Roger Piqueras Jover

Crime scene investigation: SMS spam data analysis

The Short Messaging Service (SMS), one of the most successful cellular services, generates millions of dollars in revenue for mobile operators. Estimates indicate that billions of text messages are traveling the airwaves daily. Nevertheless, text messaging is becoming a source of customer dissatisfaction due to the rapid surge of messaging abuse activities. Although spam is a well tackled problem in the email world, SMS spam experiences a yearly growth larger than 500%. In this paper we present, to the best of our knowledge, the first analysis of SMS spam traffic from a tier-1 cellular operator. Communication patterns of spammers are compared to those of legitimate cell-phone users and Machine to Machine (M2M) connected appliances. The results indicate that M2M systems exhibit communication profiles similar to spammers, which could mislead spam filters. Beyond the expected results, such as a large load of text messages sent out to a wide target list, other interesting findings are made. For example, the results indicate that the great majority of the spammers connect to the network with just a handful of different hardware models. We find the main geographical sources of messaging abuse in the US. We also find evidence of spammer mobility, voice and data traffic resembling the behavior of legitimate customers.

Enhancing the security of LTE networks against jamming attacks

The long-term evolution (LTE) is the newly adopted technology to offer enhanced capacity and coverage for current mobility networks, which experience a constant traffic increase and skyrocketing bandwidth demands. This new cellular communication system, built upon a redesigned physical layer and based on an orthogonal frequency division multiple access (OFDMA) modulation, features robust performance in challenging multipath environments and substantially improves the performance of the wireless channel in terms of bits per second per Hertz (bps/Hz). Nevertheless, as all wireless systems, LTE is vulnerable to radio jamming attacks. Such threats have security implications especially in the case of next-generation emergency response communication systems based on LTE technologies. This proof of concept paper overviews a series of new effective attacks (smart jamming) that extend the range and effectiveness of basic radio jamming. Based on these new threats, a series of new potential security research directions are introduced, aiming to enhance the resiliency of LTE networks against such attacks. A spread-spectrum modulation of the main downlink broadcast channels is combined with a scrambling of the radio resource allocation of the uplink control channels and an advanced system information message encryption scheme. Despite the challenging implementation on commercial networks, which would require inclusion of these solutions in future releases of the LTE standard, the security solutions could strongly enhance the security of LTE-based national emergency response communication systems.

Scalability of Machine to Machine systems and the Internet of Things on LTE mobile networks

Machine to Machine (M2M) systems are actively spreading, with mobile networks rapidly evolving to provide connectivity beyond smartphones and tablets. With billions of embedded devices expected to join cellular networks over the next few years, novel applications are emerging and contributing to the Internet of Things (IoT) paradigm. The new generation of mobile networks, the Long Term Evolution (LTE), has been designed to provide enhanced capacity for a large number of mobile devices and is expected to be the main enabler of the emergence of the IoT. In this context, there is growing interest in the industry and standardization bodies on understanding the potential impact of the scalability of M2M systems on LTE networks. The highly heterogeneous traffic patterns of most M2M systems, very different from those of smartphones and other mobile devices, and the surge of M2M connected devices over the next few years, present a great challenge for the network. This paper presents the first insights and answers on the scalability of the IoT on LTE networks, determining to what extent mobile networks could be overwhelmed by the large amount of devices attempting to communicate. Based on a detailed analysis with a custom-built, standards-compliant, large-scale LTE simulation testbed, we determine the main potential congestion points and bottlenecks, and determine which types of M2M traffic present a larger challenge. To do so, the simulation testbed implements realistic statistical M2M traffic models derived from fully anonymized real LTE traces of six popular M2M systems from one of the main tier-1 operators in the United States.

Connection-less communication of IoT devices over LTE mobile networks

The emergence of the Internet of Things (IoT) introduces a vast ecosystem of new network-enabled objects. Although most current cellular IoT services run over 2G and 3G cellular networks, the Long Term Evolution (LTE) is expected to be one of the main platforms for the emergence of new Machine to Machine (M2M) communication systems. Cellular communication protocols were designed and optimized to handle human-originated communications. However, with the forecasted deployment of billions of M2M devices, there is a growing concern in the industry that the cellular core may be overloaded by the sharp increase in control plane signaling load. The traffic characteristics of IoT devices are very different from those of smartphones and can enhance the risk for signaling storms. A new connection-less communication protocol for IoT systems over LTE mobile networks is proposed to spare signaling exchanges at the cellular core for M2M communications. It requires no standards modification and provides an overlaying channel between connected objects and base stations. Its effectiveness is demonstrated through simulations with realistic background network load parameters extracted from real LTE traffic sniffed from a busy downtown Manhattan intersection.

