WO2005120006A1 - Method for observing operation of a smart card, the smart card for a terminal, and an intrusion protection system - Google Patents


Publication number
WO2005120006A1
Authority
WO
WIPO (PCT)
Prior art keywords
terminal
communication part
smart card
test
memory
Prior art date
Application number
PCT/FI2005/050186
Other languages
Finnish (fi)
French (fr)
Inventor
Jari Jokela
Lauri Isotalo
Original Assignee
Elisa Oyj
Application filed by Elisa Oyj

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/02 Network architectures or network communication protocols for network security for separating internal from external traffic, e.g. firewalls
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/08 Network architectures or network communication protocols for network security for authentication of entities
    • H04L63/0853 Network architectures or network communication protocols for network security for authentication of entities using an additional device, e.g. smartcard, SIM or a different communication terminal
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1408 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1441 Countermeasures against malicious traffic
    • H04L63/145 Countermeasures against malicious traffic the attack involving the propagation of malware through the network, e.g. viruses, trojans or worms
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04W WIRELESS COMMUNICATION NETWORKS
    • H04W12/00 Security arrangements; Authentication; Protecting privacy or anonymity
    • H04W12/06 Authentication
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04W WIRELESS COMMUNICATION NETWORKS
    • H04W12/00 Security arrangements; Authentication; Protecting privacy or anonymity
    • H04W12/12 Detection or prevention of fraud
    • H04W12/121 Wireless intrusion detection systems [WIDS]; Wireless intrusion prevention systems [WIPS]
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04W WIRELESS COMMUNICATION NETWORKS
    • H04W12/00 Security arrangements; Authentication; Protecting privacy or anonymity
    • H04W12/12 Detection or prevention of fraud
    • H04W12/128 Anti-malware arrangements, e.g. protection against SMS fraud or mobile malware

Definitions

  • the invention relates generally to the security of data communications and especially to the security of mobile networks, to smart cards, and to intrusion protection systems.
  • VPN: Virtual Private Network
  • A firewall is a system that is implemented by software or hardware and protects a private network from attacks initiated outside the private network.
  • a private network is, for example, the local-area network (LAN) of a company.
  • LAN: local-area network
  • Virus protection is a protection mechanism against viruses and other harmful programs. Virus protection software scans the contents and features of program files in order to detect harmful programs.
  • the virus protection scans network traffic, especially emails and their attachment files. Infected attachment files are removed so that a virus cannot enter a user's computer and cause harm there.
  • the term "harmful" refers to various causes, including faulty programs and their faulty use, viruses, and harmful acts of hackers.
  • the invention especially relates to a protection mechanism termed IDS (Intrusion Detection System).
  • IDS: Intrusion Detection System
  • An intrusion detection system aims to detect possible intrusion attempts to a communication network and then operates according to predetermined instructions. If an intrusion is detected quickly enough, an attacker can be identified and instantly removed from the network. The basic principle is that the earlier an attack is detected, the less damage it causes. A well-designed intrusion system can also operate as a deterrent.
  • an IDS is in some ways similar to a firewall.
  • the IDS also makes it possible to collect information about attack techniques. This information can be utilized when developing better intrusion protection methods.
  • the intrusion detection is based on the assumption that the actions of an intruder differ in some way from normal actions.
  • the IDS includes a database for storing at least one action set of a normal user and/or one action set initiated by intruders. Actions initiated by a user are compared to the action sets stored in the database, and on the basis of the comparison it is determined whether the user is an intruder or a normal user.
  • the IDS implementations can be classified in the following classes: hardware intrusion detection systems (termed HIDS), network intrusion detection systems (termed NIDS), and intrusion detection systems that detect exceptional events.
  • Operation of the HIDS implementations is focused on "hardware", i.e. on a computer having a certain type of operating system.
  • An HIDS system requires the installation of a certain application (agent) in the computer. By means of the application the HIDS detects the logins of users.
  • NIDS implementations observe network traffic; thus they can also be termed network analyser programs.
  • An NIDS system captures messages from network traffic and compares the captured messages to the traces/patterns occurring in association with known attack techniques.
  • an NIDS system is understood as a device connected to a network in order to make observations. For the present, IDS systems detecting exceptional events are more or less theoretical.
  • IDS systems collect data about the point in time when a user logs into a system, and they set off an alarm if the user logs into the system at a point in time which is exceptional to himself/herself. At that time an intruder may pose as the concerned user.
  • IDS systems and the algorithms used in them are discussed, for example, in the article by B. Balajinath and S.V. Raghavan entitled "Intrusion Detection Through Learning Behaviour Model", Computer Communications, Vol. 24, Nr. 12, 15.07.2001, pages 1202-1212, and in the article by A. Boukerche and M.S.M. Annoni Notare entitled "Behaviour-Based Intrusion Detection in Mobile Phone Systems", Journal of Parallel and Distributed Computing, Vol. 62, Nr.
  • IPS comes from the words "intrusion prevention system". Intrusion prevention can be understood as extensive data security including basically all possible means of preventing hacking. While an IDS system only warns about an intrusion attempt, an IPS system is more active, because it also prevents the intruder from advancing in the network and possibly eliminates the harmful programs used by the intruder. Modern mobile stations and terminals are small-sized computers that can run programs. Most of these programs are utility programs that were installed in a terminal during the manufacturing. However, some of the programs are games and other programs which a user has installed in the terminal later. Previously, when it was only possible to send and receive text messages via mobile stations, the data security was easier to ensure than nowadays.
  • text messages are data files. Although data files are not without risk, program files are riskier than data files. It can be considered a significant risk when various games are loaded from the Internet into terminals, as those games may turn out to be harmful programs.
  • a harmful program may cause harm/damage for a terminal user and/or for a network operator.
  • the harmful program may send messages or make calls without the knowledge of the user. The messages sent and the calls made cause economic losses to the user.
  • the network operator has responsibility for the usability of the network and for the services which are used by means of the network. Denial-of-service attacks, whereby legitimate service provision is interrupted, are in principle possible also in mobile networks.
  • F-Secure is a company that provides a service for enhancing the data security of terminals.
  • a virus protection program installed in a terminal is updated by SMS (Short Message Service) messages.
  • the service is intended for terminals equipped with the Symbian operating system.
  • Symbian has been developed by the largest mobile station manufacturers.
  • the virus protection software improves the data security of the terminals in which the software is installed.
  • a network operator's network may still include a number of terminals which lack the virus protection software, which means that viruses may enter the network via these unprotected terminals.
  • a drawback in prior art is that in public networks terminal users have a big responsibility for the supervision of the terminals. Many users do not want to deal with, or are not capable of dealing with, the data security applications of their terminals.
  • the invention involves an intrusion prevention system, but it also includes characteristics of firewalls and virus protection methods.
  • the invention preferably utilizes a smart card for a terminal, such as a SIM card.
  • the smart card includes a processor and a protected memory, and is thus able to store and execute applications. Because of the protected memory, it is almost impossible to interfere with the applications of the smart card.
  • the invention comprises 1) a method for observing operation of a radio network terminal, 2) a smart card for the terminal, and 3) an intrusion protection system for the radio network.
  • the method is intended to observe the operation of a terminal that includes a processor, a display, a user interface, a smart card, and a communication part capable of communicating with at least one radio network.
  • a certain impulse or series of impulses starts an application located in the terminal.
  • the application performs a test whereby inappropriate activity is searched for by making at least one of the following comparisons: 1) a comparison between data flows transmitted through different interfaces of the processor, the processor having interfaces with the smart card, the memory, the display, the user interface, and the communication part; 2) a comparison between at least one data flow transmitted through an interface of the processor and status data related to the communication part, the status data being stored in the memory.
  • a new intrusion detection system intended for radio networks comprises at least one server and terminals that are capable of operating in a radio network and are equipped with a smart card.
  • the intrusion detection system executes with a smart card in a terminal a test resulting in a test result. Then the system writes the test result in a report, delivers the report through a network to a server, and determines on the basis of the report whether the terminal has been used to intrude on the network.
  • Figure 1 shows the parts of a terminal and the interfaces of a processor located in a terminal
  • Figure 2 shows the main steps of a method
  • Figure 3 shows the reading of a bus, a buffer, and a variable
  • Figure 4 shows a comparison between data flows transmitted through different interfaces of a processor
  • Figure 5 shows a comparison between at least one data flow transmitted through an interface of a processor and the status data of a communication part
  • Figure 6 shows a comparison between user inputs obtained through a user interface and the operation of a communication part
  • Figure 7 shows a comparison between the information content of a device and the operation of a communication part
  • Figure 8 shows an intrusion protection system according to the invention
  • Figure 9 shows connections between an IPS server, databases, registers, and systems supporting the intrusion protection system.
  • the method is intended to prevent operations of a harmful program.
  • the method searches by means of a test for a trace of a harmful program in a terminal.
  • the test may check, for example, the following things: 1) whether a user has pushed a certain button for making a call, or 2) whether the terminal is calling a number. If the terminal is calling some number even though the user has not pushed the above-mentioned button, the terminal is operating in a contradictory way.
  • the test discloses this contradiction, which indicates the existence of a harmful program.
  • FIG. 1 shows parts of a terminal and the interfaces of a processor located in the terminal.
  • the terminal 101 includes at least the following parts: a communication part 102, a processor 103, a memory 104, a smart card 105, a display 106, and a user interface 107.
  • the communication part 102 includes at least a radio part 108 through which the terminal 101 can be connected to a mobile network or to another radio network.
  • the radio part may be, for example, a radio part according to the GSM (Global System for Mobile Communication) standard or a radio part according to the 3GPP (3rd Generation Partnership Project).
  • the terminal may also include a number of radio parts for different network standards.
  • the communication part may further include other parts, such as a WLAN part 109 for communication with a WLAN (Wireless Local Area Network), a Bluetooth part 110 utilizing the Bluetooth technique, and a Firewire part 111, i.e. a part obeying the IEEE 1394 standard or a newer bus standard.
  • the communication part 102 may include, for example, a communication part utilizing the infrared technique.
  • the communication part 102 may include, for example, a data transmission part utilizing USB technique (Universal Serial Bus).
  • the communication part may include the following parts: a modem, an ISDN (Integrated Services Digital Network) card or adapter, or an ADSL (Asymmetric Digital Subscriber Line) card or adapter.
  • the processor 103, i.e. the CPU (Central Processing Unit), and the memory 104 are essential parts for the operation of the terminal 101.
  • the type of memory is irrelevant from the point of view of the invention.
  • the terminal may also include a slot into which it is possible to place a memory card. It is useful from the point of view of the invention that the smart card 105 includes a protected memory 112 and a processor, i.e. the CPU 113.
  • the smart card is able to execute programs without the assistance of the processor 103 and the memory 104 of the terminal 101. Due to the protected memory 112 of the smart card, a network operator can prevent external parties from accessing the smart card 105. Usually the network operator has an exclusive right to write to the protected memory or read it, or to execute programs stored in the protected memory.
  • the display 106 is composed of a number of parts, of which the video controller 114 is the most pertinent because the display information is shown through it.
  • the user interface 107 refers to means by which a user of the terminal 101 can input data.
  • a keyboard 115 is one of these means. In addition to the keyboard 115, the user interface may include a joystick 116.
  • it is possible to implement the keyboard, or a part of it, by means of a touch-sensitive surface 117.
  • the touch-sensitive surface can also be adapted to receive inputs initiated by a stylus pen.
  • When considering the parts 102-107 of the terminal 101, the processor 103 is operatively of particular importance, because it has interfaces 118-122 with the other parts, i.e. with 102 and 104-107.
  • the steps in the method are performed in the terminal, i.e. in the smart card and/or in the terminal processor. Use of a smart card is recommended, but when necessary, the method can be performed without one.
  • FIG. 2 shows the main steps of the method.
  • a terminal operating in a network includes at least a processor, a memory, a display, a user interface, a smart card, and a communication part.
  • the processor of the terminal has interfaces with the smart card, the memory, the display, the user interface, and the communication part.
  • At first one application located in the terminal is started 201 and one test is performed 202 by the application.
  • the application searches for a trace or traces indicating an inappropriate activity of the terminal by using at least one of the following comparisons: a) a comparison between data flows transmitted through different interfaces of the processor, the processor having interfaces with the smart card, the memory, the display, the user interface, and the communication part, and/or b) a comparison between at least one data flow transmitted through an interface of the processor and status data related to the communication part.
  • Content and the data type of the status data may vary.
  • the status data is a Boolean value expressing whether the communication part of the terminal is active or not.
  • the status data of the communication part typically contains data which the operating system of the terminal has stored in the memory.
  • the first data flow to be observed can be chosen from the data flows of five interfaces 118-122, after which another data flow to be observed can be chosen from the four (remaining) data flows.
  • a predetermined action set is to be performed 204. This action set may include at least one of the following actions: reporting on the test through the radio network, preventing at least partially the use of the communication part, suspension of a program that has used the communication part without authorization, or removal of a program from the memory.
  • the application located in the terminal performs the test.
  • FIG. 3 depicts the reading of information in a bus, a buffer, and a variable.
  • the figure includes a smart card 301 and its parts: a protected memory 302 and a processor 303.
  • the figure includes a processor 304, a bus 305 connecting a processor and the smart card, and a memory 306.
  • the memory 306 includes a variable 307 and a buffer 308 in which three messages 309 are stored. Only the interface 310 between the memory and the processor is marked in the figure; the rest of the interfaces are omitted.
  • the application performing the steps in the method can read data flows of one or more interfaces of the processor, for example, from the bus 305 to which the smart card 301 is connected.
  • the bus 305 may be a bus according to one of the following standards: GSM 11.11, GSM 11.14, ISO (International Organization for Standardization) 7810, or ISO 7814.
  • the smart card, or the application located in the smart card obtains information via the bus 305.
  • the information discloses, for example, whether the communication part of the terminal is free or in use.
  • the smart card, or the application stored in the smart card may similarly obtain the information as to whether the display of the terminal is free or in use.
  • the bus 305 connects only the smart card and the processor.
  • the invention is not limited to this kind of implementation of the bus, but the bus could connect the smart card also to other parts of the terminal, such as the display and the user interface.
  • the smart card is able to read a data flow from the bus, wherein the data flow is communication between the smart card and the operating system of the terminal.
  • This communication may be in accordance with a certain standard, such as GSM 11.11, GSM 11.14, ISO 7810, or ISO 7814.
  • the smart card can read bus messages that are not sent to the smart card by intercepting messages from the bus, or recording the data flow of the bus.
  • the smart card can read the content of the memory 306 through the bus.
  • Another source from which the application performing the steps in the method can read data flows of one or more interfaces of the processor is a buffer or a set of buffers. Then the application reads a data flow/data flows from at least one buffer 308 which is handled by the operating system of the terminal and which is stored in the memory 306.
  • the operating system has one buffer for each of its interfaces.
  • the application must know in which part of the memory 306 the operating system stores the buffer 308.
  • the application must also know the data type of the data items/messages 309.
  • the application may read the buffer through the bus 305.
  • the status data of the communication part are essential information which the application obtains from a variable set maintained by the operating system. This variable set is expected to include at least one variable.
  • the application may read the status data of the communication part from the variable 307 through the bus 305. If one of the above-mentioned GSM or ISO standards is in use, the application may read the status data of a certain communication part in a received message which also contains the variable value 307 for the operating system of the terminal.
  • the application is easier to implement if it deals with one standard and if it obtains all the information needed for the test/tests from the messages. Dealing with just one standard is not necessarily enough. Some tests may require information which cannot be obtained through any standard. Then the application must know certain details about the operating system of the terminal. In particular, the location of the variables and buffers and the data types of the variables are required details. Symbian is an operating system developed by Nokia and certain other mobile phone producers for use in different types of terminals. Microsoft has also developed a popular operating system for mobile terminals. Generally speaking, the implementation of the application is according to one of the following: the application is located as a whole in the smart card 301, as a whole in the memory 306, or partially in the smart card 301 and partially in the memory 306.
  • If the program code of the application is at least partially located in the memory of the terminal, it may be integrated as a part of the operating system in the terminal. Also in that case the application is operated according to the steps in the method shown in FIG. 2.
  • the application may be already installed in a terminal/smart card during its production. It is also possible that at least a part of the application is transferred to the terminal/smart card later on. This transfer can be performed via a radio network.
  • the following four figures specify how a test is executed, i.e. how the step 202 in the method in FIG. 2 is executed. First, the execution depends on the information source, i.e. whether the information needed in the test is read in a bus, a buffer, or in a variable.
  • FIG. 4 shows comparisons between data flows transmitted through different interfaces of a processor.
  • When the test executed by the application includes the comparison a), the following sub-steps are performed in the method: reading 401 the data flows of different interfaces of the processor, comparing 402 the data flows, and when contents of the data flows differ from each other 403, presenting 404 a result indicating inappropriate activity.
  • the application outputs the result indicating inappropriate activity when, for example, a user of the terminal has selected the phone number of person 'X' from the name list of the terminal but the communication part of the terminal establishes a connection to a phone number other than the phone number of person 'X'. Then the phone number that was transmitted through the interface between the processor and the user interface differs from the phone number that was transmitted through the interface between the processor and the communication part.
  • When the application reads the above-mentioned data flows, it detects that the phone numbers differ.
  • the step 202 in the method can be executed according to the following figure.
  • FIG. 5 shows a comparison between at least one data flow transmitted through an interface of a processor and the status data of a communication part.
  • FIG. 6 shows a comparison between user inputs obtained through a user interface and the operation of a communication part. The execution of the sub-steps is described from the point of view of the application.
  • the application identifies 601 a command set obtained through the user interface of the terminal, the command set to include at least one command.
  • Many mobile station models are equipped with a specific button intended for establishing a connection.
  • the button may include, for example, a green symbol representing a phone set.
  • the application may identify whether a user has pushed the green phone set button or not. If the command set is composed of a number of commands, normally a number of messages/signals related to certain keystrokes must be identified. Then the application identifies 602 whether the command set is intended to activate the communication part of the terminal. When the command set is missing from these normal command sets that activate the communication part, the application checks next 603 whether the communication part has been activated.
  • the communication part is activated, for example, when establishing a phone call.
  • the communication part is going to be activated, for example, when the user aims to make a phone call or he/she aims to send a text message.
  • the application may execute the sub-step 603, for example, by reading a certain Boolean value.
  • the application presents 604 a result indicating inappropriate activity.
  • the application checks 605 whether the operation of the communication part is in accordance with some command set of the command sets that activate the communication part. If the operation of the command set differs from the operations of the command sets that activate the communication part, the application presents 606 a result indicating another type of inappropriate activity. The result indicating this type of inappropriate activity is presented, for example, when the terminal sends a second text message in addition to the text message which the user wants to send.
  • the step 202 of the method can be executed according to the following figure.
  • FIG. 7 shows a comparison between the information content of a device and the operation of a communication part.
  • the information content is composed of different symbols, of which the symbols related to data communication are significant from the point of view of the invention.
  • the text "calling" to be shown on the display of the terminal is that kind of symbol.
  • the execution of the sub-steps is described from the point of view of the application.
  • the application identifies 701 the symbol set, including at least one symbol.
  • the application checks 702 whether the symbol set includes a symbol that indicates activity of the communication part.
  • the application checks 703 whether the communication part has been activated.
  • When the communication part is said to be activated, either it is currently active or it will be activated if the activation is not prevented.
  • the application presents 704 a result indicating inappropriate activity. If a symbol indicating activity of the communication part is shown on the display 702, the application checks 705 whether operation of the communication part is in accordance with a certain operation to which the symbol indicating the activity of the communication part is logically mapped. For example, the symbol "Calling" is logically mapped to a phone call. The symbol "Calling" is not mapped to, for example, sending a text message. If the operation of the communication part differs from the operation mapped to the symbol, the application presents 706 a result that indicates another type of inappropriate activity.
  • the smart card according to the invention is adapted to perform the steps in the method.
  • the smart card is intended for a terminal operating in a communication network.
  • the communication network may be, for example, a mobile network or a fixed network.
  • the smart card is assumed to be located in a terminal which comprises a processor, a memory, a display, a user interface, and a communication part.
  • the terminal may be, for example, a mobile station or a computer whose communication part connects it to the Internet.
  • the smart card 301 is adapted to perform at a terminal a test in which a trace of inappropriate activity is searched for by using at least one of the following comparisons: a) a comparison between data flows transmitted through different interfaces of the processor, the processor having interfaces with the smart card, the memory, the display, the user interface, and the communication part, or b) a comparison between at least one data flow transmitted through an interface of the processor and the status data related to the communication part, the status data being stored in the memory.
  • the smart card 301 is adapted to perform a predetermined action set including at least one action. The actions which the smart card 301 is adapted to perform are described in more detail in FIG. 4-7.
  • the smart card is preferably located in a mobile station because the mobile station typically includes a certain button by which a phone call is initiated. Similarly, the sending of text messages or the sending of MMS (Multimedia Messaging Service) messages is executed after a certain keystroke/keystroke series. Therefore, it is quite easy for the smart card to test whether the operation of the mobile station's communication part is inappropriate.
  • the test according to FIG. 6 is more complicated to execute in computers because computers usually lack a certain button that activates the communication part. The test according to FIG. 7 is also difficult for computers because various software programs establish data communications and their graphical user interfaces include various symbols indicating activity of the communication part.
  • the command set may be composed of three consecutive keystrokes of the CTRL key.
  • the smart card 301 reads 501 the data flow of the computer's user interface and data flow of the processor's interface.
  • the smart card reads 502 the status data of the communication part, such as the status data of a modem. Then the smart card compares 503 the contents of the data flow and the status data. If the contents conflict 504, i.e. if the data flow lacks the three consecutive CTRL keystrokes but the modem is nevertheless in use, the smart card presents 505 a result indicating inappropriate activity.
  • the smart card 301 is capable of performing tests according to FIG. 2. There are plenty of tests which include the comparison a) and/or b). In addition, the smart card may be adapted to perform other types of tests, and the smart card may be adapted to the transfer of at least one test program through a protected communication link.
  • FIG. 8 shows an intrusion protection system according to the invention.
  • the intrusion detection system includes at least one server 801 and terminals which are able to operate in radio network 802 and are equipped with smart cards. Terminals 803 and 804 are examples of such terminals.
  • the system is adapted to perform at the terminal 803 at least one test concerning the operation of the terminal, whereby the performed test/tests result in a test result.
  • the system is further adapted to write at the terminal 803 the test result in a report 805, to deliver the report 805 via a radio network 802 to the server 801, and to determine on the basis of the delivered report whether there has been an intrusion from the terminal 803 on the radio network 802.
  • the test to be performed at the terminal 803 may be the test shown in FIG. 2.
  • the system is adapted to perform at the terminal 803 the test whereby a trace of inappropriate activity is searched for by using at least one of the comparisons a) or b) shown in FIG. 2.
  • the system is adapted to perform at the terminal 803 a second type of test in which a trace of inappropriate activity is searched for so that the memory content of the terminal is compared to content considered to be appropriate.
  • another type of test is the following. First, a file listing of the programs included in the memory of the terminal is composed at the terminal 803. Then each program of the file listing is searched for from another list. That list includes the programs belonging to the original software of the terminal. If the program searched for is missing from the above-mentioned list, the test presents a result indicating inappropriate activity.
  • the system is adapted to perform at the terminal 803 a third kind of test: In this test a trace of inappropriate activity is searched for by comparing the memory content of the terminal to the content considered to be inappropriate.
  • the third type of test is typically a virus test in which a trace of a virus/harmful program is searched for from the memory of the terminal 803.
  • the system is adapted to perform at the terminal a fourth type of test which collects information about the terminal and its operation. Because the viruses/harmful programs often have specific file names, the fourth type of test program takes the file listing of the terminal's programs and delivers the file listing to the server 801. Another test of the fourth type is more advanced. For example, the test program stores the following log information: a) the name of the program that established a data connection, b) the point in time when the data connection was established, and c) a point of time when the data connection was terminated. This log information is the outcome/the result of the fourth type of test. If needed, the log information is included in a report and delivered to the server 801.
  • the terminal 803 is adapted to perform at least one test that results in an outcome to be placed in the report 805.
  • the test to be performed may correspond to the test described in FIG. 2 and FIG. 4-7.
  • the test may be one of the above-mentioned tests, i.e. the second type of test, the third type of test, or the fourth type of test.
  • the content of the report 805 can be formulated in various ways.
  • the test may result in the following test result: "terminal's operation is OK".
  • the report usually includes a test identifier disclosing the test which was performed at the terminal.
  • the terminal 803 sends the report 805, for example, as an SMS message to the server 801.
  • the SMS message includes the sender's phone number, i.e. the terminal's phone number.
  • the report 805 is composed of a number of messages.
  • the server 801 determines on the basis of the code/character string whether the radio network 802 has been intruded on from the terminal 803. It can be assumed that a terminal includes a test/tests that observe in some way the operation of the terminal. Because a harmful program may be programmed after the manufacture of the terminal, the test installed in the terminal does not necessarily disclose the newest harmful programs.
  • the intrusion protection system is adapted to deliver a test/tests from the server 801 to the terminal 803.
  • the test delivered may be the first test to be performed at the terminal 803, or the test may replace a certain test, or the test may improve a certain existing test/tests.
  • terminals include producer-specific and model-specific differences; thus a certain harmful program usually causes damage in certain terminal models. Therefore the intrusion protection system is adapted to deliver at least partially differing test sets to the terminals 803 and 804.
  • the test intended for the terminal 803 is preferably delivered through a well-protected connection.
  • Delivery protection means that the test cannot be destroyed or altered during delivery.
  • Delivery protection also means that a user of the terminal 803 can be sure that the test has really been sent from the server 801.
  • PKI Public Key Infrastructure
  • Secure SMS for SIM Application 3GPP, TS 23.028
  • the terminal's 803 smart card provides the operation protection.
  • the system is adapted to perform at the terminal a predetermined action that includes at least one of the following: preventing at least partly use of the communication part, a suspension of a program which used the communication without authorization, or removal of a program from the memory.
  • the action set may be included in the same program code package as the test. Then the terminal 803 obtains the action set from the server 801 simultaneously when it receives the test from the server 801. It is also possible that the server 801 delivers the program code of the action set as a dedicated delivery to the terminal.
  • if a utility program of the terminal 803 or another program includes a data security hole, or if one of its programs runs erroneously, the program concerned can be replaced with a corrected program to be included in the program code package. It is important that the intrusion protection system continuously maintains in the radio network 802 the data security of the terminals. For this reason the system is adapted to deliver a program code package from the server 801 via the radio network 802 to the terminal 803.
  • the system is adapted to deliver from the server 801 via the radio network 802 at least partially differing program code packages 806 and 807 to the terminals 803 and 804, the program code package 806 or 807 to include at least one of the following program codes: a code executing a certain test, a code executing a certain action set, or a code that corrects a certain erroneous terminal program.
  • terminal program refers basically to any program capable of operating in a terminal.
  • the intrusion protection system is similar to the inventive method and the inventive smart card.
  • one of the following impulses in the intrusion detection system may start the execution of a test at the terminal 803: activation of the terminal, triggering of a timer, establishing a connection between the terminal and the radio network 802, obtaining user input through the user interface of the terminal, loading a program into the memory of the terminal, or receiving an impulse from the server 801 through the radio network.
  • the server 801 belonging to the intrusion protection system is termed "IPS server".
  • the tests which test the operations of terminals can be stored in the memory of the IPS server. In order to manage and control the tests they are preferably stored in a database.
  • the database preferably includes a user interface so that it is possible to add, remove, or alter tests. Through the user interface it is also possible to control which tests are delivered to which terminals.
  • the simplest version of the IPS server includes only the database for storing tests and a communication link to the radio network.
  • the IPS server may also include other communication links in order to ensure a reliable and efficient operation.
  • FIG. 9 shows connections between the IPS server, databases, registers, and systems supporting the IPS.
  • the IPS server 901 may be, for example, the server 801 shown in FIG. 8. A radio network and terminals are omitted from FIG. 9. However, it can be assumed that the IPS server 901 reads tests from the database 902, delivers the tests read via the radio network to terminals, and receives reports from the terminals.
  • the IPS server 901 stores the reports in a report database 903. The reports can be utilized when drawing conclusions about the operation of the radio network and its terminals.
  • the reports can also be utilized when designing new tests. It is possible to make situation reports on the basis of the reports sent from the terminals.
  • the situation reports can be issued at regular time intervals, or they can be made when a certain threshold limit/limits are met. Some of the situation reports could be intended for the operator's use only. For example, the situation report could be sent to the radio network operator's O&M centre (Operation & Management centre). It is also possible that some situation reports are company-specific, i.e. a certain situation report concerns the terminals of a certain company. In addition, or alternatively, a situation report formulated in a certain way could be sent to a supervision organization of data security, such as "CERT Coordination Center" (CERT/CC).
  • the EIR (Equipment Identity Register) 904 is one of the registers which can be utilized in the intrusion protection system.
  • This device register 904 includes information about the vulnerability of terminals. Different terminal models have their own weaknesses. For example, if Elisa (a network operator) finds a weakness in a certain terminal/terminals, Elisa should inform the EIR. Then the information can be delivered to other operators which explore the content of the EIR. It is important from the point of view of virus protection that the operators co-operate by updating the content of the EIR when they have found new viruses.
  • a billing system 905 is a useful information source for the intrusion protection system. The billing system includes information about calls and messages, e.g.
  • the billing system 905 can be adapted to send a message to the IPS server 901 when a certain billing limit is reached.
  • the message may include an invoice value, a phone number, and an item of information disclosing whether the phone number is a called number or a received call. Because the billing system 905 assists the IPS server 901, the intrusion detection system can be considered to include the billing system, too.
  • the invoice value is one example of how a threshold limit causes the IPS server to create a situation report. In addition to sending the situation report, the IPS server may start actions to protect the radio network's operation.
  • the intrusion protection system is adapted to receive at the server 901 information that affects the operation of the system.
  • the information is from at least one of the following sources: the report 805 sent by the terminal, the report database 903, the billing system 905 of the radio network, the subscriber register 906 (HLR), or the EIR (Equipment Identity Register) 904.
  • the system is adapted to perform a) actions that are determined on the basis of the information received, and/or b) actions that are determined on the basis of combined information, and/or c) actions that are performed when the numerical information received, or the numerical information obtained by combining information, reaches a predetermined threshold/thresholds.
  • the following discusses operations performed by some typical systems.
  • the intrusion protection system is adapted by the IPS server 901 to store the report sent by the terminal in the report database 903 and to make by the IPS server 901 at least one situation report on the basis of the content of the report database 903.
  • the system may be adapted so that the IPS server is able to receive a message sent from the billing system 905 when a predetermined invoice value of a number set has been reached, the number set to include at least one phone number.
  • the number set may include numbers having a certain prefix.
  • the system may also be adapted to make at least one situation report on the basis of the message sent from the billing system 905.
  • the system may be adapted by the IPS server to read weakness information of the terminal from the EIR 904 and on the basis of that to direct an action set to the terminal. Then the IPS server may, for example, start a test at the terminal or send a new test to the terminal.
  • the system may be adapted by the IPS server to start at least one congestion service through the HLR of the radio network.
  • the congestion service is one example of how instead of tests observing terminals, or in addition to these tests, the IPS server may perform an action set limiting the operations of one or more terminals. Typically, the action set limits or prohibits access from a certain terminal to the radio network.
  • the report 805 of the terminal 803 can be an impulse for the intrusion detection system.
  • the server 801 may start a certain action set when receiving a report 805 with certain content. If the server 801 as shown in FIG. 9 is equipped with at least part of the connections to the databases, registers, and system, the impulse may be some other report than that sent by a terminal.
  • the impulse is an item of information or a combination of items of information obtained from a report/reports, the report database 903, the EIR 904, the billing system 905, and/or from the HLR 906.
  • the server 801 performs a predetermined action set. A part of the actions of this action set may be performed at a terminal/terminals and another part of the actions, for example, at the HLR.
  • the following two examples describe impulses and action sets.
  • the IPS server reads in the EIR a piece of information that the mobile stations of a certain model contain a program that is a security risk. Then the IPS server may deliver to these mobile stations a program code package that includes an action set for eliminating the program concerned.
  • the IPS server delivers the revised version to those mobile stations.
  • the IPS server receives a message from the billing system. According to this message a large number of phone calls has been made to a certain phone number within a short period of time.
  • the message sent by the billing system also includes a piece of information about the mobile stations from which the phone calls are initiated.
  • the IPS server starts at those mobile stations a test which takes a file listing of the programs included in each mobile station.
  • An analysis is made of the contents of the file listings of the mobile stations. The analysis discloses that a certain game program can be found in each file listing. Further analysis discloses that this game program is a harmful program.
  • the intrusion protection system is intended for a radio network such as a GSM network, a GPRS (General Packet Radio Service) network, a UMTS (Universal Mobile Telecommunications System) network, or a WLAN (Wireless Local Area Network) network.
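The file-listing test and the billing-triggered analysis described in the items above can be sketched as follows. This is an added example, not code from the patent; the program names, phone numbers, test identifier and the `min_share` parameter are constructed assumptions.

```python
"""Added illustration: IPS-server triage of file listings reported by terminals."""
from collections import Counter

# Constructed sample data. Program names, phone numbers and the list of
# original software are hypothetical placeholders.
ORIGINAL_SOFTWARE = {"phonebook.app", "messaging.app", "calendar.app", "browser.app"}

FILE_LISTINGS = {
    "+99900000001": ["phonebook.app", "messaging.app", "starblaster.app"],
    "+99900000002": ["messaging.app", "calendar.app", "starblaster.app", "notes.app"],
    "+99900000003": ["phonebook.app", "browser.app", "starblaster.app"],
    "+99900000004": ["phonebook.app", "messaging.app", "notes.app"],
}


def file_listing_test(file_listing, original_software):
    """Second type of test: look up each listed program in the list of
    original software; a program missing from that list is a trace of
    inappropriate activity."""
    unknown = sorted(set(file_listing) - set(original_software))
    return {
        "test_id": "FILE-LISTING",  # hypothetical test identifier
        "result": "inappropriate activity" if unknown else "terminal's operation is OK",
        "unknown_programs": unknown,
    }


def common_unknown_programs(file_listings, flagged_numbers, original_software,
                            min_share=1.0):
    """Server-side analysis after a billing-system message names the calling
    terminals: return (program, count) pairs for non-original programs found
    on at least min_share of the flagged terminals that have reported."""
    reported = [n for n in flagged_numbers if n in file_listings]
    if not reported:
        return []  # no listing received yet, nothing to correlate
    counts = Counter()
    for number in reported:
        outcome = file_listing_test(file_listings[number], original_software)
        counts.update(outcome["unknown_programs"])
    threshold = min_share * len(reported)
    hits = [(prog, c) for prog, c in counts.items() if c >= threshold]
    # Most widespread first, then alphabetical for a stable order.
    return sorted(hits, key=lambda pc: (-pc[1], pc[0]))


if __name__ == "__main__":
    # The billing message named three terminals plus one that never reported.
    flagged = ["+99900000001", "+99900000002", "+99900000003", "+99900000009"]
    for program, count in common_unknown_programs(FILE_LISTINGS, flagged,
                                                  ORIGINAL_SOFTWARE):
        print(f"{program}: present on {count} flagged terminals")
```

A program that appears in every flagged listing is only a candidate; as the text says, further analysis decides whether it is actually harmful.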

Abstract

The invention comprises a method for observing the operation of a terminal in a radio network, a smart card for the terminal, and an intrusion protection system intended for radio networks. A test according to the method includes a comparison in which data flows transmitted through different interfaces of the terminal processor are compared to each other. In addition, or alternatively, the test includes a comparison whereby at least one data flow transmitted through an interface of the terminal’s processor is compared to the status data of the communication part of the terminal. The test aims to disclose inappropriate use of the communication part. The above-mentioned intrusion detection system operates as follows. The system performs at a terminal at least one test which tests the operation of the terminal and results in a test result. Then the system writes the test result in a report, sends the report through the radio network to a server, and determines on the basis of the report whether the radio network has been intruded on from the terminal.

Description

Method for observing operation of a smart card, the smart card for a terminal, and an intrusion protection system
Field of the invention

The invention relates generally to the security of data communications and especially to the security of mobile networks, to smart cards, and to intrusion protection systems.

Background of the invention

Different types of protection mechanisms have been developed for communication links. One of these protection mechanisms is a VPN (Virtual Private Network). A VPN is a solution implemented by software or hardware, or a combination of them, enabling the establishment of a secure connection over insecure networks such as the Internet.

Another known solution is a firewall, a system that is implemented by software or hardware and protects a private network from attacks initiated outside the private network. A private network is, for example, the local-area network (LAN) of a company. Essential requirements for a firewall are that all network traffic passes through it and that it transmits only acceptable network traffic.

Virus protection is a protection mechanism against viruses and other harmful programs. Virus protection software scans the contents and features of program files in order to detect harmful programs. At the network level the virus protection scans network traffic, especially emails and their attachment files. Infected attachment files are removed so that a virus cannot enter a user's computer and cause harm there. In this text the term "harmful" refers to various causes, including faulty programs and their faulty use, viruses, and harmful acts of hackers.

The invention especially relates to a protection mechanism termed IDS (Intrusion Detection System). An intrusion detection system aims to detect possible intrusion attempts to a communication network and then operates according to predetermined instructions. If an intrusion is detected quickly enough, an attacker can be identified and instantly removed from the network. The basic principle is that the earlier an attack is detected, the less damage it causes. A well-designed intrusion system can also operate as a deterrent. Thus, an IDS is in some ways similar to a firewall. The IDS also makes it possible to collect information about attack techniques. This information can be utilized when developing better intrusion protection methods.

The intrusion detection is based on the assumption that the actions of an intruder differ in some way from normal actions. The IDS includes a database for storing at least one action set of a normal user and/or one action set initiated by intruders. Actions initiated by a user are compared to the action sets stored in the database, and on the basis of the comparison it is determined whether the user is an intruder or a normal user.

The IDS implementations can be classified in the following classes: hardware intrusion detection systems (termed HIDS), network intrusion detection systems (termed NIDS), and intrusion detection systems that detect exceptional events. Operation of the HIDS implementations is focused on "hardware", i.e. on a computer having a certain type of operating system. An HIDS system requires the installation of a certain application (agent) in the computer. By means of the application the HIDS detects the logins of users. NIDS implementations observe network traffic; thus they can also be termed network analyser programs. An NIDS system captures messages from network traffic and compares the captured messages to the traces/patterns occurring in association with known attack techniques. Generally speaking, an NIDS system is understood as a device connected to a network in order to make observations. For the present, IDS systems detecting exceptional events are more or less theoretical. Those IDS systems collect data about the point in time when a user logs into a system, and they set off an alarm if the user logs into the system at a point in time which is exceptional to himself/herself. At that time an intruder may pose as the concerned user.

IDS systems and the algorithms used in them are discussed, for example, in the article by B. Balajinath and S.V. Raghavan entitled "Intrusion Detection Through Learning Behaviour Model", Computer Communications, Vol. 24, Nr. 12, 15.07.2001, pages 1202-1212, and in the article by A. Boukerche and M.S.M. Annoni Notare entitled "Behaviour-Based Intrusion Detection in Mobile Phone Systems", Journal of Parallel and Distributed Computing, Vol. 62, Nr. 9, 2002, pages 1476-1490.

The acronym IPS comes from the words "intrusion prevention system". Intrusion prevention can be understood as extensive data security including basically all possible means of preventing hacking. While an IDS system only warns about an intrusion attempt, an IPS system is more active, because it also prevents the intruder from advancing in the network and possibly eliminates the harmful programs used by the intruder.

Modern mobile stations and terminals are small-sized computers that can run programs. Most of these programs are utility programs that were installed in a terminal during the manufacturing. However, some of the programs are games and other programs which a user has installed in the terminal later. Previously, when it was only possible to send and receive text messages via mobile stations, the data security was easier to ensure than nowadays. From the point of view of data processing, text messages are data files. Although data files are not without risk, program files are riskier than data files. It can be considered a significant risk when various games are loaded from the Internet into terminals, as those games may turn out to be harmful programs.

A harmful program may cause harm/damage for a terminal user and/or for a network operator. The harmful program may send messages or make calls without the knowledge of the user. The messages sent and the calls made cause economic losses to the user. The network operator has responsibility for the usability of the network and for the services which are used by means of the network. Denial-of-service attacks, whereby legitimate service provision is interrupted, are in principle possible also in mobile networks.

F-Secure is a company that provides a service for enhancing the data security of terminals. Through this service a virus protection program installed in a terminal is updated by SMS (Short Message Service) messages. The service is intended for terminals equipped with the Symbian operating system. (Symbian has been developed by the largest mobile station manufacturers.) The virus protection software improves the data security of the terminals in which the software is installed. A network operator's network may still include a number of terminals which lack the virus protection software, which means that viruses may enter the network via these unprotected terminals.

A drawback in prior art is that in public networks terminal users have a big responsibility for the supervision of the terminals. Many users do not want to deal with or are not capable of dealing with the data security applications of their terminals. Another drawback can be considered the fact that communication networks lack efficient intrusion prevention systems without which network operators cannot significantly improve the data security of their communication networks although they would want to do so.

Summary of the invention

The invention involves an intrusion prevention system, but it also includes characteristics of firewalls and virus protection methods. The invention preferably utilizes a smart card for a terminal, such as a SIM card. The smart card includes a processor and a protected memory, and is thus able to store and execute applications. Because of the protected memory, it is almost impossible to interfere with the applications of the smart card.

The invention comprises 1) a method for observing operation of a radio network terminal, 2) a smart card for the terminal, and 3) an intrusion protection system for the radio network.

The method is intended to observe the operation of a terminal that includes a processor, a display, a user interface, a smart card, and a communication part capable of communicating with at least one radio network. At first a certain impulse or series of impulses starts an application located in the terminal. Then the application performs a test whereby inappropriate activity is searched for by making at least one of the following comparisons:

- a comparison between data flows transmitted through different interfaces of the processor, the processor having interfaces with the smart card, the memory, the display, the user interface, and the communication part,
- a comparison between at least one data flow transmitted through an interface of the processor and status data related to the communication part, the status data being stored in the memory.

If the results of the test performed indicate inappropriate activity, a predetermined action set including at least one action is to be performed. The application performing the before-mentioned steps in the method may be located as a whole in the smart card, as a whole in the memory, or partially in the smart card and partially in the memory.

The smart card according to the invention is adapted to perform the steps in the method.

A new intrusion detection system intended for radio networks comprises at least one server and terminals that are capable of operating in a radio network and are equipped with a smart card. The intrusion detection system executes with a smart card in a terminal a test resulting in a test result. Then the system writes the test result in a report, delivers the report through a network to a server, and determines on the basis of the report whether the terminal has been used to intrude on the network.

Brief description of the drawings

The invention is described more closely with reference to the accompanying drawings, in which

Figure 1 shows the parts of a terminal and the interfaces of a processor located in a terminal,
Figure 2 shows the main steps of a method,
Figure 3 shows the reading of a bus, a buffer, and a variable,
Figure 4 shows a comparison between data flows transmitted through different interfaces of a processor,
Figure 5 shows a comparison between at least one data flow transmitted through an interface of a processor and the status data of a communication part,
Figure 6 shows a comparison between user inputs obtained through a user interface and the operation of a communication part,
Figure 7 shows a comparison between the information content of a device and the operation of a communication part,
Figure 8 shows an intrusion protection system according to the invention,
Figure 9 shows connections between an IPS server, databases, registers, and systems supporting the intrusion protection system.

Detailed description of the invention

The method is intended to prevent operations of a harmful program. The method searches by means of a test for a trace of a harmful program in a terminal. The test may check, for example, the following things: 1) whether a user has pushed a certain button for making a call, or 2) whether the terminal is calling a number. If the terminal is calling some number even though the user has not pushed the above-mentioned key, the terminal is operating in a contradictory way. The test discloses this contradiction, which indicates the existence of a harmful program. The above-described test is only one of the possible tests which can be performed by means of the method.

The following gives a fictitious example of the assembly of a terminal. FIG. 1 shows parts of a terminal and the interfaces of a processor located in the terminal. The terminal 101 includes at least the following parts: a communication part 102, a processor 103, a memory 104, a smart card 105, a display 106, and a user interface 107.

The communication part 102 includes at least a radio part 108 through which the terminal 101 can be connected to a mobile network or to another radio network. The radio part may be, for example, a radio part according to the GSM (Global System for Mobile Communication) standard or a radio part according to the 3GPP (3rd Generation Partnership Project). The terminal may also include a number of radio parts for different network standards. The communication part may further include other parts, such as a WLAN part 109 for communication with a WLAN (Wireless Local Area Network), a Bluetooth part 110 utilizing the Bluetooth technique, and a Firewire part 111, i.e. a part obeying the IEEE 1394 standard or a newer bus standard.
Instead of the Bluetooth part 110, the communication part 102 may include, for example, a communication part utilizing the infrared technique. Instead of the Firewire part 111 the communication part 102 may include, for example, a data transmission part utilizing USB technique (Universal Serial Bus). In addition to the above-mentioned parts, or instead of them, the communication part may include the following parts: a modem, an ISDN (Integrated Services Digital Network) card or adapter, or an ADSL (Asymmetric Digital Subscriber Line) card or adapter.

The processor 103, i.e. the CPU (Central Processing Unit), and the memory 104 are essential parts for the operation of the terminal 101. The type of memory is irrelevant from the point of view of the invention. In addition to the memory permanently assembled in the terminal, the terminal may also include a slot into which it is possible to place a memory card.

It is useful from the point of view of the invention that the smart card 105 includes a protected memory 112 and a processor, i.e. the CPU 113. Then the smart card is able to execute programs without the assistance of the terminal's 101 processor 103 and memory 104. Due to the protected memory 112 of the smart card a network operator can prevent external parties from accessing the smart card 105. Usually the network operator has an exclusive right to write on the protected memory or read it, or to execute programs stored in the protected memory.

The display 106 is composed of a number of parts, of which the video controller 114 is the most pertinent because the display information is shown through it.

The user interface 107 refers to means by which a user of the terminal 101 can input data. A keyboard 115 is one of these means. In addition to the keyboard 115, the user interface may include a joystick 116. It is possible to implement the keyboard, or a part of it, by means of a touch-sensitive surface 117.
The touch-sensitive surface can also be adapted to receive inputs initiated by a stylus pen.

When considering the parts 102-107 of the terminal 101, the processor 103 is operatively of particular importance, because it has interfaces 118-122 with the other parts, i.e. with 102 and 104-107.

The steps in the method are performed in the terminal, i.e. in the smart card and/or in the terminal processor. Use of a smart card is recommended, but when necessary, the method can be performed without one. From the point of view of a network operator, each smart card contained in the intrusion protection system is an assured "bridgehead" whereby the network operator can effectively observe the data coming into the network and protect the network against misuse.

FIG. 2 shows the main steps of the method. A terminal operating in a network includes at least a processor, a memory, a display, a user interface, a smart card, and a communication part. The processor of the terminal has interfaces with the smart card, the memory, the display, the user interface, and the communication part. At first one application located in the terminal is started 201 and one test is performed 202 by the application. During the test the application searches for a trace or traces indicating an inappropriate activity of the terminal by using at least one of the following comparisons: a) a comparison between data flows transmitted through different interfaces of the processor, the processor having interfaces with the smart card, the memory, the display, the user interface, and the communication part, and/or b) a comparison between at least one data flow transmitted through an interface of the processor and status data related to the communication part. The content and data type of the status data may vary. For example, the status data is a Boolean value expressing whether the communication part of the terminal is active or not.
The status data of the communication part typically contains data which the operating system of the terminal has stored in the memory. On the basis of FIG. 1 it can be stated that the first data flow to be observed can be chosen from the data flows of five interfaces 118-122, after which another data flow to be observed can be chosen from the four (remaining) data flows.

If the performed test produces a test result indicating inappropriate activity 203 of the terminal, a predetermined action set is performed 204. This action set may include at least one of the following actions: reporting on the test through the radio network, preventing at least partially the use of the communication part, suspension of a program that has used the communication part without authorization, or removal of a program from the memory.

Thus the application located in the terminal performs the test. One of the following events may start the application: activation of the terminal, triggering of a timer, establishing a connection between the terminal and the radio network, obtaining user input through the user interface, loading a program in the memory, or receiving an impulse via the radio network.

It is essential from the point of view of the method that the data flow of at least one interface of the terminal can be read. In addition to the data flow/data flows, the status data of the communication part of the terminal can be read.

FIG. 3 depicts the reading of information in a bus, a buffer, and a variable. The figure includes a smart card 301 and its parts: a protected memory 302 and a processor 303. In addition, the figure includes a processor 304, a bus 305 connecting a processor and the smart card, and a memory 306. The memory 306 includes a variable 307 and a buffer 308 in which three messages 309 are stored. Only the interface 310 between the memory and the processor is marked in the figure; the rest of the interfaces are omitted.
The application performing the steps in the method can read data flows of one or more interfaces of the processor, for example, from the bus 305 to which the smart card 301 is connected. The bus 305 may be a bus according to one of the following standards: GSM 11.11, GSM 11.14, ISO (International Organization for Standardization) 7810, or ISO 7814. Then the smart card, or the application located in the smart card, obtains information via the bus 305. The information discloses, for example, whether the communication part of the terminal is free or in use. The smart card, or the application stored in the smart card, may similarly obtain the information as to whether the display of the terminal is free or in use.

Typically the bus 305 connects only the smart card and the processor. However, the invention is not limited to this kind of implementation of the bus, but the bus could connect the smart card also to other parts of the terminal, such as the display and the user interface. Thus, the smart card is able to read a data flow from the bus, where the data flow is the communication between the smart card and the operating system of the terminal. This communication may be in accordance with a certain standard, such as GSM 11.11, GSM 11.14, ISO 7810, or ISO 7814. In addition, or alternatively, the smart card can read bus messages that are not sent to the smart card by intercepting messages from the bus, or recording the data flow of the bus. The smart card can read the content of the memory 306 through the bus.

Another source from which the application performing the steps in the method can read data flows of one or more interfaces of the processor is a buffer or a set of buffers. Then the application reads a data flow/data flows from at least one buffer 308 which is handled by the operating system of the terminal and which is stored in the memory 306. Typically the operating system has one buffer for each of its interfaces.
The application must know in which part of the memory 306 the operating system stores the buffer 308. The application must also know the data type of the data items/messages 309. The application may read the buffer through the bus 305.

In certain tests the status data of the communication part are essential information which the application obtains from a variable set maintained by the operating system. This variable set is expected to include at least one variable. The application may read the status data of the communication part from the variable 307 through the bus 305. If one of the above-mentioned GSM or ISO standards is in use, the application may read the status data of a certain communication part in a received message which also contains the variable value 307 for the operating system of the terminal.

The application is easier to implement if it deals with one standard and if it obtains all the needed information for the test/tests from the messages. Dealing with just one standard is not necessarily enough. Some tests may require information which cannot be obtained through any standard. Then the application must know certain details about the operating system of the terminal. In particular, the location of variables and buffers and the data types of the variables are required details. Symbian is an operating system developed by Nokia and certain other mobile phone producers for use in different types of terminals. Microsoft has also developed a popular operating system for mobile terminals.

Generally speaking, the implementation of the application is according to one of the following: the application is located as a whole in the smart card 301, as a whole in the memory 306, or partially in the smart card 301 and partially in the memory 306. If the program code of the application is at least partially located in the memory of the terminal, it may be integrated as a part of the operating system in the terminal.
Also in that case the application is operated according to the steps in the method shown in FIG. 2. The application may be already installed in a terminal/smart card during its production. It is also possible that at least a part of the application is transferred to the terminal/smart card later on. This transfer can be performed via a radio network.

The following four figures specify how a test is executed, i.e. how the step 202 in the method in FIG. 2 is executed. First, the execution depends on the information source, i.e. whether the information needed in the test is read in a bus, a buffer, or in a variable. Different ways of reading information were discussed above, as illustrated in FIG. 3. Secondly, the execution of the step 202 (FIG. 2) depends on whether it is a) or b) of the above-mentioned comparisons that is to be performed.

FIG. 4 shows comparisons between data flows transmitted through different interfaces of a processor. When the test executed by the application includes the comparison a), the following sub-steps are performed in the method: reading 401 the data flows of different interfaces of the processor, comparing 402 the data flows, and when contents of the data flows differ from each other 403, presenting 404 a result indicating inappropriate activity.

The application outputs the result indicating inappropriate activity when, for example, a user of the terminal has selected the phone number of person 'X' from the name list of the terminal but the communication part of the terminal establishes a connection to another phone number than the phone number of person 'X'. Then the phone number that was transmitted through the interface between the processor and the user interface differs from the phone number that was transmitted through the interface of the processor and communication part. When the application reads the above-mentioned data flows, it detects that the phone numbers differ.
In addition or alternatively the step 202 in the method can be executed according to the following figure.

FIG. 5 shows a comparison between at least one data flow transmitted through an interface of a processor and the status data of a communication part. When the test executed by the application includes the comparison b), at least the following sub-steps are to be performed in the method: reading 501 data flow of at least one interface of the processor, reading 502 status data of the communication part, comparing 503 content of the data flow/flows read to the content of the status data of the communication part, and when the contents conflict 504, presenting 505 a result indicating inappropriate activity of the communication part. FIG. 6 and FIG. 7 depict ways in which (FIG. 5, step 504) the contents may conflict.

In addition or alternatively the step 202 of the method can be executed according to the following figure.

FIG. 6 shows a comparison between user inputs obtained through a user interface and the operation of a communication part. The execution of the sub-steps is described from the point of view of the application. The application identifies 601 a command set obtained through the user interface of the terminal, the command set including at least one command. Many mobile station models are equipped with a specific button intended for establishing a connection. The button may include, for example, a green symbol representing a phone set. During the execution of the sub-step 601, the application may identify whether a user has pushed the green phone set button or not. If the command set is composed of a number of commands, normally a number of messages/signals related to certain keystrokes must be identified. Then the application identifies 602 whether the command set is intended to activate the communication part of the terminal.
When the command set is not among the normal command sets that activate the communication part, the application checks next 603 whether the communication part has been activated. If the command set given by the user should not have activated the communication part, some harmful program has probably activated the communication part. When the communication part is said to be activated, it is either currently activated or it will be activated, if the activation is not prevented. The communication part is activated, for example, when establishing a phone call. The communication part is going to be activated, for example, when the user aims to make a phone call or he/she aims to send a text message. The application may execute the sub-step 603, for example, by reading a certain Boolean value. When the communication part is activated, the application presents 604 a result indicating inappropriate activity.

If the command set in 602 is among the command sets activating the communication part, the application checks 605 whether the operation of the communication part is in accordance with some command set of the command sets that activate the communication part. If the operation of the communication part differs from the operations of the command sets that activate the communication part, the application presents 606 a result indicating another type of inappropriate activity. The result indicating this type of inappropriate activity is presented, for example, when the terminal sends a second text message in addition to the text message which the user wants to send.

In addition, or alternatively, the step 202 of the method can be executed according to the following figure.

FIG. 7 shows a comparison between the information content of a device and the operation of a communication part. The information content is composed of different symbols, of which the symbols related to data communication are significant from the point of view of the invention.
For example, the text "calling" to be shown on the display of the terminal is that kind of symbol. In the following, the execution of the sub-steps is described from the point of view of the application. The application identifies 701 the symbol set, including at least one symbol. Then the application checks 702 whether the symbol set includes a symbol that indicates activity of the communication part. When that symbol is not shown on the display, the application checks 703 whether the communication part has been activated. When the communication part is said to be activated, either it is currently active or it will be activated if the activation is not prevented. If the communication part has been activated or is to be activated when no symbol is displayed, it is reasonable to assume that a harmful program has performed the activation. Then the application presents 704 a result indicating inappropriate activity.

If a symbol indicating activity of the communication part is shown on the display 702, the application checks 705 whether operation of the communication part is in accordance with a certain operation to which the symbol indicating the activity of the communication part is logically mapped. For example, the symbol "Calling" is logically mapped to a phone call. The symbol "Calling" is not mapped to, for example, sending a text message. If the operation of the communication part differs from the operation mapped to the symbol, the application presents 706 a result that indicates another type of inappropriate activity.

The smart card according to the invention is adapted to perform the steps in the method. The smart card is intended for a terminal operating in a communication network. The communication network may be, for example, a mobile network or a fixed network. The smart card is assumed to be located in a terminal which comprises a processor, a memory, a display, a user interface, and a communication part.
The terminal may be, for example, a mobile station or a computer whose communication part connects it to the Internet.

The smart card shown in FIG. 3 is adapted to perform at a terminal a test in which a trace of inappropriate activity is searched for by using at least one of the following comparisons: a) a comparison between data flows transmitted through different interfaces of the processor, the processor having interfaces with the smart card, the memory, the display, the user interface, and the communication part, or b) a comparison between at least one data flow transmitted through an interface of the processor and the status data related to the communication part, the status data being stored in the memory. When the performed test produces a test result indicating inappropriate activity of the communication part, the smart card 301 is adapted to perform a predetermined action set including at least one action. The actions which the smart card 301 is adapted to perform are described in more detail in FIG. 4-7.

The smart card is preferably located in a mobile station because the mobile station typically includes a certain button by which a phone call is initiated. Similarly, the sending of text messages or the sending of MMS (Multimedia Messaging Service) messages is executed after a certain keystroke/keystroke series. Therefore, it is quite easy for the smart card to test whether the operation of the mobile station's communication part is inappropriate. The test according to FIG. 6 is more complicated to execute in computers because computers usually lack a certain button that activates the communication part. The test according to FIG. 7 is also difficult for computers because there is a variety of software for establishing data communications, and their graphical user interfaces include various symbols indicating activity of the communication part.
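The decision flows of FIG. 6 and FIG. 7 described above, written out as an added example that is not code from the patent. The key names `CALL` and `SEND_SMS`, the symbol "Sending message", the record layout and the phone numbers are assumptions constructed for illustration.

```python
from __future__ import annotations
from dataclasses import dataclass
from enum import Enum


class Result(Enum):
    OK = "terminal's operation is OK"
    UNREQUESTED = "communication part activated without command/symbol"   # 604, 704
    MISMATCH = "communication part did something other than requested"    # 606, 706


@dataclass(frozen=True)
class Operation:
    kind: str    # "call" or "sms"
    target: str  # number the communication part contacts


@dataclass
class Observation:
    """One observation window read from the processor's interfaces (constructed layout)."""
    keystrokes: list[str]        # data flow of the user interface
    symbols: list[str]           # symbols sent to the display
    comm_active: bool            # Boolean status data of the communication part
    operations: list[Operation]  # what the communication part did or is about to do


# Assumed key names: "CALL" stands for the green phone set button.
ACTIVATING_KEYS = {"CALL": "call", "SEND_SMS": "sms"}
# "Calling" is the page's example symbol; "Sending message" is an assumed one.
SYMBOL_TO_KIND = {"Calling": "call", "Sending message": "sms"}


def requested_operations(keystrokes):
    """Sub-steps 601-602: find the command sets that activate the communication part."""
    requested, digits = [], ""
    for key in keystrokes:
        if key.isdigit():
            digits += key
        else:
            if key in ACTIVATING_KEYS and digits:
                requested.append(Operation(ACTIVATING_KEYS[key], digits))
            digits = ""  # any non-digit key ends the number being entered
    return requested


def activated(obs):
    """Sub-steps 603/703: active now, or about to be activated."""
    return obs.comm_active or bool(obs.operations)


def fig6_test(obs):
    """User commands versus the operation of the communication part."""
    requested = requested_operations(obs.keystrokes)
    if not requested:
        return Result.UNREQUESTED if activated(obs) else Result.OK  # 603-604
    unmatched = list(requested)
    for op in obs.operations:        # 605: each operation needs its own command set
        if op in unmatched:
            unmatched.remove(op)
        else:
            return Result.MISMATCH   # 606, e.g. a second text message
    return Result.OK


def fig7_test(obs):
    """Displayed symbols versus the operation of the communication part."""
    shown = {SYMBOL_TO_KIND[s] for s in obs.symbols if s in SYMBOL_TO_KIND}  # 701-702
    if not shown:
        return Result.UNREQUESTED if activated(obs) else Result.OK  # 703-704
    if any(op.kind not in shown for op in obs.operations):          # 705
        return Result.MISMATCH                                      # 706
    return Result.OK


# Constructed sample windows.
USER, OTHER = "0401234567", "0700123456"
SAMPLES = {
    "normal call": Observation(list(USER) + ["CALL"], ["Calling"], True,
                               [Operation("call", USER)]),
    "silent call": Observation([], [], True, [Operation("call", OTHER)]),
    "extra sms": Observation(list(USER) + ["SEND_SMS"], ["Sending message"], True,
                             [Operation("sms", USER), Operation("sms", OTHER)]),
    "wrong operation": Observation(list(USER) + ["CALL"], ["Calling"], True,
                                   [Operation("sms", USER)]),
    "idle": Observation([], [], False, []),
}

if __name__ == "__main__":
    for name, obs in SAMPLES.items():
        print(f"{name:16} FIG.6={fig6_test(obs).name:12} FIG.7={fig7_test(obs).name}")
```

The "extra sms" window passes the FIG. 7 check but fails the FIG. 6 check, which is why the text offers the tests as alternatives that can also be combined.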
Testing the operation of the communication part is easier and more reliable if a user is assumed to indicate his/her intent to use the communication part by using a certain command set. For example, the command set may be composed of three consecutive keystrokes of the CTRL key. In this example, the smart card 301 reads 501 the data flow of the computer's user interface and data flow of the processor's interface. In addition, the smart card reads 502 the status data of the communication part, such as the status data of a modem. Then the smart card compares 503 the contents of the data flow and the status data. If the contents conflict 504, i.e. if the data flow lacks the three consecutive CTRL keystrokes but the modem is nevertheless in use, the smart card presents 505 a result indicating inappropriate activity.

The smart card 301 is capable of performing tests according to FIG. 2. There are plenty of tests which include the comparison a) and/or b). In addition, the smart card may be adapted to perform other types of tests, and the smart card may be adapted to the transfer of at least one test program through a protected communication link.

FIG. 8 shows an intrusion protection system according to the invention. The intrusion detection system includes at least one server 801 and terminals which are able to operate in radio network 802 and are equipped with smart cards. Terminals 803 and 804 are examples of such terminals. The system is adapted to perform at the terminal 803 at least one test concerning the operation of the terminal, whereby the performed test/tests result in a test result. The system is further adapted to write at the terminal 803 the test result in a report 805, to deliver the report 805 via a radio network 802 to the server 801, and to determine on the basis of the delivered report whether there has been an intrusion from the terminal 803 on the radio network 802. The test to be performed at the terminal 803 may be the test shown in FIG. 2.
In other words, the system is adapted to perform at the terminal 803 the test whereby a trace of inappropriate activity is searched for by using at least one of the comparisons a) or b) shown in FIG. 2. In addition or alternatively, the system is adapted to perform at the terminal 803 a second type of test in which a trace of inappropriate activity is searched for so that the memory content of the terminal is compared to content considered to be appropriate. For example, another type of test is the following. First, a file listing of the programs included in the memory of the terminal is composed at the terminal 803. Then each program of the file listing is searched for from another list. That list includes the programs belonging to the original software of the terminal. If the program searched for is missing from the above-mentioned list, the test presents a result indicating inappropriate activity. In addition or alternatively the system is adapted to perform at the terminal 803 a third kind of test: In this test a trace of inappropriate activity is searched for by comparing the memory content of the terminal to the content considered to be inappropriate. The third type of test is typically a virus test in which a trace of a virus/harmful program is searched for from the memory of the terminal 803. In addition, or alternatively, the system is adapted to perform at the terminal a fourth type of test which collects information about the terminal and its operation. Because the viruses/harmful programs often have specific file names, the fourth type of test program takes the file listing of the terminal's programs and delivers the file listing to the server 801. Another test of the fourth type is more advanced. For example, the test program stores the following log information: a) the name of the program that established a data connection, b) the point in time when the data connection was established, and c) a point of time when the data connection was terminated. 
This log information is the outcome/the result of the fourth type of test. If needed, the log information is included in a report and delivered to the server 801. The terminal 803 is adapted to perform at least one test that results in an outcome to be placed in the report 805. The test to be performed may correspond to the test described in FIG. 2 and FIG. 4-7. Alternatively, the test may be one of the above-mentioned tests, i.e. the second type of test, the third type of test, or the fourth type of test. The content of the report 805 can be formulated in various ways. For example, the test may result in the following test result: "terminal's operation is OK". In addition to the test result, the report usually includes a test identifier disclosing the test which was performed at the terminal. The terminal 803 sends the report 805, for example, as an SMS message to the server 801. The SMS message includes the sender's phone number, i.e. the terminal's phone number. Especially the fourth type of test may result in a lot of information. If needed, the report 805 is composed of a number of messages. In practice, it is reasonable to code the test results so that a certain short code/character string corresponds to the test result "terminal's operation is OK". Then the server 801 determines on the basis of the code/character string whether the radio network 802 has been intruded on from the terminal 803. It can be assumed that a terminal includes a test/tests that observe in some way the operation of the terminal. Because a harmful program may be programmed after the manufacture of the terminal, the test installed in the terminal does not necessarily disclose the newest harmful programs. Then the newer harmful programs may cause damage at the terminal and/or in the radio network. Therefore, it is important that the tests observing the terminal's operation are continuously developed. 
When the tests are developed or completely new tests are created, these tests need to be delivered to the terminal. For this reason the intrusion protection system is adapted to deliver a test/tests from the server 801 to the terminal 803. The test delivered may be the first test to be performed at the terminal 803, or the test may replace a certain test, or the test may improve a certain existing test/tests.

Generally speaking, terminals include producer-specific and model-specific differences; thus a certain harmful program usually causes damage in certain terminal models. Therefore the intrusion protection system is adapted to deliver at least partially differing test sets to the terminals 803 and 804.

The test intended for the terminal 803 (or 804) is preferably delivered through a well-protected connection. Delivery protection means that the test cannot be destroyed or altered during delivery. Delivery protection also means that a user of the terminal 803 can be sure that the test has really been sent from the server 801. For example, the methods termed PKI (Public Key Infrastructure) or "Secure SMS for SIM Application" (3GPP, TS 23.048) can be used to ensure delivery protection.

In addition, it is important that the test delivered cannot be eliminated or altered without authorization. In other words, the test should have operation protection. The smart card of the terminal 803 provides the operation protection. Thus operation protection makes the smart card of the terminal 803 one of the reliable bridgeheads of the intrusion detection system at which intrusion attempts on the radio network 802 are blocked.
In more detail, when the test produces a result indicating inappropriate activity of the terminal 803, the system is adapted to perform at the terminal a predetermined action that includes at least one of the following: preventing at least partly use of the communication part, a suspension of a program which used the communication part without authorization, or removal of a program from the memory.

The action set may be included in the same program code package as the test. Then the terminal 803 obtains the action set from the server 801 at the same time as it receives the test from the server 801. It is also possible that the server 801 delivers the program code of the action set as a dedicated delivery to the terminal.

If a utility program of the terminal 803 or another program includes a data security hole, or if one of its programs runs erroneously, the program concerned can be replaced with a corrected program to be included in the program code package.

It is important that the intrusion protection system continuously maintains in the radio network 802 the data security of the terminals. For this reason the system is adapted to deliver a program code package from the server 801 via the radio network 802 to the terminal 803. In addition, the system is adapted to deliver from the server 801 via the radio network 802 at least partially differing program code packages 806 and 807 to the terminals 803 and 804, the program code package 806 or 807 including at least one of the following program codes: a code executing a certain test, a code executing a certain action set, or a code that corrects a certain erroneous terminal program. The term "terminal program" refers basically to any program capable of operating in a terminal.

The intrusion protection system is similar to the inventive method and the inventive smart card.
Also one of the following impulses in the intrusion detection system may start the execution of a test at the terminal 803: activation of the terminal, triggering of a timer, establishing a connection between the terminal and the radio network 802, obtaining user input through the user interface of the terminal, loading a program into the memory of the terminal, or receiving an impulse from the server 801 through the radio network. The server 801 belonging to the intrusion protection system is termed "IPS server". The tests which test the operations of terminals can be stored in the memory of the IPS server. In order to manage and control the tests they are preferably stored in a database. The database preferably includes a user interface so that it is possible to add, remove, or alter tests. Through the user interface it is also possible to control which tests are delivered to which terminals. The simplest version of the IPS server includes only the database for storing tests and a communication link to the radio network. The IPS server may also include other communication links in order to ensure a reliable and efficient operation. FIG. 9 shows connections between the IPS server, databases, registers, and systems supporting the IPS. The IPS server 901 may be, for example, the server 801 shown in FIG. 8. A radio network and terminals are omitted from FIG. 9. However, it can be assumed that the IPS server 901 reads tests from the database 902, delivers the tests read via the radio network to terminals, and receives reports from the terminals. The IPS server 901 stores the reports in a report database 903. The reports can be utilized when drawing conclusions about the operation of the radio network and its terminals. The reports can also be utilized when designing new tests. It is possible to make situation reports on the basis of the reports sent from the terminals. 
The situation reports can be issued at regular time intervals, or they can be made when a certain threshold limit/limits are met. Some of the situation reports could be intended for the operator's use only. For example, the situation report could be sent to the radio network operator's O&M centre (Operation & Management centre). It is also possible that some situation reports are company-specific, i.e. a certain situation report concerns the terminals of a certain company. In addition, or alternatively, a situation report formulated in a certain way could be sent to a supervision organization of data security, such as "CERT Coordination Center" (CERT/CC).

The EIR (Equipment Identity Register) 904 is one of the registers which can be utilized in the intrusion protection system. This device register 904 includes information about the vulnerability of terminals. Different terminal models have their own weaknesses. For example, if Elisa (a network operator) finds a weakness in a certain terminal/terminals, Elisa should inform the EIR. Then the information can be delivered to other operators which explore the content of the EIR. It is important from the point of view of virus protection that the operators co-operate by updating the content of the EIR when they have found new viruses.

Among the operator's own systems a billing system 905 is a useful information source for the intrusion protection system. The billing system includes information about calls and messages, e.g. a caller number, a receiver number, and the cost of a call or a message. The billing system 905 can be adapted to send a message to the IPS server 901 when a certain billing limit is reached. The message may include an invoice value, a phone number, and an item of information disclosing whether the phone number is a called number or a received call. Because the billing system 905 assists the IPS server 901, the intrusion detection system can be considered to include the billing system, too.
The invoice value is one example of how a threshold limit causes the IPS server to create a situation report. In addition to sending the situation report, the IPS server may start actions to protect the radio network's operation. Then it is possible to start a congestion service through the HLR (Home Location Register) 906 for one or more terminals. For example, the following congestion services are useful for the intrusion detection system: congestion of phone calls to a certain number/numbers, congestion of received messages, and/or congestion of sent messages, wherein the messages are SMS messages or MMS (Multimedia Messaging Service) messages.

The intrusion protection system is adapted to receive at the server 901 information that affects the operation of the system. The information is from at least one of the following sources: the report 805 sent by the terminal, the report database 903, the billing system 905 of the radio network, the subscriber register 906 (HLR), or the EIR (Equipment Identity Register) 904. In addition the system is adapted to perform a) actions that are determined on the basis of the information received, and/or b) actions that are determined on the basis of combined information, and/or c) actions that are performed when the numerical information received, or the numerical information obtained by combining information, reaches a predetermined threshold/thresholds.

The following discusses operations performed by some typical systems. If required, the intrusion protection system is adapted so that the IPS server 901 stores the report sent by the terminal in the report database 903 and makes at least one situation report on the basis of the content of the report database 903. In addition, the system may be adapted so that the IPS server is able to receive a message sent from the billing system 905 when a predetermined invoice value of a number set has been reached, the number set including at least one phone number.
For example, the number set may include numbers having a certain prefix. The system may also be adapted to make at least one situation report on the basis of the message sent from the billing system 905. In addition, the system may be adapted by the IPS server to read weakness information of the terminal from the EIR 904 and on the basis of that to direct an action set to the terminal. Then the IPS server may, for example, start a test at the terminal or send a new test to the terminal. In addition, the system may be adapted by the IPS server to start at least one congestion service through the HLR of the radio network. The congestion service is one example of how instead of tests observing terminals, or in addition to these tests, the IPS server may perform an action set limiting the operations of one or more terminals. Typically, the action set limits or prohibits access from a certain terminal to the radio network. The report 805 of the terminal 803 can be an impulse for the intrusion detection system. In other words, the server 801 may start a certain action set when receiving a report 805 with certain content. If the server 801 as shown in FIG. 9 is equipped with at least part of the connections to the databases, registers, and system, the impulse may be some other report than that sent by a terminal. Generally speaking, the impulse is an item of information or a combination of items of information obtained from a report/reports, the report database 903, the EIR 904, the billing system 905, and/or from the HLR 906. In response to the impulse, the server 801 performs a predetermined action set. A part of the actions of this action set may be performed at a terminal/terminals and another part of the actions, for example, at the HLR. The following two examples describe impulses and action sets. In the first example, the IPS server reads in the EIR a piece of information that the mobile stations of a certain model contain a program that is a security risk. 
Then the IPS server may deliver to these mobile stations a program code package that includes an action set for eliminating the program concerned. Later, when a revised version of the program is available, the IPS server delivers the revised version to those mobile stations. In the second example, the IPS server receives a message from the billing system. According to this message a large number of phone calls has been made to a certain phone number within a short period of time. The message sent by the billing system also includes a piece of information about the mobile stations from which the phone calls are initiated. Then the IPS server starts at those mobile stations a test which takes a file listing of the programs included in each mobile station. An analysis is made of the contents of the file listings of the mobile stations. The analysis discloses that a certain game program can be found in each file listing. Further analysis discloses that this game program is a harmful program. In addition to the above-mentioned examples there are a number of other ways to utilize the inventive intrusion protection system. However, these ways are obvious for a person skilled in the art. On the basis of the instructions obtainable from this patent application a person skilled in the art can create modifications of the inventive method, the smart card, and/or the intrusion detection system, but these modifications can be considered to be included within the scope of the invention. In principle, the method and the smart card can be utilized in any communication network. The intrusion protection system is intended for a radio network such as a GSM network, a GPRS (General Packet Radio Service) network, a UMTS (Universal Mobile Telecommunications System) network, or a WLAN (Wireless Local Area Network) network.
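The second example above (a billing-system impulse followed by analysis of the terminals' file listings) can be sketched as server-side correlation logic. This is an added illustration, not code from the patent application; the function names, the call-count threshold, the time window, the baseline of expected programs and all sample data are assumptions constructed for the example.

```python
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class CallRecord:
    caller: str   # number of the originating mobile station
    called: str   # number that was called
    ts: int       # call start time in seconds


def billing_impulses(records, max_calls, window_s):
    """Billing-system side: find called numbers that received at least
    max_calls calls inside any window of window_s seconds.
    Returns {called_number: set of callers seen in those windows}."""
    by_called = defaultdict(list)
    for rec in records:
        by_called[rec.called].append(rec)

    impulses = {}
    for called, recs in by_called.items():
        recs.sort(key=lambda r: r.ts)
        start = 0
        for end in range(len(recs)):
            # Advance the window start until the span fits in window_s.
            while recs[end].ts - recs[start].ts > window_s:
                start += 1
            if end - start + 1 >= max_calls:
                callers = impulses.setdefault(called, set())
                callers.update(r.caller for r in recs[start:end + 1])
    return impulses


def common_suspects(listings, callers, baseline):
    """IPS-server side: programs present in every file listing that was
    returned by the implicated terminals, minus the expected baseline."""
    returned = [set(listings[c]) for c in callers if c in listings]
    if not returned:
        return set()
    return set.intersection(*returned) - set(baseline)


def situation_report(records, listings, baseline, max_calls, window_s):
    """Combine both steps into one report entry per flagged number.
    Terminals that have not returned a listing are reported separately
    so that the file-listing test can be started on them again."""
    report = []
    impulses = billing_impulses(records, max_calls, window_s)
    for called, callers in sorted(impulses.items()):
        report.append({
            "called_number": called,
            "terminals": sorted(callers),
            "no_listing": sorted(c for c in callers if c not in listings),
            "suspect_programs": sorted(
                common_suspects(listings, callers, baseline)),
        })
    return report


# Constructed sample data (not from the patent application).
SAMPLE_RECORDS = [
    CallRecord("555-0101", "555-0199", 0),
    CallRecord("555-0102", "555-0199", 10),
    CallRecord("555-0101", "555-0199", 20),
    CallRecord("555-0102", "555-0199", 30),
    CallRecord("555-0101", "555-0199", 40),
    CallRecord("555-0103", "555-0199", 50),
    CallRecord("555-0104", "555-0150", 5),
    CallRecord("555-0104", "555-0150", 4000),
]
SAMPLE_LISTINGS = {
    "555-0101": ["phonebook", "calendar", "racegame.sis", "camera"],
    "555-0102": ["phonebook", "calendar", "racegame.sis"],
    # 555-0103 has not yet returned its file listing.
    "555-0104": ["phonebook", "calendar", "chess.sis"],
}
BASELINE = {"phonebook", "calendar"}

if __name__ == "__main__":
    for entry in situation_report(SAMPLE_RECORDS, SAMPLE_LISTINGS,
                                  BASELINE, max_calls=5, window_s=60):
        print(entry)
```

A program that survives the intersection is only a candidate; as in the description, further analysis decides whether it is harmful before any action set is directed at the terminals.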

Claims

1. A method for observing the operation of a terminal, said terminal to include a processor, a memory, a display, a user interface, and a communication part which is capable of communicating with at least a radio network, characterized by the steps of starting an application located in the terminal, performing by the application a test in which a trace of inappropriate activity is searched for by using at least one of the following comparisons: - a comparison between data flows transmitted through different interfaces of the processor, the processor having interfaces with the smart card, the memory, the display, the user interface, and the communication part, - a comparison between at least one data flow transmitted through an interface of the processor and status data related to the communication part, the status data being stored in the memory, and when the performed test results in an outcome indicating inappropriate activity, performing a predetermined action set which includes at least one action.
2. The method as in claim 1, characterized in that the action set includes at least one of the following actions: reporting on the test via the radio network, preventing at least partially the use of the communication part, suspension of a program which has used the communication part without authorization, or removal of a program from the memory.
3. The method as in claim 1, characterized in that one of the following events starts the application located in the smart card: an activation of the terminal, triggering of a timer, establishing a connection between the terminal and the radio network, obtaining user input through the user interface, loading a program in the memory, or receiving an impulse via the radio network.
4. The method as in claim 1, characterized in that during execution of the test, data flow/flows are read from a bus to which the smart card is connected.
5. The method as in claim 1, characterized in that during execution of the test, data flow/flows are read from at least one buffer located in the memory and handled by an operating system of the terminal.
6. The method as in claim 1, characterized in that during execution of the test, the status data of the communication part is obtained from a variable set maintained by an operating system and stored in the memory, the variable set to include at least one variable.
7. The method as in claim 1, characterized in that implementation of the application is one of the following: the application is located as a whole in the smart card, the application is located as a whole in the memory, the application is partially located in the smart card and partially in the memory.
8. The method as in claim 1, characterized in that at least part of the application is transferred through the radio network to the terminal.
9. The method as in claim 1, characterized in that when the test includes the first-mentioned comparison, the method further comprises the steps of: reading data flows of different interfaces of the processor, comparing the data flows, and when contents of the data flows differ from each other, presenting a result indicating inappropriate activity of the communication part.
10. The method as in claim 1, characterized in that when the test includes the second-mentioned comparison, the method further comprises the steps of reading the data flow of at least one interface of the processor, reading the status data of the communication part, comparing content of the data flow/flows read to the content of the status data of the communication part, and when the contents conflict, presenting a result indicating inappropriate activity of the communication part.
11. The method as in claim 1, characterized in that comparison between user inputs obtained through the user interface and operation of the communication part comprise the steps of: identifying a command set which is input through the user interface and includes at least one command, checking whether the command set is intended to activate the communication part of the terminal, and when the command set is missing from those command sets which activate the communication part, checking whether the communication part is activated, and when communication part is activated, presenting a result indicating inappropriate activity.
12. The method as in claim 11, characterized in that when the command set that is input through the user interface is included in those command sets which activate the communication part, checking whether the operation of the communication part is in accordance with some command of the command set, and presenting a result indicating another type of inappropriate activity when the operation of the communication part differs from the command set activating the communication part.
13. The method as in claim 1, characterized in that the application located in the smart card performs the steps of: identifying a symbol set presented on the display of the terminal, the symbol set to include at least one symbol, checking whether the symbol set includes a symbol intended to characterize the activity of the communication part, and when said symbol is missing from the display, checking whether the communication part is active, and when the communication part is active, presenting a result indicating inappropriate activity.
14. The method as in claim 13, characterized in that when said symbol appears on the display, checking whether the activity of the communication part is in accordance with some command set activating the communication part and presenting a result indicating another type of inappropriate activity when the operation of the communication part differs from the command set activating the communication part.
15. A smart card for a terminal capable of operating in a communications network, the terminal to include a processor, a memory, a display, a user interface, and a communication part which is capable of communicating with at least a radio network, characterized in that the smart card is adapted to perform on a terminal a test in searching for a trace of inappropriate activity by using at least one of following comparisons: - a comparison between data flows transmitted through different interfaces of the processor, wherein the processor has interfaces with the smart card, the memory, the display, the user interface, and the communication part, - a comparison between at least one data flow transmitted through an interface of the processor and the status data related to the communication part, wherein the status data is stored in the memory, and when the performed test results in an outcome indicating inappropriate activity, the smart card is adapted to perform a predetermined action set to include at least one action.
16. The smart card as in claim 15, characterized in that the action set includes at least one of the following actions: reporting on the test through the radio network, preventing at least partially use of the communication part, suspension of a program which has used the communication part without authorization, or removal of a program from the terminal memory.
17. The smart card as in claim 15, characterized in that one of the following actions starts the operation of the test: activation of the terminal, triggering of a timer, establishing a connection between the terminal and the radio network, obtaining user input through the user interface, loading a program in the memory, or receiving an impulse via the radio network.
18. The smart card as in claim 15, characterized in that during the test the smart card is adapted to read data flow/data flows from the bus to which the smart card is connected.
19. The smart card as in claim 15, characterized in that during the test the smart card is adapted to read data flow/data flows from at least one buffer stored in the memory and handled by an operating system of the terminal.
20. The smart card as in claim 15, characterized in that the status data of the communication part is obtainable from a variable set stored in the memory, the variable set to include at least one variable.
21. The smart card as in claim 15, characterized in that the smart card is adapted to read data flows of different interfaces of the processor and compare the data flows read.
22. The smart card as in claim 15, characterized in that the smart card is adapted to read data flow from at least one interface of the processor, read the status data of the communication part, and compare the content of the read data flow/flows to the content of the status data of the communication part.
23. The smart card as in claim 15, characterized in that the smart card is adapted to identify a command set presented on the display of the terminal, the command set to include at least one command, check whether the command set is intended to activate the communication part of the terminal, and check whether the communication part is active.
24. The smart card as in claim 15, characterized in that the smart card is adapted to identify a symbol set presented on the display of the terminal, the symbol set to include at least one symbol, check whether the symbol set includes a symbol intended to characterize activity of the communication part, and when said symbol is missing from the display, check whether the communication part is active.
25. The smart card as in claim 15, characterized in that the communication network is one of the following networks: a radio network, a mobile network, or a fixed network.
26. The smart card as in claim 15, characterized in that the smart card is adapted to receive at least one test through a protected communication link of the communications network.
27. An intrusion protection system for a radio network, characterized in that said system includes at least one server and terminals which operate in the radio network and are equipped with a smart card, said system being adapted to perform at the terminal at least one test concerning the activity of the terminal, the test to result in a test result, write at the terminal the test result in a report, deliver the report via the radio network to the server, and determine on the basis of the report delivered whether the radio network has been intruded on from the terminal.
28. The intrusion detection system as in claim 27, characterized in that said system is adapted to perform on a terminal a test in which a trace of inappropriate activity is searched for by using at least one of following comparisons: - a comparison between data flows transmitted through different interfaces of the processor, wherein the processor has interfaces with the smart card, the memory, the display, the user interface, and the communication part, - a comparison between at least one data flow transmitted through an interface of the processor and status data related to the communication part, wherein the status data is stored in the memory.
29. The intrusion detection system as in claim 27, characterized in that said system is adapted to perform at the terminal a second type of test whereby a search is performed for a trace of inappropriate activity and the content of the memory is compared to a certain content considered to be appropriate.
30. The intrusion detection system as in claim 27, characterized in that said system is adapted to perform at the terminal a third type of test whereby a search is performed for a trace of inappropriate activity and the memory content of the terminal is compared to a certain content considered to be inappropriate.
31. The intrusion detection system as in claim 27, characterized in that said system is adapted to perform at the terminal a fourth type of test which results in a test result that includes information about the activity of the terminal.
32. The intrusion detection system as in claim 27, characterized in that said system is adapted to perform at the terminal a predetermined action set including at least one of the following actions: preventing at least partially use of the communication part, suspension of a program which has used the communication part without authorization, or removal of a program from the memory.
33. The intrusion detection system as in claim 27, characterized in that said system is adapted to deliver a program code package from the server via the radio network to the terminal.
34. The intrusion detection system as in claim 27, characterized in that said system is adapted to deliver from the server at least partially differing program code packages and to different terminals of the radio network, wherein a program code package includes at least one of the following program codes: a code executing a certain test, a code executing a certain action set, or a code that corrects a certain erroneous terminal program.
35. The intrusion detection system as in claim 27, characterized in that said system is adapted to receive at the terminal information affecting the operation of said system, the information having originated from the following sources: the report sent by the terminal, a report database storing reports sent by terminals, a billing system of the radio network, a subscriber register of the radio network, or the EIR (Equipment Identity Register).
36. The intrusion detection system as in claim 35, characterized in that said system is adapted to perform actions that are at least partially determined on the basis of the information received.
37. The intrusion detection system as in claim 35, characterized in that said system is adapted to store at the server the report sent from the terminal to the report database and make at least one situation report on the basis of the content of the report database.
38. The intrusion detection system as in claim 35, characterized in that said system is adapted to receive at the server a message which has been sent from the billing system when a predetermined invoice value of a number set has been reached, the number set to include at least one phone number, and make at the server at least one situation report on the basis of the content of said message.
39. The intrusion detection system as in claim 35, characterized in that said system is adapted to read by the server weakness information of the terminal from the EIR, and on the basis of the read weakness information, direct an action set to the terminal.
40. The intrusion detection system as in claim 35, characterized in that said system is adapted to start by the server at least one congestion service through the subscriber register of the radio network.
PCT/FI2005/050186 2004-06-02 2005-06-01 Method for observing operation of a smart card, the smart card for a terminal, and an intrusion protection system WO2005120006A1 (en)

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
FI20045206 2004-06-02
FI20045206A FI118709B (en) 2004-06-02 2004-06-02 Method for monitoring the function of a radio network terminal, an intelligent card for the terminal and an intrusion blocking system

Publications (1)

Publication Number Publication Date
WO2005120006A1 true WO2005120006A1 (en) 2005-12-15

Family

ID=32524581

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/FI2005/050186 WO2005120006A1 (en) 2004-06-02 2005-06-01 Method for observing operation of a smart card, the smart card for a terminal, and an intrusion protection system

Country Status (2)

Country Link
FI (1) FI118709B (en)
WO (1) WO2005120006A1 (en)

Patent Citations (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US6687499B1 (en) * 1999-03-29 2004-02-03 Nokia Mobile Phones Ltd. Method and system for testing the functioning of data communication in a radio apparatus
WO2002051185A1 (en) * 2000-12-20 2002-06-27 Nortel Networks Limited Method and computer system for monitoring events on a wireless connected device
US20040028000A1 (en) * 2002-08-12 2004-02-12 Harris Corporation Mobile ad-hoc network with intrusion detection features and related methods

Non-Patent Citations (2)

* Cited by examiner, † Cited by third party
Title
CHIRUMAMILLA M K ET AL: "Agent based intrusion detection and response system for wireless lans", ICC 2003. 2003 IEEE INTERNATIONAL CONFERENCE ON COMMUNICATIONS. ANCHORAGE, AK, MAY 11 - 15, 2003, IEEE INTERNATIONAL CONFERENCE ON COMMUNICATIONS, NEW YORK, NY : IEEE, US, vol. VOL. 1 OF 5, 11 May 2003 (2003-05-11), pages 492 - 496, XP010642798, ISBN: 0-7803-7802-4 *
ZHANG Y ET AL: "Intrusion detection in wireless ad-hoc networks", MOBICOM. PROCEEDINGS OF THE ANNUAL INTERNATIONAL CONFERENCE ON MOBILE COMPUTING AND NETWORKING, 6 August 2000 (2000-08-06), pages 1 - 9, XP002972773 *

Cited By (7)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US8041030B2 (en) 2007-01-09 2011-10-18 Mastercard International Incorporated Techniques for evaluating live payment terminals in a payment system
WO2009112367A1 (en) * 2008-03-11 2009-09-17 Wincor Nixdorf International Gmbh Method and device for defending against attacks to systems comprising a plug & play function
CN101965571A (en) * 2008-03-11 2011-02-02 温科尼克斯多夫国际有限公司 Method and device for defending against attacks to systems comprising a plug & play function
US8418248B2 (en) 2008-03-11 2013-04-09 Wincor Nixdorf International Gmbh Method and device for defending against attacks to systems comprising a plug and play function
CN102546302A (en) * 2012-01-18 2012-07-04 北京视博数字电视科技有限公司 Detection method and system of clone terminal devices
CN106934310A (en) * 2017-02-24 2017-07-07 飞天诚信科技股份有限公司 The method and card reader of a kind of testing smart card
CN106934310B (en) * 2017-02-24 2019-09-13 飞天诚信科技股份有限公司 A kind of method and card reader of testing smart card

Also Published As

Publication number Publication date
FI20045206A (en) 2005-12-03
FI118709B (en) 2008-02-15
FI20045206A0 (en) 2004-06-02

Legal Events

Date Code Title Description
AK Designated states

Kind code of ref document: A1

Designated state(s): AE AG AL AM AT AU AZ BA BB BG BR BW BY BZ CA CH CN CO CR CU CZ DE DK DM DZ EC EE EG ES FI GB GD GE GH GM HR HU ID IL IN IS JP KE KG KM KP KR KZ LC LK LR LS LT LU LV MA MD MG MK MN MW MX MZ NA NG NI NO NZ OM PG PH PL PT RO RU SC SD SE SG SK SL SM SY TJ TM TN TR TT TZ UA UG US UZ VC VN YU ZA ZM ZW

AL Designated countries for regional patents

Kind code of ref document: A1

Designated state(s): BW GH GM KE LS MW MZ NA SD SL SZ TZ UG ZM ZW AM AZ BY KG KZ MD RU TJ TM AT BE BG CH CY CZ DE DK EE ES FI FR GB GR HU IE IS IT LT LU MC NL PL PT RO SE SI SK TR BF BJ CF CG CI CM GA GN GQ GW ML MR NE SN TD TG

121 Ep: the epo has been informed by wipo that ep was designated in this application
NENP Non-entry into the national phase

Ref country code: DE

WWW Wipo information: withdrawn in national office

Country of ref document: DE

122 Ep: pct application non-entry in european phase