[go: up one dir, main page]
More Web Proxy on the site http://driver.im/

WO2012057601A1 - Voice over internet protocol monitoring system and method - Google Patents

Voice over internet protocol monitoring system and method Download PDF

Info

Publication number
WO2012057601A1
WO2012057601A1 PCT/MY2010/000230 MY2010000230W WO2012057601A1 WO 2012057601 A1 WO2012057601 A1 WO 2012057601A1 MY 2010000230 W MY2010000230 W MY 2010000230W WO 2012057601 A1 WO2012057601 A1 WO 2012057601A1
Authority
WO
WIPO (PCT)
Prior art keywords
network
packets
data
call
packet
Prior art date
Application number
PCT/MY2010/000230
Other languages
French (fr)
Inventor
Husniza Razalli
Mohd Daud Jaafar
Abdul Razif Tamrin
Ahmad Fuad Mohamed Bandi
Hermiewan Hamdan
Sahirman Abdullah
Azmirul Hamzah Nor Hamzah
Suriah Hasan
Mazlan Burhanudin
Azliza Mat Seden
Original Assignee
Telekom Malaysia Berhad
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Telekom Malaysia Berhad filed Critical Telekom Malaysia Berhad
Priority to PCT/MY2010/000230 priority Critical patent/WO2012057601A1/en
Publication of WO2012057601A1 publication Critical patent/WO2012057601A1/en

Links

Classifications

    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L43/00Arrangements for monitoring or testing data switching networks
    • H04L43/18Protocol analysers
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L65/00Network arrangements, protocols or services for supporting real-time applications in data packet communication
    • H04L65/1066Session management
    • H04L65/1083In-session procedures
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04MTELEPHONIC COMMUNICATION
    • H04M15/00Arrangements for metering, time-control or time indication ; Metering, charging or billing arrangements for voice wireline or wireless communications, e.g. VoIP
    • H04M15/41Billing record details, i.e. parameters, identifiers, structure of call data record [CDR]
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04MTELEPHONIC COMMUNICATION
    • H04M15/00Arrangements for metering, time-control or time indication ; Metering, charging or billing arrangements for voice wireline or wireless communications, e.g. VoIP
    • H04M15/43Billing software details
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04MTELEPHONIC COMMUNICATION
    • H04M15/00Arrangements for metering, time-control or time indication ; Metering, charging or billing arrangements for voice wireline or wireless communications, e.g. VoIP
    • H04M15/55Arrangements for metering, time-control or time indication ; Metering, charging or billing arrangements for voice wireline or wireless communications, e.g. VoIP for hybrid networks
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04MTELEPHONIC COMMUNICATION
    • H04M15/00Arrangements for metering, time-control or time indication ; Metering, charging or billing arrangements for voice wireline or wireless communications, e.g. VoIP
    • H04M15/56Arrangements for metering, time-control or time indication ; Metering, charging or billing arrangements for voice wireline or wireless communications, e.g. VoIP for VoIP communications
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04MTELEPHONIC COMMUNICATION
    • H04M15/00Arrangements for metering, time-control or time indication ; Metering, charging or billing arrangements for voice wireline or wireless communications, e.g. VoIP
    • H04M15/80Rating or billing plans; Tariff determination aspects
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04MTELEPHONIC COMMUNICATION
    • H04M15/00Arrangements for metering, time-control or time indication ; Metering, charging or billing arrangements for voice wireline or wireless communications, e.g. VoIP
    • H04M15/80Rating or billing plans; Tariff determination aspects
    • H04M15/8044Least cost routing
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04MTELEPHONIC COMMUNICATION
    • H04M15/00Arrangements for metering, time-control or time indication ; Metering, charging or billing arrangements for voice wireline or wireless communications, e.g. VoIP
    • H04M15/80Rating or billing plans; Tariff determination aspects
    • H04M15/8044Least cost routing
    • H04M15/8055Selecting cheaper transport technology for a given service
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/14Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1408Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/14Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1441Countermeasures against malicious traffic
    • H04L63/1466Active attacks involving interception, injection, modification, spoofing of data unit addresses, e.g. hijacking, packet injection or TCP sequence number attacks

