WO2006104752A1 - Methods and devices for defending a 3g wireless network against a signaling attack - Google Patents

Methods and devices for defending a 3g wireless network against a signaling attack Download PDF

Info

Publication number
WO2006104752A1
WO2006104752A1 PCT/US2006/010108 US2006010108W WO2006104752A1 WO 2006104752 A1 WO2006104752 A1 WO 2006104752A1 US 2006010108 W US2006010108 W US 2006010108W WO 2006104752 A1 WO2006104752 A1 WO 2006104752A1
Authority
WO
WIPO (PCT)
Prior art keywords
mobile
attack
signaling
traffic
wireless network
Prior art date
Application number
PCT/US2006/010108
Other languages
French (fr)
Inventor
Tian Bu
Samphel Norden
Thomas Y. Woo
Original Assignee
Lucent Technologies Inc.
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Lucent Technologies Inc. filed Critical Lucent Technologies Inc.
Priority to KR1020127019442A priority Critical patent/KR101259775B1/en
Priority to EP06739051A priority patent/EP1864471B1/en
Priority to KR1020077022059A priority patent/KR101235099B1/en
Priority to JP2008504141A priority patent/JP4994359B2/en
Publication of WO2006104752A1 publication Critical patent/WO2006104752A1/en

Links

Classifications

    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/14Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1408Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
    • H04L63/1416Event detection, e.g. attack signature detection
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/14Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1441Countermeasures against malicious traffic
    • H04L63/1458Denial of Service
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04WWIRELESS COMMUNICATION NETWORKS
    • H04W12/00Security arrangements; Authentication; Protecting privacy or anonymity
    • H04W12/12Detection or prevention of fraud
    • H04W12/121Wireless intrusion detection systems [WIDS]; Wireless intrusion prevention systems [WIPS]
    • H04W12/122Counter-measures against attacks; Protection against rogue devices
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04WWIRELESS COMMUNICATION NETWORKS
    • H04W12/00Security arrangements; Authentication; Protecting privacy or anonymity
    • H04W12/12Detection or prevention of fraud
    • H04W12/126Anti-theft arrangements, e.g. protection against subscriber identity module [SIM] cloning
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04WWIRELESS COMMUNICATION NETWORKS
    • H04W24/00Supervisory, monitoring or testing arrangements
    • H04W24/08Testing, supervising or monitoring using real traffic
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04WWIRELESS COMMUNICATION NETWORKS
    • H04W84/00Network topologies
    • H04W84/02Hierarchically pre-organised networks, e.g. paging networks, cellular networks, WLAN [Wireless Local Area Network] or WLL [Wireless Local Loop]
    • H04W84/04Large scale networks; Deep hierarchical networks
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04WWIRELESS COMMUNICATION NETWORKS
    • H04W24/00Supervisory, monitoring or testing arrangements

