IRJET-MODELING AND ANALYSIS OF RRC-BASED SIGNALING STORMS IN 3G NETWORKS

Published on May 2016


International Research Journal of Engineering and Technology (IRJET)
Volume: 02 Issue: 07 | Oct-2015

www.irjet.net

e-ISSN: 2395 -0056
p-ISSN: 2395-0072

MODELING AND ANALYSIS OF RRC-BASED SIGNALING STORMS IN 3G
NETWORKS
*1 Ms. Vinodini C., *2 Ms. Sangeetha Lakshmi G., *3 Ms. Ayesha K.

*1 M.Phil Research Scholar, Department of Computer Science, D.K.M. College for Women (Autonomous),
Vellore, TamilNadu, India.

*2 Assistant Professor, Department of Computer Science, D.K.M. College for Women (Autonomous),
Vellore, TamilNadu, India.

*3 Assistant Professor, Department of Computer Science, D.K.M. College for Women (Autonomous),
Vellore, TamilNadu, India.

---------------------------------------------------------------------***---------------------------------------------------------------------

Abstract - Mobile networks are vulnerable to
signaling attacks and storms that are caused by traffic
patterns that overload the control plane, and differ
from distributed denial of service (DDoS) attacks in the
Internet since they directly attack the control plane,
and also reserve wireless bandwidth without actually
using it. Such attacks can result from malware and
mobile botnets, as well as from poorly designed
applications, and can cause service outages in 3G and
4G networks which have been experienced by mobile
operators. Since the radio resource control (RRC)
protocol in 3G and 4G networks is particularly
susceptible to such attacks, we analyze their effect with
a mathematical model that helps to predict the
congestion that is caused by an attack. A detailed
simulation model of a mobile network is used to better
understand the temporal dynamics of user behavior
and signaling in the network and to show how RRC
based signaling attacks and storms cause significant
problems in the control plane and the user plane of the
network. Our analysis also serves to identify how
storms can be detected, and to propose how system
parameters can be chosen to mitigate their effect.

Key Words: radio resource control (RRC),
distributed denial of service (DDoS)

I. INTRODUCTION
SMART DEVICES have not gone unnoticed by
cyber-criminals, who have started to target mobile
platforms [1]-[4], and subscribers and mobile network
operators (MNOs) face new security challenges [5],
including the identification and mitigation of signaling
attacks and storms, which overload the control plane
through traffic that causes excessive signaling in the
network. The susceptibility of mobile networks to such
attacks has been identified [6]-[9], and they have now

© 2015, IRJET

become a reality that MNOs have to face regularly due to
deliberate, malicious actions either by malware running
on the smart devices inside the mobile network, or by
Internet hosts outside the core network.
Thus signaling attacks and storms are indeed an emerging
cyber-security threat in mobile networks, which are a
major component of our cyber infrastructure. As we look
at the future, we can expect that UMTS and LTE networks
will also support major machine-to-machine
communications [10] where the human being is not in the
loop to identify and remediate against an apparent attack.
In the first instance, we can expect that UMTS will have to
be secured against such attacks and into the future that
LTE should be an increasing
The mobile world witnessed its first botnet in 2012,
through which an attacker can disrupt mobile services by
a DDoS-like attack, overloading the control plane of the
mobile network through excessive signaling, rather than
the data plane as in traditional DDoS attacks in the
Internet. The attacker usually compromises a large
number of mobile devices forming a mobile botnet [16],
which can also be leveraged for other malicious activities
in addition to launching signaling attacks. Although in
principle some of these attacks can be mitigated by smart
routing [17] inside the core network, such facilities are
currently not available.
In order to improve the efficiency of the attack, the
attacker can actively probe the network in order to infer
the network's parameters, and also identify IP addresses
at specific locations within the network [21]. Indeed, a
review of 180 MNOs showed that 51% of them allow
mobile devices to be probed from the Internet, by either
assigning them public IP addresses, allowing IP spoofing,
or permitting mobile-to-mobile probing within the
network. Smart mobile devices are also increasingly used
in emergency management systems, especially in urban
environments. Thus they are likely to be targeted in
conjunction with other physical or cyber attacks in order

ISO 9001:2008 Certified Journal

to further compromise the safety and confidentiality of
civilians and emergency responders. Since the radio
resource control (RRC) protocol in UMTS and LTE
networks is susceptible to signaling attacks, the objective
of this paper is to analyze the effect of RRC-based
signalling attacks and storms in UMTS networks. While
earlier work in this area has focused on signalling
behavior from an energy perspective, we hope to provide
a greater understanding of the bottlenecks and
vulnerabilities in the radio signaling system of mobile
networks in order to pave the way for the detection and
mitigation of signaling attacks and storms. For this
purpose, we first present a probability model of signaling
state transitions for a single UMTS user, from which we
derive analytical results regarding the user's behavior
when attacked and the impact it has on the network. We
also present results from simulation experiments, which
enable us to clarify the temporal dynamics of user
behavior and signalling and to validate the mathematical
model. Then we show how certain specific system
parameters such as timeouts can be used to lessen or
mitigate the effect of storms and signalling attacks.

II. SIGNALLING STORMS
Signalling storms are similar to signalling attacks,
but they are caused by mobile applications that frequently
establish and tear down data connections in order to transfer
small amounts of data. Many mobile applications are designed
and developed by software companies who mainly have an
"Internet" background and thus are not familiar with the
control plane of mobile networks. They therefore assume
that connectivity is a given and design their applications
without taking into account the specifics of mobile
networks. A good example is the case of an Android VoIP
application popular in Japan, which used frequent keep-alive
messages even when the users were idle, causing a
signalling overload and a major outage in the mobile
network. In a similar incident, the launch of the free
version of the Angry Birds application on Android caused
excessive signalling load due to the frequent
communications generated by the in-game
advertisements. Such problems have prompted the mobile
network industry to promote best practices for developing
network-friendly applications.
Some applications, which may not normally generate
excessive signalling, go haywire when an unexpected
event occurs, such as loss of connectivity to an Internet
server. For example, an important feature of smart phones
is the ability to receive "push notifications" from cloud
services in order to notify the user of an incoming message
or VoIP call. This feature is enabled by having the mobile
device send periodic keep-alive messages to a cloud
server. In normal operation, this keep-alive period is a
large value, e.g. 5 minutes. However, if for any reason the
cloud service becomes unavailable, then the mobile device
will attempt to reconnect more frequently, generating
significantly higher signalling load than normal in the
process, as has recently been reported.
Recent incidents have shown that the threat of signalling
attacks and storms is very real and that they have the
potential to cause major outages in mobile networks.
Unlike flash crowds which last for a short time during
special occasions and events such as New Year's Eve,
signalling attacks and storms are unpredictable and they
persist until the underlying problem is identified and
resolved by the MNO. Considering their impact on the
availability and security of mobile networks, it is evident
that MNOs have a strong incentive to safeguard their users
from malware and to proactively detect and mitigate
signalling attacks and storms in order to protect their
infrastructure and services.

RAN). It
operates between the UMTS terminals, i.e. the user
equipment (UE), and the radio network controller (RNC).
Figure 1 shows the basic architecture of a UMTS network,
depicting the RAN and the core network (CN) elements
comprising the packet-switched domain of the mobile
network. The RNC is the switching and controlling network
element in the RAN. It performs radio resource
management (RRM) functions in order to guarantee the
stability of the radio path and the QoS of radio
connections by efficient sharing and management of radio
resources. The RRC protocol is utilized for all RRM-related
control functions such as the setup, configuration,
maintenance and release of radio bearers between the UE
and the RNC. The RRC protocol also carries all non-access
stratum signalling between the UE and the CN.
In order to manage the radio resources, the RRC
protocol associates a state machine to each UE, which is
maintained and synchronized at the UE and the RNC via RRC
signaling messages. The RNC controls the transitions
between the RRC states based on information it receives
from the UEs and the Node Bs on available radio resources,
conditions of the currently used radio bearers, and
requests for communication activity. As shown in Fig. 2,

there are typically four RRC states, given in order of
increasing energy consumption and data rate: idle, cell-PCH,
cell-FACH and cell-DCH. In the rest of this paper, we
refer to state cell-X simply as X. Whenever the UE is not in
the idle state, it is in connected mode and has a signalling
connection with the RNC. In connected mode, the location
of the UE is known by the RNC at the level of a single cell,
which is maintained by cell updates sent by the UE either
periodically or when it changes cells. We describe the RRC
states in more detail below.

IDLE: This is the initial state when the UE is turned on. In
this state, the UE does not have a signalling connection
with the RNC, and therefore the RNC does not know the
location of the UE. Its location is known by the CN at the
accuracy of the location area or routing area, which is
based on the latest mobility signalling the UE performed
with the CN. Any downlink activity destined for a UE in idle
mode will require paging in order to locate the UE at the
cell level. Since the UE does not have an RNC connection, it
cannot send any signalling or data until an RNC connection
has been established.
DCH: The UE is in connected mode, and the radio connection
uses resources dedicated to the UE. While in DCH,
the UE may use shared channels, dedicated channels or
both. The data rate of the connection is significantly higher
than the FACH state, but energy use is also higher.
PCH: This is a low-energy state that allows the UE to
maintain its RNC connection and thus stay in connected
mode, but it cannot send or receive any traffic while in this
state. While in PCH, the UE listens to paging occasions on
the paging channel. This state is optional and it can be
enabled or disabled by the MNO according to their policies.
Although the PCH state is a low-energy state, the UE still
consumes more power than in the idle state. Therefore,
some MNOs choose to disable the PCH state in order to
allow the UE to return to idle mode quickly and thus
reduce its energy consumption. We will investigate the
effect of the PCH state on signalling load.

Table : RRC state transitions and number of signaling
messages exchanged

Fig : Markov model of the signalling behavior of the UE

Fig : RRC states. The figure on the left shows the typical
number of signalling messages exchanged within the
RAN for each transition. The other figures show the
approximate energy consumption and maximum data
rate at the UE.

III RELATED WORK

The RRC protocol was designed to manage the
limited radio resources among multiple UEs and to
decrease energy use at the UE. It is therefore biased
towards demoting the UE to a lower state as soon as
possible, especially if the UE is in the DCH or FACH state.
Indeed, as the number of smart phones accessing UMTS
networks has increased, the industry has introduced
improvements and changes in order to get more data rate
out of limited radio resources, such as HSDPA and HSUPA,
and to improve the energy use of smart phones. For
example, fast dormancy enables the UE to indicate to the
RNC when it has no more uplink data to send for a speedier
demotion to the PCH or idle state. In addition, some MNOs
choose to disable the PCH state in order to allow the UE to
return to idle mode quickly and thus reduce its energy
consumption. As we will discuss in Sec. VI, this tendency to
perform hasty RRC demotions results in excessive signalling
load in the mobile network, especially in the case of
deliberate attacks or signalling storms that result from

poorly designed applications.
The RNC will customarily release radio resources for a UE
soon after activity ceases in its channel, making those
resources available for other UEs. Thus it uses short
inactivity timers, which are in the order of 2-10 seconds
(see Table I). These short timers make the RRC protocol
susceptible to signalling attacks, as an attacker that
approximately determines the values of the T1 and T2
timers can then launch a devastating attack from a
relatively small number of compromised UEs, as we
discuss in Sec. VI. In addition, when combined with the
"chatty" nature of many mobile applications, the tendency
to deallocate radio channels quickly necessarily leads to
increased RRC signalling in order to reconfigure or setup
channels that were released a short time ago, rendering the
mobile network vulnerable to RRC based signalling storms.
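
The interaction between short inactivity timers and chatty traffic described above can be reproduced with a small single-UE RRC state machine. This is an added example, not code from the paper: the timer values and the per-transition message counts are assumptions (the paper's table of message counts is not reproduced on this page), traffic bursts are treated as instantaneous, and the traces are constructed.

```python
from dataclasses import dataclass

# Assumed signalling messages per RRC transition (illustrative values only;
# the paper's table of message counts is not reproduced on this page).
MSGS = {
    ("IDLE", "FACH"): 15, ("IDLE", "DCH"): 20,
    ("PCH", "FACH"): 3, ("PCH", "DCH"): 10, ("FACH", "DCH"): 7,
    ("DCH", "FACH"): 5, ("FACH", "PCH"): 3,
    ("FACH", "IDLE"): 5, ("PCH", "IDLE"): 6,
}


@dataclass(frozen=True)
class RrcConfig:
    t1: float = 6.0      # DCH -> FACH inactivity timer in seconds (assumed)
    t2: float = 4.0      # FACH -> PCH (or idle) inactivity timer (assumed)
    t3: float = 1200.0   # PCH -> idle inactivity timer (assumed)
    pch_enabled: bool = True


def periodic(period, horizon, kind="low"):
    """Constructed traffic: one instantaneous burst every `period` seconds."""
    return [(t, kind) for t in range(0, horizon, period)]


def simulate(bursts, horizon, cfg):
    """Replay (time, kind) bursts for one UE; kind is "low" (FACH) or "high" (DCH).

    Returns the signalling messages caused by RRC transitions and the time the
    UE held a FACH/DCH channel, i.e. reserved radio resources.
    """
    state, clock = "IDLE", 0.0   # clock = start of the running inactivity timer
    msgs = transitions = 0
    held = 0.0

    def advance(at):
        nonlocal clock, held
        if state in ("FACH", "DCH"):
            held += at - clock
        clock = at

    def move(new_state, at):
        nonlocal state, msgs, transitions
        advance(at)
        msgs += MSGS[(state, new_state)]
        transitions += 1
        state = new_state

    def run_timers(until):
        # Apply every timer-driven demotion that expires up to time `until`.
        while True:
            if state == "DCH" and until - clock >= cfg.t1:
                move("FACH", clock + cfg.t1)
            elif state == "FACH" and until - clock >= cfg.t2:
                move("PCH" if cfg.pch_enabled else "IDLE", clock + cfg.t2)
            elif state == "PCH" and until - clock >= cfg.t3:
                move("IDLE", clock + cfg.t3)
            else:
                return

    for t, kind in sorted(bursts):
        if t >= horizon:
            break
        run_timers(t)
        target = "DCH" if kind == "high" else "FACH"
        if state == "DCH" or state == target:
            advance(t)           # activity in the current state restarts its timer
        else:
            move(target, t)      # promotion costs signalling
    run_timers(horizon)
    advance(horizon)
    return {"messages": msgs, "transitions": transitions,
            "msgs_per_s": msgs / horizon, "held_s": held}


def compare(horizon=3600):
    """One hour of constructed keep-alive traffic under four configurations."""
    scenarios = {
        "keep-alive 300 s": (periodic(300, horizon), RrcConfig()),
        "retry 10 s": (periodic(10, horizon), RrcConfig()),
        "retry 10 s, PCH off": (periodic(10, horizon), RrcConfig(pch_enabled=False)),
        "retry 10 s, T2 = 12 s": (periodic(10, horizon), RrcConfig(t2=12.0)),
    }
    return {name: simulate(b, horizon, c) for name, (b, c) in scenarios.items()}


if __name__ == "__main__":
    for name, r in compare().items():
        print(f"{name:22s} msgs={r['messages']:5d} "
              f"rate={r['msgs_per_s']:.3f}/s held={r['held_s']:.0f}s")
```

With these assumed values, the 10-second retry loop generates 2172 messages per hour against 84 for the 5-minute keep-alive, and disabling PCH raises it to 7200. Lengthening T2 to 12 s removes the churn (15 messages) at the price of holding the FACH channel for the whole hour.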

IV. MODELING SIGNALLING BEHAVIOR OF THE UE
Analytical models are a useful way to gain insight
into the main performance interactions within a
telecommunications system. Thus we will first review the
work in [43] for a single UE's signalling behavior which
focuses on the potential of causing signalling storms. We
then extend the analysis to include the effect of congestion
which limits the signalling load that a set of misbehaving
UEs can impose on the network during a storm.
Consider a UE which generates both normal and
malicious connections, and suppose that its RRC state
machine is described by Fig. 2. We will represent the state
evolution of the UE by a Markov model as presented in Fig.
3. Let $\lambda_L$ and $\lambda_H$ be the rates at which low and high
bandwidth connections are normally made, and $\mu_L$ and
$\mu_H$ be the rates at which these connections terminate.
Furthermore, denote by $F_L$ the state when the UE is using
the bandwidth of FACH, and by $D_L$ and $D_H$ the states when
low and high rate requests are handled while the UE is in
DCH. Since the amount of traffic exchanged in states $F_L$ and
$D_L$ is usually very small, we assume that their durations
are independent but stochastically identical. At the end of
normal usage, the UE transitions from $F_L$ to $F_0$ or from
$D_H$, $D_L$ to $D_0$, where $F_0$ and $D_0$ are the states when the UE
is inactive in FACH and DCH, and before the timers $T_2$ and
$T_1$ expire. If the UE does not start a new session for some
time, it will be demoted from $D_0$ to $F_0$, and from $F_0$ to $P$,
and will then return from $P$ to $I$ (i.e. PCH → Idle) when
inactivity timer $T_3$ expires. Since the UE is not able to
communicate in $P$, the transition $P \to I$ is performed by
having the UE first move to FACH, release all signalling
connections, and finally move to $I$.
The attacking or misbehaving connections falsely
induce the UE to move from one state to another without
the user actually having any usage for such requests. Since
in these cases a transition to an actual bandwidth usage
state does not take place, unless the user starts a new
session, the timers will demote the state of the UE.
Consequently, the attack results in the usage of network
resources both by the computation and state transitions
that occur for session handling, and through bandwidth
reservation that remains unutilised.
To perform a signalling attack, the attacker would
need to infer the radio network configuration parameters
(i.e. the timers T and radio link threshold ©), and also
monitor the user's activity in order to estimate when a
transition occurs so as to trigger a new one immediately
afterwards. Naturally there will be an error between the
actual transition time and the estimated one, and we
denote the expected value of the difference between the
two time instants by $T_L$ and $T_H$ for malicious transitions to
FACH and DCH, respectively. In a similar manner, if the
storm is caused by a misbehaving mobile application, then
$T_L$, $T_H$ represent the level of "synchronization" between
the malicious traffic bursts and the UE's state changes; for
instance $T_H = 0$ indicates the extreme case in which a high
rate burst is sent immediately after a demotion from DCH.

Finally, let $a^{-1}$ be the average time needed to
establish and/or release network resources during state
promotion or demotion $x \to y$, and $S_{xy}$ be the
corresponding state when the UE is waiting in state $x$ for
the transition to complete. Note that this overhead is
incurred only when the UE moves from one RRC state to
another, while changes within the same RRC state (e.g.
from inactive to active)
occur instantaneously and are seamless to the UE. If $\pi_s$ is
the stationary probability that the UE is in state $s$, then the
average signalling load (msg/s) on the RNC generated by
the UE due to both normal and malicious traffic is:

$$\gamma_r(w) = \pi_I \left[ (\lambda_L + T_L^{-1})\, r_{IF} + (\lambda_H + T_H^{-1})\, r_{ID} \right] + \pi_P \left[ (\lambda_L + T_L^{-1})\, r_{PF} + (\lambda_H + T_H^{-1})\, r_{PD} \right]$$
$$\quad + \left[ \pi_{F_0} + \pi_{F_L} \right] (\lambda_H + T_H^{-1})\, r_{FD} + \pi_{D_0} T_1^{-1}\, r_{DF} + \pi_{F_0} T_2^{-1} \left[ r_{FP}\, 1_{F \to P} + r_{FI}\, 1_{F \to I} \right] + \pi_P T_3^{-1}\, r_{PI}\, 1_{F \to P}, \qquad (1)$$

where the characteristic function $1_{x \to y}$ takes the value 1 if
the transition $x \to y$ is enabled
and 0 otherwise, and $w$ is a congestion parameter which
we define in the following section. The UE also generates
signalling with the CN whenever it moves from or to the
Idle state, leading to an average signalling load on the
SGSN given by:

$$\gamma_c(w) = \pi_I \left[ (\lambda_L + T_L^{-1})\, c_{IF} + (\lambda_H + T_H^{-1})\, c_{ID} \right] + \pi_{F_0} T_2^{-1}\, c_{FI}\, 1_{F \to I} + \pi_P T_3^{-1}\, c_{PI}\, 1_{F \to P}. \qquad (2)$$

A. Modeling Congestion in the Control Plane
The analytical model we just described can be solved in
closed-form when the average transition delays are

known, allowing us to determine the conditions and
parameters for which signalling misbehavior has the most
serious consequences on the network functioning. In
normal circumstances, state promotions and demotions
last for a few milliseconds that represent only a small
fraction of the total lifetime of a session. However, when
the mobile network servers become overloaded, as
during a signalling storm, the time needed to establish and
release connections also increases, which in turn limits the
maximum signalling load that a set of misbehaving UEs
can impose on the network. To better understand the
effect of a signalling storm, we develop a simple model for

Which consists of three components:




• Communication delay $t_{xy}[n]$ comprising
  propagation and transmission parts that are
  subject to the physical characteristics of the links
  traversed by the n-th signalling message
  exchanged during the transition. This delay
  depends only on the path followed by the message,
  and we ignore queuing at the transmission links,
  since signalling storms do not affect the data
  plane, and thus they do not translate into
  congestion in the wireless or wired links.
• Average queuing delay $w$ at the RNC signalling
  server, which is a function of the number of
  normal UEs served by the RNC $M_N$, the number of
  misbehaving ones $M_A$, and the RNC signalling load
  (1) of both normal $\gamma_N$ and misbehaving $\gamma_A$ UEs.
  Note that we do not represent congestion at the
  SGSN, since the CN is less susceptible to signalling
  storms, especially when PCH is enabled.

V. SIMULATION OF UMTS NETWORKS AND
SIGNALLING ANOMALIES
The mathematical model we have developed and
described in Sec. IV provides a good approximation of the
signalling behavior of the UE, and enables us to quickly
derive analytical results in order to investigate the effect of
signalling attacks and the values of the various network
parameters, such as the T timers, on signalling load.
In order to capture
aspects of the mobile network not explicitly represented in
the mathematical model, we have developed a discrete
event simulation (DES) model of the UMTS network,
focusing on the signalling layer in the RAN. We have
developed models of the UE, Node B, RNC, SGSN and GGSN,
and also models of the "Internet cloud" and Internet hosts
(i.e. servers). While we do not model the circuit-switched
(CS) domain explicitly, the SGSN model contains aspects of
the MSC server necessary to establish and tear down CS
calls, i.e. voice calls and SMS; our SGSN model is therefore a
hybrid of the SGSN and the MSC server.

1 Note that signalling message types are defined by the
3GPP standards and known a priori.
The performance of the simulation was an
important consideration in our model design, and in order
to be able to simulate large scale mobile networks, we have
adopted two approaches. First, we have developed our
simulation model so that we support distributed
simulation. We can therefore distribute elements of the
simulated mobile network over multiple logical processes
in order to leverage multiple hosts in a simulation,
allowing us to simulate much larger mobile networks than
would be possible with a single process. Second, we
combine packet-level and call-level representation of
communications in our model. Communications that are
natively message based or bursty in nature are represented
at the packet level. These include communications for SMS,
email, web browsing, and instant messaging. Other types of
communications are represented at the call level; examples
include voice calls, VoIP calls, and multimedia streaming.
In the control plane, the UE model consists of the session
management (SM), GPRS mobility management (GMM) and
RRC layers. In the data plane, it contains the application
layer, which has CS and IP applications representing all
user activity, the transport layer (TCP and UDP) and a
simplified IP layer that is adapted for mobile networks. We
have a simplified model of the RLC layer, but we do not
explicitly model the MAC and PHY layers; effects of changes
in radio conditions are modeled as random variations in
the data rate of the radio channels. Uplink and downlink
radio transmissions over a radio bearer (RB) are modeled
by two single server, single FIFO queue pairs, one for each
direction as shown in Fig. 4. The service time at the
transmission server is calculated based on the length of the
currently transmitted RLC packet and the current data rate
for the RB. Changes in the RB data rate are reflected on the
service time of the current packet. Each UE has one
signalling RB and one data RB. In addition to the
transmission delays for the RBs, propagation and
processing delays are also modeled. We also model the
usual communication delays (i.e. transmission,
propagation and processing delays) over wired links
connecting the different network elements, e.g. between
the RNC and the SGSN. Our RNC model has the RRC,
RANAP, NBAP and GTP protocols. The RRC model in the
RNC consists of a single signaling server and a single FIFO
queue, used to model the processing time for RRC signaling
messages. The server handles two classes of signaling
messages, where one class consists of signaling messages
that effect a state transition x — y (e.g. the RB setup
message), and the second class includes all other signaling
messages.
The
service


and deallocate radio resources by the RNC,
whereas a default and smaller service time is used for the
second class. In the analytical results presented in the next
section, K = 1, and v is calculated based on the 5r values as
defined here. As the handler of RRC state transitions, this
server will be one of the main points of interest in our
simulations, and as we discuss in Sec. VI it will become
overloaded as the severity of the signalling attacks
increases.

Fig: The simulation model of a radio bearer (RB),
consisting of a single server, single FIFO queue pair in
each direction. The uplink and downlink servers are
located at the UE and the Node B, respectively.

Web traffic model representing interactive user
browsing. Note that time is not drawn to scale.

Table: PARAMETERS OF THE WEB TRAFFIC MODEL
EXPERIMENTAL RESULT:
We performed simulation experiments in order to
investigate the effect of signaling attacks and storms due to
the RRC protocol on the RAN and the CN. We vary the
number of compromised or misbehaving UEs from 1% to
20% of all UEs. Both normal and misbehaving UEs generate
normal traffic based on the web browsing model described
above. The misbehaving applications are activated
gradually between 20 and 30 minutes from the start of the
simulation in order to prevent artifacts such as a huge
spike of signalling load due to many malicious applications
coming online at the same time. We collect simulation data
only from the period when all misbehaving UEs are active.
Each data point in the presented results is an average of
five simulation runs with different random seeds. The
relevant RRC protocol parameters are as given in Table I.
We also present analytical results derived from our
mathematical model together with the simulation results.
We observe that as a result of correctly adjusting the
parameters of the mathematical model based on initial
simulation results, and with the addition of the effect of
congestion into the model, the simulation and analytical
results show a high degree of agreement. We do not
present analytical results for Figs. 8b and 9 to prevent
repetition of similar results, and for Fig. 8a since the
mathematical model does not capture quality-of-experience.
shows the signalling load in the RAN under DCH
attacks, with PCH enabled and disabled. As TH decreases or
the number of attackers increases, the number of signalling
messages sent and received by the RNC towards the RAN
increases as expected. The rate of increase is dependent on

1/TH and higher when the number of attackers is high. We
can see that whether the PCH state is enabled does not
affect the behavior of the signalling load in the RAN
significantly, but it still decreases the signalling load. An
interesting observation is that when PCH is disabled, there
is a maximum load when the percentage of attackers is >
8% that is attained with a high TH . This is worrying since
it shows that a maximum signalling load can be induced in
the RAN by signalling storms when a sufficient number of
UEs misbehave without requiring a high level of
synchronization between the misbehaving application and
the RRC state machine. Enabling the PCH state addresses
this issue. Another

(a) PCH enabled (simulation)

(b) PCH disabled (simulation)

VI. CONCLUSION
In this paper, we have investigated the effect of
signalling attacks and storms in mobile networks, focusing
on signalling anomalies that exploit the radio resource
control (RRC) protocol. We presented a Markov model of
the signalling behavior of the UE and extended the model
for effects of congestion in the control plane. The analytical
model provides an accurate representation of the RRC
signalling behavior and allows us to reach quick analytical
results.
We have also developed a simulation of a UMTS
mobile network, and simulation experiments were used to
validate the mathematical model, resulting in its
improvement by the addition of concepts not previously
captured and the realistic setting of the model parameters.
We presented simulation and analytical results, looking at
how different components in the mobile network are
affected by signalling attacks and storms.
Our results show that RRC based signalling
anomalies can cause significant problems in both the
control plane and the user plane in the network, and
provide insight into how such attacks and storms can be
detected and mitigated. While we have focused on UMTS
networks in this work, the RRC protocol is also employed
in LTE networks, and any RRC related anomalies would
have a more severe impact in LTE networks since they
employ only two RRC states (connected and idle), and the
mitigating effect of the long T3 timer used in the PCH state
is non-existent in LTE networks.
Future work can exploit the insight gained in this paper
for the detection and mitigation of signalling attacks in
mobile networks. One aspect that requires attention is the
identification of possible locations, such as specific cells,
where attacks may originate, and methods related to
search and smart traffic routing may prove valuable in this
context. Another important aspect relates to identifying
sets of representative features for the detection of
signaling attacks and storms, and of the misbehaving UEs.
An important consideration is to prevent false positives as
much as possible so as not to punish normal "heavy" users.
We will also develop system wide models based on
queuing theory that represent a single user in a simple
manner, to study mitigation methods that involve
randomization and adaptively introducing artificial delays
in the state transitions of the UEs so that they may
automatically reduce the negative impact of attacks and
signalling storms.
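
The sketch below is an added example, not code from the paper: it replays packet arrival times through a simplified RRC inactivity-timer model to show why parking a UE in PCH under a long T3 timer avoids repeated connection setups, and why promotions per packet separate a chatty background application from a "heavy" user. The timer values, both traces and all function names are assumptions constructed for illustration.

```python
# Added illustration, not code from the paper. Simplified RRC inactivity-timer
# model for one UE that sends only small packets (DCH and timer T1 are omitted,
# and transition latencies are ignored).
# T2, T3 and both traces are constructed assumptions, not the paper's parameters.
T2 = 10     # seconds of inactivity in FACH before demotion (assumed)
T3 = 1200   # seconds of inactivity in PCH before release to IDLE (assumed)


def count_promotions(arrivals, t2=T2, t3=T3):
    """Replay packet arrival times (seconds) and count state promotions.

    t3=None disables PCH: FACH demotes straight to IDLE, which is also the
    two-state connected/idle behaviour of LTE.
    'from_idle' promotions need a new RRC connection and core-network
    signalling; 'from_pch' promotions are handled inside the RAN.
    """
    counts = {"from_idle": 0, "from_pch": 0}
    last = None                          # None: the UE starts in IDLE
    for t in sorted(arrivals):
        gap = None if last is None else t - last
        if gap is None or gap >= t2 + (t3 or 0):
            counts["from_idle"] += 1     # timers ran out: UE was back in IDLE
        elif gap >= t2:
            counts["from_pch"] += 1      # parked in PCH, connection kept
        # gap < t2: UE is still in FACH, no signalling is generated
        last = t
    return counts


def promotions_per_packet(arrivals, **timers):
    """Candidate detection feature: signalling-triggering promotions per packet."""
    c = count_promotions(arrivals, **timers)
    return (c["from_idle"] + c["from_pch"]) / len(arrivals)


# Constructed one-hour traces.
KEEPALIVE = [30 * i for i in range(120)]                       # 1 packet every 30 s
HEAVY = [s + i for s in (0, 1500, 3000) for i in range(600)]   # 3 dense sessions

if __name__ == "__main__":
    for name, trace in (("keepalive", KEEPALIVE), ("heavy", HEAVY)):
        print(name,
              "PCH:", count_promotions(trace),
              "no PCH:", count_promotions(trace, t3=None),
              "promotions/packet:", round(promotions_per_packet(trace), 4))
```

With PCH enabled the keep-alive trace needs a single setup from IDLE, while without it every packet does; the heavy user sends fifteen times as many packets yet triggers only three promotions in either configuration.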

REFERENCES

(C) PCH enabled (analytical)

© 2015, IRJET

[1] (2013, Jan.) TrendLabs 2012 annual security roundup:
Evolved threats in a post-PC world. Trend Micro. [Online].
Available:http://www.trendmicro.com/cloudcontent/us/p
dfs/security-intelligence/reports/rpt-evolved-threats-ina-post-pc-world.pdf

ISO 9001:2008 Certified Journal

Page 357

International Research Journal of Engineering and Technology (IRJET)
Volume: 02 Issue: 07 | Oct-2015

www.irjet.net

e-ISSN: 2395 -0056
p-ISSN: 2395-0072

[2] C. Raiu and D. Emm. (2012, Dec.) Kaspersky se¬curity
bulletin 2012: Malware evolution. Kaspersky Lab. [Online].
Available:http://www.securelist.com/en/analysis/204792
254/Kaspersky_Security_Bulletin_2012_Malware_Evolutin

[9] F. Ricciato, A. Coluccia, and A. DAlconzo, "A review of
DoS attack models for 3G cellular networks from a systemdesign perspective," Computer Communications, vol. 33,
no. 5, pp. 551-558, Mar. 2010.

[3] A. P. Felt, M. Finifter, E. Chin, S. Hanna, and D. Wagner,
"A survey of mobile malware in the wild," in Proc. 1st ACM
W'shop on Security and Privacy in Smartphones and
Mobile Devices (SPSM'11), 2011, pp. 3-14.

[10] T. Taleb and A. Kunz, "Machine type communications
in 3GPP net¬works: Potential, challenges, and solutions,"
IEEE Communications Magazine, vol. 50, no. 3, pp. 178184, Mar. 2012.

[4] M. Chandramohan and H. B. K. Tan, "Detection of
mobile malware in the wild," IEEE Computer, vol. 45, no. 9,
pp. 65-71, Sep. 2012.

[11] A. Ksentini, Y. Hadjadj-Aoul, and T. Taleb, "Cellularbased machine-to-machine: Overload control," IEEE
Network, vol. 26, no. 6, pp. 54-60,
Nov. 2012.

[5] E. Gelenbe, G. Gorbil, D. Tzovaras, S. Liebergeld, D.
Garcia, M. Baltatu, and G. Lyberopoulos, "Security for smart
mobile networks: The NEMESYS approach," in Proceedings
of the 2013 IEEE Global High Tech Congress on Electronics
(GHTCE'13), Nov. 2013.
[6] W. Enck, P. Traynor, P. McDaniel, and T. L. Porta,
"Exploiting open functionality in SMS-capable cellular
networks," in Proceedings of the 12th ACM Conference on
Computer and Communications Security (CCS'05), Nov.
2005, pp. 393-404.
[7] J. Serror, H. Zang, and J. C. Bolot, "Impact of paging
channel overloads or attacks on a cellular network," in
Proceedings of the 5th ACM Workshop on Wireless
Security (WiSe'06), Sep. 2006, pp. 75-84.
[8] P. P. Lee, T. Bu, and T. Woo, "On the detection of
signaling DoS attacks on 3G wireless networks," in
Proceedings ofthe 26th IEEE International Conference on
Computer Communications (INFOCOM'07), May 2007, pp.
1289-1297.

© 2015, IRJET

[12] Y. Chang, C. Zhou, and O. Bulakci, "Coordinated
random access management for network overload
avoidance
in
cellular
machine-to-machine
communications," in Proceedings of the 20th European
Wire¬less Conference, May 2014, pp. 1-6.
[13] H.-L. Fu, P. Lin, H. Yue, G.-M. Huang, and C.-P. Lee,
"Group mobility management for large-scale machine-tomachine mobile networking," IEEE Transactions on
Vehicular Technology, vol. 63, no. 3, pp. 1296¬1305, Mar.
2014.
[14] D. Maslennikov and Y. Namestnikov. (2012, Dec.)
Kaspersky security bulletin 2012: The overall statistics for
2012.
Kaspersky
Lab.
[Online].
Available:
http://www.securelist.com/en/analysis/204792255/
Kaspersky_Security_Bulletin_2012JTie_overall_statisticsJfo
r_2012
[15] E. Gelenbe and G. Loukas, "A self-aware approach to
denial of service defence," Computer Networks, vol. 51, no.
5, pp. 1299-1314, April 2007.

ISO 9001:2008 Certified Journal

Page 358
