See discussions, stats, and author profiles for this publication at: https://www.researchgate.

net/publication/320559310

TERAMOCS: TElecommunications TRAffic MOnitoring and Fraud Control

System

Conference Paper · November 2017

CITATIONS READS

0 5,234

2 authors:

Babu R. Dawadi Surendra Shrestha

Tribhuvan University Tribhuvan University Institute of Engineering Pulchowk Campus
111 PUBLICATIONS   222 CITATIONS    60 PUBLICATIONS   135 CITATIONS   

SEE PROFILE SEE PROFILE

Some of the authors of this publication are also working on these related projects:

Reform of Institute of Engineering (IOE) View project

Assess and examine the interference due to frequency allocation for new technologies such as 5G and Short-Range Devices (SRDs) - 5GSRD View project

All content following this page was uploaded by Babu R. Dawadi on 05 February 2018.

The user has requested enhancement of the downloaded file.

 Telecommunications Traffic Monitoring and Fraud Control System 1

Telecommunications Traffic Monitoring and Fraud Control System

*1
Babu Ram Dawadi, 1Surendra Shrestha
1
Department of Electronics and Computer Engineering, Pulchowk Campus, Tribhuvan University

Corresponding Author(s): [1baburd, 1surendra]@ioe.edu.np

Abstract
For the advancement on traffic monitoring and control over the possible fraud due to the misuse of
telecommunication/internet service and with the requirement on empowering regulator towards efficient
regulation, revenue evaluation and cross-verify quality of telecom services, we proposed a framework of
Telecommunications Traffic Monitoring and Fraud Control System (TERAMOCS) for the regulators of
developing countries like Nepal. TERAMOCS is a complete system conceptualized for the lawful interception,
ILD and domestic voice/data traffic monitoring with fraud detection and control over the network of telecom
service operators of Nepal who are providing telecom and internet services to the public.

Keywords: Telecommunications, Policy, Regulator, Traffic Monitoring, Quality of Service, Fraud Control

1. Introduction
In the recent years, controlling of illegal call bypass like VoIP call and other mobile/internet related threats
become the major issues for the telecom/internet service providers and the regulator of Nepal. Incoming VoIP
call termination, Skype/Viber like call termination business to Nepal is not opened to all telecom/internet
service providers leading to challenges of controlling those illegal activities. There are six major telecom
operators and more than sixty internet service providers at Nepal [1] providing voice and data communication
services. Millions of international call traffic have been exchanged via the network of those operators having
international gateway license.
With the liberalization of the telecom sector, different telecom service licensees were awarded to provide
telecom service across the country. At present, there are six major telecom licensees who are allowed to provide
voice telephony services. There are collective subscriber base of 36.21 million subscribers [2] as of July, 2017.
All licensed operators have international gateways and are interconnected with each other. The major telecom
service providers of Nepal are 1) NDCL – Nepal Doorsanchar Company Limited 2) NCell – NcellPvt Limited
3) UTL – United Telecom Limited, 4) STPL – Smart Telecom Pvt. Ltd, 5) CGC – C.G. Telecom Pvt. Ltd, 6)
NSTPL – Nepal Satellite Telecom Pvt. Ltd.
Various technologies are used by the licensed operators to connect the users through VSAT, GSM, CDMA
& PSTN. Operators have to provide regular information to the Nepal Telecommunications Authority (NTA)
such as volumes of International/National (Offnet/Onnet) calls, number of subscribers, complaints reported
and handled by the licensed operators along with other information that the authority needs from time to time
for effectively delivering its function and collecting relevant fees. To ensure this, consumers are provided with
best services by the licensed operators in Nepal, NTA established Quality of Service parameters for Basic,
Cellular and Internet Services [3]. Some key QoS parameters were benchmarked and Key Performance
Indicators (KPI) were defined by sub-dividing the parameters to Network Performance, Billing Complaints &
Readdresal and Customer Perception regarding the Services. Network performance is measured through
Service Access Delay, Call Set-up Success Rate, Call Drop Ratio & Point of Interconnection (PoI) congestion.
Similarly there are KPIs for billing complaints and customer perception. NTA through its interim directive
NEIR 2072 (National Equipment Identity Register-2072) has taken a step further to incorporate a NEIR to
 2 5th International Symposium on Advanced and Applied Convergence (Nov. 9-12, 2017)

