System and method for securing communication and information of mobile devices through a controlled cellular communication network

US 10,341,856 B2
Filed: 05/10/2017
Issued: 07/02/2019
Est. Priority Date: 05/10/2016
Status: Active Grant

First Claim

Patent Images

1. A system for providing security services, for securing the privacy of cellular network subscribers and the security of data stored on the said subscribers'"'"' User Cellular Devices (UCDs), said system comprising:

at least one non-transitory computer readable storage device and one or more processors operatively coupled to the storage device on which are stored modules of instruction code which when executed by said one or more processors implements a Controlled Cellular Network (CCN), interfacing a cellular Public Land Mobile Network (PLMN), said PLMN hosting a plurality of cellular subscribers;

wherein said CCN provides said security services to “

serviced subscribers”

;

wherein said CCN encapsulates communication between UCD of said serviced subscribers and the hosting PLMN, said communication including at least part of;

control, signaling, SMS and data communications;

wherein said CCN is configured to monitor and analyze parameters and characteristics of said encapsulated communication in real time or in relation to historically acquired data, including at least one of;

time patterns, volumes, destination address, source address, content and context;

wherein said CCN is configured to identify statistic deviations exceeding predefined thresholds, based on said analysis of parameters and characteristics of said encapsulated communication;

wherein said CCN is configured to identify the occurrence of predefined suspicious events and scenarios, based on said analysis of said encapsulated communication;

wherein said CCN is configured to identify security threats to the privacy of said serviced subscribers and to the data stored on their UCD and determine said threats'"'"' category and probability, based on said analysis of encapsulated communication;

wherein the said CCN is configured to respond to said security threats in real time or in near-real time and take active measures to avert the said suspected threats;

wherein said active measures including at least one of;

blocking or diverting communication, alerting serviced subscribers and/or system administrators, responding to system queries with altered data, and logging of suspicious events and scenarios;

wherein application of said active measures depends on the category of identified security threat, the identified threat'"'"'s probability, and the serviced subscriber'"'"'s profile;

wherein said CCN comprises at least one of;

controlled module(s), configured to complement the functionality of respective elements of the hosting cellular PLMN;

a security center module, configured to perform at least one of instantiation, configuration, monitoring, analysis and management of the functionality of each of said controlled modules; and

an administrative module, configured to interface said security center module, and provide an administrator interface for at least one of;

instantiating controlled modules of one or more CCNs;

configuring said controlled modules of said one or more CCNs, to serve serviced subscribers of the hosting cellular PLMN;

presenting alerts regarding the functionality of the CCN and events within the hosting cellular PLMN;

extracting reports regarding the functionality of the CCN and events within the hosting cellular PLMN;

wherein the said security center module comprises at least one of the following modules;

a probe interface module, configured to probe each of the said controlled modules within the CCN, and accumulate data regarding transactions, events and scenarios occurring on the hosing PLMN and data regarding communication between elements of the CCN and the hosting PLMN;

a data analysis module, configured to perform at least one of;

obtaining the data accumulated by the said probe interface module;

analyzing parameters and characteristics of said encapsulated communication in real time or in near-real time, including at least one of;

time patterns, volumes, destination address, source address, content and context;

identifying statistic deviations exceeding predefined thresholds;

analyzing accumulated historical data, pertaining to parameters and characteristics of said encapsulated communication;

identifying the occurrence of predefined suspicious events and scenarios on the hosing PLMN based on said analysis;

identifying security threats to the privacy of serviced subscribers and data stored on their UCD based on said analysis;

emitting activity messages to other controlled modules of the CCN to avert the said identified security threats, and emitting alert messages to said administrative module and/or UCD to notify against said identified security threats;

maintaining an events'"'"' database;

a security action management module configured to perform at least one of;

receiving activity messages from the data analysis module;

obtaining parameters of served subscriber'"'"'s profile from a subscribers database;

interfacing and commanding controlled modules within the CCN to carry out security actions that are required to avert the said identified security threat, according to the category of identified threat, the identified threat'"'"'s probability, and the serviced subscriber'"'"'s profile; and

a threats management module, configured to manage and maintain a database of the security threats encountered during the activity of the CCN;

further comprising a UCD Lifeline Module (ULM) embedded within said serviced subscribers'"'"' UCD, on which are stored modules of instruction code, which when executed by the ULM, configure the UCD to initiate lifeline communication to the security action management module or respond to lifeline communication from the security action management module;

wherein;

the said security action management module is configured to initiate lifeline communication to the UCD or respond to lifeline communication from the UCD;

failure of reception of Lifeline communication on the security action management module side is reported to the data analysis module as real-time indication of an attempt to hijack the UCD from the hosting PLMN; and

failure of reception of Lifeline communication on the ULM invokes security actions on the UCD side, said actions including at least one of;

alerting the user regarding failure of lifeline reception and altering at least one of the UCD'"'"'s identity parameters.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

The present invention discloses a system and a method for securing the privacy of cellular network subscribers and the security of data stored on the said subscribers'"'"' User Cellular Devices (UCDs). The system comprises a Controlled Cellular Network (CCN), interfacing a cellular Public Land Mobile Network (PLMN), hosting a plurality of cellular subscribers. The said CCN system provides said security services to “serviced subscribers” of the hosting PLMN. The CCN encapsulates communication between UCDs of serviced subscribers and the hosting PLMN, including at least part of: control, signaling, SMS and data communications. The CCN is configured to identify security threats to the privacy of serviced subscribers and to the data stored on their UCDs, and determine said threats'"'"' category and probability, based on analysis of said encapsulated communication. CCN is configured to respond to said threats in real or near-real time, and take active measures to avert said suspected threats.

