. +966-11-2581273

+966555129112

[email protected]

[email protected]

ABSTRACT In recent years, fraud in telecommunication industry becomes one of encumbrance for a telecommunication operator which is growing dramatically. It is befall a serious international problem for GSM and PSTN network service providers. It has undoubtedly become a significant source of revenue losses and bad debts to the telecommunication industry, and with the expected continuing growth in revenue it can be expected that fraud will increase proportionally. It has become an important reason of revenue losses in the industry of telecommunications. This study focuses on International call fraud detection system and its techniques. It proposes a new technique to detect fraud in international call by classification the CDRs for roaming subscribers. SIM Boxes (also known as GSM Gateways) causes important interconnect revenue losses for mobile operators by bypassing official interconnections which makes the operators lose millions of wholesale minutes. This research provides an algorithm to determine suspected fraud number. Even if ordinal CLI is unavailable, the solution can successfully track calls path. The proposed algorithm enables telecommunication operators to apply fraud detection solution at minimum cost of operation. There are two main parts of study. The first one is theory of fraud in telecommunication operators, fraud management system and its techniques. The second one is implemented solution to detect fraud in international call.

Categories and Subject Descriptors H.2.8 [Database Applications]: Data mining

General Terms Algorithms, Management, Measurement, Performance, Design, Experimentation, Verification.

Keywords Fraud, telecommunication, Fraud detection, algorithm, SIMbox.

1. INTRODUCTION Fraud exist since humanity itself, But it can take new techniques from fraudster and unlimited variety of forms. It take place in many areas, for instance, telecommunication fraud, credit card fraud, cyberspace transaction fraud, electronic cash machine fraud, insurance fraud and healthcare fraud, money laundering,

intrusion into computers or computer networks. The process of detecting fraudster is usually same for the mentioned areas . There are differences between fraud and revenue leakage. Revenue leakage refers to loss of revenues because of operational or technical loopholes, for that the losses may normally can recover when the causes is discovered and usually discovered by applying new audit controls or enhance the build procedures. While fraud means theft by deception, usually characterized by evidence of intention, for that fraud losses usually cannot recovered and the fraud cause often can be detected by analysis data by applying some rules over calling patterns . A survey conducted by Communications Fraud Control Association and mentioned that $72-$80 billion in loss of revenue in worldwide telecommunication is due to fraud [1] referring to CFCA, 2009. While some of operators have created powerful, Fraud Management Systems (FMS) to minimize fraud effect in revenue lose, but others haven't covered a lot of fraud cases because the FMS not created yet. On the other hand there are only about ten present of worldwide operators conducting effective and sensible fraud strategies according to Forum for International Irregular Network Access (FIINA) [2]. Recently The Telecommunications UK Fraud Forum (TUFF) estimates that the telecommunications industry in United Kingdom only suffered losses of around £953 million in 2011, which decreased of 2 per cent from the previous year. Figures are based on an average loss of 2.4 per cent against total operator reported revenue of £39.7 billion. [3] The main causes of fraud crime are new technology complexity, employees dissatisfaction, system operation weaknesses, Immaturity business models, criminal greed, money laundering and political and ideological factors [4]. The general objective from research to overview the fraud cases in telecoms companies that may affect revenue or effect service provided to their customer Fraud is still serious worldwide problem for telecom services even with improvement in security technology in general. Even with development that enhanced some capabilities and cover known fraud cases, fraudsters have been agile enough to find alternative techniques that difficult enough to detection with current technologies, so there is great need of high awareness in facing fraud phenomena.

The second important thing in this research is focusing on new fraud cases that indirect effect telecom operator by illegal sharing revenue in international call. Moreover there are lack in studies that focus on fraud generally and fraud detection in communications mainly in the Arab countries. Impact of fraud losses is still continuing virtually in business enterprise although the solutions of fraud detection in continuous development , the fraud loss continuous is to consider a significant problem to many fields like many finance, insurance, health care, internet merchants, brokerage and securities, and many other, about the cost of fraud in the telecom companies can only be estimated due to operators are reluctant to admit to fraud or are not actively looking for fraudulent accounts in the bad debt [5] The Specific objectives of this research to provide fraud management techniques that help telecoms companies to enhancing the current systems with in order to Increase income of international call, Increase Customer satisfactions. Minimizing the depending on third party information to detect International fraud and Building International fraud solution in order to stop loose in revenue by applying algorithms to detecting fraud in international calls.

