WO2019113934A1 - Techniques for detecting fake cells in wireless communications - Google Patents

Info

Publication number
WO2019113934A1
Authority
WO
WIPO (PCT)
Prior art keywords
cell
nas
nas message
detecting
fake
Application number
PCT/CN2017/116444
Other languages
French (fr)
Inventor
Shiau-He Tsai
Vitaly Drapkin
Nitin Pant
Bhanu Kiran JANGA
Peng Hu
Sohrab AHMAD
Jun Deng
Original Assignee
Qualcomm Incorporated
Application filed by Qualcomm Incorporated
Priority to PCT/CN2017/116444
Publication of WO2019113934A1

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04W WIRELESS COMMUNICATION NETWORKS
    • H04W 12/00 Security arrangements; Authentication; Protecting privacy or anonymity
    • H04W 12/12 Detection or prevention of fraud
    • H04W 12/121 Wireless intrusion detection systems [WIDS]; Wireless intrusion prevention systems [WIPS]
    • H04W 12/122 Counter-measures against attacks; Protection against rogue devices
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 63/00 Network architectures or network communication protocols for network security
    • H04L 63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L 63/1408 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
    • H04L 63/1425 Traffic logging, e.g. anomaly detection
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 63/00 Network architectures or network communication protocols for network security
    • H04L 63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L 63/1441 Countermeasures against malicious traffic
    • H04L 63/1458 Denial of Service

Definitions

  • Aspects of the present disclosure relate generally to wireless communication systems, and more particularly, to detecting fake cells in wireless communications.
  • Wireless communication systems are widely deployed to provide various types of communication content such as voice, video, packet data, messaging, broadcast, and so on. These systems may be multiple-access systems capable of supporting communication with multiple users by sharing the available system resources (e.g., time, frequency, and power). Examples of such multiple-access systems include code-division multiple access (CDMA) systems, time-division multiple access (TDMA) systems, frequency-division multiple access (FDMA) systems, orthogonal frequency-division multiple access (OFDMA) systems, and single-carrier frequency division multiple access (SC-FDMA) systems.
  • CDMA: code-division multiple access
  • TDMA: time-division multiple access
  • FDMA: frequency-division multiple access
  • OFDMA: orthogonal frequency-division multiple access
  • SC-FDMA: single-carrier frequency division multiple access
  • 4G and/or fifth generation (5G) wireless communications technologies have been, or are being, developed to expand and support diverse usage scenarios and applications with respect to current mobile network generations.
  • An example of a 4G network can include a third generation partnership project (3GPP) long term evolution (LTE) network.
  • 3GPP: third generation partnership project
  • LTE: long term evolution
  • A fake cell can refer to a cell implemented (e.g., by a party that is not a cellular operator) for such purposes as disrupting wireless communications of UEs, otherwise obtaining confidential information from the UEs, etc.
  • TAU: tracking area update
  • A fake cell can cause denial-of-service (DoS) to a user equipment (UE) by rejecting TAU requests from the UE, which may cause the UE to remove support for 4G technology for at least a period of time.
  • DoS: denial-of-service
  • UE: user equipment
  • A fake cell can cause the UE to fall back to a 2G cell (e.g., based on rejecting the TAU requests), where the 2G cell may exploit further security vulnerabilities associated with 2G technologies, etc.
  • A method for detecting, by a user equipment (UE), fake cells in wireless communications includes establishing, by the UE, a connection with a cell in a wireless network, performing, by the UE and based on establishing the connection with the cell, a non-access stratum (NAS) procedure instance with the cell at a NAS layer, detecting, by the UE, a pattern of NAS message sequences received during the NAS procedure, and barring, by the UE and based on detecting the pattern of NAS message sequences, connection to the cell.
  • NAS: non-access stratum
  • An apparatus for wireless communication includes a transceiver for communicating in a wireless network via one or more antennas, a memory configured to store instructions, and one or more processors communicatively coupled with the transceiver and the memory.
  • The one or more processors are configured to establish a connection with a cell in the wireless network, perform, based on establishing the connection with the cell, a NAS procedure instance with the cell at a NAS layer, detect a pattern of NAS message sequences received during the NAS procedure, and bar, based on detecting the pattern of NAS message sequences, connection to the cell.
  • An apparatus for detecting, by a UE, fake cells in wireless communications includes means for establishing, by the UE, a connection with a cell in a wireless network, means for performing, by the UE and based on establishing the connection with the cell, a NAS procedure instance with the cell at a NAS layer, means for detecting, by the UE, a pattern of NAS message sequences received during the NAS procedure, and means for barring, by the UE and based on detecting the pattern of NAS message sequences, connection to the cell.
  • A computer-readable medium including code executable by one or more processors for detecting, by a UE, fake cells in wireless communications.
  • The code includes code for establishing, by the UE, a connection with a cell in a wireless network, code for performing, by the UE and based on establishing the connection with the cell, a NAS procedure instance with the cell at a NAS layer, code for detecting, by the UE, a pattern of NAS message sequences received during the NAS procedure, and code for barring, by the UE and based on detecting the pattern of NAS message sequences, connection to the cell.
  • The one or more aspects comprise the features hereinafter fully described and particularly pointed out in the claims.
  • The following description and the annexed drawings set forth in detail certain illustrative features of the one or more aspects. These features are indicative, however, of but a few of the various ways in which the principles of various aspects may be employed, and this description is intended to include all such aspects and their equivalents.
  • FIG. 1 illustrates an example of a wireless communication system, in accordance with various aspects of the present disclosure.
  • FIG. 2 is a block diagram illustrating an example of a UE, in accordance with various aspects of the present disclosure.
  • FIG. 3 is a flow chart illustrating an example of a method for establishing a connection with a cell, in accordance with various aspects of the present disclosure.
  • FIG. 4 is a block diagram illustrating an example of a MIMO communication system including a base station and a UE, in accordance with various aspects of the present disclosure.
  • A fake cell can refer to a cell implemented (e.g., by a party that is not a cellular operator) for purposes of causing a UE to connect to the fake cell, allowing the fake cell to disrupt wireless communications of the UE, otherwise obtain confidential information from the UE, etc.
  • A fake cell can broadcast system information defined for use in a wireless technology, such as third generation partnership project (3GPP) long term evolution (LTE), to advertise wireless communications services, and can provide a mechanism for UEs to attach to the fake cell, such as a random access channel (RACH) for performing RACH procedures, etc.
  • 3GPP: third generation partnership project
  • LTE: long term evolution
  • RACH: random access channel
  • UEs can connect to the fake cell, and the fake cell can cause a denial of service (DoS) by overriding a tracking area update (TAU) procedure to reject the UE's TAU requests, can cause redirection of the UE to a legacy cell, such as a second generation (2G) cell, for further exploitation of security vulnerabilities, etc.
  • DoS: denial of service
  • TAU: tracking area update
  • The fake cells may not be able to sufficiently satisfy a TAU procedure performed by the UE.
  • A number of failed TAU requests may be indicative of the UE being attached to a fake cell.
  • HPLMN: home public land mobile network
  • The UE can be configured to perform a number of non-access stratum (NAS) requests of a NAS procedure instance before determining to not support LTE communications (at least for a period of time).
  • NAS procedure instances may include substantially any procedure performed at a NAS layer as part of establishing communications with a cell, such as a TAU procedure, a HPLMN attach procedure, etc.
  • A UE can perform the NAS procedure instance with a cell, and where a number of NAS message sequences are received (e.g., which may be indicative of a NAS request failure), the UE can consider the cell to be a fake cell, can bar connections to the cell, and can attempt to connect to a different cell. This can avoid the UE falling into a DoS of the fake cell, falling back to a 2G cell (which may be indicated by the fake cell and may be another fake cell for the purpose of compromising information on the UE), etc.
  • A fourth-generation (4G) cellular network, although significantly improved in security over previous generations, may still have the vulnerability that a UE cannot actively validate the network under certain scenarios. For example, when a UE updates its presence upon entering a new tracking area and receives a network response indicating an anomaly, it may not be able to authenticate its counterpart.
  • Another example is that there may not be a defined UE mechanism to determine the reliability of the system configuration for mobility towards previous generations (albeit this may not be essential for acquiring 4G services). It may be possible, in this regard, for UEs to lose 4G services because of fake base station/cell encounters.
  • The detrimental effect from accessing an unsafe network can manifest in the UE's loss of 4G service (referred to as a downgrade attack), and the subsequent UE exposure to rogue 2G base stations, which are allowed by 2G specifications to operate without security and gain illicit control.
  • Downgrade attack: the UE's loss of 4G service
  • One way for the unsafe network to accomplish this is a DoS attack at the NAS that can force the UE's 4G removal, and another is through an extremely biased 4G-to-2G reselection configuration in the system broadcast information.
  • The NAS DoS attack can exhibit multiple levels of sophistication, such as (1) no response to the UE's NAS TAU request (e.g., either no lower-layer connection setup or a bare connection setup without any NAS signaling), or (2) sending an identity request in response to the NAS TAU followed by rejection (or lower-layer redirect), where the UE can either (1) remove 4G from its radio access technology (RAT) list after five failed TAUs in a row, or (2) be downgraded/redirected to 2G.
  • RAT: radio access technology
  • The biased reselection configuration can be characterized either by (1) limited 4G mobility (e.g., no intra-4G reselection at all, or intra-frequency only), or (2) biased 4G-to-2G parameters (e.g., any 2G cell is qualified for reselection with equal or higher priority than 4G).
  • Limited 4G mobility: e.g., no intra-4G reselection at all, or intra-frequency only
  • Biased 4G-to-2G parameters: e.g., any 2G cell is qualified for reselection with equal or higher priority than 4G
  • A component may be, but is not limited to being, a process running on a processor, a processor, an object, an executable, a thread of execution, a program, and/or a computer.
  • Both an application running on a computing device and the computing device can be a component.
  • One or more components can reside within a process and/or thread of execution, and a component can be localized on one computer and/or distributed between two or more computers.
  • These components can execute from various computer readable media having various data structures stored thereon.
  • The components can communicate by way of local and/or remote processes, such as in accordance with a signal having one or more data packets, such as data from one component interacting with another component in a local system, distributed system, and/or across a network such as the Internet with other systems by way of the signal.
  • A CDMA system may implement a radio technology such as CDMA2000, Universal Terrestrial Radio Access (UTRA), etc.
  • CDMA2000 covers the IS-2000, IS-95, and IS-856 standards.
  • IS-2000 Releases 0 and A are commonly referred to as CDMA2000 1X, 1X, etc.
  • IS-856 (TIA-856) is commonly referred to as CDMA2000 1xEV-DO, High Rate Packet Data (HRPD), etc.
  • UTRA includes Wideband CDMA (WCDMA) and other variants of CDMA.
  • A TDMA system may implement a radio technology such as Global System for Mobile Communications (GSM).
  • GSM: Global System for Mobile Communications
  • An OFDMA system may implement a radio technology such as Ultra Mobile Broadband (UMB), Evolved UTRA (E-UTRA), IEEE 802.11 (Wi-Fi), IEEE 802.16 (WiMAX), IEEE 802.20, Flash-OFDM™, etc.
  • UMB: Ultra Mobile Broadband
  • E-UTRA: Evolved UTRA
  • WiMAX: IEEE 802.16
  • UTRA and E-UTRA are part of the Universal Mobile Telecommunication System (UMTS).
  • 3GPP Long Term Evolution (LTE) and LTE-Advanced (LTE-A) are new releases of UMTS that use E-UTRA.
  • UTRA, E-UTRA, UMTS, LTE, LTE-A, and GSM are described in documents from an organization named “3rd Generation Partnership Project” (3GPP).
  • CDMA2000 and UMB are described in documents from an organization named “3rd Generation Partnership Project 2” (3GPP2).
  • The techniques described herein may be used for the systems and radio technologies mentioned above as well as other systems and radio technologies, including cellular (e.g., LTE) communications over a shared radio frequency spectrum band.
  • LTE: Long Term Evolution
  • FIG. 1 illustrates an example of a wireless communication system 100 in accordance with various aspects of the present disclosure.
  • The wireless communication system 100 may include one or more base stations 105, one or more UEs 115, and a core network 130.
  • The core network 130 may provide user authentication, access authorization, tracking, internet protocol (IP) connectivity, and other access, routing, or mobility functions.
  • IP: internet protocol
  • The base stations 105 may interface with the core network 130 through backhaul links 132 (e.g., S1, etc.).
  • The base stations 105 may perform radio configuration and scheduling for communication with the UEs 115, or may operate under the control of a base station controller (not shown).
  • The base stations 105 may communicate, either directly or indirectly (e.g., through core network 130), with one another over backhaul links 134 (e.g., X2, etc.), which may be wired or wireless communication links.
  • Backhaul links 134: e.g., X2, etc.
  • The base stations 105 may wirelessly communicate with the UEs 115 via one or more base station antennas. Each of the base stations 105 may provide communication coverage for a respective geographic coverage area 110.
  • Base stations 105 may be referred to as a network entity, a base transceiver station, a radio base station, an access point, a radio transceiver, a NodeB, eNodeB (eNB), Home NodeB, a Home eNodeB, or some other suitable terminology.
  • The geographic coverage area 110 for a base station 105 may be divided into sectors making up only a portion of the coverage area (not shown).
  • The wireless communication system 100 may include base stations 105 of different types (e.g., macro or small cell base stations). There may be overlapping geographic coverage areas 110 for different technologies.
  • The wireless communication system 100 may be or include a Long Term Evolution (LTE) or LTE-Advanced (LTE-A) network.
  • The wireless communication system 100 may also be a next generation network, such as a 5G wireless communication network.
  • In LTE/LTE-A networks, the term evolved node B (eNB), gNB, etc. may be generally used to describe the base stations 105, while the term UE may be generally used to describe the UEs 115.
  • The wireless communication system 100 may be a heterogeneous LTE/LTE-A network in which different types of eNBs provide coverage for various geographical regions. For example, each eNB or base station 105 may provide communication coverage for a macro cell, a small cell, or other types of cell.
  • Cell is a 3GPP term that can be used to describe a base station, a carrier or component carrier associated with a base station, or a coverage area (e.g., sector, etc.) of a carrier or base station, depending on context.
  • A macro cell may cover a relatively large geographic area (e.g., several kilometers in radius) and may allow unrestricted access by UEs 115 with service subscriptions with the network provider.
  • A small cell may include a lower-powered base station, as compared with a macro cell, that may operate in the same or different (e.g., licensed, unlicensed, etc.) frequency bands as macro cells.
  • Small cells may include pico cells, femto cells, and micro cells according to various examples.
  • A pico cell, for example, may cover a small geographic area and may allow unrestricted access by UEs 115 with service subscriptions with the network provider.
  • A femto cell may also cover a small geographic area (e.g., a home) and may provide restricted access by UEs 115 having an association with the femto cell (e.g., UEs 115 in a closed subscriber group (CSG), UEs 115 for users in the home, and the like).
  • An eNB for a macro cell may be referred to as a macro eNB, gNB, etc.
  • An eNB for a small cell may be referred to as a small cell eNB, a pico eNB, a femto eNB, or a home eNB.
  • An eNB may support one or multiple (e.g., two, three, four, and the like) cells (e.g., component carriers).
  • The communication networks may be packet-based networks that operate according to a layered protocol stack, and data in the user plane may be based on the IP.
  • A packet data convergence protocol (PDCP) layer can provide header compression, ciphering, integrity protection, etc. of IP packets.
  • A radio link control (RLC) layer may perform packet segmentation and reassembly to communicate over logical channels.
  • A media access control (MAC) layer may perform priority handling and multiplexing of logical channels into transport channels.
  • The MAC layer may also use HARQ to provide retransmission at the MAC layer to improve link efficiency.
  • The radio resource control (RRC) protocol layer may provide establishment, configuration, and maintenance of an RRC connection between a UE 115 and the base stations 105.
  • The RRC protocol layer may also be used for core network 130 support of radio bearers for the user plane data.
  • The transport channels may be mapped to physical channels.
  • The UEs 115 may be dispersed throughout the wireless communication system 100, and each UE 115 may be stationary or mobile.
  • A UE 115 may also include or be referred to by those skilled in the art as a mobile station, a subscriber station, a mobile unit, a subscriber unit, a wireless unit, a remote unit, a mobile device, a wireless device, a wireless communications device, a remote device, a mobile subscriber station, an access terminal, a mobile terminal, a wireless terminal, a remote terminal, a handset, a user agent, a mobile client, a client, or some other suitable terminology.
  • A UE 115 may be a cellular phone, a personal digital assistant (PDA), a wireless modem, a wireless communication device, a handheld device, a tablet computer, a laptop computer, a cordless phone, a wireless local loop (WLL) station, an entertainment device, a vehicular component, or the like.
  • PDA: personal digital assistant
  • A UE may be able to communicate with various types of base stations and network equipment including macro eNBs, small cell eNBs, relay base stations, and the like.
  • The communication links 125 shown in wireless communication system 100 may carry uplink (UL) transmissions from a UE 115 to a base station 105, or downlink (DL) transmissions from a base station 105 to a UE 115.
  • The downlink transmissions may also be called forward link transmissions, while the uplink transmissions may also be called reverse link transmissions.
  • Each communication link 125 may include one or more carriers, where each carrier may be a signal made up of multiple sub-carriers (e.g., waveform signals of different frequencies) modulated according to the various radio technologies described above.
  • Each modulated signal may be sent on a different sub-carrier and may carry control information (e.g., reference signals, control channels, etc.), overhead information, user data, etc.
  • The communication links 125 may transmit bidirectional communications using frequency division duplex (FDD) (e.g., using paired spectrum resources) or time division duplex (TDD) operation (e.g., using unpaired spectrum resources).
  • FDD: frequency division duplex
  • TDD: time division duplex
  • Frame structures may be defined for FDD (e.g., frame structure type 1) and TDD (e.g., frame structure type 2).
  • Base stations 105 or UEs 115 may include multiple antennas for employing antenna diversity schemes to improve communication quality and reliability between base stations 105 and UEs 115. Additionally or alternatively, base stations 105 or UEs 115 may employ multiple input multiple output (MIMO) techniques that may take advantage of multi-path environments to transmit multiple spatial layers carrying the same or different coded data.
  • MIMO: multiple input multiple output
  • Wireless communication system 100 may support operation on multiple cells or carriers, a feature which may be referred to as carrier aggregation (CA) or multi-carrier operation.
  • A carrier may also be referred to as a component carrier (CC), a layer, a channel, etc.
  • CC: component carrier
  • The terms “carrier,” “component carrier,” “cell,” and “channel” may be used interchangeably herein.
  • A UE 115 may be configured with multiple downlink CCs and one or more uplink CCs for carrier aggregation.
  • Carrier aggregation may be used with both FDD and TDD component carriers.
  • One or more of the base stations 105 may include functionality for performing NAS procedure instances with one or more UEs 115 connecting to the base station 105, redirecting UEs 115 to fallback networks (e.g., 2G networks in circuit switched fallback or other fallback where LTE is not available), etc.
  • Wireless communication system 100 may include one or more fake cells 150 that may broadcast system information advertising wireless communication services to one or more UEs 115, without providing backend connectivity to the core network 130.
  • The fake cell 150 can be capable of initiating a DoS attack for LTE services on connected UEs 115, redirecting UEs 115 to a rogue 2G network for exploiting security vulnerabilities of 2G, etc.
  • One or more UEs 115 can include a communicating component 240 for establishing a communication link 125 with one or more cells of a base station 105 (or a communication link 152 with fake cell 150), detecting whether the cell is a fake cell, and possibly barring further connections with the cell. This can help to prevent DoS attacks on the UE 115 by the fake cell 150 and/or other security vulnerability exploitation.
  • In FIGS. 2-4, aspects are depicted with reference to one or more components and one or more methods that may perform the actions or operations described herein, where aspects in dashed line may be optional.
  • Although the operations described below in FIG. 3 are presented in a particular order and/or as being performed by an example component, it should be understood that the ordering of the actions and the components performing the actions may be varied, depending on the implementation.
  • The following actions, functions, and/or described components may be performed by a specially-programmed processor, a processor executing specially-programmed software or computer-readable media, or by any other combination of a hardware component and/or a software component capable of performing the described actions or functions.
  • A block diagram 200 is shown that includes a portion of a wireless communications system having multiple UEs 115 in communication with a base station 105 via communication links 125, where the base station 105 is also connected to a network 210, which may include one or more components of a core network (e.g., core network 130).
  • The UEs 115 may be examples of the UEs described in the present disclosure that are configured to detect fake cells.
  • The UE 115 in FIG. 2 may include one or more processors 205 and/or memory 202 that may operate in combination with a communicating component 240 to perform the functions, methods (e.g., method 300 of FIG. 3), etc., presented in the present disclosure.
  • The communicating component 240 may include one or more components for establishing a communication link or other connection with a cell, detecting whether the cell is a fake cell, possibly barring further connection to the cell by the UE 115, etc.
  • Communicating component 240 may include a NAS component 242 for performing a NAS procedure instance with a cell to which the UE 115 is connected, a fake cell detecting component 244 for detecting whether the cell is a fake cell, which may be based on one or more portions of the NAS procedure instance, and/or a cell barring component 246 for possibly barring connection to the cell where it is determined to be a fake cell.
  • the one or more processors 205 may include a modem 220 that uses one or more modem processors.
  • the various functions related to the communicating component 240, and/or its sub-components, may be included in modem 220 and/or processor 205 and, in an aspect, can be executed by a single processor, while in other aspects, different ones of the functions may be executed by a combination of two or more different processors.
  • the one or more processors 205 may include any one or any combination of a modem processor, or a baseband processor, or a digital signal processor, or a transmit processor, or a transceiver processor associated with transceiver 270, or a system-on-chip (SoC) .
  • SoC system-on-chip
  • the one or more processors 205 may execute functions and components included in the communicating component 240.
  • communicating component 240, or sub-components thereof may operate at one or more communication layers, such as physical layer or L1, MAC layer or L2, a PDCP/RLC layer or L3, etc., to establish and/or terminate connections to the cells, detect fake cells based on messages from higher layers (e.g., a NAS layer) , etc.
  • the communicating component 240 and each of the sub-components may comprise hardware, firmware, and/or software and may be configured to execute code or perform instructions stored in a memory (e.g., a computer-readable storage medium, such as memory 202 discussed below) .
  • the UE 115 in FIG. 2 may include an RF front end 290 and transceiver 270 for receiving and transmitting radio transmissions to, for example, base stations 105.
  • the transceiver 270 may coordinate with the modem 220 to receive signals that include packets (e.g., and/or one or more related PDUs) .
  • RF front end 290 may be connected to one or more antennas 273 and can include one or more switches 292, one or more amplifiers (e.g., PAs 294 and/or LNAs 291) , and one or more filters 293 for transmitting and receiving RF signals on uplink channels and downlink channels.
  • the components of the RF front end 290 can connect with transceiver 270.
  • the transceiver 270 may connect to one or more of modem 220 and processors 205.
  • the transceiver 270 may be configured to transmit (e.g., via transmitter (TX) radio 275) and receive (e.g., via receiver (RX) radio 280) wireless signals through antennas 273 via the RF front end 290.
  • the transceiver 270 may be tuned to operate at specified frequencies such that the UE 115 can communicate with, for example, base stations 105.
  • the modem 220 can configure the transceiver 270 to operate at a specified frequency and power level based on the configuration of the UE 115 and communication protocol used by the modem 220.
  • the UE 115 in FIG. 2 may further include a memory 202, such as for storing data used herein and/or local versions of applications or communicating component 240 and/or one or more of its sub-components being executed by processor 205.
  • Memory 202 can include any type of computer-readable medium usable by a computer or processor 205, such as RAM, ROM, tapes, magnetic discs, optical discs, volatile memory, non-volatile memory, and any combination thereof.
  • memory 202 may be a computer-readable storage medium that stores one or more computer-executable codes defining communicating component 240 and/or one or more of its sub-components.
  • the UE 115 may include a bus 211 for coupling one or more of the RF front end 290, the transceiver 274, the memory 202, or the processor 205, and to exchange signaling information between each of the components and/or sub-components of the UE 115.
  • the processor (s) 205 may correspond to one or more of the processors described in connection with the UE in FIG. 4.
  • the memory 202 may correspond to the memory described in connection with the UE in FIG. 4.
  • FIG. 3 illustrates a flow chart of an example of a method 300 for connecting to cells in a wireless network.
  • a connection can be established with a cell in a wireless network.
  • communicating component 240 e.g., in conjunction with processor (s) 205, memory 202, transceiver 270, etc., can establish the connection with the cell in the wireless network.
  • communicating component 240 can establish the connection as a communication link 125 with a cell of one or more base stations 105, a communication link 152 with a fake cell 150, etc.
  • Communicating component 240 in this regard, can detect wireless services provided by the base station 105, fake cell 150, etc. based on system information broadcast from the base station 105, fake cell 150, etc., and can accordingly attempt to establish the connection.
  • communicating component 240 may establish the connection based on detecting the cell of the base station 105 or fake cell 150, and determining that the cell has more desirable communication properties (e.g., higher signal-to-noise ratio (SNR) , etc. ) than a current cell to which the UE 115 is connected.
  • communicating component 240 may establish the connection as part of handing over communications to the cell of the base station 105, fake cell 150, etc.
  • communicating component 240 may establish the connection at an RRC layer for transmitting further NAS communications, to the cell, at one or more higher layers.
  • a NAS procedure instance can be performed with the cell based on establishing the connection with the cell.
  • NAS component 242 e.g., in conjunction with processor (s) 205, memory 202, transceiver 270, communicating component 240, etc., can perform, based on establishing the connection with the cell, an NAS procedure with the cell.
  • NAS component 242 can perform the NAS procedure instance as defined by the wireless communication technology of the cell (e.g., LTE) .
  • NAS component 242 can transmit attach/TAU requests (e.g., as part of an HPLMN attach or TAU procedure) to the cell (e.g., a cell of base station 105 or the fake cell 150) over a corresponding connection (e.g., communication link 125 or 152), and may receive attach/TAU responses to the requests.
  • LTE may define a maximum number of NAS message sequences of a NAS procedure instance that may occur before redirecting the UE 115 to a fallback network (e.g., 2G), where the number can be defined for all NAS procedures, for specific NAS procedures (e.g., 5 requests for HPLMN attach or TAU), etc.
  • the UE 115 may also configure a defined pattern of NAS message sequences that may occur before considering the cell a fake cell (e.g., for all NAS messages, specific to a type of NAS procedure, etc. ) .
  • the UE 115 may configure the pattern of NAS message sequences as a threshold number of NAS message sequences performed with the cell, where the threshold number can be one less than the maximum number of NAS message sequences (e.g., 4) .
  • UE 115 can store one or more parameters related to the pattern (e.g., the threshold number) in memory 202, such as in an embedded file system (EFS) or other portion of the memory 202.
  • the NAS component 242 can operate at the NAS layer to communicate NAS messages with the cell, and can also notify lower layers (e.g., an RRC layer) when certain messages are sent and/or received (or are not received) .
  • NAS component 242 can send a Start message that indicates a type of NAS request (e.g., attach or TAU) and a sequence number indicating the NAS message sequence, to the RRC layer (e.g., to fake cell detecting component 244) .
  • the NAS component 242 can send a Finish message to the RRC layer (e.g., to fake cell detecting component 244) to indicate whether the NAS request was answered by the cell.
  • the Finish message can indicate success or failure of the Start message.
  • the Finish message may also indicate the type of NAS request (e.g., attach or TAU) , the sequence number, and a success/fail indicator for the corresponding NAS request.
  • NAS component 242 can set the success/fail indicator to indicate, respectively, that the NAS layer received a response to the NAS request (whether accept or reject), or received no response to the NAS request.
  • Sending the Start and/or Finish messages in this regard can allow the lower layer to terminate a connection with a cell where it is determined to possibly be a fake cell, as described herein.
  • the maximum number of NAS message sequences and/or the pattern of NAS message sequences may be based on the sequence number in these messages received from the NAS layer.
  • the NAS messages received by NAS component 242, and reported to the RRC layer may include at least one of: no response message (e.g., within a threshold period from sending a NAS request) , a response with only an identity request, an identity request plus a TAU reject, a fake authentication request followed by a fake authentication failure message, etc.
  • the RRC layer can be notified of the NAS message sequence, and may accordingly detect possible fake cell activity, as described herein.
  • fake cell detecting component 244 e.g., in conjunction with processor (s) 205, memory 202, transceiver 270, communicating component 240, NAS component 242, etc., can determine whether the NAS procedure instance has completed. For example, fake cell detecting component 244 can determine whether the NAS procedure instance has completed based on determining whether a Finish message is received from the NAS component 242 for a NAS message sequence, determining whether an extended service request (ESR) message for initiating fallback is received from the cell, etc.
  • a fake cell detection flag, which is described further herein, can optionally be set to false at Block 308, and/or fallback can optionally be initiated at Block 310 (e.g., where the ESR is received).
  • the fake cell detecting component 244 can set the fake cell detection flag to false, or can otherwise notify an RRC layer that the NAS procedure is complete, and the RRC layer can set the flag.
  • the fake cell detecting component 244 may initiate the fallback to a cell of a different network (e.g., a 2G cell) .
  • the method 300 can eventually proceed to Block 302 to establish a connection with another cell in the network at a later time (e.g., when LTE is again detected, after a configured period of time, etc. ) .
  • fake cell detecting component 244, e.g., in conjunction with processor (s) 205, memory 202, transceiver 270, communicating component 240, NAS component 242, etc., can determine whether the pattern of NAS message sequences is received in the NAS procedure instance.
  • the NAS component 242 can notify the fake cell detecting component 244 (which may operate at an RRC layer) of each NAS message received (e.g., each message in the NAS message sequence) or not received (e.g., after a threshold period of time) by communicating the Start and/or Finish messages as the indications, where the success/fail indicator in the Finish message can indicate whether a NAS message sequence with the cell was successful.
  • the fake cell detecting component 244 can determine whether a pattern is detected in the received NAS message sequences based on the indications. In one example, this may include determining whether a sequence number in a received indication of a NAS message achieves the threshold number, whether the NAS message with the sequence number achieving the threshold is a Finish message indicating failure, etc.
  • fake cell detecting component 244 can define the pattern to include a threshold number of NAS message sequences based on a configured maximum number of NAS message sequences (e.g., one less than the maximum) . Where the pattern is not detected (e.g., where the threshold number is not detected in the indications, the threshold numbered NAS message sequence indicates success, etc. ) , method 300 can proceed to Block 304 to continue performing the NAS procedure.
  • fake cell detecting component 244 e.g., in conjunction with processor (s) 205, memory 202, transceiver 270, communicating component 240, NAS component 242, etc., can determine whether the fake cell detection flag is set to false.
  • fake cell detecting component 244 can initially set the fake cell detection flag to false (e.g., upon UE 115 power up sequence) . Where fake cell detecting component 244 determines that the fake cell detection flag is not set to false (e.g., is set to true) , fallback can be initiated at Block 310.
  • connection to the cell can be barred.
  • cell barring component 246, e.g., in conjunction with processor (s) 205, memory 202, transceiver 270, communicating component 240, etc. can bar connection to the cell. For example, detecting the pattern of NAS message sequences can indicate that the cell is likely a fake cell, and thus UE 115 can bar connection thereto.
  • Cell barring component 246 may bar connection to the cell by adding an identifier of the cell to a list of barred cells (e.g., adding an E-UTRAN Global Cell Identifier (EGCI) to the list) .
  • method 300 can proceed to Block 302 to establish a connection with a different cell in the wireless network (e.g., that is not listed in the barred list of cells) .
  • the fake cell detection flag can optionally be set to true.
  • fake cell detecting component 244, e.g., in conjunction with processor (s) 205, memory 202, transceiver 270, communicating component 240, etc., can set the fake cell detection flag to true (e.g., based on determining to bar connections to the cell). This can allow the UE 115 to return to a conventional NAS procedure with the next cell in case LTE is actually not available (e.g., rather than continuing to attempt connection with other cells in an attempt to establish LTE communications).
  • fake cell detecting component 244 can, upon receiving a Start message, determine if a corresponding Finish message is received and whether the fake cell detection flag is false.
  • the Start and Finish messages may come from the NAS component 242 based on corresponding NAS message sequence of a NAS procedure instance being performed. If the fake cell detection flag is false, fake cell detecting component 244 can detect whether the sequence number of the Finish message is below the threshold and whether the Finish message indicates a fail, and if so, communicating component 240 can ignore an LTE-to-GSM (L2G) redirection at the serving cell with which NAS started the attach/TAU.
  • cell barring component 246 can bar the current LTE cell (e.g., using EGCI-based procedures), fake cell detecting component 244 can set the fake cell detection flag to true, and/or communicating component 240 can select another available LTE cell (e.g., for more attach/TAU procedure retries before the LTE radio access technology (RAT) is removed by the NAS layer).
  • the UE 115 can have another m − n attach/TAU requests to send before LTE is removed as an available RAT (e.g., for a period of time), where m is the maximum number of NAS message sequences and n is the threshold number (e.g., one more request for m = 5 and n = 4).
  • where fake cell detecting component 244 receives a corresponding Finish message that indicates a success and/or an ESR message, communicating component 240 can resume L2G redirection and may reset the fake cell detection flag to false.
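The detection flow of method 300 described above, simulated end to end as an added example (this is not code from the patent or from Qualcomm). The NAS side classifies each attach/TAU attempt into the Finish success/fail bit using the definition given above (a response, whether accept or reject, is a success; silence, an identity request alone, or an authentication request the UE answers with an authentication failure is a fail), and an RRC-side detector applies the threshold, the fake cell detection flag, barring by global cell identifier (EGCI in the text above) and the L2G-redirect handling. The NAS message names, the constants MAX_NAS_SEQUENCES = 5 and PATTERN_THRESHOLD = 4, the cell identifiers and the three cell scenarios are assumptions or constructed inputs, not captured traffic.

```python
"""UE-side fake cell detection, simulated after the Start/Finish flow above.
Added example, not code from the patent or from Qualcomm: message names,
constants and cell scenarios are assumptions or constructed inputs."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Assumed from the text: LTE allows 5 attach/TAU attempts before the UE drops
# LTE from its RAT list; the pattern threshold is one less than that.
MAX_NAS_SEQUENCES = 5
PATTERN_THRESHOLD = MAX_NAS_SEQUENCES - 1

# The Finish success bit means "the NAS request got a response, accept or
# reject"; silence, an identity request alone, or an authentication request
# the UE answers with AUTHENTICATION FAILURE leave the request unanswered.
RESPONSE_MSGS = {
    "ATTACH ACCEPT", "ATTACH REJECT",
    "TRACKING AREA UPDATE ACCEPT", "TRACKING AREA UPDATE REJECT",
}


def nas_sequence_succeeded(received: List[str]) -> bool:
    """NAS-layer classification of one attach/TAU attempt from the downlink
    NAS messages received before the request timer expired."""
    return any(msg in RESPONSE_MSGS for msg in received)


@dataclass
class Finish:
    nas_type: str   # "ATTACH" or "TAU"
    seq: int        # 1-based NAS message sequence number in the procedure instance
    success: bool


@dataclass
class FakeCellDetector:
    """RRC-layer state of the fake cell detecting and cell barring components."""
    barred: set = field(default_factory=set)   # global cell identifiers of barred cells
    flag: bool = False                          # fake cell detection flag, False at power-up
    ignore_l2g: bool = False                    # ignore LTE-to-GSM redirect from serving cell

    def on_finish(self, serving_cell: str, fin: Finish) -> str:
        """Handle one Finish indication from NAS; returns the action taken."""
        if fin.success:                       # procedure instance completed
            self.flag, self.ignore_l2g = False, False
            return "complete"
        if fin.seq < PATTERN_THRESHOLD:       # pattern not reached yet
            if not self.flag:
                self.ignore_l2g = True        # keep trying on LTE with this cell
                return "ignore_l2g_redirect"
            return "continue"
        if self.flag:                         # pattern already seen on another cell:
            return "fallback_2g"              # LTE may really be unavailable
        self.barred.add(serving_cell)         # pattern detected: bar this cell
        self.flag, self.ignore_l2g = True, False
        return "bar_and_reselect"

    def on_esr(self) -> str:
        """An extended service request ends the instance and permits fallback."""
        self.flag, self.ignore_l2g = False, False
        return "fallback_2g"

    def select_cell(self, candidates: List[str]) -> Optional[str]:
        """Pick the first candidate LTE cell that is not on the barred list."""
        return next((c for c in candidates if c not in self.barred), None)


def run_tau_instance(det: FakeCellDetector, order: List[str],
                     replies: Dict[str, List[List[str]]]) -> List[str]:
    """Drive one TAU procedure instance of up to MAX_NAS_SEQUENCES attempts over
    the candidate cells in `order`. replies[cell][i] lists the downlink NAS
    messages that cell returns to the UE's i-th request. Returns the trace."""
    trace, seq, used = [], 0, {c: 0 for c in replies}
    cell = det.select_cell(order)
    while cell is not None and seq < MAX_NAS_SEQUENCES:
        seq += 1
        i, used[cell] = used[cell], used[cell] + 1
        received = replies[cell][i] if i < len(replies[cell]) else []
        fin = Finish("TAU", seq, nas_sequence_succeeded(received))
        action = det.on_finish(cell, fin)
        trace.append(f"{cell}#{seq}:{action}")
        if action in ("complete", "fallback_2g"):
            return trace
        if action == "bar_and_reselect":
            cell = det.select_cell(order)
    trace.append("lte_removed_by_nas")       # attempt counter exhausted
    return trace


# Constructed scenarios (not real captures); cell identifiers are made up.
FAKE1, FAKE2, GOOD = "cell-fake-1", "cell-fake-2", "cell-good-1"
SILENT = [[], ["IDENTITY REQUEST"], ["IDENTITY REQUEST"], ["AUTHENTICATION REQUEST"], []]


def scenario_fake_then_good() -> List[str]:
    replies = {FAKE1: SILENT, GOOD: [["TRACKING AREA UPDATE ACCEPT"]]}
    return run_tau_instance(FakeCellDetector(), [FAKE1, GOOD], replies)


def scenario_two_fakes() -> List[str]:
    replies = {FAKE1: SILENT, FAKE2: SILENT}
    return run_tau_instance(FakeCellDetector(), [FAKE1, FAKE2], replies)


def scenario_identity_then_reject() -> List[str]:
    # A reject counts as a response under the Finish definition above, so
    # this sequence completes the instance rather than raising the pattern.
    replies = {FAKE1: [["IDENTITY REQUEST", "TRACKING AREA UPDATE REJECT"]]}
    return run_tau_instance(FakeCellDetector(), [FAKE1], replies)


if __name__ == "__main__":
    for fn in (scenario_fake_then_good, scenario_two_fakes, scenario_identity_then_reject):
        print(fn.__name__, fn())
```

In the first scenario the fourth unanswered request on the fake cell trips the pattern, the cell is barred and the fifth (final) request goes to the next LTE cell, which completes the instance and clears the flag; in the second, the next cell is also silent and, with the flag already set, the detector lets the conventional 2G fallback happen instead of barring indefinitely. The third scenario shows a caveat worth checking in a real implementation: the text lists "identity request plus TAU reject" among the sequences reported to RRC, but under the literal Finish definition (any response is a success) that sequence completes the instance, so an implementation that wants to treat it as suspicious has to feed the reject, or the lower-layer redirect that follows it, into the pattern as a failure.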
  • FIG. 4 is a block diagram of a MIMO communication system 400 including a base station 105 and a UE 115.
  • the MIMO communication system 400 may illustrate aspects of the wireless communication system 100 described with reference to FIG. 1.
  • the base station 105 may be an example of aspects of the base station 105 described with reference to FIGS. 1-2.
  • the base station 105 may be equipped with antennas 434 and 435, and the UE 115 may be equipped with antennas 452 and 453.
  • the base station 105 may be able to send data over multiple communication links at the same time.
  • Each communication link may be called a “layer” and the “rank” of the communication link may indicate the number of layers used for communication. For example, in a 2x2 MIMO communication system where base station 105 transmits two “layers,” the rank of the communication link between the base station 105 and the UE 115 is two.
  • a transmit (Tx) processor 420 may receive data from a data source. The transmit processor 420 may process the data. The transmit processor 420 may also generate control symbols or reference symbols.
  • a transmit MIMO processor 430 may perform spatial processing (e.g., precoding) on data symbols, control symbols, or reference symbols, if applicable, and may provide output symbol streams to the transmit modulator/demodulators 432 and 433. Each modulator/demodulator 432 through 433 may process a respective output symbol stream (e.g., for OFDM, etc. ) to obtain an output sample stream.
  • Each modulator/demodulator 432 through 433 may further process (e.g., convert to analog, amplify, filter, and upconvert) the output sample stream to obtain a DL signal.
  • DL signals from modulator/demodulators 432 and 433 may be transmitted via the antennas 434 and 435, respectively.
  • the UE 115 may be an example of aspects of the UEs 115 described with reference to FIGS. 1-2.
  • the UE antennas 452 and 453 may receive the DL signals from the base station 105 and may provide the received signals to the modulator/demodulators 454 and 455, respectively.
  • Each modulator/demodulator 454 through 455 may condition (e.g., filter, amplify, downconvert, and digitize) a respective received signal to obtain input samples.
  • Each modulator/demodulator 454 through 455 may further process the input samples (e.g., for OFDM, etc. ) to obtain received symbols.
  • a MIMO detector 456 may obtain received symbols from the modulator/demodulators 454 and 455, perform MIMO detection on the received symbols, if applicable, and provide detected symbols.
  • a receive (Rx) processor 458 may process (e.g., demodulate, deinterleave, and decode) the detected symbols, providing decoded data for the UE 115 to a data output, and provide decoded control information to a processor 480, or memory 482.
  • the processor 480 may in some cases execute stored instructions to instantiate a communicating component 240 (see e.g., FIGS. 1-2) .
  • a transmit processor 464 may receive and process data from a data source.
  • the transmit processor 464 may also generate reference symbols for a reference signal.
  • the symbols from the transmit processor 464 may be precoded by a transmit MIMO processor 466 if applicable, further processed by the modulator/demodulators 454 and 455 (e.g., for SC-FDMA, etc. ) , and be transmitted to the base station 105 in accordance with the communication parameters received from the base station 105.
  • the UL signals from the UE 115 may be received by the antennas 434 and 435, processed by the modulator/demodulators 432 and 433, detected by a MIMO detector 436 if applicable, and further processed by a receive processor 438.
  • the receive processor 438 may provide decoded data to a data output and to the processor 440 or memory 442.
  • the components of the UE 115 may, individually or collectively, be implemented with one or more ASICs adapted to perform some or all of the applicable functions in hardware.
  • Each of the noted modules may be a means for performing one or more functions related to operation of the MIMO communication system 400.
  • the components of the base station 105 may, individually or collectively, be implemented with one or more ASICs adapted to perform some or all of the applicable functions in hardware.
  • Each of the noted components may be a means for performing one or more functions related to operation of the MIMO communication system 400.
  • Information and signals may be represented using any of a variety of different technologies and techniques.
  • data, instructions, commands, information, signals, bits, symbols, and chips that may be referenced throughout the above description may be represented by voltages, currents, electromagnetic waves, magnetic fields or particles, optical fields or particles, computer-executable code or instructions stored on a computer-readable medium, or any combination thereof.
  • the functions described herein may be implemented or performed with a specially-programmed device such as, but not limited to, a processor, a digital signal processor (DSP), an ASIC, a FPGA or other programmable logic device, discrete gate or transistor logic, a discrete hardware component, or any combination thereof designed to perform the functions described herein.
  • a specially-programmed processor may be a microprocessor, but in the alternative, the processor may be any conventional processor, controller, microcontroller, or state machine.
  • a specially-programmed processor may also be implemented as a combination of computing devices, e.g., a combination of a DSP and a microprocessor, multiple microprocessors, one or more microprocessors in conjunction with a DSP core, or any other such configuration.
  • the functions described herein may be implemented in hardware, software executed by a processor, firmware, or any combination thereof. If implemented in software executed by a processor, the functions may be stored on or transmitted over as one or more instructions or code on a non-transitory computer-readable medium. Other examples and implementations are within the scope and spirit of the disclosure and appended claims. For example, due to the nature of software, functions described above can be implemented using software executed by a specially programmed processor, hardware, firmware, hardwiring, or combinations of any of these. Features implementing functions may also be physically located at various positions, including being distributed such that portions of functions are implemented at different physical locations.
  • Computer-readable media includes both computer storage media and communication media including any medium that facilitates transfer of a computer program from one place to another.
  • a storage medium may be any available medium that can be accessed by a general purpose or special purpose computer.
  • computer-readable media can comprise RAM, ROM, EEPROM, CD-ROM or other optical disk storage, magnetic disk storage or other magnetic storage devices, or any other medium that can be used to carry or store desired program code means in the form of instructions or data structures and that can be accessed by a general-purpose or special-purpose computer, or a general-purpose or special-purpose processor.
  • any connection is properly termed a computer-readable medium.
  • Disk and disc include compact disc (CD) , laser disc, optical disc, digital versatile disc (DVD) , floppy disk and Blu-ray disc where disks usually reproduce data magnetically, while discs reproduce data optically with lasers. Combinations of the above are also included within the scope of computer-readable media.

Abstract

Aspects of the present disclosure describe detecting, by a user equipment (UE), fake cells in wireless communications. The UE can establish a connection with a cell in a wireless network, and can perform, based on establishing the connection with the cell, a non-access stratum (NAS) procedure instance with the cell at a NAS layer. The UE can detect a pattern of NAS message sequences received during the NAS procedure instance, and based on detecting the pattern of NAS message sequences, can bar connection to the cell.

Description

TECHNIQUES FOR DETECTING FAKE CELLS IN WIRELESS COMMUNICATIONS
BACKGROUND
Aspects of the present disclosure relate generally to wireless communication systems, and more particularly, to detecting fake cells in wireless communications.
Wireless communication systems are widely deployed to provide various types of communication content such as voice, video, packet data, messaging, broadcast, and so on. These systems may be multiple-access systems capable of supporting communication with multiple users by sharing the available system resources (e.g., time, frequency, and power) . Examples of such multiple-access systems include code-division multiple access (CDMA) systems, time-division multiple access (TDMA) systems, frequency-division multiple access (FDMA) systems, and orthogonal frequency-division multiple access (OFDMA) systems, and single-carrier frequency division multiple access (SC-FDMA) systems.
These multiple access technologies have been adopted in various telecommunication standards to provide a common protocol that enables different wireless devices to communicate on a municipal, national, regional, and even global level. For example, fourth generation (4G) and/or fifth generation (5G) wireless communications technologies have been, or are being, developed to expand and support diverse usage scenarios and applications with respect to current mobile network generations. An example of a 4G network can include a third generation partnership project (3GPP) long term evolution (LTE) network.
In LTE networks, security vulnerabilities may exist where a fake cell can be provided to exploit the security vulnerabilities and disrupt wireless communications for a user equipment (UE). A fake cell can refer to a cell implemented (e.g., by a party that is not a cellular operator) for such purposes as disrupting wireless communications of UEs, otherwise obtaining confidential information from the UEs, etc. In the tracking area update (TAU) request procedure of 4G, for example, a fake cell can cause denial-of-service (DoS) to a UE by rejecting TAU requests from the UE, which may cause the UE to remove support for 4G technology for at least a period of time. In another example, a fake cell can cause the UE to fall back to a 2G cell (e.g., based on rejecting the TAU requests), where the 2G cell may exploit further security vulnerabilities associated with 2G technologies, etc.
SUMMARY
The following presents a simplified summary of one or more aspects in order to provide a basic understanding of such aspects. This summary is not an extensive overview of all contemplated aspects, and is intended to neither identify key or critical elements of all aspects nor delineate the scope of any or all aspects. Its sole purpose is to present some concepts of one or more aspects in a simplified form as a prelude to the more detailed description that is presented later.
According to an example, a method for detecting, by a user equipment (UE) , fake cells in wireless communications is provided. The method includes establishing, by the UE, a connection with a cell in a wireless network, performing, by the UE and based on establishing the connection with the cell, a non-access stratum (NAS) procedure instance with the cell at a NAS layer, detecting, by the UE, a pattern of NAS message sequences received during the NAS procedure, and barring, by the UE and based on detecting the pattern of NAS message sequences, connection to the cell.
In another example, an apparatus for wireless communication is provided that includes a transceiver for communicating in a wireless network via one or more antennas, a memory configured to store instructions, and one or more processors communicatively coupled with the transceiver and the memory. The one or more processors are configured to establish a connection with a cell in the wireless network, perform, based on establishing the connection with the cell, a NAS procedure instance with the cell at a NAS layer, detect a pattern of NAS message sequences received during the NAS procedure, and bar, based on detecting the pattern of NAS message sequences, connection to the cell.
In yet another example, an apparatus for detecting, by a UE, fake cells in wireless communications is provided. The apparatus includes means for establishing, by the UE, a connection with a cell in a wireless network, means for performing, by the UE and based on establishing the connection with the cell, a NAS procedure instance with the cell at a NAS layer, means for detecting, by the UE, a pattern of NAS message sequences received during the NAS procedure, and means for barring, by the UE and based on detecting the pattern of NAS message sequences, connection to the cell.
In another example, a computer-readable medium, including code executable by one or more processors for detecting, by a UE, fake cells in wireless communications is provided. The code includes code for establishing, by the UE, a connection with a cell in a wireless network, code for performing, by the UE and based on establishing the connection with the cell, a NAS procedure instance with the cell at a NAS layer, code for detecting, by the UE, a pattern of NAS message sequences received during the NAS procedure, and code for barring, by the UE and based on detecting the pattern of NAS message sequences, connection to the cell.
To the accomplishment of the foregoing and related ends, the one or more aspects comprise the features hereinafter fully described and particularly pointed out in the claims. The following description and the annexed drawings set forth in detail certain illustrative features of the one or more aspects. These features are indicative, however, of but a few of the various ways in which the principles of various aspects may be employed, and this description is intended to include all such aspects and their equivalents.
BRIEF DESCRIPTION OF THE DRAWINGS
The disclosed aspects will hereinafter be described in conjunction with the appended drawings, provided to illustrate and not to limit the disclosed aspects, wherein like designations denote like elements, and in which:
FIG. 1 illustrates an example of a wireless communication system, in accordance with various aspects of the present disclosure;
FIG. 2 is a block diagram illustrating an example of a UE, in accordance with various aspects of the present disclosure;
FIG. 3 is a flow chart illustrating an example of a method for establishing a connection with a cell, in accordance with various aspects of the present disclosure; and
FIG. 4 is a block diagram illustrating an example of a MIMO communication system including a base station and a UE, in accordance with various aspects of the present disclosure.
DETAILED DESCRIPTION
Various aspects are now described with reference to the drawings. In the following description, for purposes of explanation, numerous specific details are set forth in order to provide a thorough understanding of one or more aspects. It may be evident, however, that such aspect (s) may be practiced without these specific details.
The described features generally relate to enabling a user equipment (UE) to detect a fake cell in a wireless network. A fake cell can refer to a cell implemented (e.g., by a party that is not a cellular operator) for purposes of causing a UE to connect to the fake cell, allowing the fake cell to disrupt wireless communications of the UE, otherwise obtain confidential information from the UE, etc. For example, a fake cell can broadcast system information defined for use in a wireless technology, such as third generation partnership project (3GPP) long term evolution (LTE) , to advertise wireless communications services, and can provide a mechanism for UEs to attach to the fake cell, such as a random access channel (RACH) for performing RACH procedures, etc. Thus, UEs can connect to the fake cell, and the fake cell can cause a denial of service (DoS) by overriding a tracking area update (TAU) procedure to reject the UE’s TAU requests, can cause redirection of the UE to a legacy cell, such as a second generation (2G) cell for further exploitation of security vulnerabilities, etc.
As the fake cells are typically not truly connected to a backend cellular network, the fake cells may not be able to sufficiently satisfy a TAU procedure performed by the UE. Thus, a number of failed TAU requests may be indicative of the UE being attached to a fake cell. The same may be true for home public land mobile network (HPLMN) attach requests. In one example, the UE can be configured to perform a number of non-access stratum (NAS) requests of a NAS procedure instance before determining to not support LTE communications (at least for a period of time). Such NAS procedure instances may include substantially any procedure performed at a NAS layer as part of establishing communications with a cell, such as a TAU procedure, a HPLMN attach procedure, etc. Occurrence of sequential failed NAS requests, or otherwise a number of NAS message sequences performed without a successful NAS procedure instance, can be relatively rare, and thus can be used to detect possible connection to the fake cell. As described herein, a UE can perform the NAS procedure instance with a cell, and where a number of NAS message sequences are received (e.g., which may be indicative of a NAS request failure), the UE can consider the cell to be a fake cell, can bar connections to the cell, and can attempt to connect to a different cell. This can avoid the UE falling into a DoS of the fake cell, or falling back to a 2G cell, which may be indicated by the fake cell and may be another fake cell for the purpose of compromising information on the UE, etc.
For example, a fourth-generation (4G) cellular network, although significantly improved in security over previous generations, may still have the vulnerability that a UE cannot actively validate the network under certain scenarios. For example, when a UE updates its presence upon entering a new tracking area and receives a network response indicating an anomaly, it may not be able to authenticate its counterpart. Another example is that there may not be a defined UE mechanism to determine the reliability of the system configuration for mobility towards previous generations (albeit this may not be essential for acquiring 4G services). It may be possible, in this regard, for UEs to lose 4G services because of fake base station/cell encounters.
The detrimental effect of accessing an unsafe network can manifest in the UE’s loss of 4G service (referred to as a downgrade attack), and the subsequent exposure of the UE to rogue 2G base stations, which the 2G specifications allow to operate without security and thereby gain illicit control. One way for the unsafe network to accomplish this is a DoS attack at the NAS that can force the UE’s 4G removal, and another is an extremely biased 4G-to-2G reselection configuration in the system broadcast information.
The NAS DoS attack can exhibit multiple levels of sophistication, such as (1) no response to the UE’s NAS TAU request (e.g., either no lower-layer connection setup or a bare connection setup without any NAS signaling) or (2) sending an identity request in response to the NAS TAU followed by a rejection (or lower-layer redirect), where the UE either (1) removes 4G from its radio access technology (RAT) list after five failed TAUs in a row, or (2) is downgraded/redirected to 2G. In an example, the biased reselection configuration can be characterized either by (1) limited 4G mobility (e.g., no intra-4G reselection at all, or intra-frequency only), or (2) biased 4G-to-2G parameters (e.g., any 2G cell qualifies for reselection with equal or higher priority than 4G). Aspects are described herein for improving UE capability for detecting potentially fake cells, and/or barring connection thereto.
The described features will be presented in more detail below with reference to FIGS. 1-4.
As used in this application, the terms “component,” “module,” “system” and the like are intended to include a computer-related entity, such as but not limited to hardware, firmware, a combination of hardware and software, software, or software in execution. For example, a component may be, but is not limited to being, a process running on a processor, a processor, an object, an executable, a thread of execution, a program, and/or a computer. By way of illustration, both an application running on a computing device and the computing device can be a component. One or more components can reside within a process and/or thread of execution and a component can be localized on one computer and/or distributed between two or more computers. In addition, these components can execute from various computer readable media having various data structures stored thereon. The components can communicate by way of local and/or remote processes such as in accordance with a signal having one or more data packets, such as data from one component interacting with another component in a local system, distributed system, and/or across a network such as the Internet with other systems by way of the signal.
Techniques described herein may be used for various wireless communication systems such as CDMA, TDMA, FDMA, OFDMA, SC-FDMA, and other systems. The terms “system” and “network” may often be used interchangeably. A CDMA system may implement a radio technology such as CDMA2000, Universal Terrestrial Radio Access (UTRA) , etc. CDMA2000 covers IS-2000, IS-95, and IS-856 standards. IS-2000 Releases 0 and A are commonly referred to as CDMA2000 1X, 1X, etc. IS-856 (TIA-856) is commonly referred to as CDMA2000 1xEV-DO, High Rate Packet Data (HRPD) , etc. UTRA includes Wideband CDMA (WCDMA) and other variants of CDMA. A TDMA system may implement a radio technology such as Global System for Mobile Communications (GSM) . An OFDMA system may implement a radio technology such as Ultra Mobile Broadband (UMB) , Evolved UTRA (E-UTRA) , IEEE 802.11 (Wi-Fi) , IEEE 802.16 (WiMAX) , IEEE 802.20, Flash-OFDMTM, etc. UTRA and E-UTRA are part of Universal Mobile Telecommunication System (UMTS) . 3GPP Long Term Evolution (LTE) and LTE-Advanced (LTE-A) are new releases of UMTS that use E-UTRA. UTRA, E-UTRA, UMTS, LTE, LTE-A, and GSM are described in documents from an organization named “3rd Generation Partnership Project” (3GPP) . CDMA2000 and UMB are described in documents from an organization named “3rd Generation Partnership Project 2” (3GPP2) . The techniques described herein may be used for the systems and radio technologies mentioned above as well as other systems and radio technologies, including cellular (e.g., LTE) communications over a shared radio frequency spectrum band. The description below, however, describes an LTE/LTE-A  system for purposes of example, and LTE terminology is used in much of the description below, although the techniques are applicable beyond LTE/LTE-A applications (e.g., to 5G networks or other next generation communication systems) .
The following description provides examples, and is not limiting of the scope, applicability, or examples set forth in the claims. Changes may be made in the function and arrangement of elements discussed without departing from the scope of the disclosure. Various examples may omit, substitute, or add various procedures or components as appropriate. For instance, the methods described may be performed in an order different from that described, and various steps may be added, omitted, or combined. Also, features described with respect to some examples may be combined in other examples.
Various aspects or features will be presented in terms of systems that can include a number of devices, components, modules, and the like. It is to be understood and appreciated that the various systems can include additional devices, components, modules, etc. and/or may not include all of the devices, components, modules etc. discussed in connection with the figures. A combination of these approaches can also be used.
FIG. 1 illustrates an example of a wireless communication system 100 in accordance with various aspects of the present disclosure. The wireless communication system 100 may include one or more base stations 105, one or more UEs 115, and a core network 130. The core network 130 may provide user authentication, access authorization, tracking, internet protocol (IP) connectivity, and other access, routing, or mobility functions. The base stations 105 may interface with the core network 130 through backhaul links 132 (e.g., S1, etc.). The base stations 105 may perform radio configuration and scheduling for communication with the UEs 115, or may operate under the control of a base station controller (not shown). In various examples, the base stations 105 may communicate, either directly or indirectly (e.g., through core network 130), with one another over backhaul links 134 (e.g., X2, etc.), which may be wired or wireless communication links.
The base stations 105 may wirelessly communicate with the UEs 115 via one or more base station antennas. Each of the base stations 105 may provide communication coverage for a respective geographic coverage area 110. In some examples, base stations 105 may be referred to as a network entity, a base transceiver station, a radio base station, an access point, a radio transceiver, a NodeB, eNodeB (eNB), Home NodeB, a Home eNodeB, or some other suitable terminology. The geographic coverage area 110 for a base station 105 may be divided into sectors making up only a portion of the coverage area (not shown). The wireless communication system 100 may include base stations 105 of different types (e.g., macro or small cell base stations). There may be overlapping geographic coverage areas 110 for different technologies.
In some examples, the wireless communication system 100 may be or include a Long Term Evolution (LTE) or LTE-Advanced (LTE-A) network. The wireless communication system 100 may also be a next generation network, such as a 5G wireless communication network. In LTE/LTE-A networks, the term evolved node B (eNB), gNB, etc. may be generally used to describe the base stations 105, while the term UE may be generally used to describe the UEs 115. The wireless communication system 100 may be a heterogeneous LTE/LTE-A network in which different types of eNBs provide coverage for various geographical regions. For example, each eNB or base station 105 may provide communication coverage for a macro cell, a small cell, or other types of cell. The term “cell” is a 3GPP term that can be used to describe a base station, a carrier or component carrier associated with a base station, or a coverage area (e.g., sector, etc.) of a carrier or base station, depending on context.
A macro cell may cover a relatively large geographic area (e.g., several kilometers in radius) and may allow unrestricted access by UEs 115 with service subscriptions with the network provider.
A small cell may include a lower-powered base station, as compared with a macro cell, that may operate in the same or different (e.g., licensed, unlicensed, etc.) frequency bands as macro cells. Small cells may include pico cells, femto cells, and micro cells according to various examples. A pico cell, for example, may cover a small geographic area and may allow unrestricted access by UEs 115 with service subscriptions with the network provider. A femto cell may also cover a small geographic area (e.g., a home) and may provide restricted access by UEs 115 having an association with the femto cell (e.g., UEs 115 in a closed subscriber group (CSG), UEs 115 for users in the home, and the like). An eNB for a macro cell may be referred to as a macro eNB, gNB, etc. An eNB for a small cell may be referred to as a small cell eNB, a pico eNB, a femto eNB, or a home eNB. An eNB may support one or multiple (e.g., two, three, four, and the like) cells (e.g., component carriers).
The communication networks that may accommodate some of the various disclosed examples may be packet-based networks that operate according to a layered protocol stack, and data in the user plane may be based on IP. A packet data convergence protocol (PDCP) layer can provide header compression, ciphering, integrity protection, etc. of IP packets. A radio link control (RLC) layer may perform packet segmentation and reassembly to communicate over logical channels. A media access control (MAC) layer may perform priority handling and multiplexing of logical channels into transport channels. The MAC layer may also use HARQ to provide retransmission at the MAC layer to improve link efficiency. In the control plane, the radio resource control (RRC) protocol layer may provide establishment, configuration, and maintenance of an RRC connection between a UE 115 and the base stations 105. The RRC protocol layer may also be used for core network 130 support of radio bearers for the user plane data. At the physical (PHY) layer, the transport channels may be mapped to physical channels.
The UEs 115 may be dispersed throughout the wireless communication system 100, and each UE 115 may be stationary or mobile. A UE 115 may also include or be referred to by those skilled in the art as a mobile station, a subscriber station, a mobile unit, a subscriber unit, a wireless unit, a remote unit, a mobile device, a wireless device, a wireless communications device, a remote device, a mobile subscriber station, an access terminal, a mobile terminal, a wireless terminal, a remote terminal, a handset, a user agent, a mobile client, a client, or some other suitable terminology. A UE 115 may be a cellular phone, a personal digital assistant (PDA), a wireless modem, a wireless communication device, a handheld device, a tablet computer, a laptop computer, a cordless phone, a wireless local loop (WLL) station, an entertainment device, a vehicular component, or the like. A UE may be able to communicate with various types of base stations and network equipment including macro eNBs, small cell eNBs, relay base stations, and the like.
The communication links 125 shown in wireless communication system 100 may carry uplink (UL) transmissions from a UE 115 to a base station 105, or downlink (DL) transmissions from a base station 105 to a UE 115. The downlink transmissions may also be called forward link transmissions while the uplink transmissions may also be called reverse link transmissions. Each communication link 125 may include one or more carriers, where each carrier may be a signal made up of multiple sub-carriers (e.g., waveform signals of different frequencies) modulated according to the various radio technologies described above. Each modulated signal may be sent on a different sub-carrier and may carry control information (e.g., reference signals, control channels, etc.), overhead information, user data, etc. The communication links 125 may transmit bidirectional communications using frequency division duplex (FDD) (e.g., using paired spectrum resources) or time division duplex (TDD) operation (e.g., using unpaired spectrum resources). Frame structures may be defined for FDD (e.g., frame structure type 1) and TDD (e.g., frame structure type 2).
In aspects of the wireless communication system 100, base stations 105 or UEs 115 may include multiple antennas for employing antenna diversity schemes to improve communication quality and reliability between base stations 105 and UEs 115. Additionally or alternatively, base stations 105 or UEs 115 may employ multiple input multiple output (MIMO) techniques that may take advantage of multi-path environments to transmit multiple spatial layers carrying the same or different coded data.
Wireless communication system 100 may support operation on multiple cells or carriers, a feature which may be referred to as carrier aggregation (CA) or multi-carrier operation. A carrier may also be referred to as a component carrier (CC), a layer, a channel, etc. The terms “carrier,” “component carrier,” “cell,” and “channel” may be used interchangeably herein. A UE 115 may be configured with multiple downlink CCs and one or more uplink CCs for carrier aggregation. Carrier aggregation may be used with both FDD and TDD component carriers.
In aspects of the wireless communication system 100, one or more of the base stations 105 may include functionality for performing NAS procedure instances with one or more UEs 115 connecting to the base station 105, redirecting UEs 115 to fallback networks (e.g., 2G networks in circuit switched fallback or other fallback where LTE is not available), etc. In addition, wireless communication system 100 may include one or more fake cells 150 that may broadcast system information advertising wireless communication services to one or more UEs 115, without providing backend connectivity to the core network 130. As described, for example, the fake cell 150 can be capable of initiating a DoS attack for LTE services on connected UEs 115, redirecting UEs 115 to a rogue 2G network for exploiting security vulnerabilities of 2G, etc. One or more UEs 115 can include a communicating component 240 for establishing a communication link 125 with one or more cells of a base station 105 (or communication link 152 with fake cell 150), detecting whether the cell is a fake cell, and possibly barring further connections with the cell. This can help to prevent DoS attacks on the UE 115 by the fake cell 150 and/or other security vulnerability exploitation.
Turning now to FIGS. 2-4, aspects are depicted with reference to one or more components and one or more methods that may perform the actions or operations described herein, where aspects in dashed line may be optional. Although the operations described below in FIG. 3 are presented in a particular order and/or as being performed by an example component, it should be understood that the ordering of the actions and the components performing the actions may be varied, depending on the implementation. Moreover, it should be understood that the following actions, functions, and/or described components may be performed by a specially-programmed processor, a processor executing specially-programmed software or computer-readable media, or by any other combination of a hardware component and/or a software component capable of performing the described actions or functions.
Referring to FIG. 2, a block diagram 200 is shown that includes a portion of a wireless communications system having multiple UEs 115 in communication with a base station 105 via communication links 125, where the base station 105 is also connected to a network 210, which may include one or more components of a core network (e.g., core network 130). The UEs 115 may be examples of the UEs described in the present disclosure that are configured to detect fake cells.
In an aspect, the UE 115 in FIG. 2 may include one or more processors 205 and/or memory 202 that may operate in combination with a communicating component 240 to perform the functions, methods (e.g., method 300 of FIG. 3), etc., presented in the present disclosure. In accordance with the present disclosure, the communicating component 240 may include one or more components for establishing a communication link or other connection with a cell, detecting whether the cell is a fake cell, possibly barring further connection to the cell by the UE 115, etc. For example, communicating component 240 may include a NAS component 242 for performing a NAS procedure instance with a cell to which the UE 115 is connected, a fake cell detecting component 244 for detecting whether the cell is a fake cell, which may be based on one or more portions of the NAS procedure instance, and/or a cell barring component 246 for possibly barring connection to the cell where it is determined to be a fake cell.
The one or more processors 205 may include a modem 220 that uses one or more modem processors. The various functions related to the communicating component 240, and/or its sub-components, may be included in modem 220 and/or processor 205 and, in an aspect, can be executed by a single processor, while in other aspects, different ones of the functions may be executed by a combination of two or more different processors. For example, in an aspect, the one or more processors 205 may include any one or any combination of a modem processor, or a baseband processor, or a digital signal processor, or a transmit processor, or a transceiver processor associated with transceiver 270, or a system-on-chip (SoC). In particular, the one or more processors 205 may execute functions and components included in the communicating component 240. In another example, communicating component 240, or sub-components thereof, may operate at one or more communication layers, such as physical layer or L1, MAC layer or L2, a PDCP/RLC layer or L3, etc., to establish and/or terminate connections to the cells, detect fake cells based on messages from higher layers (e.g., a NAS layer), etc.
In some examples, the communicating component 240 and each of the sub-components may comprise hardware, firmware, and/or software and may be configured to execute code or perform instructions stored in a memory (e.g., a computer-readable storage medium, such as memory 202 discussed below). Moreover, in an aspect, the UE 115 in FIG. 2 may include an RF front end 290 and transceiver 270 for receiving and transmitting radio transmissions to, for example, base stations 105. The transceiver 270 may coordinate with the modem 220 to receive signals that include packets (e.g., and/or one or more related PDUs). RF front end 290 may be connected to one or more antennas 273 and can include one or more switches 292, one or more amplifiers (e.g., PAs 294 and/or LNAs 291), and one or more filters 293 for transmitting and receiving RF signals on uplink channels and downlink channels. In an aspect, the components of the RF front end 290 can connect with transceiver 270. The transceiver 270 may connect to one or more of modem 220 and processors 205.
The transceiver 270 may be configured to transmit (e.g., via transmitter (TX) radio 275) and receive (e.g., via receiver (RX) radio 280) wireless signals through antennas 273 via the RF front end 290. In an aspect, the transceiver 270 may be tuned to operate at specified frequencies such that the UE 115 can communicate with, for example, base stations 105. In an aspect, for example, the modem 220 can configure the transceiver 270 to operate at a specified frequency and power level based on the configuration of the UE 115 and communication protocol used by the modem 220.
The UE 115 in FIG. 2 may further include a memory 202, such as for storing data used herein and/or local versions of applications or communicating component 240 and/or one or more of its sub-components being executed by processor 205. Memory 202 can include any type of computer-readable medium usable by a computer or processor 205, such as RAM, ROM, tapes, magnetic discs, optical discs, volatile memory, non-volatile memory, and any combination thereof. In an aspect, for example, memory 202 may be a computer-readable storage medium that stores one or more computer-executable codes defining communicating component 240 and/or one or more of its sub-components. Additionally or alternatively, the UE 115 may include a bus 211 for coupling one or more of the RF front end 290, the transceiver 274, the memory 202, or the processor 205, and to exchange signaling information between each of the components and/or sub-components of the UE 115.
In an aspect, the processor(s) 205 may correspond to one or more of the processors described in connection with the UE in FIG. 4. Similarly, the memory 202 may correspond to the memory described in connection with the UE in FIG. 4.
FIG. 3 illustrates a flow chart of an example of a method 300 for connecting to cells in a wireless network.
At Block 302, a connection can be established with a cell in a wireless network. In an aspect, communicating component 240, e.g., in conjunction with processor(s) 205, memory 202, transceiver 270, etc., can establish the connection with the cell in the wireless network. For example, communicating component 240 can establish the connection as a communication link 125 with a cell of one or more base stations 105, a communication link 152 with a fake cell 150, etc. Communicating component 240, in this regard, can detect wireless services provided by the base station 105, fake cell 150, etc. based on system information broadcast from the base station 105, fake cell 150, etc., and can accordingly attempt to establish the connection. In one example, communicating component 240 may establish the connection based on detecting the cell of the base station 105 or fake cell 150, and determining that the cell has more desirable communication properties (e.g., higher signal-to-noise ratio (SNR), etc.) than a current cell to which the UE 115 is connected. Thus, in an example, communicating component 240 may establish the connection as part of handing over communications to the cell of the base station 105, fake cell 150, etc. In addition, communicating component 240 may establish the connection at an RRC layer for transmitting further NAS communications to the cell at one or more higher layers.
At Block 304, a NAS procedure instance can be performed with the cell based on establishing the connection with the cell. In an aspect, NAS component 242, e.g., in conjunction with processor(s) 205, memory 202, transceiver 270, communicating component 240, etc., can perform, based on establishing the connection with the cell, a NAS procedure with the cell. For example, NAS component 242 can perform the NAS procedure instance as defined by the wireless communication technology of the cell (e.g., LTE). This may include NAS component 242 sending attach/TAU requests (e.g., as part of an HPLMN attach or TAU procedure) to the cell (e.g., a cell of base station 105 or the fake cell 150) over a corresponding connection (e.g., communication link 125 or 152) in NAS layer communications. For example, NAS component 242 can transmit attach/TAU requests and possibly receive attach/TAU responses to the requests.
In one example, LTE may define a maximum number of NAS message sequences of a NAS procedure instance that may occur before redirecting the UE 115 to a fallback network (e.g., 2G), where the number can be defined for all NAS procedures, for specific NAS procedures (e.g., 5 requests for HPLMN attach or TAU), etc. In accordance with aspects described herein, the UE 115 may also configure a defined pattern of NAS message sequences that may occur before considering the cell a fake cell (e.g., for all NAS messages, specific to a type of NAS procedure, etc.). In one example, the UE 115 may configure the pattern of NAS message sequences as a threshold number of NAS message sequences performed with the cell, where the threshold number can be one less than the maximum number of NAS message sequences (e.g., 4). In an example, UE 115 can store one or more parameters related to the pattern (e.g., the threshold number) in memory 202, such as in an embedded file system (EFS) or other portion of the memory 202.
In addition, the NAS component 242 can operate at the NAS layer to communicate NAS messages with the cell, and can also notify lower layers (e.g., an RRC layer) when certain messages are sent and/or received (or are not received). For example, NAS component 242 can send a Start message that indicates a type of NAS request (e.g., attach or TAU) and a sequence number indicating the NAS message sequence, to the RRC layer (e.g., to fake cell detecting component 244). In addition, the NAS component 242 can send a Finish message to the RRC layer (e.g., to fake cell detecting component 244) to indicate that the NAS request is received by the cell. The Finish message can indicate success or failure of the Start message. The Finish message may also indicate the type of NAS request (e.g., attach or TAU), the sequence number, and a success/fail indicator for the corresponding NAS request. For example, NAS component 242 can set the success/fail indicator to respectively indicate that the NAS layer receives a response to the NAS request (whether accept or reject), or receives no response to the NAS request. Sending the Start and/or Finish messages in this regard can allow the lower layer to terminate a connection with a cell where it is determined to possibly be a fake cell, as described herein.
In one example, the maximum number of NAS message sequences and/or the pattern of NAS message sequences (e.g., the threshold number of NAS message sequences) may be based on the sequence number in these messages received from the NAS layer. In addition, the NAS messages received by NAS component 242, and reported to the RRC layer (e.g., to fake cell detecting component 244), may include at least one of: no response message (e.g., within a threshold period from sending a NAS request), a response with only an identity request, an identity request plus a TAU reject, a fake authentication request followed by a fake authentication failure message, etc. In any case, the RRC layer can be notified of the NAS message sequence, and may accordingly detect possible fake cell activity, as described herein.
At Block 306, it can be determined whether the NAS procedure instance has completed. In an aspect, fake cell detecting component 244, e.g., in conjunction with processor(s) 205, memory 202, transceiver 270, communicating component 240, NAS component 242, etc., can determine whether the NAS procedure instance has completed. For example, fake cell detecting component 244 can determine whether the NAS procedure instance has completed based on determining whether a Finish message is received from the NAS component 242 for a NAS message sequence, determining whether an extended service request (ESR) message for initiating fallback is received from the cell, etc. If so, for example, a fake cell detection flag, which is described further herein, can optionally be set to false at Block 308, and/or fallback can be optionally initiated at Block 310 (e.g., where the ESR is received). In this example, the fake cell detecting component 244 can set the fake cell detection flag to false, or can otherwise notify an RRC layer that the NAS procedure is complete, and the RRC layer can set the flag. In addition, in this example, the fake cell detecting component 244 may initiate the fallback to a cell of a different network (e.g., a 2G cell). The method 300 can eventually proceed to Block 302 to establish a connection with another cell in the network at a later time (e.g., when LTE is again detected, after a configured period of time, etc.).
Where the NAS procedure is not complete at Block 306, at Block 312, it can be determined whether a pattern of NAS message sequences is received in the NAS procedure instance. In an aspect, fake cell detecting component 244, e.g., in conjunction with processor(s) 205, memory 202, transceiver 270, communicating component 240, NAS component 242, etc., can determine whether the pattern of NAS message sequences is received in the NAS procedure instance. In an example, the NAS component 242 can notify the fake cell detecting component 244 (which may operate at an RRC layer) of indications of each NAS message received (e.g., of each message in the NAS message sequence) or not received (e.g., after a threshold period of time) by communicating the Start and/or Finish messages, as the indications, thereto, where the success/fail indicator in the Finish message can indicate whether a NAS message sequence with the cell was successful.
In this example, the fake cell detecting component 244 can determine whether a pattern is detected in the received NAS message sequences based on the indications. In one example, this may include determining whether a sequence number in a received indication of a NAS message achieves the threshold number, whether the NAS message with the sequence number achieving the threshold is a Finish message indicating failure, etc. In an example, as described, fake cell detecting component 244 can define the pattern to include a threshold number of NAS message sequences based on a configured maximum number of NAS message sequences (e.g., one less than the maximum). Where the pattern is not detected (e.g., where the threshold number is not detected in the indications, the threshold-numbered NAS message sequence indicates success, etc.), method 300 can proceed to Block 304 to continue performing the NAS procedure.
Where the pattern of NAS message sequences is detected at Block 312, at Block 314, it can be determined whether the fake cell detection flag is equal to false. In an aspect, fake cell detecting component 244, e.g., in conjunction with processor(s) 205, memory 202, transceiver 270, communicating component 240, NAS component 242, etc., can determine whether the fake cell detection flag is set to false. In one example, fake cell detecting component 244 can initially set the fake cell detection flag to false (e.g., upon the UE 115 power up sequence). Where fake cell detecting component 244 determines that the fake cell detection flag is not set to false (e.g., is set to true), fallback can be initiated at Block 310.
Where the fake cell detection flag is determined to be set to false at Block 314, at Block 316, connection to the cell can be barred. In an aspect, cell barring component 246, e.g., in conjunction with processor(s) 205, memory 202, transceiver 270, communicating component 240, etc., can bar connection to the cell. For example, detecting the pattern of NAS message sequences can indicate that the cell is likely a fake cell, and thus UE 115 can bar connection thereto. Cell barring component 246 may bar connection to the cell by adding an identifier of the cell to a list of barred cells (e.g., adding an E-UTRAN Global Cell Identifier (EGCI) to the list). In this example, method 300 can proceed to Block 302 to establish a connection with a different cell in the wireless network (e.g., one that is not listed in the barred list of cells).
In addition, at Block 318, the fake cell detection flag can optionally be set to true. In an aspect, fake cell detecting component 244, e.g., in conjunction with processor(s) 205, memory 202, transceiver 270, communicating component 240, etc., can set the fake cell detection flag to true (e.g., based on determining to bar connections to the cell). This can allow the UE 115 to return to a conventional NAS procedure with the next cell in case LTE is actually not available (e.g., rather than continuing to attempt connection with other cells in an attempt to establish LTE communications).
In a specific example based on the aspects described above, fake cell detecting component 244 can, upon receiving a Start message, determine if a corresponding Finish message is received and whether the fake cell detection flag is false. As described, the Start and Finish messages may come from the NAS component 242 based on the corresponding NAS message sequence of a NAS procedure instance being performed. If the fake cell detection flag is false, fake cell detecting component 244 can detect whether the sequence number of the Finish message is below the threshold and whether the Finish message indicates a fail, and if so, communicating component 240 can ignore an LTE-to-GSM (L2G) redirection at the serving cell with which NAS started the attach/TAU. If, however, the sequence number of the Finish message achieves (e.g., is equal to) the threshold, cell barring component 246 can bar the current LTE cell (e.g., using EGCI-based procedures), fake cell detecting component 244 can set the fake cell detection flag to true, and/or communicating component 240 can reselect to another available LTE cell (e.g., for more attach/TAU procedure retries before the LTE radio access technology (RAT) is removed by the NAS layer). In one example, where the barring/selection process occurs at the threshold number of attach/TAU requests (e.g., a number, n, which is less than the configured maximum number, m, of attach/TAU requests), the UE 115 can have another m − n attach/TAU requests to send before LTE is removed as an available RAT (e.g., for a period of time).
If, in this specific example, fake cell detecting component 244 receives a corresponding Finish message that indicates a success and/or an ESR message, communicating component 240 can resume L2G redirection and may reset the fake cell detection flag to false.
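The detection procedure of Blocks 304 through 318, as an added example that is not part of the patent: a small Python model of the RRC-layer fake cell detecting and cell barring components, driven by constructed Start/Finish indications from the NAS layer. The message and field names, the cell identifiers and the two traces are assumptions made for illustration; the threshold n = m − 1 with m = 5 follows the description above.

```python
"""Added example, not code from the patent: a UE-side simulation of the
RRC-layer fake cell detection logic of method 300 (Blocks 304-318).
Message names, field names, cell identifiers and the traces below are
constructed for illustration and do not come from the page."""
from dataclasses import dataclass
from enum import Enum
from typing import List, Optional, Set

MAX_NAS_ATTEMPTS = 5              # m: e.g. 5 attach/TAU requests before NAS removes the LTE RAT
THRESHOLD = MAX_NAS_ATTEMPTS - 1  # n = m - 1: the configured detection pattern (e.g. 4)


class NasReq(Enum):
    ATTACH = "attach"
    TAU = "tau"


@dataclass
class Start:
    """NAS -> RRC: a NAS request of this type and sequence number was sent."""
    req_type: NasReq
    seq: int


@dataclass
class Finish:
    """NAS -> RRC: success means an accept or reject arrived; fail means no response."""
    req_type: NasReq
    seq: int
    success: bool


class FakeCellDetector:
    """Models fake cell detecting component 244 together with cell barring component 246."""

    def __init__(self, threshold: int = THRESHOLD) -> None:
        self.threshold = threshold
        self.flag = False                 # fake cell detection flag, false at power-up
        self.barred: Set[str] = set()     # barred cells, keyed by EGCI
        self.serving_cell: Optional[str] = None
        self.pending: Optional[Start] = None
        self.l2g_redirect_allowed = True  # whether an LTE-to-GSM redirect would be honoured

    def connect(self, egci: str) -> bool:
        """Block 302: connect to a cell unless it is on the barred list."""
        if egci in self.barred:
            return False
        self.serving_cell = egci
        self.pending = None
        return True

    def on_start(self, msg: Start) -> str:
        self.pending = msg
        return "await_finish"

    def on_finish(self, msg: Finish) -> str:
        if self.pending is None or (msg.req_type, msg.seq) != (self.pending.req_type, self.pending.seq):
            return "ignored_unmatched"    # Finish that matches no outstanding Start
        self.pending = None
        if msg.success:                   # Block 306: procedure complete -> Block 308
            self.flag = False
            self.l2g_redirect_allowed = True
            return "nas_complete"
        if msg.seq < self.threshold:      # Block 312: pattern not reached -> back to Block 304
            self.l2g_redirect_allowed = False   # ignore an L2G redirect from this cell
            return "ignore_l2g_redirect"
        if self.flag:                     # Block 314: flag already true -> Block 310
            self.l2g_redirect_allowed = True
            return "fallback"
        self.barred.add(self.serving_cell)   # Block 316: bar the cell by EGCI
        self.flag = True                     # Block 318: next cell gets conventional handling
        return "bar_cell_and_reselect"

    def on_esr(self) -> str:
        """An ESR from the cell ends the procedure: resume L2G handling (Blocks 308/310)."""
        self.pending = None
        self.flag = False
        self.l2g_redirect_allowed = True
        return "fallback"


def dos_cell_scenario():
    """Constructed trace: a cell that answers none of the UE's TAU requests is barred
    after n failures; the UE reselects to a cell that accepts the next TAU."""
    det = FakeCellDetector()
    det.connect("EGCI-FAKE-1")       # placeholder identifier
    actions: List[str] = []
    for seq in range(1, THRESHOLD + 1):
        det.on_start(Start(NasReq.TAU, seq))
        actions.append(det.on_finish(Finish(NasReq.TAU, seq, success=False)))
    det.connect("EGCI-LTE-B")        # placeholder identifier
    det.on_start(Start(NasReq.TAU, THRESHOLD + 1))
    actions.append(det.on_finish(Finish(NasReq.TAU, THRESHOLD + 1, success=True)))
    return actions, det


def no_lte_scenario():
    """Constructed trace: LTE is genuinely unavailable, so the cell reached after
    barring also fails; the flag keeps the UE from barring that cell as well."""
    det = FakeCellDetector()
    det.connect("EGCI-A")            # placeholder identifier
    for seq in range(1, THRESHOLD + 1):
        det.on_start(Start(NasReq.TAU, seq))
        det.on_finish(Finish(NasReq.TAU, seq, success=False))
    det.connect("EGCI-C")            # placeholder identifier
    det.on_start(Start(NasReq.TAU, THRESHOLD + 1))
    action = det.on_finish(Finish(NasReq.TAU, THRESHOLD + 1, success=False))
    return action, sorted(det.barred), det.flag
```

In the first trace the fourth failed Finish bars the cell and the fifth TAU completes on the next cell, so the flag is cleared; in the second trace the fifth failure falls back conventionally without barring a second cell.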
FIG. 4 is a block diagram of a MIMO communication system 400 including a base station 105 and a UE 115. The MIMO communication system 400 may illustrate aspects of the wireless communication system 100 described with reference to FIG. 1. The base station 105 may be an example of aspects of the base station 105 described with reference to FIGS. 1-2. The base station 105 may be equipped with  antennas  434 and 435, and the UE 115 may be equipped with  antennas  452 and 453. In the MIMO communication system 400, the base station 105 may be able to send data over multiple communication links at the same time. Each communication link may be called a “layer” and the “rank” of the communication link may indicate the number of layers used for communication. For example, in a 2x2 MIMO communication system where base station 105 transmits two “layers, ” the rank of the communication link between the base station 105 and the UE 115 is two.
At the base station 105, a transmit (Tx) processor 420 may receive data from a data source. The transmit processor 420 may process the data. The transmit processor 420 may also generate control symbols or reference symbols. A transmit MIMO processor 430 may perform spatial processing (e.g., precoding) on data symbols, control symbols, or reference symbols, if applicable, and may provide output symbol streams to the transmit modulator/demodulators 432 and 433. Each modulator/demodulator 432 through 433 may process a respective output symbol stream (e.g., for OFDM, etc.) to obtain an output sample stream. Each modulator/demodulator 432 through 433 may further process (e.g., convert to analog, amplify, filter, and upconvert) the output sample stream to obtain a DL signal. In one example, DL signals from modulator/demodulators 432 and 433 may be transmitted via the antennas 434 and 435, respectively.
The UE 115 may be an example of aspects of the UEs 115 described with reference to FIGS. 1-2. At the UE 115, the UE antennas 452 and 453 may receive the DL signals from the base station 105 and may provide the received signals to the modulator/demodulators 454 and 455, respectively. Each modulator/demodulator 454 through 455 may condition (e.g., filter, amplify, downconvert, and digitize) a respective received signal to obtain input samples. Each modulator/demodulator 454 through 455 may further process the input samples (e.g., for OFDM, etc.) to obtain received symbols. A MIMO detector 456 may obtain received symbols from the modulator/demodulators 454 and 455, perform MIMO detection on the received symbols, if applicable, and provide detected symbols. A receive (Rx) processor 458 may process (e.g., demodulate, deinterleave, and decode) the detected symbols, providing decoded data for the UE 115 to a data output, and provide decoded control information to a processor 480, or memory 482.
The processor 480 may in some cases execute stored instructions to instantiate a communicating component 240 (see e.g., FIGS. 1-2).
On the uplink (UL), at the UE 115, a transmit processor 464 may receive and process data from a data source. The transmit processor 464 may also generate reference symbols for a reference signal. The symbols from the transmit processor 464 may be precoded by a transmit MIMO processor 466 if applicable, further processed by the modulator/demodulators 454 and 455 (e.g., for SC-FDMA, etc.), and be transmitted to the base station 105 in accordance with the communication parameters received from the base station 105. At the base station 105, the UL signals from the UE 115 may be received by the antennas 434 and 435, processed by the modulator/demodulators 432 and 433, detected by a MIMO detector 436 if applicable, and further processed by a receive processor 438. The receive processor 438 may provide decoded data to a data output and to the processor 440 or memory 442.
The components of the UE 115 may, individually or collectively, be implemented with one or more ASICs adapted to perform some or all of the applicable functions in hardware. Each of the noted modules may be a means for performing one or more functions related to operation of the MIMO communication system 400. Similarly, the components of the base station 105 may, individually or collectively, be implemented with one or more ASICs adapted to perform some or all of the applicable functions in hardware. Each of the noted components may be a means for performing one or more functions related to operation of the MIMO communication system 400.
The above detailed description set forth above in connection with the appended drawings describes examples and does not represent the only examples that may be implemented or that are within the scope of the claims. The term “example,” when used in this description, means “serving as an example, instance, or illustration,” and not “preferred” or “advantageous over other examples.” The detailed description includes specific details for the purpose of providing an understanding of the described techniques. These techniques, however, may be practiced without these specific details. In some instances, well-known structures and apparatuses are shown in block diagram form in order to avoid obscuring the concepts of the described examples.
Information and signals may be represented using any of a variety of different technologies and techniques. For example, data, instructions, commands, information, signals, bits, symbols, and chips that may be referenced throughout the above description may be represented by voltages, currents, electromagnetic waves, magnetic fields or particles, optical fields or particles, computer-executable code or instructions stored on a computer-readable medium, or any combination thereof.
The various illustrative blocks and components described in connection with the disclosure herein may be implemented or performed with a specially-programmed device, such as but not limited to a processor, a digital signal processor (DSP), an ASIC, a FPGA or other programmable logic device, a discrete gate or transistor logic, a discrete hardware component, or any combination thereof designed to perform the functions described herein. A specially-programmed processor may be a microprocessor, but in the alternative, the processor may be any conventional processor, controller, microcontroller, or state machine. A specially-programmed processor may also be implemented as a combination of computing devices, e.g., a combination of a DSP and a microprocessor, multiple microprocessors, one or more microprocessors in conjunction with a DSP core, or any other such configuration.
The functions described herein may be implemented in hardware, software executed by a processor, firmware, or any combination thereof. If implemented in software executed by a processor, the functions may be stored on or transmitted over as one or more instructions or code on a non-transitory computer-readable medium. Other examples and implementations are within the scope and spirit of the disclosure and appended claims. For example, due to the nature of software, functions described above can be implemented using software executed by a specially programmed processor, hardware, firmware, hardwiring, or combinations of any of these. Features implementing functions may also be physically located at various positions, including being distributed such that portions of functions are implemented at different physical locations. Also, as used herein, including in the claims, “or” as used in a list of items prefaced by “at least one of” indicates a disjunctive list such that, for example, a list of “at least one of A, B, or C” means A or B or C or AB or AC or BC or ABC (i.e., A and B and C).
Computer-readable media includes both computer storage media and communication media including any medium that facilitates transfer of a computer program from one place to another. A storage medium may be any available medium that can be accessed by a general purpose or special purpose computer. By way of example, and not limitation, computer-readable media can comprise RAM, ROM, EEPROM, CD-ROM or other optical disk storage, magnetic disk storage or other magnetic storage devices, or any other medium that can be used to carry or store desired program code means in the form of instructions or data structures and that can be accessed by a general-purpose or special-purpose computer, or a general-purpose or special-purpose processor. Also, any connection is properly termed a computer-readable medium. For example, if the software is transmitted from a website, server, or other remote source using a coaxial cable, fiber optic cable, twisted pair, digital subscriber line (DSL), or wireless technologies such as infrared, radio, and microwave, then the coaxial cable, fiber optic cable, twisted pair, DSL, or wireless technologies such as infrared, radio, and microwave are included in the definition of medium. Disk and disc, as used herein, include compact disc (CD), laser disc, optical disc, digital versatile disc (DVD), floppy disk and Blu-ray disc where disks usually reproduce data magnetically, while discs reproduce data optically with lasers. Combinations of the above are also included within the scope of computer-readable media.
The previous description of the disclosure is provided to enable a person skilled in the art to make or use the disclosure. Various modifications to the disclosure will be readily apparent to those skilled in the art, and the common principles defined herein may be applied to other variations without departing from the spirit or scope of the disclosure. Furthermore, although elements of the described aspects and/or embodiments may be described or claimed in the singular, the plural is contemplated unless limitation to the singular is explicitly stated. Additionally, all or a portion of any aspect and/or embodiment may be utilized with all or a portion of any other aspect and/or embodiment, unless stated otherwise. Thus, the disclosure is not to be limited to the examples and designs described herein but is to be accorded the widest scope consistent with the principles and novel features disclosed herein.

Claims (36)

  1. A method for detecting, by a user equipment (UE), fake cells in wireless communications, comprising:
    establishing, by the UE, a connection with a cell in a wireless network;
    performing, by the UE and based on establishing the connection with the cell, a non-access stratum (NAS) procedure instance with the cell at a NAS layer, wherein the NAS procedure instance includes at least one of an attach procedure or a tracking area update (TAU) procedure;
    detecting, by the UE, a pattern of NAS message sequences received during the NAS procedure instance; and
    barring, by the UE and based on detecting the pattern of NAS message sequences, connection to the cell.
  2. The method of claim 1, wherein detecting the pattern of NAS message sequences comprises detecting a threshold number of NAS message sequences received during the NAS procedure instance.
  3. The method of claim 2, further comprising:
    determining a maximum number of NAS message sequences configured in a memory of the UE, wherein the threshold number of NAS message sequences is one less than the maximum number of NAS message sequences.
  4. The method of claim 2, wherein detecting the threshold number of NAS message sequences comprises determining that a sequence number in a received NAS message sequence is equal to the threshold number.
  5. The method of claim 4, further comprising determining that a fake cell detection flag is set to false, wherein barring connection to the cell is based at least in part on detecting the sequence number in the received NAS message sequence is equal to the threshold number and determining that the fake cell detection flag is set to false.
  6. The method of claim 5, further comprising setting, based at least in part on detecting the sequence number in the received NAS message sequence is equal to the threshold number and determining that the fake cell detection flag is set to false, the fake cell detection flag to true.
  7. The method of claim 1, further comprising establishing, based at least in part on barring connection to the cell, a different connection with a different cell.
  8. The method of claim 7, further comprising setting a fake cell detection flag to false based on performing another NAS procedure instance with the different cell.
  9. The method of claim 1, wherein detecting the pattern of NAS message sequences is performed at a radio resource control (RRC) layer.
  10. An apparatus for wireless communication, comprising:
    a transceiver for communicating in a wireless network via one or more antennas;
    a memory configured to store instructions; and
    one or more processors communicatively coupled with the transceiver and the memory, wherein the one or more processors are configured to:
    establish a connection with a cell in the wireless network;
    perform, based on establishing the connection with the cell, a non-access stratum (NAS) procedure instance with the cell at a NAS layer, wherein the NAS procedure instance includes at least one of an attach procedure or a tracking area update (TAU) procedure;
    detect a pattern of NAS message sequences received during the NAS procedure instance; and
    bar, based on detecting the threshold number of NAS messages, connection to the cell.
  11. The apparatus of claim 10, wherein the one or more processors are configured to detect the pattern of NAS message sequences at least in part by detecting a threshold number of NAS message sequences received during the NAS procedure instance.
  12. The apparatus of claim 11, wherein the one or more processors are further configured to determine a maximum number of NAS message sequences configured in the memory of the UE, wherein the threshold number of NAS message sequences is one less than the maximum number of NAS message sequences.
  13. The apparatus of claim 11, wherein the one or more processors are configured to detect the threshold number of NAS message sequences at least in part by determining that a sequence number in a received NAS message sequence is equal to the threshold number.
  14. The apparatus of claim 13, wherein the one or more processors are further configured to determine that a fake cell detection flag is set to false, wherein the one or more processors are configured to bar connection to the cell based at least in part on detecting the sequence number in the received NAS message sequence is equal to the threshold number and determining that the fake cell detection flag is set to false.
  15. The apparatus of claim 14, wherein the one or more processors are further configured to set, based at least in part on detecting the sequence number in the received NAS message sequence is equal to the threshold number and determining that the fake cell detection flag is set to false, the fake cell detection flag to true.
  16. The apparatus of claim 10, wherein the one or more processors are further configured to establish, based at least in part on barring connection to the cell, a different connection with a different cell.
  17. The apparatus of claim 16, wherein the one or more processors are further configured to set a fake cell detection flag to false based on performing another NAS procedure instance with the different cell.
  18. The apparatus of claim 10, wherein the one or more processors are configured to detect the pattern of NAS message sequences at a radio resource control (RRC) layer.
  19. An apparatus for detecting, by a user equipment (UE), fake cells in wireless communications, comprising:
    means for establishing, by the UE, a connection with a cell in a wireless network;
    means for performing, by the UE and based on establishing the connection with the cell, a non-access stratum (NAS) procedure instance with the cell at a NAS layer, wherein the NAS procedure instance includes at least one of an attach procedure or a tracking area update (TAU) procedure;
    means for detecting, by the UE, a pattern of NAS message sequences received during the NAS procedure instance; and
    means for barring, by the UE and based on detecting the pattern of NAS message sequences, connection to the cell.
  20. The apparatus of claim 19, wherein the means for detecting the pattern of NAS message sequences detects a threshold number of NAS message sequences received during the NAS procedure instance.
  21. The apparatus of claim 20, further comprising:
    means for determining a maximum number of NAS message sequences configured in a memory of the UE, wherein the threshold number of NAS message sequences is one less than the maximum number of NAS message sequences.
  22. The apparatus of claim 20, wherein the means for detecting detects the threshold number of NAS message sequences at least in part by determining that a sequence number in a received NAS message sequence is equal to the threshold number.
  23. The apparatus of claim 22, further comprising means for determining that a fake cell detection flag is set to false, wherein the means for barring bars connection to the cell based at least in part on the means for detecting determining that the sequence number in the received NAS message sequence is equal to the threshold number and on determining that the fake cell detection flag is set to false.
  24. The apparatus of claim 23, further comprising means for setting, based at least in part on detecting the sequence number in the received NAS message sequence is equal to the threshold number and determining that the fake cell detection flag is set to false, the fake cell detection flag to true.
  25. The apparatus of claim 19, further comprising means for establishing, based at least in part on barring connection to the cell, a different connection with a different cell.
  26. The apparatus of claim 25, further comprising means for setting a fake cell detection flag to false based on performing the NAS procedure with the different cell.
  27. The apparatus of claim 19, wherein the means for detecting detects the pattern of NAS message sequences at a radio resource control (RRC) layer.
  28. A computer-readable medium, comprising code executable by one or more processors for detecting, by a user equipment (UE), fake cells in wireless communications, the code comprising:
    code for establishing, by the UE, a connection with a cell in a wireless network;
    code for performing, by the UE and based on establishing the connection with the cell, a non-access stratum (NAS) procedure instance with the cell at a NAS layer, wherein the NAS procedure instance includes at least one of an attach procedure or a tracking area update (TAU) procedure;
    code for detecting, by the UE, a pattern of NAS message sequences received during the NAS procedure instance; and
    code for barring, by the UE and based on detecting the threshold number of NAS message sequences, connection to the cell.
  29. The computer-readable medium of claim 28, wherein the code for detecting the pattern of NAS message sequences detects a threshold number of NAS message sequences received during the NAS procedure instance.
  30. The computer-readable medium of claim 29, further comprising:
    code for determining a maximum number of NAS message sequences configured in a memory of the UE, wherein the threshold number of NAS message sequences is one less than the maximum number of NAS message sequences.
  31. The computer-readable medium of claim 29, wherein the code for detecting detects the threshold number of NAS message sequences at least in part by determining that a sequence number in a received NAS message sequence is equal to the threshold number.
  32. The computer-readable medium of claim 31, further comprising code for determining that a fake cell detection flag is set to false, wherein the code for barring bars connection to the cell based at least in part on the code for detecting determining that the sequence number in the received NAS message sequence is equal to the threshold number and on determining that the fake cell detection flag is set to false.
  33. The computer-readable medium of claim 32, further comprising code for setting, based at least in part on detecting the sequence number in the received NAS message sequence is equal to the threshold number and determining that the fake cell detection flag is set to false, the fake cell detection flag to true.
  34. The computer-readable medium of claim 28, further comprising code for establishing, based at least in part on barring connection to the cell, a different connection with a different cell.
  35. The computer-readable medium of claim 34, further comprising code for setting a fake cell detection flag to false based on performing the NAS procedure with the different cell.
  36. The computer-readable medium of claim 28, wherein the code for detecting detects the pattern of NAS message sequences at a radio resource control (RRC) layer.
PCT/CN2017/116444 2017-12-15 2017-12-15 Techniques for detecting fake cells in wireless communications WO2019113934A1 (en)
Publications (1)

Publication Number Publication Date
WO2019113934A1 (en) 2019-06-20