SMS Defense White Paper


Transparent Mobile-to-Mobile SMS Spam and Fraud Control.

September 15, 2008

Copyright 2008 Sevis Systems, Inc.

Table of Contents

1. SMS Defense ... 1
   1.1. The Challenge: Prevent Mobile-to-Mobile SMS Spam and Fraud ... 1
   1.2. The Point Code Based Approach: Route All SMS to an Additional Core Network Node ... 3
   1.3. The SMS Defense Solution: Transparent SMS Spam and Fraud Control ... 5
      1.3.1. Core Capabilities ... 5
      1.3.2. Architecture ... 8
2. Defense View ... 10
   2.1. Event Log Data Mining ... 10
   2.2. CDR Generation ... 11
3. Signaling ASE System: No Point Code, Many Solutions ... 12
   3.1. System Overview ... 12
   3.2. Technical Specifications ... 14


1. SMS Defense
1.1. The Challenge: Prevent Mobile-to-Mobile SMS Spam and Fraud
Mobile-to-mobile SMS spam and fraud comes in many forms and can cause substantial damage with respect to customer satisfaction, financial performance and network operations. A sample of recent coverage of the problem includes:

John White, of the telecommunications analyst firm Portio Research, says, "There's no doubt text spam is costing operators real money, but what they're even more concerned about is the effect it has on the churn rate of their customers. Phone users who are irritated by spam or are billed for messages they didn't send are very likely to move networks. A solution that can stop spam and help maintain good customer relations is going to be widely welcomed." (Source: Mobile Europe)

"Their method is simple but highly effective, enabling the sending for free of thousands of messages that appear to come from a mobile phone roaming on another network. The result is not only that innocent mobile operators are carrying unwanted traffic, but that their customers are being deluged with unwanted offers and some are even being billed for messages they did not send." (Source: Mobile Europe)

"Insights into Mobile Spam, World's First Collaborative Empirical Study", released by the University of St. Gallen, Switzerland, indicates more than 8 in 10 mobile phone users surveyed have received unsolicited messages and 83% of telecommunications industry respondents perceive mobile spam to be a critical issue. (Source: International Telecommunications Union)

"Malicious hackers could take down cellular networks in large cities by inundating their popular text-messaging services with the equivalent of spam," said Penn State computer security researchers. (Source: New York Times)

China has ordered telcos to purge spam SMSes of smut and other unhealthy influences, including superstitious content like fortune telling. The Ministry of Information Industry made the pronouncement today on its website, which declared: "Recently, there has been a lot of dirt hidden in the telecommunication networks. The situation is serious." (Source: The Register)

The most common types of mobile-to-mobile SMS spam and fraud active today are summarized in the table below:

Table 1. Common Types of Mobile-to-Mobile SMS Spam and Fraud.

Spamming
   How caused: Unwanted messages are delivered to subscribers.
   Risk to the operator: Irritated subscribers, degraded network performance, blamed for spam relay.

Flooding
   How caused: Remote system sends massive numbers of messages targeting subscribers and nodes.
   Risk to the operator: Overload in the signaling network; home operator incurs relay operator costs.

Faking
   How caused: Foreign system uses the identity of a legal SMSC (i.e. MT faking).
   Risk to the operator: Home operator cannot collect termination fees.

Spoofing
   How caused: Messages sent illegally by simulating subscribers who are in a roaming situation (i.e. MO spoofing).
   Risk to the operator: Subscribers wrongfully billed for unsent messages and perhaps unwanted content.

Smishing
   How caused: Messages that appear to be from a valid company attempt to acquire subscriber information.
   Risk to the operator: Subscriber annoyance, billing issues, potential to spread viruses which in turn can result in more spam.

Viruses
   How caused: Hacker engine launches messages luring subscribers to a download site with viruses.
   Risk to the operator: Compromised handsets cause customer service problems and may send unwanted messages.


The overarching provider concerns with respect to the impact mobile-to-mobile SMS spam and fraud can have on a provider's customers, network and financial performance are that it:

- Irritates subscribers and in turn increases churn, raises support costs and casts a negative light on the carrier's brand. Subscribers find spam annoying and many regard it as an invasion of privacy. It also results in unwarranted charges, leading to customer frustration.
- Results in lost revenue for inter-carrier messages. With SMS fraud, the sender assumes the identity of a valid subscriber or SMSC, so the operator receives no termination fee.
- Increases operational costs because of the large volumes of unauthorized messages. SMS spam and fraud can degrade network and SMSC performance and at times severely impact them (in some instances acting as a Denial of Service network attack).
- Damages the adoption of revenue-producing services. Spam can destroy trust in an operator, leading subscribers to opt out of emerging mobile advertising and m-commerce opportunities.

The figure below shows the typical paths that mobile-to-mobile SMS spam and fraud take to gain network access. The red arrow on the left side of the diagram represents On-Net SMS spam and fraud, meaning it is generated by a subscriber operating within a carrier's own network. The red arrow originating on the right side of the diagram represents Off-Net SMS spam and fraud, meaning it originates on another carrier's network and gains network access via a carrier's SS7 carrier-to-carrier interconnect links.

Example of Mobile-to-Mobile SMS Spam and Fraud Gaining Network Access

Figure 1

In order to prevent mobile-to-mobile SMS spam and fraud, every SMS message that originates on a carrier's own network, or that attempts to enter a carrier's network via SS7 carrier-to-carrier interconnect links, must at some point prior to delivery to the destination subscriber be inspected to ensure that the message:

- Is from a legitimate source (in the case of MT faking or MO spoofing).
- Does not contain inappropriate content (in the case of smishing, viruses or unauthorized content).
- Is not part of an unauthorized mass mail campaign (in the case of unsolicited spamming).
- Is not part of an attempt to disrupt the operations of the individual subscriber, a network node or the network itself (in the case of message flooding).


1.2. The Point Code Based Approach: Route All SMS to an Additional Core Network Node
The most common approach currently used to prevent mobile-to-mobile SMS spam and fraud is to deploy one or more Point Code Based SMS anti-spam and fraud elements within a carrier's SS7 core network, as shown below.

Example of a Point Code Based SMS Anti-Spam and Fraud Solution

Figure 2

The mechanics of identifying mobile-to-mobile SMS faking and spoofing are well established and vary little between mobile-to-mobile SMS anti-spam and fraud vendors. Therefore, the implementation of SMS fraud and spam identification rules and algorithms is not a significant point of differentiation. Consequently, the more common points of differentiation between Point Code Based solution vendors include:

- Whether they provide rudimentary or advanced content inspection (note 1).
- The degree to which messages can be controlled post-inspection (note 2).
- The management system employed (web-based, GUI-based, etc.).
- System performance with respect to the number of messages handled per second.
- The pricing model (many use a per message/transaction model versus a flat one-time per link model).

Note 1. Content inspection can be categorized as rudimentary or advanced: rudimentary inspection is the ability to filter messages based on specific key words or phrases, while advanced inspection is the ability to perform content analysis within a more adaptive and flexible search framework. A discussion of content inspection capabilities is relevant when trying to identify spam or smishing activities.

Note 2. Message control can be categorized as rudimentary or advanced as well: rudimentary control is the ability to pass or stop (block) messages depending on customer-defined control policies, while advanced control is the ability to perform additional message control functions such as message thresholding (throttling).


While Point Code Based solutions may differ among themselves with respect to these capabilities and features, they all share the same distinct disadvantages because of their Point Code Based nature, disadvantages that include:

- All Off-Net mobile-to-mobile SMS spam and fraud is allowed to enter a carrier's signaling network unchecked and consume STP/Gateway resources.
- Every Off-Net and On-Net SMS message must first be routed to the Point Code Based node (or nodes) before being sent to an SMSC, increasing the amount of SMS traffic in a carrier's SS7 core and consuming additional network resources.
- Because this approach requires an SS7 point code, carriers must re-engineer their SS7 network and in some cases deploy intelligent routing mechanisms and additional STP resources to enable the redirection of the flow of SMS traffic.


1.3. The SMS Defense Solution: Transparent SMS Spam and Fraud Control
1.3.1. Core Capabilities
In contrast to the Point Code Based approach to preventing mobile-to-mobile SMS spam and fraud, SMS Defense resides transparently (i.e. it does not require a point code) on both carrier-to-carrier SS7 interconnect links and internal SMSC signaling links. With SMS Defense, SMS messages do not have to be routed to a new network node before being sent to an SMSC. Additionally, off-net SMS spam and fraud can be stopped before it has the chance to reach your external-facing STPs/Gateways. SMS Defense is equipped with the core capabilities needed to manage SMS spamming, flooding, faking, etc., along with enhanced content filtering and advanced control features that include message thresholding and response. And because it utilizes the transparent Signaling ASE application platform, SMS Defense does not require any network re-engineering to install, and it can be positioned anywhere within your signaling network, including the Radio Access Network perimeter or Access Edge (i.e. on BSC-MSC links). The SMS Defense application leverages the Signaling ASE Platform's highly distributed SS7 front-end architecture to implement network-wide rules and policies on any SS7 link.

Example SMS Defense Network Deployment

Figure 3


Table 2. Comparing the Point Code Based Approach to the Network Transparent SMS Defense Approach.

Benefits compared (columns: Point Code Approach, SMS Defense Approach):
- Spamming Protection
- Flooding Protection
- Faking Protection
- Spoofing Protection
- Smishing Protection
- Virus Protection
- Enhanced Content Filtering
- Stops spam at the network perimeter
- Does not increase SMS traffic in the SS7 core
- Advanced message control
- No SS7 network re-engineering required

(One Point Code Approach entry is marked "Varies".)

The table below describes how SMS Defense can be used to control mobile-to-mobile SMS spam and fraud.

Table 3. Controlling Mobile-to-Mobile SMS Spam and Fraud using SMS Defense.

MO Spoofing of Home Network Subscribers
   Implement rules that perform the following:
   - Verify the originating MSISDN is legitimate.
   - Verify the originating subscriber's location in the MO matches that stored in the HLR.
   - Verify the subscriber's location for an inbound MO into the network is not a location internal to the network (SMS MOs cannot arrive from such a location on the interconnect links).

MT Spoofing of Home Network Subscribers
   Implement rules that perform the following:
   - Verify the originating MSISDN is not one of your subscribers: external SMSCs should not be delivering SMS messages of your subscribers. If an inbound SMS MT contains one of your MSISDNs as the originating address, then it has been spoofed.
   - Validate premium short codes and alphanumeric addresses that are allowed as Originating Addresses.

MT Faking
   Implement rules that perform the following:
   - Validate SRI-SM by determining that the originating SMSC address is consistent within the SCCP (CgPA) and MAP (Service Center Address) layers.
   - Validate MT-SMS by determining that the originating SMSC address is consistent within the SCCP (CgPA) and MAP (Service Center Address) layers.
   - MT delivery via the home network to detect and stop faking: modify the SRI-SM response with a virtual MSC location (SCCP Called Party Address) and an IMSI mask (Correlation ID), and store the originating GT of the SRI-SM, the actual MSC location and the actual IMSI. Verify that an SRI-SM has occurred previously for a received MT. Validate the originating GT of the subsequent MT against the originating GT of the previous SRI-SM: if they match, there is no faking; replace the virtual MSC location with the actual MSC location, replace the IMSI mask (Correlation ID) with the actual IMSI, and forward on to the destination subscriber. If they do not match, the message is faked.
   - The system functions as an SMS Router in transparent mode according to 3GPP TR 23.840. As such, the system proxies any delivery status messages back to the originating SMSC.

SMS Flooding
   Implement rules that perform the following:
   - Monitor peak SMS message rates against expected levels. If observed rates are beyond expected levels, the source is identified for inclusion in a blacklist rule. Each source can be aged out over a user-configured amount of time.
   - Thresholding for known flooding addresses: per destination network node (or node type or group); per sending network or sending subscriber; across all sending networks or all sending subscribers.
   - Prevents abnormal traffic spikes from causing congestion to the point of service denial.
   - Enables optimization for legitimate traffic only.

Virus
   Implement rules that perform the following:
   - Detect and prevent known UDH virus patterns.
   - Verify UDH content is correctly formed according to GSM 03.40.

Unwanted Content
   Implement rules that perform the following:
   - Screen for pre-defined key words or pattern matches (regular expressions in message text).
   - Utilize message fingerprinting algorithms to identify and track spam and smishing attempts.
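The MT Faking row above describes a home-routing correlation between SRI-SM and the subsequent MT-ForwardSM. The following is an added example written for this page, not Sevis Systems code: the HLR contents, global titles, virtual MSC address and correlation-id format are all constructed, and the messages are reduced to the few fields the rules act on.

```python
"""Added example, not Sevis Systems code: home-routing correlation check
for MT faking modelled on the Table 3 rules. HLR contents, global titles,
the virtual MSC address and the correlation-id format are constructed."""
import itertools

VIRTUAL_MSC_GT = "19990000001"  # constructed: virtual MSC GT returned to external SMSCs

# Constructed HLR view: MSISDN -> (real IMSI, real serving MSC GT)
HLR = {"15551234567": ("310150123456789", "15550000010")}


class HomeRouter:
    """Transparent SMS router in the style of 3GPP TR 23.840 home routing."""

    def __init__(self):
        self._seq = itertools.count(1)
        # correlation id -> (originating GT of the SRI-SM, real MSC GT, real IMSI)
        self._pending = {}

    def handle_sri_sm(self, sccp_cgpa, map_sc_addr, msisdn):
        """Process an inbound SendRoutingInfoForSM from an external SMSC."""
        # Rule: SMSC address must be consistent between SCCP CgPA and MAP SC address.
        if sccp_cgpa != map_sc_addr:
            return {"result": "reject", "reason": "SC address mismatch across layers"}
        if msisdn not in HLR:
            return {"result": "reject", "reason": "unknown subscriber"}
        real_imsi, real_msc = HLR[msisdn]
        corr_id = f"999{next(self._seq):012d}"  # IMSI mask (correlation id), constructed format
        self._pending[corr_id] = (sccp_cgpa, real_msc, real_imsi)
        # The answer hides the real MSC and IMSI behind the virtual MSC and the mask.
        return {"result": "ok", "msc": VIRTUAL_MSC_GT, "imsi": corr_id}

    def handle_mt_forward_sm(self, sccp_cgpa, map_sc_addr, imsi):
        """Process an inbound MT-ForwardSM addressed to the virtual MSC."""
        if sccp_cgpa != map_sc_addr:
            return {"result": "reject", "reason": "SC address mismatch across layers"}
        entry = self._pending.get(imsi)
        if entry is None:
            # No SRI-SM preceded this MT (or the mask was reused): treat as faked.
            return {"result": "reject", "reason": "no preceding SRI-SM"}
        sri_origin_gt, real_msc, real_imsi = entry
        if sri_origin_gt != sccp_cgpa:
            # SRI-SM and MT came from different SMSCs: the MT is faked.
            return {"result": "reject", "reason": "originating GT differs from SRI-SM"}
        del self._pending[imsi]  # one MT per SRI-SM; a replay of the mask is rejected
        # Legitimate delivery: restore the real MSC and IMSI and forward to the subscriber.
        return {"result": "forward", "msc": real_msc, "imsi": real_imsi}
```

A production router would also expire pending entries and proxy the delivery report back to the SMSC that sent the SRI-SM, as the table notes.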

SMS Defense also comes with the capability to create whitelist rules to ensure that trusted entities are always allowed to pass so that service agreements are always maintained.
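The Virus row of Table 3 calls for verifying that the UDH is well formed per GSM 03.40. As an added example, not Sevis Systems code, the parser below checks the UDH structure (UDHL, then a sequence of IEI/IEDL/IED elements that must exactly fill the header); the fixed-length IEI table is a small subset chosen for the demo, and the sample PDUs are constructed.

```python
"""Added example, not Sevis Systems code: structural check of the SMS User
Data Header (UDH) in the spirit of the Table 3 rule "verify UDH content is
correctly formed according to GSM 03.40". Sample PDUs are constructed."""

# IEIs whose data length is fixed by the spec (subset used here):
# 0x00 concatenated SM, 8-bit ref; 0x08 concatenated SM, 16-bit ref;
# 0x04 application port, 8-bit; 0x05 application port, 16-bit.
FIXED_IEDL = {0x00: 3, 0x08: 4, 0x04: 2, 0x05: 4}

# Constructed samples: part 1 of 2 of a concatenated message, and a header
# whose element length claims more bytes than the header actually holds.
SAMPLE_OK = bytes([0x05, 0x00, 0x03, 0xAB, 0x02, 0x01]) + b"hello"
SAMPLE_OVERRUN = bytes([0x04, 0x00, 0x03, 0xAB, 0x02]) + b"hello"


def parse_udh(user_data: bytes):
    """Split a TP-UD that carries a UDH into (IEI, IED) pairs.

    Raises ValueError on any structural defect: the header must fit inside
    the user data, every element must fit inside the header, and fixed-length
    elements must carry exactly the length the spec gives them."""
    if not user_data:
        raise ValueError("empty user data")
    udhl = user_data[0]
    if 1 + udhl > len(user_data):
        raise ValueError("UDHL exceeds user data length")
    header = user_data[1:1 + udhl]
    elements, pos = [], 0
    while pos < len(header):
        if pos + 2 > len(header):
            raise ValueError("truncated information element")
        iei, iedl = header[pos], header[pos + 1]
        ied = header[pos + 2:pos + 2 + iedl]
        if len(ied) != iedl:
            raise ValueError("IEDL overruns the UDH")
        if iei in FIXED_IEDL and FIXED_IEDL[iei] != iedl:
            raise ValueError(f"IEI 0x{iei:02x} has wrong length {iedl}")
        if iei == 0x00:
            _ref, total, seq = ied
            if total == 0 or not 1 <= seq <= total:
                raise ValueError("inconsistent concatenation sequence")
        elements.append((iei, bytes(ied)))
        pos += 2 + iedl
    return elements


def udh_is_well_formed(user_data: bytes) -> bool:
    """Policy-style yes/no wrapper around parse_udh."""
    try:
        parse_udh(user_data)
    except ValueError:
        return False
    return True
```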

The figure below provides an example of an unauthorized mobile-to-mobile SMS delivery. The top half of the diagram shows what happens in the absence of a mobile-to-mobile SMS anti-spam and fraud solution such as SMS Defense, while the bottom half of the diagram demonstrates how the attempted SMS delivery is stopped when SMS Defense is present on the carrier's SS7 carrier-to-carrier interconnect links.

Example of an Unauthorized Mobile-to-Mobile SMS Delivery

Figure 4

1.3.2. Architecture
The figure below highlights SMS Defense's overall system architecture:

SMS Defense Overall System Architecture

Figure 5 (diagram labels: GUI Client, SMS Policy Server, Management Server, IP Network, Network Perimeter, SMS Def Platform, SMSC, Internal Network Nodes, STP or Gateway, Interconnect Carrier Network, SS7/Sigtran IP)

The SMS Defense system is composed of four core functional elements, all interconnected using secure IP-based network connections. Together, they form a highly available, best-of-breed architecture for defending networks and subscribers against SMS spam, spoofing, faking and flooding. The SMS Defense architecture allows operators to leave the flow of SMS traffic alone: it does not require re-engineering SMS routes within your network, and SMS Defense plugs transparently into the network as is. Furthermore, this exclusive architecture enables operators to control all types of inappropriate traffic, including fraudulent calls, SIM box calls and other unauthorized SS7 traffic, as provided by Active Fraud Eliminator and Signaling Defense.

Table 4. SMS Defense System Core Functional Elements.

Platform
- Responsible for transparent access to signaling messages and policy enforcement (i.e. blacklist rules, whitelist rules, etc.).
- Provides a distributed front end to the SMS Policy Server.
- Patented, carrier-grade platform requiring no SS7 point code to install.
- Can be deployed on SS7 Low Speed or High Speed links and Sigtran-based links.
- Automatic link protection provided via hardware-based relays that close automatically if a failure occurs, immediately connecting T1/E1 paired ports at the physical layer.
- Rack-mountable 2U chassis.
- Chassis clustering provides additional scalability to enable very large deployments.

SMS Policy Server
- Provides active-active, stateful backend analysis functions.
- Detects and controls SMS spoofing, faking, flooding and viruses.
- Provides keyword content filtering.
- May pass control policies to the SMS Defense Platform for enforcement.
- Provides message fingerprinting algorithms and techniques to identify and track spam and smishing attempts.
- Connects to the Platforms with redundant IP connections.
- Provides for easy expansion to enable additional processing power and scalability.
- Runs on standard Linux servers and can scale to thousands of messages per second.

Management Server
- Provides centralized system and application management.
- Allows carriers to simultaneously administer one or more platforms.
- Supports SNMP for forwarding faults and events to other network management systems.

GUI Client
- Menu-driven, point-and-click graphical user interface for policy creation and system management, including access to reporting functions.
- Configuration wizards, multi-level security access and intuitive status indicators.
- Java-based and can be loaded on any Windows or Linux computer.
- Network engineers do not have to go out into the field to troubleshoot issues.


2. Defense View
Defense View provides data mining capabilities for Signaling Defense, SMS Defense and AFE event logs, along with CDR generation for use in a carrier's visibility system or FMS.

2.1. Event Log Data Mining


Whenever a user policy triggers, it can be configured to generate a log (note 3). Each time a log is generated, it is stored in a centralized database. Defense View provides a carrier with the means to mine their event logs in order to refine their network policies as well as perform post-event analysis on an individual-event and multi-event basis. Examples of the filters available for mining log data include (a single query can include multiple filters):

- Rule ID: the rule that triggered the log.
- Message Type: the type of message that triggered the log.
- Originating Point Code: the originating point code of the message triggering the log(s).
- Destination Point Code: the destination point code of the message triggering the log(s).
- SMS Addresses: the originating and destination addresses of the SMS message triggering the log(s).
- Calling Party Number: the Calling Party Number of the message triggering the log(s).
- Called Party Number: the Called Party Number of the message triggering the log(s).
- Action: the action associated with the rule that triggered the log(s).
- Physical Equipment: the Platform(s) and card(s) associated with the log(s).
- Top Counts: most active.
- Bottom Counts: least active.
- Time of Day: time of day (range).

Example: Rule Trigger Event with Message Decode to See Parameter Values

Figure 6

Note 3. Please note an event can be defined as a policy causing a passive trigger, whereby an event is generated for a policy but no action beyond archiving that the event happened occurs (i.e. the message is not stopped, modified, rerouted, etc., only archived).


Example: Count of Rule Triggers per OPC and DPC Pair

Figure 7

2.2. CDR Generation


The Signaling ASE System (see Section 6) has the capability to generate CDRs for use by third-party Fraud Management and Network Visibility systems. CDRs can be generated while the system is in either listening or active mode.


3. Signaling ASE System: No Point Code, Many Solutions


3.1. System Overview
Signaling Defense, SMS Defense and Active Fraud Eliminator each utilize the patented Signaling ASE System, which is comprised of the ASE Platform (the transparent signaling network element) and the ASE Manager. Unlike other SS7 network elements or application delivery systems, the ASE Platform (image to the right) does not require an SS7 point code, eliminating the need for signaling network re-engineering and enabling rapid system deployment.

The ASE platform does not require a point code because it is a layer two node, whereas most other SS7/C7 network nodes are layer three devices. This means the ASE platform terminates signaling links up through layer two rather than layer three. Point codes live at layer three in SS7/C7; therefore, no point code is required. To account for discarded and/or inserted messages, independent Message Transfer Part (MTP) 2 sequence numbers are maintained on both sides of the platform, just as a layer three node would behave as messages are transferred from one link to another.

SS7/C7 link behavior does not change by deploying the ASE platform. It is fully compliant with all SS7/C7 network conformance standards. It does not hinder in any way the normal flow and function of traffic; in fact, all messages pass through by default. The platform does not generate any network management messages either, and link changeovers are still managed by the existing signaling endpoints.

The ASE Platform is NEBS certified and was designed for five nines availability. High availability is achieved with automatic link protection (ALP) features and redundant, hot-swappable components. ALP is provided via hardware-based relays, with relay contacts closing automatically if a failure such as power loss, RTM/TIM removal, RTM/TIM hardware failure or TIM software failure (loss of heartbeat) occurs. In the event of a failure, the system immediately connects T1/E1 paired ports at the physical layer, removing the TIM from the network quickly and cleanly and enabling the platform to appear as a wire to the network. With ALP and redundant, hot-swappable components, there are multiple layers of protection in hardware and software, ensuring signaling links are always up and running.

Automatic Link Protection

Figure 8 (diagram). Left panel, Normal Operation (Bridged): SS7 Link In passes through the TIM MTP Stack, TIM Applications and TIM RTM, with a heartbeat between them, to SS7 Link Out. Right panel, ALP Operation (Bypass): on heartbeat failure or hardware failure, SS7 Link In is relayed directly to SS7 Link Out, bypassing the TIM.


The ASE System can be utilized in either listening or active mode. In listening mode, it acts much like a probe in that it can copy all or selected SS7 messages and then route them over IP to another device for processing (useful in visibility and diagnostic applications, location services, etc.). In active mode, the ASE System can perform comprehensive message control, including being able to, on a message-by-message basis:

- Stop messages
- Threshold messages (allow X of N)
- Modify messages
- Respond to messages
- Re-route or offload messages (over IP, for example)
- Insert messages (such as SMS messages)
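The "allow X of N" threshold action listed above and the SMS Flooding rule in Table 3 (rate monitoring against expected levels, blacklisting the source, ageing the entry out) are illustrated by the following added example. It is not Sevis Systems code; the scope keys (sending GT, destination node), limits and timestamps are constructed for the demo.

```python
"""Added example, not Sevis Systems code: an "allow X of N" throttle and a
rate watchdog that blacklists a source exceeding its expected peak rate and
ages the entry out. Keys, limits and timestamps are constructed."""
from collections import defaultdict, deque


class SourceThrottle:
    """Allow at most `allow` of every `of` messages per key (allow X of N)."""

    def __init__(self, allow: int, of: int):
        if not 0 < allow <= of:
            raise ValueError("need 0 < allow <= of")
        self.allow, self.of = allow, of
        self._seen = defaultdict(int)

    def permit(self, key: str) -> bool:
        """Return True for the first `allow` messages of each block of `of`."""
        position = self._seen[key] % self.of
        self._seen[key] += 1
        return position < self.allow


class FloodWatchdog:
    """Blacklist a key whose message count over `window` seconds exceeds
    `max_rate`; the blacklist entry ages out after `ttl` seconds."""

    def __init__(self, max_rate: int, window: float, ttl: float):
        self.max_rate, self.window, self.ttl = max_rate, window, ttl
        self._history = defaultdict(deque)  # key -> recent timestamps
        self._blacklist = {}                # key -> expiry time

    def check(self, key: str, now: float) -> str:
        """Return 'pass', 'blacklisted' (threshold just tripped) or 'blocked'."""
        expiry = self._blacklist.get(key)
        if expiry is not None:
            if now < expiry:
                return "blocked"
            del self._blacklist[key]  # aged out: the source may send again
        recent = self._history[key]
        recent.append(now)
        while recent and recent[0] <= now - self.window:
            recent.popleft()
        if len(recent) > self.max_rate:
            self._blacklist[key] = now + self.ttl
            recent.clear()
            return "blacklisted"
        return "pass"


def screen(scope_keys, now, watchdog, throttle):
    """Run the watchdog over every scope key (sender, destination node, ...)
    and then the X-of-N throttle on the sender; any failure stops the message."""
    verdicts = [watchdog.check(k, now) for k in scope_keys]  # record every scope
    if any(v != "pass" for v in verdicts):
        return "stop"
    return "pass" if throttle.permit(scope_keys[0]) else "stop"
```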

The ASE Platform supports a diverse set of wireless, wireline and IP protocols and has an open architecture for rapid development of new software applications. Additionally, the ASE platform scales easily as a layer two node. It can support large deployments by simply clustering systems together via secure IP. Clustering is a straightforward process given that no point codes are required and the platform's backplane supports packet switching. This enables a distributed architecture that can support even the largest global networks. Multiple systems function and are managed as a single logical entity.

The ASE Manager provides centralized system and application management. Its distributed client/server architecture allows carriers to simultaneously administer multiple platforms. Alerts are sent via broadcast, pager, e-mail or SNMP to inform clients of any alarm situation, and the management interfaces of any platform or client can be encrypted.

The ASE Client ensures an intuitive provisioning experience with its menu-driven, point-and-click graphical user interface. System management is performed with user-friendly features including configuration wizards, multi-level security access and intuitive visual status indicators. With the ASE Client, network engineers do not have to go into the field to analyze or troubleshoot any issues. The Java-based client can be loaded on any Windows or Linux computer.


3.2. Technical Specifications


The following specifications apply to the Signaling ASE system and in turn to SMS Defense:

Table 5. Signaling ASE Technical Specifications.

Protocols
   ANSI: T1.111 MTP; T1.113 ISUP; T1.112 SCCP; T1.114 TCAP; AIN 0.1/0.2; IN; ANSI-41 D; WIN
   ITU/ETSI/3GPP: Q.701-Q.705, Q.707 MTP; Q.761-Q.764 ISUP; Q.711-Q.714 SCCP; Q.771-Q.774 TCAP; Q.721-Q.724 TUP; INAP CS-1/CS-2; GSM MAP; CAMEL
   Sigtran: M3UA; M2PA
   Application: SMPP; SS7oIP

Platform Specifications
   Power Supplies and Fans: N+1 redundancy; hot swappable; DC (-48V); A and B DC power feed
   Temperature Range: Operating -5C to +55C (23F to 131F); Storage -40C to +70C (-40F to +158F)
   Trunk Interface Module: up to four T1/E1s; up to 16 transparent low speed SS7 links; up to 1 transparent ATM high speed link; A, B, C, D, E, F links; channel associated signaling; T1/E1, RJ-48C; hot swappable; 3 10/100 Base-T Ethernet ports; drop and insert grooming; automatic link protection; LED status indicators; rear transition module
   Chassis: 2U high, rack-mountable chassis; 19-inch (482.6 mm) or 23-inch (584.2 mm) rack mount; packet switching backplane; 3 trunk interface module slots; up to 12 T1/E1s per platform; up to 48 transparent low speed SS7 links per chassis; up to 3 transparent ATM high speed links per chassis; chassis clustering; alarm status display module; telco alarm interface (dry/wet contact relay); 5 10/100 Base-T Ethernet ports; hardware/software status reporting

Management Server
   Architecture: centralized client/server; dual processor; RAID 5; hot-plug hard drives; hot-plug redundant power supplies; Java-based GUI client
   Event Management: event filtering with audible event notification; hardware/software status reporting
   Performance Management: CPU and memory utilization monitoring; link status monitoring; detailed platform/server statistics
   Security Management: user-configurable multi-level security access; user authentication and activity timeout; encrypted management interfaces
   User Management: concurrent users; user messaging

Regulatory Compliance
   NEBS Level III certified; ETSI 300 019 2-1 to 2-4; CE; FCC Part 15, Class A (CSA)
