
1 SMS WATCHDOG: PROFILING SOCIAL BEHAVIORS OF SMS USERS FOR ANOMALY DETECTION Authors: Guanhua Yan, Stephan Eidenbenz, Emannuele Galli Presented by: Ishtiaq Rouf

2 Overview of presentation
- Introduction to the Short Message Service (SMS)
  - SMS architecture, tracing SMSs, SMS proxy
  - Common threats to SMS systems, existing solutions
- Behavior analysis
  - Metrics that are statistically stable enough for detection
- SMS Watchdog
  - Detection types
- Performance analysis
  - Accuracy and usefulness of the scheme

3 Short Message Service: an overview of the SMS architecture, SMS proxies, and common threats to SMS systems.

4 Short Message Service (SMS)
- SMS was specified in the 1980s as part of GSM and has since become part of everyday life.
- Messages ride on the signaling channels that control telephony traffic.
  - Not the channels' intended use: they were designed for call control and emergency signaling.
- More than 1 trillion SMSs are delivered each year.
  - A lucrative target for attackers.

5 Threats to SMS systems
- Common network attacks launched against SMS:
  - Spamming: sending unsolicited messages in bulk
  - Spoofing: forging the sender identity of a message
  - Phishing: luring the recipient into disclosing credentials or other personal information

6 Previously attempted solutions
- IP-based solutions:
  - Signature-based detection schemes that examine mobile network traffic
  - Monitoring the power usage of mobile applications
  - Machine-learning approaches that discriminate at the level of API calls
- Information-theoretic solutions:
  - Analysis of message size distribution and service time distribution
  - User clique analysis, similar to e-mail spam protection

7 Limitations of traditional methods
- Mobility is not modeled
  - The mobility of a malicious device is not taken into account
- One-size-fits-all solutions
  - Schemes designed for other settings do not scale to SMS
- Power requirements
  - On-device solutions are not suitable for battery-operated devices
- Computational complexity
  - Cellular phones have far less computational capacity than servers and workstations

8 Features of the proposed solution
- Apply the protection mechanism at the SMS Center (SMSC)
  - Implemented at the server, where most of the control and information is available
- Five months of usage data collected from an SMS proxy in Italy form the trace
  - Used to build a behavioral profile for each user
- Four detection schemes used in combination
  - A combination of four schemes works better than any single "silver bullet"

9 SMS architecture
- Alphabet soup:
  - BSS – Base Station System
  - SGSN – Serving GPRS Support Node
  - GGSN – Gateway GPRS Support Node
  - MSC – Mobile Switching Center
  - SMSC – SMS Center (protection is applied here)

10 Behavior analysis: an overview of statistical methods useful for analyzing the trace of SMS users.

11 Trace analysis (figure-only slide)

12 Usage analysis (1/4)
- Number of messages and of unique senders/receivers per day over the 5 months
- Usage increases as the user base grows over time

13 Usage analysis (2/4)
- Average number of messages per persistent user (daily/weekly)
- Anomalous spikes make these averages unreliable as a baseline

14 Usage analysis (3/4)
- Average number of receivers per persistent user (daily/weekly)
- Similar spikes in usage are observed

15 Usage analysis (4/4)
- Average entropy of the recipient distribution for persistent users (daily/weekly)
- Entropy is a more stable measure, but not a full solution on its own

16 Window-based analysis (figure-only slide)

17 COV > 1 for window-based behaviors
- COV (coefficient of variation) is the standard deviation divided by the mean; COV > 1 means a metric varies by more than its own average, i.e. "high variation".
- A metric with COV > 1 for many users is not useful for anomaly detection: no threshold separates normal from anomalous windows.
- Window-based behaviors (metrics computed over each block of h consecutive messages) show lower variation than the temporally periodic (daily/weekly) behaviors.

18 Similarity measure
- The recipient similarity metric is computed with the equation shown on the slide.
- Relative entropy (Kullback-Leibler divergence) compares two distributions to determine their similarity.
  - The Jensen-Shannon (JS) divergence is used instead because, unlike relative entropy, it is symmetric and bounded.

19 COV > 1 for similarity measure
- The divergence-based similarity measure shows lower variation (fewer cases with COV > 1) than the previous metrics, making it a better basis for detection.

20 SMS Watchdog: an overview of how SMS Watchdog uses the statistical analysis of behavioral patterns.

21 Threat models
- Two families of threats were considered:
  - Blending attacks: an SMS user's account is used to send messages on behalf of someone else, so the attacker's messages blend into the user's own traffic. Examples:
    - Trojan horse on the handset
    - Spoofing
    - Abuse of an SMS proxy
  - Broadcast attacks: mirror the behavior of mobile malware that sends out phishing or spam messages to many recipients

22 Workflow of SMS Watchdog
- The proposed solution works in three steps:
  - Monitoring: maintains a detection window size h for each user subscribed to the service, and a running count k of the SMSs the user has sent
  - Anomaly detection: checks each completed window for anomalous behavior (explained on the following slides)
  - Alert handling: sends an alert to the SMS user over a different medium

23 Anomaly detection
- Anomaly detection proceeds in multiple steps:
  - Choice of detection window size h: pick the h that minimizes the COV of the JS divergence between windows after grouping recipients, i.e. that maximizes the similarity between a user's own windows
  - Mean-based anomaly detection: uses the average number of unique recipients (R-type) and the average entropy of the recipient distribution (H-type) within each window, both of which show low variation, and flags a window whose value deviates radically from the historical mean
  - Similarity-based anomaly detection: compares the current window against the user's history by recipient set (S-type) and by recipient distribution via JS divergence (D-type); in a lightweight version the history is condensed into a set of recipients and a distribution function
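The window-based metrics of slides 17 and 18 and the monitoring/detection steps of slides 22 and 23, as an added Python example on constructed traffic (not the authors' code). Everything beyond the slides is an assumption: Jaccard overlap for the S-type set comparison, a relative-deviation tolerance for the mean-based R/H checks, a mean + 3·std cut-off for the D-type check, and the phone numbers themselves.

```python
"""Window-based profiling of one SMS sender, in the spirit of SMS Watchdog.

Added example with constructed traffic; not the paper's code. Assumptions
beyond the slides: Jaccard overlap for the S-type set similarity, a relative
deviation tolerance for the mean-based R/H checks, a mean + 3*std threshold
for the D-type check, and the (fictitious) phone numbers below.
"""
import math
from collections import Counter
from statistics import mean, pstdev

# ---- constructed traffic: recipient of each SMS sent by one subscriber ----
HISTORY = (
    ["+39-001"] * 4 + ["+39-002"] * 3 + ["+39-003"] * 2 + ["+39-004"]      # window 1
    + ["+39-001"] * 3 + ["+39-002"] * 3 + ["+39-003"] * 3 + ["+39-004"]    # window 2
    + ["+39-001"] * 5 + ["+39-002"] * 2 + ["+39-003"] * 2 + ["+39-004"]    # window 3
    + ["+39-001"] * 4 + ["+39-002"] * 4 + ["+39-003"] + ["+39-005"]        # window 4
)
NORMAL = ["+39-001"] * 4 + ["+39-002"] * 3 + ["+39-003"] * 2 + ["+39-004"]
# blending: a trojan slips 3 messages to two unknown numbers into an otherwise normal window
BLENDING = ["+39-001"] * 3 + ["+39-002"] * 2 + ["+39-003"] * 2 + ["+39-666"] * 2 + ["+39-667"]
# broadcast: malware sends one message each to 10 numbers never contacted before
BROADCAST = ["+39-9%02d" % i for i in range(10)]


def windows(recipients, h):
    """Split a message sequence into consecutive detection windows of h messages."""
    return [recipients[i:i + h] for i in range(0, len(recipients) - h + 1, h)]


def distribution(recipients):
    """Fraction of the window's messages sent to each recipient."""
    n = len(recipients)
    return {r: c / n for r, c in Counter(recipients).items()}


def entropy(dist):
    """Shannon entropy (bits) of a recipient distribution."""
    return -sum(p * math.log2(p) for p in dist.values() if p > 0)


def kl(p, q):
    """Relative entropy D(p||q); q must be non-zero wherever p is."""
    return sum(pi * math.log2(pi / q[r]) for r, pi in p.items() if pi > 0)


def js_divergence(p, q):
    """Jensen-Shannon divergence: symmetric and bounded by 1 bit (reached for disjoint supports)."""
    m = {r: (p.get(r, 0.0) + q.get(r, 0.0)) / 2 for r in set(p) | set(q)}
    return 0.5 * kl(p, m) + 0.5 * kl(q, m)


def cov(values):
    """Coefficient of variation: std / mean; COV > 1 marks a metric too noisy to threshold."""
    mu = mean(values)
    return pstdev(values) / mu if mu else float("inf")


def rel_dev(x, mu):
    """Relative deviation of an observation from the historical mean."""
    return abs(x - mu) / mu


class Profile:
    """Per-user model built from historical windows (the 'monitoring' step)."""

    def __init__(self, history, h, tol=0.5):
        train = windows(history, h)
        self.h, self.tol = h, tol
        self.mean_unique = mean(len(set(w)) for w in train)               # R-type baseline
        self.mean_entropy = mean(entropy(distribution(w)) for w in train)  # H-type baseline
        self.recipients = set(history)                                     # S-type baseline
        self.dist = distribution(history)                                  # D-type baseline
        js_train = [js_divergence(distribution(w), self.dist) for w in train]
        self.js_cov = cov(js_train)  # the quantity minimised over h when choosing the window size
        self.js_threshold = mean(js_train) + 3 * pstdev(js_train)  # assumed D-type cut-off

    def check(self, window):
        """Return which of the four detectors flag this window of h messages."""
        d = distribution(window)
        jaccard = len(self.recipients & set(window)) / len(self.recipients | set(window))
        return {
            "R": rel_dev(len(set(window)), self.mean_unique) > self.tol,
            "H": rel_dev(entropy(d), self.mean_entropy) > self.tol,
            "S": jaccard < 0.5,  # assumed set-similarity cut-off
            "D": js_divergence(d, self.dist) > self.js_threshold,
        }


def hybrid(flags, scheme="R/H/S/D"):
    """Hybrid verdict: any detector named in the scheme flagging the window is anomalous."""
    return any(flags[t] for t in scheme.split("/"))


if __name__ == "__main__":
    profile = Profile(HISTORY, h=10)
    print("COV of JS divergence over training windows:", round(profile.js_cov, 3))
    for name, w in [("normal", NORMAL), ("blending", BLENDING), ("broadcast", BROADCAST)]:
        flags = profile.check(w)
        print(name, flags, "S/D hybrid:", hybrid(flags, "S/D"))
```

The blending window keeps the same number of unique recipients and nearly the same entropy as the history, so the mean-based R and H checks pass it, while the set-based S check and the distribution-based D check flag it; the broadcast window trips all four. Building `Profile(HISTORY, h)` for several values of h and keeping the one with the smallest `js_cov` is the window-size selection step of slide 23.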

24 Threat determination metric (figure-only slide)

25 Performance analysis: evaluation of the experimental performance observed by the authors.

26 False positive rates (figure-only slide)

27 Detecting blending attacks
- The users in the dataset were divided into pairs
- Observations:
  - Similarity-based (S- and D-type) schemes detect better than the mean-based ones, because their detection metrics carry more information
  - H- and D-type perform better than R- and S-type, because they consider not only the set of unique recipients but also the distribution of the number of SMSs sent to each recipient

28 Detecting broadcast attacks (figure-only slide)

29 Hybrid detection
- Two hybrid schemes were proposed:
  - R/H/S/D: a flag raised by any of the four detectors is treated as anomalous
  - S/D: only flags raised by the S- and D-type detectors are treated as anomalous
- Performance of the hybrid detection schemes: (figure on slide)

30 Self-reported limitations
- SMS Watchdog fails to detect the following cases:
  - SMS faking attacks
  - Transient accounts set up only for phishing, which have no history to profile
  - Behaviors not covered by the training data

31 Questions?

