Mobile user security

Internetworks of the future will allow and promote universal access: users will be able to reach the network from a multitude of access points separated by large geographic distances and many administrative boundaries. This introduces new security issues compared with traditional fixed networks, mostly because neither the access points of a mobile network nor the transmission on the radio path enjoy any physical protection. To protect a mobile network there are therefore two complementary security approaches:

  • Prevention
  • Detection
The prevention approach consists in reducing the risk of threats by ensuring that users respect the usage rules of the network services. A well-known mechanism is authentication based on shared secrets. The detection approach consists in looking for events that are clues of unusual activity on the network. This approach, also called security auditing, can be performed on-line, in which case it is called intrusion detection.

Because authentication alone is not sufficient to protect the mobile network against threats such as:

  • Theft of the mobile unit
  • Security holes in the software or hardware implementation
  • Malicious behaviour by a legitimate user
it is relevant to run both mechanisms within a single security architecture. Nevertheless, introducing authentication protocols in a mobile network leads to new security problems.

Authentication requires the mobile user to provide an identity and to prove it. Such disclosure allows an unauthorized third party to track the mobile user's movements and current whereabouts. Depending on the context, access to any information about a mobile user's location or activity without his consent can be a serious violation of his privacy. For all these reasons we have developed a security architecture for mobile networks that includes the following mechanisms:


Authentication of Mobile Users

Without a single central authority, a new set of inter-domain security mechanisms is needed to allow users to venture into remote domains while inheriting privileges from their home domain. Solutions to this problem must also satisfy a somewhat contradictory security constraint: strict separation of security domains, so that sensitive user-related security information is not shared with the visited domain. We have therefore developed a generic approach for authenticating mobile users in remote domains that satisfies the domain separation constraint.

The protocols can be applied in different mobile-user environments, including wireless networks and mobile-user services on traditional wireline networks. They have been added to KryptoKnight, an authentication and key distribution server developed by the IBM Zurich Research Laboratory.


Anonymity and Untraceability in Mobile Networks

This new requirement might be seen as conflicting with authentication: anonymity requires hiding the user's identity, while authentication requires the user's identity to be revealed in order to be proved. What is needed is a single mechanism reconciling authentication with the privacy of the mobile user's identity.

The basic solution to the anonymity problem is the use of aliases. Aliases ensure anonymity by hiding the user's identity as well as his relationship with domain authorities.

In order to formalize the problem of anonymity, we have developed a classification scheme to identify the different pieces of information which should be protected from legitimate network entities and unauthorized third parties.

We have also developed an efficient method for computing aliases and applied it to a new set of inter-domain authentication protocols. We show that these protocols can be designed to meet various degrees of privacy requirements. In designing them, we try to avoid the drawbacks of the authentication protocols of existing mobile network architectures such as CDPD and GSM.
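The two mechanisms above (inter-domain authentication that respects domain separation, and aliases that hide the identity from the visited domain) can be illustrated with one exchange. The following Python program is an added example written for this page; it is not the KryptoKnight code nor the protocol published by the authors. Everything in it is an assumption: a one-time alias derived from a counter under the key K_uh shared between user and home domain, a precomputed alias table at the home domain, HMAC-SHA256 as the only primitive, an inter-domain key K_hv set up out of band, and the message ordering user → visited → home → visited → user → visited.

```python
"""Inter-domain authentication under a one-time alias (added illustration, all names assumed).
The visited domain learns an alias and a session key Ks; it never sees the identity or K_uh."""
import hashlib
import hmac
import secrets

ALIAS_WINDOW = 8  # assumption: future aliases the home domain precomputes per user

def prf(key: bytes, *parts: bytes) -> bytes:
    """HMAC-SHA256 over length-prefixed parts, so concatenation is unambiguous."""
    h = hmac.new(key, digestmod=hashlib.sha256)
    for p in parts:
        h.update(len(p).to_bytes(2, "big") + p)
    return h.digest()

def alias_for(k_uh: bytes, counter: int) -> bytes:
    """Alias i = PRF(K_uh, "alias", i): only the user and its home can link it to the identity."""
    return prf(k_uh, b"alias", counter.to_bytes(4, "big"))[:16]

def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

class MobileUser:
    def __init__(self, identity: bytes, home_id: bytes, k_uh: bytes):
        self.identity, self.home_id, self.k_uh = identity, home_id, k_uh
        self.counter, self.ks = 0, None  # next alias index; an alias is never reused

    def start(self, visited_id: bytes):
        """Message 1 (user -> visited): alias, home domain, fresh nonce. No identity on the air."""
        self.visited_id, self.n_u = visited_id, secrets.token_bytes(16)
        alias = alias_for(self.k_uh, self.counter)
        self.counter += 1
        return alias, self.home_id, self.n_u

    def finish(self, n_v: bytes, auth_u: bytes) -> bytes:
        """Message 4 (visited -> user): verify the home's authenticator, derive Ks, confirm it."""
        if not hmac.compare_digest(auth_u, prf(self.k_uh, b"home-auth", self.n_u, n_v, self.visited_id)):
            raise ValueError("home authenticator invalid: visited domain not vouched for by home")
        self.ks = prf(self.k_uh, b"session", self.n_u, n_v, self.visited_id)
        return prf(self.ks, b"confirm", n_v)  # message 5 (user -> visited)

class HomeDomain:
    def __init__(self, home_id: bytes):
        self.home_id, self.keys, self.peers, self.alias_table = home_id, {}, {}, {}

    def register(self, identity: bytes) -> MobileUser:
        k_uh = secrets.token_bytes(32)  # shared only between the user and the home domain
        self.keys[identity] = k_uh
        for i in range(ALIAS_WINDOW):
            self.alias_table[alias_for(k_uh, i)] = (identity, i)
        return MobileUser(identity, self.home_id, k_uh)

    def handle(self, visited_id: bytes, alias: bytes, n_u: bytes, n_v: bytes):
        """Messages 2/3 (visited <-> home): resolve the alias and vouch for the user."""
        if alias not in self.alias_table:
            raise ValueError("unknown or already used alias")
        identity, i = self.alias_table.pop(alias)  # one-time: a replayed alias is rejected
        k_uh = self.keys[identity]
        self.alias_table[alias_for(k_uh, i + ALIAS_WINDOW)] = (identity, i + ALIAS_WINDOW)
        k_hv = self.peers[visited_id]  # inter-domain key
        ks = prf(k_uh, b"session", n_u, n_v, visited_id)
        wrapped = xor(ks, prf(k_hv, b"wrap", n_u, n_v))  # Ks readable only by this visited domain
        tag = prf(k_hv, b"tag", alias, n_u, n_v, wrapped)  # binds Ks to alias and both nonces
        auth_u = prf(k_uh, b"home-auth", n_u, n_v, visited_id)  # tells the user home approved
        return wrapped, tag, auth_u

class VisitedDomain:
    def __init__(self, visited_id: bytes):
        self.visited_id, self.homes = visited_id, {}

    def authenticate(self, user: MobileUser):
        alias, home_id, n_u = user.start(self.visited_id)
        n_v = secrets.token_bytes(16)
        home, k_hv = self.homes[home_id]
        wrapped, tag, auth_u = home.handle(self.visited_id, alias, n_u, n_v)
        if not hmac.compare_digest(tag, prf(k_hv, b"tag", alias, n_u, n_v, wrapped)):
            raise ValueError("home domain response not authentic")
        ks = xor(wrapped, prf(k_hv, b"wrap", n_u, n_v))
        if not hmac.compare_digest(user.finish(n_v, auth_u), prf(ks, b"confirm", n_v)):
            raise ValueError("user did not prove possession of the session key")
        return alias, ks  # the visited domain records an alias, never an identity

def peer(home: HomeDomain, visited: VisitedDomain) -> None:
    k_hv = secrets.token_bytes(32)  # inter-domain key, assumed set up out of band
    home.peers[visited.visited_id] = k_hv
    visited.homes[home.home_id] = (home, k_hv)

def demo() -> dict:
    home, visited = HomeDomain(b"home.example"), VisitedDomain(b"visited.example")
    peer(home, visited)
    alice = home.register(b"alice")  # constructed user
    alias1, ks1 = visited.authenticate(alice)
    keys_agree = ks1 == alice.ks
    alias2, ks2 = visited.authenticate(alice)
    try:
        home.handle(visited.visited_id, alias1, b"\0" * 16, b"\0" * 16)
        replay_rejected = False
    except ValueError:
        replay_rejected = True
    return {"keys_agree": keys_agree, "fresh_alias": alias1 != alias2,
            "fresh_key": ks1 != ks2, "replay_rejected": replay_rejected}
```

Run `demo()` to see the four properties the text asks for: both sides agree on Ks, each visit uses a different alias (so two visits cannot be linked by the visited domain or an eavesdropper), each visit gets a fresh key, and a captured alias cannot be replayed. Domain separation holds because K_uh is only ever used by the user and the home domain; the visited domain works with K_hv and the wrapped key. A real deployment would also have to decide what the home domain is allowed to learn (here it sees the visited domain's identity), which is exactly the kind of question the classification scheme above is meant to settle.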


IDAMN: An Intrusion Detection Architecture for Mobile Networks

A GSM network simulator has been implemented in order to test a distributed intrusion detection architecture for mobile networks. The reasons for this choice are twofold. First, the GSM network does not provide intrusion detection services to operators. Second, deploying a wide range of traffic generators spread over a geographic area is costly and difficult. Both problems can be overcome with a network simulator. A useful property of such simulators is that a particular network trace can be replayed several times in order to improve the detection software.

The challenge was therefore to design IDAMN so that it detects an intruder «on-line» while minimizing the overhead incurred by the GSM network. Detection relies on the system's ability to learn the normal behavior of the subscriber by building a profile. This profile is then sent to a Detector located in the mobile user's current area.

An intruder impersonating the real subscriber will behave differently and thus generate a significant deviation from the standard profile. The deviation is measured on data collected from the signalling network. The following three levels of analysis have been defined:

  • Level 1: Fast intrusion detection checks that verify the speed of a mobile user and look for clones (the same user being active in two different parts of the network at the same time).

  • Level 2: The system measures the impact of the subscriber's behavior on the different GSM entities (abnormal activity at an MSC may be a symptom of intrusion).

  • Level 3: The most significant analysis: the resulting procedure evaluates every deviation from the user's normal «signature» (normal behavior profile).
For the level-3 analysis, the normal behavior of the subscriber is defined by three profiles: a mobility profile, an activity profile and a speech profile. Each profile contributes to raising different intrusion alarms, which a rule-based system analyzes in order to produce the final diagnosis.
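The level-1 speed and clone checks and the level-3 profile comparison can be made concrete over a signalling trace. The Python program below is an added illustration written for this page, not the IDAMN code: the event format, the cell grid in kilometres, the speed and cell-radius thresholds, the choice of a mobility profile (cell frequencies) and an activity profile (call rate) for level 3, the rule base in `diagnose`, and all trace data are constructed assumptions. The speech profile is left out because the page does not say what it measures.

```python
"""IDAMN-style level-1 and level-3 checks over a constructed GSM signalling trace.
Added illustration, not the IDAMN code; event format, thresholds and data are assumptions."""
from collections import Counter
from dataclasses import dataclass
from math import hypot

MAX_SPEED_KMH = 250.0  # assumed upper bound on a legitimate subscriber's speed
CELL_RADIUS_KM = 2.0   # assumed: positions closer than this count as the same area
HOUR = 3600.0

@dataclass
class Event:
    imsi: str         # subscriber identity as seen on the signalling network
    t: float          # seconds since the start of the trace
    x: float          # cell position in km on a constructed grid
    y: float
    kind: str         # "location_update" or "call_setup"
    dur: float = 0.0  # call duration in seconds (0 for a location update)

def cell(e: Event):
    return (round(e.x), round(e.y))

def level1_alarms(events):
    """Level 1: impossible speed between consecutive events of one IMSI, and clones
    (activity in a distant area while the previous call of the same IMSI is still in progress)."""
    alarms, last = [], {}
    for e in sorted(events, key=lambda ev: ev.t):
        p = last.get(e.imsi)
        if p is not None:
            dist = hypot(e.x - p.x, e.y - p.y)
            gap = e.t - (p.t + p.dur)  # time between end of previous activity and this event
            if dist > CELL_RADIUS_KM:
                if gap < 0:
                    alarms.append((e.imsi, e.t, "clone: simultaneous activity in two areas"))
                elif dist / max(gap, 1e-9) * HOUR > MAX_SPEED_KMH:
                    alarms.append((e.imsi, e.t, f"speed {dist / max(gap, 1e-9) * HOUR:.0f} km/h"))
        last[e.imsi] = e
    return alarms

def span_hours(events) -> float:
    return max((max(e.t for e in events) - min(e.t for e in events)) / HOUR, 1.0)

def build_profile(history):
    """Level 3: learn the subscriber's signature from past events, here a mobility profile
    (cell frequencies) and an activity profile (calls per hour)."""
    cells = Counter(cell(e) for e in history)
    n = sum(cells.values())
    calls = sum(1 for e in history if e.kind == "call_setup")
    return {"cells": {c: k / n for c, k in cells.items()}, "calls_per_hour": calls / span_hours(history)}

def level3_deviation(profile, recent):
    """Deviation of a window of recent events from the learned signature."""
    unknown = sum(1 for e in recent if cell(e) not in profile["cells"]) / len(recent)
    rate = sum(1 for e in recent if e.kind == "call_setup") / span_hours(recent)
    return {"unknown_cells": unknown, "call_rate_ratio": rate / max(profile["calls_per_hour"], 1e-9)}

def diagnose(l1_alarms, dev) -> str:
    """Rule base combining the alarms of each level into the final diagnosis (thresholds assumed)."""
    if l1_alarms:
        return "intrusion"
    if dev["unknown_cells"] > 0.5 and dev["call_rate_ratio"] > 3:
        return "intrusion"
    if dev["unknown_cells"] > 0.5 or dev["call_rate_ratio"] > 3:
        return "suspect"
    return "normal"

# Constructed history: "u1" commutes between cells (0,0) and (5,5) for a week, one call every two hours.
HISTORY = []
for day in range(7):
    for h in range(24):
        t = (day * 24 + h) * HOUR
        x, y = (0.0, 0.0) if h < 8 or h >= 18 else (5.0, 5.0)
        HISTORY.append(Event("u1", t, x, y, "location_update"))
        if h % 2 == 0:
            HISTORY.append(Event("u1", t + 600, x, y, "call_setup", dur=120))

T0 = 8 * 24 * HOUR
NORMAL_WINDOW = [Event("u1", T0 + h * HOUR, 0.0, 0.0, "location_update") for h in range(6)]
NORMAL_WINDOW.append(Event("u1", T0 + 2 * HOUR + 300, 0.0, 0.0, "call_setup", dur=90))
# Same IMSI suddenly active 400 km away with twelve calls in an hour: level 1 sees nothing
# (no earlier event in the window), level 3 flags both the mobility and the activity profile.
ATTACK_WINDOW = [Event("u1", T0 + i * 300, 300.0, 300.0, "call_setup", dur=60) for i in range(12)]
# A call still in progress at (0,0) while the same IMSI sends a location update from (5,5).
CLONE_WINDOW = [Event("u1", T0, 0.0, 0.0, "call_setup", dur=300),
                Event("u1", T0 + 60, 5.0, 5.0, "location_update")]
# Roughly 424 km in ten minutes.
SPEED_WINDOW = [Event("u1", T0, 0.0, 0.0, "location_update"),
                Event("u1", T0 + 600, 300.0, 300.0, "location_update")]

def run() -> dict:
    profile = build_profile(HISTORY)
    return {
        "normal": diagnose(level1_alarms(NORMAL_WINDOW), level3_deviation(profile, NORMAL_WINDOW)),
        "attack": diagnose(level1_alarms(ATTACK_WINDOW), level3_deviation(profile, ATTACK_WINDOW)),
        "clone": [a[2] for a in level1_alarms(CLONE_WINDOW)],
        "speed": [a[2] for a in level1_alarms(SPEED_WINDOW)],
    }
```

`run()` shows the division of labour the three levels imply: the level-1 checks are cheap and need no learned profile, so they can run first at the Detector on every location update, but they miss the attacker who simply uses the stolen identity far from the legitimate user; that case is only caught by comparing the recent window against the profile, which is why the page calls level 3 the most significant analysis and why the profile has to be shipped to the Detector in the user's current area.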

Research team

  • R. Molva
  • D. Samfat

[Webmaster] - [NSTeam] - Eurecom - 09/11/98