Citations

25 Claims

1. A system for providing security services, for securing the privacy of cellular network subscribers and the security of data stored on the said subscribers'"'"' User Cellular Devices (UCDs), said system comprising:
- at least one non-transitory computer readable storage device and one or more processors operatively coupled to the storage device on which are stored modules of instruction code which when executed by said one or more processors implements a Controlled Cellular Network (CCN), interfacing a cellular Public Land Mobile Network (PLMN), said PLMN hosting a plurality of cellular subscribers;
  
  wherein said CCN provides said security services to “
  
  serviced subscribers”
  
  ;
  
  wherein said CCN encapsulates communication between UCD of said serviced subscribers and the hosting PLMN, said communication including at least part of;
  
  control, signaling, SMS and data communications;
  
  wherein said CCN is configured to monitor and analyze parameters and characteristics of said encapsulated communication in real time or in relation to historically acquired data, including at least one of;
  
  time patterns, volumes, destination address, source address, content and context;
  
  wherein said CCN is configured to identify statistic deviations exceeding predefined thresholds, based on said analysis of parameters and characteristics of said encapsulated communication;
  
  wherein said CCN is configured to identify the occurrence of predefined suspicious events and scenarios, based on said analysis of said encapsulated communication;
  
  wherein said CCN is configured to identify security threats to the privacy of said serviced subscribers and to the data stored on their UCD and determine said threats'"'"' category and probability, based on said analysis of encapsulated communication;
  
  wherein the said CCN is configured to respond to said security threats in real time or in near-real time and take active measures to avert the said suspected threats;
  
  wherein said active measures including at least one of;
  
  blocking or diverting communication, alerting serviced subscribers and/or system administrators, responding to system queries with altered data, and logging of suspicious events and scenarios;
  
  wherein application of said active measures depends on the category of identified security threat, the identified threat'"'"'s probability, and the serviced subscriber'"'"'s profile;
  
  wherein said CCN comprises at least one of;
  
  controlled module(s), configured to complement the functionality of respective elements of the hosting cellular PLMN;
  
  a security center module, configured to perform at least one of instantiation, configuration, monitoring, analysis and management of the functionality of each of said controlled modules; and
  
  an administrative module, configured to interface said security center module, and provide an administrator interface for at least one of;
  
  instantiating controlled modules of one or more CCNs;
  
  configuring said controlled modules of said one or more CCNs, to serve serviced subscribers of the hosting cellular PLMN;
  
  presenting alerts regarding the functionality of the CCN and events within the hosting cellular PLMN;
  
  extracting reports regarding the functionality of the CCN and events within the hosting cellular PLMN;
  
  wherein the said security center module comprises at least one of the following modules;
  
  a probe interface module, configured to probe each of the said controlled modules within the CCN, and accumulate data regarding transactions, events and scenarios occurring on the hosing PLMN and data regarding communication between elements of the CCN and the hosting PLMN;
  
  a data analysis module, configured to perform at least one of;
  
  obtaining the data accumulated by the said probe interface module;
  
  analyzing parameters and characteristics of said encapsulated communication in real time or in near-real time, including at least one of;
  
  time patterns, volumes, destination address, source address, content and context;
  
  identifying statistic deviations exceeding predefined thresholds;
  
  analyzing accumulated historical data, pertaining to parameters and characteristics of said encapsulated communication;
  
  identifying the occurrence of predefined suspicious events and scenarios on the hosing PLMN based on said analysis;
  
  identifying security threats to the privacy of serviced subscribers and data stored on their UCD based on said analysis;
  
  emitting activity messages to other controlled modules of the CCN to avert the said identified security threats, and emitting alert messages to said administrative module and/or UCD to notify against said identified security threats;
  
  maintaining an events'"'"' database;
  
  a security action management module configured to perform at least one of;
  
  receiving activity messages from the data analysis module;
  
  obtaining parameters of served subscriber'"'"'s profile from a subscribers database;
  
  interfacing and commanding controlled modules within the CCN to carry out security actions that are required to avert the said identified security threat, according to the category of identified threat, the identified threat'"'"'s probability, and the serviced subscriber'"'"'s profile; and
  
  a threats management module, configured to manage and maintain a database of the security threats encountered during the activity of the CCN;
  
  further comprising a UCD Lifeline Module (ULM) embedded within said serviced subscribers'"'"' UCD, on which are stored modules of instruction code, which when executed by the ULM, configure the UCD to initiate lifeline communication to the security action management module or respond to lifeline communication from the security action management module;
  
  wherein;
  
  the said security action management module is configured to initiate lifeline communication to the UCD or respond to lifeline communication from the UCD;
  
  failure of reception of Lifeline communication on the security action management module side is reported to the data analysis module as real-time indication of an attempt to hijack the UCD from the hosting PLMN; and
  
  failure of reception of Lifeline communication on the ULM invokes security actions on the UCD side, said actions including at least one of;
  
  alerting the user regarding failure of lifeline reception and altering at least one of the UCD'"'"'s identity parameters.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8)
- - 2. The system of claim 1, wherein the CCN provides serviced subscribers UCDs at least part of the following functionality:
    - Mobility Management (MM) of the user;
      
      Short Message Services (SMS);
      
      Supplementary Services (SS);
      
      Intelligent Networks (IN) aspects;
      
      Handling of user data communication;
      
      Signaling of incoming calls and SMS;
      
      Incoming and outgoing USSD; and
      
      All CAMEL transactions.
  - 3. The system of claim 1, wherein said at least one controlled modules comprises a controlled Home Location Register (HLR) module (800) and/or controlled Home Subscriber Server (HSS) module, configured, monitored and controlled by the said security center module, to perform at least one of the following:
    - withholding a database upon which information pertaining to said serviced subscribers is kept;
      
      respectively complementing the functionality of HLR and/or HSS modules of the hosting cellular PLMN system (200) from within the CCN;
      
      providing data to the security center module regarding system access to the HSS/HLR databases, Any Time Interrogation (ATI) queries and Send Routing Information (SRI) queries; and
      
      acting upon commands from the security center module by performing at least one of;
      
      applying changes to the CCN'"'"'s HSS and HLR databases, blocking incoming messages and voice calls, and providing altered responses to ATI and SRI system queries.
  - 4. The system of claim 1, wherein said at least one controlled modules comprises a controlled GMSC and/or controlled MME module, configured, monitored and controlled by the said security center module, to perform at least one of the following:
    - respectively complementing the functionality of GMSC (Gateway Mobile Switching Center) and/or MME (Mobility Management Entity) modules of the hosting cellular PLMN from within the CCN;
      
      routing cellular calls between serviced subscribers of the CCN and the hosting PLMN;
      
