Na Ruan,Qi Hu,Lei Gao,Haojin Zhu,Qingshui Xue,Weijia Jia,Jingyu Cui

DOI: https://doi.org/10.1109/glocom.2016.7841555

2016-01-01

Abstract:With rapid growth of LTE network and Voice-over-LTE(VoLTE), detecting and preventing security threats like Denial of Service attack becomes a necessary and urgent requirement. VoLTE is an voice solution based on Internet Protocol and 4G LTE technology, at the same time exposing many vulnerabilities when using packet-switched network. There are many heavy weighted detection systems using content analysis, while high demands of computing resource constraint their practical use. In this paper, we purpose a lightweight detection scheme for VoLTE network security, based on analysis of data traffic flow. To optimize parameters in our scheme, we formulate a Bayesian game model. Bayesian game has the features of incomplete information and asymmetry, similar to practical attack-defense model. Besides, The dynamic Bayesian game is more realistic, since both sides can update believes about their opponents. Simulation results provide some guidances on parameter selection, as well as verifying the superiority of our scheme.

Mingli Wu,Na Ruan,Shiheng Ma,Haojin Zhu,Weijia Jia,Qingshui Xue,Songyang Wu

DOI: https://doi.org/10.1007/978-3-319-60033-8_12

2017-01-01

Abstract:As a new generation voice service, Voice over LTE (VoLTE) has attracted worldwide attentions in both the academia and industry. Different from the traditional voice call based on circuit-switched (CS), VoLTE evolves into the packet-switched (PS) field, which is quite open to the public. Though designed rigorously, similar to VoIP service, VoLTE also suffers from SIP (Session Initiation Protocal) flooding attacks. In this paper, two schemes inspired by Counting Bloom Filter (CBF) are proposed to thwart these attacks. In scheme I, we leverage CBF to accomplish flooding attack detection. In scheme II, we design a versatile CBF-like structure, PFilter, to achieve the same goal. Compared with previous relevant works, our detection schemes gain advantages in many aspects including low-rate flooding attack and stealthy flooding attack. Moreover, not only can our schemes detect the attacks with high accuracy, but also find out the attacker to ensure normal operation of VoLTE. Extensive experiments are performed to well evaluate the performance of the proposed two schemes.

Na Ruan,Mingli Wu,Shiheng Ma,Haojin Zhu,Weijia Jia,Songyang Wu

DOI: https://doi.org/10.1587/transinf.2016inp0023

2017-01-01

IEICE Transactions on Information and Systems

Abstract:As a new generation voice service, Voice over LTE (VoLTE) has attracted worldwide attentions in both the academia and industry. Different from the traditional voice call based on circuit-switched (CS), VoLTE evolves into the packet-switched (PS) field, which has long been open to the public. Though designed rigorously, similar to VoIP services, VoLTE also suffers from SIP (Session Initiation Protocal) flooding attacks. Due to the high performance requirement, the SIP flooding attacks in VoLTE is more difficult to defend than that in traditional VoIP service. In this paper, enlightened by Counting Bloom Filter (CBF), we design a versatile CBF-like structure, PFilter, to detect the flooding anomalies. Compared with previous relevant works, our scheme gains advantages in many aspects including detection of low-rate flooding attack and stealthy flooding attack. Moreover, not only can our scheme detect the attacks with high accuracy, but also find out the attackers to ensure normal operation of VoLTE by eliminating their negative effects. Extensive experiments are performed to well evaluate the performance of the proposed scheme.

Chi-Yu Li,Guan-Hua Tu,chunyi peng,zengwen yuan,yuanjie li,songwu lu,xinbing wang

DOI: https://doi.org/10.1145/2810103.2813618

2015-01-01

Abstract:VoLTE (Voice-over-LTE) is the designated voice solution to the LTE mobile network, and its worldwide deployment is underway. It reshapes call services from the traditional circuit-switched telecom telephony to the packet-switched Internet VoIP. In this work, we conduct the first study on VoLTE security before its full rollout. We discover several vulnerabilities in both its control-plane and data-plane functions, which can be exploited to disrupt both data and voice in operational networks. In particular, we find that the adversary can easily gain free data access, shut down continuing data access, or subdue an ongoing call, etc. We validate these proof-of-concept attacks using commodity smartphones (rooted and unrooted) in two Tier-1 US mobile carriers. Our analysis reveals that, the problems stem from both the device and the network. The device OS and chipset fail to prohibit non-VoLTE apps from accessing and injecting packets into VoLTE control and data planes. The network infrastructure also lacks proper access control and runtime check.