2. STATE OF THE ART In the literature there are numerous of definitions of fraud, from the subscriber prospective the intention of subscriber has a central role. Johnson defines fraud as any transmission of voice data though a telecom network, where the intent of the user is to avoid or reduce legitimate call charges Johnson as cited in [6]. Also, Davis and Goyal define fraud as gaining unbuildable services and nude-served fees as cited in [7]. Moreover another definition of Telecommunication fraud is provided by Gosset and Hyland (1999) and cited by Hilas in [8] they defined fraud as “any activity by which Telecommunications service is obtained without intention of paying". In other hand, Hoath considers fraud as attractive from fraudster's point of view, since detection risk is low, no special equipment is needed, and product in question is easily converted to cash as cited [6]. Although the term has meaning fraud, especially in the legislation, and the term is used broadly to mean the creation or misuse intention or dishonest or improper conduct without means any legal consequences. There is numerous researcher wrote about how to detect fraud. But many writers, such as Bologna and Lindquist (1995)[9], state that the prevention should take precedence over the detection. The authors imply by fraud prevention establishing a work environment that values sincerity. The work environment includes people who are hired in this area; the paying for them should be competitively, deal with them in fair, and providing a harmless and protected workplace. A Study conducted by Barson in [10] and Hilas and his colleagues [8] in telecom fraud field, Dorronsoro in [11] in credit card fraud in banking field and Fanning and his colleague [12], Green and his colleague [34] and Kirkos and his colleagues [13] in financial statement fraud in finance field Elmi and colleagues [14] in telecom field . These researcher applied neural network technology for fraud detection in different cases. A vague neural network applied by Chiang and his colleagues [15], in the domain of financial reporting fraudulent. A combination of neural nets

and rules is applied in two research conducted by Brause and his colleagues [16] and Estevez and his colleagues in [17]. Using vague rules latter, where the use of the previous rules of traditional association. In addition He and his colleagues in [18] use neural networks in multi layer observation network in the supervise module of their research study and Kohonen [19] that provides a self association maps for in order to managed uncontrollable parts. Brockett and his colleagues in [20] apply self organizing feature maps which shape of neural network technology in order to uncover fake claims in automobile insurance domain. In methodological paper to detect credit card fraud In a associated field of Viaene for fraud in automobile insurance, Bermudez his colleagues [21] provide an Asymmetrical or skewed logic relation in order to in shape a fraud database from insurance market in Spain. Thereafter they developed Bayesian analysis of this model. Major and Riedinger [22] provide fraud detection tools customized for medical insurance. They developed a hybrid of knowledge and statistical based system the power come when statistical power incorporated with expert knowledge. An additional example of integrating different techniques can observe in Fawcett and his colleague [23] work. They use a set of techniques in data mining field in order to detecting mobile cloning in telecommunication industry. It is an efficient technique In particular, when a rule-learning program used to discover evidence by mining customer behavior in a massive database that contains customer transactions and customer information in order to detect fraudster's behavior. From the fraud rules that have been generated, some of rules made to be monitored. These groups of observers determine legitimate customer behavior and indicate anomaly behavior. The monitor's output jointly with labels on an account's preceding daily behavior. These observing data used as training data for Linear Threshold Unit (LTU). The LTU learns to join indication to create high-confidence alerts. The above described method is an example of a hybrid between monitoring and learning techniques which is combined to improve capability of fraud detection. Also Farvaresh and colleagues in [24] provides a data mining framework for detecting subscription fraud in telecommunication they applied a hybrid approach consisting of preprocessing, clustering, and classification. In an additional effort for Fawcett Fawcett and his colleague [25], they find the monitoring activity provided as a separate problem class surrounded by data mining with a unique framework. They illustrate how this framework used through other things for mobile fraud detection .

3. METHODOLOGY The applied methodology to achieve this paper adopting following techniques: study the background about fraud in telecommunication business, over view the most popular solution exist in the market to overcome this phenomena .Discuss the solution proposed from some vendors to preformed international test call that hits the home operator network to detect suspected fraudster number. Implement CDRs classification solution in order to detect fraud cases in international call. Finally obtain a real data set from one of telecommunication operator in Kingdom of Saudi Arabia to validate the proposed solution and make sure it can successful to overcome this kind of fraud by utilizing the home network data .In the following section illustrate the

international call fraud detection system s that provided by researcher to classify roaming CDRs.

