KR20240041505A - Method and apparatus for preventing sim box fraud in mobile communication network using device fingerprinting - Google Patents

Abstract

A method and device for blocking SIM boxes using a control plane message-based fingerprint of a mobile communication network terminal are presented. A SIM box blocking method using a fingerprint based on a control plane message of a mobile communication network terminal performed by a computer device according to an embodiment includes the steps of extracting features from a control plane message transmitted by the terminal to a mobile communication network; Collecting terminal characteristics considering settings within the terminal that can be changed by the user; Reducing the feature space using the collected features; and blocking the SIM box using the generated fingerprint.

Description

Method and device for blocking SIM BOX using control plane message-based fingerprint of mobile communication network terminal {METHOD AND APPARATUS FOR PREVENTING SIM BOX FRAUD IN MOBILE COMMUNICATION NETWORK USING DEVICE FINGERPRINTING}

The following embodiments relate to a method and device for blocking a SIM box using a control plane message-based fingerprint of a mobile communication network terminal. More specifically, a method and device for blocking a SIM box using a fingerprint based on a control plane message of a mobile communication network terminal detects when an unauthorized SIM box is connected to the mobile communication network. This relates to a method and device for blocking SIM boxes using a control plane message-based fingerprint.

Bypass fraud has plagued mobile networks around the world for the past two decades, causing significant financial damage to Mobile Network Operators (MNOs). SIM boxes are at the center of these bypass fraud attacks because they interconnect mobile cellular networks with low-cost Voice-over-IP (VoIP) sessions in a way that mobile network operators (MNOs) typically do not approve.

Most notably, interconnection bypass scams utilize low-cost VoIP connections for callers using SIM boxes deployed in the country where the caller is located, while bypassing international call billing. This illegal activity is particularly prevalent in developing countries, where international call rates are much higher than local call rates due to lack of infrastructure support. The main reason SIM boxes are useful in this attack is because they provide local mobile network operators (MNOs) with a means to bypass their charging systems.

Recently, a new type of criminal activity using SIM boxes has proliferated. Organized crime groups quickly learned that SIM boxes could be used to carry out financial fraud or voice phishing targeting people in specific countries, while remaining outside the legal confines of the victims' country. Fraud calls made through SIM boxes display local phone numbers on the target cell phone's caller ID, making them much less suspicious than traditional VoIP-based scam calls. While these financial scams typically target developed countries (countries where the expected financial gains are expected to be large), their operations take place in less regulated countries. In 2020, there were more than 256,000 phone scams worth about $18.6 billion in China. Not only China but also Korea suffered significant losses of approximately $600 million due to fraudulent calls. For simplicity, we will refer to fraud using SIM boxes here as “SIM box fraud.”

Security researchers have proposed several interesting countermeasures to detect calls passing through SIM boxes based on call data and voice call quality. It first accepts all calls (including fraud) and then starts monitoring SIM box calls and/or long-term behavior of SIM box operations. These solutions primarily leverage the properties of individual SIMs or call sessions.

Meanwhile, one basic approach that has not attracted much attention is to detect the SIM box device itself at the network layer when connecting to a mobile network. A pure approach for this is to use the International Mobile Equipment Identity (IMEI), a basic device identifier designed and used for decades to identify device models. In particular, mobile networks can check the device model based on the reported International Mobile Equipment Identity (IMEI) and deny access if the device is a SIM box. However, the International Mobile Equipment Identification Code (IMEI) is a value reported by the mobile communication terminal to the network, and there is no way to determine whether it has been tampered with. In fact, it is well known that International Mobile Equipment Identity (IMEI) is easily altered and spoofed. For example, many SIM boxes feature International Mobile Equipment Identity (IMEI) spoofing.

M. Kotuliak, S. Erni, P. Leu, M. Roeschlin, and S. Capkun. Ltrack: Stealthy tracking of mobile phones in lte. In USENIX Security, 2022.

Embodiments describe a SIM box blocking method and device using a control plane message-based fingerprint of a mobile communication network terminal, and more specifically, detecting when an unauthorized SIM box is connected to a mobile communication network and applying it to the current mobile communication system. Provides possible access control policy techniques.

Embodiments are mobile communication network terminals that determine whether the international mobile device identification code (IMEI) has been illegally changed or is a terminal mainly used for voice phishing through an access control policy and block the illegal terminals from accessing the mobile communication network. The aim is to provide a method and device for blocking SIM boxes using a control plane message-based fingerprint.

A SIM box blocking method using a fingerprint based on a control plane message of a mobile communication network terminal performed by a computer device according to an embodiment includes the steps of extracting features from a control plane message transmitted by the terminal to a mobile communication network; Collecting terminal characteristics considering settings within the terminal that can be changed by the user; Reducing the feature space using the collected features; and blocking the SIM box using the generated fingerprint.

Extracting features from the control plane message includes converting the content of the control plane message into a key-value representation structure; defining a feature as a key in the converted key value expression structure and generating a feature vector based on the key value list; and configuring a fingerprint of the terminal after additional analysis of the feature vector.

The control plane message includes ATTACH Request and UECapabilityInformation, and the control plane message can be collected repeatedly and features can be extracted for each terminal.

Reducing the feature space includes removing unspecified features whose values are not constant in the terminal; Filtering features with consistent values in all terminals; And after filtering, the remaining features may include forming a cluster that groups features that contribute equally to the fingerprint configuration of the terminal.

A SIM box blocking device using a fingerprint based on a control plane message of a mobile communication network terminal according to another embodiment includes a feature extractor for extracting features from a control plane message transmitted by the terminal to a mobile communication network; a feature collection unit that collects terminal characteristics considering settings within the terminal that can be changed by the user; a feature space reduction unit that reduces the feature space using the collected features; and a SIM box blocking unit that uses the generated fingerprint.

The feature extractor converts the content of the control plane message into a key-value expression structure, defines a feature as a key in the converted key-value expression structure, and defines a feature vector based on the key-value list. , and after further analysis of the feature vector, a fingerprint of the terminal can be constructed.

The control plane message includes ATTACH Request and UECapabilityInformation, and the control plane message can be repeatedly collected and features extracted for each terminal.

The feature space reduction unit removes unspecified features whose values are not constant for the terminal, filters features with consistent values in all terminals, and makes the same contribution to the fingerprint configuration of the terminal for the remaining features after filtering. You can form a cluster that groups together the features.

A method of preventing SIM box fraud using a control plane message-based fingerprint of a mobile communication network terminal performed by a computer device according to another embodiment provides an access control list (ACL) for voice calls in a mobile communication network. The step of providing an access control list (ACL) for a voice call may include identifying the authenticity of the reported International Mobile Equipment Identity (IMEI) of the terminal.

If the authenticity of the International Mobile Equipment Identification Code (IMEI) is not identified, the method may further include checking whether the subscribed rate plan of the terminal matches the device type.

According to embodiments, the international mobile device identification code (IMEI) is determined through an access control policy to determine whether the international mobile device identification code (IMEI) has been illegally changed or whether the terminal is mainly used for voice phishing and blocks the illegal terminals from accessing the mobile communication network. A method and device for blocking a SIM box using a control plane message-based fingerprint of a communication network terminal can be provided.

1 is a diagram for explaining a SIM box according to an embodiment.
Figure 2 is a flowchart showing a method of blocking a SIM box using a fingerprint based on a control plane message of a mobile communication network terminal according to an embodiment.
Figure 3 is a block diagram showing a SIM box blocking device using a control plane message-based fingerprint of a mobile communication network terminal according to an embodiment.
Figure 4 is a diagram for explaining a method of extracting features from a message according to an embodiment.
Figure 5 is a diagram illustrating an outline of a feature pruning procedure according to an embodiment.
Figure 6 is a flowchart showing a method for preventing SIM box fraud using a control plane message-based fingerprint of a mobile communication network terminal according to an embodiment.
Figure 7 is a block diagram showing a SIM box fraud prevention system using a control plane message-based fingerprint of a mobile communication network terminal according to an embodiment.
Figure 8 shows an operation flowchart of a method for verifying IMEI and detecting an unauthenticated terminal according to an embodiment.
Figure 9 shows an example of using a decision tree according to one embodiment.
Figure 10 shows an example of a decision tree that classifies baseband manufacturers according to an active probing message and its response, according to an embodiment.
Figure 11 schematically illustrates the process of extracting fingerprints for each terminal and building a database according to an embodiment.
Figure 12 schematically illustrates the IMEI verification process for an arbitrary terminal according to an embodiment.
Figure 13 is a block diagram showing the detailed configuration of an IMEI verification and unauthenticated terminal detection system according to an embodiment.

