Dynamic Real-Time Security for Seamless Service Provisioning in the Mobile Ecosystem

ICL, TUB, CERTH, Telecom Italia IT, COSMOTE, HISPASEC
Erol Gelenbe
Fellow of the French National Academy of Engineering
Dynamic Real-Time Security for Seamless
Service Provisioning in the Mobile
Ecosystem
Your Euros at Work ..
www.nemesys-project.eu
No. 317888
Mobile Security -- Why is it Important?
Critical Applications
• Private Communications: Eavesdropping & Deceit
• Access and Update of Sensitive Data – E-Health, Business Data, False Data, Deceit
• The Internet of Things – Smart Grid, Smart Vehicles, Cyber-Technical Systems
• Mobile Economy, Bitcoin, Payments
Context and Tools
NEMESYS Components




Observation: Dynamic Data Collection
External Data Sets
SECSIM: Simulator for Dynamic Security Signaling Storm Detection and Mitigation
• Mobile Honeypots
• Analytics, Visualization – Root Cause Analysis
• Rooting Security
Observation, Analytics and Visualisation
Property/factors specific testing
• The Visualization and Analysis
• Placing Honeypots
• Convergence time
• Scalability
• Processing complexity
Visual Correlation evaluation
User Perception
Integrability Evaluation
Technical issues

• Detection of attacks
  • Analysis of signalling storms → Disruption of Mobile Networks & Cyber-Technical Systems
  • Development of signalling storm detectors and mitigators
  • Changes in Standards with regard to Signalling
  • Attracting Attacks via Honeypots → Where and How
• Exploiting Resource Consumption (e.g. Computing time, Energy) & Billing
  • Real-time detector for signalling anomalies and a graph based algorithm for detecting billing related attacks → System Instability & Energy Cost of Signalling Attacks
• Lightweight Technologies for Base Stations – Femtocells → Risks
  • Anomaly detection framework for femtocell architectures and virtualisation to protect users and femtocell devices
  • Specific anomaly detection algorithms running on top of this framework
Detection based on signalling protocols
Signalling storms

• Apps on mobile devices generating data traffic that results in excessive signalling load, causing outages, possible system breakdowns and performance degradations
• Apps may not necessarily be malicious but together they act like a distributed denial-of-service attack (DDoS)
• Root causes are due to interworking between the entire mobile ecosystem: smartphones, operating systems, apps, the network configuration, cloud services, and users
  • Poorly designed apps (e.g. incidents reported by DoCoMo [1], SK Telecom [2] and Nokia [3])
  • Outages in mobile cloud services [4]
  • Malware infections [5] (e.g. adware, SMS trojans, botnets)
  • Unwanted traffic from the Internet [6] (e.g. scanning worms, backscatter DoS traffic)
[1] DoCoMo demands Google's help with signalling storm http://www.rethink-wireless.com/2012/01/30/docomo-demands-googles-signalling-storm.htm
[2] Operators Urge Action Against Chatty Apps http://www.lightreading.com/operators-urge-action-against-chatty-apps/d/d-id/687399#msgs
[3] Angry Birds + Android + ads = network overload http://www.itwire.com/business-it-news/networking/47823-angry-birds-%20-android-%20-ads-=-networkoverload
[4] OTT service blackouts trigger signaling overload in mobile networks http://blogs.nsn.com/mobile-networks/2013/09/16/ott-service-blackouts-trigger-signalingoverload-in-mobile-networks/
[5] J. Li et al, “Characterizing high-frequency subscriber sessions in cellular data networks,” in Proc. IFIP Networking Conf. 2013.
[6] F. Ricciato et al., “On the impact of unwanted traffic onto a 3G network,” in Proc. SecPerU’06.
Radio resource control (RRC) state machine
• Systems have been designed to:
  • Save spectrum
  • Stay in states with lower battery consumption
• The cost in terms of signalling load is paid during state transitions
Congestion due to attacks
• Signalling storms do not always translate into congestion in the data plane
• The affected signalling servers are the RNC (3G) and MME (4G)
State transition model
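Added example (not part of the original slides or of NEMESYS code): a per-user detector that counts RRC state transitions from packet timestamps, showing how a low-volume user can produce far more signalling than a high-volume one. It assumes a simplified two-state (idle/connected) model; the timer, the per-transition message counts, the threshold and all function names are illustrative assumptions.

```python
from collections import defaultdict

# Assumed values for illustration; real timers and per-transition message
# counts depend on the radio technology and the operator's configuration.
INACTIVITY_TIMEOUT_S = 10.0  # connected -> idle after this much silence
MSGS_PER_PROMOTION = 20      # signalling messages for idle -> connected
MSGS_PER_DEMOTION = 10       # signalling messages for connected -> idle


def signalling_load(packet_times, timeout=INACTIVITY_TIMEOUT_S):
    """Return (promotions, signalling_messages) for one user's packet times."""
    promotions, last = 0, None
    for t in sorted(packet_times):
        if last is None or t - last > timeout:
            promotions += 1  # radio had gone idle: a new connection is set up
        last = t
    # Each promotion is followed by one demotion once the timer expires.
    return promotions, promotions * (MSGS_PER_PROMOTION + MSGS_PER_DEMOTION)


def flag_anomalous_users(trace, window_s, max_promotions_per_min):
    """trace: iterable of (user, timestamp_s, bytes). Returns stats of flagged users."""
    times, volume = defaultdict(list), defaultdict(int)
    for user, ts, size in trace:
        times[user].append(ts)
        volume[user] += size
    flagged = {}
    for user, stamps in times.items():
        promotions, msgs = signalling_load(stamps)
        if promotions / (window_s / 60.0) > max_promotions_per_min:
            flagged[user] = {"promotions": promotions,
                             "signalling_msgs": msgs,
                             "bytes": volume[user]}
    return flagged


def sample_trace():
    """Constructed 10-minute trace (not measured data)."""
    trace = [("streamer", float(t), 1_000_000) for t in range(600)]  # always on
    trace += [("chatty", float(t), 100) for t in range(0, 600, 12)]  # keep-alives
    trace += [("browser", float(b + i), 50_000)                      # short bursts
              for b in range(0, 600, 120) for i in range(5)]
    return trace


if __name__ == "__main__":
    for user, stats in flag_anomalous_users(sample_trace(), 600, 2.0).items():
        print(user, stats)
```

In the constructed trace only the keep-alive user is flagged, although it sends a tiny fraction of the streaming user's bytes, which is why a data-plane volume threshold alone would miss it.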
Detection based on Signalling System Load &
Types
Root Cause Analysis
Anomalous users
Behavioral similarity
Core network impact
Mobile Security – Prepare for the Future
European R & D for Future Security and Privacy
• Build Test-Beds for Cyberdefense with Large Scale Usecases such as the IoT
• Develop Sophisticated Dynamic Detection & Mitigation Systems for existing and future systems
• Revisit Networking Routing and Signaling Protocols for Enhanced Security
• Use Security and Privacy to Add Value to European Industry and Commerce