Definitions

  • the field of the invention is monitoring of voice over internet protocol (VOIP) traffic on a network.
  • VOIP voice over internet protocol
  • VOIP voice over internet protocol
  • VOIP can be used as a substitute for traditional circuit switched telecommunications for one or more legs of a call between two parties .
  • VOIP may be used for an international leg of a telephone call. Regulations may exist regarding the use of such techniques and charging for services utilising such techniques.
  • a voice over internet protocol (VOIP) monitoring system comprising a processor adapted to receive IP packet data of internet protocol (IP) packets copied from
  • IP network communication to and from a media gateway interconnecting the IP network and a telecommunication network, and analyse the received IP packet data to identify any IP packet corresponding to a call data record (CDR) of telecommunication network traffic interconnected between the IP network and the telecommunication network via the gateway.
  • CDR call data record
  • VOIP voice over internet protocol
  • monitoring method comprising the steps of:
  • IP internet protocol
  • processor to identify any IP packet corresponding to a call data record (CDR) of telecommunication network traffic interconnected between the IP network and the telecommunication network via the gateway.
  • CDR call data record
  • the processor analyses the IP packet data to identify, for further analysis, IP packets having a seize time that matches a CDR of the gateway, including a called number and indicating a complete call transaction.
  • the system can further comprise a network tapper adapted for connection in the internet protocol network between the media gateway and a router to copy internet protocol (IP) packets being transmitted between the media gateway and the router.
  • IP internet protocol
  • the system can further comprise a network analyser in data communication with the network tapper and adapted to identify copied IP packets meeting at least one specified criterion and providing IP packet data of the identified IP packets to the processor.
  • a network analyser in data communication with the network tapper and adapted to identify copied IP packets meeting at least one specified criterion and providing IP packet data of the identified IP packets to the processor.
  • the specified criterion can include any one or more of: IP address, range of IP addresses or packet protocols.
  • the network analyser can be further adapted to convert data of the identified IP packets into standardised format data records .
  • the standardised format data records have a call data record format.
  • IP packets Destination and origination IP addresses of identified IP packets can be analysed. Identified IP packets can be analysed to identify content patterns in IP packet content data.
  • the method can further comprise the steps of:
  • the above method can further comprise the step of
  • the system can further comprise a processing engine adapted to compare a CDR generated for the test call with the constructed CDR for the test call to identify whether unauthorised activity has occurred. Unauthorised activities to be identified can include any one or more of call rebadging, traffic rebadging, number tampering and interconnect bypass.
  • the processor is in data communication with the network analyser via a communication network.
  • the communication network can be a wide area network (WAN) .
  • WAN wide area network
  • VOIP voice over internet protocol
  • monitoring system comprising:
  • a network tapper adapted for connection in the internet protocol network between the media gateway and a router to copy internet protocol (IP) packets being transmitted between the media gateway and the router; and a network analyser in data communication with the network tapper and adapted to identify copied IP packets meeting at least one specified criterion.
  • IP internet protocol
  • the specified criteria can include any one or more of: IP address, range of IP addresses or packet protocols.
  • the network analyser can be further adapted to convert data of the identified IP packets into standardised format data records .
  • the standardised format data records have a call data record format .
  • the network analyser can be further adapted to provide IP packet data of the identified IP packets via a
  • the communication network can be a wide area network
  • IP monitoring comprising the steps of: copying internet protocol (IP) packets transmitted between a media gateway and a router using a network tapper;
  • IP internet protocol
  • This method can further comprise the step of converting data of the identified IP packets into standardised format data records .
  • This method can further comprise the step of analysing data from IP packets meeting any one or more specified criterion, by a processor, to identify any IP packet corresponding to a call data record (CDR) of
  • Figure 1 is an example of an embodiment of a system according to an embodiment of the present invention.
  • FIG. 2a is a flowchart of an example of capturing IP packets in accordance with an embodiment of the present invention.
  • Figure 2b is a flowchart of an example of analysing captured IP packets in accordance with an embodiment of the present invention.
  • Figure 3 is an example of a system for making test calls in accordance with an embodiment of the present invention.
  • Embodiments of the present invention provide a method and system for analysing voice over internet protocol (VOIP) packets, to identify packets which may provide indicators of illegal or unauthorised activity.
  • VOIP monitoring is performed by analysing IP packet data of internet protocol (IP) packets copied from communication to and from a media gateway interconnecting the IP network and a
  • IP internet protocol
  • the IP packet data is analysed to identify any IP packet corresponding to a call data record (CDR) of telecommunication network traffic
  • the IP packets for analysis can be copied using a network tapper 100 provided in the network between a media gateway 102 for providing interconnection to a telecommunication network 110 and a router 104 for routing IP traffic between the gateway 102 and the wider IP network 112.
  • the network tapper 100 copies IP packets transmitted between the media gateway 102 and the router 104. Copies of the IP packets can be provided directly to the processor for analysis. Alternatively, the copied IP packets can be filtered before analysis.
  • a network analyser 106 is provided to filter the coped IP packets in accordance with specified criteria. Copies of the IP packets can be provided to the network analyser 106 which identifies packets meeting specified any one or more specified criterion. In some embodiments the network analyser converts the identified IP packets into standardised format data for analysis. The data can then analysed by the processor 108 to identify packets that may include indicators of illegal activity for further analysis. In particular this method can be used to acquire evidence of number tampering or call rebadging activity.
  • VOIP Voice over IP
  • a user makes a
  • a user may communicate with another party directly via a data network using VOIP, for example using SKYPE or another VOIP service.
  • VOIP a data network
  • a user may make a telephone call to a VOIP service provider number for making a call to a called number using VOIP.
  • a user can call, via a regular telecommunication service using a local call, and use a media gateway of a VOIP service or
  • a connection to the called number is made from a media gateway to the called number via a telecommunication network.
  • the cost for such a call is lower than where the international leg of the call is provided via an international trunk of a telecommunication network.
  • the network service provider providing access to the communication network and the application service providers (ASPs) providing VOIP service providers may be separate organisations. An ASP may purchase network access for interconnection between the VOIP and telecommunication services from a
  • the ASP then charges users on a use basis for the VOIP service, for example using prepaid phone cards or separate accounts.
  • the ASP typically provides lower per call costs to the user than the network service provider particularly for services such as international calls.
  • the bulk rate charged to the ASP by the network service provider may be based on capacity purchased and traffic routing. For example, different bulk rates may be charged for local traffic routing compared to traffic being routed between international and local networks .
  • a media gateway 102 can provide the interconnection between a PSTN (public switched telecommunication network) 110 and an IP network 112.
  • PSTN public switched telecommunication network
  • Accounting for use of the telecommunication service for the VOIP traffic can be done based on data collected at the media gateways. Different charging regimes and access tariffs may be applied for local and international calls.
  • VOIP traffic uses data routing techniques through the IP network, it is possible to manipulate the data packets to attempt to disguise the true origin or
  • Call rebadging occurs when international traffic is disguised as local traffic when transferred to the PSTN.
  • Other terms for call rebadging are number tampering, call regeneration,
  • Call rebadging involves transferring international traffic into and out of a telecommunication operator's network rebadged as local calls. Call rebadging may be used by an ASP to incur local call tariffs rather than higher international call tariffs for international traffic.
  • an ASP may also be restricted, for example by license conditions, to only provide local VOIP routing services.
  • a local operator ASP typically pays a different network access fee than a global operator ASP.
  • the local operator ASP is prohibited from accepting and routing international calls.
  • International calls should be handled by a global operator ASP authorised to accept and route international VOIP calls. If a local operator ASP does accept international calls, and therefore act as a global operator, this activity can be deemed illegal.
  • Illegal call rebadging can contribute to revenue losses to a network service provider. Typically such call rebadging is done to obtain the benefit of lower routing costs than those which should be incurred from the network provider for the actual carriage of traffic on the network.
  • An embodiment of a VOIP monitoring system according to the present invention is shown in Figure 1.
  • the system comprises a network tapper 100, a network analyser 106 and a processor 108. The operation of the system will be described with reference to Figures 2a and 2b.
  • the network tapper 100 is a device adapted for connection in an internet protocol network between a media gateway 102 and a router 104.
  • the network tapper 100 copies 200 all IP packets transmitted on the network between the media gateway 102 and the router 104 and provides the copied packets to the network analyser 106.