      providing data to the security center module regarding hosting PLMN control messages; and
      
      acting upon commands from the security center module by blocking suspicious voice-call related messages.
  - 5. The system of claim 1, wherein said at least one controlled modules comprises a controlled GGSN module and/or controlled PGW module, configured, monitored and controlled by the said security center module, to perform at least one of the following:
    - respectively complementing the functionality of GGSN (Gateway GPRS Support Node) and/or PGW (Packet Data Network Gateway) modules of the hosting cellular PLMN system from within the CCN;
      
      routing packet switched data between the CCN and external packet switched networks, including at least one of the Internet, IoT (Internet of Things) devices, M2M networks and connected cars data networks;
      
      providing data to the security center module regarding switched data packets transactions over the PLMN; and
      
      acting upon commands from the security center module by performing at least one of;
      
      blocking the download of suspicious data, blocking the upload of data stored on the UCD, or originated from the UCD, the UCD camera and the UCD microphone, and executing an end-point verification (‘
      
      whois’
      
      ) network command.
  - 6. The system of claim 1, wherein said at least one controlled modules comprises a controlled Short Messaging Service Center (SMSC) module, configured, monitored and controlled by the said security center module, to perform at least one of the following:
    - complementing the functionality of the SMSC module of the hosting cellular PLMN system from within the CCN;
      
      routing Short Messages (SMS, EMS, MMS, USSD) between the CCN and the hosting PLMN;
      
      providing data to the security center module regarding Short Messaging (SMS, EMS, MMS, USSD) control and data messages over the PLMN; and
      
      acting upon commands from the security center module by blocking or manipulating suspicious SMS, EMS, MMS and USSD communication transactions.
  - 7. The system of claim 1, wherein at least one component of the CCN is implemented as a service, and executed on the same physical machines as the home PLMN or hosting PLMN hardware components.
  - 8. The system of claim 1, wherein the data analysis module is further configured to:
    - monitor incoming and outgoing communication pertaining to specific mobile applications executing on the UCD;
      
      detect deviations within predefined threshold in said communication from expected communication patterns of said specific mobile applications, wherein said communication patterns include at least one of;
      
      source address, destination address, communication volume, communication patterns and communication timing; and
      
      analyze said detected deviations to identify illegitimate activity of mobile applications.

9. A system-for providing security services, for securing the privacy of cellular network subscribers and the security of data stored on the said subscribers'"'"' User Cellular Devices (UCDs), said system comprising:
- at least one non-transitory computer readable storage device and one or more processors operatively coupled to the storage device on which are stored modules of instruction code which when executed by said one or more processors implements a Controlled Cellular Network (CCN), interfacing a cellular Public Land Mobile Network (PLMN), said PLMN hosting a plurality of cellular subscribers;
  
  wherein said CCN provides said security services to “
  
  serviced subscribers”
  
  ;
  
  wherein said CCN encapsulates communication between UCD of said serviced subscribers and the hosting PLMN, said communication including at least part of;
  
  control, signaling, SMS and data communications;
  
  wherein said CCN is configured to monitor and analyze parameters and characteristics of said encapsulated communication in real time or in relation to historically acquired data, including at least one of;
  
  time patterns, volumes, destination address, source address, content and context;
  
  wherein said CCN is configured to identify statistic deviations exceeding predefined thresholds, based on said analysis of parameters and characteristics of said encapsulated communication;
  
  wherein said CCN is configured to identify the occurrence of predefined suspicious events and scenarios, based on said analysis of said encapsulated communication;
  
  wherein said CCN is configured to identify security threats to the privacy of said serviced subscribers and to the data stored on their UCD and determine said threats'"'"' category and probability, based on said analysis of encapsulated communication;
  
  wherein the said CCN is configured to respond to said security threats in real time or in near-real time and take active measures to avert the said suspected threats;
  
  wherein said active measures including at least one of;
  
  blocking or diverting communication, alerting serviced subscribers and/or system administrators, responding to system queries with altered data, and logging of suspicious events and scenarios;
  
  wherein application of said active measures depends on the category of identified security threat, the identified threat'"'"'s probability, and the serviced subscriber'"'"'s profile;
  
  wherein said CCN comprises at least one of;
  
  controlled module(s), configured to complement the functionality of respective elements of the hosting cellular PLMN;
  
  a security center module, configured to perform at least one of instantiation, configuration, monitoring, analysis and management of the functionality of each of said controlled modules; and
  
  an administrative module, configured to interface said security center module, and provide an administrator interface for at least one of;
  
  instantiating controlled modules of one or more CCNs;
  
  configuring said controlled modules of said one or more CCNs, to serve serviced subscribers of the hosting cellular PLMN;
  
  presenting alerts regarding the functionality of the CCN and events within the hosting cellular PLMN;
  
  extracting reports regarding the functionality of the CCN and events within the hosting cellular PLMN;
  
  wherein the said security center module comprises at least one of the following modules;
  
  a probe interface module, configured to probe each of the said controlled modules within the CCN, and accumulate data regarding transactions, events and scenarios occurring on the hosing PLMN and data regarding communication between elements of the CCN and the hosting PLMN;
  
  a data analysis module, configured to perform at least one of;
  
  obtaining the data accumulated by the said probe interface module;
  
  analyzing parameters and characteristics of said encapsulated communication in real time or in near-real time, including at least one of;
  
  time patterns, volumes, destination address, source address, content and context;
  
  identifying statistic deviations exceeding predefined thresholds;
  
  analyzing accumulated historical data, pertaining to parameters and characteristics of said encapsulated communication;
  
  identifying the occurrence of predefined suspicious events and scenarios on the hosing PLMN based on said analysis;
  
  identifying security threats to the privacy of serviced subscribers and data stored on their UCD based on said analysis;
  
  emitting activity messages to other controlled modules of the CCN to avert the said identified security threats, and emitting alert messages to said administrative module and/or UCD to notify against said identified security threats;
  
  maintaining an events'"'"' database;
  
  a security action management module configured to perform at least one of;
  
  receiving activity messages from the data analysis module;
  
  obtaining parameters of served subscriber'"'"'s profile from a subscribers database;
  
