
January 2014

Why Deep Packet Inspection Analysis is Essential for Detecting IP Fraud


As telcos transition to more IP services, the shift is revolutionizing the fraud management practice.

Look at it from the criminal’s point of view.  Up to now, fraudsters have been making money on relatively traditional and expensive services like international or long distance voice calls.  Yet today, voice calls are super cheap, so how are they going to make money?

The fraudster’s strategy is to switch horses: they are now highly focused on fraud opportunities around Data and IP services.  The trouble is that these areas have traditionally been a relative blind spot for fraud managers.

Sure, fraud departments have always monitored Data transactions and traffic, but the analysis point was traffic volume — who’s using lots of data or uploading information more often.  Now while volumetric data is important, it’s just not enough in today’s world.

So what can fraud managers do?  Well, first and foremost, I think fraud managers need to rethink their existing controls, map and reassess the “new environment” and where the exposure areas are.  This will probably require updating internal policies and procedures, training staff, and creating new and efficient controls on top of the traditional ones.

Deep Packet Inspection meets the IP Fraud Threat

At cVidya, we feel the best way to handle the growing Data fraud threat is to vastly increase the number and variety of data sources you can analyze.  That’s why we’re putting a big emphasis now on data sources that weren’t available in the past — unconventional data sources such as social media and DPI (deep packet inspection).

DPI is a fancy word, but it simply means looking at the content of Data traffic, not just the headers or the volume.  We’re now busy integrating DPI into our intelligent detection engines that analyze the data.

The idea is to leverage the same DPI data that operators collect for service assurance, engineering, and network planning.  We take that data and, using our sophisticated fraud detection engines, which take in any data source, find the suspicious or abnormal things and build alerts and cases around them.

Market Changes Drive Fraud Management Practices

You don’t need to look far to notice how mobile broadband is changing things massively.  Go to the website of any mobile operator in the world: five years ago you would see ads promoting low cost international calls.  But today you see ads touting things like “unlimited data plan” and “speak as long as you like”, and “get 5 Gigabytes” for a fixed price.

It’s pretty clear that mobile operators are aggressively pushing customers to consume more data through attractive data plans and on-demand offers, even selling connected tablets with a SIM card inside to encourage mobile data consumption and reduce the use of WiFi as much as possible.

To understand the impact of these trends, you need to look at the business itself and understand where you are exposed.

Monitoring the Practice of Tethering

One particularly interesting case here is “tethering”: basically connecting multiple devices to the web through one internet access point.  Now in many shared plans, tethering is acceptable because you are connecting through someone in your family, for instance.  The issue mobile operators face is when users tether for commercial purposes (trying to make money out of it) and actually reduce the potential revenues of the operator.

Now in most corners of the world, monitoring for tethering is not that important so far.  But I can tell you that operators in the States like Verizon and AT&T have launched dedicated packages for tethering that are much more expensive than normal packages, so it’s likely to become a worldwide trend.

People are not quite sure how to classify tethering.  It’s not a classic fraud case like IPRS.  But it’s certainly an abuse of the wireless contract that could prove very costly for an operator.  Most fraud management systems out there don’t track tethering abuse: either they can’t get at the DPI data to find it or the fraud team is not fully aware of the issue.

Illegal Mobile Access

Another emerging area of risk is illegal mobile access.  In certain markets of Latin America and Europe, operators have created bundled data plans that offer premium access to certain websites.  For example, one bundle might provide high quality, unlimited Facebook access for $10 a month.  Or for $15, you get access to Twitter, Facebook, and email.

OK now, suppose the operator wants to charge a premium fee for YouTube access.  Well, right there is an attractive incentive for abusers to bypass the restrictions and gain access to YouTube via proxy servers that hide the user’s IP address.

Fortunately though, with DPI we can manage this abuse: even though the user’s identity is masked at the originating point, you can spot any and all web traffic that gets to YouTube via a proxy server.
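As an added illustration (not from the original article and not cVidya's code), the sketch below shows how a fraud engine could turn DPI records into bundle-bypass alerts by comparing the application the DPI probe identified in the content against the subscriber's bundle and against the destination the flow was sent to. The record layout, host names, subscriber IDs and the byte threshold are all constructed assumptions.

```python
from collections import defaultdict

# Constructed sample data: every name and value here is an illustrative assumption.
PREMIUM_APPS = {"youtube"}
BUNDLES = {  # subscriber -> applications covered by the purchased bundle
    "sub-1001": {"facebook"},
    "sub-1002": {"facebook", "twitter", "email", "youtube"},
    "sub-1003": {"facebook", "twitter", "email"},
}
# Destinations the operator associates with each application (placeholder hosts).
APP_HOSTS = {"youtube": {"video.premium.example"}, "facebook": {"social.example"}}

FLOWS = [  # (subscriber, destination host, application label from DPI, bytes)
    ("sub-1001", "social.example", "facebook", 4_000_000),
    ("sub-1001", "proxy.relay.example", "youtube", 220_000_000),
    ("sub-1001", "proxy.relay.example", "youtube", 180_000_000),
    ("sub-1002", "video.premium.example", "youtube", 900_000_000),
    ("sub-1003", "video.premium.example", "youtube", 1_500_000),
]

def find_bundle_bypass(flows, bundles, min_bytes=50_000_000):
    """Alert on premium-app traffic that the subscriber's bundle does not cover."""
    totals = defaultdict(lambda: {"bytes": 0, "relays": set()})
    for sub, dst, app, nbytes in flows:
        if app not in PREMIUM_APPS or app in bundles.get(sub, set()):
            continue  # not a premium application, or the subscriber is entitled
        entry = totals[(sub, app)]
        entry["bytes"] += nbytes
        if dst not in APP_HOSTS.get(app, set()):
            # Content says "premium app" but the destination is a third party:
            # the header-only view would have missed this flow.
            entry["relays"].add(dst)
    alerts = []
    for (sub, app), entry in sorted(totals.items()):
        if entry["bytes"] >= min_bytes:  # ignore incidental traffic
            alerts.append({"subscriber": sub, "app": app,
                           "bytes": entry["bytes"],
                           "via": sorted(entry["relays"])})
    return alerts

if __name__ == "__main__":
    for alert in find_bundle_bypass(FLOWS, BUNDLES):
        print(alert)
```

A header-only or purely volumetric view would attribute the flagged traffic to the relay host; the alert exists only because the DPI label and the entitlement data are joined.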

So I think you can see where things are headed.  More and more, operators will make deals with OTT (Over the Top) application providers to offer premium services.  Soon it will become essential to monitor and enforce these premium access policies.


Bottom line, the dramatic expansion of Data services brings a totally new ball game.  Looking through the fraud management binoculars, we need new methods of fraud detection.  And operators who don’t move toward DPI data analysis will be more and more at risk as the consumption of Data services keeps on growing exponentially.

Copyright 2014 Black Swan Telecom Journal

Dror Eshet


Mr.  Dror Eshet is a leading expert in telecom fraud with more than 15 years of experience in fraud detection and prevention at various large enterprises.

Mr.  Eshet joined cVidya in 2008 as its global fraud prevention consultant.  In 2012, he was promoted and became the company’s FraudView product manager.  In this capacity, he was responsible for the company’s flagship FraudView product suite.

In January 2016, cVidya was acquired by Amdocs, a leading provider of customer experience, OSS/BSS solutions for telecom, and since then Mr. Eshet has served as the fraud solutions product manager in Amdocs’s Revenue Guard practice.

During 2007 and 2008, Mr. Eshet took on the role of fraud prevention manager at MIRS Communications Ltd., a provider of cellular communication services (currently part of HOT Telecommunication Systems Ltd. (TASE:HOT), a leading provider of cable television, Internet, broadband and telecom services in Israel).

Before joining MIRS, Mr. Eshet served nine years as a fraud prevention manager at Bezeq International, a part of Bezeq (TASE: BEZQ), Israel’s largest and leading telecom group, offering a full range of telecom services.

Mr. Eshet holds a BA in Business Administration.