3.1 Solution in High Level Design The International Call fraud detection system (ICFDS) will receive Call detail record (CDRs) for international roamer that received from clearing house (settlement System to exchange roamers CDRs between telecom companies)CDR Format (Caller Number, called number, date, Timestamp, Duration) As rules any call originated by international roamers and terminated in customer home country International Gate Way (IGW) should generate CDR for international carrier Billing system .IGW CDR Format (Caller Number, called number, date, Timestamp, Duration, incoming trunk).The system will check if the call exists in IGW stream then call classification will be legitimate call. In case the call not exist in IGW stream, The system will check if the call exists in retail billing (the CDRs generated by national switches)in this case the call will be classified as fraud case and the fraudster using SIM card owned by the same customer company. National switch CDR Format (Caller Number, called number, date, Timestamp, Duration) In case the call not exist in IGW stream and retail billing. The system will check if the call exists in national carrier billing system (the CDRs generated by national switches and CDR contains national trunk group ID) then the call will classified as fraud case and the fraudster use other local operator SIM card. National carrier billing system CDR Format (Caller Number, called number, date, Timestamp, Duration, trunk group ID).

3.3 Data Pre-Processing The data obtained have a lot of quality issues. Like number of columns was huge and a lot of files not actually needed for prove of concept .therefore researcher develop some program to load data to Oracle database. Then run some queries to solve some data quality issues .first issue was in call timestamps was not unified length and to remove some additional data (.000000) here is sample from original data set timestamp format (Some of Records coming like 2014-03-01 9:40:23.000000 PM and another like2014-02-28 10:07:59.000000 PM). The data after processing been as (2014-02-28 10:07:59 PM and 2014-03-01 09:40:23 PM).the second issue was in Duration field the field was come with not valuable dot like (139. Sec) we convert it to number as (139) in order to simplify the comparisons. These issues were in all datasets. Moreover the Anumber (Caller number) and Bnumber (called number) comes in different format like (+966) or (00966) or without county code so we have unified format as (966) in all datasets. Moreover the research taking Privacy issues in consideration. For that we change the last 3 digits in Anumber and Bnumber with XXX and the two digits In the middle with XX in order to sustaining high level of telecommunication customer's privacy.

Table 1. Roaming CDRs sample statistics

4. IMPLEMENTATION Figure 1. Solution in different layers

3.2 Data Collection Methodology In order to collect the data that needed for this search project , the secondary resources used to collecting data such as journals, books, statistics, academic paper ,white papers and web pages. Moreover the preliminary resources is used to collect Data that's surly not available in secondary resources through obtaining real sample date from one of the local telecom operators in kingdom of Saudi Arabia. The Roaming data calls collected in 28th of February for targeted sample from roaming CDRs Streams. The selection criteria were caller number and call date. For all other datasets the data collected in 3 days period (27th February to 1st March) in order to overcome the time zone issues in roaming call.

In order to demonstration the proposed solution for detecting fraud in incoming international call the researcher use a lot of technology. Oracle database will be used to accommodate the sample data that has been cleansing to be ready for testing purpose. There are 9 tables created to be user in proof of concept 7 table created to load samples CDR data from each source system. The CDR_CLASSIFIER_R table created to save the result of classification. In deed this table filled by stored procedure and used for reporting the result to system users. The ninth table called ROAMER has information about roamer like the customer number and country roam, actually this table used as reference. The logic of classification has been built by stored procedure. The first obstacle of comparing were difference in time stamp between CDRs that received from clearing house and the CDRs that’s collected for the home network elements. We solve the issue by shifting time stamp to be able compared with home

network element CDRs in the code below illustrate how the timestamp shifted.

