TRANSCRIPT
Solutions Now I Innovations for the Future
2019 S&T Cybersecurity and Innovation Showcase
Detecting NIDEs in Next Generation (NG)9-1-1 and Other Communication Networks
Mark Collier | SecureLogix Corporation | March 18, 2019
Funded Contract Information: This material is based on research sponsored by the Department of Homeland Security, Science and Technology Directorate via contract number 70RSAT18C00000011.
No Endorsement Notification: Any reference to any specific commercial products, processes, or services by trade name, trademark, manufacturer, or otherwise, does not constitute or imply its endorsement, recommendation, or favoring by the Department of Homeland Security or the United States Government.
Hyperlinked Web sites do not constitute endorsement by DHS of the Web site or the information, products, or services contained therein. DHS does not exercise any editorial control over materials on this website or the information on non-DHS Web sites.
Disclaimer Notification: The views, opinions, findings, conclusions, or recommendations expressed in this video are those of the authors and do not necessarily reflect the official policy or position of the Department of Homeland Security (DHS) or the United States Government. The publication of these views by DHS does not confer any individual rights or cause of action against the United States. Users of information in the materials assume all liability from such use.
Team Profile
Mark Collier – CTO – Principal Investigator
Kelly Minyard – SVP Sales – Transition
Dr. Nisar Hundewale – Chief Scientist – Machine Learning
Mark O’Brien – Senior Developer – Software Development
Dr. Waleed Haddad – Chief Scientist – Detection algorithms
Chris Duxler – West/ECaTS – Data/ECaTS dashboard
Customer Need (diagram; labels recovered from the slide)
Call patterns of concern:
Call floods that crowd out legitimate calls
Automated telemarketing calls and spam
Targeted social engineering
Financial account takeover (ATO)
Authenticate financial (CC) calls
Harassing calls
Other harassing call patterns
Customer Need
Telephony Denial of Service (TDoS) attack against D.C. 9-1-1:
About 6,000 calls
All from the same source number
Recorded calls with bible verses
TDoS attacks against multiple counties in the D.C. area:
Targeted the administrative phones and police department
About 6,300 calls in one case
Calls were dead air, a recorded message, or Arabic language
Used non-local, but valid, spoofed source numbers
Customer Need
Approach – Leverage Work to Date
PolicyGuru solution improvements
TDoS detection improvements
Unique NG9-1-1 improvements
Information from existing pilots
Continue the existing pilots
Integrate Call Authentication Service (CAS)
Approach – Define NIDE Taxonomy
NIDE == Network Internet Disruptive Event
Intentional TDoS
Inadvertent TDoS (robocalls, faxes, call pumping)
Pool, elevator, or other phone issue
Persistent harassing caller
Cellular jamming (impact to 9-1-1)
Service provider issues and loss of key data
Text and video
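The two incidents described under Customer Need (one source number placing thousands of calls; many valid but spoofed non-local numbers delivering dead air) and the TDoS entries of the NIDE taxonomy above can be illustrated with a small detector run over call records. This is an added example written for this transcript, not SecureLogix's or the project's detection code; the window size, thresholds, the "local" area-code prefixes and the triage labels are assumptions, and the call records are constructed rather than real PSAP data.

```python
from collections import Counter, defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class CallRecord:
    ts: datetime      # arrival time at the PSAP
    source: str       # calling number as delivered (may be spoofed)
    duration_s: int   # talk time; 0 means dead air or hang-up before answer


def make_sample():
    """Constructed call records (not real PSAP data) reproducing the two patterns
    described on the slide: a flood from one source number, then a flood from many
    distinct non-local numbers that are mostly dead air, on top of normal traffic."""
    t0 = datetime(2019, 3, 18, 9, 0, 0)
    recs = []
    # Background: one local caller per minute for 30 minutes, ordinary durations.
    for i in range(30):
        recs.append(CallRecord(t0 + timedelta(minutes=i), f"202555{1000 + i:04d}", 90 + i))
    # Pattern 1: 60 calls in 10 minutes, all from the same non-local number.
    for i in range(60):
        recs.append(CallRecord(t0 + timedelta(seconds=10 * i), "4105550199", 20))
    # Pattern 2: 80 dead-air calls over about 6.5 minutes from 80 different non-local numbers.
    for i in range(80):
        recs.append(CallRecord(t0 + timedelta(minutes=15, seconds=5 * i), f"404555{2000 + i:04d}", 0))
    return recs


def detect_floods(records, window=timedelta(minutes=10), single_source_threshold=20,
                  rate_threshold=40, local_prefixes=("202", "703", "301")):
    """Bucket calls into fixed windows and flag two flood shapes.
    Thresholds and the 'local' area-code prefixes are illustrative assumptions."""
    recs = sorted(records, key=lambda r: r.ts)
    if not recs:
        return []
    t0, win_s = recs[0].ts, window.total_seconds()
    bins = defaultdict(list)
    for r in recs:
        idx = int((r.ts - t0).total_seconds() // win_s)
        bins[t0 + timedelta(seconds=idx * win_s)].append(r)

    events = []
    for start, calls in sorted(bins.items()):
        by_src = Counter(r.source for r in calls)
        top_src, top_n = by_src.most_common(1)[0]
        if top_n >= single_source_threshold:
            # One number dominating the window: the D.C. 9-1-1 incident shape.
            events.append({"kind": "single_source_flood", "window_start": start,
                           "source": top_src, "calls": top_n})
        elif len(calls) >= rate_threshold:
            # Volume spike spread over many numbers: the spoofed-source incident shape.
            n = len(calls)
            events.append({"kind": "distributed_flood", "window_start": start, "calls": n,
                           "distinct_sources": len(by_src),
                           "nonlocal_share": sum(not r.source.startswith(local_prefixes) for r in calls) / n,
                           "dead_air_share": sum(r.duration_s == 0 for r in calls) / n})
    return events


def triage(event):
    """Map a flood event onto a coarse NIDE label. Hypothetical rules for illustration."""
    if event["kind"] == "single_source_flood":
        return "intentional TDoS or persistent harassing caller (single source)"
    if event["dead_air_share"] >= 0.5 or event["nonlocal_share"] >= 0.5:
        return "intentional TDoS (distributed, likely spoofed sources)"
    return "inadvertent TDoS candidate (robocalls, faxes, call pumping): review"


if __name__ == "__main__":
    for ev in detect_floods(make_sample()):
        print(ev["window_start"].time(), ev["kind"], ev["calls"], "->", triage(ev))
```

On the constructed sample the detector raises one single-source event (60 calls from 4105550199 in the first window) and one distributed event (70 calls from 70 distinct numbers in the second window, 6/7 of them non-local dead air). The split between the two shapes matters for response: a single-source flood can be handled by treating that number, while a distributed flood with valid spoofed numbers cannot, which is why the slides later point to queue and priority control rather than blocking.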
Approach – NIDE Detection
Develop machine learning models
Augment existing Call Authentication Service (CAS)
Integrate with existing PolicyGuru solution
Use West/ECaTS dashboard for visualization
Develop interface for communication of events
Ideally integrate into West NG9-1-1 offering
Ideally integrate into EC3 concept
Approach – Architecture (diagram; component labels recovered from the slide)
Service Provider
Call Handling System
SIP Trunk
SBC
Network Tap
ENUM
ENUM Appliance
SIP/RTP Probe
Visualization
Call Authentication and NIDE Detection Service
Mediation Server
ESRP
NG9-1-1 ESInet
AWS
PSAP/NCCIC
Benefits
Will result in a solution that protects NG9-1-1 from NIDEs
Will distinguish between NIDEs and legitimate events
Usable by metro area NG9-1-1 centers
Usable by the National Cybersecurity & Communications Integration Center (NCCIC)
Used by the Emergency Communications Cybersecurity Center (EC3)
Will apply to any communication system
Possibly extend to legacy systems and text/video
Competition/Alternatives
Competitors offer less comprehensive solutions: much less robust detection (spoofing, for example)
Some service providers have limited offerings: AT&T and Verizon resell SecureLogix solutions
Ribbon Communications: we partner with Cisco and Oracle
Some very small competitors: Comtech, Motorola, others
Current Status
Defined NIDEs
Designed solution architecture
Developing prototype and deploying at pilots: defined visualization screens, started implementation of machine learning detection
Working with pilot partners
Working with Office of Emergency Communications (OEC) on EC3
Current Status – NG9-1-1 Call Authentication Service (diagram; labels recovered from the slide)
Inputs: Verizon X-Headers, TRUSTID, Blacklists, New Tech, STIR/SHAKEN, Patterns, Numbers, Verizon API, Government/DoD/DHS
Engines: TDoS Engine, Scam Engine
Core: Call Authentication Service Machine Learning Core
Current Status
Transition/Completion Activities
Solution deployed at two pilot partners
Solution deployed at several counties in the D.C. area
Interest from multiple NG9-1-1 systems
Working to integrate solution into AT&T and West offerings
Working to integrate solution with EC3
CAS useful in any voice environment
Lessons Learned
9-1-1 systems are very vulnerable to TDoS:
Primary threat is through mobile calls (80% of calls)
Possible to generate attacks through SIP and NSI phones
Other types of annoying attacks
Existing NG9-1-1 systems have a lot of variability:
No real standard NG9-1-1
Some manage ESInets, some outsource
Must access vendor-specific systems
Lessons Learned
Needed data is not in SIP: calling number and location
No consensus on call treatment:
No Session Border Controllers (SBCs) to interface with
Most likely approach is control of queues and priorities
Detection belongs in the cloud: easy to change, machine learning, EC3
Visualization is critical
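The "control of queues and priorities" treatment named in the lessons learned, as an added illustration that is not the project's code: with no SBC to reject calls at, a detector's verdict can instead feed the answer queue, so that calls from sources implicated in a flood are answered after authenticated and unknown callers but are never dropped, since a spoofed number can belong to a real caller. The tier names, the tier_for policy and the arrival sequence are assumptions constructed for this example.

```python
import heapq
from itertools import count

# Priority tiers (hypothetical policy for illustration, not the project's):
# a lower number is answered first; no tier is ever dropped.
TIER_AUTHENTICATED = 0   # call authentication service vouched for the caller
TIER_UNKNOWN = 1         # no verdict either way (the normal case)
TIER_FLAGGED = 2         # source implicated in a detected flood; deprioritised only


def tier_for(source, authenticated, flagged):
    """Assign a tier from the call-authentication verdict and the detector's flagged-source set.
    A flagged source is deprioritised even if it was once authenticated."""
    if source in flagged:
        return TIER_FLAGGED
    if source in authenticated:
        return TIER_AUTHENTICATED
    return TIER_UNKNOWN


class CallQueue:
    """Min-heap keyed on (tier, arrival sequence): strict priority between tiers,
    first-come-first-served within a tier, so a flood cannot starve real callers."""

    def __init__(self):
        self._heap = []
        self._seq = count()

    def enqueue(self, call_id, tier):
        heapq.heappush(self._heap, (tier, next(self._seq), call_id))

    def dequeue(self):
        _tier, _seq, call_id = heapq.heappop(self._heap)
        return call_id

    def __len__(self):
        return len(self._heap)


def answer_order(arrivals, authenticated=frozenset(), flagged=frozenset()):
    """arrivals: (call_id, source) pairs in arrival order. Returns the order in which
    calls are answered once the queue drains, i.e. what the call-takers would see."""
    q = CallQueue()
    for call_id, source in arrivals:
        q.enqueue(call_id, tier_for(source, authenticated, flagged))
    return [q.dequeue() for _ in range(len(q))]


if __name__ == "__main__":
    # Constructed arrival sequence: flood calls from 4105550199 interleaved with real callers.
    arrivals = [("c1", "4105550199"), ("c2", "2025551001"), ("c3", "4105550199"),
                ("c4", "2025551002"), ("c5", "4105550199")]
    print(answer_order(arrivals, authenticated={"2025551002"}, flagged={"4105550199"}))
    # -> ['c4', 'c2', 'c1', 'c3', 'c5']
```

The authenticated caller c4 is answered first even though it arrived fourth, the unknown caller c2 next, and the three flagged calls last but still in arrival order. Because nothing is discarded, a false positive from the detector costs a caller waiting time rather than access to 9-1-1.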