WO2016114690A1 - Methods and nodes for protection of radio access networks - Google Patents


Info

Publication number
WO2016114690A1
Authority
WO
WIPO (PCT)
Application number
PCT/SE2015/050016
Other languages
French (fr)
Inventor
Michael Liljenstam
Oscar Ohlsson
Prajwol KUMAR NAKARMI
Original Assignee
Telefonaktiebolaget Lm Ericsson (Publ)

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04W WIRELESS COMMUNICATION NETWORKS
    • H04W 48/00 Access restriction; Network selection; Access point selection
    • H04W 48/02 Access restriction performed under specific conditions
    • H04W 12/00 Security arrangements; Authentication; Protecting privacy or anonymity
    • H04W 12/12 Detection or prevention of fraud
    • H04W 12/126 Anti-theft arrangements, e.g. protection against subscriber identity module [SIM] cloning
    • H04W 72/00 Local resource management
    • H04W 74/00 Wireless channel access, e.g. scheduled or random access
    • H04W 74/002 Transmission of channel access control information
    • H04W 74/008 Transmission of channel access control information with additional processing of random access related information at receiving side


Abstract

The disclosure relates to a method performed in a first node (12, 21) of a radio access network (20). The method comprises receiving, from an access node (11) of the radio access network (20), a channel required message; establishing, based on at least one information element of the channel required message, that the information element deviates from an expected behavior of such information elements; and rejecting a channel request related to the channel required message. A method performed in a second node is also provided, as are nodes, computer programs and computer program products.

Description

Methods and nodes for protection of radio access networks
Technical field
The technology disclosed herein relates to methods performed in a first node and a second node of a radio access network, to a first node and a second node for a radio access network, and to corresponding computer programs and computer program products.
Background
Ensuring security of a radio access network infrastructure is important and has been receiving increased attention. One type of attack against a radio access network (RAN) is radio jamming, wherein for instance noise is sent at high power, effectively preventing use of a certain frequency band. Another type of attack is flooding the initial random access procedure, resulting in Denial-of-Service (DoS) for subscribers in the RAN. In such a flooding attack, random access requests are sent repeatedly to exhaust the available signaling channel resources, thereby blocking legitimate users from allocating channels. This type of attack is somewhat more sophisticated than radio jamming in that it requires fewer transmissions and potentially less power, and might therefore be more difficult to detect.
In general, it is difficult to provide protection against this type of attack, as well as other types of attacks, and there is a need for improved protection mechanisms.
Summary
An objective of the present invention is to solve or at least alleviate at least one of the above-mentioned problems.
The objective is according to a first aspect achieved by a method performed in a first node of a radio access network. The method comprises receiving, from an access node of the radio access network, a channel required message; establishing, based on at least one information element of the channel required message, that the information element deviates from an expected behavior of such information elements; and rejecting a channel request related to the channel required message.
The method enables protection of the availability of network services against faulty terminals, e.g., terminals having a faulty random access behavior, and also against intentional attacks consuming or occupying the network resources through random access requests. By reducing the risk of random access flooding attacks, an improved subscriber experience is achieved in that access to the network is ensured for the subscribers.
The objective is according to a second aspect achieved by a computer program for a first node of a radio access network. The computer program comprises computer program code, which, when executed on at least one processor on the first node causes the first node to perform the method as above.
The objective is according to a third aspect achieved by a computer program product comprising a computer program as above and a computer readable means on which the computer program is stored.
The objective is according to a fourth aspect achieved by a first node for a radio access network. The first node is configured to receive, from an access node of the radio access network, a channel required message; to establish, based on at least one information element of the channel required message, that the information element deviates from an expected behavior of such information elements; and to reject a channel request related to the channel required message.
The objective is according to a fifth aspect achieved by a method performed in a second node of a radio access network. The method comprises receiving, from a mobile terminal, a channel request message; establishing, based on information in or relating to the channel request message or a related channel required message, that the information deviates from an expected behavior of such information, and rejecting the channel request message.
The objective is according to a sixth aspect achieved by a computer program for a second node of a radio access network. The computer program comprises computer program code, which, when executed on at least one processor on the second node causes the second node to perform the method as above.
The objective is according to a seventh aspect achieved by a computer program product comprising a computer program as above and a computer readable means on which the computer program is stored. The objective is according to an eighth aspect achieved by a second node for a radio access network. The second node is configured to: receive, from a mobile terminal, a channel request message; establish, based on information in or relating to the channel request message or a related channel required message, that the information deviates from an expected behavior of such information; and reject the channel request message.
Further features and advantages of the present invention will become clear upon reading the following description and the accompanying drawings.
Brief description of the drawings
Figure 1a illustrates frame structures in GSM. Figure 1b illustrates contents of an access burst.
Figure 2 illustrates signaling in a wireless network at initial access to the RAN. Figure 3 illustrates the content of a request reference information element. Figure 4 illustrates the content of an access delay information element. Figure 5 illustrates an embodiment of the invention. Figure 6 illustrates a train-test loop.
Figure 7 is a flowchart illustrating an embodiment of the invention.
Figure 8 illustrates determination of periodicity in accordance with an embodiment of the invention.
Figures 9a, 9b and 9c are flow charts illustrating tracking of resource utilization.
Figure 10 illustrates how to combine various embodiments of the invention.
Figure 11 illustrates an embodiment of the invention.
Figures 12a and 12b illustrate embodiments of the invention.
Figure 13 is a flow chart over steps of a method in a first node in accordance with an embodiment of the invention. Figure 14 illustrates schematically a node and means for implementing embodiments of the invention.
Figure 15 is a flow chart over steps of a method in a second node in accordance with embodiments of the invention.
Detailed description
In the following description, for purposes of explanation and not limitation, specific details are set forth such as particular architectures, interfaces, techniques, etc. in order to provide a thorough understanding. In other instances, detailed descriptions of well-known devices, circuits, and methods are omitted so as not to obscure the description with unnecessary detail. Same reference numerals refer to same or similar elements throughout the description.
In order to provide a thorough understanding of the present disclosure, some description of frame structure and random access procedure in a Global System for Mobile Communications (GSM) network is initially given with reference to figures 1a, 1b, 2, 3 and 4. GSM is an example of a type of radio access network technology which may be subject to the attacks described in the background section, and will be used as an example in the following description for describing embodiments of the present invention.
Figure 1a illustrates frame structures of time division multiple access (TDMA) technology. GSM, for instance, uses TDMA as channel access method. In GSM, the fundamental unit of time is called a time slot 1 which has a duration of 576.9 μs. Eight such time slots constitute a TDMA frame 2, and a traffic multiframe 3 in turn comprises 26 TDMA frames, while a control multiframe 4 comprises 51 TDMA frames. A superframe 5 comprises 51 traffic multiframes 3 or 26 control multiframes 4. A hyperframe 6 is the longest recurrent time period, comprises 2048 superframes 5, and has a duration of 12,533.76 s.
The physical content of a time slot 1 is called a burst, and eight of these bursts constitute the TDMA frame 2 which has a duration of 4.62 ms. One burst period allocated in each TDMA frame 2 is known as a physical channel. An access burst is one of four types of bursts in GSM and is used for random access. Figure 1b illustrates contents of the access burst. In particular, it comprises: tail bits (TB) (8 bits), a synchronization sequence (41 bits), data (36 bits), tail bits (3 bits) and a guard period (GP) (68.25 bits).
Figure 2 illustrates signaling in a wireless network at initial access to the RAN. In GSM, the random access procedure is used by mobile terminals (MTs) 10 to request a dedicated channel from a base transceiver station (BTS) 11, e.g., at call setup. It is noted that the MTs may alternatively be denoted, e.g., as mobile stations (MSs) (used in GSM) or user equipment (UE) (used in UMTS and LTE). The MT may, e.g., be an MS, a UE, a smartphone, a mobile phone, a tablet computer etc.
At arrow Ai, the MT 10 sends a channel request message to the BTS 11 on a Random Access Channel (RACH), thereby requesting a channel. The channel request message (CHAN REQ) comprises a general description of the reason for the channel request (e.g., answer to paging, location update, emergency call etc.) and a reference number for identification (denoted random reference number). If two MTs request a channel at the same time, and the BTS 11 responds to both of them, the random reference number allows the MT 10 to identify the correct response. The random reference number comprises randomly chosen bits.
The channel request message is passed down to a physical layer and is transmitted in one of the time slots and on the frequency configured for RACH. The resulting access burst only occupies part of the timeslot (about 577 μs); the remaining guard period guarantees that the access burst does not fall outside the time slot when the MT 10 is located far away from the BTS 11. Based on the position of the access burst within the time slot, the BTS 11 can calculate the distance to the MT 10, and a corresponding timing advance (TA) is signaled to the MT 10 for final synchronization.
When the BTS 11 receives the channel request message from the MT 10, it determines the frame number (FN) in which the access burst was sent over the air interface (Um) as well as the distance to the MT 10 and the corresponding timing advance (TA). This information, together with the information in the channel request message (the establishment cause and the random reference number), is then forwarded over the Abis interface by the BTS 11 to the base station controller (BSC) 12 in a channel required message (CHAN RQD), indicated at arrow A2.
Upon receiving the channel required message, the BSC 12 configures a dedicated channel with the BTS 11, and reserves the necessary radio resources. This involves additional signaling between the BSC 12 and the BTS 11, which is not shown in figure 2. If the channel setup is successful, the channel configuration, e.g., timeslot, carrier frequency, etc., is signaled from the BSC 12 to the BTS 11 in an immediate assignment command (arrow A3). When the immediate assignment command is sent to the BTS 11, the BSC 12 also starts a timer (T3101). If the timer expires and the reserved channel has not been taken into use, the BSC 12 releases the channel at the BTS 11. Such a timer may for instance be set to three (3) seconds, but is in general configured by an operator of the radio access network.
At arrow A4, the BTS 11 forwards the channel configuration that it received in the immediate assignment command to the MT 10 in an immediate assignment message.
It is noted that the signaling of figure 2 is illustrated in a simplified form, and other signaling, e.g., paging performed by the BTS 11 prior to the MT 10 sending the channel request, is omitted.
Table 1 below comprises the information elements in the channel required message sent from the BTS 11 to the BSC 12. Information elements of particular interest for various embodiments of the present disclosure are the request reference and the access delay. The request reference information element comprises both the frame number in which the access burst was sent and the random reference number chosen randomly by the MT 10. The access delay information element comprises the timing advance calculated by the BTS 11.
(Table 1: information elements of the channel required message)
Figure 3 illustrates the content of the information element request reference of the channel required message. The first octet is an element identifier, and the second octet comprises the Random Access (RA) value sent by the MT 10 in the channel request message. Typically, the contents of this field are coded in a similar manner as in the channel request message.
The third and fourth octets comprise the "absolute frame number modulo 42432" for the frame number when the access burst was received in the BTS 11. The T1' field of the second octet is coded as a binary representation of "(FN div 1326) mod 32". The T3 field of the third and fourth octet is coded as a binary representation of "FN mod 51". The T2 field of the fourth octet is coded as the binary representation of "FN mod 26".
The absolute frame number (FN) is calculated as: FN = 51 × ((T3 − T2) mod 26) + T3 + 51 × 26 × T1'
The channel required message hence comprises random access information from the channel request message, which comprises a random bit sequence chosen by the MT 10 (the random reference number).
Figure 4 illustrates the content of the information element access delay of the channel required message. The information element access delay comprises the delay of the access burst (i.e., the corresponding channel request message) as measured by the BTS 11 at the random access procedure. The delay is expressed as defined for the Timing Advance (TA) in 3GPP standards but with the range extended to eight (8) bits.
Briefly, the present disclosure provides methods and mechanisms to detect and mitigate certain forms of random access channel flooding attacks, in particular in GSM networks. The present disclosure describes means for detecting and mitigating effects of intentionally malicious signaling on, e.g., the Random Access Channel (RACH) of GSM as well as for signaling that is unintentionally problematic on the RACH, e.g., a device unintentionally deviating from an expected behavior.
Various examples are given for unexpected behavior (and hence also for expected behavior), i.e., a device that fails to conform to technical specifications relating to its wireless communications, and more particularly deviations from expected behavior relating to random access requests. The present disclosure describes several ways of establishing an unexpected behavior of messages in a random access procedure. Below, a few such ways are summarized:
1. Detecting periodicities in requests on the random access channel. Finding a periodicity in channel request messages and/or in related channel required messages indicates specification-violating behavior, and indicates one form of implementation of an intentional attack. A method for suppressing such identified channel request/channel required patterns is provided.
2. Detecting abnormal patterns, for instance repetitions, in the random reference numbers. Such repetitions would be in violation of specifications. A method for suppressing such messages is provided.
3. Detecting and suppressing abnormal, in particular excessive, rates of requests originating at a specific distance, using access delay information.
4. Searching for lack of utilization of allocated dedicated signaling resources from random access requests as an indicator of malicious or abnormal activity. For suppression this is combined with one or more of aspects under point 1, 2 and 3 (periodicities, random reference values, or delay information) to find a discernable pattern.
5. In various embodiments, two or more of aspects 1, 2, 3, and 4 may be combined in different ways in order to detect and suppress abnormal random access requests.
Figure 5 illustrates a first environment implementing embodiments of the present disclosure. A radio access network 20 comprises a BTS 11, a BSC 12 and a number of mobile terminals 10. As has been described, it is desirable to establish whether there are MTs 10 that are misbehaving, either unintentionally, e.g., due to malfunctioning, or intentionally, thereby disturbing the radio access network 20. It is noted that other types of attack devices than mobile terminals may be used to intentionally prevent legitimate users from obtaining access to the services provided by the radio access network 20. The present disclosure provides a security function 21 for identifying such MTs 10 having a behavior deviating from an expected behavior, i.e., MTs 10 that do not follow the technical specifications of the radio access network 20. The security function 21 may be arranged in various different ways: it may be integrated into the BTS 11 (see figures 12a and 12b), integrated with the BSC 12 (see figure 11), or be a standalone device. In the embodiment illustrated in figure 5, the security function 21 is implemented as a standalone device, in this context also denoted security node 21 or control node, and is arranged in line and transparent between the BTS 11 and the BSC 12. The security node 21 is interconnected with the BTS 11 and with the BSC 12, e.g., by means of cables, and is able to communicate with both of them.
The security function 21 may be implemented in various ways, as will be described below, but comprises a message discriminator function 23, a detection function 24 and an action function 25. The message discriminator 23 may identify a certain type of message or a set of messages which is/are to be analyzed for detecting an unexpected behavior. The detection function 24 comprises different ways of finding the unexpected behavior. The detection tools of the detection function 24 comprise the ways of establishing unexpected behavior briefly described earlier: a periodicity detector (in particular a frame number periodicity detector), a random access (RA) detector, an access delay (AD) detector and a usage detector. A correlator is also illustrated as comprised in the detection function 24. The correlator illustrates the combining of the different ways of establishing the unexpected behavior. Based on the output of the detection function 24, some action can be taken, indicated at action function 25. For instance, if the detection function 24 has identified a certain message or sequence of messages to be following the required specifications, then the action may be that the message/sequence of messages is allowed. If a certain message or sequence of messages shows an unexpected behavior, then they may be dropped and not handled further by the network nodes.
The earlier mentioned ways of establishing an unexpected behavior of messages, or of information elements/information fields thereof, are described in more detail in the following.
FN periodicity
As mentioned earlier, the frame number (FN) is calculated using the fields in the Request Reference Information Element of the channel required message. A motivation for using the periodicity of FN is that if channel request messages are repeatedly sent, e.g., since an attack tool implements a loop that repeatedly sends channel request messages, it is highly probable that there will be an approximately constant time interval between two consecutive channel request messages. This will result in the FNs being approximately equally spaced between each pair of consecutive channel request messages. Figure 6 illustrates a training-test loop. In particular, figure 6 shows continuous Train and Test loops being executed in specified windows, in particular time windows. Such a window is illustrated at the leftmost side of figure 6 by the arrow denoted "Window", which covers part of a contiguous sequence of frames with random access slots that may or may not contain requests. The window, i.e., the duration of the training, may be specified in terms of time or in terms of number of messages, the rectangles thus representing either time units or number of messages.
During a first training window (Train 1) a number of channel required messages are observed. Then, during a test window (Test 2), it is determined whether or not the channel required messages that have been observed are periodic in the frame numbers. This loop is then repeated (Train 3 and Test 4; Train 5 and Test 6 etc.). It is noted that in some embodiments, wherein the security function 21 is implemented in the BTS 11, the channel request messages may be used instead, i.e., observed in order to detect periodicities in frame number.
If the frame numbers of two consecutive channel request messages, first and second messages, are separated by a certain period, and this period appears again between the second and a third message, and so on, a channel request repeatedly sent by an MT/attack tool 10 may be suspected.
Figure 7 is a flowchart illustrating an aspect of the present disclosure. In particular, figure 7 is a flow chart exemplifying the above suggested detection of periodicity of random access requests or related channel required messages. The flow is described using channel required messages, but it is noted that channel request messages may also be used in corresponding manner. The detection procedure 100 starts at box 101, in which a channel required message is received (in the security function 21 or in the BSC 12) or created (in the BTS 11). The channel required message may comprise a time stamp (ts) and a frame number (here, fn).
In box 102, if a list of frame number, fn_list, is empty, then flow continues to box 106, in which the time stamp ts of the current channel required message is set to be the initial time stamp, ts_start. If in box 102, it is determined that there is a non-empty fn_list, then the flow continues to box 103. In box 103, it is checked whether the difference ts-ts_start is larger than the selected window. If no, then the detection procedure 100 is in a training period, and flow continues to box 107. If yes, then flow continues to box 104.
In box 104, a period and a reference frame number are to be found in the fn_list. The period may be determined for instance by using circular autocorrelation. A correlation calculated between a series and a lagged version thereof is called autocorrelation. Autocorrelation may be used for correlating a signal/series with itself, which can be used for finding repeating patterns. The correlation is performed with the same series used once in its original form and once in a lagged form. When the left end of the original series overlaps with the right end of the lagged version and vice versa, the autocorrelation is called circular autocorrelation.
Figure 8 illustrates use of circular autocorrelation for determining the mentioned period (if any) in a sequence of frame numbers, i.e. the fn_list. In order to allow for some jitter added to the periodicity, periodicity may be determined to exist if the frame number is within a given distance from a multiple of the period starting from a reference frame number. In the determination, a correlation coefficient may be used, i.e., a coefficient expressing the strength of the correlation. Thresholds may be set for the correlation: "Threshold high" (strong correlation) and "Threshold low" (weak correlation). The "Threshold high" may be seen as a threshold above which it can be assumed that there exists a periodicity of frame numbers (with high certainty). If the correlation coefficient is below "Threshold low", then it may be assumed that there is no periodicity among the frame numbers, while a correlation coefficient at least as high as "Threshold low" may indicate that there is a periodicity, and that it could be worthwhile using another detection tool in addition, e.g., access delay. As a particular example, Pearson correlation coefficients may be used, "Threshold high" may be set equal to 0.9, and "Threshold low" may be set equal to 0.2. The period that is searched for may then be set equal to the first lag (in frame numbers) having a correlation coefficient higher than 0.9. If no such period is found, then the period searched for may be set equal to the first lag having a correlation coefficient higher than 0.2. If there is no period fulfilling any of these criteria, then the search resulted in no found period. As for finding the reference frame number, the frame number of the current channel required message may be set equal to the last noted frame number upon receipt thereof. A certain number of counts of frame numbers may be required, e.g., three frame number counts during the training window.
If there are the required count of frame numbers within the window, then a reference frame number is set equal to the current frame number, i.e., equal to the frame number of the channel required message at hand. If not, the search resulted in no found reference frame number.
For instance, in the example of figure 8, for a sequence of frame numbers 5, 8, 11, 14, 17, a period of three (3) can be detected based on correlation coefficients. The diagram at the right-hand side of figure 8 shows an Autocorrelation Function (ACF) plot of the series illustrated in the table on the left-hand side. At 0 along the horizontal axis (x-axis), the correlation coefficient is equal to +1, which corresponds to the case of no lag. At 3 along the x-axis, the correlation coefficient is above +0.5, which indicates that there is a period equal to 3. This can also be seen in the table. At x=6, the correlation coefficient is again equal to approximately +0.5, which is expected as 6 is a multiple of 3. The period is seen again at x=9, although the correlation coefficient has a somewhat lower value.
Returning to figure 7, from box 104, flow then continues to box 105, in which the fn_list is emptied. From box 105, the flow continues to box 106, in which ts_start is set equal to the time stamp ts of the current channel required message. The flow then continues to box 107.
In box 107, if the fn_list is empty, then the frame number of the channel required message is added to the fn_list, and the current frame number becomes the first entry of the fn_list. If the fn_list is not empty, then the frame number of the channel required message is added to the fn_list, possibly removing the oldest entry of the fn_list.
In box 108, if no period and reference frame number have been found, then the channel required message is allowed (box 111), as no periodicity was found and hence no deviating behavior. If a period and reference frame number were found, then the flow continues to box 109. In box 109, it is determined whether the frame number is periodic with respect to the reference frame number. If no, then the channel required message is again allowed (box 111), else the channel required message is, for instance, dropped (box 110). The channel request message may be dropped, e.g., by ignoring it and doing nothing in response thereto. The channel request message may also be dropped by rewriting it to an empty message, thereby dropping the content thereof. The determination as to whether the current frame number is periodic with reference to the reference frame number may be done by determining if the frame number of the channel required message is within a given distance from a multiple of the period starting from the reference frame number. For instance, if the current frame number is within the interval [reference frame number + n*period − allowed jitter, reference frame number + n*period + allowed jitter], wherein n is an integer and n*period hence a multiple of the period, then a periodicity for the current frame number is detected.
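As an added worked example, not part of the patent text, the following Python implements the procedure of boxes 101 to 111: decoding FN from the T1', T2 and T3 fields, a per-window histogram of frame numbers, circular autocorrelation with the 0.9 and 0.2 thresholds, a reference frame needing three requests one period apart, and the drop/allow decision using the n*period test with an allowed drift of 3 frames. The class and function names, the unwrapping of FN across the 42432 modulus, and the constructed message sample are assumptions of this example.

```python
FN_MODULUS = 32 * 51 * 26      # 42432: the request reference carries FN mod 42432
THRESHOLD_HIGH = 0.9           # correlation above this: periodicity assumed with high certainty
THRESHOLD_LOW = 0.2            # correlation below this: no periodicity
REQUIRED_REFERENCE_COUNT = 3   # requests one period apart needed to fix a reference frame
ALLOWED_DRIFT = 3              # jitter tolerated around a multiple of the period, in frames

def frame_number(t1p, t2, t3):
    """FN mod 42432 from the T1', T2 and T3 fields of the request reference IE."""
    return 51 * ((t3 - t2) % 26) + t3 + 51 * 26 * t1p

def circular_autocorrelation(series):
    """Pearson correlation of a series with each of its circular shifts (lag 0..n-1)."""
    n = len(series)
    mean = sum(series) / n
    dev = [v - mean for v in series]
    var = sum(d * d for d in dev)
    if var == 0:               # constant series: only lag 0 correlates
        return [1.0] + [0.0] * (n - 1)
    return [sum(dev[i] * dev[(i + lag) % n] for i in range(n)) / var for lag in range(n)]

def find_period(series):
    """First lag above THRESHOLD_HIGH, else first lag above THRESHOLD_LOW, else None."""
    coeffs = circular_autocorrelation(series)
    for threshold in (THRESHOLD_HIGH, THRESHOLD_LOW):
        for lag in range(1, len(coeffs)):
            if coeffs[lag] > threshold:
                return lag
    return None

class FnPeriodicityDetector:
    def __init__(self, window):
        self.window = window       # training duration, in the unit of the timestamps
        self.fn_list = []          # histogram: fn_list[fn - fn0] = requests seen in that frame
        self.fn0 = 0
        self.prev_raw_fn = None
        self.fn_offset = 0         # multiples of 42432 added so far to unwrap FN
        self.ts_start = 0.0
        self.period = self.reference = None

    def _unwrap(self, raw_fn):
        # FN arrives modulo 42432; make it monotonic so that frame gaps stay meaningful.
        if self.prev_raw_fn is not None and raw_fn < self.prev_raw_fn:
            self.fn_offset += FN_MODULUS
        self.prev_raw_fn = raw_fn
        return raw_fn + self.fn_offset

    def _add(self, fn):
        if not self.fn_list:
            self.fn_list.append(1)
            self.fn0 = fn
            return
        self.fn_list.extend([0] * max(0, 1 + fn - (self.fn0 + len(self.fn_list))))
        self.fn_list[fn - self.fn0] += 1

    def _hit_near(self, fn):
        # True if a request was seen within ALLOWED_DRIFT frames of fn in this window.
        return any(0 <= i - self.fn0 < len(self.fn_list) and self.fn_list[i - self.fn0] > 0
                   for i in range(fn - ALLOWED_DRIFT, fn + ALLOWED_DRIFT + 1))

    def _find_period_and_reference(self):
        self.period = find_period(self.fn_list)
        self.reference = None
        if self.period is None:
            return
        last_fn = self.fn0 + len(self.fn_list) - 1
        # Walk back over the last period of frames; the first frame preceded by requests one period apart becomes the reference.
        for candidate in range(last_fn, last_fn - self.period, -1):
            if all(self._hit_near(candidate - k * self.period) for k in range(REQUIRED_REFERENCE_COUNT)):
                self.reference = candidate
                return

    def _periodic_wrt_reference(self, fn):
        if self.period is None or self.reference is None:
            return False
        n = max(1, round((fn - self.reference) / self.period))   # nearest multiple of the period
        if abs(fn - (self.reference + n * self.period)) <= ALLOWED_DRIFT:
            self.reference = fn    # follow the pattern as it advances
            return True
        return False

    def on_channel_required(self, ts, raw_fn):
        """Decision ('drop' or 'allow') for one channel required message."""
        fn = self._unwrap(raw_fn)
        if not self.fn_list:
            self.ts_start = ts
        elif ts - self.ts_start > self.window:
            self._find_period_and_reference()   # test phase on the window just trained
            self.fn_list.clear()
            self.ts_start = ts                  # the next training window starts here
        self._add(fn)
        return "drop" if self._periodic_wrt_reference(fn) else "allow"

def run_sample():
    # Constructed sample: a tool requesting every 20 frames (2 frames of jitter on the last one), legitimate requests at frames 50 and 110; window 0.4 s, 4.615 ms per frame.
    detector = FnPeriodicityDetector(window=0.4)
    frames = [5, 25, 45, 50, 65, 85, 105, 110, 125, 147]
    return [(fn, detector.on_channel_required(fn * 4.615e-3, fn)) for fn in frames]
```

In the sample the first six messages train the detector, the test at frame 105 finds period 20 and reference 85, and from then on only the tool's requests are dropped while the request at frame 110 is allowed.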
The detection procedure 100 described with reference to figures 6, 7 and 8 is exemplified in pseudo code in the following:

    ts = timestamp
    fn_list = list of fn
    fn = frame number = 0
    fn0 = first fn for value in fn_list = 0
    fn_last_seen = last seen frame number = 0
    ts_start = start time = 0
    window = training duration = 1

    On reception of Channel Required message
    {
        ts = timestamp of the channel required message
        fn = 51 x ((T3 - T2) mod 26) + T3 + 51 x 26 x T1'
        if (fn < fn_last_seen)
        {
            fn += (32 x 51 x 26)        // FN is carried modulo 42432
        }
        fn_last_seen = fn
        if (fn_list is empty)
        {
            ts_start = ts
        }
        else if (ts - ts_start > window)
        {
            find_period_and_reference()
            fn_list.clear
            ts_start = ts
        }
        fn_list.add(fn)
        if (period found && reference found && periodic_wrt_reference(fn))
        {
            drop
        }
        else
        {
            allow
        }
    }

    fn_list.add(fn)
    {
        if (fn_list is empty)
        {
            fn_list.append(1)
            fn0 = fn
        }
        else
        {
            N = 1 + fn - (fn0 + fn_list.size)
            append N 0s to fn_list
            fn_list[fn - fn0]++
        }
    }

    find_period_and_reference()
    {
        THRESHOLD_HIGH = 0.9
        THRESHOLD_LOW = 0.2
        REQUIRED_REFERENCE_COUNT = 3
        SHIFT = 2
        circular autocorrelation(fn_list)
        period = first fn with corr_coeff > THRESHOLD_HIGH
        if (period is empty)
        {
            period = first fn with corr_coeff > THRESHOLD_LOW
        }
        if (period is empty)
        {
            period not found
            return
        }
        from last_fn to period-th last_fn in fn_list
        {
            if REQUIRED_REFERENCE_COUNT fns are present in period
            {
                reference = current_fn
                break
            }
        }
        if (reference is empty)
        {
            reference not found
        }
        else
        {
            period and reference found
        }
    }

    periodic_wrt_reference(fn)
    {
        ALLOWED_DRIFT = 3
        if (fn in range of (reference + period ± ALLOWED_DRIFT))
        {
            reference = fn
            return true
        }
        else
        {
            return false
        }
    }

Random Access (RA) Information Field
As described earlier, the Random Access (RA) value is the second octet of Request Reference Information Element in the channel required message. This is an 8-bit field comprising a random value, generated by the MT in the channel request message. In the 8-bit field, a few leading bits carry information, followed by random reference bits. In various embodiments of the present disclosure, the values of the RA reference are monitored. If the same RA value is detected frequently, it is highly probable that the channel required message corresponding to that RA value is part of an attack.
This basic principle may be implemented in various ways. A first alternative is to create a histogram of the random reference values and set a threshold at some margin above the mean count. Thus, extreme repetitions of the same value would lead to a histogram bin count above the threshold, which could be acted on to suppress further requests with the same value. The threshold value may be set in various other ways as well, for instance based on past experiences or simply to a value above what is seen in normal situations.
Another alternative is to use a two-step approach:
1) A statistical test, for instance Chi-square or Kolmogorov-Smirnov, may be used for determining whether there is a statistically significant deviation (at high confidence) from the expected approximate uniform distribution of reference values.
2) If the statistical test indicates a significant deviation from the mean value, a second step may be performed to identify which reference values occur more frequently than normal, and which are therefore candidates for suppression.
A particular example follows:
a) A single value may be identified as the maximum bin count of a Chi-square test or the calculated supremum in a Kolmogorov-Smirnov test. This value is selected to be suppressed and is set to be a reference value count.
b) The reference value count may be set to the mean value, and the statistical test may be repeated to determine if additional values should be suppressed. This process may be terminated when the statistical test no longer indicates a significant deviation from a uniform distribution.
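Both alternatives for the RA field (the histogram with a threshold above the mean, and the two-step Chi-square test with iterative suppression), as an added Python example that is not part of the patent. It assumes 5 low-order random bits behind the leading establishment-cause bits, and that the Chi-square critical value is supplied by the operator from a table; the sample window is constructed.

```python
"""Monitoring of the random reference (RA) values of channel request / channel
required messages.  Added example, not code from the patent.  Assumptions: 5
low-order random bits (32 values) behind the leading cause bits, and a
chi-square critical value taken from a table by the operator."""
from typing import List

RANDOM_BITS = 5
N_VALUES = 1 << RANDOM_BITS


def random_part(ra_octet: int) -> int:
    """Keep only the random reference bits of the 8-bit RA field."""
    return ra_octet & (N_VALUES - 1)


def histogram(ra_values: List[int]) -> List[int]:
    counts = [0] * N_VALUES
    for v in ra_values:
        counts[random_part(v)] += 1
    return counts


def suspicious_by_threshold(ra_values: List[int], margin: float = 3.0) -> List[int]:
    """Alternative 1: bins whose count exceeds the mean by `margin` standard deviations."""
    counts = histogram(ra_values)
    mean = sum(counts) / N_VALUES
    std = (sum((c - mean) ** 2 for c in counts) / N_VALUES) ** 0.5
    return [v for v, c in enumerate(counts) if c > mean + margin * std]


def chi_square(counts: List[int]) -> float:
    """Chi-square statistic of the counts against a uniform distribution."""
    expected = sum(counts) / len(counts)
    return sum((c - expected) ** 2 / expected for c in counts) if expected else 0.0


def suspicious_by_chi_square(ra_values: List[int], critical: float) -> List[int]:
    """Alternative 2: while the statistic exceeds the critical value, take the
    largest bin as a value to suppress, reset its count to the mean of the other
    bins and test again (steps a and b above)."""
    counts = histogram(ra_values)
    flagged: List[int] = []
    while chi_square(counts) > critical and len(flagged) < N_VALUES:
        worst = max(range(N_VALUES), key=lambda v: counts[v])
        flagged.append(worst)
        others = [c for v, c in enumerate(counts) if v != worst]
        counts[worst] = round(sum(others) / len(others))
    return flagged


CAUSE_BITS = 0b101 << RANDOM_BITS   # constructed establishment-cause prefix
# Constructed window: ten messages per random value, plus 100 extra messages
# carrying value 7 and 30 extra carrying value 20.
SAMPLE = ([CAUSE_BITS | v for v in range(N_VALUES) for _ in range(10)]
          + [CAUSE_BITS | 7] * 100 + [CAUSE_BITS | 20] * 30)
CHI2_CRITICAL_31DF = 61.1   # approx. 0.999 quantile of chi-square with 31 degrees of freedom
```

With the constructed window the threshold method at three standard deviations flags only value 7, while the iterative Chi-square method peels off 7 and then 20 before the remaining counts pass as uniform.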
Access Delay (AD)
The value of AD is specified in standards, and is typically a value between 0 and 63, corresponding to the time it takes for the signal from the MT 10 to reach the BTS 11. Each increment in the AD value represents a change of 550 meters in the distance between the MT 10 and the BTS 11. In an embodiment, this value is used to separate a misbehaving MT 10 based on the distance from the BTS 11 at which it is operating.
It is noted that if the security function 21 is implemented in the BTS (illustrated and described later with reference to figures 12a and 12b), a more accurate determination of the distance between the MT 10 and the BTS 11 may be used. For instance, the distance may be determined based on the position of the access burst within a time slot, as mentioned earlier.
The access delay as such does not indicate any violation of the specifications, i.e. there is no unexpected behavior to be deduced from the access delay as such.
Therefore, the access delay needs to be combined with other information when used as a discriminator to suppress illegitimate random access request messages or related channel required messages.
An example of such a combination is to detect anomalous rates of random access request messages (or related channel required messages) having a certain access delay. For instance, received random access request messages can be divided into groups by their access delay, and for each such group of messages a method for anomaly detection of received rates may be applied, for instance a simple threshold: if random access requests from a certain distance (as determined by the access delay) are received at a rate above a threshold rate, then random access request messages with that particular delay value may be suppressed. Ways of combining access delay with other information, e.g. to also distinguish abnormal behavior from unusual traffic load spikes (e.g. a large number of users gathering at an event), will be described later.
Utilization of allocated resources
Under normal circumstances the signaling resources, in particular the Dedicated Control Channels (DCCHs) requested through the random access procedure, will, once assigned, be used to exchange signaling messages with the radio access network 20. A foreseeable mode of resource exhaustion attack (e.g. for accomplishing denial of service, DoS), however, is to request resources and then ignore them. Thus, the radio access network 20 assigns dedicated signaling resources that are never actually used. Hence, tracking the utilization of assigned/allocated resources, in conjunction with the previously described embodiments, provides an additional indicator of attacks or misbehavior.
Figures 9a, 9b and 9c describe ways of performing such utilization tracking. The access pattern, indicated by * in figures 9a and 9b, may for instance be based on channel request messages received with the same access delay, or channel request messages or channel required messages having a periodicity, or with anomalous random reference values, as previously described. In the following, the channel request message is used for describing the procedures, but it is noted that in other embodiments channel required messages could be used instead or in addition. The channel required messages are related to the channel request messages, as they are created by the BTS in response to receiving channel request messages from the MT.
Figure 9a is a flow chart illustrating a first procedure 200 for tracking utilization of allocated signaling resources. In box 201, a channel request message is received in the BTS 11.
In box 202 the information in the channel request message may be stored. Such information may e.g. be the mentioned random reference value, detected periodicities etc.
In box 203, it is determined if the information matches an access pattern. As mentioned, the access pattern may be based on channel request messages received with the same access delay etc. If the determination results in no match, the flow ends at box 204. If the determination on the other hand results in a match, flow continues to box 205. In box 205, a counter counting channel request messages that match a certain access pattern is increased by one. Next, in box 206, a count of the number of signaling messages for this certain access pattern is retrieved (described with reference to figure 9c).
In box 207, it is determined whether or not some criterion is fulfilled that indicates that a high percentage of allocated resources are unused. An example of such a criterion is to determine if the following is true:
(number of DCCH messages) / (number of requests in pattern) < threshold
If true, then the DCCH signaling resources assigned in response to the channel request message or channel required message have not been used and flow continues to box 209. In box 209, the channel request message is therefore suppressed, and not processed further. The allocated signaling resources may be released, and flow then ends in box 210. If the outcome of the determination of box 207 is that the criterion is not fulfilled, then the channel request message is presumably not part of an attack and flow ends in box 208.
Figure 9b is a flow chart illustrating a second procedure 300 for tracking utilization of allocated signaling resources. In box 301, an assignment is observed. If the method is implemented in the BTS 11, either the immediate assignment command received from the BSC 12 or the immediate assignment message can be observed. If the method is implemented in the BSC 12, then the immediate assignment command is observed (refer to figure 2 and related description).
In box 302, it is determined if the channel request message matches a pattern. If the determination results in no match, the flow ends at box 303. If the determination on the other hand results in a match, flow continues to box 304.
In box 304, identifiers of the dedicated control channel allocated in response to the channel request message (/assignment) are stored. Flow then continues to box 305, wherein a counter of number of messages sent over the DCCH signaling channel for the channel request message is set to zero. Flow then continues to box 306. In box 306 it is established whether there is a counter for the pattern at hand. If yes, then flow ends (box 307), if no then flow continues to box 308.
In box 308, a counter is created for counting the number of messages sent over the DCCH signaling channel. The counter is also set to zero, and the flow ends in box 309.
Figure 9c is a flow chart illustrating a third procedure 400 for tracking utilization of allocated signaling resources. In box 401, DCCH messages are observed, and flow continues to box 402.
In box 402, it is determined whether there is a counter for this DCCH signaling channel. If no, the flow ends in box 403. If yes, flow continues to box 404.
In box 404, since there is a counter of messages sent over this DCCH signaling channel, the counter is increased. Flow then continues to box 405.
In box 405, it is determined if there exists a counter for this pattern (which counter is created according to the second procedure 300 of figure 9b). If there is no such counter, then the flow ends in box 406. If yes, flow continues to box 407.
In box 407, the counter of DCCH messages for this pattern is incremented, and flow ends in box 408. This is repeated for each DCCH message.
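The three procedures of figures 9a, 9b and 9c as one bookkeeping class, added here as a Python example that is not part of the patent: pattern keys, DCCH identifiers, the threshold and the minimum request count before a pattern is judged are assumptions (the last one is an added safeguard, since with zero observed DCCH messages the ratio of box 207 is trivially below any threshold for the first request of a pattern).

```python
"""Utilization tracking of allocated DCCH resources per access pattern
(figures 9a, 9b, 9c).  Added example, not code from the patent: pattern keys,
channel identifiers, threshold and min_requests are assumptions."""
from dataclasses import dataclass, field
from typing import Dict, Hashable, List, Optional, Tuple


@dataclass
class UtilizationTracker:
    threshold: float = 0.5   # box 207: suppress when DCCH msgs / requests is below this
    min_requests: int = 5    # added safeguard: do not judge a pattern on a handful of requests
    requests_per_pattern: Dict[Hashable, int] = field(default_factory=dict)    # fig. 9a box 205
    dcch_msgs_per_pattern: Dict[Hashable, int] = field(default_factory=dict)   # fig. 9b box 308, 9c box 407
    pattern_of_channel: Dict[Hashable, Hashable] = field(default_factory=dict)  # fig. 9b box 304
    msgs_per_channel: Dict[Hashable, int] = field(default_factory=dict)        # fig. 9b box 305, 9c box 404

    def on_channel_request(self, pattern: Optional[Hashable]) -> str:
        """Figure 9a: count a request matching `pattern`; returns 'allow' or 'suppress'.
        `pattern` is None when the request matches no tracked access pattern (box 204)."""
        if pattern is None:
            return "allow"
        self.requests_per_pattern[pattern] = self.requests_per_pattern.get(pattern, 0) + 1
        requests = self.requests_per_pattern[pattern]
        if requests < self.min_requests:
            return "allow"
        dcch_msgs = self.dcch_msgs_per_pattern.get(pattern, 0)     # box 206
        if dcch_msgs / requests < self.threshold:                  # box 207
            return "suppress"                                      # box 209
        return "allow"                                             # box 208

    def on_assignment(self, pattern: Optional[Hashable], channel_id: Hashable) -> None:
        """Figure 9b: an assignment was observed for a request matching `pattern`."""
        if pattern is None:                                        # box 303
            return
        self.pattern_of_channel[channel_id] = pattern              # box 304
        self.msgs_per_channel[channel_id] = 0                      # box 305
        self.dcch_msgs_per_pattern.setdefault(pattern, 0)          # boxes 306 / 308

    def on_dcch_message(self, channel_id: Hashable) -> None:
        """Figure 9c: a message was seen on a DCCH; count it for the channel and its pattern."""
        if channel_id not in self.msgs_per_channel:                # box 403
            return
        self.msgs_per_channel[channel_id] += 1                     # box 404
        pattern = self.pattern_of_channel[channel_id]
        if pattern in self.dcch_msgs_per_pattern:                  # box 405
            self.dcch_msgs_per_pattern[pattern] += 1               # box 407


def run_scenario() -> Tuple[UtilizationTracker, Dict[str, List[str]]]:
    """Constructed traffic: terminals at access delay 3 use their DCCHs, while one
    terminal at access delay 12 requests channels it never uses.  Patterns are
    keyed by access delay; DCCH identifiers are constructed tuples."""
    tracker = UtilizationTracker()
    decisions: Dict[str, List[str]] = {"AD=3": [], "AD=12": []}
    for i in range(8):
        # legitimate: request, assignment, three messages on the allocated DCCH
        verdict = tracker.on_channel_request("AD=3")
        decisions["AD=3"].append(verdict)
        if verdict == "allow":
            tracker.on_assignment("AD=3", ("SDCCH", i))
            for _ in range(3):
                tracker.on_dcch_message(("SDCCH", i))
        # misbehaving: request and assignment, then silence on the DCCH
        verdict = tracker.on_channel_request("AD=12")
        decisions["AD=12"].append(verdict)
        if verdict == "allow":
            tracker.on_assignment("AD=12", ("SDCCH", 100 + i))
    return tracker, decisions
```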
Combination of methods
Different combinations of the previously described features are possible, giving rise to further embodiments of the invention, and figure 10 exemplifies this by a procedure 500.
A Training loop, as described earlier, e.g., with reference to figures 6 and 7 for FN periodicity, may be implemented also in order to observe the random access (RA) information field, the access delay (AD), and resource utilization. In a corresponding Test loop, if the RA value of the received channel request/channel required message belongs to the list of RA values marked to be blocked (box 501) from the Train loop, the message is dropped (box 508) right away and not processed further. Similarly, if the AD value of the message is used for identifying the message to be part of an attack and thus to be causing a resource leak (box 502), the message is again dropped right away (box 508).
When RA and AD of the message are not in the list of values marked as blocked, then FN periodicity detected during the Train loop (box 504) may be used next. The AD of the periodic FN may also be on the list marked as blocked (box 503). If the FN of the received message is, with high (parameterized) correlation coefficient, a periodic FN (box 506), the message is dropped right away (box 508). If the correlation coefficient is not high enough, the message is dropped only if the AD of the message is same as the AD of the periodic FN (box 503, 504, 505).
Generally, it is advantageous if as much information as possible obtained from the different embodiments is made use of as they are combined. An embodiment that combines information to gradually separate out sets of anomalous messages is described in pseudo-code below.
Parameters:
• TR >= 0, a resource (e.g. DCCHs) observation time
• Tw > 0, a time window of observed channel request messages/channel required messages (denoted "messages" in the following)
The procedure below may be used to analyze messages observed during a certain time window, and then to be able to take actions to suppress certain messages in the subsequent time window.
1. IF all resources have been occupied for a time >= TR THEN
This step defines that the procedure can be invoked only when resources have been exhausted, which is a safety measure against false positives.
2. Observe messages during time window Tw, while tracking resource utilization according to previous description (e.g. as described in relation to figures 9a, 9b, 9c)
3. Separate set of messages, M, in time window into disjoint subsets, Md, based on message delay d.
In this step 3, messages with different delay d are separated into different sets, in particular into disjoint subsets Md. For each such subset, the methods for detecting repeated Request IDs (steps 5 - 10) of the messages and detecting periodicities (steps 11 - 13) among frame numbers of the messages are applied. The delay information is used to separate out senders (MTs) in conjunction with the other methods.
4. FOR EACH message subset Md DO
5. Let message set MR,d = ∅
6. IF Request IDs in set Md are not approximately uniformly distributed (determined as described previously) THEN
7. Using previously described method, form set MR,d of messages from Md with repeated Request IDs
8. Use Request IDs found in MR,d to suppress in next time window, OR optionally only suppress Request IDs if corresponding messages have low resource utilization
9. END IF
10. Form set of remaining messages Md' = Md - MR,d
11. Using previously described method, check Md' for periodicity and form set MP,d of messages with periodicity P.
12. Use the identified periodicity to suppress messages in the next time window, OR optionally only suppress messages with periodicity if resource utilization is also indicated low.
13. Form set of remaining messages Md'' = Md' - MP,d
14. IF Md'' messages have low resource utilization THEN
15. Suppress all messages with delay d in next time window
In steps 14 and 15, the remaining set of messages can be tested for resource utilization. This allows for the possibility of identifying misbehaving senders at a particular distance (delay), even if they do not exhibit repeated IDs or periodicity.
16. END IF
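The combination procedure of steps 1 to 16 as an added Python example that is not part of the patent: the Message fields, the Suppression record and the callable interfaces of the two detectors are assumptions, and the two detector functions in the block are deliberately simple stand-ins (a count threshold for repeated Request IDs, a most-common-difference check for periodicity) for the methods described earlier in the text, so that the delay partitioning, the set subtraction and the TR safety gate can be tested on their own.

```python
"""Combination procedure (steps 1 to 16): partition a time window by access
delay, peel off repeated Request IDs, then periodic frame numbers, then whole
delay groups with low resource utilization.  Added example, not code from the
patent; Message fields, the Suppression record and detector interfaces are
assumptions, and the two detectors below are simplified stand-ins."""
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional, Set, Tuple


@dataclass(frozen=True)
class Message:
    delay: int            # access delay d (distance bucket)
    request_id: int       # random reference value
    fn: int               # frame number
    used_resource: bool   # the DCCH allocated for it carried traffic


@dataclass
class Suppression:
    """What to suppress in the next time window."""
    request_ids: Set[Tuple[int, int]] = field(default_factory=set)  # (delay, Request ID)
    periods: Set[Tuple[int, int]] = field(default_factory=set)      # (delay, period P)
    delays: Set[int] = field(default_factory=set)


RepeatedIdDetector = Callable[[List[Message]], Set[int]]                          # steps 6-7
PeriodDetector = Callable[[List[Message]], Tuple[Optional[int], List[Message]]]  # step 11


def low_utilization(msgs: List[Message], max_ratio: float = 0.2) -> bool:
    """Resource utilization indicator: fraction of messages whose DCCH was used."""
    return bool(msgs) and sum(m.used_resource for m in msgs) / len(msgs) < max_ratio


def analyze_window(messages: List[Message], exhausted_for: float, t_r: float,
                   repeated_ids: RepeatedIdDetector, periodicity: PeriodDetector,
                   require_low_util: bool = True) -> Suppression:
    out = Suppression()
    if exhausted_for < t_r:                        # step 1: act only when resources are exhausted
        return out
    by_delay: Dict[int, List[Message]] = {}
    for m in messages:                             # step 3: disjoint subsets Md
        by_delay.setdefault(m.delay, []).append(m)
    for d, md in by_delay.items():                 # step 4
        ids = repeated_ids(md)                     # steps 6-7: empty when approximately uniform
        mr_d = [m for m in md if m.request_id in ids]
        if mr_d and (not require_low_util or low_utilization(mr_d)):   # step 8
            out.request_ids.update((d, i) for i in ids)
        md1 = [m for m in md if m not in mr_d]     # step 10: Md' = Md - MR,d
        period, mp_d = periodicity(md1)            # step 11
        if period is not None and (not require_low_util or low_utilization(mp_d)):  # step 12
            out.periods.add((d, period))
        md2 = [m for m in md1 if m not in mp_d]    # step 13: Md'' = Md' - MP,d
        if low_utilization(md2):                   # steps 14-15
            out.delays.add(d)
    return out


def count_repeated_ids(group: List[Message]) -> Set[int]:
    """Stand-in for the RA test: Request IDs seen at least four times in the group."""
    counts: Dict[int, int] = {}
    for m in group:
        counts[m.request_id] = counts.get(m.request_id, 0) + 1
    return {rid for rid, c in counts.items() if c >= 4}


def simple_periodicity(group: List[Message]) -> Tuple[Optional[int], List[Message]]:
    """Stand-in for the FN test: most common FN difference if it occurs 3+ times."""
    fns = sorted(m.fn for m in group)
    diffs = [b - a for a, b in zip(fns, fns[1:])]
    if not diffs:
        return None, []
    p = max(set(diffs), key=diffs.count)
    if diffs.count(p) < 3:
        return None, []
    return p, [m for m in group if (m.fn - fns[0]) % p == 0]


# Constructed window: delay 5 mixes a flooder (Request ID 9, DCCHs unused) with
# legitimate users; delay 7 holds a terminal that varies ID and timing but never
# uses its channels; delay 9 varies IDs but sends every 50 frames; delay 2 is clean.
SAMPLE_WINDOW: List[Message] = (
    [Message(5, 9, 100 + 7 * i, False) for i in range(12)]
    + [Message(5, rid, fn, True) for rid, fn in [(3, 120), (14, 151), (27, 190)]]
    + [Message(7, rid, fn, False) for rid, fn in [(1, 105), (8, 133), (19, 162), (30, 201), (12, 247)]]
    + [Message(9, rid, 300 + 50 * i, False) for i, rid in enumerate([3, 11, 25, 6, 17])]
    + [Message(2, rid, fn, True) for rid, fn in [(5, 110), (22, 140)]])


def run_scenario(exhausted_for: float = 3.0, t_r: float = 2.0) -> Suppression:
    return analyze_window(SAMPLE_WINDOW, exhausted_for, t_r, count_repeated_ids, simple_periodicity)
```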
Figure 11 illustrates an embodiment in which the security function 21 is implemented as being integrated in the BSC 12. Similar to the embodiment of figure 5, i.e., wherein the security function is a standalone security node 21 arranged in line between the BTS 11 and the BSC 12, the arrangement of figure 11 implements the various ways of establishing deviating message behavior based on the channel required messages that the BTS 11 creates and sends to the BSC 12. In these two embodiments (illustrated in figures 5 and 11), the channel request messages (sent from the MT 10 to the BTS 11) are typically not available. It is however noted that information in the channel request messages received by the BTS 11 is passed on into the channel required messages, sent from the BTS 11 to BSC 12 (possibly via the security node 21 if implemented as a standalone node).
Figures 12a and 12b illustrate embodiments of the present disclosure wherein the security function is implemented in the BTS 11. When the methods are implemented in the BTS 11, there is an extra option available: the BTS 11 has access to the received channel request messages sent by the MT 10. The BTS 11 may use the channel request messages that it receives from the MTs for detecting an unexpected behavior (or use the channel required messages as has been pointed out also throughout the description of the various embodiments), e.g., by detecting periodicities of frame numbers.
Figure 12a illustrates an embodiment, wherein the various ways for establishing that there is an attempted attack may be based on the channel request messages. A burst sent from the MT 10 is received. If the burst is other than an access burst (e.g., a normal burst or synchronization burst), then a corresponding message is created and sent to the BSC 12 over the Abis interface. If the received burst is an access burst then it is decoded, and input to the security function 21 (detection function 24 thereof) that is an integrated part of the BTS 11. The security function 21 may, e.g., detect periodicities of frame numbers determined based on channel request messages. If the output of the security function 21 is that a channel request message is to be dropped, then no channel required message needs to be created. If the output of the security function 21 is that the channel request message is allowed, then the related channel required message may be created in a conventional manner and be sent to the BSC 12.
Figure 12b illustrates another embodiment, wherein the BTS 11 again receives bursts from the MT 10 and creates messages based thereon. The message discriminator 23 directly forwards messages other than channel request messages to the BSC 12.
Channel request messages are input to the security function 21, in particular the detection function 24 thereof, and the described determination of deviating behavior is performed. This embodiment is thus similar to the embodiment of figure 5, with the exception of the security function 21 being integrated with the BTS 11.
An advantage of the embodiments of figures 12a and 12b is that the BTS 11 may have access to more fine grained information about the channel request message than what is put in the channel required message. For example, the access delay may be determined with higher accuracy.
The various embodiments and features that have been described may be combined in different ways, examples of which are provided next, with reference first to figure 13.
Figure 13 is a flow chart over steps of a method in a first node in accordance with the present disclosure. The first node may be the security node 21 implemented as a standalone node between the BTS 11 and the BSC 12, or it could be the BSC 12 including the security function 21 (refer to figures 5 and 11, respectively, and related description).
A method 30 is provided that may be performed in a first node 12, 21 of a radio access network 20. The method provides protection of the radio access network 20, e.g., in that the availability of network services is ensured by detecting misbehaving terminals and taking appropriate action, e.g., dropping the channel required message. The method 30 comprises receiving 31, from an access node 11 of the radio access network 20, a channel required message. The channel required message is created in the access node 11 (e.g. the BTS 11) in response to a channel request message received from a mobile terminal 10 and received by the first node 12, 21.
The method 30 comprises establishing 32, based on at least one information element of the channel required message, that the information element deviates from an expected behavior of such information elements. Establishing that some property of the channel required message, in particular an information element of the channel required message, deviates from an expected behavior enables proper action to be taken in response thereto. A message deviating from an expected behavior may be a message that does not follow, or does not seem to follow, the technical specifications for the radio access technology at hand, e.g. GSM. That is, expected behavior for the channel required message is to follow the technical specifications.
The method 30 comprises rejecting 33 a channel request related to the channel required message, when the channel required message has been identified as a message that does not follow expected behavior. For instance, if the channel required message has a frame number which exhibits periodicity in view of a set of previous frame numbers, then the channel required message can swiftly be dropped, and thereby prevent signaling resources of the radio access network 20 from being exhausted. Rejecting the channel request, i.e., rejecting a request for a channel, prevents resources from being unnecessarily tied up.
In an embodiment, the establishing 32 comprises determining that a frame number of the channel required message exhibits a periodicity with respect to a set of frame numbers of a sequence of channel required messages. As mentioned earlier, in an ongoing attack on the radio access network 20, channel request messages may be repeatedly sent in a loop, presumably with approximately the same time difference between two consecutive messages. Then the frame numbers of the channel required messages will also be equally spaced. Thereby it may be established that there is a deviating behavior among channel required messages. The sequence of channel required messages may, but need not, be consecutive messages. A periodicity of messages that are part of an attack may be detected even when the sequence of messages is interspersed with legitimate messages that are not part of such an attack.
The frame number may be determined to exhibit a periodicity, e.g., by means of the procedure as described with reference to figures 7 and 8 (see, e.g., box 109 of figure 7 and related description).
In various embodiments, the establishing 32 comprises determining that a current random reference parameter value of the channel required message has been used in a set of previous channel required messages at a rate above a threshold rate. That is, if the current random reference parameter value has been used, within a time period, more frequently than expected, then the channel required message has a deviating behavior.
In a variation of the above embodiment, the threshold rate is set based on an expected distribution of allowed values, and the determining comprises determining that an observed distribution of random reference values of the set of previous channel required messages significantly deviates from the expected distribution.
In variations of the above two embodiments, the method 30 comprises suppressing further channel request messages having the same value of the random reference values as the channel request message just being rejected. If the same value of the random reference value of the channel required message at hand (and which is rejected) occurs again in a subsequent channel required message, also these can be rejected. This may be done based only on the random reference value, even in case the deviating behavior is established for other information elements as well.
In an embodiment, the method 30 comprises, prior to the rejecting 33 the channel request related to the channel required message, determining that a radio resource allocated in response to the channel required message was not utilized.
In a variation of the above embodiment, the determining comprises determining that the channel required message matches a pattern shown by a set of previous channel required messages corresponding to unused allocated radio resources.
In an embodiment, the establishing 32 further comprises determining that the access delay of the channel required message is the same access delay as for a set of channel required messages (in particular a set of previous channel required messages). As mentioned earlier, if it is determined that an abnormal rate of channel required messages have the same access delay, i.e., the MTs sending the corresponding channel request messages are located at the same distance from the BTS 11, then this knowledge may be used, in combination with some other of the described detection techniques, to establish that the channel required message is part of an attack against the radio access network 20. More specifically, it may be established that the channel required messages are, with high probability, originating from a single device (MT), from which it may be concluded that the messages are part of an attack. The channel required message may be rejected, e.g., when the set of channel required messages are received at a rate exceeding a threshold rate, or when radio resources allocated in response to the set of channel required messages failed to be utilized.
In various embodiments, the establishing 32 comprises two or more of:
- detecting that a frame number of the channel required message exhibits a periodicity with respect to a set of frame numbers of a sequence of channel required messages,
- determining that a current random reference parameter value of the channel required message has been used in a set of previous channel required messages at a rate above a threshold value,
- determining that a radio resource allocated in response to the channel required message was not utilized, and
- determining that the access delay information element of the channel required message has the same access delay value as a set of channel required messages received at a rate exceeding a threshold rate.
Figure 14 illustrates schematically nodes of the radio access system 20 and means for implementing embodiments of the method of the present disclosure. The various embodiments of the method 30 as described e.g. in relation to figure 13 may be implemented in the radio access system 20, and in particular in a first node thereof, e.g., in the BSC 12 or in the security node 21 in embodiments wherein it is a standalone device. The first node 12, 21 comprises a processor 40, 60 comprising any combination of one or more of a central processing unit (CPU), multiprocessor, microcontroller, digital signal processor (DSP), application specific integrated circuit etc. capable of executing software instructions stored in a memory 41, 61 which can thus be a computer program product 41, 61. The processor 40, 60 can be configured to execute any of the various embodiments of the method for instance as described in relation to figure 13.
The memory 41, 61 can be any combination of read and write memory (RAM) and read only memory (ROM), Flash memory, magnetic tape, Compact Disc (CD)-ROM, digital versatile disc (DVD), Blu-ray disc etc. The memory 41, 61 also comprises persistent storage, which, for example, can be any single one or combination of magnetic memory, optical memory, solid state memory or even remotely mounted memory.
The first node 12, 21 may also comprise an input/output device 43, 63 (indicated by I/O in figure 14) for communicating with other entities. Such input/output device 43, 63 may for instance comprise a communication interface. The input/output device 43, 63 may be a wired connection to a node of the radio access network 20 directly or via additional network nodes. For instance, in case the first node 12 is the BSC 12, then it may communicate with the BTS 11 directly and/or via the security node 21, when the security node is a standalone node.
The present disclosure provides computer programs 42, 62 for the first node 12, 21. The computer programs 42, 62 comprise computer program code, which, when executed on at least one processor 40, 60 on the first node 12, 21, causes the first node 12, 21 to perform the method 30 according to any of the described embodiments thereof.
The present disclosure also encompasses computer program products 41, 61 comprising a computer program 42, 62 for implementing the embodiments of the method as described, and a computer readable means on which the computer program 42, 62 is stored. The computer program product 41, 61 may, as mentioned earlier, be any combination of random access memory (RAM) or read only memory (ROM), Flash memory, magnetic tape, Compact Disc (CD)-ROM, digital versatile disc (DVD), Blu-ray disc etc. A first node 12, 21 for a radio access network 20 is provided, in particular for protecting the radio access network 20. The first node 12, 21 of the radio access network 20 is configured to: receive, from an access node 11, a channel required message; to establish, based on at least one information element of the channel required message, that the information element deviates from an expected behavior of such information elements; and to reject a channel request related to the channel required message.
The first node 12, 21 may be configured to perform the above steps e.g. by comprising a processor 40, 60 and memory 41, 61, the memory 41, 61 containing instructions executable by the processor 40, 60, whereby the first node 12, 21 is operative to perform the steps.
In an embodiment, the first node 12, 21 is configured to establish by determining that a frame number of the channel required message exhibits a periodicity with respect to a set of frame numbers of a sequence of channel required messages.
In an embodiment, the first node 12, 21 is configured to establish by determining that a current random reference parameter value of the channel required message has been used in a set of previous channel required messages at a rate above a threshold rate.
In a variation of the above embodiment, the threshold rate is set based on an expected distribution of allowed values, and wherein the determining comprises determining that an observed distribution of random reference parameter values of the set of previous channel required messages significantly deviates from the expected distribution.
In an embodiment, the first node 12, 21 is configured to, prior to the rejecting the channel request related to the channel required message, determine that a radio resource allocated in response to the channel required message was not utilized.
In a variation of the above embodiment, the first network node 12, 21 is configured to determine by determining that the channel required message matches a pattern shown by a set of previous channel required messages corresponding to unused allocated radio resources. In an embodiment, the first node 12, 21 is configured to establish by further determining that the access delay of the channel required message is the same access delay as for a set of channel required messages.
The computer program products, or the memories, comprise instructions executable by the processor 40, 60. Such instructions may be comprised in a computer program, or in one or more software modules or function modules.
Means are provided, e.g., function modules, that can be implemented using software instructions such as a computer program executing in a processor and/or using hardware, such as application specific integrated circuits, field programmable gate arrays, discrete logical components etc., or any combination thereof.
In particular, a first node for a radio access network is provided. The first node comprises first means for receiving, from an access node, a channel required message. Such first means may for instance comprise an input/output device 43, 63 as described earlier, and/or it may comprise any type of processing circuitry for receiving data.
The first node comprises second means for establishing, based on at least one information element of the channel required message, that the information element deviates from an expected behavior of such information elements. Such second means may comprise processing circuitry adapted to perform such establishing. The second means may for instance comprise software modules, as mentioned earlier.
The first node comprises third means for rejecting a channel request related to the channel required message. The third means may comprise processing circuitry adapted to perform such rejecting. The third means may for instance comprise software modules, as mentioned earlier.
Figure 15 is a flow chart over steps of a method in a second node in accordance with the present disclosure. The second node 11, 21 may be the security node 21 implemented as a standalone node between the BTS 11 and the BSC 12, or it may be the BTS 11 including the security node 21 (refer to figures 5 and 12a, 12b, respectively, and related description). A method 70 for a radio access network 20 is provided, in particular for protecting the radio access network 20. The method 70 may be performed in a second node 11, 21 of the radio access network 20, as described above. The method 70 comprises receiving 71, from a mobile terminal 10, a channel request message.
The method 70 comprises establishing 72, based on information in or relating to the channel request message or a related channel required message, that the information deviates from an expected behavior of such information.
The method 70 comprises rejecting 73 the channel request message. The channel request message may be rejected, e.g., by ignoring it and doing nothing in response to the establishing 72 of the information deviating from an expected behavior. In some embodiments, a channel request reject message may be sent to the mobile terminal 10 in response to receiving the channel request message. The channel request message may be rejected by rewriting it to an empty message, thereby dropping the content thereof. In still other embodiments, the request for a channel related to the channel required message corresponding to the channel request message is rejected.
In various embodiments, the establishing 72 comprises determining that a frame number established based on the channel request message or the related channel required message exhibits a periodicity with respect to a set of frame numbers of a sequence of channel request messages or related channel required messages.
In various embodiments, the establishing 72 comprises determining that a current random reference parameter value of the channel request message or the related channel required message has been used in a set of previous channel request messages or set of previous related channel required messages, respectively at a rate above a threshold rate.
In a variation of the above embodiment, the threshold rate is set based on an expected distribution of allowed values, and wherein the determining comprises determining that an observed distribution of random reference parameter values of the set of previous channel request messages significantly deviates from the expected distribution. In various embodiments, the method 70 comprises, prior to the rejecting 73 the channel request message, determining that a radio resource allocated in response to the channel request message was not utilized.
In a variation of the above embodiment, the determining comprises determining that the channel request message or the channel required message matches a pattern shown by a set of previous channel request messages or channel required messages corresponding to unused allocated radio resources.
In various embodiments, the establishing 72 further comprises determining that the access delay based on the reception time of the channel request message is the same access delay as for a set of channel request messages.
With reference again to figure 14, the second node 11, 21 comprises a processor 50 comprising any combination of one or more of a central processing unit (CPU), multiprocessor, microcontroller, digital signal processor (DSP), application specific integrated circuit etc. capable of executing software instructions stored in a memory 51 which can thus be a computer program product 51. The processor 50 can be configured to execute any of the various embodiments of the method for instance as described in relation to figure 15.
The memory 51 can be any combination of read and write memory (RAM) and read only memory (ROM), Flash memory, magnetic tape, Compact Disc (CD)-ROM, digital versatile disc (DVD), Blu-ray disc etc. The memory 51 also comprises persistent storage, which, for example, can be any single one or combination of magnetic memory, optical memory, solid state memory or even remotely mounted memory.
The second node 11, 21 may also comprise an input/output device 53 (indicated by I/O in figure 14) for communicating with other entities. Such input/output device 53 may for instance comprise a communication interface. The input/output device 53 may be a wired connection to a node of the radio access network 20 directly or via additional network nodes. For instance, in case the second node 11 is the BTS 11, then it may communicate with the BSC 12 directly and/or via the security node 21, when the security node is a standalone node. The present disclosure provides a computer program 52 for the second node 11, 21. The computer program 52 comprises computer program code, which, when executed on at least one processor 50 on the second node 11, 21, causes the second node 11, 21 to perform the method 70 according to any of the described embodiments thereof.
The present disclosure also encompasses a computer program product 51 comprising a computer program 52 for implementing the embodiments of the method as described, and a computer readable means on which the computer program 52 is stored. The computer program product 51 may, as mentioned earlier, be any combination of random access memory (RAM) or read only memory (ROM), Flash memory, magnetic tape, Compact Disc (CD)-ROM, digital versatile disc (DVD), Blu-ray disc etc.
A second node 12, 21 for a radio access network 20 is provided. The second node 12, 21 is configured to receive, from a mobile terminal 10, a channel request message; to establish, based on information in or relating to the channel request message or a related channel required message, that the information deviates from an expected behavior of such information; and to reject the channel request message.
The second node 11, 21 may be configured to perform the above steps, e.g., by comprising a processor 50 and memory 51, the memory 51 containing instructions executable by the processor 50, whereby the second node 11, 21 is operative to perform the steps.
In an embodiment, the second node 12, 21, is configured to establish by determining that a frame number established based on the channel request message or the related channel required message exhibits a periodicity with respect to a set of frame numbers of a sequence of channel request messages or related channel required messages.
In an embodiment, the second node 12, 21, is configured to establish by determining that a current random reference parameter value of the channel request message or the related channel required message has been used in a set of previous channel request messages or set of previous related channel required messages, respectively at a rate above a threshold rate. In a variation of the above embodiment, the threshold rate is set based on an expected distribution of allowed values, and configured to determine by determining that an observed distribution of random reference parameter values of the set of previous channel request messages significantly deviates from the expected distribution.
In an embodiment, the second node 12, 21, is configured to, prior to the rejecting the channel required message, determine that a radio resource allocated in response to the channel required message was not utilized.
In a variation of the above embodiment, the second node 12, 21 is configured to determine by determining that the channel request message or the channel required message matches a pattern shown by a set of previous channel request messages or channel required messages corresponding to unused allocated radio resources.
In an embodiment, the second node 12, 21, is configured to establish by determining that the access delay of the channel request message is the same access delay as for a set of channel request messages.
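The deviation checks described above for the method 70 and for the second node (periodic frame numbers, a random reference reused at a rate above a threshold derived from the expected distribution, a match to the pattern of earlier requests whose allocated channel went unused, and a repeated access delay), combined under the two-or-more rule, as an added Python example that is not part of the patent or of any Ericsson product. The message record, window size, threshold values and sample traffic are all constructed assumptions for illustration.

```python
from collections import deque, namedtuple

# Constructed record of the fields the checks use; the field names are this
# example's own, not identifiers from the patent or from 3GPP specifications.
ChannelRequired = namedtuple("ChannelRequired", "frame_number random_reference access_delay")


class ChannelRequestGuard:
    """Sliding-window detector for the four deviation checks (security node role)."""

    def __init__(self, window=16, allowed_values=32, reuse_factor=4.0,
                 delay_share_threshold=0.8, min_periodic_run=4, min_samples=8):
        self.window = deque(maxlen=window)
        # Threshold rate derived from the expected (uniform) distribution over the
        # allowed random reference values, scaled by an assumed tolerance factor.
        self.reuse_threshold = reuse_factor / allowed_values
        self.delay_share_threshold = delay_share_threshold
        self.min_periodic_run = min_periodic_run
        self.min_samples = min_samples      # rate checks need at least this much history
        self.unused_patterns = set()        # (random_reference, access_delay) of unused allocations

    def frame_number_periodic(self, msg):
        recent = [m.frame_number for m in self.window][-(self.min_periodic_run - 1):]
        fns = recent + [msg.frame_number]
        if len(fns) < self.min_periodic_run:
            return False
        # One constant spacing across the whole run means a fixed transmit period.
        return len({b - a for a, b in zip(fns, fns[1:])}) == 1

    def _share(self, predicate):
        """Fraction of the window matching predicate, or 0.0 with too little history."""
        if len(self.window) < self.min_samples:
            return 0.0
        return sum(1 for m in self.window if predicate(m)) / len(self.window)

    def random_reference_reused(self, msg):
        return self._share(lambda m: m.random_reference == msg.random_reference) > self.reuse_threshold

    def matches_unused_pattern(self, msg):
        return (msg.random_reference, msg.access_delay) in self.unused_patterns

    def access_delay_repeated(self, msg):
        return self._share(lambda m: m.access_delay == msg.access_delay) > self.delay_share_threshold

    def evaluate(self, msg):
        """Return the names of the checks the message trips, then record it in the window."""
        checks = [("periodic_frame_number", self.frame_number_periodic),
                  ("random_reference_reused", self.random_reference_reused),
                  ("matches_unused_allocation_pattern", self.matches_unused_pattern),
                  ("repeated_access_delay", self.access_delay_repeated)]
        reasons = [name for name, check in checks if check(msg)]
        self.window.append(msg)
        return reasons

    def mark_unused(self, msg):
        """Record that the radio resource allocated for msg was never used."""
        self.unused_patterns.add((msg.random_reference, msg.access_delay))


def should_reject(reasons, required=2):
    """Reject when at least `required` checks agree (the two-or-more combination)."""
    return len(reasons) >= required


def simulate(guard, messages, unused_at=None):
    """Feed messages in order; after index unused_at, report that allocation as unused."""
    results = []
    for idx, msg in enumerate(messages):
        results.append(guard.evaluate(msg))
        if idx == unused_at:
            guard.mark_unused(msg)
    return results


def run_demo():
    # Constructed traffic: six varied legitimate requests, then a flood sent with a
    # fixed 51-frame period, a single random reference and a single access delay.
    benign = [ChannelRequired(fn, rr, ad) for fn, rr, ad in
              [(100, 5, 2), (137, 19, 0), (162, 3, 7), (241, 28, 1), (260, 11, 4), (305, 9, 2)]]
    flood = [ChannelRequired(400 + 51 * i, 7, 3) for i in range(16)]
    return simulate(ChannelRequestGuard(), benign + flood, unused_at=len(benign) + 3)
```

In the constructed run the legitimate requests trip nothing, the flood first trips the random reference rate check, then the periodicity check, then the unused-allocation pattern once one of its allocations is reported unused, and finally the access delay check once the flood dominates the window.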
The computer program product, or the memory, comprises instructions executable by the processor 50. Such instructions may be comprised in a computer program, or in one or more software modules or function modules.
Means are provided, e.g., function modules, that can be implemented using software instructions such as a computer program executing in a processor and/or using hardware, such as application specific integrated circuits, field programmable gate arrays, discrete logical components etc., or any combination thereof.
A second node of a radio access network is provided. The second node comprises first means for receiving, from a mobile terminal, a channel request message. Such first means may for instance comprise an input/output device 53 as described earlier, and/or it may comprise any type of processing circuitry for receiving wireless signaling.
The second node comprises second means for establishing, based on information in or relating to the channel request message or a related channel required message, that the information deviates from an expected behavior of such information. Such second means may comprise processing circuitry adapted to perform such establishing. The second means may for instance comprise software modules, as mentioned earlier.
The second node comprises third means for rejecting the channel request message. The third means may comprise processing circuitry adapted to perform such rejecting. The third means may for instance comprise software modules, as mentioned earlier.
The invention has mainly been described herein with reference to a few embodiments. However, as is appreciated by a person skilled in the art, other embodiments than the particular ones disclosed herein are equally possible within the scope of the invention, as defined by the appended patent claims.

Claims

1. A method (30) performed in a first node (12, 21) of a radio access network (20), the method (30) comprising:
- receiving (31), from an access node (11) of the radio access network (20), a channel required message,
- establishing (32), based on at least one information element of the channel required message, that the information element deviates from an expected behavior of such information elements, and
- rejecting (33) a channel request related to the channel required message.
2. The method (30) as claimed in claim 1, wherein the establishing (32) comprises determining that a frame number of the channel required message exhibits a periodicity with respect to a set of frame numbers of a sequence of channel required messages.
3. The method (30) as claimed in claim 1 or 2, wherein the establishing (32) comprises determining that a current random reference parameter value of the channel required message has been used in a set of previous channel required messages at a rate above a threshold rate.
4. The method (30) as claimed in claim 3, wherein the threshold rate is set based on an expected distribution of allowed values, and wherein the determining comprises determining that an observed distribution of random reference parameter values of the set of previous channel required messages significantly deviates from the expected distribution.
5. The method (30) as claimed in any of the preceding claims, comprising, prior to the rejecting (33) the channel request related to the channel required message, determining that a radio resource allocated in response to the channel required message was not utilized.
6. The method (30) as claimed in claim 5, wherein the determining comprises determining that the channel required message matches a pattern shown by a set of previous channel required messages corresponding to unused allocated radio resources.
7. The method (30) as claimed in any of claims 2-6, wherein the establishing (32) further comprises determining that the access delay of the channel required message is the same access delay as for a set of channel required messages.
8. The method (30) as claimed in claim 1, wherein the establishing (32) comprises two or more of:
- detecting that a frame number of the channel required message exhibits a periodicity with respect to a set of frame numbers of a sequence of channel required messages,
- determining that a current random reference parameter value of the channel required message has been used in a set of previous channel required messages at a rate above a threshold value,
- determining that a radio resource allocated in response to the channel required message was not utilized, and
- determining that the access delay information element of the channel required message has the same access delay value as a set of channel required messages received at a rate exceeding a threshold rate.
9. A computer program (42) for a first node (12, 21) of a radio access network (20), the computer program (42) comprising computer program code, which, when executed on at least one processor (40) on the first node (12, 21) causes the first node (12, 21) to perform the method (30) according to any one of claims 1-8.
10. A computer program product (41) comprising a computer program (42) as claimed in claim 10 and a computer readable means on which the computer program (42) is stored.
11. A first node (12, 21) for a radio access network (20), configured to:
- receive, from an access node (11), a channel required message of the radio access network (20),
- establish, based on at least one information element of the channel required message, that the information element deviates from an expected behavior of such information elements, and
- reject a channel request related to the channel required message.
12. The first node (12, 21) as claimed in claim 11, configured to establish by determining that a frame number of the channel required message exhibits a periodicity with respect to a set of frame numbers of a sequence of channel required messages.
13. The first node (12, 21) as claimed in claim 11 or 12, configured to establish by determining that a current random reference parameter value of the channel required message has been used in a set of previous channel required messages at a rate above a threshold rate.
14. The first node (12, 21) as claimed in claim 13, wherein the threshold rate is set based on an expected distribution of allowed values, and wherein the determining comprises determining that an observed distribution of random reference parameter values of the set of previous channel required messages significantly deviates from the expected distribution.
15. The first node (12, 21) as claimed in any of claims 11-14, configured to, prior to the rejecting the channel request related to the channel required message, determine that a radio resource allocated in response to the channel required message was not utilized.
16. The first node (12, 21) as claimed in claim 15, configured to determine by determining that the channel required message matches a pattern shown by a set of previous channel required messages corresponding to unused allocated radio resources.
17. The first node (12, 21) as claimed in any of claims 12-16, configured to establish by further determining that the access delay of the channel required message is the same access delay as for a set of channel required messages.
18. A method (70) performed in a second node (11, 21) of a radio access network (20), the method (70) comprising:
- receiving (71), from a mobile terminal (10), a channel request message,
- establishing (72), based on information in or relating to the channel request message or a related channel required message, that the information deviates from an expected behavior of such information, and
- rejecting (73) the channel request message.
19. The method (70) as claimed in claim 18, wherein the establishing (72) comprises determining that a frame number established based on the channel request message or the related channel required message exhibits a periodicity with respect to a set of frame numbers of a sequence of channel request messages or the related channel required messages.
20. The method (70) as claimed in claim 18 or 19, wherein the establishing (71) comprises determining that a current random reference parameter value of the channel request message or the related channel required message has been used in a set of previous channel request messages or set of previous related channel required messages, respectively at a rate above a threshold rate.
21. The method (70) as claimed in claim 20, wherein the threshold rate is set based on an expected distribution of allowed values, and wherein the determining comprises determining that an observed distribution of random reference parameter values of the set of previous channel request messages significantly deviates from the expected distribution.
22. The method (70) as claimed in any of claims 18-21, comprising, prior to the rejecting (73) the channel request message, determining that a radio resource allocated in response to the channel required message was not utilized.
23. The method (70) as claimed in claim 22, wherein the determining comprises determining that the channel request message or the channel required message matches a pattern shown by a set of previous channel request messages or channel required messages corresponding to unused allocated radio resources.
24. The method (70) as claimed in any of claims 18-23, wherein the establishing (72) further comprises determining that the access delay based on reception time of the channel request message is the same access delay as for a set of channel request messages.
25. A computer program (52) for a second node (11, 21) of a radio access network (20), the computer program (52) comprising computer program code, which, when executed on at least one processor (50) on the second node (11, 21) causes the second node (11, 21) to perform the method (70) according to any one of claims 18-24.
26. A computer program product (51) comprising a computer program (52) as claimed in claim 25 and a computer readable means on which the computer program (52) is stored.
27. A second node (11, 21) for a radio access network (20), configured to:
- receive, from a mobile terminal (10), a channel request message,
- establish, based on information in or relating to the channel request message or a related channel required message, that the information deviates from an expected behavior of such information, and
- reject the channel request message.
28. The second node (11, 21) as claimed in claim 27, configured to establish by determining that a frame number established based on the channel request message or the related channel required message exhibits a periodicity with respect to a set of frame numbers of a sequence of channel request messages or the related channel required messages.
29. The second node (11, 21) as claimed in claim 27 or 28, configured to establish by determining that a current random reference parameter value of the channel request message or the related channel required message has been used in a set of previous channel request messages or set of previous related channel required messages, respectively at a rate above a threshold rate.
30. The second node (11, 21) as claimed in claim 29, wherein the threshold rate is set based on an expected distribution of allowed values, and configured to determine by determining that an observed distribution of random reference parameter values of the set of previous channel request messages significantly deviates from the expected distribution.
31. The second node (11, 21) as claimed in any of claims 27-30, configured to, prior to the rejecting the channel request message, determine that a radio resource allocated in response to the channel required message was not utilized.
32. The second node (11, 21) as claimed in claim 31, configured to determine by determining that the channel request message or the channel required message matches a pattern shown by a set of previous channel request messages or channel required messages corresponding to unused allocated radio resources.
33. The second node (11, 21) as claimed in any of claims 27-32, configured to establish by determining that the access delay based on the reception time of the channel request message is the same access delay as for a set of channel request messages.
PCT/SE2015/050016 2015-01-13 2015-01-13 Methods and nodes for protection of radio access networks WO2016114690A1 (en)

Publications (1)

Publication Number Publication Date
WO2016114690A1 true WO2016114690A1 (en) 2016-07-21

Family

ID=52462379
Citations (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
GB2386294A (en) * 2002-03-06 2003-09-10 Lucent Technologies Inc Alleviating denial of service attacks in mobile network
US20120155274A1 (en) * 2010-12-20 2012-06-21 Yi-Pin Eric Wang DENIAL OF SERVICE (DoS) ATTACK PREVENTION THROUGH RANDOM ACCESS CHANNEL RESOURCE REALLOCATION
EP2574090A1 (en) * 2011-09-23 2013-03-27 Research In Motion Limited Managing mobile device applications
Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application
Ref document number: 15703121
Country of ref document: EP
Kind code of ref document: A1
NENP Non-entry into the national phase
Ref country code: DE
122 Ep: pct application non-entry in european phase
Ref document number: 15703121
Country of ref document: EP
Kind code of ref document: A1