Figure 2. Piece of code describe Timestamp Shifting

Step 2: Shift Timestamp in VTIMESTAMP variable based on county name in VCOUNTY variable to be comparable with Timestamp that’s generated by home network Step 3: Check if the call exists in NICT table the condition is (BNUMBER Equal VBNUMBER and DURATION Equal VDURATION and TIMESTAMP Equal VTIMESTAMP) with consideration of slight difference in Timestamp and Duration

The time zone deference between home network county and customer roaming in Afghanistan is one and half hour so the time shifted by minus 1.5 from the actual time stamp .in next IF statements when the roamer in Bahrain the Timestamp not shifted because the time zone is same as home county network. In case the roamer in roam Pakistan the time shifted by minus 2 hours from the actual timestamp. Farther more the time stamp shifted by minus 2.5 from the actual timestamp in case the customer roam in India. In case the roamer in roam Egypt the time shifted by plus 1 hour from the actual timestamp. Finally if the roamer roam in UK the time shifted by plus 3 hours from the actual timestamp.

Step 4: In case the call exists in NICT table assign (Y) in VIN_ICT variable as flag, if not the call not exist in NICT table assign (N) in VIN_ICT variable

The second obstacle in classifying the CDRs their slight difference in call duration in some cases between Clearing house CDRs (Roam CDRs) and home network CDRs. The deference is normal because the every data network elements have special methodology to calculate duration. While our objective to detect the fraud cases in call we find method to overcome the mentioned obstacle by accept the slight difference. We are accept up to 8 seconds of difference, which means if any record Roam CDR is matched with another record in home network CDRs and the difference Equal or less than 8 Second we consider it matches.

Step 7: Check if the call exists in NIGW table the condition is (BNUMBER Equal VBNUMBER and DURATION Equal VDURATION and TIMESTAMP Equal VTIMESTAMP) with consideration of slight difference in Timestamp and Duration

The last obstacle in classifying the CDR also slight difference in timestamps in some cases between Clearing house CDRs (Roam CDRs) and home network CDRs. The deference is normal because the Network Time Server is different between the home network and the call generation network (the network that’s has been used by roamer). Therefore we accept 60 second difference in timestamps. In fact 240 second difference is accepted in real business analysis report in order to reconcile to data set from two different telecom networks. So 60 second is justified and accepted in our sample data sets. The below piece of code illustrate how we overcome the two above obstacles

Figure 3. Piece of code describe how difference in duration and Timestamp accepted. As mentioned above Oracle PLSQL has been created to classify the roamer CDRs. the main objective of stored procedure to read every record in ROAMCDR Table and check if the call appears in any one of home network CDRs there are the results of check and suspected number stores in CDR_CLASSIFIER_R table. The scenario and steps of stored procedure illustrated in below paragraph.

4.1 Algorithm for CDR Classification Step 1: Fetch statement to assigning record to variables (VANUMBER, VBNUMBER, VDURATION, VTIMESTAMP, VCOUNTRY_CODE, VCOUNTRY)

Step 5: Check if the call exists in NITU table the condition is (BNUMBER Equal VBNUMBER and DURATION Equal VDURATION and TIMESTAMP Equal VTIMESTAMP) with consideration of slight difference in Timestamp and Duration Step 6: In case the call exists in NITU table assign (Y) in VIN_ITU variable as flag, if not the call not exist in NITU table assign (N) in VIN_ITU variable

Step 8: In case the call exists in NIGW table assign (Y) in VIN_IGW variable as flag, if not the call not exist in NIGW table assign (N) in VIN_IGW variable Step 9: Check if the call exists in NMSC table the condition is (BNUMBER Equal VBNUMBER and DURATION Equal VDURATION and TIMESTAMP Equal VTIMESTAMP) with consideration of slight difference in Timestamp and Duration Step 10: In case the call exists in NMSC table assign (Y) in VIN_MSC variable as flag, if not the call not exist in NMSC table assign (N) in VIN_MSC variable Step 11: Check if the call exists in NNGN table the condition is (BNUMBER Equal VBNUMBER and DURATION Equal VDURATION and TIMESTAMP Equal VTIMESTAMP) with consideration of slight difference in Timestamp and Duration Step 12: In case the call exists in NNGN table assign (Y) in VIN_NGN variable as flag, if not the call not exist in NNGN table assign (N) in VIN_NGN variable Step 13: Check if the call exists in NNSN table the condition is (BNUMBER Equal VBNUMBER and DURATION Equal VDURATION and TIMESTAMP Equal VTIMESTAMP) with consideration of slight difference in Timestamp and Duration Step 14: In case the call exists in NNSN table assign (Y) in VIN_NSN variable as flag, if not the call not exist in NNSN table assign (N) in VIN_NSN variable Step 15: In case the call not exist in (NICT,NITU and NIGW) which is source for wholesales billing and exist in one of (MSC,NGN or NSN) which is retail billing source retrieve ANUMBER from Retail billing source and assigning it as value of Suspected variable as suspected number Step 16: Insert the record that's fetched in step 2 plus the information that’s obtained in steps (5, 7, 9, 11, 13, 15 and 16)