Hereinafter, embodiments will be described with reference to the attached drawings. However, the described embodiments may be modified into various other forms, and the scope of the present invention is not limited to the embodiments described below. In addition, various embodiments are provided to more completely explain the present invention to those with average knowledge in the art. The shapes and sizes of elements in the drawings may be exaggerated for clearer explanation.

SIM boxes have played a key role in an underground ecosystem of international fraud that has swindled billions of dollars from individual victims and mobile carriers around the world. Many mitigation schemes have been proposed against this fraud, mainly aimed at detecting fraudulent call sessions. However, one straightforward approach to this problem (preventing SIM box devices from connecting to the network through device identification) has not received much attention despite high expectations.

The examples below propose a simple access control policy that detects when an unauthorized SIM box connects to a mobile network and deploys it to the current system. The key to the defense proposal according to embodiments is to create an accurate fingerprint of the device model, without relying on self-reported claims from the device that can be easily tampered with. Here, the device model may mean a terminal, for example, a smartphone. For example, it is to distinguish between iPhone 13 and SIM box models on the market. Embodiments show that most fingerprints generated based on more than 30,000 features collected from more than 80 smartphones do not overlap with each other and exhibit unique characteristics, thereby preventing most illegal SIM boxes from making unauthorized voice calls. Experience shows that it can be used. The proposal according to the embodiments is the first practical and reliable unauthorized cellular device model detection method that can alleviate the problem of SIM box fraud.

Rather than using the unreliable International Mobile Equipment Identifier (IMEI), embodiments propose utilizing features extracted from control plane messages exchanged during the initial connection procedure to identify the device model. Examples show that individual smartphone models can be accurately fingerprinted (identified) based on features within control plane messages. This allows you to 1) obtain a specific fingerprint for a given smartphone and 2) verify that the device model indicated by the International Mobile Equipment Identity (IMEI) matches the one obtained from the fingerprint.

Experimental results according to the embodiments show that the smartphone fingerprint is unique. The dataset contains fingerprints based on features within 201 control plane messages from 96 different mobile devices, with multiple options considered, including 80 unique smartphone models, 10 IoT devices, and 6 LTE-compatible SIM boxes. there is. Embodiments show that smartphone manufacturers and baseband suppliers independently and jointly produce a variety of unique device features and configurations to create a unique fingerprint for a smartphone.

As such, embodiments present a fingerprint-based access control mechanism to prevent SIM box fraud that can be easily applied in mobile communication networks. Embodiments present specific recommendations for a mobile network operator's (MNO) internal network operation policy for IoT devices, including SIM boxes. The proposed access control policy successfully prevents most SIM box fraud use cases. This shows that smartphone impersonation through fingerprint manipulation is impossible due to the smartphone's advanced network functions that cannot be easily manipulated with a SIM box.

Mobile network and SIM box

Before describing the defense system against SIM box fraud, we first provide a brief overview of how mobile network operators (MNOs) in mobile networks manage heterogeneous devices (e.g., smartphones, wearables, IoT, and SIM boxes). We then briefly explain the functions that SIM boxes perform in mobile networks and the use cases in which they are actually used.

An LTE network may include user equipment (User Equipment, UE), a base station (evolved Node B, eNB), and an evolved packet core (EPC). UE is an end device that provides data and voice services to end users. eNB is a base station that provides wireless connectivity to the UE using the Radio Resource Control (RRC) protocol. The EPC is the core of the network, including the Mobility Management Entity (MME) for user authentication and session/identification code management. The Mobility Management Entity (MME) communicates with the UE via the Non-Access-Stratum (NAS) protocol to perform these management functions. The Mobility Management Entity (MME) is responsible for authenticating users and managing keys, sessions, and identification codes.

For example, the transient C-RNTI is used at the physical layer and the International Mobile Equipment Identity (IMEI) is stored at the baseband. Among them, the International Mobile Equipment Identity (IMEI) is the most device model-specific (and therefore most permanent) identifier of the device handset itself. This 15-digit identification code provides a globally unique ID for each individual device. In particular, the first eight digits of the International Mobile Equipment Identity (IMEI), called the Type Allocation Code (TAC), indicate the exact model of the individual device that carries it. For example, TAC=35684610 represents Samsung Galaxy Fold 5G.

The TAC system of International Mobile Equipment Identity (IMEI) is used for marketing (to customize products and upgrades for different device models), market identification (to understand the relationship between device models and revenue), and service differentiation (for different types of devices). It is critical to a variety of business and operational applications in the mobile ecosystem, including network planning (to provide different qualities of service to 500 devices) and network planning (to optimize network performance and efficiency).

The identification procedure is used by the Mobility Management Entity (MME) to request a specific UE to provide a specific identifier. When a UE wants to connect to the network, the Mobility Management Entity (MME) can receive the International Mobile Equipment Identity (IMEI) from the UE in two ways. First, the Mobility Management Entity (MME) sends a NAS Identity Request message to the UE, and the UE may send an International Mobile Equipment Identity (IMEI) NAS Identity Response message to the Mobility Management Entity (MME). Since the International Mobile Equipment Identity (IMEI) should not be transmitted in plain text, NAS Identity request/response messages are exchanged after establishing a security context. Another way to obtain the International Mobile Equipment Identity (IMEI) is to use the NAS Security Mode Command message. In the message, the Mobility Management Entity (MME) queries the IMEISV (International Mobile Equipment Identity - Software Version) and the UE sends a NAS Security Mode Complete message containing the International Mobile Equipment Identity (IMEI).

The International Mobile Equipment Identity (IMEI) reported by the UE allows mobile network operators (MNOs) to determine and track the device model a user is currently using. Additionally, a mobile network operator (MNO) can administratively use the International Mobile Equipment Identity (IMEI) to allow or deny the UE's access to network resources. Despite the fact that the International Mobile Equipment Identity (IMEI) is an important identifier for a device, anyone with malicious intent can simply forge the International Mobile Equipment Identity (IMEI) of a UE. On commercial smartphones, the International Mobile Equipment Identity (IMEI) can be changed using the file system modification tool. Additionally, users with software-based LTE equipment that combines an open-source LTE stack and software-defined radio (SDR) can easily modify their device's International Mobile Equipment Identity (IMEI) with minimal source code modification. Additionally, SIM box manufacturers typically provide a means for users to change various device information, including the International Mobile Equipment Identity (IMEI).

1 is a diagram for explaining a SIM box according to an embodiment.

A SIM box is a VoIP gateway device containing multiple SIM cards 111 used to connect to a local mobile network. As shown in Figure 1, a mobile network operator (MNO) may insert a plurality of SIM cards (e.g., 8 slots) 111 into a SIM box. A large SIM box can hold hundreds of SIM cards 111 or more in one device. The baseband chipset 120 corresponding to the SIM slot 110 is represented by a plate, and each SIM slot and baseband chipset pair uses one antenna port 130 among several antenna ports, which includes one antenna ( 140) is connected.

A typical international call is routed through a regulated interconnection between the sender and recipient. In an interconnect bypass scam, international calls bypass these regulated interconnects (and thus skip charging for the foreign call) and are routed to the destination network via low-cost IP voice calls. This is possible because the SIM box acts as a gateway between the mobile network and VoIP, transferring VoIP calls to mobile network calls. According to a recent survey, interconnection bypass fraud using SIM boxes is contributing to the fourth largest fraud in the telecommunications industry, with losses increasing from $2.71 billion in 2019 to $3.11 billion in 2021.

SIM boxes are also used to carry out voice scams or phishing attacks. By impersonating other people, such as close family members, co-workers, or law enforcement officers, criminals increase financial fraud. Perpetrators are often organized crime groups, and callers are usually placed outside the legal boundaries of where the victims are. The main advantage of using SIM boxes in these scams is that scammers can display local phone numbers (unsuspecting VoIP numbers) on victims' caller ID screens. Using local phone numbers is expected to increase the success rate of fraudsters' calls. Combined with artificial intelligence voice cloning technology, voice fraud has become a real threat to businesses and individuals. It explains, for example, how in 2020, a bank manager in Hong Kong transferred $35 million to a voice impersonator posing as his boss. If the call had reached the victim with a traditional VoIP caller ID, the bank manager would have been suspicious and the fraud would have been avoided.