detect and block illegal usage of handsets in the country and also establish a detail process for registration of
Handsets though its type approval process, the responsibility of which has been placed with the operators to
establish, install, operate and maintain the NEIR.
As being a regulator, it is required to monitor the real traffic flowing in the operator's network to investigate
over the fraud activities and revenue generation. Currently Nepal Telecommunications Authority (NTA) lacks
the real time monitoring system to effectively monitor the ILD as well as domestic interconnect traffic of the
operators.

2. Regulatory Concerns on Traffic Measurement and Quality of Services

Telecom fraud measurement encompasses all aspects of detection, measurement and investigation on any
attempt to deliberately abuse services offered via the telecommunication system [4]. Looking into the
regulatory aspects of telecommunication services in Nepal, there are shortfalls within the current mechanism
that prevent regulator from performing its role as the National Telecom Regulator and it is the need of authority
to look at mechanisms and technologies that will equip the regulator to make enhancements towards
performing its obligation as the Telecom Regulatory Authority. Telecom operators of Nepal are losing almost
USD 1.6 million a month of their revenue due to illegal call bypass where thousands of local sim cards were
used in the illegal VoIP termination. Telecom fraud generally loss 3 to 8% revenue of the operators [4].
Similarly the total cost of telephone fraud worldwide has grown by £40 billion [5]. Hence Key areas on which
the regulator has to consider are as follows.
 Mechanisms and tools like telecom traffic measurement that would provide the regulator with insight
into the telecom infrastructure of the country and independently generate the Call Detail Records
(CDRs) and compare them with the operator declared volumes and CDRs. This tool should be capable
of generating invoices for the regulator to collect fees that the operators are obligated to pay towards
international/off net calls.
 Identify technologies to tap into the signaling circuits of the telecom operators (International &
National Interconnects) and extract key signaling related information that will provide the regulator
with data on key QoS parameters and network congestions. Regulator needs to keep in mind that the
technology should be non-intrusive to the operator’s network thus relieving regulator of any risk (loss
of business for the operators).
 Incorporate a framework, methodology and source technology to perform drive tests in densely
populated areas and key locations (such as major tourist attractions) in the country ensuring there is
good network coverage and call quality for the mobile subscribers in the country.
 The authority should look to harmonize the international incoming call rate to the country and fix the
floor price the same for both international call and international transit that all operators need to adhere
to, this will negate the situation of operators undercutting each other and not transiting international
traffic to other operators.
 A key area for the authority to focus alongside will be to contain telecom fraud. Fraud can happen in
many different ways like illegally operated international gateways by non-licensed providers,
terminating traffic through a private network offering cheaper rates to Nepal. Hence the regulator has
to look at a solution that will provide a diverse global scale service to monitor the international calling
rates to Nepal and also detect the fraudulent Gateway Operators and SIMBoxes.
 The usage of illegal/clone/stolen and non-standard handsets has always been a challenge for all
national telecom regulatory authorities. To address this, regulator needs to look at implementing the
NEIR deployed, maintained by the regulator itself rather than transferring the onus of operations to
the operators since for economic reasons it is unlikely that private operators would be motivated to
terminate illegal handsets.
 Telecommunications Traffic Monitoring and Fraud Control System 3