Step 17: Loop back to step 2 and repeat all steps until finishing all record s in cursor

4.2 Decision Tree In deed this decision tree is extracted from the algorithm that we build in the stored procedure. We use this decision tree to visualize the algorithm so that readers can easily understand the process of identifying the fraud.

Figure 1. Decision Tree

The below screen shot illustrate the result of classification for each record of roaming CDRs the check result added for each source system "Y" means the call exist in the source while 'N' means the call not exist in source. In the last column in the table the final result of classification 'Normal' means the call received through proper path while 'Not Found' means the call not found in all sources. In case the call received through improper path the suspected number shown in this column with hyper link for more details witch give the user all call that originated by suspected number.

Figure 2. The result of classification for each record of roaming CDRs

5. EVALUATION We have built some screens in JSP in order to see and evaluate the implemented stored procedure. The system consist fourteen developed pages the main result illustrated in the below screenshot.

The blow screen shot shows all calls that originated by suspected number .the calls indeed fraud cases not detect directly from ICFD system. The page will shown when user click on suspected number in the previous page

Figure 4. All calls that originated by suspected number

Figure 3. Main Result

Figure 5. Running Decision Tree on the data.

6. RESULT AND DISCUSSION The result of implemented solution illustrate that fraud in international call can be detected by classification the roaming CDRs. The system successfully classifies 25 CDRs and found one suspected number which is 9665XX543XXX. There are five voice calls not found in all source data, but this is normal issue because the CDR may not be collected from network elements when the sample data collected. Also there are 61 Roaming CDRs not found because the source data not collected during sample data. The source for these kinds of CDRs can be collected from Short Message Service Center (SMSC) for SMS and from Multimedia Message Service Center (MMSC) for MMS. In deed these sources is not included in project because the researcher concentrates on voice call rather than MMS and SMS CDRs. The below table contains the statistical information about classification report.

Table 1. Statistical Classification report

Furthermore we find that there are same data in two of our sample data. The ITU and IGW data sets has same number of records and also same call duration for all CDR. This symmetry of these two source give indication to exclude one of these source in order to enhance system performance. The below table illustrate the symmetry of these two source systems.

Table 2. Symmetry of two source systems

The suspected number originate 53 seconds call duration for that call from originally originated by roaming customer this call not appear on any one of wholesales Billing system (ITU, ICT and IGW). This means that call terminated as local call rather than international call. In this call the home network cannot earn international call termination fees from international operator. In other hand the same suspected number bypass anther two calls to different customers on home network. These results obtained by search on the retail billing system dataset and collect any call originated by the suspected number. The below table illustrate the call generated by suspected number. Table 3. Call generated by suspected number

Based on above find cases there are around 1% of calls in MSC dataset. The total records in this dataset 297 records. According to result there are three calls has been detected as fraud cases. The suspected number owned by the home network. Therefore it easy for home network to decide if it is really case of fraud and take the optimal process to deal with number as per company internal process in such case. According to proposed algorithm decision tree the suspected number fall in this path the CDR exist in Roaming CDRs But for sure it is not exist in ITU, ICT and IGW. While it was exist in MCS CDRs that means the suspected number belong to home network subscriber. The figure 5 illustrates the path of decision tree. In order to validate the result of developed system check if the suspected number answering the any call in all data dataset. The result of check was support our assumption, because the suspected number not receiving any call in any one of collected sources datasets. According to proof of concept the proposed solution achieve the company goals by detecting the home network subscribers how use the service that provided to him in immoral behavior. Moreover the proposed solution can be applied easily and not depending on third party information or even help in detection. Also when we comparing proposed solution with other solutions in market, we can see our solution not need to generate test call from other country in order to check the call path and detect suspected numbers. While ICFD solution utilize the call generated by home network subscribers how roam in other international operator are in order to reduce cost of fraud detection solution. On other hand the proposed solution may need move powerful machined to handle massive number of recorded that need to classify to detect fraud cases, however the benefits will be more than cost of processing power needed. Another issue can be weakness of proposed solution which is time period between call generation and CDRs arrive from clearing house CDR settlements, actually there are two types of agreements to deliver CDRs between operators. The first is near real time which is take