  • the network tapper 100 may be adapted to distinguish VOIP packets from other IP packets and only copy VOIP packets.
  • the network tapper 100 can be implemented using any suitable hardware and software.
  • the network tapper may be implemented using a hardware device adapted to transparently intercept the data transmission and transmit copies of the packets to a network analyser device 106.
  • Copied IP packets 200 are provided to the network analyser 106.
  • the network analyser 106 can scan each copied IP packet 210 to identify specified capture criteria 215. IP packets which do not meet the specified capture criteria 215 can be dropped or ignored 218 while packets meeting the specified capture criteria are further processed.
  • the specified criteria may be only VoIP packets, packets from a specified origin, packets to a specified destination, packets of a suspected number or IP address, packets for a suspected range of IP addresses etc. For example, all packets to and from a suspected IP address may be captured.
  • Specified criteria may also include packet protocol, for example, SIP, H.323, MGCP etc.
  • Packets having the specified protocol may be captured irrespective of IP address or number.
  • Capture criteria may include a combination of specified criteria, for example all packets of a specified protocol to or from IP addresses in a given range.
  • the network analyser 106 can scan each IP packet 210 to identify whether or not the packet meets the capture criteria 215. If the packet does not meet the capture criteria, for example is not for a specified IP address, the packet is ignored 218 and the analyser simply
  • the network analyser 106 is in data communication with the network tapper 100 and can be implemented using any device having a processor programmed with firmware and software to search the packet format and data to identify packets meeting the specified criteria.
  • the network analyser 106 can also have an interface to enable communication with the processor 108 via a communication network 114, for example a wide area network. Packets which meet the capture criteria 215 can be stored or sent to a processor 230 for further analysis. Further processing may be performed by the network analyser 106 or another processor 108 in data communication with the network analyser 106. Once processing of a packet is completed 230 the network analyser 106 scans and processes the next packet 235.
  • the network analyser 106 can be further adapted convert 225 captured IP packets into a standardised format for further analysis. For example, before storing the IP packet data or forwarding 230 the IP packet data to a processor for further analysis.
  • Converting 225 IP packets can involve identifying relevant data from the IP packet and placing this data into a defined data structure. It should be appreciated that some data from the IP packets may also be ignored.
  • An advantage of converting copied IP packets into a standard format is simplification of further analysis of the captured IP packets. For example, the standardised format may simplify further analysis, such as behavioural
  • the network analyser 106 may be adapted to translate VOIP packets into a call data record (CDR) format.
  • CDR call data record
  • Data relevant to the routing of the VOIP packet can be extracted from the packet and placed in a CDR format.
  • the packet header can be used to generate the CDR and non- relevant packet pay load data of the VOIP packet may be ignored or deleted.
  • packet pay load data may be retained or samples of packet payload data retained for analysis.
  • the processor 108 is in data communication with the network analyser 106 and can receive 230 captured and translated IP packets from the network analyser 106 for further analysis, for example, via a wide area network 114.
  • the processor 108 can be adapted to identify packets that may be used as evidence of unauthorised activity.
  • the processor reads the data of a translated IP packet 240 and compares 250 the translated IP packet data to CDR data 245 for the gateway, to identify any CDR that may correspond to the IP packet.
  • the CDR data 245 can be obtained from the
  • a CDR corresponding to an IP packet is identified by matching seize time (time of the call) from the IP packet with the CDR seize time 260. If there is no CDR with a seize time matching that of the IP packet 260, then the packet is dropped 255 and processing continues with the next packet 258. If the IP packet and CDR seize time match 260, then the IP packet is checked for a termination number 265, otherwise known as a B- umber, in the PSTN. For example, the termination number may be a landline telephone number in the PSTN or a mobile phone number. If no termination number is present the IP packet is dropped 255 and processing continues with the next packet 258.
  • the processor can check whether or not the call was completed 270. If the call was not completed 270 then the IP packet is dropped 255 and processing continues with the next packet 258. However, where the call was completed 270 then this indicated the IP packet may be used for further analysis to identify unauthorised activity.
  • Relevant data from the IP packet can be compiled into a record for further processing 275 and forwarded for further analysis 280.
  • the processor can then proceed to analyse the next packet 285.
  • Further analysis may included reviewing packet content, analysing IP packet content patterns, analysing origin and destination IP address, making test calls etc. It should be appreciated that the process described above enables IP packets that relate to failed calls or are otherwise irrelevant or unable to be further processed to be dropped. This provides a filtered set of IP packets to input to more sophisticated analysis techniques, such as behavioural analysis.
  • the processor 108 may be adapted to perform further analysis of the filtered IP packets.
  • the processor may be adapted to analyse origin and destination IP addresses, to identify inconsistencies between the address information and other packet data. Data maybe logged for reporting to a network operator.
  • the processor 108 may perform a plurality of tests during analysis to investigate the packets and packet data from different perspectives and summarising the data analysis into information useful for fraud analyst. For example, processor 108 may identify relationships among attributes such as timestamp, originating IP address and destination IP address. The relationships between these attributes can indicate fraudulent activity. For example,
  • the processor 108 may also be adapted to report the packets suspected of indicating unauthorised activity, or a summary thereof, in a human readable form for reporting to a user or fraud analyst .
  • the system may also be adapted to perform a reconciliation operation by making a test call.
  • the reconciliation operation will be explained in greater detail with reference to Figure 3.
  • test equipment 310 and a processing engine 350 are provided. This equipment can be set up in a laboratory.
  • the test equipment 310 can trigger a test call 320 be made via the IP network 370, an application service provider's gateway 330 and PSTN network 340.
  • the call data record 345 generated by this test call 320 is recorded at the processing engine 350.
  • a call data record is also
  • the test equipment constructs expected CDR data for the test call.
  • the constructed CDR 315 can be transmitted to the processing engine 350 via an IP network if the test equipment 310 is remote from the processing engine 350.
  • the processing engine 350 compares the constructed call data record 315 with the actual call data record 345 obtained for the test call 320 made via the ASP's gateway 330.
  • the IP packets and CDR of the test call can be captured from the network using the system of Figure 1 and process of Figures 2a and 2b.
  • the processing engine 350 can be adapted to associate the actual CDR 345 for the test call with the constructed CDR 315. By comparing the actual and constructed CDRs the processing engine can determine whether or not the origination number of the test call is the same as that of the constructed CDR. This data can be presented to a fraud analyst 360 for further analysis of the suspected fraud.
  • the test call reconciliation process is optional and maybe performed after suspected unauthorised activity is identified through other analysis, for example through comparison of source and destination IP addresses, time stamps, etc. An alert regarding potential fraud or illegal activity can be provided to the network operator or other authority and the test call initiated by the network operator or other authority. Alternatively test calls and analysis thereof may be automatically triggered by the processor 108.
  • the processor 108 can be connected to the network analyser 106 via a communication network.
  • the network is a wide area network (WAN) .
  • the network analyser 106 may be accessible via the internet, preferably via virtual private network.
  • analyser 106 are installed. This has an advantage of enabling the processor to be accessed by human operators from a more convenient location than the exchange
  • test equipment 310 and processing engine 350 may also be remote accessed via a communication network. It should be appreciated that the processing engine 350 may be implemented as a function of the processor 108 or using separate processing equipment of any suitable hardware, firmware and software configuration. In some embodiments the test equipment 310 may also be implemented as part of the processor 108 or as separate equipment using any suitable hardware, firmware and software
  • test equipment may be located at a regional office and connected to the processing engine 350 via an IP network.
  • functionality of the test equipment 310 and processing engine 350 may be implemented as different functions of the same equipment.
  • the network analyser 106 performs scanning of IP packets to capture of IP packets based on specified criteria and translation of IP packet data. This significantly filters the raw IP packet data to reduce the amount of irrelevant data forwarded to the processor 108 for analysis. This has an advantage of enabling a practical network
  • the system and method of embodiments of the present invention has an advantage of enabling automation of the scanning of IP packets to identify specific indicators associated with number tampering and rebadging activities.
  • the conversion [of IP packets into a standardised format enables analysis to be performed easily on the
  • Embodiments of the invention could provide evidence of suspicious illegal rebadging activity for international traffic.
  • any international traffic or calls that have been rebadged as a local call may be identified.
  • the evidence provided by the system can aid network service providers when seeking recovery of lost revenue from the parties committing the illegal activities.