 The authority shall also find a mechanism to interlink all the technical systems to interoperate by
exchanging key information between them that will provide a wider range of input data to the regulator
to look at a situation and possible solutions and causes, sources. For example the NEIR and fraud
control solutions shall be interconnected and interlinked to provide IMEI’s identified to fraud control
solution and consolidate the detection base by comparing the two. Another example would be for the
anti-fraud solution to be interlinked with the traffic measurement solution to detect illegal gateways.
 With the advent of technologies, there have been a shift on how citizens communicate. There is an
increase in VoIP technologies like WhatsApp, Viber, Skype and other services that are used for calls.
This also leaves a gray area for fraudsters to operate gateways on VoIP technologies and other means
to bypass the local networks. Hence the authority shall additionally consider the possibility of
technologies to inspect IPv4/v6 traffic within the country together with the implementation of Telecom
traffic measurement, fraud control & QoS Solution.

3. Requirements on Centralized Monitoring System

The traffic monitoring system shall be the Centralized Monitoring System (CMS) which requires having
the lawful interception at the international gateway. The intercepted records shall be fetched into the central
monitoring system located at the authority’s premise. The analysis shall be focused on the efficient
visualization of different quality parameters as well as deep packet analysis for fraud detection and control.
An Interception Store and Forwarding (ISF) engine either in the hardware form or programmable APIs
pluggable into the operator's gateway shall be required to collect the call records parameters and fetch into the
central server. The detail of the technical system design is proposed on section 4 of this paper. With the existing
available technologies and international best practices, current requirements of regulator shall preferably cover
the following in the centralized monitoring system.
 Traffic Measurement and Analysis
 Fraud Control
 Quality of Service Monitoring
3.1 International Best Practices in Telecom Traffic Monitoring
Department of Telecommunications (DoT) under ministry of communication and information technology
(MoCIT) in collaboration with Ministry of Home Affairs (MHA) of India has been developing and
implementing the centralized monitoring system [6] in the first phase focusing on the interception of voice
communication. Additionally the project shall be extended towards the monitoring of the data traffic generated
by internet and email service providers.
Golden Shield project [7] also known as "Great Firewall of China" is a censorship and surveillance project
operated by ministry of public security of China Government. The system started operating since 2003 analyze
the international traffic and blocks potentially unfavorable data originated from the foreign countries.
SORM (System for Operative Investigative Activities) [8] is a technical operable system lunched by Russia
in 1995 allowing Federation Security Service of the Russian Federation (FSB) to monitor telephone and
internet communications in Russia. The system was upgraded to SORM-2 in 1998 in which the Russian
Internet Service Providers must install a special device on their servers to allow FSB to track all kinds of
transaction including credit card transaction, email and web traffic. Russian Information and Communication
Ministry issue an order towards introduction of new technical system phone, mobile and wireless
communication including radio paging networks. The government introduced SORM-3 by introducing new
requirements for wiretapping basically focusing on support on: i) IPv4 and IPv6 address and packet processing,
ii) IMSI (International Mobile Subscriber Identity) iii) IMEI (International Mobile Station Equipment Identity)
and iv) MAC address of user's equipment.
Titan Traffic Database [9] is a database established by the Swedish National Defense Radio basically stores
the call detail records of telephony and internet traffic of transaction data concerning of international
telecommunications.
 4 5th International Symposium on Advanced and Applied Convergence (Nov. 9-12, 2017)

Interception Modernization Program [10] is an initiative taken by UK government to lawfully intercept and
store communication data in the central database. Similarly Mastering the Internet (MTI) is a mass surveillance
system operated by British Intelligence Agency to perform monitoring of social contents and email messages.
DCSNet [11] is the real time point-and-click surveillance system owned by US Federal Bureau of
Investigation. This system performs instant wiretaps on any telecommunication device located in the United
States. Similarly Financial Crimes Enforcement Network [12] is a network system operated by department of
Treasury that collects and analyzes financial transactions in order to avoid financial crimes.
Looking into the foreign countries scenarios, almost every country has implemented its own proprietary
monitoring system for the lawful interception of international and national traffic to identify different criminal
activities in their country network.
Table 1. Best practices by foreign regulatory agencies
Regulator’s Name Implemented Solution Focusing Features
 A traffic control system
Regulatory Authority
(TCRA), Tanzania

supervision center


Communications

management and

A Quality of Service (QoS) management system

Interconnection

 Fraud detection and fraud trace back systems

Tanzania

 Interconnection traffic billing systems

 Mobile Money Monitoring System to monitor all
mobile transactions in Tanzania
 Central Equipment Identification Registry (CEIR)
and an Automatic Device Detection system (ADD)
Rwanda Utilities


