
Anomaly Detection in Cellular Machine-to-Machine Communications

Ilona Murynets
AT&T Security Research Center, New York, NY

Roger Piqueras Jover

AT&T Security Research Center, New York, NY

Abstract: Communication networks are rapidly evolving with connectivity reaching far beyond cell-phones, computers and tablets. Novel applications are emerging based on the widespread presence of network-enabled sensors and actuators. Machine-to-Machine (M2M) devices such as power meters, medical sensors and asset tracking appliances provide a new dimension to telecommunication services. The majority of these novel systems require low bandwidth and base their communications and control protocols on the Short Messaging Service (SMS). SMS-based attacks pose a serious threat to M2M devices and the servers/users communicating with them. Researchers have demonstrated how to remotely control embedded devices and leverage them for malicious message floods. These attacks can potentially be masked by the massive amounts of legitimate text messages traveling the airwaves daily and providing data connectivity to these connected M2M appliances. In this paper we propose two algorithms for detecting anomalous SMS activities and attacks on the aggregate, cluster and individual device levels. Once an algorithm detects an anomaly, it automatically determines the cause of the anomaly. The effectiveness of the algorithms has been demonstrated on real-life SMS communication traffic of M2M devices connected to the network of one of the main tier-1 providers in the US.

I. INTRODUCTION

Wireless networks are extending beyond computers and cellphones. The number of network-enabled objects interacting with each other has been growing very rapidly in recent years. The transition towards IPv6 might drive this trend to a point where every single consumer item could be IP addressable. The convergence of the Internet and cellular mobility networks is enabling new Machine-to-Machine (M2M) communication systems as part of the Internet of Things (IoT) [19]. Currently deployed applications span from connected cars to remote health-care systems [6]. In fact, forecasts preview the health industry as one of the main drivers of the M2M market over the next few years [2]. Machine-to-machine applications are experiencing a drastic growth backed up by large investments from network operators [5]. Current studies forecast M2M systems to be 1000 times more profitable than mobile data and as lucrative for operators as the Short Messaging Service (SMS) [15]. In the industry there is consensus that there will be a drastic growth in mobile cellular connectivity from M2M and embedded mobile applications. More than 50 billion non-personal data-only mobile devices are expected to join existing networks in the near future [1].

Enabling reliable security architectures to support such systems is one of the major challenges in the industry. There are important security implications in M2M communications, especially in critical applications such as remote health monitoring and home detention convict control. Embedded devices and their traffic are not owned or managed by the cellular network operator but by the service provider. M2M service suppliers might not have the capability and resources to secure M2M systems against malicious attacks. In this context, network-based security strategies have great potential in securing embedded devices and M2M systems.

In this paper we introduce two anomaly detection algorithms for cellular-based M2M communication systems. The proposed algorithms are based on a volumetric and a contact-based analysis. The latter is based on tracking and analyzing the connections (contacts) each device has. The combination of both algorithms is able to detect all kinds of anomalies independently of their intensity and characteristics, including all kinds of Denial of Service (DoS) attacks and internal system or server failures. They aim for a rapid detection of and reaction to network anomalies. These algorithms can also be used to monitor M2M device communications to ensure they are not remotely controlled as part of a botnet. Once an anomaly is detected, the algorithm is capable of a rapid diagnosis. The algorithms are tested on real traffic observations from one of the main tier-1 cellular providers in the United States. We focus on widespread novel M2M applications and systems that interconnect common network-enabled devices with critical security requirements: remote health monitoring and home detention control. Six months of data are analyzed for hundreds of thousands of unique M2M devices in each category.

The rest of the paper is organized as follows. Section II reviews the related work on M2M communications security and privacy. Section III describes the data sets used in the analysis and evaluations in this paper. In Section IV a preliminary cluster-based analysis of M2M communications and the anomaly detection algorithms and their corresponding results are presented. Finally, Section V presents the concluding remarks.

II. RELATED WORK

Security and privacy are two of the main challenges of M2M communications and the Internet of Things. The authors of [9] discuss the emerging threats M2M deployments face due to their unique limitations in terms of connectivity, computational power and energy budget. Different approaches are being adopted, both securing the device itself [22] and proposing network/provider-based architectures [3] that benefit from the existing authentication assets of a cellular telecom operator. In parallel, privacy is increasingly becoming one of the major concerns in this kind of system, especially with the surge of applications handling critical information. In this context, [11] analyzes the privacy and security implications of network-enabled medical environments.

Despite the increasing focus on securing M2M communications, efforts still have to be made to design effective security architectures and transfer them into actual system deployments. An alarming lack of basic security features in certain applications has allowed researchers to discover new vulnerabilities and attack vectors. Multiple exploits have recently been identified [8], [18], heightening the concern in this area. Researchers have demonstrated that certain flaws in networked appliances can damage the end device and, potentially, even harm human beings. The media recently covered the case of a hacker who demonstrated how to remotely tamper with insulin pumps [17]. Other studies have shown the feasibility of gaining control over network-enabled devices by means of deploying rogue base stations [10]. Remotely unlocking the door and igniting the engine of a car has been proven possible as well [21]. Along the same lines, a recent study identifies a popular geo-location platform that transmits application information as plain text in the body of text messages, which allowed researchers to reverse engineer its communication system [4]. All these make clear the necessity for advanced and accurate attack and misuse detection schemes for M2M networks.

