WO2025122085A1 - A system for detection of signaling anomalies in lte roaming - Google Patents

Info

Publication number
WO2025122085A1
Authority
WO
WIPO (PCT)
Prior art keywords
data
server
database
electronic device
messages
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Pending
Application number
PCT/TR2023/051837
Other languages
French (fr)
Inventor
Bahri ERTEN
Mert DEVA
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Turkcell Teknoloji Arastirma Ve Gelistirme AS
Original Assignee
Turkcell Teknoloji Arastirma Ve Gelistirme AS
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Priority claimed from TR2023/016558 (TR2023016558A2)
Application filed by Turkcell Teknoloji Arastirma Ve Gelistirme AS
Publication of WO2025122085A1
Legal status: Pending (current)
Anticipated expiration

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04W WIRELESS COMMUNICATION NETWORKS
    • H04W 12/00 Security arrangements; Authentication; Protecting privacy or anonymity
    • H04W 12/06 Authentication
    • H04W 12/065 Continuous authentication
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04W WIRELESS COMMUNICATION NETWORKS
    • H04W 12/00 Security arrangements; Authentication; Protecting privacy or anonymity
    • H04W 12/12 Detection or prevention of fraud
    • H04W 12/121 Wireless intrusion detection systems [WIDS]; Wireless intrusion prevention systems [WIPS]
    • H04W 12/122 Counter-measures against attacks; Protection against rogue devices
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04W WIRELESS COMMUNICATION NETWORKS
    • H04W 12/00 Security arrangements; Authentication; Protecting privacy or anonymity
    • H04W 12/60 Context-dependent security
    • H04W 12/63 Location-dependent; Proximity-dependent

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Mobile Radio Communication Systems (AREA)

Abstract

The present invention relates to a system (1) for sequentially controlling the authentication information requests and location verification information requests received, in order to prevent possible attack and/or fraud transactions, by monitoring the sequence in which authentication and location verification messages are sent and received while performing LTE roaming.

Description

A SYSTEM FOR DETECTION OF SIGNALING ANOMALIES IN LTE ROAMING
Technical Field
The present invention relates to a system for sequentially controlling the authentication information requests and location verification information requests received, in order to prevent possible attack and/or fraud transactions, by monitoring the sequence in which authentication and location verification messages are sent and received while performing LTE roaming.
Background of the Invention
In LTE roaming signaling, an AIR (Authentication Information Request) message is used for subscriber authentication and a ULR (Update Location Request) message is used to inform the HSS of the MME (Mobility Management Entity) where the subscriber is registered. The AIR and ULR messages must be sent for the subscriber in that order: the AIR first, then the ULR.
In the state of the art, the firewalls used on the S6a interface do not check the sequence of AIR and ULR messages sent for the subscriber. As a result, an attacker can send ULR messages directly to change the subscriber's location or to perform a denial of service (DoS) attack on the subscriber. Without AIR-ULR sequence control in firewalls, attacks such as denial of service attacks and fake location update attacks may also succeed.
Therefore, there is a need for a system which prevents possible attacks and fraud by monitoring the sequence of AIR and ULR messages sent for the subscriber on the S6a interface, based on the requirement that an AIR must first be received for the subscriber and only then a ULR from the same MME.
The Chinese patent document no. CN106304064, an application included in the state of the art, discloses a roaming method. In the roaming method, an authentication information request instruction sent from mobile terminals included in a server and a roaming network is received at first. The authentication information request instruction received includes the current location information of the mobile terminal. It is ensured that an authentication request is created by means of an authentication terminal previously associated with the location information. Through the authentication request created, it is ensured that the previously set instructions are received and saved to the current network at the current location. The control instruction sends the authentication information and the identity information obtained to the roaming server and transmits it to the mobile terminal. According to the authentication information, the mobile terminal uses the network by registering to the pre-set current network. In the said invention, it is ensured that connection is realized between the roaming server and the mobile terminal.
Summary of the Invention
An objective of the present invention is to realize a system for sequentially controlling the authentication information requests and location verification information requests received, in order to prevent possible attack and/or fraud transactions, by monitoring the sequence in which authentication and location verification messages are sent and received while performing LTE roaming.
Detailed Description of the Invention
“A System for Detection of Signaling Anomalies in LTE Roaming” realized to fulfil the objective of the present invention is shown in the figure attached, in which: Figure 1 is a schematic view of the inventive system.
The components illustrated in the figure are individually numbered, where the numbers refer to the following:
1. System
2. Electronic device
3. Database
4. Server
The inventive system (1) for sequentially controlling the authentication information requests and location verification information requests received, in order to prevent possible attack and/or fraud transactions, by monitoring the sequence in which authentication and location verification messages are sent and received while performing LTE roaming, comprises: at least one electronic device (2) which can establish communication with remote servers using any remote communication protocol; at least one database (3) wherein the data of the authentication information requests and location authentication information requests generated while the electronic device (2) receives communication services are kept on record; and at least one server (4) which is in communication with the database (3), compares the username AVP (Attribute Value Pair) data contained in a received ULR with the AIR data previously recorded in the database (3), and blocks the message if the comparison does not result in a match.
The electronic device (2) included in the inventive system (1) is a device such as smartphone, tablet computer or portable computer that is used to perform data monitoring regarding the communication services received by subscribers and has a key or touch screen for allowing data entry. The said electronic device (2) is configured to establish connection with the server (4) by using any remote communication protocol included in the state of the art and to realize data exchange with the server (4) over this connection established. In one preferred embodiment of the invention, the electronic device (2) is configured to exchange data with the server (4) by using Internet as a databus.
The database (3) included in the inventive system (1) is in communication with the server (4) and configured to be managed by the server (4). In one preferred embodiment of the invention, the database (3) is configured to keep record of the data of authentication information request (AIR) and update location request (ULR) generated via the mobility management entity (MME) while the electronic device (2) receives communication service, as well as the information on the arrival sequence of these data, therein.
The server (4) included in the inventive system (1) is configured to establish communication with the electronic device (2) by using any remote communication protocol and to exchange data with the electronic device (2) through this communication established.
The server (4) is configured to ensure that the subscriber, who is a user of the electronic device (2), and the MME information sent for the subscriber are kept in the database (3) via the SCFW (Sequence Control Firewall), since the messages sent for the same subscriber do not always arrive at the same SCFW machine. The server (4) is configured to store, in the database (3), the IMSI (International Mobile Subscriber Identity) carried in the username AVP (Attribute Value Pair) and the MME information carried in the Origin-Host AVP of the incoming AIR message. The server (4) is configured to receive the IMSI in the username AVP and the MME in the Origin-Host AVP of the incoming ULR message and to check whether these data are present in the database (3). The server (4) is configured to block the message if the check yields no match.
The server (4) is configured to receive PUR (Purge UE Request) and CLR (Cancel Location Request) messages on the S6a interface at the SCFW machines. The server (4) is configured to delete the IMSI data included in a received PUR message if it is registered in the database (3) with the Origin-Host of that message, since the subscriber has left the place of registration. The server (4) is configured to delete the data from the database (3) if the IMSI included in a received CLR message is registered in the database (3) with the Destination-Host of that message, since the subscriber has left the place where s/he was registered. Thus the subscriber is no longer kept in the database (3), and the database (3) is prevented from becoming overcrowded.
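As an added illustration of the server (4) logic described above (this is example code written for this page, not code from the patent or from Turkcell), the following Python models the AIR, ULR, PUR and CLR handling with a shared in-memory set standing in for the database (3) and two SCFW instances sharing it, which is the point made about messages for one subscriber landing on different SCFW machines. The message field names (`cmd`, `user_name`, `origin_host`, `destination_host`), the host names and the IMSI are constructed for the example; real Diameter AVPs are binary-encoded, not attributes of a Python object.

```python
"""Sequence Control Firewall (SCFW) check for AIR/ULR ordering on S6a.

Added example, not the patent's or Turkcell's code. The Diameter User-Name
AVP carries the IMSI and Origin-Host identifies the sending MME; the field
names on the Msg class below are assumptions made for this illustration.
"""
from dataclasses import dataclass, field
from typing import List, Set, Tuple


@dataclass
class Msg:
    cmd: str                    # "AIR", "ULR", "PUR" or "CLR"
    user_name: str              # User-Name AVP: the subscriber's IMSI
    origin_host: str            # Origin-Host AVP: sender (the MME for AIR/ULR/PUR)
    destination_host: str = ""  # Destination-Host AVP: the MME for an HSS-sent CLR


@dataclass
class SequenceControlFirewall:
    # (IMSI, MME host) pairs for which an AIR has been seen. Stands in for the
    # database (3); every SCFW machine must share the same store.
    registered: Set[Tuple[str, str]] = field(default_factory=set)

    def handle(self, msg: Msg) -> str:
        """Return "ALLOW" or "BLOCK" for one S6a message and update state."""
        key = (msg.user_name, msg.origin_host)
        if msg.cmd == "AIR":
            # Authentication seen from this MME: remember subscriber + MME.
            self.registered.add(key)
            return "ALLOW"
        if msg.cmd == "ULR":
            # A location update is only legitimate if the same MME already
            # authenticated this subscriber; otherwise it is out of sequence.
            return "ALLOW" if key in self.registered else "BLOCK"
        if msg.cmd == "PUR":
            # The MME in Origin-Host purged the subscriber: drop the record.
            self.registered.discard(key)
            return "ALLOW"
        if msg.cmd == "CLR":
            # CLR flows HSS -> MME, so the MME being cancelled is Destination-Host.
            self.registered.discard((msg.user_name, msg.destination_host))
            return "ALLOW"
        return "ALLOW"  # other S6a commands are outside this check (assumption)


def demo() -> List[str]:
    """Run a constructed message trace through two SCFWs sharing one store."""
    shared: Set[Tuple[str, str]] = set()   # the shared database (3)
    scfw_a = SequenceControlFirewall(shared)
    scfw_b = SequenceControlFirewall(shared)
    imsi = "286010000000001"               # constructed sample IMSI
    mme1, mme2 = "mme1.visited.example", "mme2.visited.example"
    hss = "hss.home.example"
    steps = [
        (scfw_a, Msg("ULR", imsi, mme1)),                        # no AIR yet -> BLOCK
        (scfw_a, Msg("AIR", imsi, mme1)),                        # record (imsi, mme1)
        (scfw_b, Msg("ULR", imsi, mme1)),                        # other SCFW, shared DB -> ALLOW
        (scfw_b, Msg("ULR", imsi, mme2)),                        # different MME -> BLOCK
        (scfw_a, Msg("CLR", imsi, hss, destination_host=mme1)),  # HSS cancels mme1 record
        (scfw_a, Msg("ULR", imsi, mme1)),                        # record gone -> BLOCK
        (scfw_b, Msg("AIR", imsi, mme2)),                        # record (imsi, mme2)
        (scfw_b, Msg("PUR", imsi, mme2)),                        # MME purges subscriber
        (scfw_a, Msg("ULR", imsi, mme2)),                        # record gone -> BLOCK
    ]
    return [fw.handle(m) for fw, m in steps]


if __name__ == "__main__":
    for verdict in demo():
        print(verdict)
```

The trace shows the two failure modes the description targets: a ULR with no preceding AIR, and a ULR from an MME other than the one that authenticated the subscriber, both of which are blocked, while PUR and CLR clear the record so a later ULR for that MME must again be preceded by a fresh AIR. A production SCFW would key the shared store in a real database with a time-to-live on each record, since an AIR that is never followed by a ULR would otherwise be retained indefinitely.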
Industrial Applicability of the Invention
With the inventive system (1), possible attacks and fraud are prevented by monitoring the sequence of AIR and ULR messages sent for the subscriber on the S6a interface, based on the requirement that an AIR must first be received for the subscriber and only then a ULR from the same MME.
Within the scope of these basic concepts, various embodiments of the inventive “System (1) for Detection of Signaling Anomalies in LTE Roaming” can be developed; the invention is not limited to the examples disclosed herein and is essentially defined by the claims.

Claims

1. A system (1) for sequentially controlling the authentication information requests and location verification information requests received, in order to prevent possible attack and/or fraud transactions, by monitoring the sequence in which authentication and location verification messages are sent and received while performing LTE roaming; characterized in that it comprises at least one electronic device (2) which can establish communication with remote servers using any remote communication protocol; at least one database (3) wherein the data of the authentication information requests and location authentication information requests generated while the electronic device (2) receives communication services are kept on record; and at least one server (4) which is in communication with the database (3), compares the username AVP (Attribute Value Pair) data contained in a received ULR with the AIR data previously recorded in the database (3), and blocks the message if the comparison does not result in a match.
2. A system (1) according to Claim 1; characterized by the electronic device (2) which is a device such as smartphone, tablet computer or portable computer that is used to perform data monitoring regarding the communication services received by subscribers and has a key or touch screen for allowing data entry.
3. A system (1) according to Claim 1 or 2; characterized by the electronic device (2) which is configured to establish connection with the server (4) by using any remote communication protocol and to realize data exchange with the server (4) over this connection established.
4. A system (1) according to Claim 3; characterized by the electronic device (2) which is configured to exchange data with the server (4) by using Internet as a databus.
5. A system (1) according to any of the preceding claims; characterized by the database (3) which is in communication with the server (4) and configured to be managed by the server (4).
6. A system (1) according to any of the preceding claims; characterized by the database (3) which is configured to keep record of the data of authentication information request and update location request generated via the mobility management entity while the electronic device (2) receives communication service, as well as the information on the arrival sequence of these data, therein.
7. A system (1) according to any of the preceding claims; characterized by the server (4) which is configured to establish communication with the electronic device (2) by using any remote communication protocol and to exchange data with the electronic device (2) through this communication established.
8. A system (1) according to any of the preceding claims; characterized by the server (4) which is configured to ensure that the subscriber -who is a user of electronic device (2)- and the MME information sent by the subscriber are kept in the database (3) via SCFW, since the messages sent for the same subscriber do not always arrive at the same SCFW machine.
9. A system (1) according to any of the preceding claims; characterized by the server (4) which is configured to store the IMSI in the username AVP and the MME information in the Origin-Host AVP in the incoming AIR message in the database (3).
10. A system (1) according to any of the preceding claims; characterized by the server (4) which is configured to receive the IMSI in the username AVP and the MME in the Origin-Host AVP in the incoming ULR message and to check whether these data are included in the database (3).
11. A system (1) according to any of the preceding claims; characterized by the server (4) which is configured to block the message if there is no match as a result of the check and to receive PUR and CLR messages on the S6a interface to SCFW machines.
12. A system (1) according to any of the preceding claims; characterized by the server (4) which is configured to delete the IMSI data included in the received messages, if they are registered in the database (3) with the Origin-Host in the PUR message, since the incoming subscriber in these messages has left the place of registration.
13. A system (1) according to any of the preceding claims; characterized by the server (4) which is configured to delete the data from the database (3) if the IMSI data included in the received messages is registered in the database (3) with the Destination-Host in the CLR message, since the incoming subscriber included in these messages has left the place where s/he was registered.

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
TR2023016558 2023-12-06
TR2023/016558 TR2023016558A2 (en) 2023-12-06 A SYSTEM THAT ENABLES THE DETECTION OF SIGNALING ANOMALIES IN LTE ROAMING

Publications (1)

Publication Number Publication Date
WO2025122085A1 true WO2025122085A1 (en) 2025-06-12

Family

ID=95979501

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/TR2023/051837 Pending WO2025122085A1 (en) 2023-12-06 2023-12-29 A system for detection of signaling anomalies in lte roaming

Country Status (1)

Country Link
WO (1) WO2025122085A1 (en)

Citations (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
WO2011047382A2 (en) * 2009-10-16 2011-04-21 Tekelec Methods, systems, and computer readable media for providing diameter signaling router with integrated monitoring and/or firewall functionality
US20190044932A1 (en) * 2017-08-01 2019-02-07 Oracle International Corporation Methods, systems, and computer readable media for mobility management entity (mme) authentication for outbound roaming subscribers using diameter edge agent (dea)
KR102380259B1 (en) * 2020-11-20 2022-03-30 주식회사 윈스 Diameter attack detection method and apparatus for stealing user location information in mobile core network

Similar Documents

Publication Publication Date Title
EP4183154B1 (en) Methods, systems, and computer readable media for mitigating 5g roaming security attacks using security edge protection proxy (sepp)
EP4218168B1 (en) Methods, systems, and computer readable media for mitigating 5g roaming spoofing attacks
US11818570B2 (en) Methods, systems, and computer readable media for message validation in fifth generation (5G) communications networks
EP3662630B1 (en) Methods, systems, and computer readable media for mobility management entity (mme) authentication for outbound roaming subscribers using diameter edge agent (dea)
KR101262405B1 (en) Method, system and apparatus for providing security in an unlicensed mobile access network or a generic access network
US20200153830A1 (en) Network authentication method, related device, and system
CN116325658A (en) Method, system and computer readable medium for 5G user equipment (UE) historical mobility tracking and security screening using mobility patterns
US12015923B2 (en) Methods, systems, and computer readable media for mitigating effects of access token misuse
WO2021138072A1 (en) Methods, systems, and computer readable media for implementing indirect general packet radio service (gprs) tunneling protocol (gtp) firewall filtering using diameter agent and signal transfer point (stp)
CN110754101B (en) Methods, systems, and computer-readable storage media for protecting subscriber information associated with user equipment
US20070186000A1 (en) Secure traffic redirection in a mobile communication system
US9215594B2 (en) Subscriber data management
US20240163271A1 (en) Methods, systems, and computer readable media for detecting stolen access tokens
CN112423299A (en) Method and system for wireless access based on identity authentication
WO2022100889A1 (en) Content filtering support for protocols with encrypted domain name server
WO2025122085A1 (en) A system for detection of signaling anomalies in lte roaming
US8428553B2 (en) Method and apparatus for protecting a core network
US20240147238A1 (en) Diameter spoofing detection and post-spoofing attack prevention
KR100510669B1 (en) Method of Establishing a Destination Call in a Packet Radio Service Network and System for the same
TR2023016558A2 (en) A SYSTEM THAT ENABLES THE DETECTION OF SIGNALING ANOMALIES IN LTE ROAMING
CN119814355A (en) Network communication method, device, equipment and medium based on zero trust system
CN112312389A (en) Communication information transmission method, device, storage medium, and electronic device

Legal Events

Date Code Title Description
121 EP: The EPO has been informed by WIPO that EP was designated in this application
Ref document number: 23960984; Country of ref document: EP; Kind code of ref document: A1