  interfacing and commanding controlled modules within the CCN to carry out security actions that are required to avert the said identified security threat, according to the category of identified threat, the identified threat'"'"'s probability, and the serviced subscriber'"'"'s profile;
  
  a threats management module, configured to manage and maintain a database of the security threats encountered during the activity of the CCN;
  
  further comprising a UCD Lifeline Module (ULM) embedded within said serviced subscribers'"'"' UCD, on which are stored modules of instruction code, which when executed by the ULM, configure the UCD to initiate lifeline communication to the security action management module or respond to lifeline communication from the security action management module;
  
  wherein;
  
  said ULM is configured to send to the said security action management module real-time information regarding the status and whereabouts of the UCD through the Lifeline communication channel, said information including at least one of;
  
  properties of the hosting PLMN, events of IRAT handover during voice calls, and events of BTS handover during voice calls;
  
  said real-time information is propagated from the security action management module to the data analysis module; and
  
  the data analysis module is configured to analyze said information, and identify at least one of following suspicious events and scenarios;
  
  illegitimate IRAT handover;
  
  illegitimate BTS handover;
  
  hijacking attempts of the UCD from its home PLMN or visited PLMN to other networks; and
  
  illegitimate altering of UCD communication encryption properties.
- View Dependent Claims (11, 12)
- - 11. The system of claim 9, wherein said alteration of one or more UCD identity parameter values may be invoked:
    - according to a time based trigger;
      
      locally on the UCD, according to any logic preconfigured on the ULM or SISE;
      
      locally by the ULM or SISE, in response to a failure to receive Lifeline communication;
      
      remotely, according to any logic preconfigured on the identity mediation module;
      
      remotely by the identity mediation module, in response to failure to receive Lifeline communication;
      
      remotely by the identity mediation module, in response to an event on the hosting PLMN;
      
      remotely by the identity mediation module, in response to an activity message from the data analysis module, following an identified suspected threat, including IMSI catcher and Man-in-the-Middle (MitM) attacks;
      
      orany combination of the above.
  - 12. The system of claim 9, wherein serviced subscribers'"'"' ULMs are configured to possess a set of fallback identity parameter values, whereupon the event of a lifeline communication failure between the security action module and the ULM of a serviced subscriber'"'"'s UCD:
    - the ULM will invoke an alteration of UCD identity parameter values to the said fallback values;
      
      the UCD will revert to using said set of fallback parameter values, and thus will be re-introduced to the CCN bearing the said fallback UCD identity parameter values; and
      
      the ULM will optionally restart the UCD in cases that require such a restart, in order to ensure the enforcement of said alteration of identity parameter values on the UCD.

10. A system for providing security services, for securing the privacy of cellular network subscribers and the security of data stored on the said subscribers'"'"' User Cellular Devices (UCDs), said system comprising:
- at least one non-transitory computer readable storage device and one or more processors operatively coupled to the storage device on which are stored modules of instruction code which when executed by said one or more processors implements a Controlled Cellular Network (CCN), interfacing a cellular Public Land Mobile Network (PLMN), said PLMN hosting a plurality of cellular subscribers;
  
  wherein said CCN provides said security services to “
  
  serviced subscribers”
  
  ;
  
  wherein said CCN encapsulates communication between UCD of said serviced subscribers and the hosting PLMN, said communication including at least part of;
  
  control, signaling, SMS and data communications;
  
  wherein said CCN is configured to monitor and analyze parameters and characteristics of said encapsulated communication in real time or in relation to historically acquired data, including at least one of;
  
  time patterns, volumes, destination address, source address, content and context;
  
  wherein said CCN is configured to identify statistic deviations exceeding predefined thresholds, based on said analysis of parameters and characteristics of said encapsulated communication;
  
  wherein said CCN is configured to identify the occurrence of predefined suspicious events and scenarios, based on said analysis of said encapsulated communication;
  
  wherein said CCN is configured to identify security threats to the privacy of said serviced subscribers and to the data stored on their UCD and determine said threats'"'"' category and probability, based on said analysis of encapsulated communication;
  
  wherein the said CCN is configured to respond to said security threats in real time or in near-real time and take active measures to avert the said suspected threats;
  
  wherein said active measures including at least one of;
  
  blocking or diverting communication, alerting serviced subscribers and/or system administrators, responding to system queries with altered data, and logging of suspicious events and scenarios;
  
  wherein application of said active measures depends on the category of identified security threat, the identified threat'"'"'s probability, and the serviced subscriber'"'"'s profile;
  
  wherein said CCN comprises at least one of;
  
  controlled module(s), configured to complement the functionality of respective elements of the hosting cellular PLMN;
  
  a security center module, configured to perform at least one of instantiation, configuration, monitoring, analysis and management of the functionality of each of said controlled modules; and
  
  an administrative module, configured to interface said security center module, and provide an administrator interface for at least one of;
  
  instantiating controlled modules of one or more CCNs;
  
  configuring said controlled modules of said one or more CCNs, to serve serviced subscribers of the hosting cellular PLMN;
  
  presenting alerts regarding the functionality of the CCN and events within the hosting cellular PLMN;
  
  extracting reports regarding the functionality of the CCN and events within the hosting cellular PLMN;
  
  wherein the said security center module comprises at least one of the following modules;
  
  a probe interface module, configured to probe each of the said controlled modules within the CCN, and accumulate data regarding transactions, events and scenarios occurring on the hosing PLMN and data regarding communication between elements of the CCN and the hosting PLMN;
  
  a data analysis module, configured to perform at least one of;
  
  obtaining the data accumulated by the said probe interface module;
  
  analyzing parameters and characteristics of said encapsulated communication in real time or in near-real time, including at least one of;
  
  time patterns, volumes, destination address, source address, content and context; and
  
  identifying statistic deviations exceeding predefined thresholds;
  
  analyzing accumulated historical data, pertaining to parameters and characteristics of said encapsulated communication;
  
  identifying the occurrence of predefined suspicious events and scenarios on the hosing PLMN based on said analysis;
  
  identifying security threats to the privacy of serviced subscribers and data stored on their UCD based on said analysis;
  
  emitting activity messages to other controlled modules of the CCN to avert the said identified security threats, and emitting alert messages to said administrative module and/or UCD to notify against said identified security threats;
  
