TW202348002A - Method and system for preventing Internet fraud capable of predicting user information of a fraudster from a large amount of communication data when a fraud has not occurred, or identifying user information of the fraudster from digital traces - Google Patents
- Publication number
- TW202348002A (TW111119420A)
- Authority
- TW
- Taiwan
Abstract
Description
The present invention relates to a method and system for preventing Internet fraud, and in particular to training an artificial intelligence algorithm on the habits of known fraud methods so that, from a large amount of communication data, it can (1) predict the user information of a fraudster before a fraud has occurred, or (2) identify the user information of a fraudster from digital traces, in order to effectively prevent fraud or sanction the fraudster.
With advances in computer network technology, people can easily obtain all kinds of information through online services. Although this technology gives people fast and convenient services, it also gives criminals convenient tools for financial fraud. Refer to Figure 1 for a schematic diagram of the fraud methods 100 that are common today. To obtain the private information of a victim 130, such as accounts, passwords and one-time passwords (OTP), a fraud group 110 steals other people's social accounts or creates new ones and uses them to build a relationship with the victim, for example by posing as the victim's friend, chatting with the victim and asking to borrow money. Alternatively, the group forges link URLs or imitation web pages and sends them at random to victims 130 through social or dating platforms (e.g. Facebook/Meta, Twitter, Instagram), messaging software (e.g. Line, WeChat) or phishing websites (e.g. fake prize-winning advertisement URLs that pop up on their own, pornographic websites). When the victim 130 clicks the fake URL or page and enters personal data, the fraud group 110 learns the private data of the victim 130 and can use it to transfer the victim's assets out of a financial institution 120.
For these methods, the fraud group 110 no longer connects through fixed IP addresses and instead makes heavy use of Internet-capable phone numbers with dynamic IP addresses that cannot be traced. In some countries, telecom services require identity verification to obtain a domestic phone number, so that one domestic phone number corresponds to one set of identity information. To avoid being traced by the police, the fraud group 110 mostly goes online from user devices (e.g. mobile phones, tablets) that use foreign phone numbers requiring no identity verification (BlackBerry cards, prepaid cards). In more detail, refer to the schematic diagram of the foreign-number network connection mechanism 200 shown in Figure 2. In the network connection mechanism 200, the user device 210 using a foreign phone number relies on the roaming mechanism to maintain data transmission with the domestic telecom operator 220, and the transmitted data packets go directly back to the foreign telecom operator 230 to be forwarded to the Internet 240. In other words, once the fraud group 110 uses a user device 210 with a foreign phone number to roam onto the Internet, the phone number it uses is difficult to trace, and the fraud group 110 can continue to commit fraud.
In summary, technology-assisted law enforcement currently needs a new means of tracing the phone numbers and locations of fraud groups operating domestically, in order to combat their financial fraud.
To overcome the above shortcomings, one concept of the present invention is to train an artificial intelligence algorithm on information corresponding to known fraud methods to generate a prediction model, and to compare a large amount of communication data against it to predict the phone numbers that match the fraud patterns; or to input the residual digital trace provided by a defrauded victim into the prediction model to find the phone numbers that match that digital trace.
Based on the foregoing concept, the present invention provides a method for preventing Internet fraud, comprising: collecting first communication data from a plurality of user devices; parsing first information out of the first communication data, the first information being associated with the subscriber information of the user devices; parsing second information out of the first communication data, the second information being associated with the network information used by the user devices; and determining, based on the first information and the second information, the third communication data used by a fraud method.
Based on the foregoing concept, the present invention further provides a method for preventing Internet fraud, comprising: collecting first communication data from a plurality of user devices; parsing, by a first algorithm, a plurality of first information out of the first communication data, the first information being associated with the subscriber information of the user devices; parsing, by a second algorithm, a plurality of second information out of the first communication data, the second information being associated with the network information used by the user devices; providing a third algorithm, the third algorithm being generated by an artificial intelligence algorithm based on second communication data corresponding to known fraud methods; and inputting a digital trace corresponding to a fraud that has been committed, the first information and the second information into the third algorithm, so as to identify, from the first information and the second information, the third communication data corresponding to the digital trace.
In a preferred embodiment of the present invention, the first communication data include signaling (GTP-C) and traffic (GTP-U).
In a preferred embodiment of the present invention, the first information includes at least one of: phone number, integrated circuit card number, mobile phone serial number, base station location, country, and roaming telecom operator. The second information includes at least one of: destination URL, Internet Protocol address, network traffic, communication protocol, and application service. The third communication data include at least one of: phone number, integrated circuit card number, mobile phone serial number, base station location, country, roaming telecom operator, destination URL, Internet Protocol address, network traffic, communication protocol, and application service.
Based on the foregoing concept, the present invention provides a system for preventing Internet fraud, comprising: a first server installed at a telecom operator, used to collect and parse first communication data from a plurality of user devices, wherein the first server has a neural network unit generated by an artificial intelligence algorithm based on second communication data corresponding to known fraud methods; and a second server installed at a law-enforcement unit and communicatively connected to the first server to provide a digital trace to the first server; wherein the neural network unit, based on the digital trace, identifies from the parsed first communication data the third communication data corresponding to the digital trace, and the first server provides the third communication data to the second server.
In a preferred embodiment of the present invention, the first communication data include signaling (GTP-C) and traffic (GTP-U).
In a preferred embodiment of the present invention, the system further includes a storage unit for storing the parsed first communication data, and the neural network unit retrieves the parsed first communication data from the storage unit.
In a preferred embodiment of the present invention, the parsed first communication data include: a plurality of first information parsed out by a first computing unit, the first information including at least one of phone number, integrated circuit card number, mobile phone serial number, base station location, country, and roaming telecom operator; and a plurality of second information parsed out by a second computing unit, the second information including at least one of destination URL, Internet Protocol address, network traffic, communication protocol, and application service.
In a preferred embodiment of the present invention, the third communication data include at least one of: phone number, integrated circuit card number, mobile phone serial number, base station location, country, roaming telecom operator, destination URL, Internet Protocol address, network traffic, communication protocol, and application service.
Refer to Figure 3, which illustrates the architecture of the Internet fraud prevention system 1000 of the present invention. The system 1000 is applied at a local telecom operator and a local law-enforcement unit, and the transmission relationship with foreign telecom operators is omitted. Only the function of each component and the connections between components are described briefly here; the details follow later. As shown in the figure, the system 1000 includes a first server 1100 installed at the local (or domestic) telecom operator and a second server 2000 installed at a law-enforcement unit (for example the local police, or more specifically the technology crime prevention center responsible for investigating computer and network crime). The first server 1100 and the second server 2000 are communicatively connected so that they can transmit specific data to each other in real time (such as the digital trace or the prediction result described later). The first server 1100 has a first computing unit 1110, a second computing unit 1120 and a neural network unit 1130. The first computing unit 1110 and the second computing unit 1120 are used to interpret or analyze the first communication data S1 from a plurality of user devices. The first communication data S1 are a GTP stream (GTP FLOW): different local base stations receive the GTP (GPRS Tunneling Protocol) data sent uplink by a plurality of user devices fitted with a phone number card (the type of card is not limited here), where one phone number corresponds to one set of GTP data, and the base stations aggregate the multiple sets of GTP data into the stream. The base stations then transmit the first communication data S1 (the GTP FLOW in Figure 3) to the first server 1100; equivalently, the first server 1100 obtains the first communication data S1 from the base stations.
The first server 1100 interprets the GTP-C in the GTP FLOW in the first computing unit 1110 (the first layer in Figure 3), interprets the GTP-U in the GTP FLOW in the second computing unit 1120 (the second layer in Figure 3), and makes predictions from the interpreted data with an artificial intelligence algorithm (the third layer in Figure 3). The details of how the first server 1100 interprets the GTP FLOW and makes the subsequent predictions are described in the following paragraphs.
The neural network unit 1130 predicts or identifies the phone numbers used by a fraud group based on the interpreted data (first information D1, second information D2). The neural network unit 1130 is a prediction model produced by training an artificial intelligence algorithm on communication data corresponding to known fraud methods.
The system 1000 further includes a first storage unit 1210 and a second storage unit 1220, which store the data interpreted by the first computing unit 1110 and the second computing unit 1120 respectively (first information D1, second information D2). The neural network unit 1130 retrieves the interpreted data (first information D1, second information D2) from the first storage unit 1210 and the second storage unit 1220 to compute and predict. The first computing unit 1110, the second computing unit 1120 and the neural network unit 1130 are executed by a central processing unit (CPU). The first storage unit 1210 and the second storage unit 1220 are hard disk drives (HDD) or solid-state drives (SSD), each located at the same or different network locations or servers. In other embodiments of the present invention, the first storage unit 1210 and the second storage unit 1220 may be placed in the same server, or even in the first server 1100.
The following describes how the first server 1100 interprets the first communication data S1. Refer to Figure 3 together with steps S110 to S130 in Figure 5, the step diagram of the telecom operator server of the present invention processing communication data. The embodiments of the present invention use General Packet Radio Service (GPRS) as the example.
In step S110, the first server 1100 collects, from different local base stations, the first communication data S1 from a plurality of user devices. The first communication data S1 are a GPRS Tunneling Protocol (GTP) stream.
In step S120, the first computing unit 1110 of the first server 1100 uses a first algorithm to interpret a plurality of first information D1 from the first communication data S1; the first information D1 is associated with the subscriber information of the user devices. In a preferred embodiment of the present invention, the first computing unit 1110 uses Deep Packet Inspection (DPI) technology with a protocol recognition algorithm to interpret the signaling in the first communication data S1, that is, the GTP control plane (GTP-control, GTP-C), and obtain the first information D1. The first information D1 includes the user's phone number, integrated circuit card number (Integrate Circuit Card Identity, ICCID), mobile phone serial number (International Mobile Equipment Identity, IMEI), base station location, country, and roaming telecom operator. When interpretation is complete, the first computing unit 1110 stores the first information D1 in the first storage unit 1210 and at the same time sends the traffic in the first communication data S1, that is, the GTP user data tunnel (GTP-User Data Tunneling, GTP-U), together with a notification to the second computing unit 1120 for further interpretation.
Next, in step S130, after receiving the notification and the GTP-U, the second computing unit 1120 uses a second algorithm to interpret second information D2 from the GTP-U of the first communication data S1; the second information D2 is associated with the network information used by the user devices. In a preferred embodiment of the present invention, the second computing unit 1120 uses information extraction technology with a pattern recognition algorithm to parse the GTP-U and obtain the second information D2, which includes: destination URL, Internet Protocol address, network traffic, communication protocol, and application service (for example the application the user is currently using). When interpretation is complete, the second computing unit 1120 stores the second information D2 in the second storage unit 1220 and sends an execution notification telling the neural network unit 1130 to carry out the prediction. The execution notification is an execution instruction, and the neural network unit 1130 carries out the prediction according to it. In other embodiments of the present invention, the interpretation order of the first computing unit 1110 and the second computing unit 1120 can be swapped, that is, steps S120 and S130 can be swapped so that GTP-U is interpreted first and GTP-C second; in that order, the execution notification is sent from the first computing unit 1110 to the neural network unit 1130.
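To make step S120 concrete, the following added example (not code from the patent) extracts subscriber fields from one GTP-C message. The patent does not say which GTP version or message is parsed; the example assumes a GTPv2-C Create Session Request as laid out in 3GPP TS 29.274, and every sample value is constructed.

```python
import struct

# Added illustration, not from the patent. IE type codes per 3GPP TS 29.274.
IE_IMSI, IE_MEI, IE_MSISDN, IE_RAT_TYPE, IE_SERVING_NETWORK = 1, 75, 76, 82, 83
CREATE_SESSION_REQUEST = 32


def tbcd_encode(digits: str) -> bytes:
    """Pack decimal digits two per octet, low nibble first, 0xF as filler."""
    if len(digits) % 2:
        digits += "f"
    return bytes(int(b, 16) << 4 | int(a, 16)
                 for a, b in zip(digits[::2], digits[1::2]))


def tbcd_decode(data: bytes) -> str:
    out = []
    for byte in data:
        for nibble in (byte & 0x0F, byte >> 4):
            if nibble == 0x0F:          # filler nibble
                continue
            if nibble > 9:
                raise ValueError("non-decimal TBCD nibble")
            out.append(str(nibble))
    return "".join(out)


def decode_plmn(value: bytes) -> str:
    """Serving Network IE: MCC/MNC in three octets, returned as 'MCC-MNC'."""
    b0, b1, b2 = value[0], value[1], value[2]
    mcc = f"{b0 & 0x0F}{b0 >> 4}{b1 & 0x0F}"
    mnc = f"{b2 & 0x0F}{b2 >> 4}"
    if b1 >> 4 != 0x0F:                 # third MNC digit present
        mnc += str(b1 >> 4)
    return f"{mcc}-{mnc}"


def parse_gtpv2c(packet: bytes) -> dict:
    """Return the subscriber fields (part of the patent's D1) of one message."""
    if len(packet) < 8:
        raise ValueError("truncated GTPv2-C header")
    flags, msg_type, length = struct.unpack_from("!BBH", packet, 0)
    if flags >> 5 != 2:
        raise ValueError("not GTP version 2")
    end = 4 + length                    # length counts octets after the first 4
    if end > len(packet):
        raise ValueError("length field exceeds captured bytes")
    offset = 12 if flags & 0x08 else 8  # T flag set: 4-octet TEID is present
    record = {"msg_type": msg_type}
    while offset + 4 <= end:
        ie_type, ie_len, _instance = struct.unpack_from("!BHB", packet, offset)
        offset += 4
        if offset + ie_len > end:
            raise ValueError("IE overruns message")
        value = packet[offset:offset + ie_len]
        offset += ie_len
        if ie_type == IE_IMSI:
            record["imsi"] = tbcd_decode(value)
        elif ie_type == IE_MSISDN:
            record["msisdn"] = tbcd_decode(value)
        elif ie_type == IE_MEI:
            record["imei"] = tbcd_decode(value)
        elif ie_type == IE_SERVING_NETWORK and ie_len >= 3:
            record["serving_plmn"] = decode_plmn(value)
        # every other IE (for example RAT Type) is skipped
    return record


def make_ie(ie_type: int, value: bytes) -> bytes:
    return struct.pack("!BHB", ie_type, len(value), 0) + value


def build_sample() -> bytes:
    """Constructed Create Session Request; all identifiers are made up."""
    body = (make_ie(IE_IMSI, tbcd_encode("001010123456789"))
            + make_ie(IE_MSISDN, tbcd_encode("99912345678"))
            + make_ie(IE_MEI, tbcd_encode("001234567890123"))
            + make_ie(IE_RAT_TYPE, b"\x06")
            + make_ie(IE_SERVING_NETWORK, b"\x00\xf1\x10"))
    rest = struct.pack("!I", 0) + (1).to_bytes(3, "big") + b"\x00"
    header = struct.pack("!BBH", 0x48, CREATE_SESSION_REQUEST,
                         len(rest) + len(body))
    return header + rest + body


if __name__ == "__main__":
    print(parse_gtpv2c(build_sample()))
```

The ICCID and base station location that the patent also lists under the first information D1 are not extracted here.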
The following describes the details of the neural network unit 1130. Refer to the architecture diagram of the neural network unit and the law-enforcement unit shown in Figure 3, and to Figure 5. In step S140, the neural network unit 1130 provides a third algorithm, which is generated by an artificial intelligence algorithm based on second communication data corresponding to known fraud methods. In detail, in a preferred embodiment of the present invention, the neural network unit 1130 uses Computational Thinking technology with a Decision Tree algorithm, trained on the second communication data corresponding to known fraud methods (or behaviors), to generate a prediction model. The second communication data are the transmission data corresponding to the following preset patterns. Preset pattern (1): a mobile phone used by a fraud group is matched with a large number of phone numbers at the same time, that is, in the transmission data one mobile phone serial number corresponds to a large number of phone numbers. Preset pattern (2): a mobile phone used by a fraud group usually stays in one place and does not move, that is, in the transmission data one mobile phone serial number or one phone number always stays at the same address or stays connected to the same base station. Preset pattern (3): ordinary users do not use only social networking sites but browse many different web pages, whereas a fraud group uses only specific social platforms or messaging software on the phone, that is, in the transmission data one mobile phone serial number or phone number corresponds only to specific application services (social applications or messaging applications).
Refer to Figure 4 and Figure 5 together. In step S150, when no fraud has yet occurred, the present invention defaults to a leading indicator mode. In this mode, the second communication data of the preset fraud patterns above are input to the neural network unit 1130 to generate the corresponding prediction model, and as soon as the prediction model predicts behavior that matches a preset pattern, the law-enforcement unit can be notified immediately to prevent the fraud. In detail, in leading indicator mode, the neural network unit 1130, holding the prediction model generated from the second communication data of the preset patterns, receives the notification from the second computing unit 1120, retrieves the first information D1 from the first storage unit 1210 and the second information D2 from the second storage unit 1220, compares them, and generates a prediction result. The prediction result is third communication data S3 that match the fraud method (the preset patterns above); this is the leading indicator output in Figure 4. The third communication data S3 may contain data from the first information D1 and the second information D2, such as the phone number, integrated circuit card number, mobile phone serial number, base station location, country, roaming telecom operator, destination URL, Internet Protocol address, network traffic, communication protocol and application service mentioned above.
In step S160, if a fraud has occurred, the present invention switches to a lagging indicator mode. In this mode, once a fraud event has occurred, the law-enforcement unit can use the residual digital trace to find the corresponding phone number among the first information D1 and second information D2 that have already been analyzed. In detail, in lagging indicator mode, the law-enforcement unit obtains the digital trace D3 left by the fraud group when the victim reports the crime. The digital trace D3 can be input conditions such as the point in time at which the fraud group provided the fake website or URL, or the base station it was connected to, and it is provided by the law-enforcement unit's second server 2000 to the neural network unit 1130 in the first server 1100. With the first information D1, the second information D2 and the input conditions of the digital trace D3 (the input conditions in Figure 4) as input, the neural network unit 1130 identifies the third communication data S3 corresponding to the digital trace D3 (the lagging indicator output in Figure 4). The third communication data S3 may contain data from the first information D1 and the second information D2, such as the phone number, integrated circuit card number, mobile phone serial number, base station location, country, roaming telecom operator, destination URL, Internet Protocol address, network traffic, communication protocol and application service mentioned above. More specifically, for the neural network unit 1130 the conditions of the digital trace D3 are used to narrow the search range, and within that range the information matching the fraud method or fraud pattern is found among the first information D1 and second information D2. For example, the law-enforcement unit can input as a condition (the input conditions in Figure 4) the period within plus or minus five minutes of the time the fraud occurred (because delay or time differences make the time inexact), and then, within that ten-minute range, identify the phone number that matches the fraud method or fraud pattern, or the base station the fraud method connected to. The phone number or location of the fraud group can therefore be found quickly and accurately.
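The two modes of steps S150 and S160 can be followed in the added example below, which is not code from the patent: hand-written rules for preset patterns (1) to (3) stand in for the trained decision tree. The thresholds, field names and sample records are assumptions constructed for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Added illustration, not from the patent. The page gives no numeric values,
# so these thresholds and application labels are assumptions.
MIN_NUMBERS_PER_IMEI = 3      # pattern (1): one IMEI, many phone numbers
MIN_OBSERVATIONS = 3          # records needed before (2) and (3) are judged
SOCIAL_APPS = {"line", "wechat", "facebook"}


def rec(ts, msisdn, imei, cell, app):
    """One joined row of first information D1 and second information D2."""
    return {"ts": datetime.fromisoformat(ts), "msisdn": msisdn,
            "imei": imei, "cell": cell, "app": app}


# Constructed sample: IMEI-A behaves like the preset patterns, IMEI-B is a
# mobile ordinary user, IMEI-C is an ordinary user who stays at home.
RECORDS = [
    rec("2024-01-01T10:00:00", "N-001", "IMEI-A", "cell-17", "line"),
    rec("2024-01-01T10:20:00", "N-002", "IMEI-A", "cell-17", "line"),
    rec("2024-01-01T10:31:00", "N-003", "IMEI-A", "cell-17", "wechat"),
    rec("2024-01-01T11:00:00", "N-001", "IMEI-A", "cell-17", "line"),
    rec("2024-01-01T10:05:00", "N-010", "IMEI-B", "cell-03", "web"),
    rec("2024-01-01T10:30:00", "N-010", "IMEI-B", "cell-04", "video"),
    rec("2024-01-01T10:58:00", "N-010", "IMEI-B", "cell-09", "line"),
    rec("2024-01-01T10:10:00", "N-020", "IMEI-C", "cell-17", "web"),
    rec("2024-01-01T10:33:00", "N-020", "IMEI-C", "cell-17", "line"),
    rec("2024-01-01T10:50:00", "N-020", "IMEI-C", "cell-17", "web"),
]


def match_patterns(records):
    """Map each IMEI to the preset patterns its records match."""
    by_imei = defaultdict(list)
    for r in records:
        by_imei[r["imei"]].append(r)
    hits = {}
    for imei, rows in by_imei.items():
        matched = []
        if len({r["msisdn"] for r in rows}) >= MIN_NUMBERS_PER_IMEI:
            matched.append("many_numbers")            # preset pattern (1)
        enough = len(rows) >= MIN_OBSERVATIONS
        if enough and len({r["cell"] for r in rows}) == 1:
            matched.append("stationary")              # preset pattern (2)
        if enough and all(r["app"] in SOCIAL_APPS for r in rows):
            matched.append("social_only")             # preset pattern (3)
        hits[imei] = matched
    return hits


def leading_indicator(records, min_hits=3):
    """S150: no report yet, flag devices whose traffic matches the patterns."""
    hits = match_patterns(records)
    return sorted(i for i, m in hits.items() if len(m) >= min_hits)


def lagging_indicator(records, reported_at, cell=None, slack_minutes=5,
                      min_hits=2):
    """S160: narrow by the digital trace D3 (time, optional base station),
    then keep the in-window devices that also match the patterns."""
    when = datetime.fromisoformat(reported_at)
    slack = timedelta(minutes=slack_minutes)
    hits = match_patterns(records)
    found = {(r["msisdn"], r["imei"], r["cell"]) for r in records
             if abs(r["ts"] - when) <= slack
             and (cell is None or r["cell"] == cell)
             and len(hits[r["imei"]]) >= min_hits}
    return sorted(found)


if __name__ == "__main__":
    print(leading_indicator(RECORDS))
    print(lagging_indicator(RECORDS, "2024-01-01T10:30:00"))
```

IMEI-C shows why a single pattern is weak evidence: an ordinary subscriber at home matches pattern (2) alone, so the example requires several patterns to agree before a device is reported.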
Refer to Figure 4. Finally, the third communication data S3 predicted by the neural network unit 1130 in step S150 for leading indicator mode (the leading indicator output in Figure 4), or the third communication data S3 identified by the neural network unit 1130 in step S160 for lagging indicator mode (the lagging indicator output in Figure 4), are transmitted from the first server 1100 shown in Figure 3 to the second server 2000. At the same time the first server 1100 sends an alert to the law-enforcement unit so that it can act in time. For example, in leading indicator mode the law-enforcement unit can immediately ask the telecom operator to cancel the phone number used by the fraud group or block its connection, so as to prevent the fraud; in lagging indicator mode it can find the base station used by the fraud group, locate the group's current position and make arrests, thereby combating fraud.
So far, the method and system for preventing Internet fraud of the present invention have been described by the above description and drawings. It should be understood, however, that the specific embodiments of the present invention are for illustration only; various changes can be made without departing from the scope and spirit of the claims of the present invention, and all such changes are included in the patent scope of the present invention. Therefore, the specific embodiments described in this specification are not intended to limit the invention, and the true scope and spirit of the invention are disclosed in the following claims.
- 100: Fraud tactics
- 110: Fraud group
- 120: Financial institution
- 130: Victim
- 200: Network connection mechanism
- 210: User device using a foreign phone number
- 220: Domestic telecommunications operator
- 230: Foreign telecommunications operator
- 240: Internet
- 1000: System
- 1100: First server
- 1110: First calculation unit
- 1120: Second calculation unit
- 1130: Neural network unit
- 1210: First storage unit
- 1220: Second storage unit
- 2000: Second server
- D1: First information
- D2: Second information
- D3: Digital trajectory
- S1: First communication data
- S3: Third communication data
- S100: Method for preventing Internet fraud
- S110~S160: Steps
Figure 1 shows a schematic diagram of currently common fraud tactics.
Figure 2 shows a schematic diagram of the network connection mechanism for a foreign phone number.
Figure 3 shows the architecture diagram of the Internet fraud prevention system of the present invention.
Figure 4 shows the architecture diagram of the neural network unit and the security unit of the present invention.
Figure 5 shows a step diagram of how the telecommunications operator's server processes communication data according to the present invention.
Claims (12)
Priority Applications (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| TW111119420A TWI827066B (en) | 2022-05-25 | 2022-05-25 | Methods and systems for preventing and controlling Internet fraud |
Applications Claiming Priority (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| TW111119420A TWI827066B (en) | 2022-05-25 | 2022-05-25 | Methods and systems for preventing and controlling Internet fraud |
Publications (2)
| Publication Number | Publication Date |
|---|---|
| TW202348002A TW202348002A (en) | 2023-12-01 |
| TWI827066B TWI827066B (en) | 2023-12-21 |
Family
ID=90039427
Family Applications (1)
| Application Number | Title | Priority Date | Filing Date |
|---|---|---|---|
| TW111119420A TWI827066B (en) | 2022-05-25 | 2022-05-25 | Methods and systems for preventing and controlling Internet fraud |
Country Status (1)
| Country | Link |
|---|---|
| TW (1) | TWI827066B (en) |
Cited By (1)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| TWI885907B (en) * | 2024-05-20 | 2025-06-01 | 台灣大哥大股份有限公司 | Port number evaluation system and method |
Family Cites Families (2)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN112291424B (en) * | 2020-10-29 | 2021-09-14 | 上海观安信息技术股份有限公司 | Fraud number identification method and device, computer equipment and storage medium |
| CN114331473A (en) * | 2021-12-29 | 2022-04-12 | 中国电信股份有限公司 | Method and device for identifying telecommunication fraud event and computer-readable storage medium |
- 2022-05-25 TW TW111119420A patent/TWI827066B/en active
Also Published As
| Publication number | Publication date |
|---|---|
| TWI827066B (en) | 2023-12-21 |
Similar Documents
| Publication | Title | Publication Date |
|---|---|---|
| US12500938B2 (en) | Dynamic cybersecurity scoring and operational risk reduction assessment | |
| US11038903B2 (en) | System security configurations based on assets associated with activities | |
| CN103338188B (en) | A kind of dynamic authentication method of client side being applicable to mobile cloud | |
| CN110516173B (en) | Illegal network station identification method, illegal network station identification device, illegal network station identification equipment and illegal network station identification medium | |
| EP3884411A1 (en) | Cryptocurrency based malware and ransomware detection systems and methods | |
| Fallah et al. | Android malware detection using network traffic based on sequential deep learning models | |
| CN110535971A (en) | Interface configuration processing method, device, equipment and storage medium based on block chain | |
| US20220141252A1 (en) | System and method for data filtering in machine learning model to detect impersonation attacks | |
| KR102756783B1 (en) | Device for preventing phishing fraud and method for warning phishing through sender information verification | |
| Masoud et al. | On tackling social engineering web phishing attacks utilizing software defined networks (SDN) approach | |
| TWI827066B (en) | Methods and systems for preventing and controlling Internet fraud | |
| Iorliam | Cybersecurity in Nigeria: A case study of surveillance and prevention of digital crime | |
| CN117641332B (en) | A system and method for protecting user information security at the edge of a 5G network | |
| Chang et al. | AI-URG: Account identity-based uncertain graph framework for fraud detection | |
| US20240098098A1 (en) | Computer-based systems configured for contextual notification of monitored dark web intelligence and methods of use thereof | |
| CN115550926A (en) | Electronic evidence obtaining method, system, device, equipment and storage medium | |
| CN114417198A (en) | Phishing early warning method, phishing early warning device, phishing early warning system | |
| EP4177801B1 (en) | Techniques to assess a risk of online transactions | |
| Zhao et al. | SD-Transformer: A System-Level Denoising Transformer for Encrypted Traffic Behavior Identification | |
| Li | Countermeasures against various network attacks using machine learning methods | |
| US12192403B2 (en) | Computer-based systems having computing devices programmed for caller identity verification and methods of use thereof | |
| CN120110908B (en) | Application of methods, devices and equipment for constructing interconnected control models | |
| CN118869279B (en) | Data interaction system, method and related device based on remote model implantation | |
| CN119854039B (en) | Road terminal access method and related equipment of road traffic network | |
| KR102920853B1 (en) | Security apparatus and method for web3 wallet |