Network/SMS Characteristics A Novel Detection Mechanism for SMS Attacks on Cellular Network Eun Kyoung Kim, Patrick McDaniel, Thomas La Porta In cellular network, SMS message traffic shares the control channels (CCHs) with call traffic. Abnormal increase of SMS traffic results in high occupancy of the control channels causing high call blocking rate. Therefore, detecting any malicious attempts to deplete the channel resource by extremely high SMS traffic is very important. However, it is not trivial to distinguish malicious SMS attack from benign bursty traffic created by legitimate requests since they induce very similar phenomena in cellular network even though they need to be treated differently. We propose a novel detection mechanism that distinguishes malicious SMS attack from benign bursty traffic to quickly discard malicious requests while continuing to serve legitimate ones. Network/SMS Characteristics Parameter Average value Distribution Normal traffic arrival rate 0.7 msg/sec Poisson Holding time at CCH 4 sec. Exponential Response time from the recipient 60 sec. Pareto Thread length 5 msg. Thread duration 8 min. MSC SMSC HLR VLR BS A B Destination-MT SMS Originator-MO SMS Table 1. Message- and thread-level SMS characteristics It is observed that a normal SMS thread consists of a series of five messages on average. That means a normal SMS is supposed to have a reply with a high probability, while an attack message typically cannot expect a high reply rate. Figure 1. Typical network architecture for SMS Detection Algorithm Simulation Results /* Forming message threads for all incoming messages */ for each message M observed in W do if M is an outgoing message from L to R then if T = (R, L) exists then Increase Rr by 1 endif if M is an incoming message from R to L then if M is delivered to L then Increase Rs by 1 end if else Create T = (R, L) end for /* Setting response rate threshold */ r = θ *(1-Bavg) /* Updating attack-likelihood score for each remote host according to its response rate and marking it as malicious or suspicious based on the score */ for each remote host R in T = (R, L) do if R send or receive a message then Rrr = Rr/Rs if (Rrr < r) then Rc++ Rc = max{Rc--, 0} if Rc ≥ m then Mark R as malicious else if Rc ≥ s then Mark R as suspicious Mark R as normal M : SMS messages collected during one time window W L/R : local/remote handsets T : message threads represented by a pair of (sender, receiver) Rs/r : the number of sent/replied messages from/to R Rrr : the reply rate for R Rc : the score representing the likelihood that R is an attacker θ : the expected reply rates in normal network condition Bavg : the average blocking rate during W r : the response rate threshold to determine the likelihood score m/s : the attack-likelihood score threshold for identifying the malicious/suspicious handsets We simulated 24 hours of SMS communication. Attack traffic is emitted for one hour from 23 to 24 hours. The aggregated volume of the attack traffic is 8 times more than that of regular traffic. For the mixed attack, flash crowd traffic four-fold the normal traffic is generated in addition to the attack traffic. (1) (2) Figure 2. (1) FNR and (2) FPR of mixed traffic with high intensity without a mitigation technique (1) (2) Figure 3. (1) FNR and (2) FPR of two kinds of attack traffic with low intensity without a mitigation technique with with m = 3 With a mitigation technique : We devise a 3-queue mitigation mechanism which places normal, suspicious, and malicious traffic classified by the detection algorithm into the corresponding queues and schedules each messages using Weighted Fair Queueing. Figure 4. Blocking rate for mixed attack traffic with low intensity with a mitigation technique with s = 1 Sponsored By National Science Foundation