Detecting Fraudulent ModemPOOL Terminals with K‑Means Clustering

ModemPOOL Overview

ModemPOOL (also called ModemPOOL) is a device that aggregates a large number of modems via special dial‑up requests, allowing multiple users to connect simultaneously. It is widely used by organizations that need bulk remote networking, such as postal services, tax bureaus, customs, banks, securities firms, exchanges, brokerage companies, and call centers.

Terminal Identification Model

The goal is to detect terminals that belong to fraudulent “cat‑pool” schemes, where SIM cards are separated from devices to create artificial usage patterns for profit. Fraudulent terminals show distinct behavior in revenue, billing duration, traffic volume, call duration, call count, number of base stations used, activation counts, primary‑use counts, social‑circle counts, outbound‑call proportion, and concentrated short‑call occurrences.

More than 20 indicators were engineered from a DB2 data warehouse containing >10,000 terminals and thousands of reports. Representative indicators include:

Revenue : total monetary value generated by the terminal.

Billing duration : cumulative billed minutes.

Traffic volume : total data transferred.

Call duration and count : sum of call minutes and number of calls.

Number of base stations : distinct cell towers the terminal connected to.

Activation terminal count : how many other terminals were activated by the same SIM.

Primary‑use terminal count : number of terminals for which the SIM is the primary number.

Social‑circle terminal count : count of terminals that frequently communicate with the same set of numbers.

Outbound‑call proportion : ratio of outgoing calls to total calls.

Concentrated short‑call occurrences : instances where, within a single day and base station, the terminal makes >2 calls to the same number, each <30 seconds.

Indicator engineering required roughly three months; data preparation (extracting two months of daily data) added another half‑month.

Data Exploration

Each indicator was visualized with histograms to assess distribution shape. Indicators deviating from normality (e.g., activation terminal count, primary‑use counts) were flagged as potential fraud signals because normal terminals typically have zero values for these metrics, whereas fraudulent terminals often show multiple activations per SIM.

Algorithm Selection and Clustering

No labeled examples of fraudulent terminals were available, so supervised methods (e.g., decision trees) could not be used. An unsupervised clustering approach—k‑means—was selected to group terminals with similar behavior.

k‑means procedure :

Select the number of clusters k.

Assign each terminal to the nearest cluster using Euclidean distance.

Recalculate each cluster’s centroid as the mean of its members.

Repeat steps 2–3 until assignments stabilize.

Experiments showed that the sum of squared errors (SSE) dropped sharply up to k≈8 and plateaued after k≈30, while iteration time increased rapidly. A practical compromise of k=10 provided sufficient granularity and interpretability.

Cluster 10 exhibited lower revenue, fewer base stations, and smaller social‑circle metrics, but higher activation counts and outbound‑call proportion—matching the expected fraud profile.

Business rules were derived: terminals assigned to cluster 10 are flagged as suspicious (label = 1); all others are considered normal (label = 0).

Model Deployment

In production, the clustering model runs daily. For each new terminal, the Euclidean distance to each centroid is computed, the terminal is assigned to the nearest cluster, and if the assignment is to cluster 10 the terminal is flagged for further investigation. This enables continuous monitoring and iterative rule refinement.

Day‑Interval Warning Model

The second model predicts churn by adapting the RFM framework to call‑interval statistics. For each user the following statistics are computed from historical call detail records (CDR):

Expected interval (μ) : mean of daily call‑intervals during a stable period.

Standard deviation (δ) : variability of the interval.

Current silence time (I) : number of days since the last call up to the current date.

T‑value : T = (I - μ) / δ. A large positive T‑value indicates a significant deviation from normal calling behavior, suggesting a high churn risk.

The model was trained on three months of CDRs and five months of user profile data, then evaluated on subsequent months using hit‑rate (recall) and coverage (precision). Thresholds on the T‑value were tuned to balance these metrics, and the model can be specialized for high‑value or at‑risk user segments.

Key Takeaways

Fraudulent “cat‑pool” terminals can be uncovered by engineering behavior‑based indicators and applying unsupervised clustering.

Visual data exploration (e.g., histograms) helps prioritize indicators and reveal distribution anomalies.

k‑means clustering with an appropriate number of clusters (≈10) yields interpretable groups that map directly to business fraud rules.

The day‑interval warning model provides an early‑churn signal using a simple T‑value derived from RFM‑style call‑interval statistics.

Continuous deployment and periodic rule refinement are essential for sustained operational value.