dynamic real-time security for seamless service ... · pdf filedynamic real-time security for...
TRANSCRIPT
Erol Gelenbe
Fellow of the French National Academy of Engineering
www.nemesys-project.eu
No. 317888
Dynamic Real-Time Security for Seamless
Service Provisioning in the Mobile
Ecosystem
Your Euros at Work ..
ICL, TUB, CERTH, Telecom Italia IT, COSMOTE, HISPASEC
www.nemesys-project.eu
No. 317888
Critical Applications
Private Communications: Eavesdropping & Deceit
Access and Update of Sensitive Data – E Health,
Business Data, False Data, Deceit
The Internet of Things – Smart Grid, Smart
Vehicles, Cyber-Technical Systems
Mobile Economy, Bitcoin, Payments
Mobile Security -- Why is it Important ??
www.nemesys-project.eu
No. 317888
www.nemesys-project.eu
No. 317888
Context and Tools NEMESYS Components
Observation: Dynamic Data Collection
External Data Sets
SECSIM: Simulator for Dynamic Security -
Signaling Storm Detection and Mitigation
Mobile Honeypots
Analytics, Visualization – Root
Cause Analysis
Rooting Security
www.nemesys-project.eu
No. 317888
Observation, Analyics and
Visualisation
Property/factors specific testing
The Visualization and Analysis
Placing Honeypots
Convergence time
Scalability
Processing complexity
Visual Correlation evaluation
User Perception
Integrability Evaluation
Detection of attacks
Analysis of signalling storms Disruption of Mobile Networks & Cyber-Technical Systems
Development of signalling storm detectors and mitigators
Changes in Standards with regard to Signalling
Attracting Attacks via Honeypots Where and How
Exploiting Resource Consumption (e.g. Computing time, Energy) & Billing
Real-time detector for signalling anomalies and a graph based algorithm for detecting billing
related attacks System Instability & Energy Cost of Signalling Attacks
Lightweight Technologies for Base Stations – Femtocells Risks
Anomaly detection framework for femtocell architectures and virtualisation to protect users and
femtocell devices
Specific anomaly detection algorithms running on top of this framework
www.nemesys-project.eu
No. 317888
Technical issues
5
Apps on mobile devices generating data traffic that results in excessive signalling load, causing outages, possible system breakdowns and performance degradations
Apps may not necessarily be malicious but together they act like a distributed denial-of-service attack (DDoS)
Root causes are due to interworking between the entire mobile ecosystem: smartphones, operating systems, apps, the network configuration, cloud services, and users
Poorly designed apps (e.g. incidents reported by DoCoMo [1], SK Telecom [2] and Nokia [3])
Outages in mobile cloud services [4]
Malware infections [5] (e.g. adware, SMS trojans, botnets)
Unwanted traffic from the Internet [6] (e.g. scanning worms, backscatter DoS traffic)
www.nemesys-project.eu
No. 317888
Detection based on signalling protocols
Signalling storms
6
[1] DoCoMo demands Google's help with signalling storm http://www.rethink-wireless.com/2012/01/30/docomo-demands-googles-signalling-storm.htm
[2] Operators Urge Action Against Chatty Apps http://www.lightreading.com/operators-urge-action-against-chatty-apps/d/d-id/687399#msgs
[3] Angry Birds + Android + ads = network overload http://www.itwire.com/business-it-news/networking/47823-angry-birds-%20-android-%20-ads-=-network-
overload
[4] OTT service blackouts trigger signaling overload in mobile networks http://blogs.nsn.com/mobile-networks/2013/09/16/ott-service-blackouts-trigger-signaling-
overload-in-mobile-networks/
[5] J. Li et al, “Characterizing high-frequency subscriber sessions in cellular data networks,” in Proc. IFIP Networking Conf. 2013.
[6] F. Ricciato et al., “On the impact of unwanted traffic onto a 3G network,” in Proc. SecPerU’06.
www.nemesys-project.eu
No. 317888
Radio resource control (RRC) state machine
7
Systems have been designed to:
Save spectrum
Stay in states with lower battery consumption
The cost in terms of signalling load is paid during state transitions
www.nemesys-project.eu
No. 317888
Congestion due to attacks
Signalling storms do not always translate into congestion in the data plane
The affected signalling servers are the RNC (3G) and MME (4G)
8
State transition model
9
www.nemesys-project.eu
No. 317888
Detection based on Signalling System Load & Types
10
Root Cause Analysis
Anomalous users Behavioral similarity
Core network impact
www.nemesys-project.eu
No. 317888
www.nemesys-project.eu
No. 317888
European R & D for Future Security and Privacy
Build Test-Beds for Cyberdefense with Large Scale Usecases
such as the IoT
Develop Sophisticated Dynamic Detection & Mitigation
Systems for existing and future systems
Revisit Networking Routing and Signaling Protocols for
Enhanced Security
Use Security and Privacy to Add Value to European Industry
and Commerce
Mobile Security – Prepare for the Future