Definitions

  • DoS Denial of Service
  • DoS attacks typically involve sending a large volume of traffic to a node that exceeds its processing capability, in effect knocking the afflicted node out of the network for the duration of the attack.
  • a more sophisticated attack is a Distributed DoS attack (DDoS).
  • DDoS Distributed DoS attack
  • An attacker intending to launch a DDoS attack begins by subverting a number of nodes, using well-known security loopholes. These compromised nodes essentially become slaves of the attacker and act as launch points to inject traffic into the network. By summoning a reasonable number of compromised nodes, an attacker can potentially launch a large-scale, network wide attack by cascading the traffic from multiple launch points.
  • firewalls (Cisco's PIX router, Netscreen, Checkpoint's Firewall- 1 are some examples), router modifications to support pushback, traceback mechanisms that attempt to detect the source of the attack, and related intrusion detection mechanisms that look for anomalies or signatures in arriving traffic.
  • Some of these approaches require significant changes to existing network elements, and are costly to deploy, while others require collaboration across ISPs, and thus may be impractical. Nonetheless, these schemes do reduce the threat of wireline DoS attacks. For example, most firewalls do not allow connections to be initiated from outside, thus preventing DoS flooding attacks.
  • Wireless networks are significantly more fragile than wireline networks. There are several vulnerabilities in wireless networks that can be exploited by novel DoS attacks:
  • a typical 3GIx or UMTS network has several infrastructure elements that perform a host of functions such as power control, resource allocation, paging, etc.
  • a radio network controller (RNC) and base stations are involved in these activities for each mobile. With fast handoff, the overhead required by these devices is tremendous. Furthermore, such devices are typically engineered to handle a load with a certain number of users being simultaneously active. Overload, therefore, is a significant concern for any wireless infrastructure.
  • Another by-product of a wireless attack is that once the attack reaches a mobile it is too late.
  • a wireline DoS attack it takes a certain amount of time for a server to be disabled because such machines have a larger processing capacity than a wireless endpoint (mobile).
  • a mobile has limited processing and battery lifetime.
  • a wireless link is severely bandwidth- constrained when compared to a wireline network. If the traffic from an attack reaches a mobile, the attack has already succeeded in wasting critical resources of the wireless link, the wireless infrastructure, and the battery power of the mobile. This is in contrast to typical wireline DoS attacks that must overload processing resources at a server in order to succeed.
  • FIG. 1 depicts an example of a UMTS wireless network architecture.
  • FIG. 2 depicts an example of a message flow associated with the UMTS wireless network of FIG. 1.
  • FIGs. 3a and 3b depict exemplary simulations of a possible impact of a signaling attack.
  • FIG. 4 depicts exemplary steps in setting up a fundamental channel in a 3GIx wireless network.
  • FIG. 5 depicts an example of a 3GIx wireless network architecture.
  • FIG. 6 depicts an example of an architecture for detecting and preventing signaling attacks according to one embodiment of the present invention.
  • a 3G wireless network requires the establishment (i.e., set-up] of a dedicated channel between a mobile and the associated wireless infrastructure for data to be transmitted.
  • signaling messages need to be transmitted between the mobile and elements of the wireless infrastructure. Signaling attacks seek to exploit the nature of this signaling to overload the wireless infrastructure. Signaling attacks in UMTS networks
  • FIG. 1 shows the typical architecture of a UMTS wireless network.
  • GGSN Gateway GPRS Support Node
  • SGSN Serving GPRS Support Node
  • the GGSN interfaces with authentication servers on external networks as well as DHCP servers for dynamic address allocation.
  • PPP Point-to-Point
  • the SGSN is responsible for sending data to and from mobile stations, in addition to inaintaining information about the location and authentication of a mobile.
  • SGSNs typically, there are multiple SGSNs, each of which serves the GPRS users physically located in their serving area.
  • a Radio Network Controller also known as a Base Station Controller (BSC) is the point where wireless link layer protocols terminate.
  • the RNC provides an interface between wireless devices communicating through Base Stations (BS) and the network edge. This includes controlling and managing the radio transceivers in BS equipment, including radio resource control, admission control, channel allocation, as well as management tasks like handoff between BS equipment.
  • the BS functionality includes wireless link transmission/reception, modulation/ demodulation, physical channel coding, error handling, and power control.
  • multiple mobiles communicate with a BS
  • multiple BS's communicate with an RNC
  • multiple RNCs talk to the GGSN/SGSN.
  • UMTS signaling control flow for setting up channels for resource allocation is now described.
  • a UMTS RNC needs to establish a radio access bearer (RAB) with the base station of the subscriber.
  • RAB radio access bearer
  • the RAB is a channel for data transfer and is released after a timeout period for inactivity.
  • a significant number of messages are exchanged between an RNC, mobile and base station. This is a significant amount of overhead for the RNC and causes severe processing overhead during signaling time intervals.
  • FIG. 2 An example of a message flow between an RNC, base station(s) and a mobile is shown in FIG. 2. Essentially, for every data call, a number of messages are exchanged between a mobile and an RNC. While the RNC is not the termination point for some of these messages (designated as Non Access Stratum or NAS messages), the RNC is required to forward these messages to the final destination in the core network (e.g., PDSN).
  • NAS Non Access Stratum
  • RRC Radio Resource Control
  • RRC-like messages are used to establish/release radio channels for mobile power measurements, to transport paging messages and to broadcast information.
  • An RRC setup leads to the creation of a dedicated signaling channel, which is the first step in enabling data transmission to/from a mobile. This requires 6 messages exchanged between the RNC and the mobile. Following this, there is a series of messages exchanged between the mobile and the core network for the purposes of authentication, and establishment of context, including a PPP connection with a PDSN, and assignment of an IP address. A further 4 messages are exchanged between the RNC, the core network and the mobile for a control security mode which results in the exchange of ciphers to secure the context for a given subscriber.
  • an RAB is set up requiring an additional 8 messages exchanged at the RNC (2 with a core network, 3 with a mobile and 3 with a base station), resulting in a total of 24 messages to establish a single RAB with the RNC (not including messages exchanged between different elements within the RNC). It should be noted that subsequent RAB establishments do not need to perform an RRC signaling channel setup, though use of a control security mode may be required to re-authenticate a mobile.
  • a so-called soft handoff requires adding "legs" or base stations to the primary node with which the mobile has the strongest signal. This requires an additional 4 messages exchanged at the RNC (2 with the mobile and 2 with the primary base station). Finally, after a transfer, a mobile can initiate a teardown of RAB and RRC connections. This is initiated by an IU release function. This requires a total of 11 messages exchanged at the RNC (2 with the core network, 4 with the mobile and 5 with the base station). This number again does not include intra- RNC processing messages that contribute to the overall load at the RNC.
  • the mobile If there is no data exchanged between a mobile and its core network, the mobile is placed in a suspended state. In such a state, air link resources are released and assigned to other active mobiles, which requires 4 messages (2 with its core network and 2 with a base station). However, the context is still maintained at the RNC, and the mobile retains its IP address obtained during RRC/RAB establishment.
  • a mobile can be reactivated (2 messages exchanged with RNC) using a packet call context resumption message (additional 2 messages with its core network) as long as an idle timeout period of 5 seconds has not occurred.
  • An attacker exploits the heavy-duty signaling overhead required for setup of RABs by essentially triggering ari excessive signaling message exchange between the RNC and BS. This may be achieved by sending a low volume burst at appropriately timed periods so that immediately after an RAB is torn down due to inactMry, a burst arrives from an attacker to trigger an establishment of a new RAB. This frequent setup /release can easily overload the RNC by requiring an excessive amount of signaling messages.
  • the damage due to such an attack may be so severe that valid traffic may not receive an allocation of resources causing it to be dropped by an RNC.
  • the RNC can also become overloaded, effectively denying service to a significant number of subscribers.
  • RNCs are engineered to handle a certain amount of simultaneously active mobiles/users (in practice, 10%). It is easy for an attacker to exceed this number due to the low-volume nature of an attack.
  • Another side effect of a signaling attack is the potential for draining a mobile's battery. Normally, to conserve power, a mobile switches to a low-power idle or dormant state when there are no packets being sent or received. Because low volume bursts are sent periodically, mobiles would be forced to stay active longer than necessary. In a worst case scenario, a mobile may never be allowed to enter a dormant state causing rapid draining of its battery.
  • FIG. 3a plots a Base Station ControEer's load versus time of day for a series of attacks
  • FIG. 3b plots call set-up delay time (i.e., delay experienced after a call arrives until the time resources are allocated) versus time of day.
  • FIGs. 3a and 3b demonstrate the drastic effect of an attack. Simply by sending 6% attack traffic, the load at an RNC may be increased by a factor of 5 from a utilization of 15% to 75%. This also translates into a 5-fold increase in call setup delay, which further erodes consumer confidence, especially for providers touting real-time services. It is relatively easy to overload an RNC simply by sending around 10% attack traffic.
  • 3GIx architecture e.g., CDMA2000
  • signaling e.g., CDMA2000
  • FIG. 5 depicts a typical architecture for a 3GIx wireless network.
  • the PDSN may be a router, which functions as a gateway for data flow to and from all user mobiles /terminals in the entire wireless network.
  • a PPP link is set up between the GGSN and the user/mobile.
  • On the path to the PDSN there are three devices that are typically part of a wireless infrastructure.
  • the RNC and the BS have functionality identical to their counterparts in UMTS. In this hierarchical architecture, multiple mobiles communicate with a base station, multiple base stations communicate with an RNC, and multiple RNCs talk to the PDSN.
  • 3GIx Signaling 3GIx Signaling
  • a PDSN receives data for a mobile, it pages the mobile. Once a successful response to a paging message has been received (3 messages exchanged), a base station initiates the setup of a FCH or Traffic Channel with the mobile (exchanging 8 messages). In parallel, a service request is made between the base station and an RNC requiring 4 messages. The RNC is also expected to forward messages to the core network, which in this case is required to authenticate the user. This results in an additional 6 messages.
  • Every subscriber typically has an primary leg assigned, which originally acts as the forwarding base station when a call is first setup.