  maintaining an events'"'"' database;
  
  a security action management module configured to perform at least one of;
  
  receiving activity messages from the data analysis module;
  
  obtaining parameters of served subscriber'"'"'s profile from a subscribers database;
  
  interfacing and commanding controlled modules within the CCN to carry out security actions that are required to avert the said identified security threat, according to the category of identified threat, the identified threat'"'"'s probability, and the serviced subscriber'"'"'s profile;
  
  a threats management module, configured to manage and maintain a database of the security threats encountered during the activity of the CCN;
  
  further comprising a UCD Lifeline Mobdule (ULM) embedded within said serviced subscribers'"'"' UCD, on which are stored modules of instruction code, which when executed by the ULM, configure the UCD to initiate lifeline communication to the security action management module or respond to lifeline communication from the security action management module;
  
  wherein;
  
  said security center module further comprises an identity mediation module, configured to dynamically alter the value of one or more serviced subscribers'"'"' UCD identity parameters, said identity parameters including at least one of IMSI, IMEI, IMEISV, MSISDN, Ki, Kc, TMSI, PTMSI, TLLI, ESN;
  
  said identity mediation module communicates the said alteration of identity parameter values through said Lifeline communication channel to the ULM on the serviced subscribers'"'"' UCD;
  
  said ULM module is configured to receive said required alteration of identity parameter values through said lifeline communication channel;
  
  said ULM module is configured to propagate required alteration of values of identity parameters stored on the Subscriber Identity Storage Element (SISE), to said SISE, said parameters including at least one of IMSI, Ki and Kc;
  
  said SISE is configured to apply said required alteration of values to identity parameter stored on the SISE, said parameters including at least one of IMSI, Ki and Kc;
  
  said ULM module is configured to apply changes to values of UCD identity parameter stored on the UCD; and
  
  said identity mediation module is configured to dynamically mediate between said altered UCD identity parameter values and the original UCD identity parameters, thus facilitating the routing of the UCD communication with the hosting PLMN or visited network using the altered identity parameters.

13. A method for providing security services, for securing the privacy of cellular network subscribers and the security of data stored on the said subscribers'"'"' User Cellular Devices (UCDs), said method implemented by one or more processors operatively coupled to a non-transitory computer readable storage device, on which are stored modules of instruction code that when executed cause the one or more processors to perform:
- interfacing a cellular Public Land Mobile Network (PLMN) hosting a plurality of cellular subscribers, with a Controlled Cellular Network (CCN);
  
  providing security services to “
  
  serviced subscribers”
  
  by said CCN;
  
  encapsulating communication between the UCDs of said serviced subscribers and hosting PLNM by said CCN, said communication including at least part of;
  
  control, signaling, SMS and data communications;
  
  monitoring and analyzing parameters and characteristics of said encapsulated communication in real time or in relation to historically acquired data by the CCN, said parameters and characteristics including at least one of;
  
  time patterns, volumes, destination address, source address, content and context;
  
  identifying by the CCN statistic deviations in said parameters and characteristics exceeding predefined thresholds, based on said analysis of said encapsulated communication-;
  
  identifying by the CCN occurrence of predefined suspicious events and scenarios, based on said analysis of said encapsulated communication;
  
  identifying by the CCN security threats to the privacy of said serviced subscribers, and to the data stored on their UCDs, and determining said threats'"'"' category and probability, based on said analysis of encapsulated communication;
  
  responding to said security threats in real time or in near-real time, and taking active measures to avert the said suspected threats, said active measures including at least one of;
  
  blocking or diverting communication, alerting serviced subscribers and/or system administrators, responding to system queries with altered data, and logging of suspicious events and scenarios;
  
  wherein application of said active measures depends on the category of identified threat, the identified threat'"'"'s probability, and the serviced subscriber'"'"'s profile;
  
  instantiating at least one controlled module, within the CCN, configured t complement the functionality of respective elements of the hosting cellular PLMN;
  
  configuring said controlled modules by a security center module;
  
  monitoring, analyzing and managing of the functionality of each of said controlled modules comprising the CCN by the said security center module;
  
  providing an administrative interface, by means of an administrative module operatively coupled to said security center module, enabling an administrator to;
  
  instantiate controlled modules of one or more CCNs;
  
  configure the components of one or more CCNs to serve serviced subscribers of the hosting cellular PLMN;
  
  present alerts regarding the functionality of the CCN and its components;
  
  present alerts regarding the occurrence of events and scenarios within the hosting cellular PLMN; and
  
  extract reports regarding the functionality of the CCN and events within the hosting cellular PLMN;
  
  probing each of the said controlled modules within the CCN, and accumulating data regarding transactions, events and scenarios occurring on the hosing PLMN and data regarding communication between elements of the CCN and the hosting PLMN by a probe interface module;
  
  propagating the data accumulated by the said probe interface module to a data analysis module;
  
  analyzing by the said data analysis module parameters and characteristics of said encapsulated communication in real time or in near-real time, said parameters including at least one of;
  
  time patterns, volumes, destination address, source address, content and context;
  
  analyzing statistic deviations in the values of said parameters and characteristics exceeding predefined thresholds by the said data analysis module;
  
  analyzing accumulated historical data, pertaining to said parameters and characteristics of said encapsulated communication by the said data analysis module;
  
  identifying the occurrence of predefined suspicious events and scenarios on the hosing PLMN based on said analysis by the data analysis module;
  
  identifying security threats to the privacy of serviced subscribers and data stored on their UCD based on said analysis by the data analysis module;
  
  emitting activity messages from the data analysis module to other controlled modules of the CCN to avert the said identified security threats, and/or emitting alert messages to said administrative module and/or UCD to notify against said identified security threats;
  
  maintaining an events'"'"' database, withholding important events and scenarios that occurred within the CCN and/or hosting PLMN;
  
  receiving activity messages from said data analysis module to a security action management module;
  
  obtaining parameters of served subscriber'"'"'s profile from a subscribers database;
  
  commanding controlled modules by the security action management module, to carry out security actions as dictated by said activity messages from said data analysis module, and avert said identified security threats, said security actions depending on;
  
  category of identified threat, the identified threat'"'"'s probability, and the serviced subscriber'"'"'s profile;
  
  maintaining a database of the security threats encountered during the activity of the CCN;
  
  initiating lifeline communication by said security action management module to the UCD, or responding to lifeline communication from the UCD by the security action management module;
  
  reporting failure of reception of lifeline communication on the security action management module side to the data analysis module as real-time indication of an attempt to hijack the UCD from the hosting PLMN; and
  
  invoking security actions by the UCD in response to failure of reception of lifeline communication on the ULM side, said actions including at least one of;
  
  alerting the user regarding said failure of lifeline reception and altering at least one of the UCD'"'"'s identity parameters.
- View Dependent Claims (14, 15, 16, 17, 18, 19, 20, 21)
- - 14. The method of claim 13, further providing serviced subscribers UCDs at least part of the following functionality by the CCN:
    - Mobility Management (MM) of the user;
      