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Business, Economics & Management (AREA)
  • General Business, Economics & Management (AREA)
  • Multimedia (AREA)
  • Telephonic Communication Services (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)

Abstract

A voice over internet protocol (VoIP) monitoring system comprising a processor receiving IP packet data of DP packets copied to and from a gateway connecting the IP network and a telecommunication network. The processor analyses the received packet data to identify any packet corresponding to a call data record (CDR) of the telecommunication network traffic interconnected between the IP network and the telecommunication network via the gateway. A network tapper copies the IP packets being transmitted between the media gateway and the router. A network analyser in communication with the tapper identifies copied IP packet meeting specified criteria for analysis by the processor. Unauthorised activities to be identified include call rebadging, traffic rebadging, call reorigination, call regeneration, number tampering and interconnect bypass.

Description

VOICE OVER INTERNET PROTOCOL MONITORING SYSTEM AND METHOD
Technical Field The field of the invention is monitoring of voice over internet protocol (VOIP) traffic on a network.
Background Traditionally data communication networks, in particular the Internet, are being increasingly used for voice communication utilising voice over internet protocol (VOIP) . Some services enable users of traditional voice telecommunication networks to make voice calls that are carried in part using VOIP via a data network.
VOIP can be used as a substitute for traditional circuit switched telecommunications for one or more legs of a call between two parties . A known manner of providing low cost long distance telecommunications to utilise data networks using VOIP for at least part of the connection between two users. For example, VOIP may be used for an international leg of a telephone call. Regulations may exist regarding the use of such techniques and charging for services utilising such techniques.
Summary of the invention
According to one aspect of the present invention there is provided a voice over internet protocol (VOIP) monitoring system comprising a processor adapted to receive IP packet data of internet protocol (IP) packets copied from
communication to and from a media gateway interconnecting the IP network and a telecommunication network, and analyse the received IP packet data to identify any IP packet corresponding to a call data record (CDR) of telecommunication network traffic interconnected between the IP network and the telecommunication network via the gateway.
According to another aspect of the present invention there is provided a voice over internet protocol (VOIP)
monitoring method comprising the steps of:
receiving, IP packet data of internet protocol (IP) packets copied from communication to and from a media gateway interconnecting the IP network and a
telecommunication network; and
analysing the received IP packet data, by a
processor, to identify any IP packet corresponding to a call data record (CDR) of telecommunication network traffic interconnected between the IP network and the telecommunication network via the gateway.
In an embodiment the processor analyses the IP packet data to identify, for further analysis, IP packets having a seize time that matches a CDR of the gateway, including a called number and indicating a complete call transaction.
The system can further comprise a network tapper adapted for connection in the internet protocol network between the media gateway and a router to copy internet protocol (IP) packets being transmitted between the media gateway and the router.
The system can further comprise a network analyser in data communication with the network tapper and adapted to identify copied IP packets meeting at least one specified criterion and providing IP packet data of the identified IP packets to the processor.
The specified criterion can include any one or more of: IP address, range of IP addresses or packet protocols.
The network analyser can be further adapted to convert data of the identified IP packets into standardised format data records .
In an embodiment the standardised format data records have a call data record format.
Destination and origination IP addresses of identified IP packets can be analysed. Identified IP packets can be analysed to identify content patterns in IP packet content data.
The method can further comprise the steps of:
making a test call via a suspected media gateway using data from a record identified for further analysis; and
constructing expected CDR data for the test call.
The above method can further comprise the step of
comparing a CDR generated for the test call with the constructed CDR for the test call to identify whether unauthorised activity has occurred.
In an embodiment the system further comprises test
equipment adapted to, using data from an IP packet
identified for further analysis, make a test call via a suspected media gateway and construct expected CDR data for the test call. The system can further comprise a processing engine adapted to compare a CDR generated for the test call with the constructed CDR for the test call to identify whether unauthorised activity has occurred. Unauthorised activities to be identified can include any one or more of call rebadging, traffic rebadging, number tampering and interconnect bypass. In an embodiment the processor is in data communication with the network analyser via a communication network.
The communication network can be a wide area network (WAN) .
According to another aspect of the present invention there is provided a voice over internet protocol (VOIP)
monitoring system comprising:
a network tapper adapted for connection in the internet protocol network between the media gateway and a router to copy internet protocol (IP) packets being transmitted between the media gateway and the router; and a network analyser in data communication with the network tapper and adapted to identify copied IP packets meeting at least one specified criterion.
The specified criteria can include any one or more of: IP address, range of IP addresses or packet protocols.
The network analyser can be further adapted to convert data of the identified IP packets into standardised format data records . The standardised format data records have a call data record format .
The network analyser can be further adapted to provide IP packet data of the identified IP packets via a
communication network to a processor for analysis.
The communication network can be a wide area network
(WAN) . According to another aspect of the present invention there is provided a method of voice over internet protocol
(VOIP) monitoring comprising the steps of: copying internet protocol (IP) packets transmitted between a media gateway and a router using a network tapper;
providing copied of IP packets to a network analyser; and
scanning copied IP packets by the network analyser to identify IP packets meeting any one or more specified criterion. This method can further comprise the step of converting data of the identified IP packets into standardised format data records .
This method can further comprise the step of analysing data from IP packets meeting any one or more specified criterion, by a processor, to identify any IP packet corresponding to a call data record (CDR) of
telecommunication network traffic interconnected between the IP network and the telecommunication network via the gateway.
Brief description of the drawings
Figure 1 is an example of an embodiment of a system according to an embodiment of the present invention.
Figure 2a is a flowchart of an example of capturing IP packets in accordance with an embodiment of the present invention.
Figure 2b is a flowchart of an example of analysing captured IP packets in accordance with an embodiment of the present invention. Figure 3 is an example of a system for making test calls in accordance with an embodiment of the present invention. Detailed description
Embodiments of the present invention provide a method and system for analysing voice over internet protocol (VOIP) packets, to identify packets which may provide indicators of illegal or unauthorised activity. VOIP monitoring is performed by analysing IP packet data of internet protocol (IP) packets copied from communication to and from a media gateway interconnecting the IP network and a
telecommunication network. The IP packet data is analysed to identify any IP packet corresponding to a call data record (CDR) of telecommunication network traffic
interconnected between the IP network and the
telecommunication network via the gateway.
The IP packets for analysis can be copied using a network tapper 100 provided in the network between a media gateway 102 for providing interconnection to a telecommunication network 110 and a router 104 for routing IP traffic between the gateway 102 and the wider IP network 112. The network tapper 100 copies IP packets transmitted between the media gateway 102 and the router 104. Copies of the IP packets can be provided directly to the processor for analysis. Alternatively, the copied IP packets can be filtered before analysis.