  • an additional base-station called an anchor leg, is established for long-lived connections. This leg could be distinct from the primary leg and is defined as the base station with the strongest signal to the mobile.
  • the anchor leg takes charge of deciding when to allocate supplemental channels (SCH), which are used when there is insufficient capacity on a 9.6Kbps FCH.
  • SCH Supplemental channels
  • the present inventors recognized that knowledge of so-called wireless states, in particular the signaling cost(s) as traffic traverses through a wireless network was needed. This allows malicious traffic to be identified as soon as it begins to introduce excessive signaling cost.
  • Signaling cost can be obtained in various ways depending on the wireless infrastructure involved. Ideally, an exact signaling cost can be obtained by querying wireless elements, such as an RNC and base station, when these elements provide an interface for such queries.
  • wireless elements such as an RNC and base station
  • current 3G wireless networks do not have such an interface, thus requiring modifications in order to support such queries. Changing an existing infrastructure, however, is not a viable solution given the amount of investment already expended by network owners / op erators .
  • the present inventors discovered a simple, yet novel mechanism of estimating the signaling cost from traffic arrival patterns assuming knowledge of signaling call(s).
  • the present inventions provide for methods and devices for detecting an attack using the so estimated signaling cost.
  • the signaling cost can be obtained by a simple query. Absent that, the challenge is to obtain the cost without the assistance of such wireless elements.
  • the signaling cost is estimated from traffic arrival patterns. This requires knowledge of the signaling protocols inside wireless elements.
  • Table 1 shows an example of a technique for estimating signaling cost (due to RAB establish/release) in a UMTS network according to one embodiment of the present invention. Similar techniques within the scope of the present invention can be used to estimate other types of signaling costs for CDMA2000 networks according to alternative embodiments of the present invention.
  • the present invention makes use of the fact that, upon arrival of a packet, if the destination's RAB has been released, the destination mobile has to reestablish the RAB. This reestablishment creates an added cost to establish a new RAB and release the previous RAB due to the expiration of an idle timer; a cost which can be detected by techniques provided by the present invention.
  • a reliable sign of an ongoing signaling attack is the detection of excessive or additional signaling costs even though the volume of actual, transmitted data is low.
  • an attacker can flood a network using huge amounts of traffic that would also introduce excessive signaling costs. However, this can be, relatively speaking, easily detected by existing firewall or intrusion detection mechanisms. With a low-volume attack, there needs to be a more accurate metric for detection.
  • a statistical measure referred to as a signaling cost to data ratio is used as a metric. If the ratio exceeds a certain profiled threshold, a signaling attack is detected and malicious traffic/packets from the source of the attack are blocked.
  • the first step in determining if traffic is part of an attack is to define a threshold for later comparison. This should be user/ application specific. The value of this threshold may be chosen by profiling user/ applications during a pre-processing time period.
  • a profile for each user may be created based on a statistical signaling cost to data ratio.
  • Information used in building the profile includes packet arrival times, IP addresses and port numbers of source(s) and destination(s).
  • One novel aspect of the profiling mechanism provided by the present invention is the ability to aggregate (user, application, as well as server) related profiles.
  • user profile we refer to the statistics for an individual user. This division can be further categorized by individual application. For instance, web surfing is the most frequently used service by most users. Similarly, a video-on ⁇ demand server may use KTP packets to broadcast video to users. Statistics on an individual web server basis can also be compiled by logging the arrival of HTTP/RTP packets.
  • the profiles can be aggregated across users with similar behaviors. Current traffic can then be compared to the aggregated profile to detect inconsistencies. Aggregated profiles can analogously be maintained for popular servers and also for popular applications. The flexibility of using different classification approaches allows a more comprehensive and accurate characterization of what is considered as normal traffic. This profile is key to detecting abnormal and malicious traffic, while also minimizing the probability of false positives (incorrect classification of valid traffic as malicious traffic). TABLE 2
  • Table 2 above sets forth an example of a method or algorithm for defending against a DoS Signaling attack.
  • This method may be executed by a device or devices capable of either estimating or collecting user state statistical information (e.g., actual traffic flow) from the wireless infrastructure.
  • this method operates as follows.
  • a current measure such as a signaling cost to data ratio is generated or derived. This ratio can be obtained through either directly querying the infrastructure or by using an estimation technique.
  • the signaling cost to data ratio is compared against a threshold, reference ratio. If the derived ratio exceeds the threshold for a user, i.e., S/DTHRESH, determined from a pre-processing step that builds a profile for the user, subsequent traffic from a sender "s" is flagged.
  • the user profile generated during the pre-processing step is adaptable to user behavior in order to minimize false positives and accurately detect when a violation occurs. More specifically, after the initial profile is created during pre- processing, it may be updated regularly based on changes to a user's behavior.
  • AWARE- enabled devices may be modular and can support upgrades in order to counter future attacks.
  • an AWARE architecture (e.g., enabled device) may comprise two components: a learning database and profiler, and/ or a detection engine or detector.
  • the learning database is operable to capture and store information about a user during the pre-processing step.
  • the profiler is operable to generate a traffic profile for a given user under normal (i.e., non- attack) conditions.
  • the database and profiler may be one and the same and may be correlated with other user databases and profilers for cross-mobile correlation.
  • the information in these databases is fed to a detector/ detection engine.
  • the detection engine is operable to maintain a threshold for each user and verify if current traffic for a user or set of users violates the corresponding threshold.
  • the wireless elements that are capable of communicating with an AWARE-enabled device one that contains a database, profiler and/or a detector
  • the location of the AWARE-enabled device may be varied:
  • An AWARE-enabled device can be co-located with a firewall of a wireless service provider. If such a design is chosen, then it is not necessarily assumed that any other part of the wireless infrastructure is aware of the presence of an AWARE-enabled device or interacts with the AWARE- enabled device.
  • an AWARE-enabled device uses IP layer information such as packet arrivals and information from IP/TCP and application layer headers to build profiles. This assumes that the AWARE-enabled device can look inside a packet. If IPsec (tunnel mode) has been enabled, an IPsec (tunnel mode) has been enabled.
  • AWARE-enabled device can be co-located with an IPsec gateway in the domain so as to be able to decrypt and inspect packet headers and payloads.
  • an AWARE-enabled device may be placed between a PDSN and an RNC.
  • the device may interact with the PDSN, and obtain information as to how packets are distributed to different RNCs.
  • An RNC provides finer grain information, such as: the number of signaling events for a FCH & SCH setup/release, the timestamp(s) of signaling messages, and power control information via a base station that estimates mobile power consumption. It should be understood that, in the event that an
  • AWARE-enabled device is a stand-alone device, an AWARE-compatible interface may be needed to allow the device to operate with a wireless infrastructure (e.g., firewall).
  • a wireless infrastructure e.g., firewall
  • an AWARE-enabled device In a "least-invasive" design, an AWARE-enabled device simply looks at IP packets that are passed on from a firewall before they reach the PDSN. All of the necessary information is contained in the application, TCP and IP headers and the payload itself. Information needed to build a profile can be extracted from the above headers and payload. [0059] An AWARE-enabled device should be able to communicate with existing firewalls or IPsec gateways. Ideally, an AWARE-enabled device may be co-located at these entities acting as a filter to block suspected traffic.
  • AWARE-enabled device If a AWARE-enabled device is not co-located with the IPsec gateway, there needs to be a so-called security association with the gateway so it can decrypt and process ESP-encapsulated packets in a tunnel mode. Even if an AWARE-enabled device is not co-located with the firewall, there typically is an interface with most commercial firewalls such as Checkpoint's Firewall- 1 that allows the configuration of filters.
  • an AWARE-enabled device may obtain mobility related information because a mobile may cross over from one RNC to another.
  • the impact of mobility information on the detection heuristic is worth analyzing, because highly mobile end-users can contribute significantly to the load of an infrastructure. Launching a wireless DoS attack against highly mobile users requires additional tasks, such as more frequent paging, that can add substantially to processing overhead.
  • a mobile may initiate a PPP connection with the PDSN before initiating a transfer.
  • An AWARE-enabled device may also query the PDSN to obtain a PPP state history.
  • AWARE-enabled devices In addition to AWARE-enabled devices, the present inventors also recognized that an AWARE related architecture may also require additional devices.
  • an AWARE-compatible interface is provided by the present invention.
  • such an interface is operable to query wireless user /mobile state(s).
  • Such an interface also allows an AWARE-enabled device (or devices) to communicate in a secure manner with the wireless infrastructure in order to obtain mobile /user-specific information. It should be noted that such an interface may be included as an option in infrastructures other than a PDSN, because at a minimum, packet arrivals need to be known in order to estimate state information.
  • Snort is an open-source IDS mechanism that emulates the functionality of an AWARE-enabled device. Snort is modular and allows new plug-ins to be installed, thus allowing the detection mechanism to be customized and enhanced for defense against current and future attacks.
  • plug-in is meant a generic term that refers to modules that can be added dynamically to alter the behavior of Snort.
  • Snort compatible plug-in incorporating the detection heuristic functions of the present invention is provided.
  • Other plug-ins are also provided by the present invention.
  • Snortsam compatible plug-in that allows such interfacing is provided by the present invention.
  • Such a plug-in may be operable to act as filter(s) to block malicious traffic.
  • this plug-in may be interfaced with a wireless packet scheduler to reduce the priority of malicious traffic.
  • the methods of the present invention may be realized in hardware, software, firmware or some combination of the three.
  • one or more programmable or programmed controllers, processors, etc. may be operable to store one or more programs or code (and data) that, in turn, is operable to carry out the features and functions of the present invention described above and in the claims that follow.

