A Novel Detection Mechanism for SMS Attacks on Cellular Network
Eun Kyoung Kim, Patrick McDaniel, Thomas La Porta

In a cellular network, SMS message traffic shares the control channels (CCHs) with call traffic. An abnormal increase in SMS traffic results in high occupancy of the control channels, causing a high call blocking rate. Therefore, detecting any malicious attempt to deplete the channel resource with extremely high SMS traffic is very important. However, it is not trivial to distinguish a malicious SMS attack from benign bursty traffic created by legitimate requests, since they induce very similar phenomena in the cellular network even though they need to be treated differently. We propose a novel detection mechanism that distinguishes a malicious SMS attack from benign bursty traffic, so that malicious requests are quickly discarded while legitimate ones continue to be served.

Network/SMS Characteristics

Parameter                          Average value   Distribution
Normal traffic arrival rate        0.7 msg/sec     Poisson
Holding time at CCH                4 sec.          Exponential
Response time from the recipient   60 sec.         Pareto
Thread length                      5 msg.
Thread duration                    8 min.

Table 1. Message- and thread-level SMS characteristics

It is observed that a normal SMS thread consists of a series of five messages on average. That means a normal SMS is supposed to have a reply with a high probability, while an attack message typically cannot expect a high reply rate.

Figure 1. Typical network architecture for SMS (diagram labels: MSC, SMSC, HLR, VLR, BS, handsets A and B, Originator-MO SMS, Destination-MT SMS)

Detection Algorithm

/* Forming message threads for all incoming messages */
for each message M observed in W do
    if M is an outgoing message from L to R then
        if T = (R, L) exists then
            Increase Rr by 1
        end if
    if M is an incoming message from R to L then
        if M is delivered to L then
            Increase Rs by 1
        end if
    else
        Create T = (R, L)
end for

/* Setting response rate threshold */
r = θ * (1 - Bavg)

/* Updating attack-likelihood score for each remote host according to its
   response rate and marking it as malicious or suspicious based on the score */
for each remote host R in T = (R, L) do
    if R sends or receives a message then
        Rrr = Rr / Rs
        if (Rrr < r) then
            Rc++
        else
            Rc = max{Rc--, 0}
    if Rc ≥ m then
        Mark R as malicious
    else if Rc ≥ s then
        Mark R as suspicious
    else
        Mark R as normal

M : SMS messages collected during one time window W
L/R : local/remote handsets
T : message threads represented by a pair of (sender, receiver)
Rs/r : the number of sent/replied messages from/to R
Rrr : the reply rate for R
Rc : the score representing the likelihood that R is an attacker
θ : the expected reply rate in normal network conditions
Bavg : the average blocking rate during W
r : the response rate threshold to determine the likelihood score
m/s : the attack-likelihood score threshold for identifying the malicious/suspicious handsets

Simulation Results

We simulated 24 hours of SMS communication. Attack traffic is emitted for one hour, from 23 to 24 hours. The aggregated volume of the attack traffic is 8 times more than that of regular traffic. For the mixed attack, flash crowd traffic of four-fold the normal traffic is generated in addition to the attack traffic.

Figure 2. (1) FNR and (2) FPR of mixed traffic with high intensity without a mitigation technique

Figure 3. (1) FNR and (2) FPR of two kinds of attack traffic with low intensity without a mitigation technique with m = 3

With a mitigation technique: We devise a 3-queue mitigation mechanism which places normal, suspicious, and malicious traffic, as classified by the detection algorithm, into the corresponding queues and schedules each message using Weighted Fair Queueing.

Figure 4. Blocking rate for mixed attack traffic with low intensity with a mitigation technique with s = 1

Sponsored By National Science Foundation
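The reply-rate scoring from the Detection Algorithm section, as an added Python example that is not the authors' code. Assumptions: θ = 0.5 (the poster gives no value), threads and scores persist across windows, every delivered message from R counts toward Rs, and the class name, tuple layout and sample traffic are constructed for illustration; m = 3 and s = 1 are the values in the figure captions.

```python
from collections import defaultdict

class SmsReplyRateDetector:
    """Reply-rate scoring per remote handset R, following the poster's pseudocode."""

    def __init__(self, theta=0.5, m=3, s=1):
        # theta is an assumed value; m = 3 and s = 1 come from Figures 3 and 4.
        self.theta, self.m, self.s = theta, m, s
        self.threads = set()            # T = (R, L) pairs seen so far
        self.score = defaultdict(int)   # Rc, kept across windows

    def process_window(self, messages, b_avg):
        """messages: (direction, remote, local, delivered) tuples seen in window W."""
        sent = defaultdict(int)         # Rs: messages from R delivered to L
        replied = defaultdict(int)      # Rr: replies from L back to R
        for direction, remote, local, delivered in messages:
            if direction == "in":       # R -> L opens or continues a thread
                self.threads.add((remote, local))
                if delivered:
                    sent[remote] += 1
            elif (remote, local) in self.threads:   # L -> R inside a thread
                replied[remote] += 1
        r = self.theta * (1 - b_avg)    # threshold drops as blocking rises
        verdicts = {}
        for remote, rs in sent.items():  # only senders with delivered messages
            if replied[remote] / rs < r:
                self.score[remote] += 1
            else:
                self.score[remote] = max(self.score[remote] - 1, 0)
            verdicts[remote] = self.label(remote)
        return verdicts

    def label(self, remote):
        rc = self.score[remote]
        return "malicious" if rc >= self.m else "suspicious" if rc >= self.s else "normal"


def constructed_window():
    """Constructed traffic: a flooder, a flash-crowd sender and a normal user."""
    msgs = [("in", "flooder", f"victim{i}", True) for i in range(10)]
    msgs += [("in", "tv-vote", f"fan{i}", True) for i in range(10)]
    msgs += [("out", "tv-vote", f"fan{i}", True) for i in range(6)]
    msgs += [("in", "bob", "alice", True), ("out", "bob", "alice", True)]
    return msgs


def run_demo(windows=3, b_avg=0.1):
    det = SmsReplyRateDetector()
    return [det.process_window(constructed_window(), b_avg) for _ in range(windows)]
```

The flash-crowd sender generates the same volume as the flooder but stays "normal" because its reply rate clears the threshold, while the flooder moves from suspicious to malicious after three windows.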