A high-level overview of various aspects of the present technology is provided in this section to introduce a selection of concepts that are further described below in the detailed description section of this disclosure. This summary is not intended to identify key or essential features of the claimed subject matter, nor is it intended to be used as an aid in isolation to determine the scope of the claimed subject matter.
In aspects set forth herein, systems and methods are provided for mitigating exploitation of user equipment (UE). More particularly, in aspects set forth herein, systems and methods enable detection of unauthorized devices/users (e.g., international mobile subscriber identity (IMSI) catcher devices) used to intercept telecommunications network traffic. These unauthorized devices expose subscriber identifiers, location, and traffic to interception, putting unsuspecting or vulnerable users at risk. Various products are available to aid in the detection of such unauthorized devices, but Mobile Network Operators (MNO) have an urgent need for a solution at the network level to aid in the prevention of these attacks.
Implementations of the present disclosure are described in detail below with reference to the attached drawing figures, wherein:
The subject matter of embodiments of the invention is described with specificity herein to meet statutory requirements. However, the description itself is not intended to limit the scope of this patent. Rather, the inventors have contemplated that the claimed subject matter might be embodied in other ways, to include different steps or combinations of steps similar to the ones described in this document, in conjunction with other present or future technologies. Moreover, although the terms “step” and/or “block” may be used herein to connote different elements of methods employed, the terms should not be interpreted as implying any particular order among or between various steps herein disclosed unless and except when the order of individual steps is explicitly described.
Throughout this disclosure, several acronyms and shorthand notations are employed to aid the understanding of certain concepts pertaining to the associated system and services. These acronyms and shorthand notations are intended to help provide an easy methodology of communicating the ideas expressed herein and are not meant to limit the scope of embodiments described in the present disclosure. The following is a list of these acronyms:
Further, various technical terms are used throughout this description. An illustrative resource that fleshes out various aspects of these terms can be found in Newton's Telecom Dictionary, 32d Edition (2022).
As used herein, the term “node” is used to refer to network access technology for the provision of wireless telecommunication services from a base station to one or more electronic devices, such as an eNodeB, gNodeB, etc.
Embodiments of the present technology may be embodied as, among other things, a method, system, or computer-program product. Accordingly, the embodiments may take the form of a hardware embodiment, or an embodiment combining software and hardware. An embodiment takes the form of a computer-program product that includes computer-useable instructions embodied on one or more computer-readable media.
Computer-readable media include both volatile and nonvolatile media, removable and nonremovable media, and contemplate media readable by a database, a switch, and various other network devices. Network switches, routers, and related components are conventional in nature, as are means of communicating with the same. By way of example, and not limitation, computer-readable media comprise computer-storage media and communications media.
Computer-storage media, or machine-readable media, include media implemented in any method or technology for storing information. Examples of stored information include computer-useable instructions, data structures, program modules, and other data representations. Computer-storage media include, but are not limited to RAM, ROM, EEPROM, flash memory or other memory technology, CD-ROM, digital versatile discs (DVD), holographic media or other optical disc storage, magnetic cassettes, magnetic tape, magnetic disk storage, and other magnetic storage devices. These memory components can store data momentarily, temporarily, or permanently.
Communications media typically store computer-useable instructions—including data structures and program modules—in a modulated data signal. The term “modulated data signal” refers to a propagated signal that has one or more of its characteristics set or changed to encode information in the signal. Communications media include any information-delivery media. By way of example but not limitation, communications media include wired media, such as a wired network or direct-wired connection, and wireless media such as acoustic, infrared, radio, microwave, spread-spectrum, and other wireless media technologies. Combinations of the above are included within the scope of computer-readable media.
By way of background, a traditional telecommunications network employs a plurality of base stations (i.e., cell sites, cell towers) to provide network coverage. The base stations are employed to broadcast and transmit transmissions to user devices of the telecommunications network. An access point may be considered to be a portion of a base station that may comprise an antenna, a radio, and/or a controller.
As employed herein, a UE (also referenced herein as a user device) or wireless communication device (WCD) can include any device employed by an end-user to communicate with a wireless telecommunications network. A UE can include a mobile device, a mobile broadband adapter, or any other communications device employed to communicate with the wireless telecommunications network. A UE, as one of ordinary skill in the art may appreciate, generally includes one or more antennas coupled to a radio for exchanging (e.g., transmitting and receiving) transmissions with a nearby base station.
In conventional cellular communications technology, a 5G telecommunications network comprises a 5G Core Network (5GC) and a gNB. The 5GC architecture, as known to those in the art, relies on a Service-Based Architecture (SBA) framework where the architecture elements are defined in terms of Network Functions (NF) rather than by traditional network entities. Using interfaces of a common framework, any NF can offer its services to other NFs that are permitted to make use of their functions. At times, the network interfaces can experience complete failures, degradations, and the like. This compromises the ability of other NFs to obtain necessary data to establish reliable sessions for UEs.
The present disclosure is directed to mitigating malicious attacks. More particularly, in aspects set forth herein, systems and methods enable detection of unauthorized devices/users (e.g., international mobile subscriber identity (IMSI)-catcher devices) used to intercept telecommunications network traffic. These unauthorized devices expose subscriber identifiers, location, and traffic to interception, putting unsuspecting or vulnerable users at risk. Various products are available to aid in the detection of such unauthorized devices, but Mobile Network Operators (MNO) have an urgent need for a solution at the network level to aid in the prevention of these attacks.
Accordingly, a first aspect of the present disclosure is directed to a system for mitigating malicious attacks. The system comprises one or more processors; and one or more computer-readable media storing computer-usable instructions that, when executed by the one or more processors, cause the one or more processors to: identify a radio frequency (RF) footprint for one or more cell sites, wherein the RF footprint comprises one or more RF footprint metrics; identify a change in at least one RF footprint metric of the one or more RF footprint metrics at a first cell site; based on the change in the at least one RF footprint metric, determine a presence of an unauthorized device; and initiate a dynamic power level adjustment to change a current power level of the first cell site to a power level higher than the current power level.
A second aspect of the present disclosure is directed to a system for mitigating malicious attacks. The system comprises one or more processors; and one or more computer-readable media storing computer-usable instructions that, when executed by the one or more processors, cause the one or more processors to: identify a radio frequency (RF) footprint for one or more cell sites, wherein the RF footprint comprises one or more RF footprint metrics; identify a change in at least one RF footprint metric of the one or more RF footprint metrics at a first cell site compared to a baseline RF footprint for the first cell site; identify a loss of service for a plurality of user devices at the first cell site; based on the change in the at least one RF footprint metric and the loss of service, determine a presence of an unauthorized device; and initiate a dynamic power level adjustment to change a current power level of the first cell site to a power level higher than both the current power level and a power level associated with the unauthorized device.
Another aspect of the present disclosure is directed to a method for mitigating malicious attacks. The method comprises: identifying a radio frequency (RF) footprint for one or more cell sites, wherein the RF footprint comprises one or more RF footprint metrics; identifying a change in at least one RF footprint metric of the one or more RF footprint metrics at a first cell site; based on the change in the at least one RF footprint metric, determining a presence of an unauthorized device; and initiating a dynamic power level adjustment to change a current power level of the first cell site to a power level higher than the current power level.
As background, an international mobile subscriber identity (IMSI) is a number that uniquely identifies every user of a telecommunications network. This unique number is associated with each mobile subscriber. An IMSI-catcher is an eavesdropping device used to intercept mobile network traffic and to track the location of mobile users. The IMSI-catcher acts as a “fake” tower, or man-in-the-middle, between the target user device and a service provider's real tower.
Turning to
A network cell may comprise a base station to facilitate wireless communication between a communications device within the network cell, such as communications device 500 described with respect to
The UE 218 may utilize a network to communicate with other computing devices (e.g., mobile device(s), a server(s), a personal computer(s), etc.). In embodiments, the network is a telecommunications network, or a portion thereof. A telecommunications network might include an array of devices or components, some of which are not shown so as to not obscure more relevant aspects of the invention. Components such as terminals, links, and nodes (as well as other components) may provide connectivity in some embodiments. The network may include multiple networks. The network may be part of a telecommunications network that connects subscribers to their immediate service provider. In embodiments, the network is associated with a telecommunications provider that provides services to user devices, such as UE 218. For example, the network may provide voice services to user devices or corresponding users that are registered or subscribed to utilize the services provided by a telecommunications provider.
The telecommunications network may be accessible to the UE 218 via cell tower 210 (or tower 212 as it relates to UE 222 and UE 224). Cell towers 210 and 212 communicate with a Mobility Management Entity (MME) 214 in the instance of a 4G LTE network. In embodiments, the MME 214 can be replaced with any entity relevant for the respective network (e.g., an Access and Mobility Management Function (AMF) in a 5G Core network). The MME 214 can communicate with data server 216, which may be a database or another network component providing relevant data needed by the MME 214. The data server 216 can provide scheduled outage events, maintenance schedules, and the like to the MME 214 to provide relevant data when reviewing a Radio Frequency (RF) footprint for each cell site/tower. An RF footprint is associated with each cell site in a network, such as cell tower 210 and cell tower 212. The RF footprint provides data related to network metrics and performance for each cell site including, but not limited to, network configuration information, network performance measurements, a number of users/UEs connected to the cell site, signal strength/power level, UE locations, and the like. The RF footprint can change under various conditions including capacity/load, weather, seasonal influences, etc.
As proposed herein, bad actors or unauthorized devices (i.e., IMSI-catchers) can be identified at the telecommunications network level by leveraging network data. In particular, the RF footprint and changes therein can be utilized to identify potential malicious activity and trigger mitigation efforts to initiate. The MME 214 is aware of the RF footprint for each cell tower for broadcast coverage in a specific area. The MME 214 can also identify anticipated changes from data received/obtained/retrieved from the data server 216. For instance, if a scheduled outage is known by the MME 214, an expected change in the RF footprint for a given site should be expected. Additionally, if a known event is occurring, such as a popular rock band concert or major sporting event, changes in the RF footprint can be anticipated.
In embodiments, these known events can be accounted for to avoid false positives. The MME 214 or the particular cell tower can self-calibrate the RF footprint to adjust for known events. For instance, if there is a scheduled outage, the RF footprint can be proactively calibrated to adjust the metrics that would be expected such that the changes in the RF footprint are not confused with malicious activity.
The change in one or more RF footprint metrics can be identified by the MME 214 by comparing the RF footprint to a known baseline footprint for the specific cell site. Exemplary changes that can be monitored include a change in the number of users connected to the cell site, the number of users dropped from the cell site within a given time period of one another, and the like. For example, if a number of users over a predetermined threshold drop from the cell site within a predetermined time period of one another, this may be determined to indicate malicious activity and the presence of an unauthorized device. Similarly, when the number of users connected to the cell site decreases past a predetermined threshold, it may be determined that an unauthorized device is the cause. When a change in at least one RF footprint metric is identified by the MME 214, a presence of an unauthorized device (i.e., IMSI-catcher) is determined. The RF footprint can be continuously monitored or evaluated at predetermined time intervals to monitor the activity of IMSI-catchers.
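The detection procedure described above (baseline comparison, self-calibration for known events, and thresholds on connected-user count and on detach events clustered in time) is sketched below as an added example. This is illustrative code written for this page, not the disclosure's own implementation; the metric names, the thresholds, the `KnownEvent` model and the sample telemetry are all constructed assumptions.

```python
"""Added example: RF-footprint baseline comparison for IMSI-catcher detection.

Illustrative code for this page, not the disclosure's implementation. Metric
names, thresholds and the sample telemetry below are constructed assumptions.
"""
from dataclasses import dataclass, field
from datetime import datetime, timedelta

# Constructed baseline footprint for one cell site (cell tower 210), as the
# MME 214 might hold it: typical connected-UE count and transmit power.
BASELINE_FOOTPRINT = {"connected_ues": 400, "tx_power_dbm": 43.0}

# Thresholds are assumptions chosen for the example, not values from the page.
CONNECTED_DROP_RATIO = 0.30        # flag if connected UEs fall >30% below expected
DROP_EVENT_THRESHOLD = 25          # ... or if >=25 UEs detach within DROP_WINDOW
DROP_WINDOW = timedelta(seconds=60)


@dataclass
class KnownEvent:
    """Scheduled outage or crowd event (from data server 216) that is
    expected to change the footprint."""
    start: datetime
    end: datetime
    expected_connected_factor: float   # 0.0 for an outage, e.g. 3.0 for a concert


@dataclass
class Detection:
    suspicious: bool
    reasons: list = field(default_factory=list)


def calibrate_baseline(baseline, now, known_events):
    """Self-calibrate the baseline for known events so that expected changes
    are not mistaken for malicious activity."""
    adjusted = dict(baseline)
    for ev in known_events:
        if ev.start <= now < ev.end:
            adjusted["connected_ues"] = baseline["connected_ues"] * ev.expected_connected_factor
    return adjusted


def count_recent_drops(drop_times, now, window=DROP_WINDOW):
    """Number of UE detach events within `window` before `now` (inclusive)."""
    return sum(1 for t in drop_times if now - window <= t <= now)


def evaluate_footprint(current, drop_times, now, baseline=BASELINE_FOOTPRINT, known_events=()):
    """Compare the current footprint with the calibrated baseline and decide
    whether the change indicates an unauthorized device."""
    expected = calibrate_baseline(baseline, now, known_events)
    result = Detection(suspicious=False)

    # A scheduled outage explains the whole change; nothing to flag.
    if expected["connected_ues"] == 0:
        return result

    floor = expected["connected_ues"] * (1 - CONNECTED_DROP_RATIO)
    if current["connected_ues"] < floor:
        result.reasons.append(
            f"connected UEs {current['connected_ues']} below expected floor {floor:.0f}")

    drops = count_recent_drops(drop_times, now)
    if drops >= DROP_EVENT_THRESHOLD:
        result.reasons.append(f"{drops} UEs detached within {DROP_WINDOW.seconds}s")

    result.suspicious = bool(result.reasons)
    return result


# --- constructed sample telemetry -------------------------------------------
NOW = datetime(2024, 1, 1, 12, 0, 0)
# 30 detach events in the last 30 seconds: UEs being pulled onto a rogue cell.
MASS_DROP = [NOW - timedelta(seconds=i) for i in range(30)]
# One detach every 20 seconds over ten minutes: ordinary churn.
NORMAL_CHURN = [NOW - timedelta(seconds=20 * i) for i in range(30)]


def demo():
    attack = evaluate_footprint({"connected_ues": 250, "tx_power_dbm": 43.0}, MASS_DROP, NOW)
    normal = evaluate_footprint({"connected_ues": 390, "tx_power_dbm": 43.0}, NORMAL_CHURN, NOW)
    outage = evaluate_footprint(
        {"connected_ues": 0, "tx_power_dbm": 0.0}, MASS_DROP, NOW,
        known_events=[KnownEvent(NOW - timedelta(hours=1), NOW + timedelta(hours=1), 0.0)],
    )
    return attack, normal, outage


if __name__ == "__main__":
    for label, det in zip(("attack", "normal", "outage"), demo()):
        print(label, det.suspicious, det.reasons)
```

The outage case shows why the calibration step matters: the same mass-detach telemetry that is flagged in the attack case is silently accepted once the data server has announced the outage, which is the false-positive suppression the disclosure describes.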
A presence of an IMSI-catcher can also be determined using UE feedback once the UE reconnects to the authentic tower. The UE feedback can include information obtained from the IMSI-catcher while the UE was connected such as the cell site ID, power level information, etc. Thus, when the UE reconnects to the network, the IMSI-catcher's information is known to the network.
IMSI-catchers, or unauthorized devices, generally emit a signal stronger than that of the authentic base station so that UEs in range will prefer to connect to the IMSI-catcher. Because cell selection is driven by measured signal strength and a UE cannot authenticate a base station before it attaches, the UEs camp on the stronger signal unaware that it is not an authentic tower. Legacy 2G/GSM networks provide no mutual authentication at all, and even in LTE and 5G the initial cell-selection and attach signalling is exchanged before any security context exists, so a rogue cell can still interact with a UE before authentication completes, for example to force a downgrade to a weaker radio technology.
Once an IMSI-catcher, or unauthorized device/interceptor, is identified, the MME 214 can initiate a dynamic power level adjustment of the cell site. The MME 214 can leverage MIMO beamforming techniques to adjust/increase the power level of a cell site and target an area associated with the IMSI-catcher. The MME 214 aims to increase the power level such that any UEs that unknowingly connected to the IMSI-catcher will identify the available higher power level and re-connect to the authentic cell tower instead of the IMSI-catcher.
The MME 214 can initiate a power level increase to a power level higher than a current power level for the cell site. The power level increase may also be to a power level higher than a power level of the IMSI-catcher if known from UE feedback. Leveraging MIMO beamforming techniques, an RF beam can be directed at a specific area so that the power increase is tailored to counter the bad actor's efforts. This avoids increasing power for everyone in the broadcast coverage area and limits the power adjustment to a predefined area associated with the IMSI-catcher. In practice, the increase is also bounded by the cell site's licensed and hardware maximum transmit power.
As the MME 214 is continuously monitoring the presence of an IMSI-catcher, the power level adjustment can remain in effect for a predetermined period of time or until the IMSI-catcher is no longer detected on the network (i.e., the change in RF footprint metrics is no longer present, the IMSI-catcher drops from the network, etc.).
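The power-adjustment loop described above (raise the site above its current level and, where UE feedback reported it, above the IMSI-catcher's level; hold the boost while the catcher is detected and for a predetermined period afterwards; then restore) is shown below as an added example. It is illustrative code for this page, not the disclosure's implementation. The site ceiling, step size, margin, hold time, and the centroid-of-dropped-UEs stand-in for beam targeting are assumptions; a real eNodeB/gNodeB exposes power and beam control through its own management interface, which is not modelled here.

```python
"""Added example: dynamic power-level adjustment after an IMSI-catcher detection.

Illustrative code for this page, not the disclosure's implementation. The site
power ceiling, step size, margin and hold time are assumptions.
"""
from dataclasses import dataclass
from typing import Optional, Sequence, Tuple

SITE_MAX_POWER_DBM = 46.0   # assumed licensed/hardware ceiling for the sector
STEP_DBM = 3.0              # assumed increase when the catcher's power is unknown
MARGIN_DBM = 3.0            # assumed margin above a catcher power reported by UEs
HOLD_SECONDS = 300          # assumed hold time after the last detection


@dataclass
class PowerState:
    current_dbm: float
    boosted: bool = False
    baseline_dbm: Optional[float] = None
    last_detected_at: Optional[int] = None   # epoch seconds
    beam_target: Optional[Tuple[float, float]] = None


def target_power(baseline_dbm, catcher_power_dbm=None):
    """Higher than the site's normal level and, if UE feedback reported it,
    higher than the IMSI-catcher's level; never above the site ceiling."""
    target = baseline_dbm + STEP_DBM
    if catcher_power_dbm is not None:
        target = max(target, catcher_power_dbm + MARGIN_DBM)
    return min(target, SITE_MAX_POWER_DBM)


def aim_beam(dropped_ue_locations: Sequence[Tuple[float, float]]):
    """Crude stand-in for beam targeting: centroid of the last known positions
    (from the RF footprint) of the UEs that were dropped."""
    if not dropped_ue_locations:
        return None
    n = len(dropped_ue_locations)
    return (sum(p[0] for p in dropped_ue_locations) / n,
            sum(p[1] for p in dropped_ue_locations) / n)


def update(state, now, catcher_detected, catcher_power_dbm=None, dropped_ue_locations=()):
    """One control cycle of the MME-driven loop.

    While the catcher is detected the boost is (re)applied and the hold timer
    restarted; once it has not been seen for HOLD_SECONDS the site is
    restored to its baseline power and the beam target cleared."""
    if catcher_detected:
        if not state.boosted:
            state.baseline_dbm = state.current_dbm
            state.boosted = True
        state.last_detected_at = now
        state.current_dbm = target_power(state.baseline_dbm, catcher_power_dbm)
        state.beam_target = aim_beam(dropped_ue_locations) or state.beam_target
    elif state.boosted and now - state.last_detected_at >= HOLD_SECONDS:
        state.current_dbm = state.baseline_dbm
        state.boosted = False
        state.last_detected_at = None
        state.beam_target = None
    return state


def demo():
    """Catcher reported at 44 dBm by UE feedback; site normally at 43 dBm."""
    s = PowerState(current_dbm=43.0)
    update(s, now=0, catcher_detected=True, catcher_power_dbm=44.0,
           dropped_ue_locations=[(47.60, -122.33), (47.62, -122.35)])
    after_detect = s.current_dbm            # 47 requested, capped to 46
    update(s, now=100, catcher_detected=False)
    during_hold = s.current_dbm             # still boosted, hold not expired
    update(s, now=400, catcher_detected=False)
    after_hold = s.current_dbm              # restored to baseline
    return after_detect, during_hold, after_hold, s


if __name__ == "__main__":
    print(demo()[:3])
```

Computing the target from the stored baseline rather than from the current level keeps repeated detections from ratcheting the power up on every cycle; the ceiling does the rest.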
Once the IMSI-catcher is known, the MME 214 can create or update an exclusion list including identifying information for the IMSI-catcher (e.g., the cell site ID reported in the UE feedback data). The exclusion list can be communicated to any UE within the MME 214 broadcast coverage area to prevent the UEs from connecting to the IMSI-catcher in the future.
UE feedback data was previously mentioned as providing IMSI-catcher identifying information to the cell site and, in effect, the MME 214, such that the MME 214 can manage and prevent future connections to the IMSI-catcher. The UE feedback data can also be used to increase a probability score of future IMSI-catcher detections. In other words, the UE feedback data can be used as validating (or invalidating) data for whether the detection of the IMSI-catcher was correct. The change in one or more RF footprint metrics associated with that particular UE's connection to the IMSI-catcher can be used to train a model to identify future bad actors. Thus, conditions (e.g., changes in RF footprint metrics) that match a previously confirmed situation will carry a higher confidence level for predicting malicious activity than previously unseen conditions.
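The two uses of UE feedback described above, building an exclusion list from what reconnecting UEs report and using confirmed or refuted detections to score confidence in later ones, are shown together below as an added example. This is illustrative code for this page, not the disclosure's implementation; the feedback fields, the bucketing of metric changes into a signature, and the Laplace-smoothed confidence score stand in for the "model" the text mentions and are assumptions of this example.

```python
"""Added example: exclusion list and feedback-driven confidence scoring.

Illustrative code for this page, not the disclosure's implementation. The
feedback fields, signature bucketing and smoothing are assumptions.
"""
from collections import defaultdict
from dataclasses import dataclass


@dataclass
class UEFeedback:
    """What a UE reports once it is back on the authentic tower: what the
    rogue cell advertised while the UE was attached to it."""
    reported_cell_id: str
    reported_power_dbm: float
    was_rogue: bool   # assumed: confirmation that the cell was not the MNO's


@dataclass
class DetectionRecord:
    """The footprint change that triggered a detection."""
    connected_delta_ratio: float   # (current - baseline) / baseline connected UEs
    drops_in_window: int


def signature(rec, ratio_bucket=0.1, drop_bucket=10):
    """Coarse-grain a metric change so that similar situations share a key."""
    return (round(rec.connected_delta_ratio / ratio_bucket),
            (rec.drops_in_window // drop_bucket) * drop_bucket)


class FeedbackLearner:
    def __init__(self):
        self.exclusion_list = {}             # rogue cell id -> last reported power
        self.confirmed = defaultdict(int)    # signature -> detections UEs confirmed
        self.refuted = defaultdict(int)      # signature -> detections UEs contradicted

    def ingest(self, rec, fb):
        """Fold one detection plus the UE feedback that followed it in."""
        sig = signature(rec)
        if fb.was_rogue:
            self.confirmed[sig] += 1
            self.exclusion_list[fb.reported_cell_id] = fb.reported_power_dbm
        else:
            self.refuted[sig] += 1

    def confidence(self, rec):
        """Laplace-smoothed share of validated detections for this signature.
        A never-seen signature returns the 0.5 prior."""
        sig = signature(rec)
        c, r = self.confirmed[sig], self.refuted[sig]
        return (c + 1) / (c + r + 2)

    def exclusion_broadcast(self):
        """Identifiers the network would push to UEs in the coverage area."""
        return sorted(self.exclusion_list)


def demo():
    learner = FeedbackLearner()
    # Constructed history: three detections confirmed by UE feedback, all with
    # roughly a 40% drop in connected UEs and ~30 detaches in the window ...
    rogue = UEFeedback("CELL-CONSTRUCTED-1", 44.0, was_rogue=True)
    for rec in (DetectionRecord(-0.375, 30), DetectionRecord(-0.41, 35), DetectionRecord(-0.44, 39)):
        learner.ingest(rec, rogue)
    # ... and one small dip that UEs reported as an ordinary, authentic cell.
    learner.ingest(DetectionRecord(-0.12, 4), UEFeedback("CELL-CONSTRUCTED-2", 40.0, was_rogue=False))
    return learner


if __name__ == "__main__":
    learner = demo()
    print(learner.exclusion_broadcast())
    print(learner.confidence(DetectionRecord(-0.38, 32)))   # matches confirmed history
    print(learner.confidence(DetectionRecord(-0.09, 3)))    # matches the refuted dip
```

The power level stored alongside each excluded cell ID is the value the dynamic power adjustment needs when it sets a level above the IMSI-catcher's; the confidence score gives the detection stage a way to weight a threshold crossing by how often the same pattern has been confirmed.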
Turning to
Referring to
Referring to
The implementations of the present disclosure may be described in the general context of computer code or machine-useable instructions, including computer-executable instructions such as program components, being executed by a computer or other machine, such as a personal data assistant or other handheld device. Generally, program components, including routines, programs, objects, components, data structures, and the like, refer to code that performs particular tasks or implements particular abstract data types. Implementations of the present disclosure may be practiced in a variety of system configurations, including handheld devices, consumer electronics, general-purpose computers, specialty computing devices, etc. Implementations of the present disclosure may also be practiced in distributed computing environments where tasks are performed by remote-processing devices that are linked through a communications network.
As shown in
Memory 512 may take the form of memory components described herein. Thus, further elaboration will not be provided here, but it should be noted that memory 512 may include any type of tangible medium that is capable of storing information, such as a database. A database may be any collection of records, data, and/or information. In one embodiment, memory 512 may include a set of embodied computer-executable instructions that, when executed, facilitate various functions or elements disclosed herein. These embodied instructions will variously be referred to as “instructions” or an “application” for short.
Processor 514 may actually be multiple processors that receive instructions and process them accordingly. Presentation component 516 may include a display, a speaker, and/or other components that may present information (e.g., a display, a screen, a lamp (LED), a graphical user interface (GUI), and/or even lighted keyboards) through visual, auditory, and/or other tactile cues.
Radio 524 represents a radio that facilitates communication with a wireless telecommunications network. Illustrative wireless telecommunications technologies include CDMA, GPRS, TDMA, GSM, and the like. Radio 524 might additionally or alternatively facilitate other types of wireless communications including Wi-Fi, WiMAX, 3G, 4G, LTE, mMIMO/5G, NR, VoLTE, or other VoIP communications. As can be appreciated, in various embodiments, radio 524 can be configured to support multiple technologies and/or multiple radios can be utilized to support multiple technologies. A wireless telecommunications network might include an array of devices, which are not shown so as to not obscure more relevant aspects of the invention. Components such as a base station, a communications tower, or even access points (as well as other components) can provide wireless connectivity in some embodiments.
The input/output (I/O) ports 518 may take a variety of forms. Exemplary I/O ports may include a USB jack, a stereo jack, an infrared port, a FireWire port, other proprietary communications ports, and the like. Input/output (I/O) components 520 may comprise keyboards, microphones, speakers, touchscreens, and/or any other item usable to directly or indirectly input data into the computing device 500.
Power supply 522 may include batteries, fuel cells, and/or any other component that may act as a power source to supply power to the computing device 500 or to other network components, including through one or more electrical connections or couplings. Power supply 522 may be configured to selectively supply power to different components independently and/or concurrently.
Many different arrangements of the various components depicted, as well as components not shown, are possible without departing from the scope of the claims below. Embodiments of our technology have been described with the intent to be illustrative rather than restrictive. Alternative embodiments will become apparent to readers of this disclosure after and because of reading it. Alternative means of implementing the aforementioned can be completed without departing from the scope of the claims below. Certain features and subcombinations are of utility and may be employed without reference to other features and subcombinations and are contemplated within the scope of the claims.