Embodiments consider SIM Box fraud attacks such as interconnect bypass fraud and voice scam. The immediate goal of a SIM box fraud attack is to operate a SIM box and have unblocked access to voice calls through the local mobile network operator (MNO). A legitimate means for attackers to modify the International Mobile Equipment Identity (IMEI) reported by the SIM box to impersonate the smartphone model and connect to the network of a commercial mobile network operator (MNO) with a legitimately issued local SIM. Assume you have. Embodiments consider prepaid SIM for SIM box operation as in an actual SIM box fraud attack. This is because it is easy to obtain and easy to withdraw without a credit check. It does not take into account supply chain attackers who could directly or indirectly influence device manufacturers or baseband suppliers to tamper with devices and baseband implementations.

The goal according to embodiments is to detect when a SIM box device is connected to a mobile network requesting permission for unauthorized voice calls. To strictly prevent such unauthorized access, embodiments propose a simple access control policy for mobile network operators (MNOs) to deploy and enforce for all devices connected to the system. Embodiments aim to provide precise and granular access control for SIM boxes, for example telemarketing, since not all SIM box calls are illegal. Embodiments anticipate that SIM boxes for legitimate applications will be pre-registered (e.g., self-registered with the carrier) with each mobile network operator (MNO) to allow voice call access. The SIM box unit detection method according to embodiments is independent (orthogonal) of the existing SIM box call detection method, and they can be used together to complement each other. For example, approaches according to embodiments could potentially prevent many fraudulent calls made through a SIM box before the call is even made.

Because the International Mobile Equipment Identity (IMEI), the de facto standard device model identification, is known to be easily spoofed, strict access control at the entry point (i.e., UE attachment) of a mobile network has been considered difficult. Therefore, security policies based on International Mobile Equipment Identity (IMEI) may give operators, regulators, and end users a false sense of security due to the risk of malicious access missing to the system.

To solve this problem and design reliable and practical access control for mobile communication networks, mobile network operators (MNOs) utilize auxiliary information found in control plane messages when a mobile device connects to the network. Using the new auxiliary information along with the reported International Mobile Equipment Identity (IMEI) and the rate plan in use, embodiments can build a simple access control policy that is effective in preventing most unauthorized SIM box calls at low cost. .

The SIM box is a device widely used in voice phishing, which is currently a hot issue. It is a device that provides a VoIP gateway function that changes Internet calls into mobile phones. The SIM box has a baseband like other terminals, so when connected to a mobile communication network, the network recognizes it as a normal terminal. However, connecting the equipment to a mobile communication network and providing normal services leads to major problems such as an increase in the risk of users being exposed to voice phishing and a decrease in profits for mobile communication companies.

Embodiments determine whether the international mobile device identification code (IMEI) has been illegally changed or a terminal is mainly used for voice phishing through an access control policy and block the illegal terminals from accessing the mobile communication network.

Figure 2 is a flowchart showing a method of generating a fingerprint based on a control plane message of a mobile communication network terminal according to an embodiment.

Referring to FIG. 2, the method of generating a fingerprint based on a control plane message of a mobile communication network terminal performed by a computer device according to an embodiment includes extracting features from a control plane message transmitted by the terminal to the mobile communication network (S110). , collecting terminal features considering settings within the terminal that can be changed by the user (S120), reducing the feature space using the collected features (S130); and blocking the SIM box using the generated fingerprint.

The method of generating a fingerprint based on a control plane message of a mobile communication network terminal according to an embodiment can be explained by taking as an example a SIM box blocking device using a fingerprint based on a control plane message of a mobile communication network terminal according to an embodiment.

Figure 3 is a block diagram showing an apparatus for generating a fingerprint based on a control plane message of a mobile communication network terminal according to an embodiment.

Referring to FIG. 3, the control plane message-based fingerprint generation device 300 of a mobile communication network terminal according to an embodiment includes a feature extraction unit 310, a feature collection unit 320, and a feature space reduction unit 330. This can be done. Additionally, depending on the embodiment, it may further include a sim box blocking unit.

In step S110, the feature extractor 310 may extract features from the control plane message transmitted by the terminal to the mobile communication network. The feature extraction unit 310 converts the contents of the control plane message into a key-value expression structure, defines features as keys in the converted key-value expression structure, and creates a list of key values. Based on this, a feature vector is created, and after additional analysis of the feature vector, a fingerprint of the terminal can be constructed. Here, the control plane message includes ATTACH Request and UECapabilityInformation, and features can be extracted for each terminal by repeatedly collecting the control plane message.

In step S120, the feature collection unit 320 may collect features of the terminal by considering settings within the terminal that can be changed by the user.

In step S130, the feature space reduction unit 330 may reduce the feature space using the collected features. That is, the feature space reduction unit 330 can quadratically reduce the number of features. The feature space reduction unit 330 removes features that do not specify a terminal because their values are not constant in the terminal, filters features that have consistent values in all terminals, and, after filtering, applies the remaining features to the terminal's fingerprint configuration. Clusters can be formed that group together features that make the same contribution.

Afterwards, the SIM box blocking unit can block the SIM box using the generated fingerprint.

Below, a method and device for blocking a SIM box using a control plane message-based fingerprint of a mobile communication network terminal according to an embodiment will be described in more detail.

Create a device model fingerprint

One important part of the system is to ensure that the fingerprint generated using features collected from control plane messages is unique for each model. If the device model has a unique fingerprint, embodiments may utilize this fingerprint to replace the International Mobile Equipment Identity (IMEI) reported by the end device, which is easy to spoof.

Here we describe the overall procedure of the fingerprint generation model. First, features that can potentially contribute to the fingerprint construction of each model are extracted from the control plane message. Next, we explain the feature collection procedure that collects the features of each model using settings within the terminal that can be changed by the user. Using the collected features, we perform a semi-automatic pruning procedure that significantly reduces the feature space to a second-order structure (i.e., from a total of 31,001 features to 283 feature clusters).

Embodiments extract features from control plane messages that a mobile device transmits to a mobile communication network during service registration, called the Attach procedure. Specifically, inspired by existing technology (Non-Patent Document 1), it utilizes two messages from the NAS and RRC protocols: ATTACH Request and UECapabilityInformation. These messages include device capabilities, including phone service, data communication service, location location, wireless technology, and transmission method.

The ATTACH Request, the first control plane message delivered from the NAS layer, contains the device's supported functions, including security algorithms, voice codecs, supported networks, and telephony functions. While the information in the ATTACH Request is related to core network-related functions, the UECapabilityInformation, an RRC layer message, allows the eNB to know the wireless access-related functions of the device. For example, such wireless connectivity features include the device's supported radio frequencies, carrier aggregation (CA) settings, wireless resource scheduling functions, etc.

Figure 4 is a diagram for explaining a method of extracting features from a message according to an embodiment.

As shown in Figure 4, for example, the content of the control plane message is converted into a key-value representation structure. In the ATTACH Request message, the name of the information element (IE) and the corresponding data become the key and value, respectively, according to the specific format defined in the NAS specification. Likewise, the UECapabilityInformation message follows ASN.1 format, where the field names are the keys. Because this conversion utilizes the message format directly, some fields (or IEs) in the message may not be assigned values. In this case, manually set the value to "Exist".

In this work, the features in the converted representation are defined as keys. Then, a feature vector is generated based on the key value list. After further analysis of the feature vectors, a fingerprint of the device is constructed. To achieve this, control plane messages (i.e., ATTACH Request and UECapabilityInformation) are repeatedly collected and the above feature extraction procedure is performed for each device.

Existing technology (Non-Patent Document 1) proposes to collect control plane characteristics of each device model using only basic options. However, this embodiment shows that if the end user takes ownership of the mobile device and changes the terminal settings with various options, he or she can have a different fingerprint from the mobile device using the default options. Therefore, feature vectors generated from the same model may differ depending on each user's terminal settings. In fact, you can set the terminal to use a specific radio frequency or set the type of network the terminal will use between 5G and LTE. Additionally, default settings for the same device may also vary depending on which mobile network operator (MNO) each user uses because they vary depending on services (e.g., cell settings) that affect the device's network functionality. This means that the end user's change in terminal settings diversifies the device's feature vector.

