
A Framework for Detecting Malformed SMS Attack

The 8th FTRA International Conference on Secure and Trust Computing, data management, and Applications (STA 2011). A Framework for Detecting Malformed SMS Attack. Outline: Introduction; Malformed message detection framework; Evaluation and experimental results; Conclusion.


Presentation Transcript


  1. The 8th FTRA International Conference on Secure and Trust Computing, data management, and Applications (STA 2011) • A Framework for Detecting Malformed SMS Attack

  2. Outline • Introduction • Malformed message detection framework • Evaluation and experimental results • Conclusion

  3. Introduction • Malformed message detection framework • Evaluation and experimental results • Conclusion

  4. SMS Deliver Process • BSC: Base Station Controller • IWMSC: Interworking MSC • GMSC: Gateway MSC • MSC: Mobile Switch Center • [Diagram labels: SMS_SUBMIT, SMS_DELIVER]

  5. Short Message Service (SMS) • Messages sent to and from a mobile phone are first sent to an intermediate component called the Short Message Service Center (SMSC) • The SMS message exists in 2 formats • SMS_SUBMIT: mobile phone to SMSC • SMS_DELIVER: SMSC to mobile phone

  6. GSM Modem • The SMS received on a mobile phone is handled through the GSM modem • Provides an interface with the GSM network and the application processor of a smart phone • Controlled through standardized AT commands • [Diagram: Apps, Telephony Stack (responsible for the communication between application processor and the modem); AT commands / AT Result Codes; Modem (responsible for cellular communications)]

  7. Example: SMS_DELIVER • First line: AT Result Code + the length of the SMS • Second line: complete SMS string in hex

  8. Malformed SMS attack • Cause the application processor to reach an undefined state • Significant processing delays • Unauthorized access • Denying legitimate users access • … • However, malformed message detection in mobile phones has received little attention • [Diagram: Apps, Telephony Stack, Modem]

  9. In this Paper… • A malformed message detection framework was proposed • Automatically extracts novel syntactical features to detect a malformed SMS at the access layer of mobile phones

  10. Introduction • Malformed message detection framework • Evaluation and experimental results • Conclusion

  11. Common Idea • Anomalies are deviations from a learnt normal model [Patrick Düssel, et al.] • Learning → Normal model → Anomaly detection • Supported by our pilot studies • The distance values of malformed messages are normally greater than those of benign messages

  12. SMS Detection Framework • Message Analyzer → Feature Extraction → Feature Selection → Classification

  13. Message Analyzer • Message dissection • Transform incoming SMS messages into a format from which we can extract intelligent features • Extracts the complete SMS message string, i.e. the second line of the AT Result Code

  14. Extraction of String Features • Mine features from an incoming SMS message • Exploit the properties of a suffix tree • Use a set of attribute strings to model the content of the incoming message • Entrenching function: extracts the (attribute, value) pair from the suffix tree • attribute: a feature string a • value: the frequency of a from the nodes of the suffix tree • Example

  15. Raw Model Vectors • For the purpose of training, we prepared a training data set 𝛫: • Set of messages used for training, 𝛫 = {m1, …, mk} • After each mi passes through the entrenching function, we have our raw model

  16. Feature Selection • The high dimensionality of the raw model will result in large processing overheads • Remove redundant features having low classification potential • Not at the cost of a high false alarm rate

  17. Selection Techniques • Use 3 selection mechanisms to obtain 3 distinct model sets of attributes • Information Gain (IG) • Gain Ratio (GR) • Chi Squared (CH)

  18. Distance/Divergence • For a given vector of pairs, compute the deviation (message score, distance) of the vector • Use 2 well-known distance measures to obtain the score • Manhattan distance (md) • Itakura-Saito Divergence (isd)

  19. Classification • Threshold value: the largest distance score of a message in the training model • Raise an alarm if the distance score of an incoming SMS is greater than the threshold value

  20. Review • Training is only required in the beginning • [Diagram labels: threshold, message score]

  21. Introduction • Malformed message detection framework • Evaluation and experimental results • Conclusion

  22. Evaluation • Collect a real-world dataset of SMS messages • ≥ 5000 benign datasets • Developed a modem terminal interface to collect more than 5000 real-world benign SMS datasets • ≥ 5000 malformed datasets • SMS injection framework (Mulliner, C., et al., 2009)

  23. Experimental Goal • To select the best feature selection technique and distance measure • 3 feature selection modules • Information Gain (IG) • Gain Ratio (GR) • Chi-squared (CH) • 2 distance measures • Manhattan distance (md) • Itakura-Saito Divergence (isd)

  24. Parameters and Definitions • Used 4 parameters to define the detection accuracy and the false alarm rate • True Positive (TP), False Positive (FP), False Negative (FN), True Negative (TN) • Detection Rate • False Alarm Rate

  25. Results: Receiver Operating Characteristic Curves • [Figure: ROC using Manhattan Distance] • [Figure: ROC using Itakura-Saito Divergence]

  26. Results: Overheads • Training and threshold calculation overheads in (ms/100 SMS) • Testing overheads in (ms/1 SMS) using Information Gain, Gain Ratio and Chi-squared for Manhattan distance and Itakura-Saito Divergence • [Table annotation: Provides the best performance] • Average training time = 3.5 s/100 SMS • Average detection time of a malformed message = 10 ms

  27. Introduction • Malformed message detection framework • Evaluation and experimental results • Conclusion

  28. Conclusion • A real-time malformed message detection framework • Tested on real datasets of SMS messages • Successfully detects malformed messages with a detection accuracy of more than 98% • Future research will focus on further optimizing the framework and deploying it on real-world mobile devices and smart phones

  29. Q & A

  30. Example of a Suffix Tree • Extract feature strings from an incoming message m = 0110223 • The set of attribute strings is thus generated

  31. Example of Entrenching Function • Message m = 0110223 • Set of attributes: {3, 0, 1, 2, 23, 223, 110223, 10223, 0223, 0110223} • Vector of pairs = (3, 1), (0, 2), (1, 2), (2, 2), (23, 1), (223, 1)…

  32. The RIL in the context of Android's Telephony system architecture [ref]

  33. Modules that implement telephony functionality
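
The entrenching function (slides 14 and 31) and the threshold classifier (slides 18 and 19), written out as an added Python example; it is not code from the presentation or its authors. Assumptions: naive substring enumeration stands in for a real suffix tree, the normal model is the mean attribute frequency over the training set, the feature selection step is skipped, and the sample strings are constructed.

```python
from collections import Counter

def entrench(m):
    """Entrenching function: {attribute: frequency} for every suffix-tree node
    label of m, found by naive substring enumeration (no tree is built)."""
    n, counts, followers = len(m), Counter(), {}
    for i in range(n):
        for j in range(i + 1, n + 1):
            s = m[i:j]
            counts[s] += 1                      # overlapping occurrences of s
            followers.setdefault(s, set()).add(m[j] if j < n else "$")
    # s labels a node if it is a suffix (leaf) or is followed by two or more
    # distinct characters (branching internal node).
    return {s: counts[s] for s, nxt in followers.items()
            if "$" in nxt or len(nxt) > 1}

def manhattan(vec, model):
    """Manhattan distance over the union of attributes; missing ones count 0."""
    return sum(abs(vec.get(a, 0) - model.get(a, 0)) for a in set(vec) | set(model))

def train(benign):
    """Assumed normal model: mean frequency of each attribute over the training
    set. Threshold: largest distance score of any training message."""
    vectors = [entrench(m) for m in benign]
    total = Counter()
    for v in vectors:
        total.update(v)
    model = {a: c / len(vectors) for a, c in total.items()}
    return model, max(manhattan(v, model) for v in vectors)

def is_malformed(m, model, threshold):
    """Raise an alarm when the message score exceeds the threshold."""
    return manhattan(entrench(m), model) > threshold

# Constructed sample strings (not real PDUs), hex alphabet only.
BENIGN = ["0791448720003023", "0791448720900253", "0791448720003032",
          "0791447758100650"]
OUT_OF_PROFILE = "F" * 40

if __name__ == "__main__":
    print(entrench("0110223"))                  # the slide 31 message
    model, threshold = train(BENIGN)
    for msg in BENIGN + [OUT_OF_PROFILE]:
        print(msg, manhattan(entrench(msg), model), is_malformed(msg, model, threshold))
```

Because the threshold is the maximum training score, no training message can raise an alarm; the false alarm rate on unseen benign traffic depends on how representative the training set is.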