maximum four hour from event occur to send CDR through clearing house to the home network company ,the second agreement can be delay CDR for more than one day . However the mentioned agreement can affect the postpaid subscriber CDR but prepaid CDR can be collect from intelligent network in order to overcome this weakness. Moreover it is enough to depend on real time agreement to detect suspected number in shortest time.

7. CONCLUSION The paramount purpose of this study was to determine one the most importance of methods to minimize revenue leakage in telecommunication industry. In order to complete this goal we are working on prerequisite goals. Determining what fraud in telecommunication means and how that ideal is related to field of information technology as we study the importance during the literature review conducted for this study. Related to that effort, it became necessary to over new solution to close the gap of leakage in international call revenue due to fraud. To propose our solution we provide an overview about the existing solutions in this field which is fraud management systems in general the most important systems ROC from Subex and RAID from WEDO technology not capable to detect fraud in international call without depending on Third Party Company. On other hand other solutions depends of test call generation in order to detect this kind of fraud. Therefore the solutions that proposed by vendors is very costly for telecommunication operators and has limited number of test calls. The main cost from test call generation because the telecom operators should pay for every test call. In proposed solution we proved that possibility of detecting this kind of fraud by utilizing the operator information in order to detect fraud in international call. As we shown in the solution it depends on home network subscribers whom roam in other countries in order to verify the call path by CDRs Classification. This method will reduce the cost of operation fraud detection in practical of test call generation. It was important to develop a new model with the ability to cover the entire operations of fraud in the incoming international calls to minimize the revenue loss as result of revenue share with the fraudster. In order to achieve our goal we build our logic in real data from one of telecom operators. Moreover we provide decision tree to classify call into normal and fraud call. As a result of implementation we found three call of fraud in one of obtained data sets. The study emphasized that there is about 1% of calls based on sample data falls on fraud domain.

8. FUTURE WORK The fraud in telecommunication actually is fertile environment for research because the methods of fraud are change from time to time. Therefore we recommend expanding this research to involve fraud in SMS and MMS service in same concept of detecting calls. Also there are significant domains of international call revenue sharing fraud which is leads by international operators in order to get advantages of call routing by changing CLI to hide the real source of the call. Moreover it is very important to apply our method of detecting fraud in international call in big sample of real data to detect all fraud sources whether in home network and in other local operators.

