Mobile user security
Internetworks of the future will allow and promote universal access.
Users will be able to access the network at a multitude of access points
separated by significant geographic distance and many administrative
boundaries. This phenomenon has introduced new security issues compared
to the traditional fixed networks. This is mostly because of the lack
of physical protection of the mobile network access points and of the
transmission on the radio path. Therefore, in order to protect a mobile
network, there are two complementary security approaches:
The prevention approach consists in reducing the risk of threats by
ensuring that users respect the rules of usage of the network services.
A well-known mechanism is authentication based on shared secrets.
The detection approach consists in looking for events that are the clues
of an unusual activity on the network. This examination, also called
security auditing, can be done on-line, in which case it is called intrusion detection.
Because authentication alone is not sufficient to protect the mobile network
against threats such as:
- The theft of the mobile unit
- Security holes in the software or hardware implementation
- Malicious attacks by the legitimate user
it is relevant to run both mechanisms in a single security
architecture. Nevertheless, introducing authentication protocols in a
mobile network leads to new security problems.
Authentication requires the mobile user to provide an identity and to prove it.
Such disclosure allows an unauthorized third-party to
track the mobile user's movements and current whereabouts.
Depending on the context, access to any information related to a mobile
user's location or activity without his consent can be a serious violation
of his privacy.
For all these reasons, we have developed a security architecture
for mobile networks including the following mechanisms:
Without a single central authority, a new set of inter-domain
security mechanisms is needed to allow users to venture into remote
domains while inheriting privileges from their home domain. Solutions
addressing this issue must take into account a somewhat contradictory security
constraint that calls for strict separation of security domains in order to
avoid sharing sensitive user-related security information. Therefore, we
have developed a generic approach for authenticating mobile users in remote
domains that satisfies the domain separation constraint.
The protocols can be applied in different mobile-user environments
including wireless networks and mobile user services on traditional
wireline networks. They have been added to KryptoKnight, an authentication
and key distribution server developed by the IBM Zurich Research Laboratory.
The privacy requirement described above, anonymity of the mobile user, might be seen as
conflicting with authentication: anonymity
requires hiding the user's identity while authentication
requires the user's identity to be revealed in order to be proved.
What is needed is a single mechanism reconciling both authentication
and privacy of a mobile user's identity.
The basic solution to the problem of anonymity is the use of aliases.
Aliases ensure anonymity by hiding the user's identity as well as
his relationship with domain authorities.
In order to formalize the problem of anonymity, we have developed
a classification scheme to identify
the different pieces of information which should be protected from
legitimate network entities and unauthorized third parties.
We have also developed an efficient method for the
computation of aliases and applied it to a new set of inter-domain
authentication protocols. We demonstrate that these protocols can
be designed to meet various degrees of privacy requirements.
In designing these protocols, we try to avoid the drawbacks of
authentication protocols in existing mobile network architectures such
as CDPD and GSM.
A GSM network simulator has been implemented in order to test
IDAMN, a distributed intrusion detection architecture for mobile networks.
The reasons for such a choice are twofold. First, the
GSM network does not provide intrusion detection
services to operators. Second, the provision of a wide range of traffic
generators spread over a geographic area is costly and difficult
to achieve. These problems can be overcome by the use of
network simulators. A useful property of such simulators is that
a particular networking trace can be reproduced several times
in order to improve the detection software.
Therefore, the challenge was to model IDAMN in order to detect an intruder
«on-line» while minimizing the overhead incurred at the GSM network.
The basic idea of detecting an intruder relies on the
system's ability to learn the normal behavior of the subscriber by creating
a profile. This profile is then sent to a Detector located in the
current area of the mobile user.
An intruder impersonating
the real subscriber will behave differently and
thus generate a significant deviation from the standard profile.
This deviation is measured from data collected on the signaling
network. The following three levels of analysis have been defined:
- Level 1: The resulting procedures allow a
fast intrusion detection analysis by verifying
the speed of a mobile user or detecting
clones (the same user being active in two
different parts of the network at the same
time).
- Level 2: The system measures the impact
of the subscriber behavior on the different
GSM entities (an abnormal activity of an
MSC may be a symptom of intrusion).
- Level 3: This is the most significant intrusion
detection analysis as the resulting procedure evaluates
every deviation from the normal user's «signature» (normal
behavior profile).
In the case of the level-3 analysis the normal behavior
of the subscriber is defined by three profiles: mobility
profile, activity profile and speech profile. Each profile
will help in raising different intrusion alarms that a rule-based
system will analyze in order to give the final diagnosis.
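The level-1 checks described above (implausible speed between two location updates, and a clone seen in two distant parts of the network at the same time) as an added illustration, not code from IDAMN or the GSM simulator. Subscriber identifiers, cell coordinates, the speed limit and the clone window are constructed assumptions.

```python
from dataclasses import dataclass
from math import radians, sin, cos, asin, sqrt


@dataclass(frozen=True)
class LocationUpdate:
    """One signaling event: a subscriber was seen in a given cell at time t."""
    subscriber: str   # hypothetical subscriber identifier
    cell: str         # hypothetical cell identifier
    lat: float
    lon: float
    t: float          # seconds


MAX_SPEED_MPS = 70.0      # assumed plausibility limit (~250 km/h)
CLONE_WINDOW_S = 60.0     # assumed: two distant cells within this window => clone
NEIGHBOUR_CELL_M = 5000.0 # assumed: closer cells may simply be a normal handover


def distance_m(a, b):
    """Great-circle distance in metres between two updates (haversine formula)."""
    lat1, lon1, lat2, lon2 = map(radians, (a.lat, a.lon, b.lat, b.lon))
    h = sin((lat2 - lat1) / 2) ** 2 + cos(lat1) * cos(lat2) * sin((lon2 - lon1) / 2) ** 2
    return 2 * 6_371_000 * asin(sqrt(h))


def level1_alerts(updates):
    """Compare consecutive updates per subscriber; return (kind, subscriber, from, to)."""
    by_sub = {}
    for u in sorted(updates, key=lambda u: u.t):
        by_sub.setdefault(u.subscriber, []).append(u)
    alerts = []
    for sub, seq in by_sub.items():
        for prev, cur in zip(seq, seq[1:]):
            if cur.cell == prev.cell:
                continue                       # same cell: nothing to compare
            d, dt = distance_m(prev, cur), cur.t - prev.t
            if dt <= CLONE_WINDOW_S and d > NEIGHBOUR_CELL_M:
                alerts.append(("clone", sub, prev.cell, cur.cell))
            elif dt > 0 and d / dt > MAX_SPEED_MPS:
                alerts.append(("speed", sub, prev.cell, cur.cell))
    return alerts


SAMPLE_UPDATES = [  # constructed sample trace, not real signaling data
    LocationUpdate("S1", "ZRH-01", 47.3769, 8.5417, 0.0),
    LocationUpdate("S1", "ZRH-01", 47.3769, 8.5417, 900.0),
    LocationUpdate("S1", "BRN-07", 46.9480, 7.4474, 3600.0),  # ~96 km in 1 h: plausible
    LocationUpdate("S2", "ZRH-01", 47.3769, 8.5417, 0.0),
    LocationUpdate("S2", "GVA-03", 46.2044, 6.1432, 600.0),   # ~224 km in 10 min: speed
    LocationUpdate("S3", "ZRH-01", 47.3769, 8.5417, 0.0),
    LocationUpdate("S3", "BRN-07", 46.9480, 7.4474, 30.0),    # two places at once: clone
]
```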
Research team