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)
  • Mobile Radio Communication Systems (AREA)
  • Telephonic Communication Services (AREA)
  • Computer And Data Communications (AREA)

Abstract

Wireless state information and user/network profiling are used to detect and prevent Denial of Service attacks.

Description

METHODS AND DEVICES FOR DEFENDING A 3G WIRELESS NETWORK AGAINST A SIGNALING ATTACK
BACKGROUND OF THE INVENTION
[0001] Denial of Service (DoS) attacks continue to present a significant challenge. In fact, the frequency and magnitude of attacks in the Internet have been steadily increasing. There have been a number of well-publicized attacks such as the February, 2000 attack on popular Web sites that included Yahoo, CNN, EBay, etc., and the recent attacks on root DNS servers.
[0002] DoS attacks typically involve sending a large volume of traffic to a node that exceeds its processing capability, in effect knocking the afflicted node out of the network for the duration of the attack. A more sophisticated attack is a Distributed DoS attack (DDoS).
[0003] An attacker intending to launch a DDoS attack begins by subverting a number of nodes, using well-known security loopholes. These compromised nodes essentially become slaves of the attacker and act as launch points to inject traffic into the network. By summoning a reasonable number of compromised nodes, an attacker can potentially launch a large-scale, network wide attack by cascading the traffic from multiple launch points.
[0004] A large variety of solutions have been proposed to counter DoS attacks. The current state-of-the-art in defending against DoS attacks include firewalls (Cisco's PIX router, Netscreen, Checkpoint's Firewall- 1 are some examples), router modifications to support pushback, traceback mechanisms that attempt to detect the source of the attack, and related intrusion detection mechanisms that look for anomalies or signatures in arriving traffic. Some of these approaches require significant changes to existing network elements, and are costly to deploy, while others require collaboration across ISPs, and thus may be impractical. Nonetheless, these schemes do reduce the threat of wireline DoS attacks. For example, most firewalls do not allow connections to be initiated from outside, thus preventing DoS flooding attacks.
[0005] Wireless networks on the other hand are significantly more fragile than wireline networks. There are several vulnerabilities in wireless networks that can be exploited by novel DoS attacks:
• Limited wireless link bandwidth: The scarcity of resources combined with the low capacity of a wireless link makes it an easy target of a DoS attack. In fact, the attacker's job is made even easier than in the wireline case because it takes significantly less traffic (i.e., relatively low volume) to overload a wireless link. In addition, the relatively low volume of traffic makes it difficult to detect a wireless DoS attack.
• Processing Overhead: A typical 3GIx or UMTS network has several infrastructure elements that perform a host of functions such as power control, resource allocation, paging, etc. A radio network controller (RNC) and base stations are involved in these activities for each mobile. With fast handoff, the overhead required by these devices is tremendous. Furthermore, such devices are typically engineered to handle a load with a certain number of users being simultaneously active. Overload, therefore, is a significant concern for any wireless infrastructure.
• Limited Power supply: Another constraining factor is that mobile devices ("mobile") in a wireless network are usually powered by batteries whose limited lifetimes make them targets of a class of attacks that simply drain their power by making the mobile perform redundant power consuming activities. This by itself can render the mobile inoperable. • Multi-targeted: In a wireless DoS attack, the attacker has more flexibility because both the infrastructure as well as mobiles can be easily attacked. The same attack can now target multiple mobiles, either by attacking each mobile individually, or by targeting the wireless infrastructure for a more widespread effect. Furthermore, new architectures such as IxEV-DO with its always-on capability increases the probability of an attack.
[0006] An attacker launching a wireless-specific DoS attack can easily exploit these vulnerabilities.
[0007] Another by-product of a wireless attack is that once the attack reaches a mobile it is too late. In a wireline DoS attack, it takes a certain amount of time for a server to be disabled because such machines have a larger processing capacity than a wireless endpoint (mobile). In contrast, a mobile has limited processing and battery lifetime. In addition, a wireless link is severely bandwidth- constrained when compared to a wireline network. If the traffic from an attack reaches a mobile, the attack has already succeeded in wasting critical resources of the wireless link, the wireless infrastructure, and the battery power of the mobile. This is in contrast to typical wireline DoS attacks that must overload processing resources at a server in order to succeed.
[0008] It is desirable, therefore, to provide methods and devices for detecting, preventing and defending against 3G wireless network DoS-like attacks. More particularly, it is desirable to provide methods and devices for detecting, preventing and defending against wireless DoS-like attacks launched against UMTS, CDMA2000 and other 3G wireless networks.
BRIEF DESCRIPTION OF THE DRAWINGS [0009] FIG. 1 depicts an example of a UMTS wireless network architecture. [0010] FIG. 2 depicts an example of a message flow associated with the UMTS wireless network of FIG. 1.
[0011] FIGs. 3a and 3b depict exemplary simulations of a possible impact of a signaling attack. [0012] FIG. 4 depicts exemplary steps in setting up a fundamental channel in a 3GIx wireless network.
[0013] FIG. 5 depicts an example of a 3GIx wireless network architecture.
[0014] FIG. 6 depicts an example of an architecture for detecting and preventing signaling attacks according to one embodiment of the present invention.
DETAILED DESCRIPTION OF THE INVENTION. WITH EXAMPLES
[0015] A 3G wireless network requires the establishment (i.e., set-up] of a dedicated channel between a mobile and the associated wireless infrastructure for data to be transmitted. In order to set up the channel, signaling messages need to be transmitted between the mobile and elements of the wireless infrastructure. Signaling attacks seek to exploit the nature of this signaling to overload the wireless infrastructure. Signaling attacks in UMTS networks
[0016] First, we begin with a brief introduction of the UMTS architecture. Then, we present an overview of the signaling required to set up a data channel and the vulnerability of a UMTS network to signaling attacks. [0017] FIG. 1 shows the typical architecture of a UMTS wireless network. There are several components, beginning with the Gateway GPRS Support Node (GGSN) which is a GPRS network entity that serves as a wireless gateway between a Serving GPRS Support Node (SGSN) and the Internet. Additionally, the GGSN interfaces with authentication servers on external networks as well as DHCP servers for dynamic address allocation. When a mobile or user successfully authenticates and registers with the network, a Point-to-Point (PPP) link is set up between the GGSN and the mobile.
[00181 The SGSN is responsible for sending data to and from mobile stations, in addition to inaintaining information about the location and authentication of a mobile. Typically, there are multiple SGSNs, each of which serves the GPRS users physically located in their serving area.
[0019] A Radio Network Controller (RNC), also known as a Base Station Controller (BSC) is the point where wireless link layer protocols terminate. The RNC provides an interface between wireless devices communicating through Base Stations (BS) and the network edge. This includes controlling and managing the radio transceivers in BS equipment, including radio resource control, admission control, channel allocation, as well as management tasks like handoff between
BS's and deciding power control parameters. The BS functionality includes wireless link transmission/reception, modulation/ demodulation, physical channel coding, error handling, and power control. In this hierarchical architecture, multiple mobiles communicate with a BS, multiple BS's communicate with an RNC, and multiple RNCs talk to the GGSN/SGSN.
[0020] The UMTS signaling control flow for setting up channels for resource allocation is now described. Essentially, when data arrives for a subscriber, a UMTS RNC needs to establish a radio access bearer (RAB) with the base station of the subscriber. The RAB is a channel for data transfer and is released after a timeout period for inactivity. For establishing and releasing an RAB, a significant number of messages are exchanged between an RNC, mobile and base station. This is a significant amount of overhead for the RNC and causes severe processing overhead during signaling time intervals.
[0021] An example of a message flow between an RNC, base station(s) and a mobile is shown in FIG. 2. Essentially, for every data call, a number of messages are exchanged between a mobile and an RNC. While the RNC is not the termination point for some of these messages (designated as Non Access Stratum or NAS messages), the RNC is required to forward these messages to the final destination in the core network (e.g., PDSN).
Radio Resource Control (RRC) Messages
[0022] RRC-like messages are used to establish/release radio channels for mobile power measurements, to transport paging messages and to broadcast information. An RRC setup leads to the creation of a dedicated signaling channel, which is the first step in enabling data transmission to/from a mobile. This requires 6 messages exchanged between the RNC and the mobile. Following this, there is a series of messages exchanged between the mobile and the core network for the purposes of authentication, and establishment of context, including a PPP connection with a PDSN, and assignment of an IP address. A further 4 messages are exchanged between the RNC, the core network and the mobile for a control security mode which results in the exchange of ciphers to secure the context for a given subscriber. Finally, an RAB is set up requiring an additional 8 messages exchanged at the RNC (2 with a core network, 3 with a mobile and 3 with a base station), resulting in a total of 24 messages to establish a single RAB with the RNC (not including messages exchanged between different elements within the RNC). It should be noted that subsequent RAB establishments do not need to perform an RRC signaling channel setup, though use of a control security mode may be required to re-authenticate a mobile.
[0023] Depending on the location of a mobile, a so-called soft handoff requires adding "legs" or base stations to the primary node with which the mobile has the strongest signal. This requires an additional 4 messages exchanged at the RNC (2 with the mobile and 2 with the primary base station). Finally, after a transfer, a mobile can initiate a teardown of RAB and RRC connections. This is initiated by an IU release function. This requires a total of 11 messages exchanged at the RNC (2 with the core network, 4 with the mobile and 5 with the base station). This number again does not include intra- RNC processing messages that contribute to the overall load at the RNC.
