Send the link below via email or IMCopy
Present to your audienceStart remote presentation
- Invited audience members will follow you as you navigate and present
- People invited to a presentation do not need a Prezi account
- This link expires 10 minutes after you close the presentation
- A maximum of 30 users can follow your presentation
- Learn more about this feature in our knowledge base article
Improving SS7 Security Using Machine Learning Techniques
Transcript of Improving SS7 Security Using Machine Learning Techniques
Gjøvik, June 15 2016
Master's Thesis Goals
Signaling System No. 7
Nervous system of telecommunication systems.
Family of protocols, used to provide:
... and more
SS7 is essentially the bread and butter of 2G and 3G networks.
In cooperation with 4G LTE, SS7 is essentially what makes telecommunication possible today.
The SS7 Stack
Makes it possible to transfer SS7 messages over IP.
Created in another era.
Trust between elements and operators.
Lack of security controls.
Liberalization of the telecommunication market
Push towards a freer market.
United States in 1996.
European Union in 1998.
Fewer larger monopolies.
Smaller companies use the existing infrastructure.
Transition to IP technology
IP networking is the future for telecoms.
4G LTE, SIGTRAN.
Easily available, reduced cost.
Custom applications, VoIP.
SS7 networks are opening up.
Accessibility, operators and people.
Merging two communication arenas.
From a historical perspective
Mobile Switching Center
Switches and routes calls, SMS, and data.
Home Location Register
Storage for subscriber info and settings:
Visitor Location Register
Local storage for subscriber information.
Usually co-located with the MSC.
Handles routing and delivering of SMS in the networks.
Equipment Identification Register (EIR)
Stores white, gray, and black lists of mobile equipment.
Used to potentially block stolen devices.
Connected to the SS7 network.
Provide SS7 capabilities.
Generate arbitrary SS7 messages.
The CN tracks subscribers.
Attacker can extract that info.
Location Area Code.
Accuracies down to street level.
Get free access to services.
Unlock stolen devices.
Steal and/or relinquish monetary values.
Denial of Services
Stop subscribers from calling, sending SMS, and use other services.
Individual or regional targets.
Interception of calls, SMS, and possibly data.
Can be combined with one-time passwords.
Highjack services relying on SMS as a safe/trusted channel.
SS7 is inherently interconnected.
Better service and coverage.
Potential access to other SS7.
SS7 over IP.
Misconfigured SS7 elements.
Unsatisfactory security implementation.
Why are attacks possible?
Connecting to SS7
Investigate SS7 vulnerabilities and threats
Discover mitigation techniques to SS7 attacks.
Propose an SS7 protection system using machine learning techniques.
Telephone number of the target.
International Mobile Subscriber Identity (IMSI).
Address of the currently serving MSC/VLR.
Spoof an SS7 element.
IMSI and addresses:
Stealing the subscriber
Example: The intercept SMS attack
Categorizing MAP messages
The MAP messages used in attacks can be categorized based on their needs for exposure.
Messages that have no legitimate need for external exposure.
Can simply be blocked at the network border.
Messages that have no legitimate need for exposure for an operator's own subscribers. But can be received for roaming subscribers.
Must check if subscriber is roaming. Does not protect roaming subscribers.
Messages that have legitimate need for external exposure.
Cannot be blocked.
Not that simple!
All SS7 messages used in attacks are:
Elements are created to respond and act on these messages.
Stopping SS7 Attacks
IMSI, new location, network origin.
Changes the location of the subscriber as seen by the network.
Potential detection mechanisms
Monitor behavior of subscribers and network elements.
Look for abnormalities in that behavior.
Representing and generalizing the behavior.
Machine learning and anomaly detection!
Change in traveling behavior.
Traveling a very long distance in a short amount of time.
Suspicious from a human perspective.
Analyzing the intercept SMS attack
Test machine learning on SS7 data.
Created my own SS7 network.
SS7 Attack Simulator
FOSS implemented in Java.
Forked from Restcomm's jSS7.
A real life scenario
Target of all attacks.
Moves to and from "work".
Location Area Code (LAC).
Gathered a sizeable dataset.
Twitter's Anomaly Detection Algorithm.
Seasonal Hybrid Extreme Studentized Deviation (S-H-ESD).
Unsupervised statistical algorithm.
Detect and stop attacks.
Vast amount of data.
Capable software and solutions.
Separate own SS7 from others.
Anomaly-based Network Abuse Detection System
Demonstration of online detection.
Distributed, reliable and scalable.
Apache Spark, ELK stack, Apache Kafka.
SS7 is vulnerable and being exploited.
Operators must acknowledge that fact.
Protect subscribers' privacy.
Improve network integrity.
Demonstration of machine learning.
A paper was submitted based on the approach in this thesis. It is currently undergoing review.
Experiments in a real SS7 network.
Improve application of machine learning.
Optimal performance of online detection.
Risks of machine learning and anomaly detection.
Extend the SS7 Attack Simulator.
Time since last location update.
Frequency of location updates.
Distance traveled since last location update.
Byte length of location update message.
Message network origin.
Traditionally uses the Mobile Application Part for transfer of data.
Thank you for your attention!