9. REFERENCES [1] 1.F. Li, N. Clarke, M. Papadaki, and P. Dowland, “Misuse detection for mobile devices using behaviour profiling,” International Journal of Cyber Warfare and Terrorism (IJCWT), vol. 1, no. 1, 2011, pp. 41-53. [2] 2.R. Shelton, “The Global Battle Against Telecom Fraud,” 2003. [3] 3.OFCOM, “Communications Market Report 2012 Visted in 2014/2/23 http://stakeholders.ofcom.org.uk/binaries/research/cmr/cmr1 2/CMR_UK_2012.pdf,” Ofcom’s ninth annual Communications Market Report., 2012. [4] 4.S.BROWN, “TELECOMMUNICATION FRAUD MANAGEMENT,” White Paper, 2005. [5] 5.P.R. Bhandary, and S.S. Bhat, “Finanacial performance of top 4 Indian telecom companies: A comparative study,” EXCEL International Journal of Multidisciplinary Management Studies, vol. 3, no. 5, 2013, pp. 137-144. [6] 6.J. Hollmton, User profiling and classification for fraud detection in mobile communications networks, Helsinki University of Technology, 2000. [7] 7.C.W. Davia, kastintin, “Accountant's Guide to Fraud Detection and Control,” Johwiley&son, 2000. [8] 8.C.S. Hilas, and P.A. Mastorocostas, “An application of supervised and unsupervised learning approaches to telecommunications fraud detection,” Knowledge-Based Systems, vol. 21, no. 7, 2008, pp. 721-726. [9] 9.B.a. Lindquist, “Fraud Auditing and Forensic Accounting : New Tools andTechniques.second edition ” Wiley & Sons, 1995. [10] 10.P. Barson, S. Field, N. Davey, G. McAskie, and R. Frank, “The detection of fraud in mobile phone networks,” Neural Network World, vol. 6, no. 4, 1996, pp. 477-484. [11] 11.J.R. Dorronsoro, F. Ginel, C. Sgnchez, and C.S. Cruz, “Neural fraud detection in credit card operations,” Neural Networks, IEEE Transactions on, vol. 8, no. 4, 1997, pp. 827-834. [12] 12.K.M. Fanning, and K.O. Cogger, “Neural network detection of management fraud using published financial data,” International Journal of Intelligent Systems in Accounting, Finance & Management, vol. 7, no. 1, 1998, pp. 21-41. [13] 13.E. Kirkos, C. Spathis, and Y. Manolopoulos, “Data mining techniques for the detection of fraudulent financial statements,” Expert Systems with Applications, vol. 32, no. 4, 2007, pp. 995-1003. [14] 14.A.H. Elmi, S. Ibrahim, and R. Sallehuddin, “Detecting SIM Box Fraud Using Neural Network,” IT Convergence and Security 2012, Springer, 2013, pp. 575-582. [15] 15.D.-A. Chiang, Y.-F. Wang, S.-L. Lee, and C.-J. Lin, “Goal-oriented sequential pattern for network banking churn analysis,” Expert Systems with Applications, vol. 25, no. 3,

Permission to make digital or hard copies of all or part of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. To copy otherwise, or republish, to post on servers or to redistribute to lists, requires prior specific permission and/or a fee. MEDES’13, October 29-31, 2013, Neumünster Abbey, Luxembourg. Copyright © 2013 ACM 978-1-4503-2004-7...$10.00.

2003, pp. 293-302. [16] 16.R. Brause, T. Langsdorf, and M. Hepp, “Neural data mining for credit card fraud detection,” Tools with Artificial Intelligence, 1999. Proceedings. 11th IEEE International Conference on, IEEE, pp. 103-106. [17] 17.P.A. Estevez , C.M. Held, and C.A. Perez, “Subscription fraud prevention in telecommunications using fuzzy rules and neural networks,” Expert Systems with Applications, vol. 31, no. 2, 2006, pp. 337-344. [18] 18.H. He, J. Wang, W. Graco, and S. Hawkins, “Application of neural networks to detection of medical fraud,” Expert Systems with Applications, vol. 13, no. 4, 1997, pp. 329336. [19] 19.T. Kohonen, “The self-organizing map,” Proceedings of the IEEE, vol. 78, no. 9, 1990, pp. 1464-1480. [20] 20.P.L. Brockett, X. Xia, and R.A. Derrig, “Using Kohonen's self-organizing feature map to uncover automobile bodily injury claims fraud,” Journal of Risk and Insurance, 1998, pp. 245-274. [21] 21.L. Bermudez , J.M. Perez, M. Ayuso, and E. Gomez, “A Bayesian dichotomous model with asymmetric link for fraud in insurance,” Insurance: Mathematics and Economics, vol. 42, no. 2, 2008, pp. 779-786. [22] 22.J.A. Major, and D.R. Riedinger, “EFD: A Hybrid Knowledge/Statistical-Based System for the Detection of Fraud,” Journal of Risk and Insurance, vol. 69, no. 3, 2002, pp. 309-324. [23] 23.T. Fawcett, and F. Provost, “Adaptive fraud detection,” Data mining and knowledge discovery, vol. 1, no. 3, 1997, pp. 291-316. [24] 24.H. Farvaresh, and M.M. Sepehri, “A data mining framework for detecting subscription fraud in telecommunication,” Engineering Applications of Artificial Intelligence, vol. 24, no. 1, 2011, pp. 182-194. [25] 25.T. Fawcett, and F. Provost, “Activity monitoring: Noticing interesting changes in behavior,” Proceedings of the fifth ACM SIGKDD international conference on Knowledge discovery and data mining, ACM, pp. 53-62.