      Short Message Services (SMS);
      
      Supplementary Services (SS);
      
      Intelligent Networks (IN) aspects;
      
      Handling of user data communication;
      
      Signaling of incoming calls and SMS;
      
      Incoming and outgoing USSD; and
      
      All CAMEL transactions.
  - 15. The method of claim 13, further comprising the steps of:
    - instantiating a controlled Home Location Register (HLR) module and/or controlled Home Subscriber Server (HSS) module, configured, monitored and controlled by the said security center module;
      
      maintaining by said controlled HLR and/or controlled HSS module a database upon which information pertaining to said serviced subscribers is kept;
      
      complementing the functionality of HLR (Home Location Register) and/or HSS (Home Subscriber Server) modules of the hosting cellular PLMN system from within the CCN, respectively by said controlled HLR and/or controlled HSS module;
      
      providing data to the security center module regarding system access to the HSS/HLR databases, ATI queries and SRI queries by said controlled HLR and/or controlled HSS module; and
      
      acting upon commands from the security center module by said controlled HLR and/or controlled HSS module, by performing at least one of;
      
      applying changes to the CCN'"'"'s HSS and HLR databases;
      
      blocking incoming messages and voice calls; and
      
      providing altered responses to Any Time Interrogation (ATI) and Send Routing Information (SRI) system queries.
  - 16. The method of claim 13, further comprising the steps of:
    - instantiating a controlled Gateway Mobile Switching Center (GMSC) module, and/or controlled Mobility Management Entity module (MME) module, configured, monitored and controlled by the said security center module;
      
      complementing the functionality of GMSC and/or MME modules of the hosting cellular PLMN from within the CCN, respectively by said controlled GSMC module and/or controlled MME module;
      
      routing cellular calls between serviced subscribers of the CCN and the hosting PLMN by said controlled GSMC module and/or controlled MME module;
      
      providing data to the security center module regarding hosting PLMN control messages by said controlled GSMC module and/or controlled MME module; and
      
      blocking suspicious voice-call related messages by said controlled GSMC module and/or controlled MME module, upon commands from the security center module.
  - 17. The method of claim 13, further comprising the steps of:
    - instantiating a controlled Gateway GPRS Support Node (GGSN) module and/or controlled Packet Data Network Gateway (PGW) module, configured, monitored and controlled by the said security center module;
      
      complementing the functionality of GGSN and/or PGW modules of the hosting cellular PLMN system from within the CCN (100), respectively by the said controlled GGSN module and/or controlled PGW module;
      
      routing packet switched data between the CCN and external packet switched networks, including at least one of the Internet, IoT (Internet of Things) devices M2M (Machine to Machine) networks and connected cars data networks by the said controlled GGSN module and/or controlled PGW module;
      
      providing data to the security center module regarding switched data packets transactions over the PLMN by the said controlled GGSN module and/or controlled PGW module; and
      
      acting upon commands from the security center module by the said controlled GGSN module and/or controlled PGW module, by performing at least one of;
      
      blocking the download of suspicious data;
      
      blocking the upload of data stored on the UCD, or originated from the UCD, the UCD camera and the UCD microphone; and
      
      executing an end-point verification (‘
      
      whois’
      
      ) network command.
  - 18. The method of claim 13, further comprising the steps of:
    - instantiating a controlled Short Messaging Service Center (SMSC) module, configured, monitored and controlled by the said security center module;
      
      complementing the functionality of the SMSC of the hosting cellular PLMN system from within the CCN (100) by the said controlled SMSC module;
      
      routing Short Messages (SMS, EMS, MMS, USSD) between the CCN and the hosting PLMN by the said controlled SMSC module;
      
      providing data to the security center module regarding Short Messaging (SMS, EMS, MMS, USSD) control and data messages over the PLMN by the said controlled SMSC module; and
      
      blocking or manipulating suspicious SMS, EMS, MMS and USSD communication transactions by the said controlled SMSC module, upon commands from the security center module.
  - 19. The method of claim 13, wherein at least one component of the CCN is implemented as a service, and executed on the same physical machines as the home PLMN or hosting PLMN hardware components.
  - 20. The method of claim 13, further comprising the steps of:
    - monitoring of incoming and outgoing communication pertaining to specific mobile applications executing on the UCD by the data analysis module;
      
      detecting deviations within predefined threshold in said communication from expected communication patterns of said specific mobile applications, by the data analysis module, wherein said communication patterns include at least one of;
      
      source address, destination address, communication volume, communication patterns and communication timing; and
      
      analyzing said detected deviations to identify illegitimate activity of mobile applications.
  - 21. The method of claim 13, further comprising the step of configuring the UCD Lifeline Module (ULM) embedded within said serviced subscribers'"'"' UCD to initiate lifeline communication to the security action management module or respond to lifeline communication from the security action management module.

