GB2488524A - Detecting the presence of an unauthorised application on a telecommunications device by comparing network interactions with reference data. - Google Patents


Publication number
GB2488524A
Authority
GB
United Kingdom
Prior art keywords
mte
telecommunication device
data
unauthorised
exchanged
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Withdrawn
Application number
GB1102761.2A
Other versions
GB201102761D0 (en)
Inventor
Peter Connell
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
PRO SOLVE SERVICES Ltd
Original Assignee
PRO SOLVE SERVICES Ltd
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by PRO SOLVE SERVICES Ltd
Priority to GB1102761.2A
Publication of GB201102761D0
Publication of GB2488524A
Withdrawn

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/50 Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • G06F21/55 Detecting local intrusion or implementing counter-measures
    • G06F21/56 Computer malware detection or handling, e.g. anti-virus arrangements
    • G06F21/566 Dynamic detection, i.e. detection performed at run-time, e.g. emulation, suspicious activities
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/50 Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • G06F21/52 Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems during program execution, e.g. stack integrity; Preventing unwanted data erasure; Buffer overflow
    • G06F21/54 Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems during program execution, e.g. stack integrity; Preventing unwanted data erasure; Buffer overflow by adding security routines or objects to programs
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/50 Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • G06F21/55 Detecting local intrusion or implementing counter-measures
    • G06F21/552 Detecting local intrusion or implementing counter-measures involving long-term monitoring or reporting
    • H04L29/06918
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1408 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
    • H04L63/1416 Event detection, e.g. attack signature detection
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1441 Countermeasures against malicious traffic
    • H04L63/145 Countermeasures against malicious traffic the attack involving the propagation of malware through the network, e.g. viruses, trojans or worms
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04W WIRELESS COMMUNICATION NETWORKS
    • H04W12/00 Security arrangements; Authentication; Protecting privacy or anonymity
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04W WIRELESS COMMUNICATION NETWORKS
    • H04W12/00 Security arrangements; Authentication; Protecting privacy or anonymity
    • H04W12/12 Detection or prevention of fraud
    • H04W12/128 Anti-malware arrangements, e.g. protection against SMS fraud or mobile malware

Abstract

Embodiments of the present invention provide a method for detecting an unauthorized application in a telecommunication device, comprising initiating an operation of the telecommunication device, comparing data exchanged with the telecommunication device, as a result of the operation, against reference data, and determining whether an unauthorized application is executing in the telecommunication device according to the comparison. If the exchanged data is different from the reference data the presence of an unauthorized application is detected. The detecting method may include isolating the telecommunication device from the communication network and emulating the operation of the telecommunication device by exchanging data with a network emulator (called a Virtual Base Transceiver Station). The network type may be any operating under a cellular, Bluetooth RTM, IrDA, GPS, IEEE 802.11, IEEE 802.16 or any other standard.

Description

Apparatus and Method for Detecting Unauthorised Applications
TECHNICAL FIELD
The invention relates in general to telecommunication devices and, in particular, to a method and a system for detecting unauthorised applications in telecommunication devices.
BACKGROUND
Unauthorised applications are designed to infiltrate a telecommunication device, without the owner's informed consent, with the intention of compromising the security, affecting the operation of, and/or destroying data exchanged with the telecommunication device or contained within the device.
When an unauthorised application, such as a virus, worm, Trojan horse, adware, spyware and/or the like is installed on a telecommunication device, various techniques are used to keep it concealed and to avoid detection and disinfection.
Once installed, the unauthorised application may be used to, for example, steal data, intercept data traffic, interfere with data traffic and lead to corrupted data exchanges or infect other telecommunication devices that are able to interface with the device the unauthorised application is installed on. Unauthorised applications on telecommunication devices may even result in the location of the device being tracked through unauthorised GPS coordinate or cell ID reporting to third parties.
A typical defence against such a threat is to utilise antivirus software that can scan the telecommunication device at regular intervals for any unauthorised applications.
However, it is necessary for antivirus software to be kept updated to detect new threats and, unless said software is capable of detecting the unauthorised application, it may not provide protection.
BRIEF SUMMARY OF THE DISCLOSURE
It is an aim of embodiments of the invention to address one or more problems associated with telecommunication devices.
According to a first aspect of the invention, there is provided a method of detecting an unauthorised application in a telecommunication device, comprising initiating an operation of the telecommunication device, comparing data exchanged with the telecommunication device, as a result of the operation, against reference data and determining whether an unauthorised application is executing on the telecommunication device according to the comparison.
Thus it is possible to detect unauthorised applications that remain hidden in the device before they are covertly executed as a result of an unsuspecting user initiating an operation of a compromised telecommunication device.
In certain embodiments, the reference data comprise information indicative of one or more operations of the device and corresponding data exchanged with the device as a result of each of the operations.
In certain embodiments, the data exchanged with the telecommunication device are via a single communication medium.
In certain embodiments, the data exchanged with the telecommunication device are via a plurality of communication mediums.
In certain embodiments, the method comprises isolating the telecommunication device from one or more wired and/or wireless networks. Preferably, the method comprises emulating the operation of the one or more wired and/or wireless networks at a network emulator.
In certain embodiments, the data exchanged with the telecommunication device are determined at the network emulator.
According to a second aspect of the invention, there is provided a system for detecting an unauthorised application in a telecommunication device, comprising means for initiating an operation of the telecommunication device, means for comparing data exchanged with the telecommunication device, as a result of the operation, against reference data and means for determining whether an unauthorised application is executing on the telecommunication device according to the comparison.
BRIEF DESCRIPTION OF THE DRAWINGS
The invention will now be described, by way of example only, with reference to the accompanying drawings, in which: Fig. 1 shows a system according to an embodiment of the invention; Fig. 2 shows a method according to an embodiment of the invention; Fig. 3 shows a system according to an embodiment of the invention; Fig. 4 shows a method according to an embodiment of the invention; Fig. 5 shows a system according to an embodiment of the invention; Fig. 6 shows a method according to an embodiment of the invention.
DETAILED DESCRIPTION
Embodiments of the invention provide for the detection of unauthorised applications in a telecommunication device by initiating specifically defined operational scenarios at the device and comparing expected interface activity with actual interface activity at the device.
Fig. 1 shows a system 100 for detecting an unauthorised application in a telecommunication device 150 according to an embodiment of the invention. The system comprises a control unit 110, a Virtual Base Transceiver Station (VBTS) 120 and a reference data store 140. System 100 may optionally include a mobile terminal equipment (MTE) interface unit 130.
The control unit 110 is interfaced with the VBTS 120, the reference data store 140 and, when included, the MTE interface unit 130. Control unit 110 controls the VBTS 120 and, when included, the MTE interface 130.
An MTE 150 that is to be tested for the presence of unauthorised applications interfaces with system 100 by connecting to the VBTS 120. When MTE 150 is connected to the VBTS 120, all data exchanged with the MTE 150 and a network 180 are routed via the VBTS 120.
The reference data store 140 maintains a database of reference data. The reference data may be a baseline of data that is expected to be exchanged with the MTE 150 under normal operational conditions. For example, the baseline data may be data that is expected to be exchanged with the MTE 150 when no unauthorised applications are running in the MTE 150.
The MTE interface unit 130 operates in accordance with one or a plurality of communication standards such as, for example, the wireless Bluetooth, IrDA, GPS, IEEE 802.11 and IEEE 802.16 standards and the wired IEEE.802.3 standard. The MTE interface unit 130 is in communication with the MTE 150 via one or a plurality of MTE interfaces.
A method of detecting an unauthorised application in a telecommunication device using the system 100 will now be described with reference to the flow chart shown in fig.2.
A first step 210 comprises initiating an operation of the MTE 150.
Operations that could be initiated at the MTE 150 may, for example, be to: send a message, initiate a call, launch an internet application i.e. an application which sends and/or receives data, communicate with a third party via a wireless interface operating under a cellular, Bluetooth, IrDA, GPS, IEEE 802.11, IEEE 802.16 or other communication standard, communicate with a third party via a wired interface, operating under an IEEE 802.3, or other communication standard, run a recognised authorised application, or similar operations applicable to the MTE 150.
The operation may be initiated at the MTE 150 by, for example, manually operating MTE 150. Alternatively, if the optional MTE interface 130 is available, said operation may be initiated at the MTE 150 by the control unit 110 remotely controlling MTE 150, via the MTE interface 130, to initiate an operation.
Alternatively, the operation may be initiated at the MTE 150 as a response to traffic directed towards the MTE 150 from the VBTS 120 such as, for example, receiving a call, receiving a message, receiving a push request or similar.
In step 220, exchanged data 160 that is generated as a result of the operation and exchanged with the MTE 150 and the VBTS 120, is detected at the VBTS 120.
In step 230 the control unit 110 compares the detected data 160 with reference data that corresponds to the same operation maintained in the data store 140.
Step 240 comprises determining whether an unauthorised application is executing on the device according to the comparison of step 230. If the exchanged data 160 is different from the reference data, the presence of an unauthorised application is detected. This is because an unauthorised application that is attempting to compromise security, and/or affect the way MTE 150 operates, will be exchanging data with the network 180 that is different from the baseline data expected to be exchanged when the MTE 150 performs the selected operation. If the exchanged data 160 matches the reference data for the selected operation, the system determines that no unauthorised application is running alongside the operation.
It is to be understood that the detection process may be performed while MTE 150 is isolated from network 180. In the case of the system 100 shown in fig.1, the VBTS 120 may isolate the MTE 150 from the network 180 by disabling access to and from the network 180. Consequently, MTE 150 may be scanned for unauthorised applications and only allowed to access network 180 when it has been established that no unauthorised applications are present.
Fig. 3 shows a system 300 according to another embodiment of the invention comprising a control unit 310, a cell emulator 320, an MTE interface unit 330, a reference data store 340 and an enclosure 301.
The control unit 310 is interfaced with the cell emulator 320, the MTE interface unit 330 and the data store 340, and controls the cell emulator 320 and the MTE interface unit 330.
The cell emulator 320 is capable of emulating network activity and generating traffic in accordance with one or more of a plurality of communication standards such as, for example, the cellular GSM, UMTS and HSDPA standards. In certain embodiments, the cell emulator 320 emulates network activity and generates traffic in accordance with one of the plurality of abovementioned communication standards.
The MTE interface unit 330 operates in accordance with one or a plurality of communication standards such as, for example, the wireless Bluetooth, IrDA, GPS, IEEE 802.11 and IEEE 802.16 standards and the wired IEEE.802.3 standard. The MTE interface unit 330 is in communication with the MTE via one or a plurality of MTE interfaces.
The reference data store 340 maintains a database of reference data. The reference data may be a baseline of data that is expected to be exchanged with the MTE 350 under normal operational conditions. For example, the baseline data may be data that is expected to be exchanged with the MTE 350 when no unauthorised applications are running in the MTE 350.
The enclosure 301 contains the cell emulator 320 and the MTE interface unit 330 and provides a means for isolating any contained components from external wireless networks. The control unit 310 interfaces with the enclosed cell emulator 320 and MTE interface unit 330 via a wired interface. The enclosure 301 may be an enclosure that is substantially impenetrable to electric fields such as a Faraday shield.
A method of detecting an unauthorised application in a telecommunication device using system 300 will now be described with reference to the flow chart shown in fig.4.
A first step 402 comprises isolating MTE 350 from wireless and/or wired networks. In the embodiment illustrated in fig.3, isolation of the MTE 350 is achieved by placing the MTE into the enclosure 301.
In step 404, the cell emulator 320 emulates the network operation of a cellular network.
This provides a means for the MTE 350 to interface with the system 300 by connecting to the emulated network. The MTE 350 is further interfaced with the MTE interface unit 330 that provides a second means for interfacing with the system 300.
Step 410 comprises initiating an operation of the MTE 350.
Examples of operations that could be initiated at the MTE may be to: send a message, initiate a call, launch an internet application, communicate with a third party via a wireless interface, operating under a cellular, Bluetooth, IrDA, GPS, IEEE 802.11, IEEE 802.16 or other communication standard, communicate with a third party via a wired interface, operating under an IEEE 802.3, or other communication standard, run a recognised authorised application, or similar operations of the MTE 350.
The operation may be initiated at MTE 350 by, for example, manually operating MTE 350, by an operator operating from within the enclosure 301, or by the control unit 310 remotely controlling MTE 350, via the MTE interface unit 330, to initiate an operation.
Alternatively, the operation may be initiated at the MTE 350 as a response to traffic generated by the cell emulator 320 and directed towards the MTE 350 such as, for example, receiving a call, receiving a message, receiving a push request or similar.
In step 420, exchanged data 360 that is generated as a result of the operation and exchanged between the MTE 350 and the cell emulator 320 and/or the MTE interface unit 330, is detected at the cell emulator 320 and/or the MTE interface unit 330. The two points of detection enable the system 300 to, for example, detect all data that has been exchanged as a result of an operation that is generating normal traffic across the cellular network, but, due to the presence of an unauthorised application, is also generating traffic across a Bluetooth interface.
In step 430 the control unit 310 compares the intercepted data 360 with reference data that corresponds to the same operation maintained in the data store 340.
Step 440 comprises determining whether an unauthorised application is executing on the device according to the comparison of step 430. If the exchanged data 360 is different from the reference data, the presence of an unauthorised application is detected. This is because an unauthorised application that is attempting to compromise security, and/or affect the way MTE 350 operates, will be exchanging data that is different from the baseline data expected to be exchanged when the MTE performs the selected operation.
If the exchanged data 360 matches the reference data for the selected operation, the system determines that no unauthorised application is running alongside the operation.
Fig. 5 shows a system 500 according to another embodiment of the invention comprising a control unit 510, a cell receiver 520, an MTE interface unit 530 and a reference data store 540. This embodiment differs from the embodiments described previously in that the cell receiver 520 is listening into the communication between an MTE 550 and a cellular network 580 rather than directly interfacing with the MTE 550.
The control unit 510 is interfaced with the cell receiver 520, the MTE interface unit 530 and the data store 540, and controls the cell receiver 520 and the MTE interface unit 530. The cell receiver 520 detects network activity that has been generated in accordance with one or a plurality of communication standards such as, for example, the cellular GSM, UMTS and HSDPA standards.
The MTE interface unit 530 operates in accordance with one or a plurality of communication standards such as, for example, the wireless Bluetooth, IrDA, GPS, IEEE 802.11 and IEEE 802.16 standards and the wired IEEE.802.3 standard. The MTE interface unit 530 is in communication with the MTE 550 via one or a plurality of MTE 550 interfaces.
The reference data store 540 maintains a database of reference data. The reference data may be a baseline of data that is expected to be exchanged with the MTE 550 under normal operational conditions. For example, the baseline data may be data that is expected to be exchanged with the MTE 550 when no unauthorised applications are running in the MTE 550.
A method of detecting an unauthorised application in a telecommunication device using system 500 will now be described with reference to the flow chart shown in fig.6.
A first step 610 comprises initiating an operation of the MTE 550.
Operations that could be initiated at the MTE 550 may, for example, be to: send a message, initiate a call, launch an internet application, communicate with a third party via a wireless interface operating under a cellular, Bluetooth, IrDA, GPS, IEEE 802.11, IEEE 802.16 or other communication standard, communicate with a third party via a wired interface, operating under an IEEE 802.3, or other communication standard, run a recognised authorised application, or similar operations applicable to the MTE 550.
The operation may be initiated at the MTE 550 by, for example, manually operating the MTE 550, or by the control unit 510 remotely controlling the MTE 550, via the MTE interface 530, to initiate an operation.
In step 620, exchanged data 560 that is generated as a result of the operation and exchanged with the MTE 550, is detected at the cell receiver 520 and/or at the MTE interface unit 530. The two points of detection enable the system 500 to, for example, detect all data that has been exchanged as a result of an operation that is generating normal traffic across the cellular network, but, due to the presence of an unauthorised application, is also generating traffic across a Bluetooth interface.
In step 630 the control unit 510 compares the detected and/or intercepted data 560 with reference data that corresponds to the same operation maintained in the data store 540.
Step 640 comprises determining whether an unauthorised application is executing on the device according to the comparison of step 630. If the exchanged data 560 is different from the reference data, the presence of an unauthorised application is detected. This is because an unauthorised application that is attempting to compromise security, and/or affect the way the MTE 550 operates, will be exchanging data with the network 580 that is different from the baseline data expected to be exchanged when MTE 550 performs the selected operation. If the exchanged data 560 matches the reference data for the selected operation, the system determines that no unauthorised application is running alongside the operation.
As will be appreciated by those skilled in the art, a user testing the MTE 150, 350 or 550 may wish to repeat steps 210 to 240, 410 to 440, or 610 to 640 of any of the above mentioned methods for a different known operation, until he is satisfied that no unauthorised applications are running or would be running on the MTE under normal operational scenarios.
Embodiments of the invention may be used to run various test scenarios. In a test scenario, the MTE 150, 350, 550 is operated, either manually or via the MTE interface 130, 330, 530, to perform a series of operations. For example, the MTE 150, 350, 550 may be operated to call a series of telephone numbers. The series of telephone numbers may be stored in a phonebook of the MTE 150, 350, 550. The MTE 150, 350, 550 may then be monitored during the scenario to determine if an unauthorised application is executing on the MTE 150, 350, 550. For example, the MTE 150, 350, 550 may be monitored by the VBTS 120 in Figure 1, the cell emulator and/or MTE interface in Figure 3, or the cell receiver 520 and/or MTE interface(s) 530 in Figure 5 to determine if data exchanged with the MTE 150, 350, 550 matches the reference data. For example, the control unit 110, 310, 510 may determine if the MTE 150, 350, 550 attempts to perform an operation such as connecting to a website to send data to the website indicative of the numbers called by the MTE 150, 350, 550. Such activity would indicate the presence of an unauthorised application on the MTE 150, 350, 550. Another test scenario is the control unit 110, 310, 510 sending a series of text messages to the MTE 150, 350, 550 via network 180, 580 or cell emulator 320. The control unit 110 may then determine if any of the sent text messages are sent to another destination by the MTE 150, 350, 550, such as being forwarded over MTE interface 130, 330, 530 or via network 180, 580 or to cell emulator 320.
It will be appreciated that embodiments of the invention allow the detection of unauthorised applications executing on telecommunication equipment, such as mobile telephones and other equipment which exchange data with a communications network.
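The comparison and determination steps (230/240, 430/440, 630/640) and the two test scenarios above can be sketched as follows. This is an added illustration, not part of the patent specification: the `Exchange` record format, the operation names, the phone numbers and the host name are all constructed assumptions, and data from every detection point is merged before being compared with the reference data for the operation.

```python
from collections import Counter
from dataclasses import dataclass
from typing import NamedTuple


@dataclass(frozen=True, order=True)
class Exchange:
    """One normalised unit of exchanged data (hypothetical record format)."""
    interface: str  # medium at the detection point: "cellular", "bluetooth", ...
    direction: str  # "tx" = sent by the MTE, "rx" = received by the MTE
    kind: str       # "call_setup", "sms", "http", "data", ...
    peer: str       # dialled number, message destination or host


class Verdict(NamedTuple):
    unauthorised_detected: bool
    unexpected: list  # observed, but absent from the reference data
    missing: list     # in the reference data, but never observed


def compare(operation, captures, reference_store):
    """Diff the data seen at all detection points against the baseline.

    `captures` holds one list of Exchange records per detection point
    (e.g. cell emulator and MTE interface unit). Multisets are used so
    that a message sent twice is not hidden by one expected copy.
    """
    if operation not in reference_store:
        # No baseline means no verdict; never report "clean" by default.
        raise KeyError(f"no reference data for operation {operation!r}")
    observed = Counter()
    for capture in captures:
        observed.update(capture)
    expected = Counter(reference_store[operation])
    unexpected = sorted((observed - expected).elements())
    missing = sorted((expected - observed).elements())
    # Strict reading of the text: any difference counts as a detection.
    return Verdict(bool(unexpected or missing), unexpected, missing)


# --- Constructed sample data (not taken from the patent) -----------------
PHONEBOOK = ["+447700900001", "+447700900002"]

REFERENCE = {
    # Scenario 1: call each phonebook entry; only call set-up is expected.
    "call_phonebook": [Exchange("cellular", "tx", "call_setup", n)
                       for n in PHONEBOOK],
    # Scenario 2: the control unit sends a text message to the MTE.
    "receive_sms": [Exchange("cellular", "rx", "sms", "control-unit")],
}

CLEAN_CELL = list(REFERENCE["call_phonebook"])
# Same calls, plus an upload of the dialled numbers to a website ...
LEAKY_CELL = CLEAN_CELL + [Exchange("cellular", "tx", "http", "upload.example")]
# ... and extra traffic that is only visible on the second detection point.
LEAKY_BLUETOOTH = [Exchange("bluetooth", "tx", "data", "unknown-peer")]
# Received text message is forwarded to another destination.
FORWARDED_SMS = [
    Exchange("cellular", "rx", "sms", "control-unit"),
    Exchange("cellular", "tx", "sms", "+447700900099"),
]


def run_scenarios():
    """Run the constructed scenarios and return a verdict for each."""
    return {
        "clean calls": compare("call_phonebook", [CLEAN_CELL, []], REFERENCE),
        "leaky calls": compare("call_phonebook",
                               [LEAKY_CELL, LEAKY_BLUETOOTH], REFERENCE),
        "forwarded sms": compare("receive_sms", [FORWARDED_SMS], REFERENCE),
    }


if __name__ == "__main__":
    for name, verdict in run_scenarios().items():
        print(f"{name}: detected={verdict.unauthorised_detected}")
        for item in verdict.unexpected:
            print(f"  unexpected: {item}")
        for item in verdict.missing:
            print(f"  missing:    {item}")
```

In practice the normalisation into `Exchange` records decides the false-positive rate: fields that legitimately vary between runs (timing, sequence numbers) have to be excluded before the comparison, or a clean device will never match its baseline.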
The detection may be performed in a non-invasive manner i.e. without requiring modification of the telecommunication equipment, such as by installing one or more software components on the telecommunication equipment.
It will be appreciated that embodiments of the present invention can be realised in the form of hardware, software or a combination of hardware and software. Any such software may be stored in the form of volatile or non-volatile storage such as, for example, a storage device like a ROM, whether erasable or rewritable or not, or in the form of memory such as, for example, RAM, memory chips, device or integrated circuits or on an optically or magnetically readable medium such as, for example, a CD, DVD, magnetic disk or magnetic tape. It will be appreciated that the storage devices and storage media are embodiments of machine-readable storage that are suitable for storing a program or programs that, when executed, implement embodiments of the present invention. Accordingly, embodiments provide a program comprising code for implementing a system or method as claimed in any preceding claim and a machine readable storage storing such a program. Still further, embodiments of the present invention may be conveyed electronically via any medium such as a communication signal carried over a wired or wireless connection and embodiments suitably encompass the same.
All of the features disclosed in this specification (including any accompanying claims, abstract and drawings), and/or all of the steps of any method or process so disclosed, may be combined in any combination, except combinations where at least some of such features and/or steps are mutually exclusive.
Each feature disclosed in this specification (including any accompanying claims, abstract and drawings), may be replaced by alternative features serving the same, equivalent or similar purpose, unless expressly stated otherwise. Thus, unless expressly stated otherwise, each feature disclosed is one example only of a generic series of equivalent or similar features.
The invention is not restricted to the details of any foregoing embodiments. The invention extends to any novel one, or any novel combination, of the features disclosed in this specification (including any accompanying claims, abstract and drawings), or to any novel one, or any novel combination, of the steps of any method or process so disclosed. The claims should not be construed to cover merely the foregoing embodiments, but also any embodiments which fall within the scope of the claims.

Claims (14)

  1. A method of detecting an unauthorised application in a telecommunication device, comprising: initiating an operation of the telecommunication device; comparing data exchanged with the telecommunication device, as a result of the operation, against reference data; determining whether an unauthorised application is executing on the telecommunication device according to the comparison.
  2. The method of claim 1, wherein the reference data comprise information indicative of one or more operations of the device and corresponding data exchanged with the device as a result of each of the operations.
  3. The method of claim 1 or claim 2, wherein the data exchanged with the telecommunication device are via a single communication medium.
  4. The method of claim 1 or claim 2, wherein the data exchanged with the telecommunication device are via a plurality of communication mediums.
  5. The method of any preceding claim further comprising isolating the telecommunication device from wired and wireless networks; and emulating the operation of the wired and wireless networks at a network emulator.
  6. The method of claim 5, wherein the data exchanged with the telecommunication device are detected at the network emulator.
  7. A system for detecting an unauthorised application in a telecommunication device, comprising: means for initiating an operation of the telecommunication device; means for comparing data exchanged with the telecommunication device, as a result of the operation, against reference data; means for determining whether an unauthorised application is executing on the telecommunication device according to the comparison.
  8. The system of claim 7, wherein the reference data comprise information indicative of one or more operations of the device and corresponding data exchanged with the device as a result of each of the operations.
  9. The system of claim 7 or claim 8, wherein the data exchanged with the telecommunication device are via a single communication medium.
  10. The system of claim 7 or claim 8, wherein the data exchanged with the telecommunication device are via a plurality of communication mediums.
  11. The system of any preceding claim further comprising means for isolating the telecommunication device from wired and wireless networks; and a network emulator to emulate the operation of the wired and wireless networks.
  12. The system of claim 11, wherein the data exchanged with the telecommunication device are detected at the network emulator.
  13. A method substantially as described herein and/or with reference to the accompanying figures.
  14. A system substantially as described herein and/or with reference to the accompanying figures.
GB1102761.2A 2011-02-17 2011-02-17 Detecting the presence of an unauthorised application on a telecommunications device by comparing network interactions with reference data. Withdrawn GB2488524A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
GB1102761.2A GB2488524A (en) 2011-02-17 2011-02-17 Detecting the presence of an unauthorised application on a telecommunications device by comparing network interactions with reference data.

Publications (2)

Publication Number Publication Date
GB201102761D0 GB201102761D0 (en) 2011-03-30
GB2488524A GB2488524A (en) 2012-09-05

Family

ID=43859553

Family Applications (1)

Application Number Title Priority Date Filing Date
GB1102761.2A Withdrawn GB2488524A (en) 2011-02-17 2011-02-17 Detecting the presence of an unauthorised application on a telecommunications device by comparing network interactions with reference data.

Country Status (1)

Country Link
GB (1) GB2488524A (en)

Citations (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US6981279B1 (en) * 2000-08-17 2005-12-27 International Business Machines Corporation Method and apparatus for replicating and analyzing worm programs
EP1971102A1 (en) * 2007-03-14 2008-09-17 Deutsche Telekom AG Method and system for monitoring communication devices to detect malicious software
JP2009182722A (en) * 2008-01-30 2009-08-13 Duaxes Corp Monitoring device
US20090241173A1 (en) * 2008-03-19 2009-09-24 Websense, Inc. Method and system for protection against information stealing software
US20100011029A1 (en) * 2008-07-14 2010-01-14 F-Secure Oyj Malware detection
CN101784054A (en) * 2009-01-20 2010-07-21 华为终端有限公司 Method for preventing rogue software of mobile phone, terminal, server and system thereof

Also Published As

Publication number Publication date
GB201102761D0 (en) 2011-03-30

Similar Documents

Publication Publication Date Title
EP3375159B1 (en) Dynamic honeypot system
US11546371B2 (en) System and method for determining actions to counter a cyber attack on computing devices based on attack vectors
US9686236B2 (en) Mobile telephone firewall and compliance enforcement system and methods
CN104933362B (en) Android application software API misapplies class leak automated detection method
US9065846B2 (en) Analyzing data gathered through different protocols
US8225393B2 (en) Apparatus for restricting access to application module in mobile wireless device and method of restricting access to application module using the same
EP2562673B1 (en) Apparatus and method for securing mobile terminal
US8479288B2 (en) Method and system for providing a honeypot mode for an electronic device
US8443439B2 (en) Method and system for mobile network security, related network and computer program product
CN104376263B (en) The method and apparatus that application behavior intercepts
US20130055387A1 (en) Apparatus and method for providing security information on background process
Penning et al. Mobile malware security challenges and cloud-based detection
EP2680182A1 (en) Mobile device and method to monitor a baseband processor in relation to the actions on an application processor
GB2461870A (en) Database of expected application behaviours distributed to mobile devices and used for malware detection
CN1869927B (en) Device controller, method for controlling a device, and program therefor
US9351167B1 (en) SMS botnet detection on mobile devices
Seo et al. Analysis on maliciousness for mobile applications
CN108566643A (en) APP access control methods, system, terminal device and storage medium
KR101715179B1 (en) Cloud computing based mobile security system and method through user behavior event
CA2593991C (en) Method and system for providing a honeypot mode for an electronic device
US9948672B2 (en) Simulating unauthorized use of a cellular communication network
GB2488524A (en) Detecting the presence of an unauthorised application on a telecommunications device by comparing network interactions with reference data.
Wen et al. Thwarting Smartphone SMS Attacks at the Radio Interface Layer.
US20210409432A1 (en) Automatic identification of applications that circumvent permissions and/or obfuscate data flows
Ugus et al. A leaky bucket called smartphone

Legal Events

Date Code Title Description
WAP Application withdrawn, taken to be withdrawn or refused ** after publication under section 16(1)