[0024] If there is no data exchanged between a mobile and its core network, the mobile is placed in a suspended state. In such a state, air link resources are released and assigned to other active mobiles, which requires 4 messages (2 with its core network and 2 with a base station). However, the context is still maintained at the RNC, and the mobile retains its IP address obtained during RRC/RAB establishment. A mobile can be reactivated (2 messages exchanged with RNC) using a packet call context resumption message (additional 2 messages with its core network) as long as an idle timeout period of 5 seconds has not occurred.
Vulnerability and Nature of the Attack
[0025] An attacker exploits the heavy-duty signaling overhead required for setup of RABs by essentially triggering ari excessive signaling message exchange between the RNC and BS. This may be achieved by sending a low volume burst at appropriately timed periods so that immediately after an RAB is torn down due to inactMry, a burst arrives from an attacker to trigger an establishment of a new RAB. This frequent setup /release can easily overload the RNC by requiring an excessive amount of signaling messages. [0026] It should be noted that it is relatively easy for an attacker to obtain the IP addresses of mobiles. Wireless service providers typically assign chunks of contiguous IP addresses making it easy for an attacker to guess a valid range of addresses simply by posing as a valid subscriber. [0027] Two salient features of an attack are worthy of note. First, as noted before, the low average transmission rate of the attack (small bursts are sent periodically), make it hard for any existing detection mechanism to classify the traffic as malicious. The low volume also makes it easier for an attacker to launch an attack as opposed to conventional DDoS attacks requiring the attacker to compromise thousands of hosts in order to even launch an attack. Furthermore, only one packet needs to be sent per mobile allowing the attacker to have a widespread, diffused impact further complicating detection.
Damage Due to the Attack [0028] The damage due to such an attack may be so severe that valid traffic may not receive an allocation of resources causing it to be dropped by an RNC. The RNC can also become overloaded, effectively denying service to a significant number of subscribers. In addition, RNCs are engineered to handle a certain amount of simultaneously active mobiles/users (in practice, 10%). It is easy for an attacker to exceed this number due to the low-volume nature of an attack.
[0029] Another side effect of a signaling attack is the potential for draining a mobile's battery. Normally, to conserve power, a mobile switches to a low-power idle or dormant state when there are no packets being sent or received. Because low volume bursts are sent periodically, mobiles would be forced to stay active longer than necessary. In a worst case scenario, a mobile may never be allowed to enter a dormant state causing rapid draining of its battery.
[0030] The present inventors performed simulations of the impact of an attack; some of the results are given by the graphs in FIGs. 3a and 3b. FIG. 3a plots a Base Station ControEer's load versus time of day for a series of attacks, while FIG. 3b plots call set-up delay time (i.e., delay experienced after a call arrives until the time resources are allocated) versus time of day. [0031] The results from FIGs. 3a and 3b demonstrate the drastic effect of an attack. Simply by sending 6% attack traffic, the load at an RNC may be increased by a factor of 5 from a utilization of 15% to 75%. This also translates into a 5-fold increase in call setup delay, which further erodes consumer confidence, especially for providers touting real-time services. It is relatively easy to overload an RNC simply by sending around 10% attack traffic.
[0032] Changing gears, the following is a brief description of the
3GIx architecture (e.g., CDMA2000) and signaling.
3GIx Architecture
[0033] FIG. 5 depicts a typical architecture for a 3GIx wireless network. The PDSN may be a router, which functions as a gateway for data flow to and from all user mobiles /terminals in the entire wireless network. When a mobile or user successfully authenticates and registers with the network, a PPP link is set up between the GGSN and the user/mobile. On the path to the PDSN, there are three devices that are typically part of a wireless infrastructure. The RNC and the BS have functionality identical to their counterparts in UMTS. In this hierarchical architecture, multiple mobiles communicate with a base station, multiple base stations communicate with an RNC, and multiple RNCs talk to the PDSN. 3GIx Signaling
[0034] In a 3GIx network, there is an analogous problem for resource allocation. The equivalent of an RAB in UMTS networks is the fundamental channel (FCH) that needs to be setup to transfer data. Typical steps used to set-up an FCH are shown in FIG. 4. [0035] When a PDSN receives data for a mobile, it pages the mobile. Once a successful response to a paging message has been received (3 messages exchanged), a base station initiates the setup of a FCH or Traffic Channel with the mobile (exchanging 8 messages). In parallel, a service request is made between the base station and an RNC requiring 4 messages. The RNC is also expected to forward messages to the core network, which in this case is required to authenticate the user. This results in an additional 6 messages. Finally, 2 additional messages are exchanged between the RNC and the PDSN for accounting purposes. Once this is done, an active channel exists for transmitting data to and from the mobile. [0036] Call release(s) follow the reverse procedure and require 7 messages from the RNC to the PDSN and base station, 8 messages between the base station and the RNC, PDSN and mobile. Overall, 29 messages are generated or received by the BS and 13 messages by the RNC in addition to 9 more messages that the RNC is responsible for forwarding to the core network.
[0037] Every subscriber typically has an primary leg assigned, which originally acts as the forwarding base station when a call is first setup. In certain cases, an additional base-station, called an anchor leg, is established for long-lived connections. This leg could be distinct from the primary leg and is defined as the base station with the strongest signal to the mobile. The anchor leg takes charge of deciding when to allocate supplemental channels (SCH), which are used when there is insufficient capacity on a 9.6Kbps FCH.
[0038] If there is excess data in the form of bursts that exceed the capacity of the FCH, then resources are allocated on demand to create a SCH for each user. There are an additional 16 messages exchanged between the anchor leg, the RNC and other base stations (for soft handoffs) leading to a similar vulnerability of the anchor leg for supplemental channel allocation and release. [0039] While an attack on the anchor leg potentially has less widespread damage than an attack on the RNC, the impact is still severe enough to lead to a significant loss of revenue to a wireless service provider. If an attacker can impact multiple anchor legs, then the damage is magnified even more. An attacker may even be able to target the subscribers that belong to a particular anchor leg. [0040] It should be noted that if an attacker simply sends randomly addressed bursts the damage could still be severe. Even if a single anchor leg is not in charge of the subscribers that are receiving the bursts, the RNC can still be overloaded due to its interaction with multiple anchor legs.
[0041] To prevent and defend against an attack, the present inventors recognized that knowledge of so-called wireless states, in particular the signaling cost(s) as traffic traverses through a wireless network was needed. This allows malicious traffic to be identified as soon as it begins to introduce excessive signaling cost. Signaling cost can be obtained in various ways depending on the wireless infrastructure involved. Ideally, an exact signaling cost can be obtained by querying wireless elements, such as an RNC and base station, when these elements provide an interface for such queries. However, current 3G wireless networks do not have such an interface, thus requiring modifications in order to support such queries. Changing an existing infrastructure, however, is not a viable solution given the amount of investment already expended by network owners / op erators . [0042] The present inventors discovered a simple, yet novel mechanism of estimating the signaling cost from traffic arrival patterns assuming knowledge of signaling call(s). The present inventions provide for methods and devices for detecting an attack using the so estimated signaling cost. [0043] As mentioned above, if a wireless element provides an interface for querying, the signaling cost can be obtained by a simple query. Absent that, the challenge is to obtain the cost without the assistance of such wireless elements. In one embodiment of the present invention, the signaling cost is estimated from traffic arrival patterns. This requires knowledge of the signaling protocols inside wireless elements. Table 1 shows an example of a technique for estimating signaling cost (due to RAB establish/release) in a UMTS network according to one embodiment of the present invention. Similar techniques within the scope of the present invention can be used to estimate other types of signaling costs for CDMA2000 networks according to alternative embodiments of the present invention.
TABLE 1
1. LastArrival(i) = 0
2. while true do a. Packet arrives for user i OR user i sends a packet b. IF (CurrentTime - LastArrival(ι) > IdleTimeout) THEN i. Cost(ή += cost of RAB establishment ii. CostfO += cost of RAB release
3. LastArrival(ι) = CurrentTime
[0044] The present invention makes use of the fact that, upon arrival of a packet, if the destination's RAB has been released, the destination mobile has to reestablish the RAB. This reestablishment creates an added cost to establish a new RAB and release the previous RAB due to the expiration of an idle timer; a cost which can be detected by techniques provided by the present invention.
[0045] A reliable sign of an ongoing signaling attack is the detection of excessive or additional signaling costs even though the volume of actual, transmitted data is low. Before continuing, it should be noted that an attacker can flood a network using huge amounts of traffic that would also introduce excessive signaling costs. However, this can be, relatively speaking, easily detected by existing firewall or intrusion detection mechanisms. With a low-volume attack, there needs to be a more accurate metric for detection. In accordance with the present invention, a statistical measure referred to as a signaling cost to data ratio is used as a metric. If the ratio exceeds a certain profiled threshold, a signaling attack is detected and malicious traffic/packets from the source of the attack are blocked. In a further embodiment of the present invention, if multiple attacks from the same source are detected, malicious traffic/packets, etc. from the source of the attack is blocked while allowing traffic from other sources through, for example. Other intrusion detection mechanisms may also be used to reduce the chance of false alarms.