Zishuai Cheng,Mihai Ordean,Flavio Garcia,Baojiang Cui,Dominik Rys

DOI: https://doi.org/10.56553/popets-2023-0053

2023-04-01

Proceedings on Privacy Enhancing Technologies

Abstract:Voice over LTE (VoLTE) and Voice over NR (VoNR), are two similar technologies that have been widely deployed by operators to provide a better calling experience in LTE and 5G networks, respectively. The VoLTE/NR protocols rely on the security features of the underlying LTE/5G network to protect users' privacy such that nobody can monitor calls and learn details about call times, duration, and direction. In this paper, we introduce a new privacy attack which enables adversaries to analyse encrypted LTE/5G traffic and recover any VoLTE/NR call details. We achieve this by implementing a novel mobile-relay adversary which is able to remain undetected by using an improved physical layer parameter guessing procedure. This adversary facilitates the recovery of encrypted configuration messages exchanged between victim devices and the mobile network. We further propose an identity mapping method which enables our mobile-relay adversary to link a victim's network identifiers to the phone number efficiently, requiring a single VoLTE protocol message. We evaluate the real-world performance of our attacks using four modern commercial off-the-shelf phones and two representative, commercial network carriers. We collect over 60 hours of traffic between the phones and the mobile networks and execute 160 VoLTE calls, which we use to successfully identify patterns in the physical layer parameter allocation and in VoLTE traffic, respectively. Our real-world experiments show that our mobile-relay works as expected in all test cases, and the VoLTE activity logs recovered describe the actual communication with 100% accuracy. Finally, we show that we can link network identifiers such as International Mobile Subscriber Identities (IMSI), Subscriber Concealed Identifiers (SUCI) and/or Globally Unique Temporary Identifiers (GUTI) to phone numbers while remaining undetected by the victim.

English Else

Jianhong Lin,Tianyu Chen,Peng Wang,Chunming Wu

DOI: https://doi.org/10.1109/imcec55388.2022.10019885

2022-01-01

Abstract:With the rapid development of 5G technology, the number of telecom network users is exploding, which brings great pressure to the governance of the whole network. Voice spam, such as fraud, harassment and other illegal voice calls, not only occupy communication resources, but also disturb people's daily life and social order. In light of this, considering different scenario elements, this paper proposes a governance framework that considers time, location and user attributes simultaneously to identify and intercept voice spam. Specifically, we firstly use decision tree algorithm to recognize and classify voice spam in telecom network. Then, based on the frequent itemset theory, the malicious phone IDs are further analyzed and revealed. The telephone numbers are divided into white list, grey list, personal blacklist and group blacklist. Through simulation analysis and practical application in Zhengzhou area, the framework proposed can accurately detect voice spam and timely remind users of potential risks, providing users with secure voice services.

Wenhai Li,Wei Guo,Xiaolei Luo,Xiang Li

DOI: https://doi.org/10.1109/apscc.2010.84

2010-01-01

Abstract:As the core infrastructure of the VoIP, IMS and IPTV, SIP based network is now increasingly been deployed throughout the world. Due mainly to the relatively high flow rate and the exorbitant session maintenance, SIP servers are similarly susceptible to the Denial-of-Service (DoS) Attacks above the IP stack, especially when the Distributed spoofing URI is considered. A hybrid SIP DoS detection method is proposed in this paper to handle three representative flooding attacks, and the CUSUM statistical detection founded on the adaptive sliding window based acquisition is adopted for achieving high accuracy and low latency. Experimental result shows that this method achieves a high rate, low latency and low false alarm rate of SIP flooding detection.

Congqi Shen,Geyang Xiao,Shaofeng Yao,Boyang Zhou,Zhongxia Pan,Hong Zhang

DOI: https://doi.org/10.1109/spac53836.2021.9539933

2021-01-01

Abstract:Current Industrial Internet faces serious threats where attackers propagate malicious flows, resulting in communication failures in the Industrial Internet. In this work, we propose a practical and novel method to detect malicious traffic attack in real time with high accuracy. Our primary idea is to capture network flow, extract adequate network flow features, construct a long short-term memory (LSTM) based deep learning model, and identify the property of the corresponding network flow. Whether the network suffers attack or not is then determined according to the detection results. The corresponding prototype is also implemented in the Industrial Internet which is equipped with Software Defined Networking (SDN). Experimental results validate that the proposed method is effective in defending against malicious traffic attack in real-world network.