Supervision
Regulatory

A traffic control management system

(RURA),
Rwanda
Agency

RURA

Center

 A Quality of Service (QoS) management system

 Fraud detection and fraud trace back systems
 Interconnection traffic billing systems
supervision Centre
Authority (NCA),
Communications

management and
Interconnection

 A traffic control system

National

Ghana

 A Quality of Service (QoS) management system

 Fraud detection and fraud trace back systems
 Interconnection traffic billing systems
Traffic Monitoring
Telecommunicatio

Authority, Central
African Republic

Center for Fraud

Management &


ns Regulatory

Market surveillance to monitor compliance with the

International

CAR’s regulations on international and national

interconnection rates
 Automated Fraud Detection System (robocalls)
 Detailed fraud, QoS, and traffic Analysis

 Adopting tariff harmonization for termination rate,

(CONATEL)
Telecommun

Interconnecti
National des

Monitoring
Le Conseil

to improve the country telecom trade balance

ications

System


on

Interconnection monitoring system

 Fraud detection
 Quality of Service
 Telecommunications Traffic Monitoring and Fraud Control System 5

4. Framework for Traffic Monitoring and Fraud Control System

The Traffic Measurement System (TMS) shall be a key component and act as a backbone for the whole
solution comprising of all the various components that will leverage the benefit from the TMS and build upon
namely Fraud Control System & Quality of Service Control system. The TMS shall be capable of the following
 Generating Call Detail Records (CDR’s)
 Invoicing the Licensed Operators
 Monitor the Status of Interconnections (International & National)
 Flexible to adapt to different technologies like SS7, SiP, Sigtran, VoIP etc...by the operators
 Capture signaling information and extract call details from the signaling links
 Non-Intrusive
 Provide real time visualization of the operator's traffic exchange status

4.1 Functional Architecture & Requirements on TERAMOCS

Fig. 1 depicts the conceptual framework of the proposed system. The important steps are the development
of protocol independent interface to extract the details form operators network, temporary storage of the
captured data, processing and final recording on the time series database and visualize/report the details using
applications. The solution shall be capable of tapping into the signaling links of the operators both national
and international to extract key information and generate CDRs independently of the operators’ systems. It
should focus not to disrupt the operators’ infrastructure through the implementation of this system and the
technology should provide a non-intrusive way to extract this information for the authority. The proposed
system should be implemented to capture all the information, process it, and store it in a secure manner. This
can be called the CMS (Centralized Monitoring System) or NOC (Network Operation Center) and should be
located at the regulators premises. This facility will host all the key components like Database, Applications
and Web Servers and Business Logic for the functioning of TMS. All the data should be securely stored and a
Disaster Recovery (DR) facility should also contain a copy of the critical data for restoration in the event of
disaster. The CMS and DR should be at two different locations geographically separated within the country.
Equipment should have its own backup to maintain power at least for 8 hours in an event of power failures.
Equipment and Extraction System (pluggable APIs) shall be placed at each operator's site (Data Centers),
where they have international gateways and national interconnect through local switching and tap the signaling
links. There should not be any limitation for the protocols supported; the solution should be able to tap any
infrastructure used by the operators (SS7, Sigtran, H.323, SiP etc.). All the data captured from the links
extracted should be sent to the CMS for processing and storage through secure network in an encrypted
medium. Like shown in Fig. 2, the extracted data by the Extraction Systems should also be stored locally at
the operator site Extraction Systems for a period of 60 days to allow re-transmission to the central site for re-
processing.
 6 5th International Symposium on Advanced and Applied Convergence (Nov. 9-12, 2017)

