1. INTRODUCTION

The SS7 network is one of the three supporting networks of modern communications. SS7 is an internationalized, standardized common channel signaling system, and the SS7 network is an important support of the telecommunication network. It was designed with a focus on reliability and efficiency, with a high degree of trust between communicating entities and no encryption or defense against attacks. If the network is highly closed, the possibility of it being attacked is very small. However, as networks have developed, the SS7 network is no longer completely closed, and its vulnerabilities are increasingly exposed. There is no authentication mechanism between elements, and any element connected to the network can send messages to other elements around the world that have roaming relationships with it. Some countries have lax supervision of access to the network, so attackers can easily enter it, which greatly reduces the security of the network and lowers the threshold for attack.

This paper first analyzes the security threats to the SS7 network, then extracts the characteristics of attacks such as location tracking, interception of calls and interception of SMS. On the basis of feature extraction, threat modeling is carried out to extract threat detection rules. Finally, the threat detection model is applied to the experimental network.

2. THE THREATS OF SS7 NETWORK

At present, call and SMS services run on second-generation mobile communication protocols. Non-Internet services such as voice and SMS enter the network and run on the SS7 network. Subscribers can use the service exchange of SS7 to complete communication between GSM networks and other communication networks, and to manage subscriber data and the mobility database.
The SS7 elements and identifiers involved in this paper include the Mobile Switch Center (MSC), Visitor Location Register (VLR), Home Location Register (HLR) and Short Message Center (SMSC), as well as the International Mobile Subscriber Identity (IMSI), Mobile Station International ISDN number (MSISDN), Global Title (GT), etc. The architecture of the international SS7 network is shown in Figure 1.

The SS7 network mainly faces potential threats such as subscriber location tracking, interception of calls and interception of SMS, as shown in Figure 2. This chapter analyzes these threats from the aspects of protocol defects and element vulnerabilities. Location tracking mainly involves messages such as SRI, PRN, SRIFSM, ATI and PSI. Call interception mainly involves ISD and IDP messages. SMS interception mainly involves UL and SRIFSM messages. The parameters in each message involve IMSI, MSISDN, MSC, LAC and CI (Table 1).

Table 1. Analysis of the SS7 network threats.

3. THREATS DETECTION MODELLING

The threats to the SS7 network are mainly based on the SS7 protocol characteristics relating to subscribers' home and roaming locations. In this chapter, the attacker's methods and technical principles are analysed, and the threat characteristics extracted from the data are used to form a threat detection model. Some concepts need to be defined for the threat modeling in this chapter, as shown in Table 2:

Table 2. Definition.

3.1 Location tracking

The main cause of location tracking is that the attacker sends illegal messages containing the MSISDN or IMSI to obtain the cell ID of the subscriber. Based on the cell ID, the attacker can track a subscriber with accuracy down to street level. The analysis of the attack is shown in Figures 3 and 4. According to the message flow of location tracking, the relevant characteristics and detection rules are extracted as shown in Table 3:

Table 3. Characteristics and detection rules of location tracking.

3.2 Interception of calls

The main principle of call interception is that the attacker impersonates the HLR to send ISD messages to the subscriber and inserts a fake gsmSCF address. When the subscriber initiates a call to the peer subscriber, the subscriber registers the calling party service and sends an IDP message to the fake gsmSCF to ask how the call should be handled. After receiving the IDP message, the fake gsmSCF changes the called number to that of an element under the attacker's control, and the attacker records the content of the call as an intermediary. The analysis of the attack is shown in Figure 5. According to the message flow of the interception of calls, the relevant characteristics and detection rules are extracted as shown in Table 4:

Table 4. Characteristics and detection rules of location tracking.

3.3 Interception of SMS

The MAP updateLocation message is used to inform the HLR that the subscriber has moved to a new MSC area, and the interception of SMS works by using a false updateLocation message. Because the SMSC sends an SRIFSM to the HLR, which returns the attacker's fake MSC, any SMS sent to the subscriber will be intercepted by the fake MSC. The attacker now controls the message and can store it, change it, and possibly forward it to the original subscriber [8]. The specific attack flow analysis is shown in Figure 6. According to the principle of SMS interception, the relevant characteristics and detection rules are extracted as shown in Table 5:

Table 5. Characteristics and detection rules of SMS interception.
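
The checks described in Sections 3.1 to 3.3, written as rules over parsed MAP records. This is an added example, not the paper's own detection model; the rule logic is inferred from the attack descriptions above. The record fields, the GT prefixes, the 10-minute updateLocation window and all sample values are assumptions constructed for illustration.

```python
from dataclasses import dataclass

@dataclass
class MapMsg:
    ts: int           # capture time in seconds
    op: str           # MAP operation: SRIFSM, PSI, ATI, ISD or UL
    src_gt: str       # Global Title of the sending element
    imsi: str         # subscriber the message concerns
    gsmscf: str = ""  # gsmSCF address carried by an ISD, if any

HOME_GT = "8613"  # assumed GT prefix of the subscriber's home operator (constructed)
UL_WINDOW = 600   # assumed: a UL from another network within 10 min is implausible

def detect(msgs):
    alerts, asked, last_ul = [], set(), {}
    for m in sorted(msgs, key=lambda x: x.ts):
        foreign = not m.src_gt.startswith(HOME_GT)
        if m.op == "SRIFSM" and foreign:
            asked.add((m.src_gt, m.imsi))  # normal on its own; kept for correlation
        elif m.op in ("PSI", "ATI") and foreign:
            # 3.1: location queries should originate in the home network only
            chain = "SRIFSM+" if (m.src_gt, m.imsi) in asked else ""
            alerts.append(("location_tracking", m.src_gt, m.imsi, chain + m.op))
        elif m.op == "ISD" and m.gsmscf and (foreign or not m.gsmscf.startswith(HOME_GT)):
            # 3.2: ISD not from the home HLR, or inserting an outside gsmSCF
            alerts.append(("call_interception", m.src_gt, m.imsi, m.gsmscf))
        elif m.op == "UL":
            prev = last_ul.get(m.imsi)
            # 3.3: a second registration from another network too soon
            # (assumption: the first four GT digits identify the operator)
            if prev and prev.src_gt[:4] != m.src_gt[:4] and m.ts - prev.ts < UL_WINDOW:
                alerts.append(("sms_interception", m.src_gt, m.imsi, prev.src_gt))
            else:
                last_ul[m.imsi] = m  # accept as the subscriber's current location
    return alerts

IMSI, ATTACKER = "460001234567890", "3165000001"  # constructed values
SAMPLE = [  # constructed records, not captured traffic
    MapMsg(0, "UL", "6391700001", IMSI),       # subscriber registers while roaming
    MapMsg(30, "SRIFSM", "6391700002", IMSI),  # ordinary SMS routing query
    MapMsg(60, "SRIFSM", ATTACKER, IMSI),
    MapMsg(65, "PSI", ATTACKER, IMSI),
    MapMsg(120, "ISD", ATTACKER, IMSI, gsmscf=ATTACKER),
    MapMsg(200, "UL", ATTACKER, IMSI),
    MapMsg(300, "ISD", "8613900001", IMSI, gsmscf="8613900009"),  # home HLR
]

if __name__ == "__main__":
    print(*detect(SAMPLE), sep="\n")
```

A flagged updateLocation is not stored as the subscriber's last known location, so a later genuine registration from the visited network is not reported as a second attack.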

4.1 The experimental network

Mobile operators must recognize the fact that SS7 is no longer secure. The SS7 network threat detection model needs to be applied as soon as possible. Because SS7 data involves subscriber privacy, the data used in the test was modified from real network data and simulated as communication among operators A, B and C. Each operator represents a network connected to the international SS7 network; the network architecture and the information of the elements are shown in Figure 7.

The simulated attack data are generated on the experimental network. All the simulated data are derived from real data and conform to the MAP message specification. In addition to simulating normal data, we also simulated attack data initiated by an element of operator C, of five main types: (1) an SRIFSM message is used to obtain the subscriber's IMSI and MSC information; (2) a PSI message is used to obtain the subscriber's location information; (3) an ATI message is used to obtain the subscriber's location information; (4) UL messages are used to intercept SMS; (5) ISD and IDP messages are used to intercept calls. MSISDN and IMSI are used to uniquely represent subscribers in these data.

To test the capability of the threat detection model in an SS7 network, we define Person A as belonging to Chinese operator A and roaming on Philippine operator B. To facilitate mobility management, mobile operators need to track the location information of mobile terminals at all times. When Person A moves to a new location while powered on, the terminal reports its MSC to the HLR through an updateLocation message.

4.2 Threat detection application

To detect abnormal data on the network, Tshark is used to collect and parse the original traffic. After the data is preprocessed, it is imported to HDFS and loaded into the Hive warehouse.
Then the abnormal attack behavior is extracted by loading the threat detection model, and the threat alarm information is formed. The detection process is shown in Figure 8.

By applying the threat detection model to the original SS7 traffic, we can extract some abnormal structured messages, as shown in Figures 9-11, and the attack traffic is visualized on the map, as shown in Figure 12.

In the location tracking data, we can find that the attacker (GT:3165123452) sends an SRIFSM message to the subscriber to obtain the IMSI of the subscriber, and then sends a PSI message to the subscriber, imitating the HLR, to obtain the cell-level location of the subscriber.

In the call interception data, we can find that the attacker (GT:3165123452) sends an ISD message to the subscriber to insert a fake gsmSCF address (GT:3165123452). When the subscriber initiates a call, the MSC asks the gsmSCF for the real phone number of the called subscriber. The fake gsmSCF rewrites the number to 3165123452, which is under the control of the attacker. Both subscribers can talk to each other, while the attacker records the conversation.

In the SMS interception data, we can find that the attacker (GT:3165123452) sends a false updateLocation message to the HLR after the subscriber initiates an updateLocation message in the roaming place, telling the HLR that the subscriber has moved to the current MSC (GT:3165123452); all of the SMS messages sent to the subscriber will then be routed to the attacker.

5. CONCLUSION

In this paper we have described some of the current threats to the SS7 network, built threat analysis and detection models for location tracking, interception of calls, interception of SMS, etc., and extracted threat features to form threat detection rules. Based on the simulated network, we generated normal traffic and attack traffic, and applied the threat detection models.
These models can also be applied to the real SS7 network to reduce the threats to the SS7 network. In future work, we will apply machine learning and other knowledge to further discover unknown threats in the SS7 network.

REFERENCES

[1] Tobias, E., “Locating mobile phones using signalling system #7,” 25th Chaos Communication Congress, 25C3, 7 (2008).
[2] Eustratios, M., Attacks on SS7, University of Piraeus, chapter 2, 29 (2019).
[3] Ullah, K., Rashid, I., Afzal, H., Iqbal, W., Bangash, Y. A. and Abbas, H., “SS7 vulnerabilities—A survey & implementation of machine learning vs rule based filtering for detection of SS7 network attacks,” IEEE Communications Surveys & Tutorials, 15 (2020).
[4] Division, “Study paper on SS7 security,” Telecommunication Engineering Centre (2019).
[5] Tobias, E., “SS7: Locate. Track. Manipulate,” 31st Chaos Communication Congress, 31C3, 32–37 (2014).
[6] Sergey, P., “Stealthy SS7 attacks,” Positive Technologies, 46–47 (2017).
[7] Kristoffer, J., Improving SS7 Security Using Machine Learning Techniques, Norwegian University of Science and Technology, chapter 4, 27–28 (2016).
[8] Poornima, P. and Subrata, A., in IEEE International Conference on Advanced Networks and Telecommunications Systems, 3 (2018).