Statistical system and method for catching a man-in-the-middle attack in 3G networks

US 9,628,994 B1
Filed: 12/30/2015
Issued: 04/18/2017
Est. Priority Date: 12/30/2015
Status: Expired due to Fees

First Claim

Patent Images

1. A method to detect a fake base station in a 3G cellular network, the 3G cellular network primarily providing 3G coverage and also providing 2G coverage when the 3G coverage is unavailable, the method comprising the steps of:

maintaining a database comprising data collected in real-time from the 3G cellular network, said database storing a 3G subscribers list and a 2G cells white list;

maintaining for a cell c;

(a) a first counter L of 2G calls made by 3G users in the 3G subscribers list in cell c over a pre-determined period of time, and (b) a second counter Lt of all 2G calls made over the pre-determined period of time to include multiple calls made by the same user, and comparing a function of L and Lt against a pre-determined threshold and determining when cell c is a 2G cell and placing cell c into the 2G cells white list, wherein 3G and 2G call volumes in the cell is used to determine when the cell is a 2G cell providing the 2G coverage or a 3G cell providing the 3G coverage, with determined 2G cells being placed in the 2G cells white list;

detecting a 3G subscriber in the 3G subscribers list in the database that is forced to make a 2G call in a 2G cell that is not in the 2G cells white list in the database; and

outputting a warning identifying the 3G subscriber as a victim of man-in-the-middle attack.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A novel method and system is introduced leveraging the data collected by a network probe to enhance cellular network capabilities to detect a man in the middle attack without using any software on the 3G mobile terminal. The new capabilities compile and process the data of call records collected from SS7 and location update messages in real time to determine the active 3G subscribers and to tag cells as 2G within a 3G coverage area to instantly identify an unknown cell generated by a fake base station. The system also has a component to notify authorities or to terminate the call once the fraud is identified.

27 Citations

View as Search Results

16 Claims

1. A method to detect a fake base station in a 3G cellular network, the 3G cellular network primarily providing 3G coverage and also providing 2G coverage when the 3G coverage is unavailable, the method comprising the steps of:
- maintaining a database comprising data collected in real-time from the 3G cellular network, said database storing a 3G subscribers list and a 2G cells white list;
  
  maintaining for a cell c;
  
  (a) a first counter L of 2G calls made by 3G users in the 3G subscribers list in cell c over a pre-determined period of time, and (b) a second counter Lt of all 2G calls made over the pre-determined period of time to include multiple calls made by the same user, and comparing a function of L and Lt against a pre-determined threshold and determining when cell c is a 2G cell and placing cell c into the 2G cells white list, wherein 3G and 2G call volumes in the cell is used to determine when the cell is a 2G cell providing the 2G coverage or a 3G cell providing the 3G coverage, with determined 2G cells being placed in the 2G cells white list;
  
  detecting a 3G subscriber in the 3G subscribers list in the database that is forced to make a 2G call in a 2G cell that is not in the 2G cells white list in the database; and
  
  outputting a warning identifying the 3G subscriber as a victim of man-in-the-middle attack.
- View Dependent Claims (2, 3, 4, 5, 6, 7)
- - 2. The method of claim 1, wherein the function is L/Lt and the pre-determined threshold is 1.
  - 3. The method of claim 1, wherein the data collected is based on passively monitoring Key Performance Indicators (KPIs) from an A-interface and a lu-CS interface.
  - 4. The method of claim 3, wherein a network probe is used in the passive monitoring.
  - 5. The method of claim 1, wherein the data collected is call signaling data or location update data.
  - 6. The method of claim 1, wherein the 2G cells white list stores, for each stored 2G cell, a cell-ID and a Location Area Code (LAC).
  - 7. The method of claim 1, wherein the database is kept current by periodic or continuous updates of both the 3G subscribers list and the 2G cells white list.

