D. Alarm Clue Definition Tips
This section describes techniques that can be used to avoid common
problems that are often encountered when defining Alarm Clues.
To effectively detect Toll Fraud, Alarm Clues must produce an accurate
count of calls that match the characteristics of a suspect phone call. Careful
planning will allow you to create clues that count suspect calls, and ignore
calls you don't need.
D.1. Headers, Banners, and Other "Non-Data"
When you examine data produced by the PBX, you will often discover
that in addition to call records, the PBX also creates records that do not
contain call data. In order to avoid counting this "non-data", clues must be
carefully defined to exclude headers and other items.
In the example below, several call records are shown along with a header.
The PBX might generate this header after every 100 calls to identify the
record fields. This is helpful when defining the format, but can also be a
nuisance when counting calls.
TIME EXT DUR NO. DIALED COST
D.1.1. The Comparative Operators
When the comparative operators (>, <, >=, and <=) are used, care must be
taken to limit the scope of the comparison.
When the VIP compares information in a call record with values indicated
in the clue definition, it performs an "ASCII comparison". All ASCII
characters are compared, not just numbers. Each ASCII character
(including letters and symbols) has a numerical value. Letters of the
alphabet have a higher value than numbers, and symbols have a lower
Although call records may always have a numerical value in a specific field,
"non-data" such as headers and summaries might have letters or symbols
in that field. When creating an Alarm Clue that includes the comparative
operators, the VIP must be prevented from counting symbols and alphabetic
characters as numerical values.
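
The miscount described above, as an added example that is not part of the original manual. Python compares strings character by character by ASCII value, so it reproduces the behaviour. The records, the field position, the thresholds and the two-sided bound used to limit the scope are constructed assumptions, not VIP clue syntax.

```python
# Constructed sample PBX output: three call records plus "non-data"
# (a column header, a separator rule and a summary line).
RECORDS = [
    "TIME  EXT   DUR   NO. DIALED    COST",
    "09:14 2041  0003  5551234       0.25",
    "09:20 2187  0095  0114420555    9.80",
    "----- ----  ----  ----------    ----",
    "09:31 2041  0047  0115255501    4.10",
    "SUMMARY     CALLS 3",
]
DUR = slice(12, 16)  # assumed position of the 4-character duration field


def field(record, span=DUR):
    """Return the raw characters of the field, padded to its full width."""
    return record[span].ljust(span.stop - span.start)


def count_gt(records, low):
    """One-sided clue 'DUR > low': letters sort above digits, so they match."""
    return sum(1 for r in records if field(r) > low)


def count_lt(records, high):
    """One-sided clue 'DUR < high': symbols such as '-' sort below digits."""
    return sum(1 for r in records if field(r) < high)


def count_between(records, low, high):
    """Two-sided clue: only values inside the all-digit range low..high match."""
    return sum(1 for r in records if low <= field(r) <= high)


if __name__ == "__main__":
    # Calls longer than 30 minutes: the header "DUR " and "CALL" are counted too.
    print("DUR > 0030         :", count_gt(RECORDS, "0030"))
    print("0031 <= DUR <= 9999:", count_between(RECORDS, "0031", "9999"))
    # Calls shorter than 30 minutes: the "----" separator is counted too.
    print("DUR < 0030         :", count_lt(RECORDS, "0030"))
    print("0000 <= DUR <= 0029:", count_between(RECORDS, "0000", "0029"))
```

Bounding both ends with all-digit values keeps fields that begin with a letter or a low-valued symbol out of the count.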