Fig. 1. Conceptual Framework of TERAMOCS

An independent transmission system should be established with connectivity from the operator locations to
the CMS & DR sites like shown in Fig. 3. It shall have redundancy to maintain business continuity like primary
connectivity through wired and backup through microwave/wired link. The failover should be automatic
should an issue occur with the primary connectivity link, a real time link monitoring system should be available
that would show the utilization and other key information of the specific link for troubleshooting and reporting
the issue to the operators for follow-up and closure. A real time monitoring tool should be available to monitor
the status of the equipment installed at the operator sites and the links tapped to see if there are any issues with
individual links, servers or network components like switches and routers used and provide out of box SLA’s
for all components of the TMS. Equipment at operator’s site shall have its own backup to maintain adequate
power until the operator generators start to provide power. The system shall also be equipped with required
tools to generate invoices in the frequency required by the regulator to invoice the operators their due of fees.
This system should also be equipped to compare the CDRs submitted to the authority by the operators on a
periodic basis and compare them with the CDRs generated by the system to verify and identify any deviations
in the operator’s network or undeclared, missing links by the operators. A trouble ticketing system should exist
to log all incidents such as outages, issues with the system and operator links. The NOC should be manned
with staff 24x7 to monitor the network and act as interface with the operators for technical issues and follow
up. Change management should be incorporated and all changes should go through a change management
system. Both incident and change management should follow Information Technology Infrastructure Library
(ITIL-V3) standard specifications. The system should be able to process and visualize ILD traffic exported in
different standards (vendor neutral) format by the operators itself.
MIS reports should be made available through the system exportable in both Excel & PDF formats where
volume, link utilization kind of data can be generated. The option to derive custom/on demand reports should
also exist. Similarly an overview of the traffic and summary should also be made available by the system.
These summaries should be able to identify the traffic by its source country, destination network. All the
equipment involved in the monitoring environment should be dual stack capable for both IPv4 and IPv6 packet
processing.
 Telecommunications Traffic Monitoring and Fraud Control System 7

Fig. 2. Framework for signal probing and communication with central monitoring system

Fig. 3. Overall functional architecture of TERAMOCS

4.2 Requirements in Fraud Control

The fraud control system should be able to identify illegal network operators in the country; this shall be
achieved by a calling campaign originating from various countries around the world and call simulation using
global network operators. The campaign should be active 24x7 to make sure all time windows are sampled
while the system shall be capable to i) Simulate calls from global locations to Nepal, ii) Generate CDR, iii)
Record called number and received CLI, iv) Identify illegally operated SIMBoxes/Operators. This system
should mainly identify international calls originating with a local CLI and calls that are being presented to the
test system through changed CLI or no CLI at all. These categories of calls are generally suspected to be
fraudulent and could lead to the identification of potential non licensed illegally operated gateways or
SIMBoxes. Such collected data shall be shared with the regulator on a periodic interval basis within the 24
hour window and on a daily/weekly/monthly basis. This system shall also provide a mechanism to gather
information from various sources on the international termination rate for Nepal. The identified fraud numbers
detected shall be shared with the operators for blocking and investigation to localize the fraudsters.
Furthermore there shall be a mechanism to identify the test calls through the campaign in TMS through
 8 5th International Symposium on Advanced and Applied Convergence (Nov. 9-12, 2017)

integration of the two solutions and provide details of the calls which are missing from TMS. This will
additionally provide the regulator with a second level check to see if there are any undeclared or missing links
not reported by the operators or are they any additional gateways operational in Nepal not recorded
independently by the fraud control system. To deal with the special cases of changed CLI and no CLI and
eliminate the possibility of fraud this information should be sent to the operators for investigation on their
network and provide feedback. Secondly the efforts need to be made by the operators to comply with regulatory
guidelines for presenting CLI for all calls in the country and not to change the CLI in some specific cases if
exists. Once the system is operational or soon after regulator is able to provide specific originating countries
where it would like to include as origin countries for the calling campaign. The solution shall be able to
incorporate the same and make changes to adhere to the requirements of regulator, furthermore the calling
campaign should be flexible to target calls based on different routes namely low, mid and high priced doing
this will cover all possible options of fraud detection using the antifraud solution.

