TSP Lab	Sga-MOSMS_FraudDetector - The MOSMS Fraud Detector	Sga-MOSMS_FraudDetector

The Mobile Originated SMS Fraud Detector module
`("Sga-MOSMS_FraudDetector")`

Features

Connects to Sigtran network over GyX_SCTP.
Filters illegal MO-SMS's coming from foreign countries to the home SMSC.
- Illegal SMS means when an SMS have been posted on behalf of a subscriber who is not in the MSC from which the SMS was posted.
- It is also illegal if some parameters of the SMS can't be interpreted, or the subscriber's residence cannot be located.
- This way the module can filter an illegal SMS when it's GT address is from out network, but originally it have been posted from abroad.
Illegal SMS handling is decided based on the rules set in the program, and based on what is the problem with the SMS.
Various actions can be added to the rules (log, alarm, generate CDR, drop SMS, forward SMS)
Logs queries and responses
Provides simple statistical data and logging on the operation
Creates SNMP traps

Basic operation

Sga-MOSMS_FraudDetector module receives and processes the ForwardSM, Mo-ForwardSM messages. From the ForwardSM, Mo-ForwardSM messages we extract the sender's MSISDN, and with a sendRoutingInfoForSM message to the HLR we can locate its VLR. The process of the ForwardSM, Mo-ForwardSM messages are going according to predefined rules. These rules are based on the ForwardSM, Mo-ForwardSM messages parameters, and the reply to sendRoutingInfoForSM. Data used:

SCCP Calling Party Address
Sender MSISDN
Sender IMSI
Recipient MSISDN
Location according to HLR

Analyzing and filtering on SMS MO side:

If the subscriber is not in that VLR, where the SMS has been submitted, the message should be filtered out.
Alarm message can be generated from the events where automated intervention happened. As intervention we mean that some SMS MO can be blocked.

The SMS-fraud system sorts every message to groups according to predefined rules. If one of the inbound messages cannot be sorted, it is placed to the default group.

The predefined rules for each group:

Rule Number Meaning

#1 SCCP.ClgPA.GT is empty or non-decodable

#2 SCCP.ClgPA ---> HomeNetworkPrefix

#3 SCCP.ClgPA.GT <> SRI4SM(SM-RP-OA/MSISDN).Result.LocationInfo(MSC) and SCCP.ClgPA do not refers to SGSN subsystem

#4 SCCP.ClgPA.GT.Prefix <> SRI4SM(SM-RPOA/ MSISDN).Result.LocationInfo(MSC).Prefix and SCCP.ClgPA do not refers to SGSN subsystem

#5 SRI4SM.Result.Error is among 'ConsideredHLRErrors'

#6 SCCP.ClgPA(SGSN).GT.Prefix == SRI4SM(SM-RPOA/ MSISDN).Result.LocationInfo(MSC).Prefix

#7 SCCP.ClgPA(SGSN).GT.Prefix <> SRI4SM(SM-RPOA/ MSISDN).Result.LocationInfo(MSC).Prefix

#8 SM-RP-OA/MSISDN ---> not HomeNetworkPrefix

#0 (default)

#-1 Non-decodable ForwardSM

#-2 SgaSS7-R4 is not available or HLR answer times out

Rule Number	Meaning
#1	SCCP.ClgPA.GT is empty or non-decodable
#2	SCCP.ClgPA ---> HomeNetworkPrefix
#3	SCCP.ClgPA.GT <> SRI4SM(SM-RP-OA/MSISDN).Result.LocationInfo(MSC) and SCCP.ClgPA do not refers to SGSN subsystem
#4	SCCP.ClgPA.GT.Prefix <> SRI4SM(SM-RPOA/ MSISDN).Result.LocationInfo(MSC).Prefix and SCCP.ClgPA do not refers to SGSN subsystem
#5	SRI4SM.Result.Error is among 'ConsideredHLRErrors'
#6	SCCP.ClgPA(SGSN).GT.Prefix == SRI4SM(SM-RPOA/ MSISDN).Result.LocationInfo(MSC).Prefix
#7	SCCP.ClgPA(SGSN).GT.Prefix <> SRI4SM(SM-RPOA/ MSISDN).Result.LocationInfo(MSC).Prefix
#8	SM-RP-OA/MSISDN ---> not HomeNetworkPrefix
#0	(default)
#-1	Non-decodable ForwardSM
#-2	SgaSS7-R4 is not available or HLR answer times out

The handling of the messages can be changed in the Sga-MOSMS_FraudDetector.ini/[SMS Fraud]/sRuleX section.

Possible commands:

Command Meaning

FwdAll Forward all without modify and log. If the FwdAll event not included, the MSU is dropped.

FwdN = ... Forward maximum N message per period.

LogDSP The message is saved to a daily message file to directory given at .ini file [SMS Fraud]/sSS7FilesPath .

CDR The message is written to CDR to a directory given at ini file [SMS Fraud]/sCDRFilesPath; the CDRs contain timestamp, and the performed Rule.