In a preferred embodiment a network analyser 106 is provided to filter the coped IP packets in accordance with specified criteria. Copies of the IP packets can be provided to the network analyser 106 which identifies packets meeting specified any one or more specified criterion. In some embodiments the network analyser converts the identified IP packets into standardised format data for analysis. The data can then analysed by the processor 108 to identify packets that may include indicators of illegal activity for further analysis. In particular this method can be used to acquire evidence of number tampering or call rebadging activity.
It is known to use VOIP for carriage of data for at least part of a telephone call between two users. The use of VOIP may be controlled by the user making the call or the telecommunication service provider.
Where the use of VOIP is controlled by the
telecommunication service provider, a user makes a
telephone call and may be unaware that VOIP is being used. During the connection of the call between the calling party (A number) and called party (B number) the
telecommunication service provider establishes
communication via a data network using VOIP for at least one leg of the connection between the calling and called parties .
Where use of VOIP is controlled by the user, a user may communicate with another party directly via a data network using VOIP, for example using SKYPE or another VOIP service. Alternatively, a user may make a telephone call to a VOIP service provider number for making a call to a called number using VOIP. For example, a user can call, via a regular telecommunication service using a local call, and use a media gateway of a VOIP service or
application service provider (ASP) to make the
international leg of the call using VOIP. At the
receiving end of the call a connection to the called number is made from a media gateway to the called number via a telecommunication network. Typically the cost for such a call is lower than where the international leg of the call is provided via an international trunk of a telecommunication network. It should be appreciated that the network service provider providing access to the communication network and the application service providers (ASPs) providing VOIP service providers may be separate organisations. An ASP may purchase network access for interconnection between the VOIP and telecommunication services from a
telecommunication network provider at a bulk rate. The ASP then charges users on a use basis for the VOIP service, for example using prepaid phone cards or separate accounts. The ASP typically provides lower per call costs to the user than the network service provider particularly for services such as international calls. The bulk rate charged to the ASP by the network service provider may be based on capacity purchased and traffic routing. For example, different bulk rates may be charged for local traffic routing compared to traffic being routed between international and local networks .
The data network used for the VOIP communication and the telecommunication network interconnect using media
gateways. For example, a media gateway 102 can provide the interconnection between a PSTN (public switched telecommunication network) 110 and an IP network 112.
Accounting for use of the telecommunication service for the VOIP traffic can be done based on data collected at the media gateways. Different charging regimes and access tariffs may be applied for local and international calls.
As the VOIP traffic uses data routing techniques through the IP network, it is possible to manipulate the data packets to attempt to disguise the true origin or
destination of the VOIP packets. Call rebadging occurs when international traffic is disguised as local traffic when transferred to the PSTN. Other terms for call rebadging are number tampering, call regeneration,
reorigination, traffic rebadging or interconnect bypass. Call rebadging involves transferring international traffic into and out of a telecommunication operator's network rebadged as local calls. Call rebadging may be used by an ASP to incur local call tariffs rather than higher international call tariffs for international traffic.
Further, an ASP may also be restricted, for example by license conditions, to only provide local VOIP routing services. Such a local operator ASP typically pays a different network access fee than a global operator ASP. The local operator ASP is prohibited from accepting and routing international calls. International calls should be handled by a global operator ASP authorised to accept and route international VOIP calls. If a local operator ASP does accept international calls, and therefore act as a global operator, this activity can be deemed illegal.
Illegal call rebadging can contribute to revenue losses to a network service provider. Typically such call rebadging is done to obtain the benefit of lower routing costs than those which should be incurred from the network provider for the actual carriage of traffic on the network. An embodiment of a VOIP monitoring system according to the present invention is shown in Figure 1. The system comprises a network tapper 100, a network analyser 106 and a processor 108. The operation of the system will be described with reference to Figures 2a and 2b.
The network tapper 100 is a device adapted for connection in an internet protocol network between a media gateway 102 and a router 104. The network tapper 100 copies 200 all IP packets transmitted on the network between the media gateway 102 and the router 104 and provides the copied packets to the network analyser 106. The network tapper 100 may be adapted to distinguish VOIP packets from other IP packets and only copy VOIP packets.
Alternatively all packets transferred between the router 104 and media gateway 102 can be captured. In some implementations substantially all or all packets routed between the media gateway 102 and router 104 can be VOIP packets, therefore it may not be necessary for the network tapper 100 to distinguish between different types of packets . The network tapper 100 can be implemented using any suitable hardware and software. For example, the network tapper may be implemented using a hardware device adapted to transparently intercept the data transmission and transmit copies of the packets to a network analyser device 106.
Copied IP packets 200 are provided to the network analyser 106. The network analyser 106 can scan each copied IP packet 210 to identify specified capture criteria 215. IP packets which do not meet the specified capture criteria 215 can be dropped or ignored 218 while packets meeting the specified capture criteria are further processed. For example, the specified criteria may be only VoIP packets, packets from a specified origin, packets to a specified destination, packets of a suspected number or IP address, packets for a suspected range of IP addresses etc. For example, all packets to and from a suspected IP address may be captured. Specified criteria may also include packet protocol, for example, SIP, H.323, MGCP etc.
Packets having the specified protocol may be captured irrespective of IP address or number. Capture criteria may include a combination of specified criteria, for example all packets of a specified protocol to or from IP addresses in a given range.
The network analyser 106 can scan each IP packet 210 to identify whether or not the packet meets the capture criteria 215. If the packet does not meet the capture criteria, for example is not for a specified IP address, the packet is ignored 218 and the analyser simply
continues to scan the next packet 220. The network analyser 106 is in data communication with the network tapper 100 and can be implemented using any device having a processor programmed with firmware and software to search the packet format and data to identify packets meeting the specified criteria. The network analyser 106 can also have an interface to enable communication with the processor 108 via a communication network 114, for example a wide area network. Packets which meet the capture criteria 215 can be stored or sent to a processor 230 for further analysis. Further processing may be performed by the network analyser 106 or another processor 108 in data communication with the network analyser 106. Once processing of a packet is completed 230 the network analyser 106 scans and processes the next packet 235.
The network analyser 106 can be further adapted convert 225 captured IP packets into a standardised format for further analysis. For example, before storing the IP packet data or forwarding 230 the IP packet data to a processor for further analysis.
Converting 225 IP packets can involve identifying relevant data from the IP packet and placing this data into a defined data structure. It should be appreciated that some data from the IP packets may also be ignored. An advantage of converting copied IP packets into a standard format is simplification of further analysis of the captured IP packets. For example, the standardised format may simplify further analysis, such as behavioural
analysis of the IP packets' routing and content data.