8. A system to detect a fake base station in a 3G cellular network, the 3G cellular network primarily providing 3G coverage and also providing 2G coverage when the 3G coverage is unavailable, the system comprising:
- a database configured to store signaling data or location update data collected in real-time from the 3G cellular network, said database storing a 3G subscribers list and a 2G cells white list; and
  
  an analyzer configured to analyze stored data and detecting a 3G subscriber in the 3G subscribers list in the database that is forced to make a 2G call in a 2G cell that is not in the 2G cells white list in the database; and
  
  outputting a notification identifying the 3G subscriber as a victim of man-in-the-middle attack,wherein the analyzer maintains for a cell c;
  
  (a) a first counter L of 2G calls made by 3G users in the 3G subscribers list in cell c over a pre-determined period of time, and (b) a second counter Lt of all 2G calls made over the pre-determined period of time to include multiple calls made by the same user, and where the analyzer compares a function of L and Lt against a pre-determined threshold to determine when cell c is a 2G cell and placing cell c into the 2G cells white list, andwherein 3G and 2G call volumes in the cell is used to determine when the cell is a 2G cell providing the 2G coverage or a 3G cell providing the 3G coverage, with determined 2G cells being placed in the 2G cells white list.
- View Dependent Claims (9, 10, 11, 12, 13, 14, 15)
- - 9. The system of claim 8, wherein the function is L/Lt and the pre-determined threshold is 1.
  - 10. The system of claim 8, wherein the data collected is based on passively monitoring Key Performance Indicators (KPIs) from an A-interface and a lu-CS interface.
  - 11. The system of claim 10, wherein a network probe is used in the passive monitoring.
  - 12. The system of claim 8, wherein the 2G cells white list stores, for each stored 2G cell, a cell-ID and a Location Area Code (LAC).
  - 13. The system of claim 8, wherein the database is kept current by periodic or continuous updates of both the 3G subscribers list and the 2G cells white list.
  - 14. The system of claim 8, wherein the system further comprises a detector to determine if the attack is performed towards a user that is in a critical user list.
  - 15. The system of claim 8, wherein the notification is any of the following:
    - a SNMP trap, a web services notification or an SMS.

16. An article of manufacture having non-transitory computer readable storage medium having instructions executable by a processor to implement a method to detect a fake base station in a 3G cellular network, the 3G cellular network primarily providing 3G coverage and also providing 2G coverage when the 3G coverage is unavailable, the method implemented by a processor comprising:
- maintaining a database comprising data collected in real-time from the 3G cellular network, said database storing a 3G subscribers list and a 2G cells white list;
  
  maintaining for a cell c;
  
  (a) a first counter L of 2G calls made by 3G users in the 3G subscribers list in cell c over a pre-determined period of time, and (b) a second counter Lt of all 2G calls made over the pre-determined period of time to include multiple calls made by the same user, and comparing a function of L and Lt against a pre-determined threshold and determining when cell c is a 2G cell and placing cell c into the 2G cells white list, wherein 3G and 2G call volumes in the cell is used to determine when the cell is a 2G cell providing the 2G coverage or a 3G cell providing the 3G coverage, with determined 2G cells being placed in the 2G cells white list;
  
  detecting a 3G subscriber in the 3G subscribers list in the database that is forced to make a 2G call in a 2G cell that is not in the 2G cells white list in the database;
  
  outputting a warning identifying the 3G subscriber as a victim of man-in-the-middle attack, andwherein 3G and 2G call volumes in a specific cell within the 3G cellular network is used to determine when the specific cell is a 2G cell providing the 2G coverage or a 3G cell providing the 3G coverage, with determined 2G cells being placed in the 2G cells white list as follows;
  
  maintaining for a cell c;
  
  (a) a first counter L of 2G calls made by 3G users in the 3G subscribers list in cell c over a pre-determined period of time, and (b) a second counter Lt of all 2G calls made over the pre-determined period of time to include multiple calls made by the same user; and
  
  comparing a function of L and Lt against a pre-determined threshold and determining when cell c is a 2G cell, and when so, placing cell c into the 2G cells white list.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Argela Yazilim Ve Bilisim Teknolojileri San. Ve Tic A.S.
Original Assignee
Argela Yazilim Ve Bilisim Teknolojileri San. Ve Tic A.S.
Inventors
Gunyel, Mahir, Koyuncu, Onur, Bayraktar, Ismail, Gorkemli, Burak
Primary Examiner(s)
Ajayi, Joel

Application Number

US14/984,911
Time in Patent Office

475 Days
Field of Search

455410, 455436-448
US Class Current
CPC Class Codes

H04W 12/122   Counter-measures against at...

H04W 24/08   Testing, supervising or mon...

H04W 64/00   Locating users or terminals...

H04W 68/12   Inter-network notification

H04W 88/08   Access point devices

Statistical system and method for catching a man-in-the-middle attack in 3G networks

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

27 Citations

16 Claims

Specification

Solutions

Use Cases

Quick Links

Statistical system and method for catching a man-in-the-middle attack in 3G networks

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

27 Citations

16 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links