Trap When the Rule is performed an ERR alarm is generated, which contains the Rule’s name.

Command	Meaning
FwdAll	Forward all without modify and log. If the FwdAll event not included, the MSU is dropped.
FwdN = ...	Forward maximum N message per period.
LogDSP	The message is saved to a daily message file to directory given at .ini file [SMS Fraud]/sSS7FilesPath .
CDR	The message is written to CDR to a directory given at ini file [SMS Fraud]/sCDRFilesPath; the CDRs contain timestamp, and the performed Rule.
Trap	When the Rule is performed an ERR alarm is generated, which contains the Rule’s name.

In the system the following configuration is currently active:

Configuration Name Configuration

sRule1 LogDSP+CDR

sRule2 LogDSP+CDR

sRule3 LogDSP+FwdAll+CDR

sRule4 LogDSP+FwdAll+CDR+Trap

sRule5 LogDSP+FwdAll+CDR

sRule0 FwdAll

sRule-1 LogDSP+FwdAll

sRule-2 LogDSP+FwdAll+CDR

Configuration Name	Configuration
sRule1	LogDSP+CDR
sRule2	LogDSP+CDR
sRule3	LogDSP+FwdAll+CDR
sRule4	LogDSP+FwdAll+CDR+Trap
sRule5	LogDSP+FwdAll+CDR
sRule0	FwdAll
sRule-1	LogDSP+FwdAll
sRule-2	LogDSP+FwdAll+CDR

The module is logging ForwardSM, Mo-ForwardSM messages that have parameters that can't be decoded. If this portion of the message can be isolated, the text of the SMS is overwritten.

User interface

The main menu

Menu	Menuitem	Shortcut(s)	Meaning
[Log]
	Find line containing...	(Ctrl-F)	Search in the log file for the given phrase
	Find next matching line	(F3)	Find nest phrase
	Details		Detail of the log files
[SMS Fraud]
	Reload rules		Reloads ini sections [SMS Fraud]/RuleX and sHLRQueryConsideredErrors
	Reload rule exceptions		Reloads ini section [SMS Fraud: 'Rule #X']/ sException#nn
	Reload operator prefix codes		Reloads operator prefix list
[Options]
	Auto scroll	(Scroll Lock, or )	Allow automatic scrolling of the log screen
	Save settings		Save actual settings into the configuration (INI) file

The bottom status-line

GyX - Connection indicator towards the GyX_SCTP module.
Rx OK/fail, Tx OK/fail - Total of the received, transmitted MSU and the errored transmissions.
HLR Query - Connection to the SgaSS7_R4 module:
- Red - If the connection is broken
- Gray - If the connection to the other server is up and running
tx: Messages sent to the HLR query module:
- OK - Sent successfully
- Fail - Sent faulty
rx: Messages received from the query module:
- OK+ - Answer received and the SRI4SM query was successful.
- OK- - Answer received but the SRI4SM query was not successful.
- Fail - erroneous answer received
T/O: Number of answers not received, plus received after timeout
Rule: Counters to different Rules
Uptime: Time elapsed since module has been started.

Logging

Every module writes a text file as log.
The log file is daily scale.

Logging levels:

Off (0) - Only the warnings, errors are visible (smallest size) - Not recommended
Normal (1) - Details of normal operation are visible - Recommended
Detailed (2) - Every one of the inbound and outbound messages are visible
Debug (3) - The messages are logged hexadecimally to the log file - Not recommended

The different colors of log entries have different meanings:

Code Color Usage

0 Black Compact data record

1 Red Errors

2 Green Open/close output file/stream

3 Blue Open/close input file/stream

4 Yellow Warnings

5 Light Gray Detailed data (debug info)

6 Dark Grey Detailed data (user info)

7 Purple Operator intervention;
Errors with emphasis

Code	Color	Usage
0	Black	Compact data record
1	Red	Errors
2	Green	Open/close output file/stream
3	Blue	Open/close input file/stream
4	Yellow	Warnings
5	Light Gray	Detailed data (debug info)
6	Dark Grey	Detailed data (user info)
7	Purple	Operator intervention; Errors with emphasis