For example, the network analyser 106 may be adapted to translate VOIP packets into a call data record (CDR) format. Data relevant to the routing of the VOIP packet can be extracted from the packet and placed in a CDR format. In embodiments where only CDR data is required for analysis to identify illegal call rebadging activity, the packet header can be used to generate the CDR and non- relevant packet pay load data of the VOIP packet may be ignored or deleted. In some embodiments packet pay load data may be retained or samples of packet payload data retained for analysis.
The processor 108 is in data communication with the network analyser 106 and can receive 230 captured and translated IP packets from the network analyser 106 for further analysis, for example, via a wide area network 114. The processor 108 can be adapted to identify packets that may be used as evidence of unauthorised activity.
For example, as shown in Figure 2b the processor reads the data of a translated IP packet 240 and compares 250 the translated IP packet data to CDR data 245 for the gateway, to identify any CDR that may correspond to the IP packet. The CDR data 245 can be obtained from the
telecommunication network provider who may also be the entity responsible for operation of the VOIP analysis system. A CDR corresponding to an IP packet is identified by matching seize time (time of the call) from the IP packet with the CDR seize time 260. If there is no CDR with a seize time matching that of the IP packet 260, then the packet is dropped 255 and processing continues with the next packet 258. If the IP packet and CDR seize time match 260, then the IP packet is checked for a termination number 265, otherwise known as a B- umber, in the PSTN. For example, the termination number may be a landline telephone number in the PSTN or a mobile phone number. If no termination number is present the IP packet is dropped 255 and processing continues with the next packet 258. Next the processor can check whether or not the call was completed 270. If the call was not completed 270 then the IP packet is dropped 255 and processing continues with the next packet 258. However, where the call was completed 270 then this indicated the IP packet may be used for further analysis to identify unauthorised activity.
Relevant data from the IP packet can be compiled into a record for further processing 275 and forwarded for further analysis 280. The processor can then proceed to analyse the next packet 285.
Further analysis may included reviewing packet content, analysing IP packet content patterns, analysing origin and destination IP address, making test calls etc. It should be appreciated that the process described above enables IP packets that relate to failed calls or are otherwise irrelevant or unable to be further processed to be dropped. This provides a filtered set of IP packets to input to more sophisticated analysis techniques, such as behavioural analysis.
In some embodiments the processor 108 may be adapted to perform further analysis of the filtered IP packets. For example, the processor may be adapted to analyse origin and destination IP addresses, to identify inconsistencies between the address information and other packet data. Data maybe logged for reporting to a network operator.
The processor 108 may perform a plurality of tests during analysis to investigate the packets and packet data from different perspectives and summarising the data analysis into information useful for fraud analyst. For example, processor 108 may identify relationships among attributes such as timestamp, originating IP address and destination IP address. The relationships between these attributes can indicate fraudulent activity. For example,
identification of foreign origin IP addresses for traffic which is terminated as local traffic in the PSTN may indicate call rebadging or interconnect bypass activity. The processor 108 may also be adapted to report the packets suspected of indicating unauthorised activity, or a summary thereof, in a human readable form for reporting to a user or fraud analyst .
In some embodiments the system may also be adapted to perform a reconciliation operation by making a test call. The reconciliation operation will be explained in greater detail with reference to Figure 3. In this embodiment test equipment 310 and a processing engine 350 are provided. This equipment can be set up in a laboratory. The test equipment 310 can trigger a test call 320 be made via the IP network 370, an application service provider's gateway 330 and PSTN network 340. The call data record 345 generated by this test call 320 is recorded at the processing engine 350. A call data record is also
constructed 315 at the test equipment and provided to the processing engine 350. The test equipment constructs expected CDR data for the test call. The constructed CDR 315 can be transmitted to the processing engine 350 via an IP network if the test equipment 310 is remote from the processing engine 350. The processing engine 350 compares the constructed call data record 315 with the actual call data record 345 obtained for the test call 320 made via the ASP's gateway 330.
The IP packets and CDR of the test call can be captured from the network using the system of Figure 1 and process of Figures 2a and 2b. The processing engine 350 can be adapted to associate the actual CDR 345 for the test call with the constructed CDR 315. By comparing the actual and constructed CDRs the processing engine can determine whether or not the origination number of the test call is the same as that of the constructed CDR. This data can be presented to a fraud analyst 360 for further analysis of the suspected fraud. The test call reconciliation process is optional and maybe performed after suspected unauthorised activity is identified through other analysis, for example through comparison of source and destination IP addresses, time stamps, etc. An alert regarding potential fraud or illegal activity can be provided to the network operator or other authority and the test call initiated by the network operator or other authority. Alternatively test calls and analysis thereof may be automatically triggered by the processor 108.
In some embodiments of the present invention the processor 108 can be connected to the network analyser 106 via a communication network. In a preferred embodiment the network is a wide area network (WAN) . Alternatively the network analyser 106 may be accessible via the internet, preferably via virtual private network. An advantage of network accessibility for the network analyser 106 is this enables the processor to be remote from the exchange equipment where the network tapper 100 and network
analyser 106 are installed. This has an advantage of enabling the processor to be accessed by human operators from a more convenient location than the exchange
equipment site.
Further, the test equipment 310 and processing engine 350 may also be remote accessed via a communication network. It should be appreciated that the processing engine 350 may be implemented as a function of the processor 108 or using separate processing equipment of any suitable hardware, firmware and software configuration. In some embodiments the test equipment 310 may also be implemented as part of the processor 108 or as separate equipment using any suitable hardware, firmware and software
configuration. The test equipment may be located at a regional office and connected to the processing engine 350 via an IP network. Alternatively, the functionality of the test equipment 310 and processing engine 350 may be implemented as different functions of the same equipment.
The network analyser 106 performs scanning of IP packets to capture of IP packets based on specified criteria and translation of IP packet data. This significantly filters the raw IP packet data to reduce the amount of irrelevant data forwarded to the processor 108 for analysis. This has an advantage of enabling a practical network
assessable solution for tapping and analysing VOIP data.
The system and method of embodiments of the present invention has an advantage of enabling automation of the scanning of IP packets to identify specific indicators associated with number tampering and rebadging activities. The conversion [of IP packets into a standardised format enables analysis to be performed easily on the
standardised data. This enables suspected fraud and illegal activity to be brought to the attention of a network operator automatically for further attention and investigation.
Embodiments of the invention could provide evidence of suspicious illegal rebadging activity for international traffic. Thus, any international traffic or calls that have been rebadged as a local call may be identified. The evidence provided by the system can aid network service providers when seeking recovery of lost revenue from the parties committing the illegal activities.
In the claims which follow and in the preceding
description of the invention, except where the context requires otherwise due to express language or necessary implication, the word "comprise" or variations such as "comprises" or "comprising" is used in an inclusive sense, i.e. to specify the presence of the stated features but not to, preclude the presence or addition of further features in various embodiments of the invention.
It is to be understood that, if any prior art publication is referred to herein, such reference does not constitute an admission that the publication forms a part of the common general knowledge in the art, in any country.

