WO2009082306A1 - Detection of malicious software in communication system - Google Patents


Info

Publication number: WO2009082306A1
Authority: WO, WIPO (PCT)
Prior art keywords: message, special, address, network, addresses
Application number: PCT/SE2007/051068
Priority: PCT/SE2007/051068
Other languages: French (fr)
Inventors: Michael Liljenstam, Luis Barriga, András MÉHES
Original assignee: Telefonaktiebolaget L M Ericsson (Publ)

Classifications

    • H Electricity
    • H04 Electric communication technique
    • H04L Transmission of digital information, e.g. telegraphic communication
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/12 Applying verification of the received information
    • H04L63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1408 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
    • H04L63/1416 Event detection, e.g. attack signature detection
    • H04L63/1441 Countermeasures against malicious traffic
    • H04L63/1491 Countermeasures against malicious traffic using deception as countermeasure, e.g. honeypots, honeynets, decoys or entrapment
    • H04W Wireless communication networks
    • H04W12/00 Security arrangements; Authentication; Protecting privacy or anonymity
    • H04W12/12 Detection or prevention of fraud
    • H04W12/128 Anti-malware arrangements, e.g. protection against SMS fraud or mobile malware
    • G Physics
    • G06 Computing; calculating or counting
    • G06F Electric digital data processing
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/50 Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • G06F21/55 Detecting local intrusion or implementing counter-measures
    • G06F21/56 Computer malware detection or handling, e.g. anti-virus arrangements

Definitions

  • It is convenient to generate such addresses at a network node 2-02 from a pool of addresses reserved for the purpose and to update the contact list 1-07 by sending to the UE a package of addresses.
  • MS-C 1-03 may request such addresses from the generating node 2-02 and forward these to UE 1-01 in a configuration phase.
  • the generating functionality may be implemented at the message center, e.g. at database means 3-05, as discussed in the following alternative embodiments.
  • the address generating node 2-02 stores an association between the contact list reference of the UE 1-01 being updated and the addresses selected at node 2-02 for the update.
  • the same addresses may be re-used among several users.
  • message center 1-03 may be configured to periodically update special addresses at user equipment 1-01 by requesting new addresses from node 2-02 and returning to the node the used addresses that are deleted from the contact list 1-07.
  • a user of UE 1-01 is provided, during configuration of contact list with special addresses, with an accompanying list of names and requested to select a name from the list to associate with a particular special address.
  • a user of UE may be requested to approve insertion of a special address in the contact list prior to completion of the insertion.
  • special addresses may be hidden to the user.
  • a contact list update message received at UE 1-01 during configuration may involve a user permission to perform the update, e.g. indicating the size that hidden addresses will occupy, whereupon the contact list update is made such as to hide the inserted addresses from the user. By hiding special addresses the user is prevented from accidental misuse of such an address.
  • the message center 1-03 stores, for a certain pre-defined time period, messages from the user equipment 1-01.
  • a first identification of the use of a special address may trigger at the message center storage of the message and following messages during a pre-set supervisory period as it can be expected that malicious software is active at the sending user equipment.
  • signature e.g. hash function
  • a further alternative comprises determining a message signature calculated based on the message body, e.g. calculation of hash over message body, whereby said storing is made of messages having the same signature.
  • the reason for this embodiment is that messages generated from malicious software often contain the same message body.
  • the calculation of said signature may be made at the message center 1-03 or at a detector node 2-01. In the latter case the detector node communicates the signature to the message center, where message filtering and storage is thereafter performed.
  • control actions are at least partly implemented at the message center.
  • An exemplary action may involve deletion of messages stored at the message center.
  • Still another alternative comprises sending a calculated message signature to at least another network node, e.g. another message center or user equipment 1-01, wherein message filtering takes place.
  • User equipment 1-01 may, for example, execute an antivirus program using the signature. In this way, the signature of malicious software detected in one network area may be re-used in other network areas where the existence of the same malicious software has not yet been detected.
  • the message center 1-03 handles a vast amount of messages from a plurality of user equipments 1-01. Therefore, it may be a disadvantage to provide capacity for storage of suspected messages. Therefore, according to an alternative embodiment, information representative of a registered suspected message is stored in place of the full message.
  • a hash of a message may be stored. The hash of a message, uniquely identifying the message, may be provided to the detector node 2-01 together with a selection of information pertaining to the message for enabling the detector node to carry out an analysis of the registered messages.
  • Exemplary information provided to the detector 2-01 may comprise identifier of sending UE, address used and whether it is special or normal, subject field of message, and number and type of message attachments.
  • actions, determined at the detection node 2-01 may be invoked at any appropriate node in the network relevant for message handling.
  • a charging node storing hash values for messages being charged for, may be provided by the detection node 2-01 with said hash value in order to retrieve and revoke corresponding charging record.
  • as the special addresses are accessible from the contact list there is a risk of unintentional use of such an address. Therefore, according to an alternative embodiment, a distance measure is introduced for determining a distance between a normal address and a special address. The special addresses are selected to obtain a distance between any special address and any normal address that exceeds a pre-set value.
  • the distance measure is the Hamming distance measure.
  • the message center may retrieve from a database at network functionality a list of special addresses relevant for the sending user equipment 1-07 and stored at the network functionality 2-03 during an initial configuration phase.
  • the database may be implemented at any suitable network node including the message center 1-03 or the detector 2-01.
  • although a message center has been used as an exemplary node where detection is made of a message using a special address, it is understood that the detection may equally be made at any other node in the service path that sees the address in clear text, e.g., WAP-GW, firewall, or Unified Threat Management node (UTM).
  • the database 3-05 may, exemplary, be implemented in any user database such as HLR/HSS.
  • the detector 2-01 is implemented as a wireless modem including a SIM-card related to a special address.
  • all messages using a special address will, therefore, automatically be routed to the detector node for analysis whereas other messages, even if being result of malicious software, will automatically be routed to specified receiver addresses.
  • any action at the message center due to identification of messages received at the detector node must be commanded from the detector node, e.g. storing of messages for a certain time period.
  • the message center withholds any message for a short time allowing the detector node to command storage of messages if identifying reception of a message using a special address.
  • An exemplary apparatus 3-00 for implementing the invention is illustrated in Figure 3.
  • at 3-01 there is shown means for receiving and sending a message, exemplary in communication with user equipment 1-01.
  • the arrangement 3-00 is integrated with the message center 1-03.
  • 3-02 is means for identifying a special address in a message received at means 3-01.
  • Means 3-03 provides for communication with other network functionalities, exemplary for determining actions related to a message using a special address.
  • Said means may receive a request for performing at least a said action, thereafter performed by means 3-04.
  • An exemplary action may involve deletion of at least a message, exemplary stored at means 3-01.
  • Another action may comprise forming of message signature, e.g.
  • database means for associating a user contact list reference with list of currently used special addresses.
  • Means 3-01 for sending and receiving messages may further be used in an initial configuration of user equipment 1-01 by retrieving, exemplary from database means 3-05 free special addresses.
  • Means 3-01 may further be used in continued updates of special addresses implemented at user equipment contact list.
  • Database 3-05 is updated by means 3-01 in correspondence to any configuration or update operation.
  • Provisioning of special addresses may be made at subscription to an operator.
  • the special addresses may be pre-configured in an identity module, e.g. SIM/USIM/ISIM-card.
  • further update of contact list may be performed over the air.
  • a method is now described for providing user equipment with new or updated special addresses.
  • a message center 1-03 is shown and a database 3-05. As described above, the database may be integrated with the message center 1-03.
  • a user 4-05 operates user equipment 1-01.
  • message center 1-03 provides database 3-05 with the contact list reference of user equipment 1-01 to be configured with special addresses. A specified number of such addresses are thereby returned to the message center.
  • the message center initiates a user equipment update message and provides the list of special addresses.
  • the message center may provide a list of names which the user, at 4-03, may use to associate a name with each special address.
  • the dialogue 4-03 finishes the configuring step wherein the contact list at user equipment is configured with special addresses each associated with a corresponding name.
  • the message center updates database 3-05 to indicate the special addresses currently configured at user equipment 1-01.
  • dialogue step 4-03 may include additional step of approving insertion of special addresses.
  • the configuring with special addresses is repeated according to a pre-defined schedule in order to limit possibilities for detection by hostile party of special addresses in use.
  • re-configuration involves re-selection of addresses from a global list of addresses maintained at database 3-05.
  • update is made of database information indicative of addresses in use for user equipment 1-01 at re-configuration of user equipment.
  • Figure 5 illustrates an exemplary method according to the invention for processing a message issued by sending user equipment.
  • User equipment 1-01 issues at 5-01 a message that, in this example, is assumed to originate from execution of malicious software installed at 1-01.
  • the sending party is in a visited network provided with a receiving message center 1-03V.
  • the visited network message center 1-03 may be provided with the inventive means for detecting special addresses although the database 3-05 is not explicitly shown in Figure 5.
  • the visited network message center 1-03V is not configured to recognize the special address contained in the message 5-01 and, therefore, forwards the message in the normal way at 5-02 to the sending party's home network message center 1-03H.
  • the home network message center 1-03 has been configured, according to the previous description, to recognize, in communication 5-03, a special address registered at the database 3-05.
  • the signaling 5-03 and 5-04 is either representative of a request-response communication wherein 3-05 responds to 1-03H that a special address is identified, or the communication represents 1-03H requesting the global list of special addresses or the selected list registered for the user equipment 1-01. In either case, a special address is identified and, therefore, the message center forwards information representative of the message at 5-05 to a detector 2-01 for analysis.
  • the detector 2-01 determines actions and, exemplary, at least an action is requested at 5-07 to be performed by message center 1-03H.
  • the message or a representation thereof may be saved by the message center until detector 2-01 has responded at 5-07 with a request for action.
  • Exemplary action may be to delete the message or representation thereof.
  • Not shown in Figure 5 is communication by detector 2-01 with other network entities due to at least another action determined by the detector.
  • action may relate to update of the charging record for the sending user such that no charging is made for malicious messages.
  • Other action may be to store the malicious message or a representation thereof for statistical analysis and preventive actions at a network management level.
  • Still another action comprises sending a signature calculated over the message body of a suspected malicious message, e.g. a message identified to use a special address, to a network node or user equipment wherein message filtering takes place.
  • Another exemplary action comprises message center 1-03 modifying the address of a suspect message, e.g. replacing the sender address by a special address recognized by the message client at the receiving party for performing filter actions. The original sender address may be placed in the message body.

Abstract

A method and arrangement in a communications network is disclosed for detection of and action on messages originating from execution of malicious software surreptitiously implemented at a user device. The system is initially configured with special addresses generated at the network. A configuration phase includes an update of the user device address list and registration at a network database of the special addresses applicable for the user. A message is analyzed with respect to a special address indicated as message receiver, whereby network functionality determines actions ranging from deletion of the message and update of charging data to further statistical analysis for preventive actions at network level.

Description

Detection of malicious software in communication system
Field of invention
The invention relates to message systems and in particular to detection of and action on hostile messages originating from compromised user device.
Background
A type of attack on communications systems involves the hostile establishment at user devices of malicious software that thereafter performs actions to spread through the communications network, exemplary the Internet, using address information at the user device. Address information may be implemented in a contact list at a mobile device or at an identity module, such as a SIM/USIM/ISIM-module, installed at a mobile device. Current techniques for detection of malicious software propagated through the Internet comprise detection of traffic at unused addresses, e.g. IP addresses, at which no normal traffic would be expected. Such techniques may involve passively listening for incoming connection requests or use more advanced arrangements to attract traffic originating from malicious software, often referred to as honey-pot machines, whose only purpose is to be compromised so that the activity can be monitored and analyzed. Other techniques comprise manually analyzing systems that are known to be compromised.
Similarly, in order to detect virus attacks or mail attacks, for example what is often referred to as spam, or attacks aimed at copying private information, often referred to as phishing, it is known to use specific addresses allocated at user devices and advertised on various Internet forums with the purpose of enabling detection of communication originating from actions by malicious software. Commercial products based on such principles are known (http://www.symantec.com/enterprise/products/overview.jsp?pcid=1008&pvid=835_l). The system maintains a worldwide network of hosts that collect information from malicious software. Non-profit projects are known that provide similar techniques, e.g. the HoneyPot project (http://www.projecthoneypot.org/). The project relies on goodwill from webmasters that allow their web sites to publish decoy e-mail addresses that can attract spam or phishing attempts.
The known hostile attacks mentioned above are indiscriminate in that large numbers of addresses, representing potential victim hosts, are used. However, a type of targeted attack becoming more common is selective in directing the attack to specific targets so as not to unnecessarily arouse suspicion. Current techniques are inadequate for providing early detection of threats that are discriminately targeted.
It can also be noted that techniques specifically designed to attempt to lure attackers to certain targets, i.e., to try to make the detector appear to be an interesting target for attackers, appear to be more of an art than a science at this point, making such an approach less useful.
There is, thus, a need for an efficient method to detect malicious software implemented in attacks targeted to selected users.
Summary
A method and arrangement is disclosed for detection of malicious software that fraudulently has been installed in a user device in a communications network. The communications network comprises a plurality of nodes inter-working through exchange of messages. The user devices are assigned at least an address for routing of messages and can use a contact list of addresses. All messages initiated by a sending node pass at least a network message center node that, depending on implemented functionality, performs specified actions on the message. Generally, a message center has the capability to route a received message to a next recipient node.
In a first embodiment of the invention, a contact list is complemented with at least a special address that is recognized by a network message center node. A message initiated using as receiving address a said special address, when received at a message center node, is rerouted to a particular message detector node having functionality for message analysis and determining of control action. The complementing of contact list may be performed during an initial set up phase e.g. during initial configuration of a user device. Functionality for performing a control action, as determined at a message detector node, is exemplary implemented in the message center node.
The complementing of contact list with at least a special address may be performed through communication with a network node that generates suitable addresses. In addition to an initial configuration of a contact list, the list may be repeatedly updated according to a predefined schedule in order to make more difficult the discovery by hostile party of special addresses in use.
The communications network may be a mobile communications network and the at least one of the plurality of user devices may be a mobile user equipment (UE). The user may approve complementing the contact list with a special address before inserting the same in the list. The provisioning of at least one special address for complementing a contact list may further include provisioning of a list of names whereby the user may select from the list one name for each of the special addresses as an identifier of that special address.
In an alternative embodiment, the special addresses are hidden for the user thus effectively avoiding unintentional use of these addresses.
In another alternative embodiment, the message center node stores, for a predefined time period, messages that are sent consecutively in a series. This allows control actions to complete, in case a message is recognized to use a special address, such that no message reaches its receiving address without being acted on by control actions determined at a message detector node. An exemplary control action comprises deletion of stored messages recognized to use a special address.
In still another embodiment, whereas storage of complete messages consumes much memory space, a representation of a message may be stored in place of the complete message. If the representation is unique for each message it can be used to identify messages that, e.g., have been included in a charging record whereby charging may be withdrawn for messages that are determined to be result of malicious software i.e. to use special addresses.
According to still another embodiment a measure is introduced of distance between addresses. The special addresses are then determined such that the distance between a special address and any normal address in the contact list exceeds a minimum value. Exemplary the measure is the Hamming distance measure. Special addresses installed at a user device contact list by a network node may be stored at a network storage location including a contact list reference, e.g. phone number MSISDN. A message center node, recognizing sender of message, can retrieve, from the storage location using contact list reference, the special addresses associated with the sender for determining, by comparison, if receiver address of message corresponds to a special address.
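The selection rule described here, together with the configuration phase of Figure 4 that installs the chosen addresses (a network database issuing special addresses against a contact-list reference and re-issuing them on a schedule), as an added Python example that is not code from the patent or from Ericsson. The address pool, the contact list, the MSISDN and the class and function names are constructed for illustration; the treatment of addresses of unequal length in the distance function is an assumption, since the text only names the Hamming distance.

```python
import random
from dataclasses import dataclass, field


def hamming_distance(a: str, b: str) -> int:
    """Number of positions in which two addresses differ.

    Assumption for this example: addresses of unequal length are treated as
    differing in every position beyond the shorter one, so a short and a long
    address are never counted as confusable.
    """
    return sum(1 for x, y in zip(a, b) if x != y) + abs(len(a) - len(b))


def min_distance(candidate: str, normal_addresses) -> int:
    """Smallest distance from a candidate special address to any normal address."""
    return min((hamming_distance(candidate, n) for n in normal_addresses),
               default=len(candidate))


def eligible_addresses(pool, normal_addresses, min_dist: int) -> list:
    """Pool entries whose distance to every normal address exceeds min_dist:
    a decoy must not be one or two digits away from a contact the user could
    actually mean to reach, otherwise a typo would trigger the detector."""
    return sorted(a for a in pool if min_distance(a, normal_addresses) > min_dist)


@dataclass
class AddressDatabase:
    """Stands in for database 3-05: a reserved pool of decoy addresses plus the
    association between a subscriber's contact-list reference (MSISDN) and the
    decoys currently configured on that device."""
    pool: set
    in_use: dict = field(default_factory=dict)   # msisdn -> set of addresses

    def free(self, avoid=()) -> list:
        """Addresses not configured on any device (the text also permits reuse)."""
        used = set().union(*self.in_use.values())
        return sorted(self.pool - used - set(avoid))

    def configure(self, msisdn, contact_list, count, min_dist, rng, avoid=()):
        """Initial configuration (Figure 4): pick `count` free decoys for this
        device, record them against its MSISDN and return them for the
        contact-list update message."""
        candidates = eligible_addresses(self.free(avoid), contact_list, min_dist)
        if len(candidates) < count:
            raise ValueError("pool cannot satisfy the distance constraint")
        chosen = set(rng.sample(candidates, count))
        self.in_use[msisdn] = chosen
        return sorted(chosen)

    def reconfigure(self, msisdn, contact_list, count, min_dist, rng):
        """Scheduled update: release the device's old decoys to the pool and
        select fresh ones, so the set in use does not stay fixed."""
        old = self.in_use.pop(msisdn, set())
        new = self.configure(msisdn, contact_list, count, min_dist, rng, avoid=old)
        return sorted(old), new

    def is_special(self, msisdn, address) -> bool:
        """The lookup a message center performs on a message's receiver address."""
        return address in self.in_use.get(msisdn, set())


# Constructed sample data: one subscriber's normal contacts and a decoy pool.
CONTACTS = ["46700111222", "46700111333", "46701234567"]
POOL = {"46700111223", "46700999222", "46709876543",
        "46701234568", "46705550000", "46702468024"}


def demo(seed: int = 7) -> dict:
    rng = random.Random(seed)
    db = AddressDatabase(pool=set(POOL))
    msisdn = "46700111222"
    first = db.configure(msisdn, CONTACTS, count=2, min_dist=2, rng=rng)
    old, second = db.reconfigure(msisdn, CONTACTS, count=2, min_dist=2, rng=rng)
    return {"first": first, "released": old, "second": second,
            "still_special": [a for a in second if db.is_special(msisdn, a)]}


if __name__ == "__main__":
    print(demo())
```

With `min_dist=2` the two pool entries that differ from a contact in a single digit ("46700111223" and "46701234568") are rejected, so only four candidates remain; the first configuration takes two of them and the scheduled reconfiguration releases those and takes the other two, which is why the second set never overlaps the first.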
Advantages of the invention are:
- Improved security for operator subscribers.
- Avoid traffic that can not be charged for.
- Reduce complaints related to undesired communication.
Detailed description
A better understanding of the invention is obtained from the following detailed description taken together with the accompanying drawings wherein
Figure 1 illustrates the basic structure of a prior-art mobile communications system.
Figure 2 shows an arrangement according to a first embodiment of the invention.
Figure 3 shows an exemplary implementation of the invention.
Figure 4 illustrates an exemplary method for configuring a system according to the invention.
Figure 5 illustrates an exemplary method for processing a message according to the invention.
The invention will be illustrated with reference to a mobile communications network as shown in prior art figure 1. It is, however, readily understood that the invention may equally well apply to other types of networks.
As an exemplary application, a message system such as MMS is described. It is, however, readily understood that the invention is equally applicable to other applications such as VoIP or e-mail. Exemplary embodiments are given to illustrate the invention only and to obtain a clear description, and should not limit the scope of the invention. It is, e.g., readily understood that exemplary functions, means, and apparatuses may be implemented in a variety of ways apparent to a skilled person.
A user entity, UE 1-01, e.g. a mobile device, is connected to a communications network 1-02, e.g. a mobile communications network, over an access point 1-04. It is common to offer a user of the UE a message service, whereby the network is provided with a message center MS-C 1-03. Because of the generally high load on the message center MS-C, messages are usually forwarded immediately to leave room for processing new messages. It is also common in the art to connect, over access point 1-05, a local area network LAN. The local area network may use a firewall 1-06 to protect against hostile access to the network from external sources. The user entity UE may have a contact list 1-07 useful to conveniently find receiver addresses. Often addresses are complex and difficult to remember, which is why it is common to associate an address with an easier-to-remember name, e.g. the name of a person.
Figure 2 shows a first embodiment of the invention. Like numerals denote like elements as in Figure 1. It is known that malicious software inserted into the user entity UE 1-01 may use the contact list 1-07 to spread itself through messages to the corresponding receivers. In order to detect that malicious software is present at the UE, the contact list is augmented with special addresses that are not easily distinguished from an ordinary address. Therefore, malicious software will likely use both the special and the normal addresses when spreading through messages to the corresponding receivers. According to the embodiment, a message center, e.g. message center MS-C 1-03, is arranged to recognize a special address, whereby the message center, having means for routing a message, re-routes the corresponding message or part thereof to a detector node 2-01 for further analysis. The detector 2-01 may determine control actions depending on the analysis of the message and communicate the control actions to an appropriate network node for execution. The address type may be, for example, a phone number, an email address, or a SIP URL.
It is convenient to generate such addresses at a network node 2-02 from a pool of addresses reserved for the purpose and to update the contact list 1-07 by sending a package of addresses to the UE. Exemplary, MS-C 1-03 may request such addresses from the generating node 2-02 and forward these to UE 1-01 in a configuration phase. Alternatively, the generating functionality may be implemented at the message center, e.g. at database means 3-05, as discussed in the following alternative embodiments.
Preferably, according to an alternative of the embodiment, the address generating node 2-02 stores an association between the contact list reference of the UE 1-01 being updated and the addresses selected at node 2-02 for the update. In order to limit the size of the database of special addresses, the same addresses may be re-used among several users.
To make it more difficult for a hostile party to discover a special address that is used repeatedly, the special addresses may be changed periodically. Exemplary, message center 1-03 may be configured to periodically update the special addresses at user equipment 1-01 by requesting new addresses from node 2-02 and returning to the node the used addresses, which are deleted from the contact list 1-07.
Alternatively, a user of UE 1-01 is provided, during configuration of contact list with special addresses, with an accompanying list of names and requested to select a name from the list to associate with a particular special address.
A user of UE may be requested to approve insertion of a special address in the contact list prior to completion of the insertion.
Advantageously, special addresses may be hidden from the user. Exemplary, a contact list update message received at UE 1-01 during configuration may involve a user permission to perform the update, exemplary indicating the size that the hidden addresses will occupy, whereupon the contact list update is made such that the inserted addresses are hidden from the user. By hiding special addresses the user is prevented from accidental misuse of such an address.
According to an alternative embodiment of the invention, the message center 1-03 stores, for a certain pre-defined time period, messages from the user equipment 1-01. Exemplary, a first identification of the use of a special address may trigger at the message center storage of the message and following messages during a pre-set supervisory period as it can be expected that malicious software is active at the sending user equipment.
It is known to use a signature, e.g. a hash function, to uniquely identify a message. A further alternative, therefore, comprises determining a message signature calculated based on the message body, e.g. calculating a hash over the message body, whereby said storing is made of messages having the same signature. The reason for this embodiment is that messages generated by malicious software often contain the same message body. The calculation of said signature may be made at the message center 1-03 or at a detector node 2-01. In the latter case the detector node communicates the signature to the message center, where message filtering and storage is thereafter performed.
In an alternative of the embodiment, the control actions are at least partly implemented at the message center. An exemplary action may involve deletion of messages stored at the message center.
Still another alternative comprises sending a calculated message signature to at least one other network node, e.g. another message center or user equipment 1-01, wherein message filtering takes place. User equipment 1-01 may, for example, execute an antivirus program using the signature. In this way, knowledge of malicious software detected in one network area may be re-used in other network areas where the existence of the same malicious software has not yet been detected.
The message center 1-03 handles a vast amount of messages from a plurality of user equipments 1-01. Therefore, it may be a disadvantage to provide capacity for storage of suspected messages. According to an alternative embodiment, information representative of a registered suspected message is therefore stored in place of the full message. Exemplary, a hash of the message may be stored. The hash of a message, uniquely identifying the message, may be provided to the detector node 2-01 together with a selection of information pertaining to the message, enabling the detector node to carry out an analysis of the registered messages. Exemplary information provided to the detector 2-01 may comprise the identifier of the sending UE, the address used and whether it is special or normal, the subject field of the message, and the number and type of message attachments.
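As an added illustration (not from the patent text) of the compact representation just described, the following Python sketch builds per-message records that carry a SHA-256 signature over the message body together with the selection of metadata listed above, and runs the detector-side grouping by signature over a batch of such records. The record fields, the sample addresses and the message bodies are constructed for the example; SHA-256 is one choice of the "hash over message body" the description mentions, and the grouping function is the example's own.

```python
# Added example (not from the patent): compact per-message records kept in place of full
# messages, plus a detector-side grouping by body signature. Sample data is constructed.
import hashlib
from collections import defaultdict
from dataclasses import dataclass


def message_signature(body: bytes) -> str:
    """Signature over the message body only. Header fields (receiver, timestamp) differ
    between the copies a worm sends; the body usually does not, so copies collide here."""
    return hashlib.sha256(body).hexdigest()


@dataclass(frozen=True)
class MessageRecord:
    """What the detector receives instead of the full message: the signature plus the
    information the description lists (sender, address and its kind, subject, attachments).
    The body itself is not retained, which is the point of the compact representation."""
    signature: str
    sender: str               # contact list reference of the sending UE, e.g. MSISDN
    receiver: str
    receiver_is_special: bool
    subject: str
    attachment_types: tuple   # MIME types of the attachments; len() gives the count


def register(sender, receiver, is_special, subject, body: bytes, attachment_types=()):
    """Build the compact record; the message center stores/forwards this, not the body."""
    return MessageRecord(message_signature(body), sender, receiver, is_special,
                         subject, tuple(attachment_types))


def analyse(records):
    """Detector-side analysis: group records by signature and count, per group, the copies
    sent to special vs. normal addresses and the distinct senders involved."""
    groups = defaultdict(lambda: {"special": 0, "normal": 0, "senders": set(),
                                  "subjects": set(), "attachments": set()})
    for r in records:
        g = groups[r.signature]
        g["special" if r.receiver_is_special else "normal"] += 1
        g["senders"].add(r.sender)
        g["subjects"].add(r.subject)
        g["attachments"].add(r.attachment_types)
    return dict(groups)


def suspected_signatures(groups):
    """Signatures of bodies that were sent to at least one special address."""
    return {sig for sig, g in groups.items() if g["special"] > 0}


# Constructed sample: one UE sends the same body to its whole contact list (one entry of
# which is a special address); another UE sends an ordinary message.
WORM_BODY = b"Check out this game, it is attached!"
SAMPLE = [
    register("46701234000", "0701234567", False, "cool game", WORM_BODY, ["application/octet-stream"]),
    register("46701234000", "0705551212", True,  "cool game", WORM_BODY, ["application/octet-stream"]),
    register("46701234000", "0709876543", False, "cool game", WORM_BODY, ["application/octet-stream"]),
    register("46705550000", "0709876543", False, "dinner?", b"Are we still on for 7?"),
]


def demo():
    groups = analyse(SAMPLE)
    return groups, suspected_signatures(groups)


if __name__ == "__main__":
    groups, suspects = demo()
    for sig, g in groups.items():
        print(sig[:12], "special:", g["special"], "normal:", g["normal"],
              "senders:", sorted(g["senders"]))
    print("suspected:", [s[:12] for s in suspects])
```

Because the signature is taken over the body alone, the two copies sent to normal addresses fall into the same group as the copy that hit the special address, which is what lets the detector act on all of them from a single special-address hit while storing only a few hundred bytes per message.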
It is readily understood that actions determined at the detection node 2-01 may be invoked at any appropriate node in the network relevant for message handling. Exemplary, a charging node storing hash values for messages being charged for may be provided by the detection node 2-01 with said hash value in order to retrieve and revoke the corresponding charging record. In case the special addresses are accessible from the contact list, there is a risk of unintentional use of such an address. Therefore, according to an alternative embodiment, a distance measure is introduced for determining the distance between a normal address and a special address. The special addresses are selected such that the distance between any special address and any normal address exceeds a pre-set value. Exemplary, the distance measure is the Hamming distance.
In order to determine that a message received at the message center 1-03 is using a special address, the message center may retrieve, from a database at a network functionality, a list of special addresses relevant for the sending user equipment 1-07 and stored at the network functionality 2-03 during an initial configuration phase. It is readily understood that the database, according to this alternative embodiment, may be implemented at any suitable network node including the message center 1-03 or the detector 2-01. Although a message center has been used as an exemplary node where detection is made of a message using a special address, it is understood that any other node in the service path that sees the address in clear text may be used, e.g., a WAP-GW, a firewall, or a Unified Threat Management node (UTM). The database 3-05 may, exemplary, be implemented in any user database such as HLR/HSS.
According to one embodiment of the invention the detector 2-01 is implemented as a wireless modem including a SIM-card related to a special address. According to this arrangement, all messages using a special address will therefore automatically be routed to the detector node for analysis, whereas other messages, even if being the result of malicious software, will automatically be routed to the specified receiver addresses. Thus, any action at the message center due to identification of messages received at the detector node must be commanded from the detector node, e.g. storing of messages for a certain time period. In an alternative of this embodiment, the message center withholds any message for a short time, allowing the detector node to command storage of messages if it identifies reception of a message using a special address. Thus, all messages using normal addresses that follow detection at the detector node of a first message using a special address may be prevented from reaching their corresponding receivers until actions are taken by the detector node.
An exemplary apparatus 3-00 for implementing the invention is illustrated in Figure 3. At 3-01 there is shown means for receiving and sending a message, exemplary in communication with user equipment 1-01. A particular case is that the arrangement 3-00 is integrated with the message center 1-03. At 3-02 there is shown means for identifying a special address in a message received at means 3-01. Means 3-03 provides for communication with other network functionalities, exemplary for determining actions related to a message using a special address. Said means may receive a request for performing at least one said action, thereafter performed by means 3-04. An exemplary action may involve deletion of at least one message, exemplary stored at means 3-01. Another action may comprise forming a message signature, e.g. forming a hash, based on the message body and sending the signature through means 3-03 to other network functionalities wherein message filtering may take place. At 3-05 there is shown database means for associating a user contact list reference with the list of currently used special addresses. Although the database is shown implemented in the apparatus 3-00, it is readily understood that the database may be implemented at any suitable network node for access, exemplary through communication means 3-03. Means 3-01 for sending and receiving messages may further be used in an initial configuration of user equipment 1-01 by retrieving, exemplary from database means 3-05, free special addresses. Means 3-01 may further be used in continued updates of the special addresses implemented at the user equipment contact list. Database 3-05 is updated by means 3-01 in correspondence to any configuration or update operation.
Provisioning of special addresses may be made at subscription to an operator. Exemplary, the special addresses may be pre-configured in an identity module, e.g. a SIM/USIM/ISIM-card. However, further update of the contact list may be performed over the air. With reference to Figure 4, a method is now described for providing user equipment with new or updated special addresses. In Figure 4 a message center 1-03 is shown and a database 3-05. As described above, the database may be integrated with the message center 1-03. A user 4-05 operates user equipment 1-01.
At 4-01 message center 1-03 provides database 3-05 with the contact list reference of the user equipment 1-01 to be configured with special addresses. A specified number of such addresses are thereby returned to the message center. At 4-02 the message center initiates a user equipment update message and provides the list of special addresses. In addition, the message center may provide a list of names which the user, at 4-03, may use to associate a name with each special address. The dialogue 4-03 finishes the configuring step, wherein the contact list at the user equipment is configured with special addresses each associated with a corresponding name. In a final step 4-04 of the process the message center updates database 3-05 to indicate the special addresses currently configured at user equipment 1-01. Alternatively, dialogue step 4-03 may include an additional step of approving insertion of special addresses. According to an embodiment, the configuring with special addresses is repeated according to a pre-defined schedule in order to limit the possibilities for a hostile party to detect the special addresses in use. Preferably, such re-configuration involves re-selection of addresses from a global list of addresses maintained at database 3-05. Preferably, the database information indicative of the addresses in use for user equipment 1-01 is updated at re-configuration of the user equipment.
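The address selection of the distance-measure embodiment above and the Figure 4 configuration steps, as an added Python sketch that is not part of the patent: it models the generating node 2-02 and database 3-05 with a shared pool of reserved addresses, applies the Hamming-distance constraint when choosing addresses for a user, stores the association between the contact list reference (MSISDN) and the addresses installed, and performs the scheduled re-configuration that replaces them. The pool contents, the user's normal contacts and the threshold value are constructed, and the class and method names are the example's own.

```python
# Added example (not from the patent): provisioning of special addresses under a
# Hamming-distance constraint, modelling generating node 2-02 / database 3-05.
# Addresses, pool contents and the threshold value are constructed sample data.

THRESHOLD = 2  # assumed: a special address must differ in MORE than 2 positions from every normal address


def hamming(a: str, b: str) -> int:
    """Hamming distance: number of positions in which two equal-length strings differ.
    Addresses of different length cannot be confused with each other, so they are
    treated as maximally distant (the longer length)."""
    if len(a) != len(b):
        return max(len(a), len(b))
    return sum(x != y for x, y in zip(a, b))


def far_enough(candidate: str, normal_addresses, threshold: int = THRESHOLD) -> bool:
    """True if the candidate exceeds the threshold distance to every normal address."""
    return all(hamming(candidate, n) > threshold for n in normal_addresses)


class SpecialAddressNode:
    """Holds the global pool of reserved special addresses and the association
    'contact list reference (e.g. MSISDN) -> special addresses currently in use'."""

    def __init__(self, pool, threshold: int = THRESHOLD):
        self.pool = list(pool)      # shared pool; the same address may serve several users
        self.in_use = {}            # contact_ref -> list of special addresses installed
        self.threshold = threshold

    def allocate(self, contact_ref: str, normal_addresses, count: int, exclude=()):
        """Select `count` pool addresses satisfying the distance constraint against the
        user's normal contacts, skipping those in `exclude` (used on re-configuration).
        Records the selection for the user, as step 4-04 of Figure 4 does."""
        chosen = []
        for cand in self.pool:
            if len(chosen) == count:
                break
            if cand in exclude:
                continue
            if far_enough(cand, normal_addresses, self.threshold):
                chosen.append(cand)
        if len(chosen) < count:
            raise ValueError("pool has too few addresses satisfying the distance constraint")
        self.in_use[contact_ref] = chosen
        return chosen

    def reconfigure(self, contact_ref: str, normal_addresses, count: int):
        """Scheduled re-configuration: the addresses previously installed are replaced by a
        fresh selection from the global pool, and the user's database record is updated."""
        old = self.in_use.get(contact_ref, [])
        new = self.allocate(contact_ref, normal_addresses, count, exclude=old)
        return old, new

    def is_special(self, contact_ref: str, receiver: str) -> bool:
        """The lookup a message center performs on the receiver address of a message
        whose sender is identified by `contact_ref`."""
        return receiver in self.in_use.get(contact_ref, [])


# Constructed sample data: one user's normal contacts and the operator's reserved pool.
NORMAL_CONTACTS = ["0701234567", "0709876543"]
POOL = [
    "0701234568",  # distance 1 from a normal contact: one typo away, rejected
    "0705551212",
    "0709876500",  # distance 2 from a normal contact: still too close, rejected
    "0731112222",
    "0744448888",
    "0712345678",
]


def demo():
    node = SpecialAddressNode(POOL)
    first = node.allocate("46701234000", NORMAL_CONTACTS, count=2)
    old, new = node.reconfigure("46701234000", NORMAL_CONTACTS, count=2)
    return first, old, new


if __name__ == "__main__":
    print(demo())
```

The distance check is what keeps a user from reaching a special address by mistyping a real one; the rejected pool entries above are exactly the addresses a slip of a digit would produce. Because the pool is shared and only the per-user association is exclusive, the node can serve many subscribers from a small reserved range, as the description allows.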
We now refer to Figure 5 illustrating an exemplary method according to the invention for processing a message issued by sending user equipment.
User equipment 1-01 issues at 5-01 a message that, in this example, is assumed to originate from execution of malicious software installed at 1-01. In this example it is assumed that the sending party is in a visited network provided with a receiving message center 1-03V. The visited network message center 1-03V may be provided with the inventive means for detecting special addresses, although the database 3-05 is not explicitly shown in Figure 5. However, the visited network message center 1-03V is not configured to recognize the special address contained in the message 5-01 and therefore forwards the message in the normal way at 5-02 to the sending party's home network message center 1-03H. The home network message center 1-03H has been configured, according to the previous description, to recognize, in communication 5-03, a special address registered at the database 3-05. The signaling 5-03 and 5-04 is either representative of a request-response communication wherein 3-05 responds to 1-03H that a special address is identified, or it represents 1-03H requesting the global list of special addresses or the selected list registered for the user equipment 1-01. In either case, a special address is identified and, therefore, the message center forwards information representative of the message at 5-05 to a detector 2-01 for analysis. At 5-06 the detector 2-01 determines actions and, exemplary, at least one action is requested at 5-07 to be performed by message center 1-03H. As explained before, the message or a representation thereof may be saved by the message center until detector 2-01 has responded at 5-07 with a request for action. An exemplary action may be to delete the message or the representation thereof. Not shown in Figure 5 is communication by detector 2-01 with other network entities due to at least one other action determined by the detector.
As mentioned before, such an action may relate to updating the charging record for the sending user such that no charging is made for malicious messages. Another action may be to store the malicious message or a representation thereof for statistical analysis and preventive actions at a network management level. Still another action comprises sending a signature calculated over the message body of a suspected malicious message, e.g. a message identified to use a special address, to a network node or user equipment wherein message filtering takes place. Another exemplary action comprises message center 1-03 modifying the address of the suspect message, e.g. replacing the sender address by a special address recognized by the message client at the receiving party for performing filter actions. The original sender address may be placed in the message body.
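The Figure 5 processing flow and the control actions listed above, as an added Python simulation that is not part of the patent: a home message center withholds messages for a short period, consults a special-address database keyed by sender (database 3-05), forwards a representation of a message using a special address to a detector (5-05), and carries out the actions the detector returns (5-07): deleting withheld copies with the same body signature, revoking charging records by signature, and filtering later copies on arrival. All node interfaces, action names and sample messages are constructed for the example; only the numbered elements refer to the figure.

```python
# Added example (not from the patent): simulation of the Figure 5 flow at the home message
# center 1-03H with a detector 2-01 and a charging node. Interfaces and data are constructed.
import hashlib


def signature(body: bytes) -> str:
    """Signature over the message body (SHA-256 hex), as in the signature embodiment."""
    return hashlib.sha256(body).hexdigest()


class ChargingNode:
    """Keeps charging records keyed by message signature so a record can be revoked later."""
    def __init__(self):
        self.records = {}  # signature -> list of (sender, receiver)

    def charge(self, sig, sender, receiver):
        self.records.setdefault(sig, []).append((sender, receiver))

    def revoke(self, sig):
        return len(self.records.pop(sig, []))


class Detector:
    """Node 2-01: receives the representation forwarded at 5-05, returns control actions (5-07)."""
    def analyse(self, info):
        if not info["receiver_is_special"]:
            return []
        sig = info["signature"]
        return [("delete_held", sig), ("revoke_charging", sig), ("filter_signature", sig)]


class MessageCenter:
    """Home message center 1-03H. `special_db` plays database 3-05: contact list reference
    (sender MSISDN) -> set of special addresses installed in that user's contact list."""
    def __init__(self, special_db, detector, charging):
        self.special_db = special_db
        self.detector = detector
        self.charging = charging
        self.held = []              # messages withheld for a short period before delivery
        self.delivered, self.deleted, self.filtered = [], [], []
        self.filter_signatures = set()

    def receive(self, sender, receiver, body: bytes):
        msg = {"sender": sender, "receiver": receiver, "signature": signature(body)}
        if msg["signature"] in self.filter_signatures:
            self.filtered.append(msg)   # body already known as malicious: dropped on arrival
            return "filtered"
        self.held.append(msg)
        if receiver in self.special_db.get(sender, set()):
            info = {"signature": msg["signature"], "sender": sender,
                    "receiver": receiver, "receiver_is_special": True}   # 5-05, no body
            for action, sig in self.detector.analyse(info):               # 5-06 / 5-07
                self.perform(action, sig)
            return "special"
        return "held"

    def perform(self, action, sig):
        if action == "delete_held":
            self.deleted.extend(m for m in self.held if m["signature"] == sig)
            self.held = [m for m in self.held if m["signature"] != sig]
        elif action == "revoke_charging":
            self.charging.revoke(sig)
        elif action == "filter_signature":
            self.filter_signatures.add(sig)

    def flush(self):
        """Hold period over: deliver the surviving messages and charge for them."""
        for m in self.held:
            self.charging.charge(m["signature"], m["sender"], m["receiver"])
            self.delivered.append(m)
        self.held = []


WORM = b"Check out this game, it is attached!"   # constructed worm body


def demo():
    charging = ChargingNode()
    mc = MessageCenter({"46701234000": {"0705551212"}}, Detector(), charging)
    mc.receive("46701234000", "0701234567", WORM)   # 1st copy, normal address
    mc.flush()                                       # delivered and charged before detection
    mc.receive("46701234000", "0709876543", WORM)   # 2nd copy, still within the hold period
    mc.receive("46701234000", "0705551212", WORM)   # 3rd copy hits the special address
    mc.receive("46701234000", "0731112222", WORM)   # 4th copy: dropped by the signature filter
    mc.receive("46705550000", "0709876543", b"Are we still on for 7?")   # unrelated message
    mc.flush()
    return mc, charging


if __name__ == "__main__":
    mc, charging = demo()
    print("delivered:", [m["receiver"] for m in mc.delivered])
    print("deleted:", len(mc.deleted), "filtered:", len(mc.filtered))
    print("charged:", charging.records)
```

The run shows the trade-off the description points at: the first copy, sent before any special address was touched, is delivered and charged, and only its charging record can be undone afterwards, while every copy that is still within the hold period or arrives later is stopped. The short hold therefore bounds how many copies escape to a small window rather than zero.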

Claims
1. A method for detection of malicious software installed at a user device, the device communicating messages through a communications system comprising a plurality of inter-working network nodes whereby at least one user device has a contact list of user device addresses, the malicious software acting to duplicate and spread through messages using the contact list, characterized by the steps:
- inserting, during set up phase, at least one special address into user device 1-01;
- identifying, at network message center 3-00 identifying means 3-02, at least a message having a receiver address selected from the at least one special address information;
- re-routing at said message center information related to the identified message to a network detector node 2-01 for analysis;
- determining at said detector node a control action;
- performing the control action.
2. The method of claim 1 characterized in that the at least one special address is provided by a network functionality 3-01 through communication for update of the contact list associated with a particular user equipment.
3. The method of claim 2 characterized in that an association is stored at database 3-05 between the contact list reference of the user equipment 1-01, object for update, and inserted special addresses.
4. The method of claim 1 characterized in that the insertion of at least one special address is made repeatedly according to a pre-defined update schedule.
5. The method of claim 1 characterized in that the insertion includes a list of names and in that the user assigns a name from the list of names to the at least one special address.
6. The method of claim 1 characterized in that the insertion of at least one special address, prior to insertion into the contact list, is first approved by the user.
7. The method of claim 1 characterized in that at least one special address is hidden for the user.
8. The method of claim 1 characterized in that the control action comprises deletion of at least a stored message.
9. The method of claim 1 characterized in that the message center 3-00 stores at sending and receiving means 3-01, for a pre-defined time period, messages received from a sender if the identifying step is positive.
10. The method of claim 9 characterized in that the storing comprises storing message identifying representation of received message.
11. The method of claim 10 characterized in that the control action at least comprises revoking of charging records associated with said identifying representations.
12. The method of claim 1 characterized by the further step of determining a distance between any two addresses and in that the step of inserting comprises insertion of the at least one special address to have a distance to any normal address exceeding a minimum distance.
13. The method of claim 12 characterized in that the distance is the Hamming distance.
14. The method of claim 1 characterized by the additional step of storing at a network node database 3-05, during set up phase, an association between the contact list reference of the user device 1-01 and the at least one special address and in that the step of identifying during communication of messages comprises retrieval from the database 3-05 of the at least one special address for comparison, at identifying means 3-02, with the receiver address in said message.
15. The method of claim 1 characterized in that said identifying is performed at MMS-C, a WAP gateway, a local network firewall, or UTM node.
16. A method for detection of malicious software installed at a user device, the device communicating messages through a communications system comprising a plurality of inter-working network nodes whereby at least one user device has a contact list of user device addresses, the malicious software acting to duplicate and spread through messages using the contact list, characterized by the steps:
- inserting, during a set up phase, at least one special address into the user device 1-01;
- identifying, at a network message center 3-00 identifying means 3-02, at least a message having a receiver address selected from the at least one special address information;
- forming a message signature based on at least a message;
- sending the signature to at least another network functionality wherein message filtering is processed based on the signature.
17. An apparatus 3-00 in a communications network for determining that a message received from sending user equipment originates from the execution at the user equipment of malicious software, characterized by:
- means 3-01 for sending and receiving a message;
- means 3-02 for identifying in a received message a special address;
- means 3-03 for communicating with a network functionality for determining at least an action related to the message;
- means 3-04 for performing a requested said at least an action.
18. The apparatus according to claim 17 characterized by: means for storing 3-01 for a pre-specified time period information representative of at least a message.
19. The apparatus according to claim 17 characterized in that said means for identifying 3-02 comprises means for comparing an address contained in the message with a database 3-05 of special addresses associated with the user equipment 1-01 contact list reference.
20. The apparatus of claim 17 characterized by means 3-01 for performing an update operation with sending user equipment 1-01, comprising sending at least a special address to the equipment for replacing a previous at least an address and at the same time updating database 3-05 to indicate the active special addresses currently in use at said user equipment.
21. The apparatus of claim 17 characterized in that said at least an action comprises forming a signature of said received message and sending through means 3-03 the signature to at least a network functionality or user equipment 1-01.
PCT/SE2007/051068 2007-12-21 2007-12-21 Detection of malicious software in communication system WO2009082306A1 (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
PCT/SE2007/051068 WO2009082306A1 (en) 2007-12-21 2007-12-21 Detection of malicious software in communication system

Publications (1)

Publication Number Publication Date
WO2009082306A1 true WO2009082306A1 (en) 2009-07-02
Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application
Ref document number: 07861163
Country of ref document: EP
Kind code of ref document: A1
DPE1 Request for preliminary examination filed after expiration of 19th month from priority date (pct application filed from 20040101)
NENP Non-entry into the national phase
Ref country code: DE
122 Ep: pct application non-entry in european phase
Ref document number: 07861163
Country of ref document: EP
Kind code of ref document: A1