Fig. 4. Approach for fraud identification and control

5. Conclusion & Future Works

This research study proposed an approach for the operator’s network traffic monitoring to meet the
requirements of regulator. Traffic monitoring is directly linked with the volume of record analysis to identify
the possible fraud and external threats that shall create within the country territory. Hence, a fraud control
system has also been proposed together with the monitoring. The system proposed is fully scalable and elastic
so as the big data analytics system would be able to handle not only the analysis of ILD volume traffic but also
be able to monitor the local interconnect voice and data traffic of operators within the country to ensure better
Quality of Service. Based on the requirements studied, the complete vendor specific solution shall not be
available in the market for this tailored type software, however it shall be run as a long term project
development by selecting the suitable vendor after evaluating their expression of interests. The vendor having
prior experiences of such kind of project development and implementations/operations shall be suitable for
which an early evaluation of the vendors closing towards the regulatory requirements would be the better path
to ensure the operable system to be developed.
This research and development work shall be continued in phased by developing the system starting from
the ILD traffic monitoring, Local Interconnect traffic monitoring and QoS monitoring of the telecom operators
of Nepal.
 Telecommunications Traffic Monitoring and Fraud Control System 9

Acknowledgement
This research study was carried out on 2016 under the partial support from Nepal Telecommunications
Authority.

References
[1] Nepal Telecommunications Authority (2017), Licensee Lists. http://nta.gov.np
[2] Nepal Telecommunications Authority (2017), MIS Report, Issue 105, Vol 153. Nepal
[3] Nepal Telecommunications Authority (2016), QoS Bylaw. http://nta.gov.np
[4] M.A. Bihina Bella, J.H.P. Eloff, M.S. Olivier, “A fraud management system architecture for next-generation
networks”, Forensic Science International 185 (2009) 51–58, Elsevier
[5] C. Pollard, “Telecom Fraud: The cost of doing nothing just went up”, Computers & Security (2005) 24, 437 – 439,
Elsevier
[6] Addison Litton, “The State of Surveillance in India: The Central Monitoring System’s Chilling Effect on Self-
Expression”, 14 Wash. U. Global Stud. L. Rev. 799 (2015),
http://openscholarship.wustl.edu/law_globalstudies/vol14/iss4/17
[7] The Great Firewall of China, https://cs.stanford.edu/people/eroberts/cs181/projects/2010-
11/FreedomOfInformationChina/the-great-firewall-of-china-background/index.html
[8] Privacy and SORM, http://www.tele2.com/our-responsibility/esg/topics-relevant-matters/social/user-safety/privacy-
and-sorm/
[9] C. Akrivopoulou, N. Garipidis. Digital Democracy and the Impact of Technology on Governance and Poli
tics: New Globalized Practices, IGI Global (2013) USA, ISBN: 978-1-46666-3637-8 (eBook)
[10] Musa Khan Jalalzai, The Crisis of Britain's Surveillance State: Security, Law Enforcement and the Intellig
ence War in Cyberspace, Algora Publishing New York (2014). ISBN: 978-1-62894-078-7 (eBook).
[11] RYAN SINGEL, How the FBI Wiretap Net Operates. Wired Magazine (2007-8-29), Online:
https://www.wired.com/2007/08/wiretap/
[12] FinCEN. https://www.fincen.gov/what-we-do

View publication stats