Improving SS7 Security Using Machine Learning Techniques

The presentation used when defending my master's thesis at NTNU Gjøvik.
by

Kristoffer Jensen

on 21 June 2016


Transcript of Improving SS7 Security Using Machine Learning Techniques

Improving SS7 Security Using Machine Learning Techniques
Kristoffer Jensen
Gjøvik, June 15 2016
Agenda
Master's Thesis Goals
Background
Vulnerabilities
Mitigation
Conclusion
Signaling System No. 7
(SS7)
Nervous system of telecommunication systems.

Used in:
The PSTN
2G (GSM)
3G (UMTS)
Family of protocols, used to provide:
Call management
Billing services
Authentication
Mobility management
SMS
... and more
SS7 is essentially the bread and butter of 2G and 3G networks.

In cooperation with 4G LTE, SS7 is essentially what makes telecommunication possible today.
The SS7 Stack
Signaling Transport
(SIGTRAN)
Makes it possible to transfer SS7 messages over IP.
The GSM
Core Network
The Problem
SS7 Design
Created in another era.
Trust between elements and operators.
Lack of security controls.
Liberalization of the telecommunication market
Push towards a freer market.
United States in 1996.
European Union in 1998.
Fewer larger monopolies.
Smaller companies use the existing infrastructure.
Transition to IP technology
IP networking is the future for telecoms.
4G LTE, SIGTRAN.
Easily available, reduced cost.
Custom applications, VoIP.
Consequences
SS7 networks are opening up.
Accessibility, operators and people.
Custom applications.
Rapid expansion.
Merging two communication arenas.
From a historical perspective
Mobile Switching Center
(MSC)
Switches and routes calls, SMS, and data.
Home Location Register
(HLR)
Storage for subscriber info and settings:
Status
Location
Permissions
Subscription information.
Visitor Location Register
(VLR)
Local storage for subscriber information.

Usually co-located with the MSC.
Short Message
Service Centre
(SMSC)
Handles routing and delivery of SMS in the network.
Equipment Identification Register (EIR)
Stores white, gray, and black lists of mobile equipment.

Used to potentially block stolen devices.
Media Attention
Prerequisites
Connected to the SS7 network.
Provide SS7 capabilities.
Generate arbitrary SS7 messages.
Location Tracking
The core network (CN) tracks subscribers.
Attacker can extract that info.
Location identifiers:
MSC/VLR Area.
Location Area Code.
Cell-ID.
Accuracies down to street level.
Fraud
Get free access to services.
Unlock stolen devices.
Steal and/or relinquish monetary values.
Denial of Service
Stop subscribers from calling, sending SMS, and using other services.
Individual or regional targets.
Interception
Interception of calls, SMS, and possibly data.
Can be combined with one-time passwords.
Hijack services relying on SMS as a safe/trusted channel.
Attacks
Interconnectivity
SS7 is inherently interconnected.
Better service and coverage.
Roaming.
Potential access to other SS7 networks.
Misconfiguration
SS7 over IP.
Internet accessibility.
Misconfigured SS7 elements.
Unauthorized access
to devices
Hacking devices.
Unsatisfactory security implementation.
Femtocells.
Why are attacks possible?
Connecting to SS7
Investigate SS7 vulnerabilities and threats
Discover mitigation techniques to SS7 attacks.
Propose an SS7 protection system using machine learning techniques.

Requirements
Telephone number of the target.
International Mobile Subscriber Identity (IMSI).
Address of the currently serving MSC/VLR.
Spoof an SS7 element.

IMSI and addresses:
MAP
sendRoutingInfoForSM
Steal subscriber:
MAP
updateLocation
Intercepting SMS
Stealing the subscriber
Example: The intercept SMS attack
Categorizing MAP messages
The MAP messages used in attacks can be categorized based on their needs for exposure.
Category 1
Messages that have no legitimate need for external exposure.

sendIdentification (SI)
anyTimeInterrogation (ATI)
anyTimeModification (ATM)
provideSubscriberLocation (PSL)

Can simply be blocked at the network border.
Category 2
Messages that have no legitimate need for external exposure for an operator's own subscribers, but can legitimately be received for roaming subscribers.

provideSubscriberInformation (PSI)
insertSubscriberData (ISD)
deleteSubscriberData (DSD)

Must check if subscriber is roaming. Does not protect roaming subscribers.
Category 3
Messages that have a legitimate need for external exposure.

updateLocation
sendRoutingInformation(SM/LCS)
sendAuthenticationInfo
registerSS
eraseSS
processUnstructuredSS
cancelLocation

Cannot be blocked.
Security Controls
Firewalls?
Misuse detection?
IDS?
IPS?

Not that simple!
Unfortunately...
All SS7 messages used in attacks are:
Standardized messages.
Inherently legal.
Network elements are designed to respond to and act on these messages.
Stopping SS7 Attacks
Components
Location update.
IMSI, new location, network origin.
Changes the location of the subscriber as seen by the network.
Potential detection mechanisms
Monitor behavior of subscribers and network elements.
Look for abnormalities in that behavior.
Representing and generalizing the behavior.

Machine learning and anomaly detection!
Behavioral changes
Change in traveling behavior.
Traveling a very long distance in a short amount of time.
Suspicious from a human perspective.
Analyzing the intercept SMS attack
Experimental setup
Test machine learning on SS7 data.
Created my own SS7 network.
SS7 Attack Simulator
FOSS implemented in Java.
Forked from Restcomm's jSS7.
Normal traffic.
Attacks.
A real life scenario
VIP.
Target of all attacks.
Moves to and from "work".
Location Area Code (LAC).
Offline experiment
Gathered a sizeable dataset.
Twitter's Anomaly Detection Algorithm.
Seasonal Hybrid Extreme Studentized Deviate (S-H-ESD).
Unsupervised statistical algorithm.
Online analysis
Detect and stop attacks.
Vast amount of data.
Capable software and solutions.
Separate own SS7 from others.
Anomaly-based Network Abuse Detection System
Demonstration of online detection.
FOSS.
Distributed, reliable and scalable.
"Big data".
Apache Spark, ELK stack, Apache Kafka.
Summary
SS7 is vulnerable and being exploited.
Operators must acknowledge that fact.
Protect subscribers' privacy.
Improve network integrity.
Demonstration of machine learning.
A paper was submitted based on the approach in this thesis. It is currently undergoing review.
Further work
Experiments in a real SS7 network.
Improve application of machine learning.
Optimal performance of online detection.
Prevention capabilities.
Risks of machine learning and anomaly detection.
Extend the SS7 Attack Simulator.
Features
Time since last location update.
Frequency of location updates.
Distance traveled since last location update.
Byte length of location update message.
Message network origin.
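As an added example (not code from the thesis or the SS7 Attack Simulator), the following Python computes the features listed above from a constructed sequence of updateLocation events for one IMSI and applies the "very long distance in a short time" check from the behavioral-changes slide; the LAC-to-coordinate lookup, the IMSI placeholder and the event format are assumptions.

```python
from dataclasses import dataclass
from math import asin, cos, radians, sin, sqrt

# Constructed LAC -> (lat, lon) lookup; assumes the operator can map its LACs to coordinates.
LAC_COORDS = {
    0x0101: (60.79, 10.69),    # constructed "home" area
    0x0102: (60.80, 10.70),    # constructed "work" area, a short distance away
    0x7F01: (-33.87, 151.21),  # constructed distant foreign area
}
@dataclass
class UpdateLocation:
    ts: float     # time of the message, seconds since epoch
    imsi: str     # subscriber identity carried in the message
    lac: int      # new Location Area Code
    origin: str   # network origin of the message
    msg_len: int  # byte length of the message

def haversine_km(a, b):  # great-circle distance in km between two (lat, lon) points
    lat1, lon1, lat2, lon2 = map(radians, (*a, *b))
    h = sin((lat2 - lat1) / 2) ** 2 + cos(lat1) * cos(lat2) * sin((lon2 - lon1) / 2) ** 2
    return 2 * 6371.0 * asin(sqrt(h))

def extract_features(events, window_s=3600.0):
    """One feature record per updateLocation of a single IMSI, in time order."""
    events = sorted(events, key=lambda e: e.ts)
    feats = []
    for i, ev in enumerate(events):
        prev = events[i - 1] if i else None
        dt = ev.ts - prev.ts if prev else None
        dist = haversine_km(LAC_COORDS[prev.lac], LAC_COORDS[ev.lac]) if prev else 0.0
        recent = sum(1 for e in events[: i + 1] if ev.ts - e.ts <= window_s)
        feats.append({
            "seconds_since_last": dt,      # time since last location update
            "updates_in_window": recent,   # frequency of location updates
            "distance_km": dist,           # distance traveled since last update
            "speed_kmh": dist / (dt / 3600.0) if dt else 0.0,
            "msg_len": ev.msg_len,         # byte length of the message
            "origin": ev.origin,           # message network origin
        })
    return feats

def flag_impossible_travel(feats, max_kmh=1000.0):  # faster than an airliner is not a real move
    return [f for f in feats if f["speed_kmh"] > max_kmh]

# Constructed sample: home -> work, then a distant foreign network claims the same IMSI.
SAMPLE = [
    UpdateLocation(0.0, "IMSI-PLACEHOLDER", 0x0101, "home-plmn", 60),
    UpdateLocation(28800.0, "IMSI-PLACEHOLDER", 0x0102, "home-plmn", 60),
    UpdateLocation(29100.0, "IMSI-PLACEHOLDER", 0x7F01, "foreign-plmn-X", 64),
]
```

The speed rule is only a stand-in for the statistical detector the thesis uses; the feature records are what such a detector would consume.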
Traditionally uses the Mobile Application Part for transfer of data.
Thank you for your attention!


Any questions?
https://github.com/polarking