Claims

Claims
1. A voice over internet protocol (VOIP) monitoring system comprising a processor (108) adapted to receive IP packet data of internet protocol (IP) packets copied from communication to and from a media gateway (102)
interconnecting the IP network (112) and a
telecommunication network (110) , and analyse the received IP packet data to identify any IP packet corresponding to a call data record (CDR) of telecommunication network traffic interconnected between the IP network (112) and the telecommunication network (110) via the gateway (102) .
2. A system as claimed in claim 1 wherein the processor (108) analyses the IP packet data to identify, for further analysis, IP packets having a seize time that matches a CDR of the gateway (102) , including a called number and indicating a complete call transaction.
3. A system as claimed in claim 2 further comprising a network tapper (100) adapted for connection in the
internet protocol network (112) between the media gateway (102) and a router (104) to copy internet protocol (IP) packets being transmitted between the media gateway (102) and the router (104) .
4. A system as claimed in claim 3 further comprising a network analyser (106) in data communication with the network tapper (100) and adapted to identify copied IP packets meeting at least one specified criterion and providing IP packet data of the identified IP packets to the processor (108) .
5. A system as claimed in claim 1 wherein the specified criteria can include any one or more of: IP address, range of IP addresses or packet protocols.
6. A system as claimed in claim 4 wherein the network analyser (106) is further adapted to convert data of the identified IP packets into standardised format data records .
7. A system as claimed in claim 6 wherein the
standardised format data records have a call data record format .
8. A system as claimed in claim 1 wherein the identified IP packets are further analysed to identify any
unauthorised activity.
9. A system as claimed in claim 8 wherein the processor (108) is further adapted to analyse destination and origination IP addresses of IP packets.
10. A system as claimed in claim 8 wherein the processor (108) is further adapted to analyse IP packets to identify content patterns in IP packet content data.
11. A system as claimed in claim 8 further comprising test equipment (310) adapted to, using data from a record identified for further analysis, make a test call (320) via a suspected media gateway (330) and construct expected CDR data (315) for the test call.
12. A system as claimed in claim 11 further comprising a processing engine (350) adapted to compare a CDR (345) generated for the test call (320) with the constructed CDR (315) for the test call (320) to identify whether
unauthorised activity has occurred.
13. A system as claimed in claim 7 wherein unauthorised activities to be identified can include any one or more of call rebadging, traffic rebadging, number tampering and interconnect bypass.
14. A system as claimed in claim 4 wherein the processor (108) is in data communication with the network analyser (106) via a communication network (114).
15. A system as claimed in claim 14 wherein the
communication network (114) is a wide area network (WAN) .
16. A voice over internet protocol (VOIP) monitoring system comprising:
a network tapper (100) adapted for connection in the internet protocol network (112) between the media gateway (102) and a router (104) to copy internet protocol (IP) packets being transmitted between the media gateway (102) and the router (104) ; and
a network analyser (106) in data communication with the network tapper (100) and adapted to identify copied IP packets meeting at least one specified criterion.
17. A system as claimed in claim 16 wherein the specified criteria can include any one or more of: IP address, range of IP addresses or packet protocols.
18. A system as claimed in claim 17 wherein the network analyser (106) is further adapted to convert data of the identified IP packets into standardised format data records .
19. A system as claimed in claim 18 wherein the
standardised format data records have a call data record format.
20. A system as claimed in claim 16 wherein the network analyser (106) is further adapted to provide IP packet data of the identified IP packets via a communication network (114) to a processor (108) for analysis.
21. A system as claimed in claim 20 wherein the communication network (114) is a wide area network (WAN) .
22. A voice over internet protocol (VOIP) monitoring method comprising the steps of:
receiving, IP packet data of internet protocol (IP) packets copied from communication to and from a media gateway (102) interconnecting the IP network (112) and a telecommunication network (110) ; and
analysing the received IP packet data, by a processor (108) , to identify any IP packet corresponding to a call data record (CDR) of telecommunication network traffic interconnected between the IP network (112) and the telecommunication network (110) via the gateway (102) .
23. A method as claimed in claim 22 wherein the IP packet data is analysed to identify, for further analysis IP packets having a seize time that matches a CDR of the gateway, including a called number and indicating a complete call transaction.
24. A method as claimed in claim 22 further comprising the initial step of copying internet protocol (IP) packets transmitted between a media gateway (102) and a router (104) using a network tapper (100) .
25. A method as claimed in claim 24 further comprising the step of scanning copied IP packets by the network analyser (106) to identify IP packets meeting any one or more specified criterion.
26. A method as claimed in claim 25 further comprising the step of converting data of the identified IP packets into standardised format data records.
27. A method as claimed in claim 26 wherein the
standardised format data records have a call data record format .
28. A method as claimed in claim 25 wherein the specified criteria include any one or more of: IP address, range of IP addresses or packet protocols.
29. A method as claimed in claim 22 wherein the step of analysing the IP packet data comprises the step of identifying records having a seize time that matches a CDR of the gateway (102) , including a called number and indicating a complete call transaction, to identify
ί
records for further analysis to identify any unauthorised activity.
30. A method as claimed in claim 29 further comprising the step of analysing destination and origination IP addresses of IP packets.
31. A method as claimed in claim 29 further comprising the step of analysing IP packets to identify content patterns in IP packet content data.
32. A method as claimed in claim 29 further comprising the steps of:
making a test call (320) via a suspected media gateway (330) using data from an IP packet identified for further analysis; and
constructing expected CDR data (315) for the test call (320) .
33. A method as claimed in claim 32 further comprising the step of comparing a CDR (345) generated for the test call (320) with the constructed CDR (315) for the test call (320) to identify any unauthorised activity.
34. A method as claimed in claim 33 wherein unauthorised activities to be identified can include any one or more of call rebadging, traffic rebadging, number tampering and interconnect bypass.
35. A method of voice over internet protocol (VOIP) monitoring comprising the steps of:
copying internet protocol (IP) packets transmitted between a media gateway (102) and a router (104) using a network tapper (100) ;
providing copied of IP packets to a network analyser (106) ; and
scanning copied IP packets by the network analyser (106) to identify IP packets meeting any one or more specified criterion.
36. A method as claimed in claim 35 further comprising the step of converting data of the identified IP packets into standardised format data records.
37. A method as claimed in claim 35 further comprising the step of analysing data from IP packets meeting any one or more specified criterion, by a processor (108) , to identify any IP packet corresponding to a call data record (CDR) of telecommunication network traffic interconnected between the IP network (112) and the telecommunication network (110) via the gateway (102) .
PCT/MY2010/000230 2010-10-29 2010-10-29 Voice over internet protocol monitoring system and method WO2012057601A1 (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
PCT/MY2010/000230 WO2012057601A1 (en) 2010-10-29 2010-10-29 Voice over internet protocol monitoring system and method

