How To Protect Your Mobile From Attack From A Signalling Storm

Transcription

1 ICL, TUB, CERTH, Telecom Italia IT, COSMOTE, HISPASEC Erol Gelenbe Fellow of the French National Academy of Engineering Dynamic Real-Time Security for Seamless Service Provisioning in the Mobile Ecosystem Your Euros at Work..

2 Mobile Security -- Why is it Important?? Critical Applications Private Communications: Eavesdropping & Deceit Access and Update of Sensitive Data E Health, Business Data, False Data, Deceit The Internet of Things Smart Grid, Smart Vehicles, Cyber-Technical Systems Mobile Economy, Bitcoin, Payments

3 Context and Tools NEMESYS Components Observation: Dynamic Data Collection External Data Sets SECSIM: Simulator for Dynamic Security - Signaling Storm Detection and Mitigation Mobile Honeypots Analytics, Visualization Root Cause Analysis Rooting Security

4 Observation, Analyics and Visualisation Property/factors specific testing The Visualization and Analysis Placing Honeypots Convergence time Scalability Processing complexity Visual Correlation evaluation User Perception Integrability Evaluation

5 Technical issues Detection of attacks Analysis of signalling storms Disruption of Mobile Networks & Cyber-Technical Systems Development of signalling storm detectors and mitigators Changes in Standards with regard to Signalling Attracting Attacks via Honeypots Where and How Exploiting Resource Consumption (e.g. Computing time, Energy) & Billing Real-time detector for signalling anomalies and a graph based algorithm for detecting billing related attacks System Instability & Energy Cost of Signalling Attacks Lightweight Technologies for Base Stations Femtocells Risks Anomaly detection framework for femtocell architectures and virtualisation to protect users and femtocell devices Specific anomaly detection algorithms running on top of this framework 5

6 Detection based on signalling protocols Signalling storms Apps on mobile devices generating data traffic that results in excessive signalling load, causing outages, possible system breakdowns and performance degradations Apps may not necessarily be malicious but together they act like a distributed denial-ofservice attack (DDoS) Root causes are due to interworking between the entire mobile ecosystem: smartphones, operating systems, apps, the network configuration, cloud services, and users Poorly designed apps (e.g. incidents reported by DoCoMo [1], SK Telecom [2] and Nokia [3]) Outages in mobile cloud services [4] Malware infections [5] (e.g. adware, SMS trojans, botnets) Unwanted traffic from the Internet [6] (e.g. scanning worms, backscatter DoS traffic) [1] DoCoMo demands Google's help with signalling storm [2] Operators Urge Action Against Chatty Apps [3] Angry Birds + Android + ads = network overload [4] OTT service blackouts trigger signaling overload in mobile networks [5] J. Li et al, Characterizing high-frequency subscriber sessions in cellular data networks, in Proc. IFIP Networking Conf [6] F. Ricciato et al., On the impact of unwanted traffic onto a 3G network, in Proc. SecPerU 06. 6

7 Radio resource control (RRC) state machine Systems have been designed to: Save spectrum Stay in states with lower battery consumption The cost in terms of signalling load is paid during state transitions 7

8 Congestion due to attacks Signalling storms do not always translate into congestion in the data plane The affected signalling servers are the RNC (3G) and MME (4G) State transition model 8

9 9

10 Detection based on Signalling System Load & Types 10

11 Root Cause Analysis Anomalous users Behavioral similarity Core network impact

12 Mobile Security Prepare for the Future European R & D for Future Security and Privacy Build Test-Beds for Cyberdefense with Large Scale Usecases such as the IoT Develop Sophisticated Dynamic Detection & Mitigation Systems for existing and future systems Revisit Networking Routing and Signaling Protocols for Enhanced Security Use Security and Privacy to Add Value to European Industry and Commerce