Linhong Guo,Xiaosong Zhang

DOI: https://doi.org/10.1088/1742-6596/1325/1/012108

2019-01-01

Journal of Physics Conference Series

Abstract:VoLTE (voice over LTE) is widely popular and the potential target for covert communications. The transmission of continuous and large amounts of data over VoLTE enables the construction of a covert channel. The existing covert channel construction scheme based on IPD (inter-packet delay) cannot be applied to VoLTE due to the particularity of the IPD of VoLTE traffics. In this paper, we propose a covert channel with intelligent confrontation for VoLTE traffic. It modulates messages in the relative relationship of voice and video packets based on learning of the characteristics of active attack traffic. The experimental results indicate that the proposed covert channel is undetectable and robust.

Yulong Fu,Hanlu Chen,Qinghua Zheng,Zheng Yan,Raimo Kantola,Xuyang Jing,Jin Cao,Hui Li

DOI: https://doi.org/10.1016/j.jnca.2020.102549

IF: 7.574

2020-01-01

Journal of Network and Computer Applications

Abstract:With the development of wireless communications, Mobile Networks have become an important part of our daily life and fueled the growth of many attractive technologies such as 5G, Internet of Things (IoT) and even Smart City. As a main bearer of current Mobile Networks, LTE/LTE-A carries massive and important business data but is facing more and more serious attack situations, which makes the Security Measurement over it become necessary and important. However, current methods are usually designed from specific malicious detections, which cannot provide the user with a synthetic view of security evaluation. Meanwhile, as the massive amount and poor quality of networking data are considered, the efficiency and accuracy of the current security measurement methods are usually not good. In this paper, we focus on the evaluation basis (the collecting data) of security measurement over LTE/LTE-A networks, and propose an Adaptive Security Data Collection and Composition Recognition (ASDCCR) method for it. We design heuristic algorithms and processing framework in ASDCCR to make the data collection adaptive and synthetic attack recognition become possible. We also verified the proposed method in simulated LTE environment of NS3 to verify the usability and accuracy of the proposed methods.

Zhiwei Cui,Baojiang Cui,Junsong Fu,Renhai Dong

DOI: https://doi.org/10.1155/2022/7395128

IF: 1.968

2022-09-05

Security and Communication Networks

Abstract:With the rapid development of 5G SA (standalone) networks, increasing subscribers are motivated to make calls through 5G. To support voice services critical to mobile users, 5G SA networks adopt two solutions: VoNR (Voice Over New Radio) and EPS (Evolved Packet System) fallback. At this stage, 5G SA networks provide voice services through EPS fallback, which leverages 4G networks to support voice calls for 5G users. This switch between cellular network systems may expose vulnerabilities to adversaries. However, there is a lack of security research on voice services in the 5G SA network. In this paper, we analyze the security of EPS fallback and its closely related IMS from the perspective of the protocol and the practices of the carriers. We uncover two protocol design vulnerabilities and two implementation flaws. In addition, we exploit them to design three attacks: voice DoS, voice monitoring, and SMS spoofing and interception. We validated these vulnerabilities and attacks using SDR (software-defined radio) tools and a set of open-source software in three mobile carriers. Our analysis reveals that the problems stem from both specifications and carrier networks. We finally propose several potential countermeasures to defend these attacks.

computer science, information systems,telecommunications

Guan-Hua Tu,Chi-Yu Li,Chunyi Peng,Yuanjie Li,Songwu Lu

DOI: https://doi.org/10.1145/2976749.2978393

2016-01-01

Abstract:SMS (Short Messaging Service) is a text messaging service for mobile users to exchange short text messages. It is also widely used to provide SMS-powered services (e.g., mobile banking). With the rapid deployment of all-IP 4G mobile networks, the underlying technology of SMS evolves from the legacy circuit-switched network to the IMS (IP Multimedia Subsystem) system over packet-switched network. In this work, we study the insecurity of the IMS-based SMS. We uncover its security vulnerabilities and exploit them to devise four SMS attacks: silent SMS abuse, SMS spoofing, SMS client DoS, and SMS spamming. We further discover that those SMS threats can propagate towards SMS-powered services, thereby leading to three malicious attacks: social network account hijacking, unauthorized donation, and unauthorized subscription. Our analysis reveals that the problems stem from the loose security regulations among mobile phones, carrier networks, and SMS-powered services. We finally propose remedies to the identified security issues.