To build a fingerprint of a smartphone model, it is necessary to understand and leverage how end-user settings affect the device. If the fingerprint of a smartphone model is constructed considering only the feature vectors generated as the basic options of the terminal, the device arbitrarily set by the user has a modified feature vector even though it is the same model, so the fingerprint does not completely reflect the model. Incorrectly identifying the device model can lead to incorrect results in access control policies. Experiments according to embodiments show that distinguishing device models through fingerprints, ignoring the influence of end-user settings, has significantly lower performance, and in this case, the feature set cannot be called the fingerprint of the device model.

To solve this problem, settings are changed for each device and a feature extraction procedure is performed. Among the various settings, we focus on network-related settings that the end user can modify, since most of the features that distinguish individual device models are related to network functionality.

Table 1 shows options used for feature extraction according to one embodiment.

[Table 1]

Two common ways end users can change device settings are through changes in the Settings tab and in Engineering Mode. First, you can select your preferred wireless technology (e.g., 5G-SA, 5G-NSA, LTE) through the settings tab on both iOS and Android mobile operating systems. Second, tech-savvy users can change the device's settings through Engineering Mode, which offers a variety of additional settings. These options may vary depending on your baseband vendor and smartphone manufacturer. Among them, this covers LTE-related configuration options, namely band selection and service domain selection.

Finally, we collect the model features separately using SIMs issued by three different mobile network operators (MNOs). This is to check whether the control plane messages (and therefore the characteristics used for fingerprinting) change when devices connect to networks under different mobile network operators (MNOs).

After extracting feature vectors from all devices tested with available options, systematic pruning of these features is performed. This is where the work according to the embodiments is most distinguished from the fingerprint work of the existing device model (Non-Patent Document 1). In this work, researchers with background knowledge provide anecdotal evidence with some feature vectors picked from within a small dataset. On the other hand, embodiments systematically build a semi-automatic pruning procedure for a large feature space. Organizing feature vectors systematically is very important for two reasons:

First, not all features in the large feature space are specific to the device model. For example, some features depend on transient session information (e.g., key identifier, sequence number, transaction identifier) and are therefore not suitable for device model identification. Additionally, some contain information about each user (eg, IMSI, TMSI). Also, some are too crude (e.g., all devices share the same features).

Additionally, the features inherent to a device model (and thus useful for fingerprinting) change over time, so pruning must be repeated frequently to reflect changes. For example, it can provide a more detailed device fingerprint as new features emerge each time a new device model is introduced to the market.

However, pruning device fingerprint features is not easy for two reasons: First, there are too many features in modern 4G/5G mobile network control plane channels. The number of features is in the tens of thousands (e.g., 31,001 features in the test), and this number increases over time given the ongoing development of the standard specification. Second, many of those features that are actually useful for device model fingerprinting do not always fit well with the background knowledge of the embodiments, making the pruning process difficult (as well as tedious) even for experts. For example, features often do not follow 3GPP standards due to differences in implementation.

Accordingly, the embodiments present a simple yet highly effective approach for pruning features for device model fingerprints, which can ultimately be used to prevent SIM box fraud in real-world mobile networks.

Figure 5 is a diagram illustrating an outline of a feature pruning procedure according to an embodiment.

Referring to Figure 5, all three steps utilize comparative analysis of feature vectors collected from devices with various options.

At step 510, analysis within the model may be performed. First, we aim to remove features that are not specific to the device model. In particular, in this step, features whose values are not constant within a device model of the same configuration are identified (see T1 in FIG. 3). These inconsistent characteristics should not be used to construct device model fingerprints. For this purpose, comparative analysis is performed on the same device model. Then, these features are confirmed with specifications through a characterization procedure (T1). As a result, such characteristics may be (1) per individual user (e.g., an identifier such as IMSI or TMSI), (2) per session (e.g., MAC, sequence number), (3) detailed radio band information (e.g., band configuration, It can be observed that information,can be classified into (band combinations supported for CA). Additionally, we update T1 by adding features with similar characteristics to those already in T1. Then, manually check these functions by referring to the specifications. For example, in the RRC message, there are some fields that exhibit the same characteristics but have different names (e.g., supportedBandCombination-r10, supportedBandCombination-v1130). As a result, this step significantly reduces the total of 31,001 features to 971 features.

At step 520, a cross-model analysis may be performed. Then, we filter out features that have consistent values across all device models. Similar to step 510, a comparative analysis is performed on various models of devices with various options. Then, features with consistent values are classified as T2 (see Figure 3). After characterizing the features of T2, we further classify them into several types. They can be classified into features that indicate (1) the IE or field name of the message, (2) fields for unused values (e.g., EEA5-7), and (3) outdated algorithms (e.g., AS5/2). In summary, step 520 creates 29 features in T2 and removes them from the feature vector. Removing these features now may be useful for device model fingerprinting later when new device models come to market. Therefore, this pruning must be repeated continuously.

In step 530, clustering may be performed. These features form a cluster that groups features that contribute equally to the construction of the device model fingerprint. That is, device models are classified identically through two features in the same cluster. This clustering procedure not only reduces the feature space, but also helps to better understand and analyze the fingerprint results. The basic idea of clustering is to group features (e.g. A and B) that satisfy the following conditions: If any two devices have the same value for feature A, then their values for feature B are also the same. For all features in the same cluster, the values of these features in the feature vectors of both devices are either completely identical or completely different. Therefore, multiple features within the same cluster can be considered as one feature constituting a fingerprint.

Below is a simple example. If there is a feature indicating the frequency availability of 5G-NSA, other features indicating the encryption and integrity algorithm for the frequency are also present and always have the same value. Automatic clustering features group these features together to help you understand relationships between features that aren't immediately visible when reading a standard document. After this clustering step, the features are finally grouped into 283 clusters.

Finally, through several procedures ranging from feature extraction from control plane messages to feature pruning, embodiments construct a fingerprint as a set containing multiple feature vectors of a given device model. Note that, as previously explained, one device may have multiple feature vectors corresponding to each configured option.

Figure 6 is a flowchart showing a method for preventing SIM box fraud using a control plane message-based fingerprint of a mobile communication network terminal according to an embodiment.

Referring to FIG. 6, a method of preventing SIM box fraud using a control plane message-based fingerprint of a mobile communication network terminal performed by a computer device according to an embodiment includes an access control list (Access Control List) for voice calls in a mobile communication network. , ACL), and the step of providing an access control list (ACL) for a voice call (S210) identifies the authenticity of the International Mobile Equipment Identity (IMEI) of the reported terminal. It may include a step (S211).

In addition, if the authenticity of the International Mobile Equipment Identification Code (IMEI) is not identified, a step (S212) of checking whether the subscribed rate plan of the terminal matches the device type may be further included.

A method of preventing SIM box fraud using a fingerprint based on a control plane message of a mobile communication network terminal according to an embodiment is explained by taking as an example a SIM box fraud prevention system using a fingerprint based on a control plane message of a mobile communication network terminal according to an embodiment. can do.

Figure 7 is a block diagram showing a SIM box fraud prevention system using a control plane message-based fingerprint of a mobile communication network terminal according to an embodiment.

Referring to FIG. 7, a SIM box fraud prevention system using a control plane message-based fingerprint of a mobile communication network terminal according to an embodiment may include an access control list providing unit 710. Here, the access control list providing unit 710 may further include an international mobile device identification code identification unit 711 and a rate plan determination unit 712.

In step S210, the access control list providing unit 710 may provide an access control list (ACL) for voice calls in a mobile communication network.

In step S211, the international mobile device identification code identification unit 711 may identify the authenticity of the reported international mobile device identification code (IMEI) of the terminal.

In step S212, if the authenticity of the international mobile device identification code (IMEI) is not identified, the rate plan determination unit 712 may check whether the subscribed rate plan of the terminal matches the device type.

Below, a method and system for preventing SIM box fraud using a control plane message-based fingerprint of a mobile communication network terminal according to an embodiment will be described in more detail.

SIM box fraud prevention system

Using effective fingerprints collected according to embodiments, a SIM box fraud prevention system is designed. This system is the first of its kind to prevent unauthorized SIM box voice calls on mobile networks (without detecting the fraud once it has started). Below, we propose a strong access control policy for voice call authorization in mobile communication networks, which is used to design a SIM box fraud prevention system. We then describe how the proposed system can be adopted into operational networks.

Embodiments design a SIM box fraud prevention system with a strict access control policy. In particular, embodiments propose an access control list (ACL) for voice calls in mobile communication networks. In our threat model, we only focus on voice calls because they are the main system resource exploited by fraudsters.

