
Telecommun Syst (2007) 35: 99–122. DOI 10.1007/s11235-007-9046-0

Dependency relation based vulnerability analysis of 3G networks: Can it identify unforeseen cascading attacks?

Kameswari Kotapati · Peng Liu · Thomas F. La Porta

Published online: 21 September 2007. © Springer Science+Business Media, LLC 2007

Abstract Cascading attacks pose a new threat to the third generation (3G) wireless telecommunications network. These attacks are dangerous and difficult to detect due to their remote far-reaching effects. To automate the accurate detection of these attacks and their remote effects, we developed a telecommunication specification based toolkit called the Advanced Cellular Network Vulnerability Assessment Toolkit—aCAT. aCAT is unique due to the incorporation of a 3G network specific dependency model, infection propagation rules, as well as expert knowledge. These features allow aCAT to accurately and exhaustively identify cascading attacks and their remote effects. aCAT illustrates the types of cascading attacks that may be derived from the specifications, and showcases its utility in uncovering these attacks.

Keywords Mobile telecommunication networks · 3G networks · Vulnerability assessment · Cascading attacks · Dependency model · Infection propagation rules

K. Kotapati (✉) · P. Liu · T.F. La Porta
The Pennsylvania State University, University Park, PA 16802, USA
e-mail: [email protected]

P. Liu
e-mail: [email protected]

T.F. La Porta
e-mail: [email protected]

1 Introduction

Anytime anywhere accessibility, seamless roaming, inexpensive handsets with sophisticated applications, and Internet connectivity are only a few of the myriad reasons that have made the 3G network an indispensable part of the daily lives of millions of people. The huge success and popularity of these networks may be attributed not only to their support for everyday communication but also to the many life and mission critical services, such as E-911, supported by the 3G network. Accordingly, from the security point of view, 3G networks are extremely attractive targets to the adversary.

3G networks are attractive to adversaries not only due to their large subscriber base (which the adversary could target in an attack) but also because of their highly vulnerable nature, which makes it easy for the adversary to launch an attack. There are two main reasons that account for the highly vulnerable nature of the 3G network. First, 3G networks were built for performance and service; security was added on as and when required. To this day there are many vulnerabilities that could be effortlessly exploited to cause havoc on infrastructure and services. Second, connectivity has been introduced between the 3G network and the Internet. This connectivity imports not only the high speed capabilities of the Internet but also its inherent vulnerabilities, thereby making possible cross infrastructure cyber attacks—a new breed of attacks, where attacks against the 3G network may be launched from the Internet.

Although the vulnerabilities in the 3G network are innumerable, existing vulnerability assessment solutions for the 3G network are very limited in number. Although many 3G attack scenarios have been identified (e.g., in [1, 2, 5, 11, 14, 16, 17, 22, 23, 25, 26]) and a few 3G threat taxonomies have been proposed (e.g., in [21, 26, 41]), prior research has not developed any systematic methodology for automatic vulnerability assessment of 3G networks.

As a result, 3G network designers, developers, vendors, and operators are still unaware of many vulnerabilities. Attacks enabled by exploiting these vulnerabilities are unforeseen, hence undetected, and can have many far-reaching effects which can be very destructive. Such attacks may also be launched in a subtle manner (for example, disgruntled employees surreptitiously corrupting key data items by exploiting unknown vulnerabilities), thereby making them doubly difficult to detect and hence doubly destructive. These unexpected subtle attacks with far reaching effects may not be identified by either existing vulnerability assessment tools or 3G engineers and operators until they cause some serious effects.

An illustration of such a subtle attack with far reaching effects is the alerting attack (presented in Sect. 2.2). This attack allows an adversary (e.g., a terrorist) to prevent a police officer (or an emergency health care provider) from receiving an E-911 call in a subtle and undetected manner. Adversaries may use a simple and trivial action such as corrupting a single data item in a location distant from the police officer or emergency health care provider. This subtle and simple act of corrupting a data item leads to corruption of other data items, resulting in a remote effect on legitimate subscribers such as preventing a police officer from receiving an emergency call. We refer to attacks such as the alerting attack as cascading attacks. Cascading attacks are so named because local effects of corrupt data items propagate or cascade to data items on remote service nodes through vehicles such as signaling messages, cached data items, and shared databases.

To detect such subtle cascading attacks and expose vulnerabilities, we developed aCAT (Advanced Cellular network vulnerability Assessment Toolkit), a novel 3G network vulnerability assessment toolkit. To our best knowledge, aCAT is the first toolkit that can automatically identify subtle cascading attacks using a systematic method (note that CAT [20] is a very preliminary version of aCAT).

aCAT incorporates a unique network dependency model, infection propagation rules, and a small amount of expert knowledge to expose subtle cascading attacks. aCAT detects these attacks based on user input, which consists of 3G data item(s) that are either directly corrupted by the adversary (called seeds) or the ultimate data item(s) corrupted due to the cascading effect in a remote location (called goals), and system input that comprises telecommunication specifications.

Telecommunication specifications are defined by the Third Generation Partnership Project (3GPP) and are available at no charge at [6]. These specifications detail the functional behavior and not the implementation structure of the 3G networks. Also, they are written using simple flow-like diagrams called the Specification and Description Language (SDL) [15]. Henceforth we will refer to these specifications as SDL specifications. Equipment and service providers use these SDL specifications as the basis of their service implementations. These specifications may also be used by adversaries (possibly disgruntled employees) to develop debilitating attacks.

When aCAT identifies a subtle and unforeseen cascading attack, it portrays the attack, including its origins and remote cascading effects, in a user friendly attack graph format. Attack graphs illustrate ways in which an attack may be launched, thereby exposing all vulnerabilities. This allows network designers to determine vulnerable points in the network that need protection.

We have used aCAT to assess vulnerabilities in several key services offered by the 3G networks, and found that aCAT can identify interesting and unforeseen cascading attacks that are subtle and difficult to detect by other means. These newly identified cascading attacks include the Alerting Attack, Power-off Power-on Attack, Mixed Identity Attack, Call Redirection Attack, and Missed Calls Attack.

aCAT is the first step in conducting automatic and systematic 3G network vulnerability assessment. The merits of aCAT are summarized as follows.

• aCAT is the first tool that can identify unforeseen cascading attacks.

• aCAT is automatic, i.e., given the required input, the vulnerability assessment process does not require any human intervention.

• aCAT uses the standard specifications provided by the 3GPP as the primary input. As a result, aCAT is agnostic to specific 3G network implementations or physical configurations, its method is practical, and it has universal applicability.

• Using specifications and a comprehensive 3G network dependency model, aCAT can perform vulnerability assessment in a systematic manner.

• aCAT performs fine-grained vulnerability assessment at the message level, the process level, and the data item level.

The rest of the paper is organized as follows. In Sect. 2, we give an overview of the problem and our solution. In Sect. 3, we detail our attack graph and its features, and in Sect. 4, we present the aCAT models. In Sect. 5, we detail our algorithms, and in Sect. 6, we present some interesting attacks detected by aCAT. In Sect. 7, we present the results from experiments conducted on aCAT, and in Sect. 8, we present some observations on our experiments. In Sect. 9, we discuss the related work, and conclude in Sect. 10.

2 Overview

In this section, we present an overview of the 3G network, the cascading attack, and the method used to identify these attacks.


2.1 Call delivery service in 3G networks

In this section, we use the call delivery service to illustrate some core components (or building blocks) of 3G networks. The call delivery service is a basic 3G service. It is used to deliver incoming calls to any subscriber with a 3G enabled mobile device regardless of their location. Although aCAT is a generic tool applicable to all 3G services, throughout the paper we will continue to refer to this service as the primary attack target to keep our presentation self-contained.

3G networks provide service by the exchange of signaling messages among their various servers, called service nodes. As shown in Fig. 2, the service nodes in the circuit switched domain of the 3G network are the Home Location Register (HLR), the Visitor Location Register (VLR), the Mobile Switching Center (MSC) and the Gateway Mobile Switching Center (GMSC). 3G services are provided across interconnected networks, where each network covers a fixed geographical area (illustrated in Fig. 2). Accordingly, every subscriber is assigned a home network from where they may roam to other visiting networks.

Fig. 1 Call delivery service

The home network stores the profile and current location (pointer to VLR) of all subscribers assigned to it, in the HLR. In addition, each network administrative area is assigned a VLR. The VLR stores temporary data of subscribers currently roaming in its assigned area; this subscriber data is received from the HLR of the subscriber. Every VLR is typically assigned an MSC that acts as an interface between the radio system and the fixed network, and handles circuit switched services for subscribers currently roaming in its area.

When a subscriber makes a call, the call (signaling message IAM) is sent to the nearest GMSC, which is in charge of routing calls and passing voice traffic between disparate networks (refer to Fig. 1). Each signaling message contains data items used to invoke functions at the destination service nodes. For example, the IAM signaling message contains the data item called number. This data item is used to invoke the function that finds the assigned HLR (home network) of the called party, at the GMSC. The GMSC uses the address of the HLR to inform it of the incoming call using the signaling message SRI. The SRI message contains data items such as the called number and the alerting pattern. The alerting pattern denotes the pattern (PACKET SWITCHED DATA, SHORT MESSAGE SERVICE or CIRCUIT SWITCHED CALL) that is used to alert the called mobile subscriber.

As the HLR is aware of the location of the called subscriber, it requests call routing information (called roaming number) from the VLR that is in charge of the area where the subscriber is currently roaming, using the message PRN. The HLR then downloads the incoming call profile of the subscriber (including alerting pattern) to the VLR. The VLR assigns a roaming number for routing the call and passes it on to the HLR (message PRN_ACK), which forwards it to the GMSC (message SRI_ACK). The GMSC uses this roaming number to route the incoming call (message IAM) to the MSC where the subscriber is currently roaming. This MSC requests the incoming call profile for the called subscriber (message SIFIC) from the VLR and receives the profile (including alerting pattern) in the Page MS message. The MSC uses the alerting pattern in the incoming call profile to determine the page type, which is the manner in which to alert (message Page) the mobile station. Thus subscribers receive incoming calls irrespective of their locations in the network.

Fig. 2 Alerting attack

2.2 Example: Cascading attack

In this section, we present a cascading attack called the Alerting Attack, on the call delivery service discussed in the previous section. This attack was discovered by aCAT using only the SDL specifications. This attack highlights the fact that an adversary with access to the SDL specifications can devise cascading attacks without much effort.

In this attack, the adversary targets the data item alerting pattern in the SRI signaling message generated by the GMSC. According to the specifications, the alerting pattern may take the values PACKET SWITCHED DATA, SHORT MESSAGE SERVICE, or CIRCUIT SWITCHED CALL. Here, the adversary switches the value of alerting pattern from the required value of CIRCUIT SWITCHED CALL to SHORT MESSAGE SERVICE. Since the alerting pattern is corrupted at the time of assignment and the corrupt value is a system acceptable value, albeit an incorrect one, the corruption not only remains undetected but also propagates to remote areas of the network.

The corrupt alerting pattern in the SRI message is passed on to the HLR. The PRN signaling message sent by the HLR to the VLR contains the corrupt alerting pattern. The VLR uses the corrupt alerting pattern to compute page type. Page type is assigned a value corresponding to the value of alerting pattern. If the value of alerting pattern is SHORT MESSAGE SERVICE, then page type is assigned the value SMS. As the alerting pattern has an incorrect value, the page type is automatically assigned a value corresponding to the incorrect value and is thereby automatically corrupt. This happens automatically due to normal network operation and without any adversary intervention.

The VLR outputs message Page MS to the MSC with the corrupt data item page type. The MSC outputs the signaling message Page to the base station (BSS) with the corrupt page type, which is then broadcast in the Page MS message. If page type is incompatible with the type of call (PACKET, CIRCUIT SWITCHED, etc.) expected by the mobile device, the call session may not be received. This attack illustrates how corruption of a single data item at a single network location (such as the GMSC) results in propagation of corruption across the network (such as to the BSS), through other corrupt data items, due to normal network operation.

Thus data corruption in a 3G network has many indirect and remote far reaching cascading effects due to normal network operation. Cascading effects result in what is called the chaining phenomenon of cascading effects. A chain is a sequence of k corrupt data items (also called chain items). The first chain item is called the seed (data directly corrupted by the adversary), the second chain item is derived from the first chain item, and so on. The final chain item is called the goal because it directly serves the adversary's intent. In the case of the alerting attack, the seed is the alerting pattern and the goal is the page type.

The goal item is usually defined by the effect of the attack on (a) the network operation and (b) the target subscribers. Hence, a goal item has the following two properties: (1) it is the direct cause of the network misoperation and (2) the caused misoperation directly affects the target subscriber.
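To make the chain definition concrete, the following added example (Python, written for this page; aCAT itself is written in Java and this is not its code) models the call delivery dependency relation as a list of (source item, dependent item) edges constructed from the message flow in Sect. 2.1, then runs a forward propagation from a seed and a reverse propagation from a goal, the two directions the paper's analysis engine supports. Item and message names are the paper's; the edge list and the function names are assumptions of the example, and real propagation rules would be derived from the SDL specifications rather than written by hand.

```python
"""Forward/reverse corruption propagation over a dependency relation.

Added example for this page, not aCAT's code.  The dependency list is a
constructed approximation of the call delivery flow (GMSC -> HLR -> VLR ->
MSC -> BSS) described in Sect. 2.1; real rules come from SDL specifications.
"""
from collections import deque

# A data item is identified as (location, name).  A location is a service node
# (GMSC, HLR, VLR, MSC, BSS) or a signaling message (IAM, SRI, PRN, Page MS,
# Page).  An edge (src, dst) means: if src is corrupt, dst becomes corrupt under
# normal network operation (the item is copied into a message, or derived).
DEPENDENCIES = [
    (("GMSC", "alerting pattern"), ("SRI", "alerting pattern")),
    (("SRI", "alerting pattern"), ("HLR", "alerting pattern")),
    (("HLR", "alerting pattern"), ("PRN", "alerting pattern")),
    (("PRN", "alerting pattern"), ("VLR", "alerting pattern")),
    (("VLR", "alerting pattern"), ("VLR", "page type")),     # derived in the VLR
    (("VLR", "page type"), ("Page MS", "page type")),
    (("Page MS", "page type"), ("MSC", "page type")),
    (("MSC", "page type"), ("Page", "page type")),
    (("Page", "page type"), ("BSS", "page type")),
    (("IAM", "called number"), ("GMSC", "called number")),   # unrelated item
]


def forward(seed, deps=DEPENDENCIES):
    """Forward algorithm: every item that becomes corrupt once `seed` is.

    Breadth-first walk over the dependency edges.  Returns {item: predecessor}
    so that the chain leading to any reached item can be reconstructed.
    """
    adj = {}
    for src, dst in deps:
        adj.setdefault(src, []).append(dst)
    pred = {seed: None}
    queue = deque([seed])
    while queue:
        item = queue.popleft()
        for nxt in adj.get(item, []):
            if nxt not in pred:          # each item is infected once
                pred[nxt] = item
                queue.append(nxt)
    return pred


def reverse(goal, deps=DEPENDENCIES):
    """Reverse algorithm: every item whose corruption can cascade into `goal`.

    Implemented as a forward walk over the reversed edges; the result is the set
    of candidate seeds, i.e. the network locations an operator must protect.
    """
    return set(forward(goal, [(dst, src) for src, dst in deps])) - {goal}


def chain(seed, goal, deps=DEPENDENCIES):
    """The chain of corrupt items from seed to goal ([] if seed cannot reach goal)."""
    pred = forward(seed, deps)
    if goal not in pred:
        return []
    path, item = [], goal
    while item is not None:
        path.append(item)
        item = pred[item]
    return path[::-1]


def candidate_goals(seed, deps=DEPENDENCIES):
    """Reached items with no further dependants: where misoperation surfaces."""
    has_dependants = {src for src, _ in deps}
    return sorted(i for i in forward(seed, deps) if i not in has_dependants)


if __name__ == "__main__":
    seed, goal = ("GMSC", "alerting pattern"), ("BSS", "page type")
    for k, item in enumerate(chain(seed, goal), 1):
        print(f"chain item {k}: {item[1]} @ {item[0]}")
    print("candidate seeds for the goal:", sorted(reverse(goal)))
```

For the alerting attack the forward walk from the GMSC alerting pattern yields a chain of ten items ending at the BSS page type, and the reverse walk from that goal lists every message and node at which the seed could have been planted (SRI, HLR, PRN, VLR and so on), which is exactly the set of origins that Sect. 3.2 later reads off level 0 of the attack graph.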

In real life, adversaries (e.g. disgruntled employees) may gain access to improperly guarded central offices [39], which house telephony equipment. Details of these offices, including their addresses, photographs and manuals to telephony switches, may be obtained at websites such as [38, 39]. Many telephony switches are based on UNIX-like operating systems with software comprised of several million lines of C code. These switches may be configured to function as a GMSC. Using switch manuals found on websites such as [38], one can learn how to log on to the switch, issue commands to get permissions to modify data items and make changes to software. The adversary can corrupt the alerting pattern as described earlier, using commands similar to the following. Based on the configuration of the switch, the syntax of the commands may vary.

    if (alerting_pattern .is. CIRCUIT SWITCHED CALL)
        then alerting_pattern = SHORT MESSAGE SERVICE;
    end-if

2.3 Manual attack detection

Using SDL specifications, network engineers can manually predict attacks. This is because specifications are easy to read; they contain (1) signal flow graphs such as shown in Fig. 1, that present a high level picture of network functionality; and (2) flow chart like SDL diagrams as shown in Figs. 6b and 6c, that present minute details of the network functionality. Minute details of network functionality include the input messages received, the data items contained in them, the functionality invoked by these data items, and the output messages generated. An example of minute network functionality is Fig. 6c, which shows the HLR service node responding to the incoming message SRI (denoted by the dotted line in Fig. 1). Specifications provide diagrams similar to Fig. 6c for each and every service node functionality.

Fig. 3 Architecture of aCAT

Using these diagrams, network engineers can manually trace data corruption across service nodes and messages, such as in the alerting attack case. However, a 3G network is comprised of hundreds of services such as the call delivery, each service involving hundreds of messages and service nodes, which in turn are comprised of thousands of state machines. In such cases manually tracing data corruption through service nodes and messages can be very tedious and error prone. Hence, we need a systematic method that is automatic, fast and efficient, devoid of human error, with a fixed set of rules to track corruption across thousands of service nodes. aCAT is developed for these reasons. It tracks data corruption propagation efficiently by incorporating SDL specifications, a network dependency model, and a set of infection propagation rules. In the next section, we explain the various features of aCAT.

2.4 Automated solution—aCAT

aCAT is implemented using the Java programming language. It is made up of a number of subsystems (as shown in Fig. 3). The aCAT-knowledge base contains the 3G network knowledge. The major portion of this knowledge is obtained from SDL specifications. A minor portion of this knowledge is received from experts to compensate for the limitations in SDL. Data in the knowledge base is formatted using the unique 3G network dependency model detailed in Sect. 4. The integrated data structure is similar to that of the knowledge base; it holds intermediate vulnerability analysis results.

The GUI subsystem takes in user input in the form of seeds or goals. The analysis engine comprises algorithms (forward, reverse, and combinatorial). These algorithms are incorporated with the 3G specific infection propagation rules that identify corruption propagation. Using these infection propagation rules, user input, and the aCAT-knowledge base, the analysis engine captures the attack in the form of an attack graph. We use the term 'attack graph', as our graph is similar to the Internet based attack graphs [7, 34]. However, there are some major differences that are explained in Sect. 9.

Fig. 4 Work flow of vulnerability assessment

Our attack graphs are user friendly and show the propagation of corruption through the network. The attack graph explains in network semantics the origin of the attack and its cascading effects. More specifically, it can be said that the 3G attack graphs show the network effects of the attack. Using these attack graphs, realistic attack scenarios may be derived. Attack scenarios explain the effect of the attack on the subscriber in a realistic setting using the English language.

Each attack graph may have multiple interpretations and give rise to multiple scenarios. Each scenario gives a different perspective on how the attack may affect the subscriber. This vulnerability assessment work flow is illustrated in Fig. 4. In the next section, we detail features of the attack graphs and attack scenario derivation.

3 3G attack graph and interpretation

In this section, we present the 3G attack graph and its interpretation.

3.1 3G attack graphs

Cascading attacks may also be defined as network state transitions caused by an adversary's action, where the final transition results in the adversary achieving a goal. aCAT deduces possible attacks on 3G networks and represents them in the attack graph format. A 3G network specific attack graph may be defined as a network state transition showing the paths through a system starting with the conditions of the attack, followed by the attack action and ending with its cascading effects. The 3G network state may be defined as the collective state of all its components.

Fig. 5 Attack graph for the alerting attack

Figure 5 shows the attack graph output produced by aCAT. This attack graph output is in telecommunication terminology and corresponds to the previously described alerting attack. For description purposes, the attack graph has been divided into levels and assigned node labels.

Nodes represent states in the network with respect to the attack and may be broadly classified as conditions, actions, and goal(s). Nodes at the lowest level typically correspond to the conditions that must exist for the attack to occur, such as the adversary's physical access, target and existing vulnerability.

The adversary may have any of the following three levels of physical access: (1) access to the air interface with the help of a physical device; (2) access to links connecting central offices; and (3) access to the service nodes. In the alerting attack, the adversary has access to the GMSC, i.e. level 3 physical access, which is represented in the attack graph by Node M. The adversary's target is always a service node such as the GMSC and is represented by Node N. The adversary may take advantage of vulnerabilities such as in the service logic (detailed in Sect. 4.3), represented by Node O. Our attack graphs show all the possible conditions for an attack to happen, i.e., we not only see the alerting attack due to corruption of service logic at the GMSC, but also other possibilities such as the corruption of signaling message PRN.

Nodes at higher levels are actions that typically correspond to effects of the attack propagating through the network. Effects typically include propagation of corruption between service nodes, such as from HLR to VLR (Node F), propagation of corruption within service nodes, such as alerting pattern corrupting page type (Node D), and so on.

Actions may further be classified as adversary actions, normal network operations or normal subscriber activities. Adversary actions (Node I) include the insertion, corruption or deletion of data, signaling messages and service logic. Normal network operations (Node L) include sending and receiving signaling messages. Subscriber activity may include updating personal data or initiating service.

Goal nodes typically occur at the highest level of the attack graph. They indicate corruption of the goal items due to the direct corruption of seeds by the adversary (Node A).

In our graph, edges represent network transitions due to both normal network actions and adversary actions. Edges help show the global network view of adversary action. This is the uniqueness of our attack graph. Transitions due to adversary action are indicated by an edge marked by the letter 'A' (edges connecting level 0 and level 1).

3G attack graphs are obtained by pruning and merging attack trees constructed by aCAT. Hence individual attack trees are part of the attack graph shown in Fig. 5. Each attack tree shows the attack effects due to corruption of a seed at a specific network location. In the graph, trees are distinguished by the tree numbers assigned to their nodes. For example, all the nodes marked with number 2 belong to Tree 2 of the graph.

Tree 1 shows the propagation of corruption due to the corruption of the seed alerting pattern in the GMSC. Tree 3 shows the propagation of the alerting attack due to the corruption of the seed alerting pattern in the signaling message SRI, ending in output message Page MS containing the incorrect page type goal item. Nodes P, Q, R and U represent the conditions for the attack and Node J shows adversary action. Nodes F, D, and B show the propagation of the attack and Node A depicts the goal node of the alerting attack. These trees show that the vulnerability of the 3G network is not limited to one place, but can be realized due to the corruption of data in many network locations.

Some nodes in the graph belong to multiple trees. Tree numbers are also used to distinguish between AND and OR nodes at a level in the graph. Nodes at a particular level with the same tree number(s) are AND nodes. For example, at Level 2, Node F and Node G are AND nodes; both must occur for Node D at Level 3 to occur. Nodes at a particular level with different tree numbers and edges connecting to the same node at a higher level are OR nodes. For example, at Level 1, Node I and Node J are OR nodes; either one of the nodes may occur for Node F at Level 2 to occur. Other nodes have no relation. For example, at Level 2, Node H and Node G have no relation.

This attack graph format is well-suited for telecommunication networks because data corruption propagates through the network in various forms during the normal operation of a network; thus, an attack that corrupts a data item may manifest itself as the corruption of a different data item in a different part of the network only after some network operations take place.

3.2 Attack scenario derivation

This section explains the principles involved in the derivation of realistic attack scenarios from attack graphs in telecommunication semantics.

Step 1: End User Effect: Goal node(s) are used to infer the end effect of the attack on the subscriber. In the alerting attack, the goal nodes are Node A at Level 5 and Node C at Level 4. According to the goal node, the Page message to the BSS has the incorrect goal item 'page type'. The Page message is used to inform subscribers of the arrival of incoming calls and 'page type' indicates the type of call. 'Page type' must be compatible with the subscriber's mobile device or else the subscriber is not alerted. From the goal node it may be inferred that Alice, a subscriber of the system, is not alerted on the arrival of an incoming call and hence does not receive incoming calls.

Step 2: Origin of Attack: Nodes at level 0 indicate the origin of the attack, and hence the location of the attack may be inferred. The alerting attack may originate at the following locations: the signaling messages SRI and PRN, the service node VLR, or the HLR.

Step 3: Attack Propagation and Side effects: Nodes at all other levels show the propagation of corruption across the various service nodes in the network. In the alerting attack, from the other levels it may be inferred that the seed is the alerting pattern and that the attack spreads from the HLR to the VLR and from the VLR to the MSC. We found that some non-goal nodes (that indicate the propagation of corruption) also indicate side effects on the user, in addition to the goal node that shows the final effect on the user. Examples of these side user effects are provided in Sect. 6.

Attack Scenario: Using the above guidelines the following attack scenario may be derived. Trudy, the adversary, corrupts the alerting pattern of Alice, the victim, in the SRI message arriving at the HLR.

When there is an incoming call for Alice, her profile is downloaded from the HLR to the VLR and from the VLR to the MSC. The call proceeds as usual but Alice is not paged as required. Hence Alice's mobile device is unable to detect the incoming call and the call is missed. This attack is subtle to detect because 3G administrators find that the network processes the incoming call correctly and that the subscriber is alerted correctly. They may not find that this alerting pattern is incompatible with the mobile device itself. This attack is illustrated in Fig. 2.

Using aCAT we have discovered a set of interesting attacks besides the alerting attack, which we present in Sect. 6. In the next section, we present the models used by aCAT.



Fig. 6 Example of CEFSM and SDL

4 The aCAT model

In this section, we present the various models and rules used in the development of aCAT.

4.1 3G network model

Since aCAT uses SDL specifications to derive attacks, we model 3G networks using SDL notation. In our model, the 3G network is a set of concurrently running service nodes called blocks that communicate by exchanging signaling messages. A block has two types of components: data items and concurrently running processes. A block Bi is associated with the following four types of data items: (1) data parameters contained in signaling messages to and from the block; (2) updatable data items stored in an associated database (called a data source); (3) cached read-only data items; and (4) other temporary local variables used in processing.

In a block, processes use service logic to perform functions. The service logic in every process includes (1) process functionality used to compute data items and change the data associated with the block; (2) database transactions between processes and the associated database; and (3) invocation of other processes. Processes may be broadly classified as Mobility Management, Call Handling, Operations and Maintenance, Fault Recovery, Handover and Subscriber Management. A process may also be defined as a communicating extended finite state machine (CEFSM), which is a special case of the extended finite state machine (EFSM). Figure 6a shows the CEFSM of a process in the HLR (indicated by the dotted rectangle in Fig. 1).

4.2 SDL model

SDL is a graphical, object-oriented, formal language designed for the specification of event-driven, real-time, concurrent distributed systems interacting with discrete signals. In basic SDL, the system description is hierarchically structured to describe the local and remote behavior of telecommunication systems as Systems, Blocks and Processes. The SDL System can be mapped to the 3G network; the SDL Block and Process may be mapped to the block and process defined in the 3G network model of Sect. 4.1, respectively.

Processes are the basic functional units of SDL systems. Specifications represent all network functions using the SDL process. Figure 6b shows the graphical syntax of an SDL process. Figure 6c shows the actual SDL fragment for the 3G process state transition diagram of Fig. 6a. On comparison of Figs. 6a and 6c it is obvious that the SDL process is similar in structure to the 3G process CEFSM. Hence the mapping from the 3G CEFSM process to the SDL process is one-to-one. The SDL diagrams in Figs. 6b and 6c are representative of all the diagrams used in SDL specifications.

4.3 Threat model

Our work is focused on the remote cascading effects that occur due to propagation of corrupt data items across (multiple) service nodes or blocks. Hence our threat model includes any attack actions (such as various buffer overflows) that may produce a seed. Readers interested in how these actions may be taken may refer to [21].

Fig. 7 Network dependency model

Based on their effects, we classify the relevant attack actions as those that corrupt (1) signaling messages; (2) caches; (3) database records; (4) local variables; and (5) service logic; distorted service logic will indirectly corrupt a message, a database record, or a local variable. Refer to Fig. 7 for the relationship between items that may be affected by the attack. In real life, these attack actions include (1) social engineering schemes that give adversaries access to service nodes and allow them to corrupt service logic; and (2) exploitation of software vulnerabilities that may overload the switch, resulting in buffer overflow. Besides cascading attacks, there are a variety of other 3G attacks, as summarized in [21]; however, they are out of the scope of this work.

4.4 Network dependency model and infection propagation rules

In principle, cascading attacks are the result of propagation of corruption between 3G components due to dependencies (relationships) that exist between these components. Hence to uncover these attacks, we define a network dependency model to clearly identify relationships between these 3G components. We also use this network dependency model to define a set of infection propagation (IP) rules (detailed in Table 1) to capture the propagation of corruption.

Our network dependency model (illustrated in Fig. 7) specifies the basic 3G components as the data items, signaling messages, and service logic. In our first IP rule we define what constitutes corruption of these basic components. Subsequently, we categorize dependencies as being within a block (intra-block) or between blocks (inter-block). In particular, our second IP rule defines that corruption due to inter-block dependencies can exist only due to the exchange of signaling messages. Figure 7 illustrates this inter-block dependency in signaling messages M1, M2, and M3. Message M1 contains the corrupt data item dA, indicated by dA*, and hence spreads corruption from block Bi to Bj.

We further classify intra-block dependency as either (1) derivative dependency, which defines the relationship between data items in a block; (2) process to data source dependency, which defines the relationship between a process and the data source within a block; or (3) inter-process dependency, which defines relationships between processes within a block. Intra-block dependency is typically invoked in response to an inter-block dependency, i.e. the arrival of a signaling message and the use of the data items in these messages as input to the intra-block dependency (e.g. P1). In summary, an intra-block dependency is invoked by an inter-block dependency.

Table 1 Infection propagation rules

1. Basic components
   A data item da of correct value u at any instant of time t is said to be corrupt iff there exists a value v of da at the same instant of time t where u ≠ v.
   A signaling message is said to be corrupt iff there exists a data item contained in the message where the data item has been corrupted directly by an adversary or indirectly due to cascading effects.
   The service logic of a process is corrupt iff there exists a set of input data items with correct original values and the output item computed with the service logic is corrupt.

2. Inter-block dependency
   Corruption spreads between blocks iff there exists a corrupt signaling message propagating between the respective blocks.

3. Derivative
   The output data item in an AND derivative dependency is corrupt iff all 'n' input data items are corrupt.
   The output data item in an OR derivative dependency is corrupt iff any one of the 'n' input data items is corrupt.
   The output data item in a KEY derivative dependency is incorrect iff the key (input item) used to retrieve the output item is corrupt.

4. Messages
   The output message generated by the process is corrupt iff either one of the following is true:
   1. The service logic of the process is corrupt.
   2. The service logic of the process is not corrupt but either one of the following is true:
      A. The input signaling message is corrupt.
      B. The data source owned by the block is corrupt.

5. Chaining
   Chains in cascading effects occur iff one of the following is true:
   1. Input data items are corrupt and the AND, OR or KEY dependency results in corrupt output data item(s).
   2. The service logic of the process is corrupt, resulting in corrupt output data items.
   3. The service logic of the process is corrupt, resulting in incorrectly written data sources.
   4. The service logic of the process is corrupt and invokes incorrect processes.
   5. The service logic of the process is corrupt and produces corrupt signaling messages.

Derivative dependencies cause the spread of corruption between data items in a block due to the process functionality used in computing these data items. The process functionality uses 'n' data items (received in messages or owned by the block) as input (fnInput) with derivative dependency operators (Dep_Operator) to derive output data items (fnOutput). The derivative dependency operators are AND, OR or KEY. Our IP rule 3 details the spread of corruption due to each derivative dependency operator. In the following, we also use examples to explain the propagation of corruption due to each derivative operator.

Corruption propagation is exhibited by the AND dependency operator in process P1 of Fig. 7, where dA and dF are both corrupt input items to an AND derivative operator used to compute, and hence corrupt, dG. Process P2 exhibits corruption propagation due to the OR dependency operator, where data items dA and dC are used as input to compute output item dF; dF is corrupt as a result of corruption of dA alone. Figure 7 shows P1 using data items dA and dB as the input key to a KEY operator to retrieve dH; dH is incorrect as a result of corrupt dA being used as the retrieval key.

Process to data source dependency exists between processes and the data sources owned by a block. It is due to the process reading [Read()] and writing [Write()] data items to data sources. Data items used in transactions with the data sources may be received in a message or owned by the block itself. Hence a process to data source dependency can cause corruption to propagate from a process to a data source through reads and writes. This is illustrated in Fig. 7 by process P2 reading corrupt items dA and dC from the associated data source and writing corrupt items dF and dG. Inter-process dependency occurs between processes in a block due to process invocation [Invoke()] of other processes. Corruption propagates in an inter-process dependency when processes invoke other processes using corrupt data as input in the invocation. This is illustrated in Fig. 7 by process P1 invoking process P2 using incorrect data dH within block Bj.

As messages cause corruption to propagate to remote service nodes, our IP rule 4 takes the various classes of intra-block dependency into consideration in defining the causes for corruption of an output message. Finally, all cascading effects give rise to chains. By using our IP rule 5, these chains can be accurately derived.

4.5 Propagation model

We also classify the type of chains. A chain is a result of the cascading effect, and it is comprised of a sequence of corrupt chain items, where each chain item is derived from the previous one. Although chains can be of many types, we broadly classify them as linear or branching. In the linear chain, a single corrupt chain item is sufficient to corrupt the next chain item. For example, a single corrupt chain item d1 leads to corruption of chain item di and so on (d1 → di → ··· → dn). The branching chain is specifically caused by the AND derivative dependency; here all input items in the AND dependency must be corrupt to corrupt the next chain item. For example, both the chain items d1, d2 in the AND input lead to corruption of d3, the next chain item (d1 & d2 → d3; d3 & d4 & d5 → ··· → dn).

Table 2 aCAT knowledge base: Table A: Signaling messages

  Message Name   Data Items
  SRI            Mobile Station International ISDN Number (MSISDN), Alerting Pattern, CUG interlock, CUG outgoing message, ISDN BC, ISDN LLC, ISDN HLC, GMSC Pre-paging support
  PRN            International Mobile Subscriber Identity (IMSI), Mobile Station International ISDN Number (MSISDN), GSM bearer capability, ISDN BC, ISDN LLC, ISDN HLC, Alerting Pattern, Pre-paging supported

Table 3 aCAT knowledge base: Table B: Processes

  Process name:    SRI_HLR
  Initial state:   Idle
  Input message:   SRI
  From block:      GMSC
  Function:        (1) (ISDN BC ‖ ISDN LLC ‖ ISDN HLC) = GSM Bearer Capability
                   (2) (GSM Bearer Capability ∼) = Basic Service
                   (3) (MSISDN ∼) = IMSI; (MSISDN ∼) = HLR Pre-paging support; (MSISDN ∼) = MSC No., VLR No., LMSI   ← Expert Input
                   (4) (HLR Pre-paging support ∧ GMSC Pre-paging support ∧) = Pre-paging support
  Output message:  PRN
  To block:        VLR
  Final state:     Wait for MSRN

5 Algorithms

In this section, we present our algorithms and the aCAT knowledge base used by these algorithms to build attack graphs.

5.1 aCAT knowledge base

The aCAT knowledge base contains knowledge of the 3G service(s), such as the call delivery service, whose vulnerability is subject to analysis. The database is populated using the SDL specifications for the call delivery service [3] and expert knowledge. We have added only a minor amount of expert knowledge, in those areas where the SDL specification is ambiguous or lacking. Knowledge from the specifications and experts is formatted with the network dependency model for application of the IP rules.

The tables in the aCAT knowledge base are shown in Table 2 and Table 3. Table 2 shows the structure of aCAT knowledge base Table A and some sample data stored in the table. This table stores the signaling message information and the data parameters contained in them. The sample data shows the data parameters contained in the SRI and PRN signaling messages. This table aims to capture all the data items that may be used to propagate corruption between blocks, i.e. inter-block dependencies.

Table 3 shows the structure of aCAT knowledge base Table B and some sample data stored in this table. This table stores the information of the basic functional unit of the SDL system, i.e. the process. Every column in this table corresponds to a component of the SDL Process shown in Fig. 6b. Thus, it captures all the aspects of an SDL Process, i.e. the initial and final states, input and output messages, and functions. This table aims to capture all aspects of process functionality that may be used to propagate corruption within a block, i.e. intra-block dependencies.

On close observation, it can be seen that the sample data contained in this table is a direct translation of the SDL fragment shown in Fig. 6c with the network dependency format applied to it. For example, the function Derive GSM BC from ISDN compatibility information is replaced by the OR derivative dependency f(ISDN BC | ISDN LLC | ISDN HLC) = GSM Bearer Capability (first part); the function Derive basic service from GSM BC is replaced by a KEY derivative dependency (GSM Bearer Capability ∼) = Basic Service (second part); and the function Set Pre-paging support is replaced by an AND derivative dependency (HLR Pre-paging support ∧ GMSC Pre-paging support ∧) = Pre-paging support (fourth part). These functions are a direct translation from the SDL.

Algorithm 1 Forward algorithm

Input: Seed
Output: Chain[] = {c0, c1, c2, ..., cn}, a finite sequence of corrupt items; c0: Seed and cn: Goal
chain_index: array index of Chain[]
Bchk: check point block: the block containing the chain item, or the destination block of the message carrying the chain item
Let l = {l0, l1, ..., lk} indicate the set of corrupt items in Bchk.
Items in Chain and l are corrupt: Chain ⇒ corrupt(Chain) and l ⇒ corrupt(l).
Let next indicate the set of corrupt items in Bchk contained in the message propagating from Bchk to the next block.

Procedure Forward dependency check(seed):(1)
 1: Chain[0] ← seed; chain_index ← 0; add seed to l
 2: repeat
 3:   for (∀ li ∈ l) and (∀ Process in Bchk) do
 4:     if (li ∈ fnInput and Dep_Operator) ⇒ corrupt(fnOutput) then
 5:       Chain[++chain_index] ← fnOutput; add fnOutput to l            {1, 2 of IP rule 5}
 6:     else if (li ∈ {Write(), Read(), fnInput} and Dep_Operator) ⇒ corrupt(fnOutput) then
 7:       Chain[++chain_index] ← fnOutput; add fnOutput to l            {3 of IP rule 5}
 8:     else if (li ∈ {Invoke(Px), fnInputPx} and Dep_Operator) ⇒ corrupt(fnOutput) then
 9:       Chain[++chain_index] ← fnOutput; add fnOutput to l            {4 of IP rule 5}
10:     end if
11:     if ∃ li ∈ {da, db, ...} in (message from Bchk to Bj) then
12:       next = li ∈ {da, db, ...} in (message from Bchk to Bj)
13:       l = next; Bchk = Bj                                            {5 of IP rule 5}
14:     end if
15:   end for
16: until next = Ø

Complexity: O(p), where p is the number of processes in the aCAT knowledge base.

We also added some expert knowledge to the table (third part). For example, the MSISDN is used to retrieve a number of data parameters, hence we added the following KEY derivative dependencies: [(MSISDN ∼) = IMSI], [(MSISDN ∼) = HLR Pre-paging support], [(MSISDN ∼) = MSC No., VLR No., LMSI].

In addition to the derivative dependencies presented in aCAT Table B, the function column of this table may also contain the following: (a) process and data source dependencies, represented by reads Read(dx) and writes to the database Write(dx); and (b) inter-process dependencies, represented by invocation of other processes Invoke(dx).

Thus using aCAT Table A we can identify the inter-block dependencies, and by using aCAT Table B we can identify all the intra-block dependencies in the network dependency model. An illustrative example is the alerting attack, where the SRI signaling message arrives at the HLR with a corrupt alerting pattern. The aCAT knowledge base captures this information in Table A. On observing the function column of aCAT Table B in the aCAT knowledge base, we can see that the alerting pattern does not corrupt any other data parameters, i.e. does not cause intra-block corruption. But aCAT Table A shows that the output message PRN contains the same alerting pattern and hence captures inter-block corruption. Inter-block corruption occurs as the corrupt alerting pattern contained in the message PRN propagates from the HLR to the VLR. Thus by observing the data items contained in messages and processes, the flow of corruption may be traced.

5.2 Algorithms

We have designed forward, reverse and combinatorial algorithms to detect attacks and build attack graphs in an exhaustive depth first search. These algorithms (forward, reverse and combinatorial) incorporate the IP rules, and are implemented in the Java programming language.

As shown in Algorithm 1, the forward algorithm takes as input a single seed, detects the rest of the chain items till the goal, and builds the attack graph bottom-up. The reverse algorithm takes as input a single goal, detects the previous chain items till the seed, and builds the attack graph top-down. The combinatorial algorithm takes as input multiple seeds or goals and searches for chain items that denote the combined effect of the input.

All of the algorithms are exhaustive, as they check every process in the block (indicated by line 3 in Algorithm 1), and succinct, as only those states that reach the goal or seed are added to the attack graph. We only discuss the forward algorithm (shown in Algorithm 1) in detail due to space limitations.

Our forward algorithm works by (1) locating the origin of the attack; (2) finding the next chain item, which comprises building the attack graph bottom-up; and (3) pruning the graph. Our algorithm assumes that the adversary has the necessary conditions for the attack to happen.

We define the origin of the attack as the check-point block Bchk, which is the block at which a chain item occurs, or the destination block of the message containing the chain item. In the case of the alerting attack, the GMSC generates the chain item (alerting pattern) and hence the GMSC is our first Bchk. This is also shown in Node N of our attack graph (Fig. 5). By performing the forward dependency check at each Bchk, the next chain item may be derived. Hence we perform the first forward dependency check at the GMSC. The forward dependency check consists of two parts. Part 1 detects the next chain item(s) at the current Bchk, i.e. intra-block corruption (lines 3–10 in Algorithm 1). Part 2 detects the next Bchk, i.e. inter-block corruption (lines 11–14 in Algorithm 1).

Part 1 detects the next chain item(s) in the current Bchk by using [IP rule 5]. Next chain item(s) in the current Bchk may be detected in the three types of intra-block dependencies. The seed (alerting pattern) is assumed to be corrupt and stored in the current chain items array l, the contents of which are hence corrupt.

The current chain items array l may be used in deriving the next corrupt chain item(s) in the current Bchk under the following conditions: (1) if the current chain item(s) l is the input in a 'derivative dependency' (lines 4–5 in Algorithm 1) [1, 2 of IP rule 5]; (2) if the current chain item(s) l is used to corrupt block level data sources during a Write(), and the same items are read by another process and used as the input in a 'derivative dependency' (lines 6–7 in Algorithm 1) [3 of IP rule 5]; or (3) if the current chain items l are used to invoke other processes via Invoke() and later used as the input in a 'derivative dependency' (lines 8–9 in Algorithm 1) [4 of IP rule 5]. As the current chain item (alerting pattern) does not derive the next chain items in the GMSC, we move on to the next part.

Part 2 detects the next Bchk by using [5 of IP rule 5]. The occurrence of the next Bchk may be detected by using inter-block dependencies (data items in signaling messages). The next Bchk is the block that receives corrupt data items in signaling messages from the current Bchk (lines 11–14 in Algorithm 1). The HLR receives the current chain item (alerting pattern) in the SRI message from the GMSC (current Bchk). Hence the next Bchk is the HLR.

Using part 1 again, we look for the next chain item at the current Bchk (which is the HLR), but as the current chain item (alerting pattern) is not used to derive any other items in the HLR, we move on to part 2. The VLR is the next Bchk as it receives the current corrupt chain item (alerting pattern) in the PRN message from the HLR (current Bchk). At the VLR, the alerting pattern, i.e. the current chain item, is the input to the OR derivative dependency whose output is the page type. Hence using condition 1 of part 1, we find the next chain item to be the page type.

The forward dependency check is repeated until one of the following two terminating conditions is reached: (1) there are no outgoing messages from the checkpoint block with corrupt items, i.e., next = Ø; or (2) there are no more messages to explore in the aCAT knowledge base. In the case of the alerting attack, the forward dependency check stops when it is found that the BSS (current Bchk) does not generate any outgoing messages with corrupt items. During chain detection, due to telecommunication semantics, loops arise frequently and may be eliminated by checking looping conditions and ensuring that the same path is not traversed twice.

Trees are built as the next chain items are found. As we know, for seeds at every Bchk, i.e. a seed at every network location, an attack tree is built to show the propagation of corruption due to the seed. For example in the alerting attack, a tree is built for every occurrence of the seed (alerting pattern) at every Bchk. As shown in Fig. 5, Tree 1 is built for the seed at the GMSC, Tree 2 is built for the seed at message SRI, and Tree 3 is built for the seed at message PRN.

In the third phase of the forward algorithm, trees are merged into graphs. All nodes at a level that are common to all trees are combined and then pruned to remove redundancy. The worst case performance of the algorithms may be approximated as O(p), where p is the number of processes in aCAT knowledge base Table B, and its size may be approximated by the number of messages in the service whose vulnerability is subject to analysis. In the call delivery service, illustrated in Fig. 1, there are 9 signaling messages, hence p is 9.
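The IP rule 3 operators of Sect. 4.4 and the forward dependency check of Algorithm 1, as an added, runnable Python example that is not the paper's own aCAT code. The message entries SRI and PRN and the process SRI_HLR follow Tables 2 and 3 (with the expert-knowledge KEY dependencies on the MSISDN). Everything else is an assumption made for this example: the VLR process PRN_VLR that derives the page type by an OR from the alerting pattern and the IMSI, the Page and Page MS messages that carry the page type from the VLR to the MSC and from the MSC to the BSS, and the single item name "Pre-paging support" for the PRN parameter that Table 2 spells "Pre-paging supported". Process-to-data-source and inter-process dependencies (items 3 and 4 of IP rule 5) are left out, the search is depth first over all outgoing corrupt messages, and the result is a set of chains rather than trees merged into a graph.

```python
"""Forward dependency check (Algorithm 1) over a toy aCAT-style knowledge base.

Added example, not the paper's aCAT code. SRI, PRN and SRI_HLR follow Tables 2
and 3; PRN_VLR, the Page / Page MS messages and the single item name
"Pre-paging support" in PRN are assumptions made for this example.
Read()/Write() and Invoke() dependencies (IP rule 5, items 3 and 4) are omitted.
"""
from dataclasses import dataclass

# Table A style: message -> (from block, to block, data items carried).
MESSAGES = {
    "SRI": ("GMSC", "HLR", {"MSISDN", "Alerting Pattern", "ISDN BC", "ISDN LLC",
                            "ISDN HLC", "GMSC Pre-paging support"}),
    "PRN": ("HLR", "VLR", {"IMSI", "MSISDN", "GSM Bearer Capability", "ISDN BC",
                           "ISDN LLC", "ISDN HLC", "Alerting Pattern",
                           "Pre-paging support"}),
    "Page": ("VLR", "MSC", {"Page type"}),      # assumed paging messages
    "Page MS": ("MSC", "BSS", {"Page type"}),
}

@dataclass(frozen=True)
class Dependency:
    """fnOutput = Dep_Operator(fnInput ...); op is AND, OR or KEY."""
    op: str
    inputs: tuple
    outputs: tuple

# Table B style: process -> (block, derivative dependencies of its function column).
PROCESSES = {
    "SRI_HLR": ("HLR", (
        Dependency("OR", ("ISDN BC", "ISDN LLC", "ISDN HLC"), ("GSM Bearer Capability",)),
        Dependency("KEY", ("GSM Bearer Capability",), ("Basic Service",)),
        Dependency("KEY", ("MSISDN",), ("IMSI", "HLR Pre-paging support",  # expert input
                                         "MSC No.", "VLR No.", "LMSI")),
        Dependency("AND", ("HLR Pre-paging support", "GMSC Pre-paging support"),
                   ("Pre-paging support",)),
    )),
    # Assumed: the VLR derives the page type by OR from alerting pattern and IMSI.
    "PRN_VLR": ("VLR", (Dependency("OR", ("Alerting Pattern", "IMSI"), ("Page type",)),)),
}

def derive_corrupt(dep, corrupt):
    """IP rule 3: the outputs of one derivative dependency that become corrupt."""
    hits = [i in corrupt for i in dep.inputs]
    if dep.op == "AND":
        fired = all(hits)                 # every input must be corrupt
    elif dep.op in ("OR", "KEY"):
        fired = any(hits)                 # one corrupt input, or a corrupt key
    else:
        raise ValueError(f"unknown operator {dep.op}")
    return list(dep.outputs) if fired else []

def intra_block(block, corrupt, processes):
    """Part 1: apply every process in B_chk until no new corrupt item appears.
    Extends `corrupt` in place and returns the new items in derivation order."""
    new, changed = [], True
    while changed:
        changed = False
        for pblock, deps in processes.values():
            if pblock != block:
                continue
            for dep in deps:
                for out in derive_corrupt(dep, corrupt):
                    if out not in corrupt:
                        corrupt.add(out)
                        new.append(out)
                        changed = True
    return new

def forward_chains(seeds, start_block, messages=MESSAGES, processes=PROCESSES):
    """Exhaustive depth-first forward check. Each chain is a list of (block, item)
    pairs from the seed(s) to a block that emits no corrupt message (next = Ø);
    the last pair of a chain is its goal node."""
    chains = []

    def visit(block, corrupt, chain, seen):
        chain = chain + [(block, i) for i in intra_block(block, corrupt, processes)]
        extended = False
        for msg, (src, dst, items) in messages.items():      # Part 2: IP rule 2
            carried = items & corrupt
            if src != block or not carried or (msg, dst) in seen:
                continue                                      # loop elimination
            extended = True
            visit(dst, set(carried), chain + [(dst, i) for i in sorted(carried)],
                  seen | {(msg, dst)})
        if not extended:
            chains.append(chain)

    visit(start_block, set(seeds), [(start_block, s) for s in sorted(seeds)], frozenset())
    return chains

def format_chain(chain):
    return " -> ".join(f"{block}:{item}" for block, item in chain)

if __name__ == "__main__":
    for seeds in ({"Alerting Pattern"}, {"GMSC Pre-paging support"},
                  {"GMSC Pre-paging support", "MSISDN"}):
        for chain in forward_chains(seeds, "GMSC"):
            print(format_chain(chain))
```

With the single seed {"Alerting Pattern"} at the GMSC the result is the linear chain GMSC → HLR → VLR (where the page type becomes corrupt) → MSC → BSS of the alerting attack, ending at the goal node (BSS, Page type). With {"GMSC Pre-paging support"} alone the chain stops in the HLR: the AND dependency needs both pre-paging inputs, which is the branching chain of Sect. 4.5, and PRN does not carry the GMSC item onward. Adding "MSISDN" as a second seed lets the expert-knowledge KEY dependency corrupt "HLR Pre-paging support", the AND fires, and the chain continues through PRN. Because Part 1 loops until no new item appears, the KEY dependency on GSM Bearer Capability fires in the same block as the OR that corrupts it, so a corrupt ISDN BC also reaches Basic Service.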

We also designed a reverse dependency check, similar to the forward dependency check, which also works in two parts. To find the previous chain items from the goal, the algorithm finds the previous Bchk's.

(1) fnInput, Dep_Operator, fnOutput, Read(), Write(), Invoke() are defined in Sects. 4.4 and 5.1.

Fig. 8 Attack graph for power-off power-on attack

Combinatorial algorithms take as input multiple seeds or goals, and use the forward or reverse dependency checks to detect multiple chains of corrupt items as output. The worst case performance of these algorithms is O(Np), where N is the total number of chains. Although it is theoretically intriguing to study the damaging effects of every possible combination of seeds in a 3G network, in practice the adversary is only able to produce very few seeds in most cases. Therefore we developed the following practical optimizations for when the number of seeds is relatively large:

Optimization 1. The combination of seed input sequence considered while building the tree is the order of input provided by the user, i.e., the combinatorial algorithm considers the first user input as the first corrupt item, the second user input as the second corrupt item, and so on.

Optimization 2. Combinatorial algorithms typically build a large number of redundant trees before pruning them. We reduce the number of redundant trees built by aggregating a number of seed locations to a single seed location.

6 Interesting attacks discovered by aCAT

In this section, we present some interesting attacks detected by aCAT using the algorithms and the aCAT knowledge base described in the previous section. aCAT constructs attack graphs assuming the worst case pre-conditions to be true. System administrators may also use these attack graphs to perform more advanced network vulnerability checks, such as probabilistic analysis of defense mechanisms and protocol functionality in the event of attacks.

The alerting attack, power-off power-on attack, mixed identity attack and missed calls attack are discovered using only SDL knowledge. The call redirection attack is discovered with the help of expert knowledge.

6.1 Power-off power-on attack

The attack graph for the power-off power-on attack is shown in Fig. 8. With the help of the guidelines defined in Sect. 3.2 the following may be derived.

Step 1: End User Effect: Goal nodes (Nodes A, B and C) identify end subscriber effects. Node A identifies that subscribers are disabled when they move to a new location, as the previous location cancellation does not occur. Nodes B and C identify that incoming calls are not received by the subscriber, as they may be sent to incorrect locations (Node B) or because subscriber page messages are sent to incorrect locations and hence not answered (Node C).

Step 2: Origin of Attack: Nodes at level 0 in Fig. 8 indicate that the target of the attack is the HLR.

Step 3: Attack Propagation and Side effects: Nodes at other layers indicate the seeds used in the attack as the MSC number and VLR number. The MSC number and VLR number together indicate the current location of the subscriber. Hence corrupting the MSC number and VLR number corrupts the subscriber location. If the subscriber location is corrupt, the network cannot locate the subscriber when a call arrives, resulting in resetting of the location of the subscriber. The figure also illustrates the AND derivative dependency (Nodes G, H and D) and the branching chain, i.e., both the data items 'MSC number' and 'VLR number' must be corrupt to corrupt the data item 'subscriber location' (dMSC number & dVLR number → dsubscriber location). Using these guidelines and general knowledge of the 3G network, the following attack scenario may be constructed.

Attack Scenario: This is an attack on the home network targeting the subscriber. This attack is illustrated in Fig. 9.



Fig. 9 Power-off power-on attack

Trudy, the adversary, corrupts the 'MSC number' and 'VLR number' of Alice, the victim, to an unresolved value in the HLR. The HLR uses these parameters to locate a subscriber when a call request arrives. As the parameters are corrupt, the HLR cannot locate Alice when a call arrives for her. The HLR thus resets Alice's 'MSC number' and 'VLR number', effectively de-registering her. After this, Alice cannot receive calls (Node 10). Alice will only begin to receive calls again if she power-cycles her phone, or if she moves to a new location, triggering a location update and thus refreshing the HLR with her correct MSC and VLR numbers. Note that Trudy does not need to know valid MSC and VLR numbers for this attack to be effective.

6.2 Mixed identity attack

The attack graph for the mixed identity attack is shown in Fig. 10. Using the guidelines in Sect. 3.2 attack scenario(s) may be derived as follows.

Step 1: End User Effect: Goal node(s) of Trees 1 and 3 (Nodes 23 and 21) identify the end effect as the inability of the subscriber to receive incoming calls due to incorrect paging. Goal node(s) of Trees 2 and 4 (Nodes 34 and 35) identify another effect of the attack as the inability of subscribers to authenticate themselves with the network.

Step 2: Origin of Attack: Nodes at level 0 indicate the origin of the attack. From Fig. 10 it can be inferred that the two possible targets of the attack are the HLR or the VLR.

Step 3: Attack Propagation and Side effects: From other layers it can be inferred that the seed used in the attack is the IMSI (Nodes 9, 12 and 13). The IMSI is the unique identity of a subscriber in the network. Corrupting the IMSI has a number of side effects, as the IMSI is used as the key to retrieve incorrect parameters (Nodes 16, 17, 19 and 22). Corrupting the IMSI at the HLR or in signaling messages for incoming calls (Trees 1 and 3) leads to subscribers being paged incorrectly, leading to loss of incoming calls. When a subscriber moves to a new location, a corrupt IMSI at the HLR leads to registration cancellation of the incorrect subscriber in the old location (Tree 2, Node 20) and failed authentication of the subscriber at the new location (Tree 2, Node 34). The linear chain is demonstrated by Tree 2.

Using these results and general knowledge of the 3G network, the following attack scenarios may be constructed.

Attack Scenario 1: This is an attack on the home network targeting the network itself. In this attack, the identities of a group of victims are mapped to a designated victim’s identity. The designated victim is charged for all the calls. This attack is illustrated in Fig. 10. Trudy maps the IMSI of all victims to that of Alice at the HLR. The VLR of location area B has uncorrupted data and hence all the mobile devices in the victim group are enabled. When Alice moves to a new location, she requests the VLR in the new location area A to register her. The VLR in the new location area A registers Alice, and requests the HLR to do the same. The HLR registers Alice and cancels Alice’s previous location, i.e., the current location of the rest of the victim group. This results in cancellation of all non-traveler victims. Alice, the designated victim, is charged for all the victim group’s calls before the cancellation; after the cancellation, none of the non-traveler victims can receive calls.

Attack Scenario 2: Trudy replaces the IMSI of organization Alice Inc. (victim) in every incoming call with the IMSI of a rival organization (Bob Inc.) (Tree 3, Node 12). Every call arriving at the network for Alice Inc. is received by Bob Inc.


Fig. 10 Attack graph for mixed identity attack

6.3 Call redirection attack

The attack graph for the call redirection attack is shown in Fig. 12. Using the guidelines in Sect. 3.2 attack scenario(s) may be derived as follows.

Step 1: End User Effect: Goal nodes (Nodes 21 and 20) identify the end result of the attack as redirection of incoming calls to other subscribers. This is because the ‘Page message’ is routed to the incorrect subscriber (due to incorrect goal items TMSI and LAI).

Step 2: Origin of Attack: Nodes at level 0 in Fig. 12 indicate that the target of the attack is the VLR.

Step 3: Attack Propagation and Side effects: Nodes at the other layers indicate the seed used in the attack is the MSRN (roaming number). The MSRN is used to route incoming calls to the designated subscriber. Each incoming call is assigned an MSRN. By switching the MSRNs (Nodes 10 and 11) it is possible to switch the destination of the incoming call (Nodes 12 and 13) and send the call to the incorrect subscriber (Nodes 20 and 21). Trees 1 and 2 are examples of the linear cascading effect.

Fig. 11 Mixed identity attack

Fig. 12 Attack graph for call redirection attack

Fig. 13 Call redirection attack

Fig. 14 Attack graph for missed calls attack

Fig. 15 Missed calls attack

Using the above guidelines and general knowledge of the 3G network, the following attack scenario may be constructed.

Attack Scenario 1: This is an attack on the visiting network targeting the network itself. In this attack, the roaming number of subscriber Bob is corrupt (possibly by incrementing or decrementing the number). This results in the redirection of Bob’s calls to another subscriber Alice (to whom the corrupt roaming number has been assigned). Hence Alice is alerted of the incoming call instead of Bob. Another side effect of corrupting the MSRN is that if the MSRN is not assigned to any other subscriber the call is dropped. For every incoming call arriving at the MSC for Bob, the adversary changes the roaming number in the incoming call to an unassigned value. Hence Bob is not alerted of the incoming call. Bob can make calls and update his profile but can never receive his calls at a particular location and is unaware of this problem. This problem may be rectified if Bob travels to a new location. This attack is illustrated in Fig. 13.

6.4 Missed calls attack

The attack graph for the missed calls attack is shown in Fig. 14. With the help of the guidelines defined in Sect. 3.2 attack scenarios may be derived as follows.

Step 1: End User Effect: The goal node (Node 13) identifies that incoming calls are not received by the subscriber as Page messages are sent to an incorrect location (incorrect LAI). Goal node (Node 17) identifies that subscribers are disabled when they move to a new location because updates due to location changes (Update location message) contain an incorrect subscriber identity (incorrect IMSI), resulting in cancellation of the update.

Step 2: Origin of Attack: Nodes at level 0 in Fig. 14 indicate that the target of the attack is the VLR.

Step 3: Attack Propagation and Side effects: Nodes at the other layers indicate the seed used in the attack is the LAI (Location Area Identifier). The LAI identifies the location the subscriber is currently visiting. The combination of the TMSI and LAI uniquely identifies a subscriber and their current location, i.e., at the VLR. Corruption of either the TMSI or the LAI results in corruption of the subscriber’s identity (Node 14). Node 14 is an illustration of an OR node.
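The AND derivative dependency of Fig. 8 (both the MSC number and the VLR number must be corrupt) and the OR node of Fig. 14 (either the TMSI or the LAI suffices), propagated forward from seeds to goals in the manner of the forward algorithm, as an added example written for this page; it is not aCAT’s code, and the rule set and item names below are an assumed encoding of the dependencies described in this section, not the toolkit’s SDL-derived knowledge base:

```python
"""Forward exploration over an aCAT-style dependency model (added example).

Illustrative code written for this page, not code from the paper or from
the aCAT toolkit. The rule encoding (a set of source items, a target item
and an AND/OR kind) and the rule set below are assumptions chosen to
mirror the dependencies walked through in Sect. 6; aCAT's real knowledge
base is derived from the SDL specifications and is not reproduced here.
"""
from dataclasses import dataclass
from typing import FrozenSet, List, Set, Tuple


@dataclass(frozen=True)
class Rule:
    """A derivative dependency: corruption of `sources` corrupts `target`.

    kind == "and": every source must be corrupt (Nodes G, H -> D in
    Fig. 8: both the MSC number and the VLR number must be corrupt
    before the subscriber location is corrupt).
    kind == "or":  one corrupt source suffices (Node 14 in Fig. 14:
    either the TMSI or the LAI corrupts the subscriber identity).
    """
    sources: FrozenSet[str]
    target: str
    kind: str

    def fires(self, corrupt: Set[str]) -> bool:
        if self.kind == "and":
            return self.sources <= corrupt
        return bool(self.sources & corrupt)


def and_rule(target: str, *sources: str) -> Rule:
    return Rule(frozenset(sources), target, "and")


def or_rule(target: str, *sources: str) -> Rule:
    return Rule(frozenset(sources), target, "or")


# Constructed model: the data items are the paper's, the rules are ours.
MODEL: List[Rule] = [
    # Power off / power on attack (Fig. 8): AND derivative dependency.
    and_rule("subscriber location", "MSC number", "VLR number"),
    or_rule("incoming call delivery", "subscriber location"),
    # Mixed identity attack (Fig. 10): the IMSI is the retrieval key.
    or_rule("retrieved subscriber parameters", "IMSI"),
    or_rule("page message", "retrieved subscriber parameters"),
    or_rule("subscriber authentication", "IMSI"),
    # Call redirection attack (Fig. 12): linear chain through the MSRN.
    or_rule("incoming call destination", "MSRN"),
    or_rule("page message", "incoming call destination"),
    # Missed calls attack (Fig. 14): OR node at the VLR.
    or_rule("subscriber identity", "TMSI", "LAI"),
    or_rule("page message", "subscriber identity"),
    or_rule("subscriber authentication", "subscriber identity"),
    # A mis-routed page message means the call is not delivered.
    or_rule("incoming call delivery", "page message"),
]


def forward_explore(seeds: Set[str], model: List[Rule]) -> Tuple[Set[str], List[Tuple[int, Rule]]]:
    """Propagate corruption from the seeds (level 0) to a fixed point.

    Returns every corrupt data item plus the rules that fired, each tagged
    with the level at which it fired; the levels are the layers of the
    attack graphs in Sect. 6.
    """
    corrupt: Set[str] = set(seeds)
    fired: List[Tuple[int, Rule]] = []
    level = 0
    while True:
        level += 1
        # Evaluate all rules against the snapshot of the previous level.
        newly = [r for r in model if r.target not in corrupt and r.fires(corrupt)]
        if not newly:
            return corrupt, fired
        for rule in newly:
            corrupt.add(rule.target)
            fired.append((level, rule))


def goals(corrupt: Set[str], model: List[Rule]) -> Set[str]:
    """Goal nodes: corrupt items that feed no further rule (end-user effects)."""
    used_as_source: Set[str] = set()
    for rule in model:
        used_as_source |= rule.sources
    return {item for item in corrupt if item not in used_as_source}


def main() -> None:
    for seeds in ({"MSC number"}, {"MSC number", "VLR number"}, {"LAI"}):
        corrupt, fired = forward_explore(seeds, MODEL)
        print(f"seeds {sorted(seeds)} -> goals {sorted(goals(corrupt, MODEL))}")
        for level, rule in fired:
            print(f"  level {level}: {sorted(rule.sources)} --{rule.kind}--> {rule.target}")


if __name__ == "__main__":
    main()
```

Corrupting the MSC number alone reaches no goal because the AND rule does not fire, while a single corrupt LAI reaches both the paging and the authentication goals through the OR node.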

Using the above guidelines and general knowledge of the 3G network, the following attack scenarios may be constructed.

Attack Scenario 1: This is an attack on the visiting network targeting the subscriber. In this attack, the location area (LAI) of the victim is corrupt during the incoming call profile download. The corrupt LAI causes the subscriber to be paged at the incorrect location for incoming calls and results in the subscriber not receiving the call. Subscribers can make calls and update their profile but can never receive incoming calls at this particular location. Receiving calls becomes possible again if the subscriber moves to another location. This attack is illustrated in Fig. 15.

Attack Scenario 2: This is another attack scenario derived from Tree 2 in the attack graph shown in Fig. 14. This is an attack on the visiting network targeting the network itself. The victim in this attack is Wireless XYZ Inc. (the company providing service in a location area A). Subscribers currently visiting this area A cannot register with the network. This is because the subscriber’s LAI in the update location message is corrupt, resulting in retrieval of an incorrect IMSI and authentication material (Node 14). The subscriber responds incorrectly to the incorrect authentication material and as a result cannot register with the network. An adversary may capture all update location messages on the air interface and corrupt the LAIs, thereby preventing subscriber registration.

Table 4 Forward algorithm experimental results

| No. of seeds | No. of nodes (SDL and expert knowledge) | No. of goals (SDL and expert knowledge) | No. of nodes (SDL knowledge only) | No. of goals (SDL knowledge only) | % Extra goals detected |
|---|---|---|---|---|---|
| 1 | 26 | 6 | 14 | 3 | 50% |
| 1 | 35 | 5 | 30 | 2 | 60% |
| 1 | 48 | 7 | 32 | 4 | 42% |
| 2 | 77 | 10 | 69 | 9 | 10% |
| 2 | 89 | 11 | 54 | 7 | 36% |
| 2 | 103 | 16 | 83 | 10 | 37% |

Table 5 Reverse algorithm experimental results

| No. of seeds | No. of nodes (SDL and expert knowledge) | No. of goals (SDL and expert knowledge) | No. of nodes (SDL knowledge only) | No. of goals (SDL knowledge only) | % Extra goals detected |
|---|---|---|---|---|---|
| 1 | 23 | 6 | 16 | 4 | 33% |
| 1 | 32 | 5 | 28 | 5 | 0% |
| 1 | 45 | 7 | 36 | 6 | 14% |
| 2 | 77 | 10 | 71 | 4 | 60% |
| 2 | 86 | 11 | 65 | 9 | 18% |
| 2 | 103 | 16 | 103 | 16 | 0% |

7 Experimental results

We conducted experiments to measure the utility of including expert knowledge in the aCAT knowledge base. The utility of expert knowledge is measured by comparing the percentage of attacks detected using SDL knowledge together with expert knowledge against that detected using SDL knowledge only.

In a realistic setting every service node provides a number of services. To simulate this setting, in our experiments we considered the call origination, location registration, and location updating services in addition to the call delivery service. We obtained the SDL knowledge from the specifications, for call handling [3] and for mobility [4]. We formatted this knowledge with the network dependency model and also some expert input.

All the above services combined constitute 46 signaling messages in total and 46 processes to handle these signaling messages. Hence each table in our aCAT knowledge base comprises 46 rows. We tested this aCAT knowledge base (which contains combined data of the call origination, location registration, location updating, and call delivery services) for single and double seed combinations in the forward and reverse algorithms (illustrated in Tables 4 and 5).

When the user input corresponded to areas where SDL knowledge is adequate, we found that expert knowledge does not show any improvement in the number of attacks detected. On average, goals detected by SDL knowledge cover 70% of all the possible goals that are detected with expert knowledge. The seeds detected by SDL knowledge cover 77% of all of the possible seeds that are identified with expert knowledge.

In conducting the above experiments, we also observed that in some cases corrupting a single data item can affect not one but multiple services. Our attack graphs presented in Sect. 6 are a testament to this fact. For example, in the mixed identity attack, the adversary corrupts the data item ‘IMSI’ (Node 9 in Fig. 10), which affects the delivery of calls in the call delivery service (Node 23 in Fig. 10), subscriber authentication in the location registration service (Node 34 in Fig. 10), and subscriber authentication in the location updating service (Node 35 in Fig. 10).

In effect, the aCAT knowledge base need not be restricted to the above four services. Any other services (such as SMS, handover, supplementary and other services) with specifications written in the SDL language may be added to the aCAT knowledge base by application of our network dependency model alone.

The results of these experiments indicate the usefulness of SDL knowledge for both aCAT and adversaries. For aCAT, SDL provides a significant portion of the knowledge base. For adversaries, SDL provides a rich set of possible attacks. In fact, it provides information that may be used to launch the large majority of possible attacks. Furthermore, the remaining attacks are still possible even without the direct targeting of an adversary.

8 Discussion

8.1 Limitations in SDL

Although SDL specifications are free, easy to obtain, and contribute 70% of the total network knowledge in aCAT, in conducting the experiments detailed in the previous section we identified inadequacies in SDL. We detail how aCAT alleviates these problems and we prove that aCAT can be an important tool in uncovering sophisticated cascading attacks in advance.

SDL is inadequate in certain syntactic, semantic and technical areas. In the syntactic and semantic areas, SDL specifications (1) have limited expressiveness and (2) make implicit assumptions. Due to these limitations, SDL is inadequate in defining functions within processes (e.g., the function Derive GSM BC from ISDN compatibility), resulting in inaccurate cascading effect detection. aCAT overcomes this problem by formatting SDL using the network dependency model and detecting attacks using infection propagation rules.

In technical areas, SDL is lacking in representing authentication and location functions. In the authentication area, SDL is not explicit about the data items used and their derivative dependencies, resulting in inaccurate attack detection. aCAT alleviates this problem by the usage of expert knowledge.

With respect to location data, SDL does not take into consideration the location data items used to route signaling messages. Corruption of these items results in incorrect routing of signaling messages. aCAT alleviates this problem by hard-coding the necessary details.

Adversaries may also alleviate the inadequacies in SDL, and devise much more devastating attacks, by careful in-depth study of the specifications or by gaining unauthorized access to specific requirements documents. We would also like to state that attacks can still be devised even without this extra knowledge, even if some of the sophisticated cascading effects are unanticipated by the adversary.

8.2 Defenses

So far, we have discussed how aCAT can successfully detect cascading attacks. We now discuss how the 3G network can defend against such attacks. We would like to point out that defending against cascading attacks is not an easy task.

This is because, in cascading attacks, corrupt values correspond to system-acceptable values. Hence error checking alone is insufficient to detect corruption that may lead to a cascading attack. Error checking must also include context checking every time a data item is generated. An example of such context-based error checking, in the alerting attack, is checking the cause for creation of the alerting pattern data item. The cause is the arrival of the IAM signaling message. The IAM message is an indication of a CIRCUIT SWITCHED CALL; hence if the alerting pattern takes on any value other than CIRCUIT SWITCHED CALL, it is an error and corruption is detected.

Such solutions may be expensive to implement as they must check the context of each and every data item and may slow down the network drastically. Even so, such context-based error checking solutions may not be successful all the time, because they may only be able to detect corruption at the origin and not after it cascades to some remote service node. Hence, such context checking solutions must be implemented at each and every service node by every service provider. We believe this to be a promising approach. Context-based error checking and attack detection will be explored as a part of our future work.
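The context-based check described above, contrasted with plain error checking and run at every service node, as an added example written for this page (not the paper’s code nor that of any network element); the event record, the placeholder alerting-pattern value and the sample events are constructed, and only the IAM / CIRCUIT SWITCHED CALL rule comes from the text:

```python
"""Context-based error checking of generated data items (Sect. 8.2), added example.

Illustrative code written for this page, not code from the paper or from
any 3G network element. The event record, the rule table and the sample
events are constructed. The one rule taken from the text: an alerting
pattern whose cause is an incoming IAM must be CIRCUIT SWITCHED CALL.
"""
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Optional, Tuple


@dataclass(frozen=True)
class Generation:
    """One data item being generated at one service node (constructed record)."""
    node: str   # service node that generated the item, e.g. "MSC-A"
    item: str   # data item name, e.g. "alerting pattern"
    cause: str  # signaling message whose arrival caused the generation, e.g. "IAM"
    value: str  # value the item took


# Plain error checking: values the system accepts for an item regardless
# of why it was generated. Only CIRCUIT SWITCHED CALL is named on the
# page; the second entry is a constructed placeholder standing for any
# other acceptable alerting pattern.
ACCEPTABLE_VALUES: Dict[str, FrozenSet[str]] = {
    "alerting pattern": frozenset({"CIRCUIT SWITCHED CALL",
                                   "OTHER_ACCEPTABLE_PATTERN (constructed)"}),
}

# Context rule: (item, cause) -> values consistent with that cause.
CONTEXT_RULES: Dict[Tuple[str, str], FrozenSet[str]] = {
    ("alerting pattern", "IAM"): frozenset({"CIRCUIT SWITCHED CALL"}),
}


def plain_check(g: Generation) -> bool:
    """Ordinary error checking: is the value one the system accepts at all?"""
    acceptable = ACCEPTABLE_VALUES.get(g.item)
    return acceptable is None or g.value in acceptable


def context_check(g: Generation) -> Optional[str]:
    """Context checking: is the value consistent with the cause of its creation?

    Returns None when consistent (or when no context rule applies), else a
    description of the detected corruption.
    """
    allowed = CONTEXT_RULES.get((g.item, g.cause))
    if allowed is None or g.value in allowed:
        return None
    return (f"{g.node}: '{g.item}' created on {g.cause} took '{g.value}', "
            f"expected one of {sorted(allowed)}")


def audit(events: List[Generation]) -> Tuple[List[Generation], List[str]]:
    """Run both checks on every generation, whichever node produced it.

    Returns the events that passed plain checking but failed context
    checking (the system-acceptable corrupt values the text warns about)
    and all context errors raised.
    """
    missed_by_plain: List[Generation] = []
    errors: List[str] = []
    for g in events:
        err = context_check(g)
        if err is not None:
            errors.append(err)
            if plain_check(g):
                missed_by_plain.append(g)
    return missed_by_plain, errors


# Constructed sample: generations at two service nodes. The second event
# is the corrupt yet system-acceptable alerting pattern; the third is a
# value plain checking already rejects.
SAMPLE_EVENTS: List[Generation] = [
    Generation("MSC-A", "alerting pattern", "IAM", "CIRCUIT SWITCHED CALL"),
    Generation("MSC-B", "alerting pattern", "IAM", "OTHER_ACCEPTABLE_PATTERN (constructed)"),
    Generation("MSC-B", "alerting pattern", "IAM", "NOT_A_PATTERN (constructed)"),
]


if __name__ == "__main__":
    missed, errs = audit(SAMPLE_EVENTS)
    for e in errs:
        print(e)
    print(f"{len(missed)} corrupt value(s) passed plain checking but failed context checking")
```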

9 Related work

Our related work covers 3G network vulnerability assessment and attack-graph technologies.

3G network vulnerability assessment: Telecommunication specifications [1, 2, 5] specify 3G security and identify security threats. Howard et al. [17], El-Fishway et al. [14], Lo et al. [23], Welch et al. [41], and Clissmann et al. [11] identify attack scenarios on 3G networks while trying to prove the inadequacy of current security schemes. They also present new architectures for 3G security. Mitchell et al. [24], Boman et al. [9] and Bharghavan et al. [8] discuss the security features available in current 3G networks. Brookson [10] motivates the need for security. Kotapati et al. [21] present a taxonomy of cyber attacks in 3G networks. However, they neither use open specifications to devise cascading attacks nor perform attack-graph based vulnerability analysis.

CAT [20] is the first attempt to apply Internet attack graph technology to analyze the vulnerabilities of 3G networks. Although CAT also uses SDL specifications, aCAT is significantly different from CAT because aCAT incorporates: (1) the unique network dependency model and infection propagation rules for accurate chain detection; and (2) expert knowledge for exhaustively uncovering all possible cascading attacks.


Attack-graph technologies: In the Internet domain attack-graph technologies have been extensively studied by [7, 12, 13, 18, 19, 27–37, 40, 42]. However, these technologies are not designed to handle 3G semantics, i.e. dependencies and infection propagation rules. The earlier work in this area includes NetKuang [42], a network configuration vulnerability checker which performs a goal-based breadth-first search. Swiler and Phillips [31, 36, 37] generate their attack graphs by backward exploration from the goal, given atomic attacks as input. In contrast, our forward algorithm generates attack graphs by forward exploration from seeds to goals.

Model checking is a major technique proposed for automatic attack graph generation and has been used by Ritchey and Ammann [33] for vulnerability analysis of a network, Sheyner et al. [34] for automatic generation of attack graphs, and Ramakrishnan and Sekar [32] for identifying configuration vulnerabilities. However, all the above techniques have the disadvantage of not being scalable. Ammann et al. proposed a fix to this problem by exploiting a monotonicity assumption to achieve scalability [7]. In [30], Ou et al. proposed a logic-programming method for scalable network vulnerability analysis. Jha et al. [18, 19, 35] have analyzed attack graphs in terms of properties such as survivability, reliability, etc. They also present a minimization technique that allows analysts to decide which minimal set of security measures guarantees the safety of the system.

The semantics of aCAT attack graphs are fairly different from Internet attack graphs. For example, in Internet attack graphs only exploits can cause state transitions, while in aCAT attack graphs many state transitions are caused by legitimate actions. Nevertheless, by viewing the infection propagation actions of aCAT as accidental “unintentional exploits”, the attack graphs generated by aCAT could conceptually be reduced to an Internet attack graph [7, 34]. Accordingly, existing attack graph analysis techniques (e.g., [18, 19, 35]) could be applied to analyze the graphs generated by aCAT. In this sense, existing attack graph analysis techniques are complementary to aCAT. Nevertheless, it should be noted that the focus of this paper is to generate and interpret 3G-specific attack graphs, although analyzing them is part of our future work.

From the viewpoint of attack graph generation, please note that besides the new cascading attacks identified, the main contribution of this paper is the 3G-specific network dependency model and infection propagation rules, which are necessary for any attack graph generation method (e.g., model checking) to work in 3G networks to identify cascading attacks. We propose a light-weight, ad-hoc attack graph generation algorithm instead of adopting an existing attack graph generation method such as model checking or [7], since sometimes a 3G network administrator may not be able to pre-determine completely or precisely which types of goal nodes satisfy the attacker’s goal and which do not, while both model checking and [7] require the goal states to be explicitly pre-determined (during vulnerability analysis).

In the sense of exploiting certain network dependencies to “chain” attack actions together, our work is related to alert correlation research (i.e., [12, 13, 27–29, 40]). Nevertheless, alert correlation is an intrusion detection activity that needs alerts to have been raised beforehand, while aCAT does not need any alerts.

10 Conclusion

In this paper, we presented aCAT, a unique solution for detecting new cascading attacks on the 3G network. Cascading attacks pose a great threat to the 3G network as they are extremely subtle and can have many far-reaching remote effects. aCAT has many applications: it may be used for real-time detection of attack origin, and for detection of vulnerable areas in the network. aCAT could be mandated for use, by wireless telecommunication policy makers, to detect sources of unusual network events and to protect the network from outage due to cascading attacks during critical events such as 9/11. aCAT can also be used to check incoming traffic from certain rogue networks (hence to trace corruption). Our future plans include extending aCAT to include feasibility analysis, proposal of defense mechanisms, and automating the process of deriving attack scenarios from attack graphs.

Acknowledgements This work was supported in part by NSF CCR-0233324, NSF/DHS 0335241, and NSF under award number 0416827.

References

1. 3GPP. (1999). 3G security; security principles and objectives. Technical Standard 3G TS 33.120 V3.0.0, 3G Partnership Project, May 1999.

2. 3GPP. (1999). 3G security; security threats and requirements. Technical Standard 3G TS 21.133 V3.1.0, 3G Partnership Project, Dec. 1999.

3. 3GPP. (1999). Basic call handling – technical realisation. Technical Standard 3GPP TS 23.018 V3.4.0, 3G Partnership Project, April 1999.

4. 3GPP. (1999). Mobile application part (MAP) specification. Technical Standard 3GPP TS 29.002 V3.4.0, 3G Partnership Project, April 1999.

5. 3GPP. (1999). A guide to 3rd generation security. Technical Standard 3GPP TR 33.900 V1.2.0, 3G Partnership Project, Jan. 2001.

6. 3GPP. Third Generation Partnership Project. http://www.3gpp.org/.

7. Ammann, P., Wijesekera, D., & Kaushik, S. (2002). Scalable, graph-based network vulnerability analysis. In Proceedings of the 9th ACM conference on Computer and Communications Security (CCS ’02) (pp. 217–224), November 2002.

8. Bharghavan, V., & Ramamoorthy, C. (1996). Security issues in mobile communications. In Proceedings ISADS 95. Second international symposium on autonomous decentralized systems (pp. 19–24), April 1995.


9. Boman, K., Horn, G., Howard, P., & Niemi, V. (2002). UMTS security. Electronics Communications Engineering Journal: Special issue security for mobility, 14(5), 191–204.

10. Brookson, C. B. (1995). Security in current systems. In IEE colloquium on security in networks, Digest No. 1995/024 (pp. 3/1–3/6), February 1995.

11. Clissmann, C., & Patel, A. (1994). Security for mobile users of telecommunication services. In Universal personal communications, ICUPC ’94 (pp. 350–353), October 1994.

12. Cuppens, F., & Miège, A. (2002). Alert correlation in a cooperative intrusion detection framework. In Proceedings of the 2002 IEEE symposium on security and privacy (pp. 202–215), May 2002.

13. Cuppens, F., & Ortalo, R. (2000). Lambda: A language to model a database for detection of attacks. In Recent advances in intrusion detection (pp. 197–216).

14. El-Fishway, N. A., Nofal, M. A., & Tadros, A. M. (2003). An improvement on secure communication in PCS. In Performance, computing, and communications conference, 2003. Conference proceedings of the 2003 IEEE international (pp. 175–182), April 2003.

15. Ellsberger, J., Hogrefe, D., & Sarma, A. (1997). SDL, formal object-oriented language for communicating systems. Prentice Hall.

16. Enck, W., Traynor, P., McDaniel, P., & La Porta, T. F. (2005). Exploiting open functionality in SMS-capable cellular networks. In CCS ’05: Proceedings of the 12th ACM conference on computer and communications security. ACM Press.

17. Howard, P., Walker, M., & Wright, T. (2001). Towards a coherent approach to third generation system security. In Second international conference, 3G mobile communication technologies (pp. 21–27), Nov. 2001.

18. Jha, S., Sheyner, O., & Wing, J. (2002). Two formal analyses of attack graphs. In Proceedings of the 15th IEEE Computer Security Foundations Workshop (CSFW ’02) (p. 49). Washington, DC, USA: IEEE Computer Society, June 2002.

19. Jha, S., Sheyner, O., & Wing, J. M. (2002). Minimization and reliability analyses of attack graphs. Technical Report CMU-CS-02-109, February 2002.

20. Kotapati, K., Liu, P., & La Porta, T. F. (2006). CAT – A practical graph & SDL based toolkit for vulnerability assessment of 3G networks. In Proceedings of the 21st IFIP TC-11 international information security conference, “Security and privacy in dynamic environments”, SEC 2006, May 2006.

21. Kotapati, K., Liu, P., Sun, Y., & La Porta, T. F. (2005). A taxonomy of cyber attacks on 3G networks. In Lecture notes in computer science. Proceedings IEEE international conference on intelligence and security informatics, ISI (pp. 631–633). Springer-Verlag, May 2005.

22. Lee, C., Hwang, M., & Yang, W. (1999). Enhanced privacy and authentication for the global system for mobile communications. Wireless Networks, 5(4), 231–243.

23. Lo, C. C., & Chen, Y. J. (1999). Secure communication mechanisms for GSM networks. In Lecture notes in computer science. IEEE transactions on consumer electronics (pp. 1074–1080), Nov. 1999.

24. Mitchell, C. (1995). Security techniques. Proceedings of the IEE electronics division colloquium on security in networks, IEE (London) Digest No. 1995/024 (pp. 2/1–2/6), February 1995.

25. Moore, D., Paxson, V., Savage, S., Shannon, C., Staniford, S., & Weaver, N. (2003). Inside the Slammer worm. IEEE Security and Privacy, 1(4), 33–39.

26. Moore, T., Kosloff, T., Keller, J., Manes, G., & Shenoi, S. (2002). Signaling System 7 (SS7) network security. In Proceedings of the IEEE 45th midwest symposium on circuits and systems, August 2002.

27. Ning, P., Cui, Y., & Reeves, D. S. (2002). Constructing attack scenarios through correlation of intrusion alerts. In Proceedings of the 9th ACM conference on Computer & Communications Security (CCS ’02) (pp. 245–254), Nov. 2002.

28. Ning, P., & Xu, D. (2003). Learning attack strategies from intrusion alerts. In Proceedings of the 10th ACM conference on Computer and Communications Security (CCS ’03) (pp. 200–209), Oct. 2003.

29. Ning, P., Xu, D., Healey, C. G., & St. Amant, R. A. (2004). Building attack scenarios through integration of complementary alert correlation methods. In Proceedings of the 11th annual Network and Distributed System Security Symposium (NDSS ’04) (pp. 97–111), Feb. 2004.

30. Ou, X., Govindavajhala, S., & Appel, A. (2005). MulVAL: A logic-based network security analyzer. In Proceedings of the 14th USENIX security symposium (pp. 113–128), August 2005.

31. Phillips, C., & Swiler, L. P. (1998). A graph-based system for network-vulnerability analysis. In Proceedings of the 1998 workshop on New security paradigms (NSPW ’98).

32. Ramakrishnan, C. R., & Sekar, R. C. (2002). Model-based analysis of configuration vulnerabilities. Journal of Computer Security.

33. Ritchey, R. W., & Ammann, P. (2000). Using model checking to analyze network vulnerabilities. In Proceedings 2000 IEEE computer society symposium on security and privacy (vol. 00, pp. 156–165). Los Alamitos: IEEE Computer Society.

34. Sheyner, O., Haines, J., Jha, S., Lippmann, R., & Wing, J. M. (2002). Automated generation and analysis of attack graphs. In Proceedings of the 2002 IEEE symposium on security and privacy, May 2002.

35. Sheyner, O., & Wing, J. (2005). Tools for generating and analyzing attack graphs. In Lecture notes in computer science. Proceedings of formal methods for components and objects (pp. 344–371).

36. Swiler, L., Phillips, C., Ellis, D., & Chakerian, S. (2001). Computer-attack graph generation tool. In Proceedings of the DARPA information survivability conference and exposition II, June 2001.

37. Swiler, L. P., Philips, C., & Gaylor, T. (1998). A graph-based network vulnerability analysis system. Sandia Report SAND97-3010/1, Sandia National Laboratories, January 1998.

38. Switch. 5ESS switch. http://www.alleged.com/telephone/5ESS/.

39. Telcoman. CENTRAL OFFICES. http://www.thecentraloffice.com/.

40. Templeton, S. J., & Levitt, K. (2000). A requires/provides model for computer attacks. In Proceedings of the 2000 workshop on New security paradigms (NSPW ’00) (pp. 31–38). New York: ACM Press, September 2000.

41. Welch, D., & Lathrop, S. (2003). Wireless security threat taxonomy. In IEEE workshop on information assurance. IEEE Systems, Man and Cybernetics Society Information Assurance Workshop (pp. 76–83), Jun. 2003.

42. Zerkle, D., & Levitt, K. (1996). NetKuang – A multi-host configuration vulnerability checker. In Proceedings of the sixth USENIX security symposium (pp. 195–201).

Kameswari Kotapati received her Bachelor of Engineering degree from the University of Madras at Chennai, India in 1999. She received her M.S. degree in Electrical and Computer Engineering from the University of Massachusetts, Dartmouth in 2002. She is currently a Ph.D. candidate in the department of Computer Science and Engineering at the Pennsylvania State University. Her research interests include wireless network security and protocols, mobility management, and security modeling techniques.


Peng Liu received his B.S. and M.S. degrees from the University of Science and Technology of China, and his Ph.D. degree from George Mason University in 1999. Dr. Liu is an associate professor of Information Sciences and Technology and director of the Cyber Security Lab at Penn State. His research interests are in all areas of computer and network security. He is the founding program co-chair of the ACM Workshop on Survivable and Self-Regenerative Systems. He was the proceedings chair of the ACM Conference on Computer and Communications Security (CCS) for 2004 and 2003. He is a program committee member of over thirty-five international conferences and workshops, including the ACM Conference on Computer and Communications Security (CCS), INFOCOM, the European Symposium on Research in Computer Security (ESORICS), and the World Wide Web Conference (WWW). He is a referee for over twenty journals, including the ACM Transactions on Information and Systems Security and the Journal of Computer Security. He is on the editorial board of the Elsevier Computer Standards & Interfaces Journal. Dr. Liu has published a book and about 80 refereed technical papers. His research has been sponsored by DARPA, NSF, DOE, DHS, AFRL, NSA, CISCO, HP, Japan JSPS, and Penn State. Dr. Liu is a recipient of the DOE Early CAREER PI Award. More information about Peng Liu can be found at http://ist.psu.edu/s2.

Thomas F. La Porta received his B.S.E.E. and M.S.E.E. degrees from The Cooper Union, New York, NY, and his Ph.D. degree in electrical engineering from Columbia University, New York, NY. He is Distinguished Professor in the Computer Science and Engineering Department at Penn State. He is the director of the Networking Research Center at Penn State. Prior to joining Penn State, Dr. La Porta was with Bell Laboratories since 1986. He was the director of the Mobile Networking Research Department in Bell Laboratories, Lucent Technologies, where he led various projects in wireless and mobile networking. He is an IEEE Fellow and Bell Labs Fellow, received the Bell Labs Distinguished Technical Staff Award, and an Eta Kappa Nu Outstanding Young Electrical Engineer Award in 1996. He also won the Thomas Alva Edison Patent Award in 2005. His research interests include mobility management, signaling and control for wireless networks, mobile data systems, and protocol design. Dr. La Porta was the founding Editor-in-Chief of the IEEE Transactions on Mobile Computing, and an associate editor for the ACM/Kluwer Journal of Mobile Networking and Applications as well as the KICS Journal of Communications and Networks. He served as editor-in-chief of IEEE Personal Communications Magazine (now called IEEE Wireless Communications) for three years and is currently a senior advisor. He has published over fifty technical papers and holds 28 patents. He was an adjunct faculty member at Columbia University for seven years where he taught courses on mobile networking and protocol design.