[0046] In accordance with an exemplary method of the present invention, the first step in determining if traffic is part of an attack is to define a threshold for later comparison. This should be user/ application specific. The value of this threshold may be chosen by profiling user/ applications during a pre-processing time period.
[0047] During such a time period, a profile for each user may be created based on a statistical signaling cost to data ratio. Information used in building the profile includes packet arrival times, IP addresses and port numbers of source(s) and destination(s).
[0048] One novel aspect of the profiling mechanism provided by the present invention is the ability to aggregate (user, application, as well as server) related profiles. By user profile, we refer to the statistics for an individual user. This division can be further categorized by individual application. For instance, web surfing is the most frequently used service by most users. Similarly, a video-on~ demand server may use KTP packets to broadcast video to users. Statistics on an individual web server basis can also be compiled by logging the arrival of HTTP/RTP packets.
[0049] To enable scalability, the profiles can be aggregated across users with similar behaviors. Current traffic can then be compared to the aggregated profile to detect inconsistencies. Aggregated profiles can analogously be maintained for popular servers and also for popular applications. The flexibility of using different classification approaches allows a more comprehensive and accurate characterization of what is considered as normal traffic. This profile is key to detecting abnormal and malicious traffic, while also minimizing the probability of false positives (incorrect classification of valid traffic as malicious traffic). TABLE 2
Collect the signaling cost to data ratio a. Query: Actual number of signaling messages exchanged per user from wireless elements b. Estimate: Infer signaling cost from packet arrivals Detection: For packet(j) from sender s to user i:
Metric: Signaling Cost to Data Ratio (S/D) IF (S/D) > S/DTORESH&) for user i, THEN
■ FLAGjs++;
Start INVALIDTTMER(S)
Verification: IF (FLAGjs > VOTETHRESH(S) OR INVALIDΉMER = 0) THEN
■ Install filter at firewall to block data to s
[0050] Table 2 above sets forth an example of a method or algorithm for defending against a DoS Signaling attack. This method may be executed by a device or devices capable of either estimating or collecting user state statistical information (e.g., actual traffic flow) from the wireless infrastructure. In general this method operates as follows. [0051] In an initial step, a current measure, such as a signaling cost to data ratio is generated or derived. This ratio can be obtained through either directly querying the infrastructure or by using an estimation technique.
[0052] Next, the signaling cost to data ratio is compared against a threshold, reference ratio. If the derived ratio exceeds the threshold for a user, i.e., S/DTHRESH, determined from a pre-processing step that builds a profile for the user, subsequent traffic from a sender "s" is flagged.
[0053] Lastly, if a sufficient number of packets (when compared to a threshold, VOTETHRESH) have been flagged as suspicious from the sender s, OR the suspicious behavior lasts for an extended period of time (INVALIDTIMER), then a filter may be applied at a firewall to block future traffic from that sender. [0054] It should be noted that the user profile generated during the pre-processing step is adaptable to user behavior in order to minimize false positives and accurately detect when a violation occurs. More specifically, after the initial profile is created during pre- processing, it may be updated regularly based on changes to a user's behavior.
[0055] The method utilized in Table 2 may be implemented in a number of different ways, one of which may be referred to as an Architecture for Wireless Attack REsistance (AWARE). AWARE- enabled devices may be modular and can support upgrades in order to counter future attacks.
[0056] In one embodiment of the present invention, an AWARE architecture (e.g., enabled device) may comprise two components: a learning database and profiler, and/ or a detection engine or detector. The learning database is operable to capture and store information about a user during the pre-processing step. The profiler is operable to generate a traffic profile for a given user under normal (i.e., non- attack) conditions. The database and profiler may be one and the same and may be correlated with other user databases and profilers for cross-mobile correlation. The information in these databases is fed to a detector/ detection engine. In one embodiment of the present invention, the detection engine is operable to maintain a threshold for each user and verify if current traffic for a user or set of users violates the corresponding threshold. Depending on the wireless elements that are capable of communicating with an AWARE-enabled device (one that contains a database, profiler and/or a detector), the location of the AWARE-enabled device may be varied:
• Co-located with a Firewall: An AWARE-enabled device can be co-located with a firewall of a wireless service provider. If such a design is chosen, then it is not necessarily assumed that any other part of the wireless infrastructure is aware of the presence of an AWARE-enabled device or interacts with the AWARE- enabled device.
In an embodiment of the present invention, an AWARE-enabled device uses IP layer information such as packet arrivals and information from IP/TCP and application layer headers to build profiles. This assumes that the AWARE-enabled device can look inside a packet. If IPsec (tunnel mode) has been enabled, an
AWARE-enabled device can be co-located with an IPsec gateway in the domain so as to be able to decrypt and inspect packet headers and payloads.
• Between the PDSN and an RNC: In an alternative embodiment of the present invention, an AWARE-enabled device may be placed between a PDSN and an RNC. In such a design, the device may interact with the PDSN, and obtain information as to how packets are distributed to different RNCs. An RNC provides finer grain information, such as: the number of signaling events for a FCH & SCH setup/release, the timestamp(s) of signaling messages, and power control information via a base station that estimates mobile power consumption. It should be understood that, in the event that an
AWARE-enabled device is a stand-alone device, an AWARE-compatible interface may be needed to allow the device to operate with a wireless infrastructure (e.g., firewall).
[0058] In a "least-invasive" design, an AWARE-enabled device simply looks at IP packets that are passed on from a firewall before they reach the PDSN. All of the necessary information is contained in the application, TCP and IP headers and the payload itself. Information needed to build a profile can be extracted from the above headers and payload. [0059] An AWARE-enabled device should be able to communicate with existing firewalls or IPsec gateways. Ideally, an AWARE-enabled device may be co-located at these entities acting as a filter to block suspected traffic. If a AWARE-enabled device is not co-located with the IPsec gateway, there needs to be a so-called security association with the gateway so it can decrypt and process ESP-encapsulated packets in a tunnel mode. Even if an AWARE-enabled device is not co-located with the firewall, there typically is an interface with most commercial firewalls such as Checkpoint's Firewall- 1 that allows the configuration of filters.
[0060] If an AWARE-enabled device is placed between the PDSN and an RNC, more user-specific state information may be gathered
(i.e., which RNC a user belongs to, and potentially other information that can be obtained from an RLP frame). Also, an AWARE-enabled device may obtain mobility related information because a mobile may cross over from one RNC to another. The impact of mobility information on the detection heuristic is worth analyzing, because highly mobile end-users can contribute significantly to the load of an infrastructure. Launching a wireless DoS attack against highly mobile users requires additional tasks, such as more frequent paging, that can add substantially to processing overhead. Also, a mobile may initiate a PPP connection with the PDSN before initiating a transfer.
An AWARE-enabled device may also query the PDSN to obtain a PPP state history.
[0061] In addition to AWARE-enabled devices, the present inventors also recognized that an AWARE related architecture may also require additional devices.
[0062] For example, an AWARE-compatible interface is provided by the present invention. In one embodiment of the present invention, such an interface is operable to query wireless user /mobile state(s). Such an interface also allows an AWARE-enabled device (or devices) to communicate in a secure manner with the wireless infrastructure in order to obtain mobile /user-specific information. It should be noted that such an interface may be included as an option in infrastructures other than a PDSN, because at a minimum, packet arrivals need to be known in order to estimate state information.
[0063] In addition to an interface, the present invention provides for a plug-in detector. [0064] Snort is an open-source IDS mechanism that emulates the functionality of an AWARE-enabled device. Snort is modular and allows new plug-ins to be installed, thus allowing the detection mechanism to be customized and enhanced for defense against current and future attacks. By "plug-in" is meant a generic term that refers to modules that can be added dynamically to alter the behavior of Snort.
[0065] In an additional embodiment of the present invention, a
Snort compatible plug-in incorporating the detection heuristic functions of the present invention is provided. [0066] Other plug-ins are also provided by the present invention.
Again, during their experiments the present inventors utilized Snortsam to interface with a firewall and react to attacks.
[0067] In an additional embodiment of the present invention, a
Snortsam compatible plug-in that allows such interfacing is provided by the present invention. Such a plug-in may be operable to act as filter(s) to block malicious traffic.
[0068] Alternatively, this plug-in may be interfaced with a wireless packet scheduler to reduce the priority of malicious traffic.
[0069] It should be understood that the methods of the present invention, the AWARE-enabled devices, interfaces, and any subcomponents (e.g., learning database, profiler, detector, etc.) may be realized in hardware, software, firmware or some combination of the three. For example, one or more programmable or programmed controllers, processors, etc. may be operable to store one or more programs or code (and data) that, in turn, is operable to carry out the features and functions of the present invention described above and in the claims that follow.