For the access control list (ACL), embodiments utilize three different fields that can be obtained for each device connected to the mobile network operator's (MNO) network. (i) Device Reporting International Mobile Equipment Identity (IMEI), (ii) Control Plane Characteristics (or Fingerprint), and (iii) Plan Type. The first two were explained earlier, and the rate plan type refers to the type of service plan that an end user generally selects when purchasing a SIM from a mobile network operator (MNO). For the purposes of access control lists (ACLs) for voice calls, only a rough breakdown of service plans is used. Either a phone plan (allows both voice calls and mobile data) or an IoT plan (allows only mobile data).

Table 2 shows an access control list (ACL) according to one embodiment.

[Table 2]

This is the first access control policy introduced for voice calls in mobile networks using control plane fingerprints. Without control plane fingerprinting, strong access control cannot be applied because International Mobile Equipment Identity (IMEI) can be easily spoofed.

To make the policy in Table 2 easier to understand, it is explained in two steps. Step 1 identifies devices whose International Mobile Equipment Identity (IMEI) value is clearly spoofed or definitely authentic. When the authenticity of the International Mobile Equipment Identity (IMEI) is inconclusive, the device is sent to step 2, where it is checked whether the type of subscribed plan matches the device type.

The primary goal of Stage 1 is to conclude the authenticity (i.e., authenticity, tampering, or indeterminacy) of the International Mobile Equipment Identity (IMEI) of the reported device. The system closes the case in step 1 if it concludes that the reported International Mobile Equipment Identity (IMEI) is authentic or tampered with (e.g., cases 1-8 in Table 2). If authenticity cannot be determined due to lack of evidence of control plane characteristics, further investigation is performed in step 2 (e.g., cases 9-12 in Table 2).

Stage 1 utilizes the first two fields reported: the International Mobile Equipment Identity (IMEI) and the control plane fingerprint. Compare device model information inferred from control plane characteristics with the model specified in the reported International Mobile Equipment Identity (IMEI). For this purpose, the collected control plane features and fingerprint database are used. If each device model has a unique fingerprint, if the collected control plane features match one of the smartphone model's fingerprints, it can be concluded that the device is a specific smartphone. It is then compared to the device model specified in the IMEI to conclude the reliability of the reported IMEI. Cases 1-8 in Table 2 are cases where the authenticity of the International Mobile Equipment Identity (IMEI) is concluded in step 1 of the Access Control List (ACL).

i) If the device model specified in the reported International Mobile Equipment Identity (IMEI) exists (registered on the network) and this model matches the model identified by the fingerprint generated by the control plane features, it is considered a non-fraud case. (Cases 1 and 6).

ii) If the device model specified in the reported International Mobile Equipment Identity (IMEI) exists but does not match the model identified by the fingerprint generated by the control plane features, this is considered a case of fraud (Cases 2-5, 7 ).

iii) If the model identified by the fingerprint generated by the control plane features is different from the model specified in the International Mobile Equipment Identity (IMEI), this is considered a case of fraud (Case 8).

When the model can be identified by the smartphone's International Mobile Equipment Identity (IMEI) or a fingerprint generated by the control plane features, step 1 ensures that there are no false positives (Cases 1-5, 8). This is because fingerprints according to embodiments can capture all possible variant fingerprints of existing smartphone models.

However, some false negatives may occur in cases that are not stage 1 fraud (Case 6 in Table 2). For example, even though the model specified in the reported International Mobile Equipment Identity (IMEI) and the fingerprint generated by the control plane features both represent the same IoT device, an attacker can impersonate that device with the same fingerprint as the registered device. False negatives may occur when using a SIM box that However, this does not significantly reduce the SIM box fraud prevention effectiveness according to embodiments. This means that in order to exploit this niche false negative case, an attacker would either happen to have an IoT device that shares a fingerprint with the SIM box, or would have to directly modify the IoT device to have the same fingerprint as the SIM box, and would also need to obtain a copy of the IoT device registered on the network. This is because you need to know the exact International Mobile Equipment Identity (IMEI). Embodiments show that manipulating control plane features is non-trivial and expensive. We also believe that common IoT devices can be easily distinguished using CDR or usage pattern analysis, and that fraudsters can be easily detected using an International Mobile Equipment Identity (IMEI) duplicate check policy based on registration/subscription information.

Phase 2 addresses devices for which the authenticity of the reported International Mobile Equipment Identity (IMEI) has not been determined. Since the possibility of SIM box usage cannot be completely ruled out in these cases, we rely on some new operational access control policy rules that we argue should be deployed in each mobile network operator (MNO) to better handle SIM boxes. Specifically, operational access control list (ACL) rules examine subscription plans along with International Mobile Equipment Identity (IMEI) and control plane characteristics to identify unauthorized access to the system (see examples 9-12 in Table 2). . In other words, we use a rough classification of phone and IoT plans.

Here, we expect mobile network operators (MNOs) to adopt a simple operational policy: “Telephone plans should not be accepted for unregistered IoT devices.” This forces virtually all legitimate, authenticated SIM box applications to register with a mobile network operator (MNO) (e.g., T-Mobile's BYOD) to be able to have voice call connectivity.

With this operational policy, Phase 2 concludes with acceptance of devices with the following two criteria (Cases 9-12 in Table 2):

1. If the identified device is considered an IoT device and subscribes to an IoT rate plan, access to the device is permitted (Cases 10 and 12).

2. If the identified device is considered an IoT device and subscribed to a cell phone plan, their access is denied (Cases 9 and 11).

The ultimate goal of the embodiments is not only to propose a high-level concept of a SIM box fraud prevention system, but also to present specific methods for use in commercial networks.

Communication between the eNB and the Mobility Management Entity (MME) is required. There is one immediate problem that may arise when deploying the proposed system in a large-scale operational LTE network. Systems according to embodiments utilize control plane messages in two different control plane protocols (i.e., NAS and RRC), and each protocol is managed by a different entity (i.e., MME and eNB). Therefore, each entity with a different role has limited access to a different set of information about control plane messages. For example, the eNB cannot monitor NAS messages and the Mobility Management Entity (MME) cannot see RRC messages.

This limited access to control plane messages requires some communication channel (or control messages) between the eNB and the mobility management entity (MME). Considering the large number of eNBs in the operational network under a single mobility management entity (MME), establishing new communication channels can incur significant overhead if they need to be added to the current system.

Fortunately, channels already exist between the eNB and the mobility management entity (MME), and more importantly, they are used to exchange many of the control plane messages needed for fingerprinting. According to the standard specification, the eNB forwards the corresponding information of the device to the Mobility Management Entity (MME) whenever 1) it receives a UECapabilityInformation message from the device, or 2) it receives a request from the Mobility Management Entity (MME). For this purpose, the UE Capability Info Indication message of S1AP, a control plane protocol between eNB and mobility management entity (MME), is used. Accordingly, the sensing system according to embodiments does not require additional channels to the operating network and new message formats to new standards. Instead, all the information needed to generate feature vectors is achieved by communicating only with the mobility management entity (MME). Therefore, the proposed system can be deployed in operational networks with additional implementation only in mobility management entities (MMEs).

In this way, embodiments generate fingerprints for each baseband using differences in control plane message content that occur due to differences in implementation for each baseband within the terminal and differences in terminal specifications such as available wireless technology. do. Embodiments propose an access control policy based on a fingerprint generated based on messages sent and received when a terminal connects to a mobile communication network, device information obtained from the International Mobile Equipment Identification Code (IMEI), and subscription plan information. do. Accordingly, through the proposed access control policy, it is determined whether the international mobile device identification code (IMEI) has been illegally changed or whether the terminal is mainly used for voice phishing, and the illegal terminals are blocked from accessing the mobile communication network.

Below, we describe a technology for verifying IMEI based on the contents of control plane messages exchanged when a terminal in a mobile communication network connects to a commercial network.

In order to verify the IMEI verification and unauthenticated terminal detection technology according to one embodiment, 80 commercial terminals (smart phones) were used and it was confirmed that each terminal had a different fingerprint. Here, some terminals have the same fingerprint. In addition, the terminals used for verification were terminals with 7 types of terminal manufacturers and 5 types of basebands, and it was confirmed that they could be distinguished by each terminal/terminal manufacturer/baseband manufacturer. Through this, it was confirmed that even if the IMEI was altered, it was possible to verify whether the terminal reported a valid IMEI to the mobile communication network by checking the control plane messages exchanged with the network. This function blocks abnormal access by unauthenticated terminals. It is possible to use.

Furthermore, the IMEI verification and unauthenticated terminal detection technology according to the proposed embodiment can be applied to the following two scenarios.