22. A method for providing security services, for securing the privacy of cellular network subscribers and the security of data stored on the said subscribers'"'"' User Cellular Devices (UCDs), said method implemented by one or more processors operatively coupled to a non-transitory computer readable storage device, on which are stored modules of instruction code that when executed cause the one or more processors to perform:
- interfacing a cellular Public Land Mobile Network (PLMN) hosting a plurality of cellular subscribers, with a Controlled Cellular Network (CCN);
  
  providing security services to “
  
  serviced subscribers”
  
  by said CCN;
  
  encapsulating communication between the UCDs of said serviced subscribers and hosting PLMN by said CCN, said communication including at least part of;
  
  control, signaling, SMS and data communications;
  
  monitoring and analyzing parameters and characteristics of said encapsulated communication in real time or in relation to historically acquired data by the CCN, said parameters and characteristics including at least one of;
  
  time patterns, volumes, destination address, source address, content and context;
  
  identifying by the CCN statistic deviations in said parameters and characteristics exceeding predefined thresholds, based on said analysis of said encapsulated communication;
  
  identifying by the CCN occurrence of predefined suspicious events and scenarios, based on said analysis of said encapsulated communication;
  
  identifying by the CCN security threats to the privacy of said serviced subscribers, and to the data stored on their UCDs, and determining said threats'"'"' category and probability, based on said analysis of encapsulated communication;
  
  responding to said security threats in real time or in near-real time, and taking active measures to avert the said suspected threats, said active measures including at least one of;
  
  blocking or diverting communication, alerting serviced subscribers and/or system administrators, responding to system queries with altered data, and logging of suspicious events and scenarios;
  
  wherein application of said active measures depends on the category of identified threat, the identified threats probability, and the serviced subscriber'"'"'s profile;
  
  instantiating at least one controlled module, within the CCN, configured to complement the functionality of respective elements of the hosting cellular PLMN;
  
  configuring said controlled modules by a security center module;
  
  monitoring, analyzing and managing of the functionality of each of said controlled modules comprising the CCN by the said security center module;
  
  providing an administrative interface, by means of an administrative module operatively coupled to said security center module, enabling an administrator to;
  
  instantiate controlled modules of one or more CCNs;
  
  configure the components of one or more CCNs to serve serviced subscribers of the hosting cellular PLMN;
  
  present alerts regarding the functionality of the CCN and its components;
  
  present alerts regarding the occurrence of events and scenarios within the hosting cellular PLMN; and
  
  extract reports regarding the functionality of the CCN and events within the hosting cellular PLMN;
  
  probing each of the said controlled modules within the CCN, and accumulating data regarding transactions, events and scenarios occurring on the hosing PLMN and data regarding communication between elements of the CCN and the hosting PLMN by a probe interface module;
  
  propagating the data accumulated by the said probe interface module to a data analysis module;
  
  analyzing by the said data analysis module parameters and characteristics of said encapsulated communication in real time or in near-real time, said parameters including at least one of;
  
  time patterns, volumes, destination address, source address, content and context;
  
  analyzing statistic deviations in the values of said parameters and characteristics exceeding predefined thresholds by the said data analysis module;
  
  analyzing accumulated historical data, pertaining to said parameters and characteristics of said encapsulated communication by the said data analysis module;
  
  identifying the occurrence of predefined suspicious events and scenarios on the hosing PLMN based on said analysis by the data analysis module;
  
  identifying security threats to the privacy of serviced subscribers and data stored on their UCD based on said analysis by the data analysis module;
  
  emitting activity messages from the data analysis module to other controlled modules of the CCN to avert the said identified security threats, and/or emitting alert messages to said administrative module and/or UCD to notify against said identified security threats;
  
  maintaining an events'"'"' database, withholding important events and scenarios that occurred within the CCN and/or hosting PLMN;
  
  receiving activity messages from said data analysis module to a security action management module;
  
  obtaining parameters of served subscriber'"'"'s profile from a subscribers database;
  
  commanding controlled modules by the security action management module, to carry out security actions as dictated by said activity messages from said data analysis module, and avert said identified security threats, said security actions depending on;
  
  category of identified threat, the identified threat'"'"'s probability, and the serviced subscriber'"'"'s profile;
  
  maintaining a database of the security threats encountered during the activity of the CCN;
  
  sending to the said security action management module real-time information by the ULM, regarding the status and whereabouts of the UCD through the lifeline communication channel, said information including at least one of;
  
  properties of the hosting PLMN, events of IRAT handover during voice calls, and events of BTS handover during voice calls;
  
  propagating said real-time information from the security action management module to the data analysis module; and
  
  analyzing said information by the data analysis module, and identifying at least one of following suspicious events and scenarios;
  
  illegitimate IRAT handover;
  
  illegitimate BTS handover;
  
  hijacking attempts of the UCD from its home PLMN or visited PLMN to other networks; and
  
  illegitimate altering of UCD communication encryption properties.

23. A method for providing security services, for securing the privacy of cellular network subscribers and the security of data stored on the said subscribers'"'"' User Cellular Devices (UCDs), said method implemented by one or more processors operatively coupled to a non-transitory computer readable storage device, on which are stored modules of instruction code that when executed cause the one or more processors to perform:
- interfacing a cellular Public Land Mobile Network (PLMN) hosting a plurality of cellular subscribers, with a Controlled Cellular Network (CCN);
  
  providing security services to “
  
  serviced subscribers”
  
  by said CCN;
  
  encapsulating communication between the UCDs of said serviced subscribers and hosting PLMN by said CCN, said communication including at least part of;
  
  control, signaling, SMS and data communications;
  
  monitoring and analyzing parameters and characteristics of said encapsulated communication in real time or in relation to historically acquired data by the CCN, said parameters and characteristics including at least one of;
  
  time patterns, volumes, destination address, source address, content and context;
  
  identifying by the CCN statistic deviations in said parameters and characteristics exceeding predefined thresholds, based on said analysis of said encapsulated communication;
  
  identifying by the CCN occurrence of predefined suspicious events and scenarios, based on said analysis of said encapsulated communication;
  
  identifying by the CCN security threats to the privacy of said serviced subscribers, and to the data stored on their UCDs, and determining said threats'"'"' category and probability, based on said analysis of encapsulated communication;
  
  responding to said security threats in real time or in near-real time, and taking active measures to avert the said suspected threats, said active measures including at least one of;
  
  blocking or diverting communication, alerting serviced subscribers and/or system administrators, responding to system queries with altered data, and logging of suspicious events and scenarios;
  
  wherein application of said active measures depends on the category of identified threat, the identified threat'"'"'s probability, and the serviced subscriber'"'"'s profile;
  