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
PCT/MY2010/000230 WO2012057601A1 (en) 2010-10-29 2010-10-29 Voice over internet protocol monitoring system and method

Publications (1)

Publication Number Publication Date
WO2012057601A1 true WO2012057601A1 (en) 2012-05-03

Family

ID=45994132

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/MY2010/000230 WO2012057601A1 (en) 2010-10-29 2010-10-29 Voice over internet protocol monitoring system and method

Country Status (1)

Country Link
WO (1) WO2012057601A1 (en)

Cited By (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
TWI514837B (en) * 2012-05-30 2015-12-21 Gogolook Co Ltd Account analysis apparatus, account analysis method, non-transitory tangible machine-readable medium thereof, and computer program product thereof

Citations (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20060002534A1 (en) * 2003-03-28 2006-01-05 Lang Howard L Method for determining concurrent voice over IP calls
US20070206580A1 (en) * 2006-03-02 2007-09-06 Andrew Silver Call flow system and method use in VoIP telecommunication system
US20070230345A1 (en) * 2006-03-31 2007-10-04 Witness Systems, Inc. Systems and methods for capturing multimedia communication signals

Patent Citations (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20060002534A1 (en) * 2003-03-28 2006-01-05 Lang Howard L Method for determining concurrent voice over IP calls
US20070206580A1 (en) * 2006-03-02 2007-09-06 Andrew Silver Call flow system and method use in VoIP telecommunication system
US20070230345A1 (en) * 2006-03-31 2007-10-04 Witness Systems, Inc. Systems and methods for capturing multimedia communication signals

Cited By (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
TWI514837B (en) * 2012-05-30 2015-12-21 Gogolook Co Ltd Account analysis apparatus, account analysis method, non-transitory tangible machine-readable medium thereof, and computer program product thereof

Similar Documents

Publication Publication Date Title
US7076040B2 (en) Generating call detail records
US8121113B2 (en) Terminal-to-terminal communication connection control method using IP transfer network
US20030002637A1 (en) Internet telephone network system, network access method and talking device adapter
US20030083991A1 (en) Method and apparatus for tracking and billing cellular roaming charges via a data packet network
US10582043B1 (en) Method of identifying instances of international call interconnect bypass telecommunications fraud
CN101627619A (en) A pre-biller in internet protocol multimedia subsystem (IMS) charging gateway function (CGF)
CN101179449B (en) Monitoring system, apparatus and method in IP network
EP2509294B1 (en) A telecommunication network bypass detection system with reduced counter detection risk
EP2671372B1 (en) A system for detection of a bypass of an interconnect to a telecommunication network
WO2012057601A1 (en) Voice over internet protocol monitoring system and method
KR20120057293A (en) Method and apparatus of charging the network usage ofVoIP traffic for VoIP service provider
US20130163581A1 (en) Systems and methods of integrating call detail record information from multiple sources
WO2019226129A2 (en) A system and a method that detect ott bypass fraud using network-data analysis
CN109819089B (en) Voiceprint extraction method, core network element, electronic device and storage medium
WO2019190438A2 (en) Ott bypass fraud detection by using call detail record and voice quality analytics
CN100359911C (en) Method for collecting called gate keeper information
CN102572840B (en) A kind of method utilizing monitoring signaling technology to differentiate novel malicious callback service
Khan et al. Automatic Monitoring & Detection System (AMDS) for Grey Traffic
CN101278272B (en) Network routing
KR100687658B1 (en) Internet usage fee management system and method of internet service provider for voip traffic
US9184985B2 (en) Investigating a communication aspect of a data flow
KR101078448B1 (en) Method and System For multi media traffic measurement on IP network
CN118827864A (en) Method and device for identifying multiple numbers
JP2023544456A (en) System and method for classifying and processing voice over IP traffic
US10673910B2 (en) Network marketing and analysis tool

Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application

Ref document number: 10859024

Country of ref document: EP

Kind code of ref document: A1

NENP Non-entry into the national phase

Ref country code: DE

122 Ep: pct application non-entry in european phase

Ref document number: 10859024

Country of ref document: EP

Kind code of ref document: A1