The first is IMEI verification to prevent access to stolen devices. When an attacker acquires a stolen terminal and attempts to access the network by changing the terminal's IMEI, the terminal's IMEI is verified to detect whether the terminal is using a forged/altered IMEI. Through this, it contributes to recovering stolen terminals by preventing the terminal from accessing the network or tracking the connection. In fact, it is not difficult to modify the IMEI of a terminal, and it can be easily done through many existing publicly available software. However, in order to avoid the proposed technology, 1) modification of the control plane message and 2) modification of the baseband operation logic are required to ensure that the processing of the control plane message transmitted from the network is the same as that of the terminal corresponding to the IMEI. This has the effect of making IMEI forgery/falsification attacks difficult by increasing the difficulty and cost of the attack for the attacker.

Second, it detects and blocks attempts by unauthenticated terminals to access the network. SIMBOX is a device widely used in voice phishing, which has become an issue by using fingerprints in the baseband. It is a device that provides a VoIP gateway function that changes Internet calls into calls through a cellular network. The SIM box has a baseband like other terminals, so when it connects to a mobile communication network, the network recognizes it as a normal terminal. However, connecting the equipment to a mobile communication network and providing normal services exposes customers to the threat of voice phishing and is a major problem that leads to a decrease in profits for mobile communication companies. The technology proposed in the present invention can be used to build a system that searches for such equipment and blocks access to the network. By establishing a fingerprint of the baseband used by the SIM box, you can check whether the device you are trying to connect to is a SIM box through the IMEI verification technology according to the above embodiment, even if the SIM box attempts to connect by modifying the IMEI. A fingerprint is created based on the control plane messages exchanged, and through comparison with information in an existing database, it is possible to check whether the IMEI has been forged or altered and identify the device. Through this, it is possible to block unauthenticated terminals from accessing the mobile communication network and provide additional management.

In a terminal detection method for verifying IMEI (International Mobile Equipment Identity, terminal unique identification number) and detecting an unauthenticated terminal using a control plane message according to an embodiment, the control plane generated in the process of the terminal connecting to a commercial network Building a fingerprint database for each terminal using the contents of the message and responses to the control plane message and verifying the IMEI of any terminal connecting to the commercial network using the fingerprint database. Includes.

The step of constructing the fingerprint database is based on the contents of the passive message generated in the process of the terminal connecting to the commercial network and the response of the active probing message delivered to the terminal by the commercial network. The fingerprint database can be constructed separately.

The step of building the fingerprint database collects and records control plane messages transmitted from different types of terminals to the base station, and uses decision tree and machine learning technology based on the collected information. In this way, the fingerprint database can be constructed.

In the step of building the fingerprint database, the decision tree is created based on the contents of the passive message, which is a control plane message delivered to the base station when the terminal connects to a commercial network, and used to create the decision tree. The fingerprint database can be created by obtaining the baseband manufacturer of each terminal.

The step of building the fingerprint database is to create the decision tree based on the response difference of the Active Probing message, which is a control plane message that the base station transmits to the network to find out the response of the terminal, and use this. Thus, the fingerprint database can be created.

In the step of verifying the IMEI, a fingerprint corresponding to the arbitrary terminal may be extracted.

In the step of verifying the IMEI, the IMEI can be verified by comparing the extracted fingerprint with a fingerprint corresponding to the IMEI for the arbitrary terminal in the fingerprint database to determine whether there is a match.

Verifying the IMEI includes receiving a control plane message generated when the arbitrary terminal connects to a commercial network, extracting a fingerprint of the arbitrary terminal based on the received control plane message, and Confirming the IMEI of the terminal, confirming the model of the arbitrary terminal from the fingerprint database, and obtaining a fingerprint of the corresponding model, comparing the obtained fingerprint with the fingerprint extracted for the arbitrary terminal. It may include verifying the IMEI of the arbitrary terminal and detecting whether it is an unauthenticated terminal according to the step and comparison result.

The step of verifying the IMEI and detecting whether the terminal is not authenticated includes detecting that the arbitrary terminal is a properly authenticated terminal whose IMEI has not been altered if the obtained fingerprint matches the fingerprint extracted for the arbitrary terminal; , if the acquired fingerprint and the fingerprint extracted for the arbitrary terminal do not match, it can be detected that the arbitrary terminal has an unauthenticated and altered IMEI.

In the terminal detection method for verifying IMEI (International Mobile Equipment Identity, terminal unique identification number) and detecting unauthenticated terminals using a control plane message according to another embodiment of the present invention, the occurrence occurs in the process of the terminal connecting to a commercial network. Building a fingerprint database for each terminal using the contents of the control plane message and the response to the control plane message, extracting a fingerprint corresponding to the IMEI of any terminal connecting to the commercial network, and Comparing the extracted fingerprint with the fingerprint database to verify the IMEI of the arbitrary terminal and detecting whether it is an unauthenticated terminal.

In the step of extracting the fingerprint, a control plane message generated when the arbitrary terminal connects to a commercial network may be received, and the fingerprint of the arbitrary terminal may be extracted based on the received control plane message.

The step of verifying the IMEI and detecting whether it is an unauthenticated terminal includes confirming the IMEI of the arbitrary terminal, confirming the model of the arbitrary terminal from the fingerprint database, obtaining a fingerprint of the corresponding model, and By comparing the print with the fingerprint extracted for the arbitrary terminal, the IMEI of the arbitrary terminal can be verified and whether it is an unauthenticated terminal can be detected.

In a terminal detection system that verifies IMEI (International Mobile Equipment Identity, terminal unique identification number) and detects unauthenticated terminals using a control plane message according to an embodiment, the control plane generated in the process of the terminal connecting to a commercial network A data construction unit that builds a fingerprint database for each terminal using the contents of the message and responses to the control plane message, and a data construction unit that verifies the IMEI of any terminal connecting to the commercial network using the fingerprint database. Includes a verification unit.

The data construction unit creates the fingerprint database for each terminal based on the contents of the passive message generated in the process of the terminal connecting to the commercial network and the response of the active probing message delivered to the terminal by the commercial network. can be built.

The data construction unit collects and records control plane messages transmitted from different types of terminals to the base station, and uses decision tree and machine learning technology based on the collected information to create the fingerprint database. can be built.

The data construction unit generates the decision tree based on the contents of a passive message, which is a control plane message delivered to the base station when the terminal connects to a commercial network, and uses this to determine the baseband of each terminal. (baseband) The fingerprint database can be created by obtaining the manufacturer.

The data construction unit generates the decision tree based on the response difference of the active probing message, which is a control plane message that the base station transmits to the network to determine the response of the terminal, and uses this to create the fingerprint database. can be created.

The verification unit extracts a fingerprint corresponding to the arbitrary terminal, compares the extracted fingerprint with a fingerprint corresponding to the IMEI for the arbitrary terminal in the fingerprint database, and determines whether or not the IMEI is matched. can be verified.

The verification unit receives a control plane message generated when the arbitrary terminal connects to a commercial network, extracts the fingerprint of the arbitrary terminal based on the received control plane message, and verifies the IMEI of the arbitrary terminal. Obtain a fingerprint for the model of the arbitrary terminal from the fingerprint database, and compare the obtained fingerprint with the fingerprint extracted for the arbitrary terminal to verify the IMEI of the arbitrary terminal and unauthenticated terminal. You can verify whether or not.

If the obtained fingerprint matches the fingerprint extracted for the arbitrary terminal, the verification unit detects that the arbitrary terminal is a properly authenticated terminal whose IMEI has not been altered, and detects the acquired fingerprint and the arbitrary terminal. If the fingerprint extracted for the terminal does not match, it can be detected that the random terminal is an unauthenticated, altered IMEI.

Hereinafter, the present invention will be described in more detail with reference to FIGS. 8 to 13.

Figure 8 shows an operation flowchart of a method for verifying IMEI and detecting an unauthenticated terminal according to an embodiment. Additionally, Figure 9 shows an example of using a decision tree according to an embodiment, and Figure 10 shows an example of a decision tree that classifies baseband manufacturers according to an active probing message and its response according to an embodiment. .

The IMEI verification and unauthenticated terminal detection technology according to one embodiment largely consists of two steps. The first step (step S310) is a fingerprint database construction process, based on the contents of the control plane message generated in the process of connecting to the commercial network for each terminal and the response when a probing message is sent from the network. Create a fingerprint database. Thereafter, in the second step (step S320), the IMEI is verified by comparing the fingerprint corresponding to the IMEI of the connected terminal in the previously constructed fingerprint database to check for a match.