Claims

We claim:
1. A method for detecting a signaling attack against a 3G wireless network comprising: measuring a traffic level associated with a mobile device; generating a cost-to-data ratio associated with the measured traffic level and a signaling cost; and comparing the generated ratio to a profiled, reference cost-to- data threshold ratio to determine whether a Denial-of-Service signaling attack is directed at the device.
2. The method as in claim 1 further comprising preventing malicious traffic intended for the mobile device from reaching the device when the generated ratio equals or exceeds the threshold reference ratio.
3. The method as in claim 1 wherein the network is selected from the group comprising a UMTS or CDMA2000 network.
4. The method as in claim 1 further comprising generating the signaling cost from traffic arrival patterns.
5. The method as in claim 1 wherein the traffic level is a relatively low volume of data.
6. A method for detecting a denial-of-service (DoS) attack in a wireless network, comprising:
(a) generating a statistical measure characterizing a relationship between signaling cost and actual data transmitted to or from at least one mobile during normal operation of the wireless network;
(b) comparing the statistical measure to a current measure; and (c) detecting a DoS attack if the current measure differs from the statistical measure by more than a threshold.
7. The method as in claim 6, wherein the statistical measure is based on a ratio of the signaling cost within a specified time interval to an amount of actual data transmitted to or from the at least one mobile within a specified time interval.
8. The method as in claim 7 further comprising estimating the ratio based on a traffic arrival pattern.
9. A 3G wireless network comprising: one or more access nodes adapted to provide access between the wireless network and an Internet; one or more radio network controllers (RNCs) adapted to communicate with the access node; one or more base stations for each RNC adapted to communicate with an RNC and with one or more mobile units; and an architecture adapted to:
(a) generate a statistical measure characterizing a relationship between signaling cost and actual data transmitted to or from at least one mobile during normal operations of the wireless network;
(b) compare the statistical measure to a current measure; and
(c) detect a DoS attack if the current measure differs from the statistical measure by more than a threshold.
10. A device for detecting a Denial-of-Service signaling attack against a 3G wireless network comprising: a database operable to store mobile information; a profiler operable to generate a traffic profile for the mobile associated with non-attack conditions, based on the stored information; and a detector operable to detect an attack by comparing a traffic arrival rate associated with the mobile with a threshold associated with the at least the generated mobile profile.
PCT/US2006/010108 2005-03-31 2006-03-21 Methods and devices for defending a 3g wireless network against a signaling attack WO2006104752A1 (en)

Priority Applications (4)

Application Number Priority Date Filing Date Title
KR1020127019442A KR101259775B1 (en) 2005-03-31 2006-03-21 Methods and devices for defending a 3g wireless network against a signaling attack
EP06739051A EP1864471B1 (en) 2005-03-31 2006-03-21 Methods and devices for defending a 3g wireless network against a signaling attack
KR1020077022059A KR101235099B1 (en) 2005-03-31 2006-03-21 Methods and devices for defending a 3g wireless network against a signaling attack
JP2008504141A JP4994359B2 (en) 2005-03-31 2006-03-21 Method and apparatus for protecting 3G wireless networks from signaling attacks

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
US11/094,416 2005-03-31
US11/094,416 US20060230450A1 (en) 2005-03-31 2005-03-31 Methods and devices for defending a 3G wireless network against a signaling attack

Publications (1)

Publication Number Publication Date
WO2006104752A1 true WO2006104752A1 (en) 2006-10-05

Family

ID=36579743

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/US2006/010108 WO2006104752A1 (en) 2005-03-31 2006-03-21 Methods and devices for defending a 3g wireless network against a signaling attack

Country Status (6)

Country Link
US (1) US20060230450A1 (en)
EP (1) EP1864471B1 (en)
JP (1) JP4994359B2 (en)
KR (2) KR101259775B1 (en)
CN (1) CN101151868A (en)
WO (1) WO2006104752A1 (en)

Cited By (9)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
WO2007075423A2 (en) 2005-12-19 2007-07-05 Lucent Technologies Inc. Methods and devices for defending a 3g wireless network against malicious attacks
JP2010514248A (en) * 2006-12-19 2010-04-30 ケイ ティー コーポレイション Intrusion prevention apparatus and method for point-to-point tunneling communication
CN101803416A (en) * 2007-09-28 2010-08-11 朗讯科技公司 The IP layer service in the related UMTS/GSM network and the method and system of radio layer unit
JP2012253800A (en) * 2006-10-30 2012-12-20 Interdigital Technology Corp Method and apparatus for performing tracking area update and cell reselection in long term evolution system
EP2717504A1 (en) * 2012-06-13 2014-04-09 Huawei Technologies Co., Ltd Method and apparatus for analyzing signaling traffic
WO2014079960A1 (en) * 2012-11-22 2014-05-30 Koninklijke Kpn N.V. System to detect behaviour in a telecommunications network
KR101444899B1 (en) * 2012-07-12 2014-09-26 건국대학교 산학협력단 Detection System and Method for DCH starvation DoS attack in 3G
EP3272075A4 (en) * 2015-03-18 2018-12-05 Hrl Laboratories, Llc System and method to detect attacks on mobile wireless networks based on network controllability analysis
EP3595257A1 (en) * 2018-07-10 2020-01-15 Nokia Solutions and Networks Oy Detecting suspicious sources, e.g. for configuring a distributed denial of service mitigation device

Families Citing this family (22)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
EP1771021A1 (en) * 2005-09-29 2007-04-04 Telefonaktiebolaget LM Ericsson (publ) A method and apparatus for allocation of radio resources
DE102006052709B3 (en) * 2006-11-08 2008-06-19 Siemens Ag Arrangement and method for regulating data transmission in a network
KR100889670B1 (en) * 2007-08-08 2009-03-19 삼성에스디에스 주식회사 Method for preventing tcp-based denial-of-service attacks on mobile devices
US9009828B1 (en) 2007-09-28 2015-04-14 Dell SecureWorks, Inc. System and method for identification and blocking of unwanted network traffic
US20090113039A1 (en) * 2007-10-25 2009-04-30 At&T Knowledge Ventures, L.P. Method and system for content handling
US20090209291A1 (en) * 2008-02-19 2009-08-20 Motorola Inc Wireless communication device and method with expedited connection release
KR101301315B1 (en) * 2008-10-30 2013-08-29 닛본 덴끼 가부시끼가이샤 Communication method with user equipment and h(e) nb for minimizing access network extension impact
US8688826B2 (en) * 2009-11-30 2014-04-01 Motorola Mobility Llc Mobile computing device and method with intelligent pushing management
US8745188B2 (en) 2010-06-07 2014-06-03 Novell, Inc. System and method for managing changes in a network datacenter
WO2012166194A1 (en) * 2011-06-01 2012-12-06 Hewlett-Packard Development Company, L.P. Network asset information management
CN103733567B (en) * 2011-08-10 2016-10-12 国际商业机器公司 Nms
KR101149587B1 (en) * 2011-10-31 2012-05-29 한국인터넷진흥원 Method for detecting signaling dos traffic in 3g wcdma networks
CN103988534B (en) * 2011-12-12 2018-09-11 瑞典爱立信有限公司 Method for detecting the lasting Malware on network node
CN103906094B (en) * 2012-12-24 2017-10-17 中国电信股份有限公司 EVDO control channel resource occupation acquisition methods and system
KR101725129B1 (en) * 2013-02-22 2017-04-10 한국전자통신연구원 Apparatus for analyzing vulnerableness of wireless lan
CN104125571A (en) * 2014-07-03 2014-10-29 北京大学 Method for detecting and suppressing pseudo-base station
US10193922B2 (en) * 2015-01-13 2019-01-29 Level 3 Communications, Llc ISP blacklist feed
CN104880056B (en) * 2015-06-23 2017-12-08 湖州师范学院 The method of controlling security of the drying of wood based on snort
US10432650B2 (en) 2016-03-31 2019-10-01 Stuart Staniford System and method to protect a webserver against application exploits and attacks
CN109922075B (en) * 2019-03-22 2020-06-02 中国南方电网有限责任公司 Network security knowledge graph construction method and device and computer equipment
CN112448894B (en) * 2019-09-03 2022-08-19 华为技术有限公司 Method, device, equipment and storage medium for blocking signaling storm
CN113727348B (en) * 2020-05-12 2023-07-11 华为技术有限公司 Method, device, system and storage medium for detecting user data of User Equipment (UE)

Citations (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20030217283A1 (en) 2002-05-20 2003-11-20 Scott Hrastar Method and system for encrypted network management and intrusion detection