D. Orlando,I. Palamà,S. Bartoletti,G. Bianchi,N. Blefari Melazzi,I. Palama

DOI: https://doi.org/10.1109/lwc.2021.3089636

IF: 6.3

2021-09-01

IEEE Wireless Communications Letters

Abstract:In this letter, we propose three schemes designed to detect attacks over the air interface in cellular networks. These decision rules rely on the generalized likelihood ratio test, and are fed by data that can be acquired using common off-the-shelf receivers. In addition to more classical (barrage/smart) noise jamming attacks, we further assess the capability of the proposed schemes to detect the stealthy activation of a rogue base station. The evaluation is carried out through an experimentation of a LTE system concretely reproduced using Software-Defined Radios. Illustrative examples confirm that the proposed schemes can effectively detect air interface threats with high probability.

computer science, information systems,telecommunications,engineering, electrical & electronic

QIU Jun-sha,MEI Lin,WANG Kong-lin,HU Guang-min

DOI: https://doi.org/10.3969/j.issn.1001-3695.2011.12.0060

2011-01-01

Abstract:First this paper proposed two detection methods based on either call statistic or traffic signal analysis respectively according to the attack types,then designed a detection system with two stage strategy,which comprised rough detection appl-ying the two methods and precise detection to confirm the attack and find out the source.Simulation shows that the scheme is effective and real-time in detecting typical attacks and can be practically applied,which provides a solution to deal with the new security issue introduced by network convergence.

Tian Xie,Guan-Hua Tu,Bangjie Yin,Chi-Yu Li,Chunyi Peng,Mi Zhang,Hui Liu,Xiaoming Liu

DOI: https://doi.org/10.48550/arXiv.1811.11274

2018-11-29

Abstract:Since 2016, all of four major U.S. operators have rolled out nationwide Wi-Fi calling services. They are projected to surpass VoLTE (Voice over LTE) and other VoIP services in terms of mobile IP voice usage minutes in 2018. They enable mobile users to place cellular calls over Wi-Fi networks based on the 3GPP IMS (IP Multimedia Subsystem) technology. Compared with conventional cellular voice solutions, the major difference lies in that their traffic traverses untrustful Wi-Fi networks and the Internet. This exposure to insecure networks may cause the Wi-Fi calling users to suffer from security threats. Its security mechanisms are similar to the VoLTE, because both of them are supported by the IMS. They include SIM-based security, 3GPP AKA (Authentication and Key Agreement), IPSec (Internet Protocol Security), etc. However, are they sufficient to secure Wi-Fi calling services? Unfortunately, our study yields a negative answer. We conduct the first study of exploring security issues of the operational Wi-Fi calling services in three major U.S. operators' networks using commodity devices. We disclose that current Wi-Fi calling security is not bullet-proof and uncover four vulnerabilities which stem from improper standard designs, device implementation issues and network operation slips. By exploiting the vulnerabilities, together with several state-of-the-art computer visual recognition technologies, we devise two proof-of-concept attacks: user privacy leakage and telephony harassment or denial of voice service (THDoS); both of them can bypass the security defenses deployed on mobile devices and the network infrastructure. We have confirmed their feasibility and simplicity using real-world experiments, as well as assessed their potential damages and proposed recommended solutions.

Cryptography and Security

Guan-Hua Tu,Yuanjie Li,Chunyi Peng,Chi-Yu Li,Muhammad Taqi Raza,Hsiao-Yun Tseng,Songwu Lu

DOI: https://doi.org/10.48550/arXiv.1510.08531

2015-10-29

Cryptography and Security

Abstract:Mobile Internet is becoming the norm. With more personalized mobile devices in hand, many services choose to offer alternative, usually more convenient, approaches to authenticating and delivering the content between mobile users and service providers. One main option is to use SMS (i.e., short messaging service). Such carrier-grade text service has been widely used to assist versatile mobile services, including social networking, banking, to name a few. Though the text service can be spoofed via certain Internet text service providers which cooperated with carriers, such attacks haven well studied and defended by industry due to the efforts of research community. However, as cellular network technology advances to the latest IP-based 4G LTE, we find that these mobile services are somehow exposed to new threats raised by this change, particularly on 4G LTE Text service (via brand-new distributed Mobile-Initiated Spoofed SMS attack which is not available in legacy 2G/3G systems). The reason is that messaging service over LTE shifts from the circuit-switched (CS) design to the packet-switched (PS) paradigm as 4G LTE supports PS only. Due to this change, 4G LTE Text Service becomes open to access. However, its shields to messaging integrity and user authentication are not in place. As a consequence, such weaknesses can be exploited to launch attacks (e.g., hijack Facebook accounts) against a targeted individual, a large scale of mobile users and even service providers, from mobile devices. Current defenses for Internet-Initiated Spoofed SMS attacks cannot defend the unprecedented attack. Our study shows that 53 of 64 mobile services over 27 industries are vulnerable to at least one threat. We validate these proof-of-concept attacks in one major US carrier which supports more than 100 million users. We finally propose quick fixes and discuss security insights and lessons we have learnt.