To explain the above in more detail with reference to FIG. 8, in step S310, a fingerprint database (fingerprint database) is created for each terminal using the contents of the control plane message generated during the terminal's access to the commercial network and the response to the control plane message Build a Fingerprint Database).

Step S310 builds a fingerprint database for each terminal based on the contents of the passive message generated in the process of the terminal connecting to the commercial network and the response of the active probing message delivered to the terminal by the commercial network. can do.

In the present invention, a control plane message is used to obtain terminal information. Specifically, the present invention does not use the IMEI value in the control plane message, but generates a fingerprint for each terminal according to the contents of the control plane message that vary depending on the terminal model and the processing results of the control plane message, and based on this, Find out terminal information.

LTE's control plane protocols, RRC and NAS, are implemented according to the standards defined by 3GPP, and all manufacturers implement control plane protocols within the baseband according to the standards. However, the standard only defines basic operations and the purpose of each control plane message, and does not define any other exception situations, so there is a degree of freedom in the implementation process. Therefore, although there is one standard, the content of the control plane message may vary depending on the terminal's baseband implementation, hardware specifications of the terminal, or supportable technology, and even for the same control plane message, each baseband may differ differently. Process and respond.

The fingerprint proposed in the terminal detection technology according to one embodiment is generated by utilizing the differences for each terminal. In order to create such a fingerprint, it is necessary to understand what content in the control plane messages exchanged with the mobile communication network varies from terminal to terminal during the terminal's connection to the network, and how the processing results differ depending on the message sent by the network. To this end, step S310 of the present invention first collects and records control plane messages sent by different types of terminals to build a fingerprint database. Afterwards, based on the collected information, it is found which specific pieces of information serve as criteria for classifying the terminal. To find these criteria, step S310 uses decision tree and machine learning technology. Additionally, the criteria for classifying terminals can be terminal model, terminal manufacturer (Samsung, LG, APPLE, Huawei, etc.), and terminal baseband manufacturer (Qualcomm, Samsung, Intel, etc.).

At this time, the control plane message can be divided into a control plane message sent to the base station and EPC during the terminal's access to the mobile communication network and a response to the control plane message sent by the base station to the terminal. In the present invention, the control plane messages that the terminal transmits to the base station in the process of connecting to the mobile communication network are called 'passive messages', and the control plane messages that the base station sends to the network to find out the response of the terminal are called 'active probing ( It is called an ‘Active probing’ message.

Accordingly, step S310 of FIG. 8 collects and records control plane messages transmitted from different types of terminals to the base station, and uses decision tree and machine learning technology based on the collected information. Build a fingerprint database.

Here, step S310 generates a decision tree based on the contents of the passive message, which is a control plane message delivered to the base station during the terminal's access to the commercial network, and uses this to determine the baseband of each terminal. (baseband) You can create a fingerprint database by obtaining the manufacturer.

Referring to FIG. 9, the process of creating a fingerprint based on the contents of passive messages is described. Among the contents of fingerprint construction, noteworthy things are the RRC UEcapabilityInformation and the NAS Attack request message. UE Capability refers to the functions supported by the terminal. This includes whether encryption and integrity algorithms are supported. This information is different for each terminal and for each chipset manufacturer, so it is a good indicator for distinguishing between terminals. Therefore, among the contents of passive messages, RRC UEcapabilityInformation and NAS Attack request message are used to build a fingerprint database. Figure 9 is an experiment result showing that a decision tree can be created based on the contents of these control plane messages and the baseband manufacturer of each terminal can be found through this. Additionally, the generated decision tree can be classified according to the model of the terminal device.

In addition, step S310 generates a decision tree based on the response difference of the active probing message, which is a control plane message that the base station transmits to the terminal to find out the response of the terminal, and uses this to create a fingerprint database. can be created.

Referring to FIG. 10, the process of generating a decision tree based on the active probing message is described. The active probing message represents an RRC/NAS message that the base station or EPC sends to the terminal to find out the terminal's response. Messages to be used to build a database can be selected based on the following criteria.

a) When a control plane message is sent, the operation of the terminal is not defined in the standard.

b) When a control plane message is sent, the operation between terminals shows differences.

If the operation of a terminal is defined in a standard, terminals that do not follow this soon have vulnerabilities. Therefore, there will be no difference in terminal implementation for these messages. Therefore, in order to distinguish them based on differences in responses from the terminal, messages whose operations are not defined in the standard must be used. Figure 10 shows the results of configuring these active probing messages into NAS messages and generating a decision tree based on the differences in the responses.

Referring again to FIG. 8, in step S320 of the terminal detection method according to one embodiment, the IMEI of any terminal connecting to the commercial network is verified using the fingerprint database.

The terminal detection method according to one embodiment applies the constructed fingerprint database to the mobile communication network, and then detects the contents of the control plane message exchanged with the mobile communication network by the terminal (hereinafter referred to as 'random terminal') that wants to access the mobile communication network. And a fingerprint is generated based on the response of the active probing message, and a match is checked by comparing it with the fingerprint corresponding to the IMEI of any terminal in the previously constructed fingerprint database. Through this, the IMEI can be verified by checking whether the IMEI reported by any terminal trying to connect matches the characteristics shown by the actual IMEI of the terminal. According to the above description, step S320 extracts a fingerprint corresponding to an arbitrary terminal to be connected, and compares the extracted fingerprint with a fingerprint corresponding to the IMEI for an arbitrary terminal in the fingerprint database. You can verify the IMEI by checking whether it matches.

More specifically, step S320 is a first step of receiving a control plane message generated when a certain terminal connects to a commercial network, a second step of extracting a fingerprint of a certain terminal based on the received control plane message, and a random The third step is to check the IMEI of the terminal, confirm the model of any terminal from the fingerprint database, and obtain the fingerprint of the corresponding model, and compare the obtained fingerprint with the fingerprint extracted for any terminal. It may include step 4, and a fifth step of verifying the IMEI of any terminal and detecting whether it is an unauthenticated terminal according to the comparison result.

Here, the fifth step is to detect that the arbitrary terminal is a legitimately authenticated terminal whose IMEI has not been altered if the obtained fingerprint matches the fingerprint extracted for the arbitrary terminal, and If the extracted fingerprints do not match, it can be detected that a random terminal has a modified IMEI that has not been authenticated. The IMEI verification process for any terminal described above will be described in more detail with reference to FIG. 12 below.

Figure 11 schematically illustrates the process of extracting fingerprints for each terminal and building a database according to an embodiment, and Figure 12 schematically illustrates the IMEI verification process for an arbitrary terminal according to an embodiment.

The IMEI verification and unauthenticated terminal detection technology according to one embodiment is largely composed of two steps. The first step is to check the messages sent by various types of UEs (terminals) to the eNB (base station) in the EPC (core network) and then collect them to build a 'Fingerprint Database'. At this time, the fingerprint database refers to a database that collects message responses according to the type of each terminal and creates a fingerprint for each type with the appropriate ones. The second step is to verify the IMEI using the fingerprint database when a random terminal connects to a commercial network after configuring the entire fingerprint database.

Referring to FIG. 11, the process of configuring a fingerprint database is schematized. First (①) shows the process of exchanging messages between a terminal and a base station. This includes both the message the terminal sends to the base station in the process of accessing the network and the response to the message sent by the base station to the terminal. At the same time, messages delivered to the core network are also delivered to the fingerprint database. Afterwards, in the fingerprint database, a fingerprint is created (③) and stored through a passive/active probing method based on the collected control plane messages (②).

Referring to FIG. 12, the process of verifying the IMEI when a random terminal connects to a commercial network using a fingerprint database is explained as follows.

(1), (2) The base station 1202 and the core network 1203 transmit a message generated when the terminal 1201 connects to the base station to a commercial network to the IMEI verification system 1300.

(3) A fingerprint database (1211) is constructed by extracting the fingerprint of the terminal attempting to connect based on the delivered control plane messages.

(4) Check the IMEI reported by the terminal attempting to connect, retrieve information from the IMEI database (IMEI Database, 1212) held by the mobile communication service provider, check the model of any connected terminal, and find the finger of the corresponding model. Get a print.

(5) Compare the generated fingerprint with the fingerprint corresponding to the IMEI reported by the terminal in the database. If they match, any terminal attempting to connect has reported an unmodified IMEI, so it is determined that it is a properly authenticated terminal. Conversely, if they do not match, it is determined that the terminal is not certified and the IMEI has been altered.