Family Cites Families (8)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
ATE498270T1 (en) * 2000-05-12 2011-02-15 Niksun Inc SECURITY CAMERA FOR A NETWORK
US7707305B2 (en) * 2000-10-17 2010-04-27 Cisco Technology, Inc. Methods and apparatus for protecting against overload conditions on nodes of a distributed network
US7092357B1 (en) * 2001-11-13 2006-08-15 Verizon Services Corp. Anti-flooding flow-control methods and apparatus
KR100427449B1 (en) * 2001-12-14 2004-04-14 한국전자통신연구원 Intrusion detection method using adaptive rule estimation in nids
CA2414789A1 (en) * 2002-01-09 2003-07-09 Peel Wireless Inc. Wireless networks security system
JP3923346B2 (en) * 2002-03-29 2007-05-30 京セラ株式会社 Wireless communication device
KR100480258B1 (en) * 2002-10-15 2005-04-07 삼성전자주식회사 Authentication method for fast hand over in wireless local area network
US7463590B2 (en) * 2003-07-25 2008-12-09 Reflex Security, Inc. System and method for threat detection and response

Patent Citations (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20030217283A1 (en) 2002-05-20 2003-11-20 Scott Hrastar Method and system for encrypted network management and intrusion detection

Non-Patent Citations (2)

* Cited by examiner, † Cited by third party
Title
HUANG ET AL.: "Countering Denial-of-Service Attacks Using Congestion Triggered Packet Sampling and Filtering", COMPUTER COMMUNICATIONS AND NETWORKS 2001, PROCEEDINGS. TENTH INTERNATIONAL CONFERENCE ON 15-17 OCT 2001, 15 October 2001 (2001-10-15), pages 490 - 494
YIH HUANG ET AL: "Countering denial-of-service attacks using congestion triggered packet sampling and filtering", COMPUTER COMMUNICATIONS AND NETWORKS, 2001. PROCEEDINGS. TENTH INTERNATIONAL CONFERENCE ON 15-17 OCT. 2001, PISCATAWAY, NJ, USA,IEEE, 15 October 2001 (2001-10-15), pages 490 - 494, XP010562136, ISBN: 0-7803-7128-3 *

Cited By (19)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US8965334B2 (en) 2005-12-19 2015-02-24 Alcatel Lucent Methods and devices for defending a 3G wireless network against malicious attacks
EP1964366A2 (en) * 2005-12-19 2008-09-03 Lucent Technologies Inc. Methods and devices for defending a 3g wireless network against malicious attacks
JP2012227964A (en) * 2005-12-19 2012-11-15 Alcatel-Lucent Usa Inc Methods and devices for defending 3g wireless network against malicious attacks
WO2007075423A2 (en) 2005-12-19 2007-07-05 Lucent Technologies Inc. Methods and devices for defending a 3g wireless network against malicious attacks
EP1964366B1 (en) * 2005-12-19 2017-04-12 Alcatel-Lucent USA Inc. Methods and devices for defending a 3g wireless network against malicious attacks
JP2012253800A (en) * 2006-10-30 2012-12-20 Interdigital Technology Corp Method and apparatus for performing tracking area update and cell reselection in long term evolution system
US9860817B2 (en) 2006-10-30 2018-01-02 Interdigital Technology Corporation Method and apparatus for implementing tracking area update and cell reselection in a long term evolution system
JP2010514248A (en) * 2006-12-19 2010-04-30 ケイ ティー コーポレイション Intrusion prevention apparatus and method for point-to-point tunneling communication
CN101803416A (en) * 2007-09-28 2010-08-11 朗讯科技公司 The IP layer service in the related UMTS/GSM network and the method and system of radio layer unit
US9763109B2 (en) 2012-06-13 2017-09-12 Huawei Technologies Co., Ltd. Method and apparatus for analyzing signaling traffic
EP2717504A4 (en) * 2012-06-13 2014-10-01 Huawei Tech Co Ltd Method and apparatus for analyzing signaling traffic
EP2717504A1 (en) * 2012-06-13 2014-04-09 Huawei Technologies Co., Ltd Method and apparatus for analyzing signaling traffic
KR101444899B1 (en) * 2012-07-12 2014-09-26 건국대학교 산학협력단 Detection System and Method for DCH starvation DoS attack in 3G
WO2014079960A1 (en) * 2012-11-22 2014-05-30 Koninklijke Kpn N.V. System to detect behaviour in a telecommunications network
EP3474589A1 (en) * 2012-11-22 2019-04-24 Koninklijke KPN N.V. System to detect behaviour in a telecommunications network
US10924500B2 (en) 2012-11-22 2021-02-16 Koninklijke Kpn N.V. System to detect behaviour in a telecommunications network
CN104982059B (en) * 2012-11-22 2021-07-13 皇家Kpn公司 System for detecting behaviour in a telecommunications network
EP3272075A4 (en) * 2015-03-18 2018-12-05 Hrl Laboratories, Llc System and method to detect attacks on mobile wireless networks based on network controllability analysis
EP3595257A1 (en) * 2018-07-10 2020-01-15 Nokia Solutions and Networks Oy Detecting suspicious sources, e.g. for configuring a distributed denial of service mitigation device

Also Published As

Publication number Publication date
KR101235099B1 (en) 2013-02-20
CN101151868A (en) 2008-03-26
KR20070116612A (en) 2007-12-10
JP2008537385A (en) 2008-09-11
KR20120099286A (en) 2012-09-07
US20060230450A1 (en) 2006-10-12
EP1864471B1 (en) 2012-09-26
KR101259775B1 (en) 2013-05-06
EP1864471A1 (en) 2007-12-12
JP4994359B2 (en) 2012-08-08

Similar Documents

Publication Publication Date Title
EP1864471B1 (en) Methods and devices for defending a 3g wireless network against a signaling attack
EP1708538B1 (en) Detection of power-drain denial-of-service attacks in wireless networks
Lee et al. On the detection of signaling DoS attacks on 3G wireless networks
Lee et al. On the detection of signaling DoS attacks on 3G/WiMax wireless networks
Arshad et al. COLIDE: A collaborative intrusion detection framework for Internet of Things
Agarwal et al. An efficient scheme to detect evil twin rogue access point attack in 802.11 Wi-Fi networks
US8965334B2 (en) Methods and devices for defending a 3G wireless network against malicious attacks
US7398317B2 (en) Thwarting connection-based denial of service attacks
EP3404949B1 (en) Detection of persistency of a network node
Malekzadeh et al. Validating Reliability of OMNeT++ in Wireless Networks DoS Attacks: Simulation vs. Testbed.
Seth et al. Denial of service attacks and detection methods in wireless mesh networks
CN102238049A (en) Method for detecting denial of service (DoS) attacks in media access control (MAC) layer
Hafiz et al. Profiling and mitigating brute force attack in home wireless LAN
Wu et al. Defending against DoS attacks on 3G cellular networks via randomization method
Khan et al. Real-time cross-layer design for a large-scale flood detection and attack trace-back mechanism in IEEE 802.11 wireless mesh networks
Rachedi et al. Impacts and solutions of control packets vulnerabilities with IEEE 802.11 MAC
Kumar et al. An analysis of tcp syn flooding attack and defense mechanism
Ettiane et al. Protection mechanisms for signaling dos attacks on 3g mobile networks: Comparative study and future perspectives
Anto et al. A survey on DoS attacks and detection schemes in wireless mesh Networks
Joe Sctp with an improved cookie mechanism for mobile ad-hoc networks
Pacherkar et al. PROV5GC: Hardening 5G Core Network Security with Attack Detection and Attribution Based on Provenance Graphs
Mishra et al. A Novel Approach for Detection and Prevention of DOS Attack in Wireless Mesh Network
Park et al. Design of detection system against the denial of service attack in 3G1x system
Santhanam et al. Selfishness and Security Schemes for Wireless Mesh Network
Anto et al. A Survey on DoS Attacks and Detection

Legal Events

Date Code Title Description
WWE Wipo information: entry into national phase

Ref document number: 200680010186.2

Country of ref document: CN

121 Ep: the epo has been informed by wipo that ep was designated in this application
WWE Wipo information: entry into national phase

Ref document number: 2006739051

Country of ref document: EP

WWE Wipo information: entry into national phase

Ref document number: 1020077022059

Country of ref document: KR

ENP Entry into the national phase

Ref document number: 2008504141

Country of ref document: JP

Kind code of ref document: A

NENP Non-entry into the national phase

Ref country code: DE

NENP Non-entry into the national phase

Ref country code: RU

WWE Wipo information: entry into national phase

Ref document number: 1020127019442

Country of ref document: KR