
Network/SMS Characteristics


Presentation Transcript


A Novel Detection Mechanism for SMS Attacks on Cellular Network
Eun Kyoung Kim, Patrick McDaniel, Thomas La Porta

In a cellular network, SMS message traffic shares the control channels (CCHs) with call traffic. An abnormal increase in SMS traffic results in high occupancy of the control channels, causing a high call blocking rate. Detecting malicious attempts to deplete the channel resource with extremely high SMS traffic is therefore very important. However, it is not trivial to distinguish a malicious SMS attack from benign bursty traffic created by legitimate requests: the two induce very similar phenomena in the cellular network, yet they need to be treated differently. We propose a novel detection mechanism that distinguishes malicious SMS attacks from benign bursty traffic in order to quickly discard malicious requests while continuing to serve legitimate ones.

Network/SMS Characteristics

Figure 1. Typical network architecture for SMS (diagram labels: HLR, VLR, BS, A, B, SMSC, MSC, Originator-MO SMS, Destination-MT SMS)

Table 1. Message- and thread-level SMS characteristics

It is observed that a normal SMS thread consists of a series of five messages on average. That means a normal SMS is expected to receive a reply with high probability, while an attack message typically cannot expect a high reply rate.

Detection Algorithm

    /* Forming message threads for all incoming messages */
    for each message M observed in W do
        if M is an outgoing message from L to R then
            if T = (R, L) exists then
                Increase Rr by 1
            end if
        end if
        if M is an incoming message from R to L then
            if T = (R, L) exists then
                if M is delivered to L then
                    Increase Rs by 1
                end if
            else
                if M is delivered to L then
                    Create T = (R, L)
                    Increase Rs by 1
                end if
            end if
        end if
    end for

    /* Setting response rate threshold */
    r = θ * (1 - Bavg)

    /* Updating attack-likelihood score for each remote host according to its
       response rate and marking it as malicious or suspicious based on the score */
    for each remote host R in T = (R, L) do
        if R sends or receives a message then
            Rrr = Rr / Rs
            if (Rrr < r) then
                Rc = Rc + 1
            else
                Rc = max{Rc - 1, 0}
            end if
            if Rc ≥ m then
                Mark R as malicious
            else if Rc ≥ s then
                Mark R as suspicious
            else
                Mark R as normal
            end if
        end if
    end for

    M       : SMS messages collected during one time window W
    L / R   : local / remote handsets
    T       : message threads, each represented by a (sender, receiver) pair
    Rs / Rr : the number of sent / replied messages from / to R
    Rrr     : the reply rate for R
    Rc      : the score representing the likelihood that R is an attacker
    θ       : the expected reply rate in normal network conditions
    Bavg    : the average blocking rate during W
    r       : the response rate threshold used to determine the likelihood score
    m / s   : the attack-likelihood score thresholds for identifying malicious / suspicious handsets

Simulation Results

We simulated 24 hours of SMS communication. Attack traffic is emitted for one hour, from hour 23 to hour 24. The aggregated volume of the attack traffic is 8 times more than that of regular traffic. For the mixed attack, flash crowd traffic four-fold the normal traffic is generated in addition to the attack traffic.

Figure 2. (1) FNR and (2) FPR of mixed traffic with high intensity without a mitigation technique

Figure 3. (1) FNR and (2) FPR of two kinds of attack traffic with low intensity without a mitigation technique with m = 3

With a mitigation technique: We devise a 3-queue mitigation mechanism which places the normal, suspicious, and malicious traffic classified by the detection algorithm into the corresponding queues and schedules each message using Weighted Fair Queueing.

Figure 4. Blocking rate for mixed attack traffic with low intensity with a mitigation technique with s = 1

Sponsored By National Science Foundation
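
One way to implement the detection pseudocode above in Python, as an added example that is not the authors' code. It assumes the counters Rs, Rr and Rc are kept per remote host across windows and that the score is updated once per window; θ = 0.5, the blocking rate and the sample messages are constructed, while m = 3 and s = 1 are the values given in the figure captions.

```python
from collections import defaultdict

class ReplyRateDetector:
    """Reply-rate scoring per remote host R, following the poster's pseudocode."""

    def __init__(self, theta, m, s):
        self.theta, self.m, self.s = theta, m, s
        self.threads = set()          # T: known (R, L) pairs
        self.rs = defaultdict(int)    # Rs: messages from R delivered to local handsets
        self.rr = defaultdict(int)    # Rr: replies sent to R on an existing thread
        self.rc = defaultdict(int)    # Rc: attack-likelihood score

    def process_window(self, messages, b_avg):
        """messages: (direction, R, L, delivered) tuples seen in one window W."""
        active = set()
        for direction, r_host, l_host, delivered in messages:
            active.add(r_host)
            if direction == "out":                    # L -> R counts only as a reply
                if (r_host, l_host) in self.threads:
                    self.rr[r_host] += 1
            elif delivered:                           # R -> L that reached L
                self.threads.add((r_host, l_host))    # creates T if it is new
                self.rs[r_host] += 1
        threshold = self.theta * (1 - b_avg)          # r = theta * (1 - Bavg)
        labels = {}
        # Only hosts that own a thread are scored, so Rs >= 1 here.
        for r_host in sorted(active & {r for r, _ in self.threads}):
            rate = self.rr[r_host] / self.rs[r_host]  # Rrr
            if rate < threshold:
                self.rc[r_host] += 1
            else:
                self.rc[r_host] = max(self.rc[r_host] - 1, 0)
            score = self.rc[r_host]
            labels[r_host] = ("malicious" if score >= self.m
                              else "suspicious" if score >= self.s else "normal")
        return labels

def run_demo():
    # Constructed sample: "spam" reaches five handsets and is never answered;
    # "alice" messages "l0" and gets a reply in every window.
    window = [("in", "spam", f"l{i}", True) for i in range(5)]
    window += [("in", "alice", "l0", True), ("out", "alice", "l0", True)]
    det = ReplyRateDetector(theta=0.5, m=3, s=1)      # theta is an assumed value
    return [det.process_window(window, b_avg=0.1) for _ in range(3)]

if __name__ == "__main__":
    for labels in run_demo():
        print(labels)
```

Because the threshold is scaled by (1 - Bavg), a host with a reply rate of 0.2 is scored as below threshold when the network is idle but not when 70% of traffic is being blocked, which is how the algorithm avoids penalising senders whose replies were lost to congestion.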
