SMS Watchdog: Profiling Social Behaviors of SMS Users for Anomaly Detection
Authors: Guanhua Yan, Stephan Eidenbenz, Emanuele Galli
Presented by: Ishtiaq Rouf

Overview of presentation
- Introduction to Short Message System (SMS)
  - SMS architecture, tracing SMSs, SMS proxy
  - Common threats to SMS systems, existing solutions
- Behavior analysis
  - Statistically accurate metrics
- SMS Watchdog
  - Detection types
- Performance analysis
  - Accuracy and usefulness of the protocol

Short Message System
An overview of the SMS architecture, SMS proxies, and common threats to SMS systems.

Short message system (SMS)
- SMSs were introduced in the 1980s and have since become part of the fabric of our lives.
- Uses the signaling paths that are there to control the telephony traffic.
  - Not an intended use! Designed for emergencies only.
- More than 1 trillion SMSs are delivered each year.
- Lucrative target for attackers.

Threats to SMS systems
- Common network attacks launched against SMS:
  - Spamming: sending unsolicited messages
  - Spoofing: falsely pretending to be a sender
  - Phishing: trying to steal device information

Previously attempted solutions
- IP-based solutions:
  - Signature-based detection schemes to examine mobile network traffic
  - Power usage of mobile applications
  - Machine-learning-based approach to discriminate at the level of APIs
- Information-theoretic solutions:
  - Analysis of the message size distribution and the service time distribution
  - User clique analysis, similar to spam protection

Limitations of traditional methods
- No determination of mobility
  - Mobility of a malicious device is not considered
- One-size-fits-all solutions
  - Attempting to use solutions that are not scaled for SMS
- Power requirements
  - Solutions are not suitable for battery-operated devices
- Computational complexity
  - Cellular phones have less computational ability than servers and workstations

Features of the proposed solution
- Apply a protection mechanism at the SMS Center
  - Implemented at the server, where most control and information are available
- Collect usage data over five months to create a usage trace
  - Used to train a pattern recognition script
  - An SMS proxy in Italy was used to collect the data
- Four unique schemes used in combination
  - A combination of four systems will work better than one "silver bullet" solution

SMS Architecture
- Alphabet soup:
  - BSS – Base Station System
  - SGSN – Serving GPRS Support Node
  - GGSN – Gateway GPRS Support Node
  - MSC – Mobile Switching Center
  - SMSC – SMS Center (protection applied here)

Behavior analysis
An overview of statistical methods that can be useful in analyzing the trace of SMS users.

Trace analysis

Usage analysis (1/4)
- Number of messages and unique senders/receivers per day over 5 months
- Increased usage as the number of users grows with time

Usage analysis (2/4)
- Average number of messages for persistent users (daily/weekly)
- Anomalous spikes make the system unreliable

Usage analysis (3/4)
- Average number of receivers per persistent user (daily/weekly)
- A similar spike in usage is observed

Usage analysis (4/4)
- Average entropies for persistent users (daily/weekly)
- Entropy is a better measure, but not a full solution

Window-based analysis

COV > 1 for window-based behaviors
- Window-based behaviors of SMS users bear lower variation than their temporally periodic behaviors.
- "COV > 1" (coefficient of variation above 1) means "high variation"
- Not useful for anomaly detection

Similarity measure
- The following equation is used to get the recipient similarity metric:
- Relative entropy is used as a comparison of distributions to determine similarity:
  - Jensen-Shannon (JS) divergence used
  - Provides relative symmetry

COV > 1 for similarity measure
- Divergence analysis shows better performance than the previous metrics.

SMS Watchdog
An overview of how SMS Watchdog is designed to make use of statistical analyses of behavioral patterns.

Threat models
- Two families of threats were considered:
  - Blending attacks: occur when an SMS user's account is used to send messages for a different person
    - Trojan horse
    - Spoofing
    - SMS proxy
  - Broadcast attacks: mirror the behaviors of mobile malware that send out phishing or spamming messages

Workflow of SMS Watchdog
- The proposed solution works in three steps:
  - Monitoring: maintains a window size, h, for each user that has subscribed to this service, and also keeps a count, k, of the number of SMSs sent
  - Anomaly detection: watches for anomalous behaviors (explained later)
  - Alert handling: sends an alert to the SMS user using a different medium

Anomaly detection
- Anomaly detection is done in multiple steps:
  - Decision on detection window size: minimize the COV of the JS divergence after grouping recipients (to maximize the level of similarity)
  - Mean-based anomaly detection: leverages the average number of unique recipients and the average entropy within each block (both show low variation); checks whether the means of these two metrics vary radically
  - Similarity-based anomaly detection: in a lightweight version, it is proposed that historic information be condensed into a set of recipients and a distribution function
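As an added illustration (not code from the paper or the presenter), the Python below computes the per-window metrics the slides name for one user: unique-recipient count (R-type), recipient entropy (H-type), recipient-set overlap (S-type) and the JS divergence of the recipient distributions (D-type), then applies the mean-based and similarity-based checks and the two hybrid rules from the later slides. The Jaccard form of the S-type metric, the thresholds and the sample windows are assumptions.

```python
import math
from collections import Counter

# Constructed sample: recipients of one user's last h = 8 SMSs in three
# windows, oldest first. BURST is a hypothetical broadcast to eight numbers
# the user never messaged before (placeholder values, not real numbers).
HISTORY = ["alice", "bob", "alice", "carol", "alice", "bob", "dave", "alice"]
BENIGN = ["bob", "alice", "alice", "carol", "alice", "eve", "bob", "alice"]
BURST = ["+1555000%02d" % i for i in range(1, 9)]

def distribution(window):
    """Fraction of the window's SMSs sent to each recipient."""
    n = len(window)
    return {r: c / n for r, c in Counter(window).items()}

def entropy(dist):
    """Shannon entropy in bits of a recipient distribution (H-type metric)."""
    return -sum(p * math.log2(p) for p in dist.values())

def js_divergence(p, q):
    """Jensen-Shannon divergence in bits: symmetric, bounded by 1 (D-type metric)."""
    m = {k: 0.5 * (p.get(k, 0.0) + q.get(k, 0.0)) for k in set(p) | set(q)}
    kl = lambda a: sum(a[k] * math.log2(a[k] / m[k]) for k in a)
    return 0.5 * kl(p) + 0.5 * kl(q)

def set_similarity(p, q):
    """Jaccard overlap of the two recipient sets (assumed form of the S-type metric)."""
    a, b = set(p), set(q)
    return len(a & b) / len(a | b)

def check_window(history, current, ratio=1.5, min_overlap=0.2, max_js=0.5):
    """Compare the current window with the user's history; thresholds are assumptions."""
    hp, cp = distribution(history), distribution(current)
    flags = {
        "R": len(cp) > ratio * len(hp),             # unique recipients jumped (mean-based)
        "H": entropy(cp) > ratio * entropy(hp),     # recipient entropy jumped (mean-based)
        "S": set_similarity(hp, cp) < min_overlap,  # recipient set drifted (similarity-based)
        "D": js_divergence(hp, cp) > max_js,        # distribution drifted (similarity-based)
    }
    # Hybrid rules from the slides: R/H/S/D fires on any flag, S/D only on S or D.
    flags["R/H/S/D"] = any(flags[k] for k in "RHSD")
    flags["S/D"] = flags["S"] or flags["D"]
    return flags

if __name__ == "__main__":
    for name, window in (("benign", BENIGN), ("burst", BURST)):
        print(name, check_window(HISTORY, window))
```

The burst window has disjoint recipients, so its JS divergence from the history reaches the maximum of 1 bit and every flag fires, while the benign window (one new contact) stays below all thresholds.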

Threat determination metric

Performance analysis
Evaluation of the experimental performance observed by the authors.

False positive rates

Detecting blending attacks
- The entire dataset was divided into pairs
- Observations:
  - Similarity-based (S- and D-type) schemes detect better: their detection metrics contain more information
  - H- and D-type perform better than R- and S-type: they consider not only the set of unique recipients but also the distribution of the number of SMSs sent to each recipient

Detecting broadcast attacks

Hybrid detection
- Two hybrid schemes proposed:
  - R/H/S/D: any flag is treated as anomalous
  - S/D: only S- and D-type flags are treated as anomalous
- Performance of hybrid detection schemes:

Self-reported limitations
- SMS Watchdog fails to detect the following cases:
  - SMS faking attacks
  - Transient accounts that are set up for phishing
  - Behavioral training that is not covered

Questions?