  instantiating at least one controlled module, within the CCN, configured to complement the functionality of respective elements of the hosting cellular PLMN;
  
  configuring said controlled modules by a security center module;
  
  monitoring, analyzing and managing of the functionality of each of said controlled modules comprising the CCN by the said security center module;
  
  providing an administrative interface, by means of an administrative module operatively coupled to said security center module, enabling an administrator to;
  
  instantiate controlled modules of one or more CCNs;
  
  configure the components of one or more CCNs to serve serviced subscribers of the hosting cellular PLMN;
  
  present alerts regarding the functionality of the CCN and its components;
  
  present alerts regarding the occurrence of events and scenarios within the hosting cellular PLMN; and
  
  extract reports regarding the functionality of the CCN and events within the hosting cellular PLMN;
  
  probing each of the said controlled modules within the CCN, and accumulating data regarding transactions, events and scenarios occurring on the hosing PLMN and data regarding communication between elements of the CCN and the hosting PLMN by a probe interface module;
  
  propagating the data accumulated by the said probe interface module to a data analysis module;
  
  analyzing by the said data analysis module parameters and characteristics of said encapsulated communication in real time or in near-real time, said parameters including at least one of;
  
  time patterns, volumes, destination address, source address, content and context;
  
  analyzing statistic deviations in the values of said parameters and characteristics exceeding predefined thresholds by the said data analysis module;
  
  analyzing accumulated historical data, pertaining to said parameters and characteristics of said encapsulated communication by the said data analysis module;
  
  identifying the occurrence of predefined suspicious events and scenarios on the hosing PLMN based on said analysis by the data analysis module;
  
  identifying security threats to the privacy of serviced subscribers and data stored on their UCD based on said analysis by the data analysis module;
  
  emitting activity messages from the data analysis module to other controlled modules of the CCN to avert the said identified security threats, and/or emitting alert messages to said administrative module and/or UCD to notify against said identified security threats;
  
  maintaining an events'"'"' database, withholding important events and scenarios that occurred within the CCN and/or hosting PLMN;
  
  receiving activity messages from said data analysis module to a security action management module;
  
  obtaining parameters of served subscriber'"'"'s profile from a subscribers database;
  
  commanding controlled modules by the security action management module, to carry out security actions as dictated by said activity messages from said data analysis module, and avert said identified security threats, said security actions depending on;
  
  category of identified threat, the identified threat'"'"'s probability, and the serviced subscriber'"'"'s profile;
  
  maintaining a database of the security threats encountered during the activity of the CCN;
  
  dynamically altering the value of one or more serviced subscribers'"'"' UCD identity parameters by an identity mediation module, said identity parameters including at least one of IMSI, IMEI, IMEISV, MSISDN, Ki, Kc, TMSI, PTMSI, TLLI, ESN;
  
  communicating said alteration of identity parameter values from the identity mediation module (1700) to the ULM on the serviced subscribers'"'"' UCD through said Lifeline communication channel;
  
  receiving said required alteration of identity parameter values by said ULM module through said lifeline communication channel;
  
  propagating the required alteration of values of identity parameters stored on the Subscriber Identity Storage Element (SISE), to said SISE, said parameters including at least one of IMSI, Ki and Kc;
  
  applying by said SISE the said required alteration of values of serviced subscribers'"'"' UCD identity parameters stored on the SISE, said parameters including at least one of IMSI, Ki and Kc;
  
  applying by said ULM required changes to values of UCD identity parameters stored on the UCD; and
  
  dynamically mediating between said altered UCD identity parameter values and the original UCD identity parameters by said identity mediation module, thus facilitating the routing of the UCD communication with the hosting PLMN or visited network using the altered identity parameters.
- View Dependent Claims (24, 25)
- - 24. The method of claim 23, further comprising the step of invoking said alteration of one or more UCD identity parameter values according to at least one of the following configurations:
    - according to a time based trigger;
      
      locally on the UCD, according to any logic preconfigured on the ULM or SISE;
      
      locally by the ULM or SISE, in response to a failure to receive Lifeline communication;
      
      remotely, according to any logic preconfigured on the identity mediation module;
      
      remotely by the identity mediation module, in response to failure to receive Lifeline communication;
      
      remotely by the identity mediation module, in response to an event on the hosting PLMN;
      
      remotely by the identity mediation module, in response to an activity message from the data analysis module, following an identified suspected threat, including IMSI catcher and Man-in-the-Middle (MitM) attacks;
      
      orany combination of the above.
  - 25. The method of claim 23, further comprising the steps of:
    - configuring the serviced subscribers'"'"' ULMs to possess a set of fallback identity parameter values; and
      
      upon the event of a lifeline communication failure between the security action module and the ULM of a serviced subscriber'"'"'s UCD, the ULM will invoke alteration of UCD identity parameter values to said set of fallback values;
      
      reverting to using said set of fallback identity parameter values by the UCD, thus re-introduced the UCD to the CCN, bearing the said fallback UCD identity parameter values;
      
      optionally invoking a UCD restart by the ULM, in cases that require such a restart order to ensure the enforcement of said alteration of identity parameter values on the UCD.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
FirstPoint Mobile Guard Ltd.
Original Assignee
FirstPoint Mobile Guard Ltd.
Inventors
Weinberg, Adam, Fixler, Dror, Krauz, Achiel
Primary Examiner(s)
Eng, George
Assistant Examiner(s)
Du, Hung K

Application Number

US15/591,717
Publication Number

US 20170332232A1
Time in Patent Office

783 Days
Field of Search
US Class Current
CPC Class Codes

H04L 63/1441   Countermeasures against mal...

H04L 63/1466   Active attacks involving in...

H04W 12/02   Protecting privacy or anony...

H04W 12/12   Detection or prevention of ...

H04W 4/14   Short messaging services, e...

H04W 84/042   Public Land Mobile systems,...

Y04S 40/20   Information technology spec...

System and method for securing communication and information of mobile devices through a controlled cellular communication network

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

Citations

25 Claims

Specification

Solutions

Use Cases

Quick Links

System and method for securing communication and information of mobile devices through a controlled cellular communication network

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

25 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links