Analysis and detection of SIMbox fraud in mobility networks

Voice traffic termination fraud, often referred to as Subscriber Identity Module box (SIMbox) fraud, is a common illegal practice on mobile networks. As a result, cellular operators around the globe lose billions annually. Moreover, SIMboxes compromise the cellular network infrastructure by overloading local base stations serving these devices. This paper analyzes the fraudulent traffic from SIMboxes operating with a large number of SIM cards. It processes hundreds of millions of anonymized voice call detail records (CDRs) from one of the main cellular operators in the United States. In addition to overloading voice traffic, fraudulent SIMboxes are observed to have static physical locations and to generate disproportionately large volume of outgoing calls. Based on these observations, novel classifiers for fraudulent SIMbox detection in mobility networks are proposed. Their outputs are optimally fused to increase the detection rate. The operators fraud department confirmed that the algorithm succeeds in detecting new fraudulent SIMboxes.

Is it really you?: user identification via adaptive behavior fingerprinting

The increased popularity of mobile devices widens opportunities for a user either to lose the device or to have the device stolen and compromised. At the same time, user interaction with a mobile device generates a unique set of features such as dialed numbers, timestamps of communication activities, contacted base stations, etc. This work proposes several methods to identify the user based on her communications history. Specifically, the proposed methods detect an abnormality based on the behavior fingerprint generated by a set of features from the network for each user session. We present an implementation of such methods that use features from real SMS, and voice call records from a major tier 1 cellular operator. This can potentially trigger a rapid reaction upon an unauthorized user gaining control of a lost or stolen terminal, preventing data compromise and device misuse. The proposed solution can also detect background malicious traffic originated by, for example, a malicious application running on the mobile device. Our experiments with annonymized data from 10,000 users, representing over 14 million SMS and voice call detail records, show that the proposed methods are scalable and can continuously identify millions of mobile users while preserving data privacy, and achieving low false positives and high misuse detection rates with low storage and computation overhead.

Anomaly detection in cellular Machine-to-Machine communications

Communication networks are rapidly evolving with connectivity reaching far beyond cell-phones, computers and tablets. Novel applications are emerging based on the widespread presence of network-enabled sensors and actuators. Machine-to-Machine (M2M) devices such as power meters, medical sensors and asset tracking appliances provide a new dimension to telecommunication services. The majority of these novel systems require low bandwidth and base their communications and control protocols on the Short Messaging Service (SMS). SMS-based attacks pose a serious threat to M2M devices and the servers/users communicating with them. Researchers have demonstrated how to remotely control embedded devices and leverage them for malicious message floods. These attacks can potentially be masked by the massive amounts of legitimate text messages traveling the airwaves daily and providing data connectivity to these connected M2M appliances. In this paper we propose two algorithms for detecting anomalous SMS activities and attacks on aggregate, cluster and individual device levels. Once these algorithms detect an anomaly they automatically determine the cause of the anomaly. Effectiveness of the algorithms has been demonstrated on real life SMS communication traffic of M2M devices connected to the network of one of the main tier-1 providers in the US.

Firecycle: A scalable test bed for large-scale LTE security research

LTE (Long Term Evolution) is the latest cellular communications standard to provide advanced mobile services that go beyond traditional voice and short messaging traffic. Mobility networks are experiencing a drastic evolution with the advent of Machine to Machine (M2M) systems and the Internet of Things (IoT), which is expected to result in billions of connected devices in the near future. In parallel, the security threat landscape against communication networks has rapidly evolved over the last few years, with major Distributed Denial of Service (DDoS) attacks and the substantial spread of mobile malware. In this paper we introduce Firecycle, a new modeling and simulation platform for next-generation LTE mobility network security research. This standards compliant platform is suitable for large-scale security analysis of threats against a real LTE mobile network. It is designed with the ability to be distributed over the cloud, with an arbitrary number of virtual machines running different portions of the network, thus allowing simulation and testing of a full-scale LTE mobility network with millions of connected devices. Moreover, the mobile traffic generated by the platform is modeled from real data traffic observations from one of the major tier-1 operators in the US.

How an SMS-based malware infection will get throttled by the wireless link

As smart phones increase in popularity, they become an attractive target for attackers and spammers. This paper presents a new simulation model that evaluates the effects of an SMS-based malware infection in GSM and UMTS networks. It is the first known work that accounts for the wireless link of the network in modeling of malware propagation. The paper demonstrates propagation of the SMS-transmitted malware in a densely populated metropolitan area. It shows that spreading rate of cellular malware is tightly bounded by the actual network architecture and strongly diverges from the pattern seen in regular wired Internet-connected networks.

Detecting Malicious Activity on Smartphones Using Sensor Measurements

Mobile devices have long been targets of malware attacks, exploiting the inherent trust that users place in them. They possess unique features, such as continuous internet connectivity, the ability to make premium phone calls and send premium SMS messages, storing sensitive information, and programmatically turning on the camera or microphone. Compromising these features opens up new attack possibilities and enlarges revenue streams for attackers. Despite various existing solutions for detecting mobile malware through binary analysis techniques, mobile malware infections have steadily been on the rise. This paper presents a novel system for detecting the malicious behavior based on smartphone sensor measurements. The system identifies various unique trigger events that should only occur via user action, such as sending SMS messages or turning on the camera or microphone, and determines whether the user initiated them. It can detect various categories of malware, including spamming botnets, premium service fraud, and spyware. The initial version of the prototype is implemented by modifying the default Android SMS messaging app to show that malware sending malicious messages can be detected based on smartphone sensor measurements.