Baojiang Cui,Shengbo Feng,Qinshu Xiao,Ming Li

DOI: https://doi.org/10.1109/bwcca.2015.42

2015-01-01

Abstract:Through the analysis of LTE protocol and its security threat, this paper profoundly researches the security mechanism of RLC layer protocol in LTE protocol and the security detection technology of LTE protocol. In this paper, we use the improved fuzzing test technology to detect the potential security vulnerabilities in LTE protocol. In order to improve the efficiency, this paper improves the random Fuzzing test technology, proposes a new data mutation algorithm based on protocol format. By comparing the number of test cases, this paper verified the validity of the algorithm on the theory. According to the algorithm, we designed the fuzzing test framework, and detected LTE protocol based on N3-3 simulation platform. Through detection we have found a security defect in the RLC layer protocol, and it is verified that the security defect detection method of LTE protocol based on format fuzzing test is effective.

Jiaqi Li,Zhifeng Zhao,Rongpeng Li

DOI: https://doi.org/10.48550/arxiv.1708.04571

2017-01-01

Abstract:As an inevitable trend of future 5G networks, Software Defined architecture has many advantages in providing central- ized control and flexible resource management. But it is also confronted with various security challenges and potential threats with emerging services and technologies. As the focus of network security, Intrusion Detection Systems (IDS) are usually deployed separately without collaboration. They are also unable to detect novel attacks with limited intelligent abilities, which are hard to meet the needs of software defined 5G. In this paper, we propose an intelligent intrusion system taking the advances of software defined technology and artificial intelligence based on Software Defined 5G architecture. It flexibly combines security function mod- ules which are adaptively invoked under centralized management and control with a globle view. It can also deal with unknown intrusions by using machine learning algorithms. Evaluation results prove that the intelligent intrusion detection system achieves a better performance.

Hongliang Zhu,Bin Tian,Fei Wang,Yang Xin,Yixian Yang

DOI: https://doi.org/10.1109/wicom.2011.6040151

2011-01-01

Abstract:In this paper, we proposed a security system which can accomplish several various functions. The primary applications of this system includes: (1) lawful interception for the data of voip, email, instant message and other kinds of data; (2) filtering abnormality data packages; (3) blocking the illegal URL or sites; (4) performing net traffic and flow analysis and user behavior analysis; (5) doing network bandwidth monitoring, DDOS traffic cleaning; (6) SPAM filtering and so on. All the problems we involved are the most concerned by the operators engaged in telecommunication. The system architecture and the function we designed are based on the research of Lawful Interception (ETSI).

Kaiming Fang,Guanhua Yan

DOI: https://doi.org/10.1007/978-3-319-98989-1_2

2018-01-01

Abstract:The proliferation of 4G/LTE (Long Term Evolution)-capable mobile devices calls for new techniques and tools for assessing their vulnerabilities effectively and efficiently. Existing methods require significant human efforts, such as manual examination of LTE protocol specifications or manual analysis of LTE network traffic, to identify potential vulnerabilities. In this work, we investigate the possibility of automating vulnerability assessment of 4G/LTE mobile devices based on AI (Artificial Intelligence) techniques. Towards this end, we develop LEFT (LTE-Oriented Emulation-Instrumented Fuzzing Testbed), which perturbs the behavior of LTE network modules to elicit vulnerable internal states of mobile devices under test. To balance exploration and exploitation, LEFT uses reinforcement learning to guide behavior perturbation in an instrumented LTE network emulator. We have implemented LEFT in a laboratory environment to fuzz two key LTE protocols and used it to assess the vulnerabilities of four COTS (Commercial Off-The-Shelf) Android mobile phones. The experimental results have shown that LEFT can evaluate the security of 4G/LTE-capable mobile devices automatically and effectively.