Configuration (Sga-MOSMS_FraudDetector.ini) file settings

Section	Entry	Example	Meaning
[Position]
	iLeft	140	Position of the program module on the display screen
	iTop	72	Position of the program module on the display screen
	iWidth	995	Position of the program module on the display screen
	iHeight	694	Position of the program module on the display screen
[Options]
	bAutoScroll	True	(Refer to the corresponding menu item!)
[SS7 over GyX]
	sRemoteIPAddress	127.0.0.1	IP address of the GyX_SCTP module
	wRemoteTCPPort	9002	Port address of the GyX_SCTP module
	wConnectRetryDelaySec	3	Delay between reconnect attempts (in seconds)
[SMS Fraud]
	sHLRQueryModuleIPAddress	127.0.0.1	IP number of the SgaSS7_R4 module.
	wHLRQueryModuleTCPPort	9068	Port number of the SgaSS7_R4 module.
	wHLRQueryModuleConnectRetryDelaySec	3	Reconnect attempt interval.
	dwHLRQueryTimeoutMS	3000	Timeout for SRI4SM query.
	dwHLRQueryTimeoutCountLimit	9	Maximum number of HLR queries at the same time.
	sHomeNetworkPrefix	3670	Prefix of the Home Network.
	sSS7FilesPath	c:\Ss7Files	Path for message files (*.dsp).
	sCDRFilesPath	c:\CdrFiles	Path for CDR files.
	sHLRQueryConsideredErrors	-1, 5, 56, 1000 , 62 -20 -9999	This list of errors are taken into account at Rule #5
	sRule1	LogDSP + CDR	Events to perform in case of Rule #1
	sRule2	LogDSP + CDR	Events to perform in case of Rule #2
	sRule3	LogDSP + FwdAll + CDR	Events to perform in case of Rule #3
	sRule4	LogDSP + FwdAll + CDR + Trap	Events to perform in case of Rule #4
	sRule5	FwdN=100 + LogDSP + CDR	Events to perform in case of Rule #5
	sRule6	LogDSP + FwdN=3 + CDR	Events to perform in case of Rule #6
	sRule7	LogDSP + FwdN=102 + CDR	Events to perform in case of Rule #7
	sRule8	LogDSP + CDR + FwdN=103	Events to perform in case of Rule #8
	sRule0	FwdAll	Events to perform in case of Rule #0
	sRule-1	LogDSP+FwdAll	Events to perform in case of Rule #-1
	sRule-2	LogDSP+FwdAll+CDR	Events to perform in case of Rule #-2
	sOpPrefFile	SgaRS_Serv_OpPref.lst	Prefix list of the operators prefix
[SMS Fraud: "Rule #3" Exceptions]
	sException#nn	nn=00,01,...,99)	LocationInfo.Prefix exceptions for Rule 3.
[SMS Fraud: "Rule #4" Exceptions]
	sException#nn	nn=00,01,...,99)	LocationInfo.Prefix exceptions for Rule 4.
[SMS Fraud: "Rule #5" Exceptions]
	sException#nn	nn=00,01,...,99)	CalgPA.Prefix exceptions for Rule 5.
[SMS Fraud: "Rule #6" Exceptions]
	sException#nn	nn=00,01,...,99)	CalgPA.Prefix exceptions for Rule 6.
[SMS Fraud: "Rule #7" Exceptions]
	sException#nn	nn=00,01,...,99)	CalgPA.Prefix exceptions for Rule 7.
[Advanced]
	wLogDetailLevel	3	Log file detail level
	dwMaxLinesInLogWindow	1000	Maximum lines visible in the main window
	bAlternateTrapUID	True	Trap-identifiers managing, should it generate new identifier each time or not
	sLogFilesPath	c:\LogFiles	Path for log files
	sTrapFilesPath	c:\TrapFiles	Path for trap files
	wThreadPeriod		Time period, when idle threads are given CPU time slice (millisecond)

Alarms (Traps)

UID	Type	Text	Remarks	To Do
0	INF	`'$MainCaption$' module is started.`
0	WAR	`'$MainCaption$' module has been shut down by operator.`
0	INF	`GyX: Connection to remote module established.`	Connection established to the GyX_SCTP module after starting the module
94	WAR	`Received an unexpected MSU, or its format is unknown.`
96	CRI	`Could not create new CDR file, immediate intervention required!`		Check if output directory is set properly
99	CRI	`GyX: Connection to remote module is lost.`	Connection lost to the GyX_SCTP module	Check if GyX_SCTP module is running in one copy, and can accept connections
99	CEA	`GyX: Connection to remote module established.`	Connection established to the GyX_SCTP module after a connection error
191	ERR	`GyX: Received a bad MagicCode. (...)`
192	ERR	`GyX: Received and calculated CRC do not match. (...<>...)`
193	ERR	`GyX: Received MSU too short. (...)`
++N	CRI	`SMS fraud detection: Connection to the HLR-Query is not defined.`
++N	CRI	`SMS fraud detection: Connection to the HLR-Query module is lost.`
N	CEA	`SMS fraud detection: Connected to the HLR-Query module.`
++N	ERR	`SMS fraud detection: Rule #$RULEID$ fired.`
++N	ERR	`SMS fraud detection: Rule #$RULEID$ fired./[+FwdN]`
N	CEA	`SMS fraud detection: Rule #$RULEID$ fired./[+FwdN]`
++N	ERR	`SMS fraud detection: Too many HLR-Query time-outs.`
N	CEA	`SMS fraud detection: Too many HLR-Query time-outs.`

Version history

v0.92

Initial release

The Mobile Originated SMS Fraud Detector module("Sga-MOSMS_FraudDetector")