Figure 13 is a block diagram showing the detailed configuration of an IMEI verification and unauthenticated terminal detection system according to an embodiment.

A terminal detection system according to an embodiment verifies the IMEI based on the contents of control plane messages exchanged when a terminal in a mobile communication network connects to a commercial network.

To this end, the terminal detection system 1300 according to an embodiment includes a data construction unit 1310 and a verification unit 1320.

Referring to FIG. 13, the data construction unit 1310 builds a fingerprint database for each terminal using the contents of the control plane message generated in the process of the terminal connecting to the commercial network and the response to the control plane message. do.

The data construction unit 1310 creates a finger for each terminal based on the contents of the passive message generated in the process of the terminal connecting to the commercial network and the response of the active probing message delivered to the terminal by the commercial network. A print database can be built.

That is, the data construction unit 1310 collects and records control plane messages transmitted from different types of terminals to the base station, and uses decision tree and machine learning technology based on the collected information. Build a fingerprint database.

Here, the data construction unit 1310 generates a decision tree based on the contents of a passive message, which is a control plane message delivered to the base station when the terminal connects to a commercial network, and uses this to determine each A fingerprint database can be created by obtaining the baseband manufacturer of the terminals.

In addition, the data construction unit 1310 creates a decision tree based on the response difference of the active probing message, which is a control plane message that the base station transmits to the network to find out the response of the terminal, and uses this to create a decision tree. A fingerprint database can be created.

The verification unit 1320 verifies the IMEI of any terminal connecting to a commercial network using a fingerprint database.

The verification unit 1320 extracts a fingerprint corresponding to any terminal to be connected, compares the extracted fingerprint with the fingerprint corresponding to the IMEI for any terminal in the fingerprint database, and determines whether there is a match. You can verify the IMEI through .

More specifically, the verification unit 1320 performs a first step of receiving a control plane message generated when a certain terminal accesses a commercial network, and a second step of extracting a fingerprint of a certain terminal based on the received control plane message. Step, check the IMEI of any terminal, check the model of any terminal from the fingerprint database, and obtain the fingerprint of the corresponding model. Third step, obtain the obtained fingerprint and the fingerprint extracted for the arbitrary terminal. It may include a fourth step of comparison, and a fifth step of verifying the IMEI of any terminal and detecting whether it is an unauthenticated terminal according to the comparison result.

Here, in the fifth step, the verification unit 1320 detects that the arbitrary terminal is a legitimately authenticated terminal whose IMEI has not been altered if the acquired fingerprint matches the fingerprint extracted for any terminal, and the obtained fingerprint If the print and the fingerprint extracted for a random terminal do not match, it can be detected that the random terminal has a modified IMEI that has not been authenticated.

Although the description is omitted in the system of FIG. 13, each constituent means constituting FIG. 13 may include all the contents described in FIGS. 8 to 12, and this is obvious to those skilled in the art.

The device described above may be implemented with hardware components, software components, and/or a combination of hardware components and software components. For example, devices and components described in embodiments may include, for example, a processor, a controller, an arithmetic logic unit (ALU), a digital signal processor, a microcomputer, a field programmable array (FPA), It may be implemented using one or more general-purpose or special-purpose computers, such as a programmable logic unit (PLU), microprocessor, or any other device capable of executing and responding to instructions. A processing device may execute an operating system (OS) and one or more software applications that run on the operating system. Additionally, a processing device may access, store, manipulate, process, and generate data in response to the execution of software. For ease of understanding, a single processing device may be described as being used; however, those skilled in the art will understand that a processing device includes multiple processing elements and/or multiple types of processing elements. It can be seen that it may include. For example, a processing device may include multiple processors or one processor and one controller. Additionally, other processing configurations, such as parallel processors, are possible.

Software may include a computer program, code, instructions, or a combination of one or more of these, which may configure a processing unit to operate as desired, or may be processed independently or collectively. You can command the device. Software and/or data may be used on any type of machine, component, physical device, virtual equipment, computer storage medium or device to be interpreted by or to provide instructions or data to a processing device. It can be embodied in . Software may be distributed over networked computer systems and stored or executed in a distributed manner. Software and data may be stored on one or more computer-readable recording media.

The method according to the embodiment may be implemented in the form of program instructions that can be executed through various computer means and recorded on a computer-readable medium. The computer-readable medium may include program instructions, data files, data structures, etc., singly or in combination. Program instructions recorded on the medium may be specially designed and configured for the embodiment or may be known and available to those skilled in the art of computer software. Examples of computer-readable recording media include magnetic media such as hard disks, floppy disks, and magnetic tapes, optical media such as CD-ROMs and DVDs, and magnetic media such as floptical disks. -Includes optical media (magneto-optical media) and hardware devices specifically configured to store and execute program instructions, such as ROM, RAM, flash memory, etc. Examples of program instructions include machine language code, such as that produced by a compiler, as well as high-level language code that can be executed by a computer using an interpreter, etc.

As described above, although the embodiments have been described with limited examples and drawings, various modifications and variations can be made by those skilled in the art from the above description. For example, the described techniques are performed in a different order than the described method, and/or components of the described system, structure, device, circuit, etc. are combined or combined in a different form than the described method, or other components are used. Alternatively, appropriate results may be achieved even if substituted or substituted by an equivalent.

Therefore, other implementations, other embodiments, and equivalents of the claims also fall within the scope of the claims described below.

Claims (10)

In the SIM box blocking method using a control plane message-based fingerprint of a mobile communication network terminal performed by a computer device,
Extracting features from a control plane message transmitted by the terminal to a mobile communication network;
Collecting terminal characteristics considering settings within the terminal that can be changed by the user;
Reducing the feature space using the collected features; and
Steps to block the SIM box using the generated fingerprint
Including, sim box blocking method. According to paragraph 1,
The step of extracting features from the control plane message is:
converting the content of the control plane message into a key-value representation structure;
defining features as keys in the converted key-value expression structure and generating a feature vector based on the key value list; and
After additional analysis of the feature vector, constructing a fingerprint of the terminal.
Including, sim box blocking method. According to paragraph 1,
The control plane message is,
Includes ATTACH Request and UECapabilityInformation, and repeatedly collects the control plane messages and extracts features for each terminal.
A method of blocking a sim box, characterized by: According to paragraph 1,
The step of reducing the feature space is,
removing features whose values are not constant among the features appearing in the terminal;
Filtering features with consistent values in all terminals; and
After filtering, forming a cluster that groups features that contribute equally to the fingerprint configuration of the terminal for the remaining features.
Including, sim box blocking method. In the SIM box blocking device using a control plane message-based fingerprint of a mobile communication network terminal,
a feature extraction unit that extracts features from a control plane message transmitted by the terminal to a mobile communication network;
a feature collection unit that collects terminal characteristics considering settings within the terminal that can be changed by the user;
a feature space reduction unit that reduces the feature space using the collected features; and
SIM box blocker using the generated fingerprint
A simbox blocking device comprising: According to clause 5,
The feature extraction unit,
Convert the content of the control plane message into a key-value expression structure, define features as keys in the converted key-value expression structure, and create a feature vector based on the key value list. Generating, and after additional analysis of the feature vector, constructing a fingerprint of the terminal.
Characterized by a sim box blocking device. According to clause 5,
The control plane message is,
Includes ATTACH Request and UECapabilityInformation, and repeatedly collects the control plane messages and extracts features for each terminal.
Characterized by a sim box blocking device. According to clause 5,
The feature space reduction unit,
Among the features appearing in the terminal, features with inconsistent values are removed, features with consistent values in all terminals are filtered, and after filtering, the remaining features are grouped together with features that contribute equally to the fingerprint configuration of the terminal. forming
Characterized by a sim box blocking device. In a method for preventing SIM box fraud using a control plane message-based fingerprint of a mobile communication network terminal performed by a computer device,
Step of providing an access control list (ACL) for voice calls in a mobile communication network
Including,
The step of providing an access control list (ACL) for the voice call,
Identifying the authenticity of the International Mobile Equipment Identity (IMEI) of the reported terminal
How to prevent simbox fraud, including. According to clause 9,
If the authenticity of the International Mobile Equipment Identification Code (IMEI) is not identified, checking whether the subscribed rate plan of the terminal matches the device type.
Method for preventing simbox fraud, further comprising:

Images