Scalability is also a great concern in the scope of the IoT. Forecasts state that M2M traffic will soon become a challenge for network operators [1]. Even in the context of 4G LTE (Long Term Evolution) security, M2M traffic is considered a big factor in the equation [16]. The huge number of devices trying to connect wirelessly could potentially overwhelm the network due to high traffic volume. Researchers have recently demonstrated theoretically that large loads of SMS communications can potentially overflow network links due to the cellular network architecture, resulting in long delays and messages being lost [14], [20]. It is necessary to implement systems capable of monitoring and detecting potential system anomalies caused by traffic overloads.

III. DATA

The algorithms presented in this paper are tested on a 6-month (November 2011 - April 2012) data sample of real SMS communication from over 430,000 individual Machine-to-Machine devices. The data is obtained from anonymized Call Detail Records (CDR) of one of the major tier-1 cellular providers in the United States. CDRs are records logged each time a phone call or text message is sent over the network. In the case where the two communicating ends are connected to the same provider, a pair of records is stored. The Mobile Originated (MO) record logs the data of the transmitting party, while the Mobile Terminated (MT) record stores information of the receiver. Table I lists the CDR fields handled in our analysis. The originating and terminating phone numbers are completely anonymized and only the first 8 digits of the International Mobile Equipment Identity (IMEI) are parsed, discarding individual serial numbers. This first portion of the device identifier, known as the Type Allocation Code (TAC), determines the manufacturer and model of the wireless device. In the case of an M2M connected device, the TAC identifies the embedded cellular modem (e.g. Sierra Wireless Q2687).
TABLE I: Call Detail Record Fields

  Field      Description
  Time       Transmission/reception time and date
  Orig       Originating number
  Term       Terminating number
  Call type  M2M originated/terminated SMS
  IMEI       International Mobile Equipment Identity

We query data from two popular and widely deployed M2M applications with strong security requirements: personal medical monitoring and personal location monitoring. These systems base a substantial amount of their correspondence on text messages (SMS) sent over the cellular network. In some cases SMSs are the only means of communication enabled at the devices. From within each device type, we collect data for one single anonymized manufacturer/model pair. In both cases we select a personal usage device. To generate each data set, a specific list of the approved embedded devices and their application is obtained from the same US network operator. Device families are identified strictly based on the TAC, and we obtain millions of M2M SMS transactions, generating an accurate data set for each category. In total, we process data for over 430,000 individual devices.

To complete the study, we query the tier-1 cellular provider's Short Code database. These special phone numbers are assigned to service providers to deliver M2M applications and are the equivalent of the phone number of the service provider. This further input gives us insight and information on the gateways these mobile-enabled appliances communicate with.

All the results presented in Section IV are generated with real network data from the medical remote monitoring and personal remote monitoring device categories. It is important to highlight that all the results in this paper have been normalized to two arbitrary numbers (one for aggregated and one for individual loads) in order to obfuscate the real messaging load that these M2M devices generate.

IV. NETWORK-BASED M2M ANOMALY DETECTION

The anomaly detection algorithms herein presented are based on a contact-based and a volumetric approach. A volumetric approach is often applied to anomaly detection in other contexts such as IP networks [13].
Our algorithms aim to detect both large anomalies, such as Distributed Denial of Service (DDoS) attacks, as well as other lighter effects such as a server being down. Detection based on just aggregated data might hide some potential anomalies. At the same time, individual-based analysis of communication patterns could be very inefficient given the sparse nature of M2M traffic. Figure 1 plots an example of the typical messaging behavior of an M2M device. It can be observed that the traffic is indeed low and very sparse. Therefore, we propose to analyze devices by clusters with similar communication patterns. Section IV-A presents a preliminary analysis that identifies clusters. Sections IV-B and IV-C describe the proposed contact-based and volumetric anomaly detection algorithms. Examples based on real M2M network data demonstrate the performance of the algorithms in both of the latter sections.

[Fig. 1 plot omitted: x-axis Date (Nov 15 to May 1), y-axis normalized MO SMS count]

Fig. 1: Example: normalized number of MO SMSs for one individual M2M device

A. Preliminary clustering

SMS communications between M2M devices can be represented by a graph, where each node represents an M2M appliance or a short code/device (i.e. smart-phone) it communicates with, and each edge represents an SMS exchange between them. Typically, communication graphs of cell phone users exhibit a power-law-like distribution of the node degrees: a few nodes have a very high degree and the majority exhibit a smaller degree. This can be explained by the influence of human social interactions on cell phone usage. On the other hand, M2M devices are machines which are not inter-connected with the structure of a social network. Thus, the communication graph of M2M devices is different from that of cell phone communications.

Figure 2 shows a communications graph for a specific anonymized device model (personal medical monitoring), with blue and green colors representing M2M devices and short codes/cell-phones respectively. The red color indicates an edge between two nodes. The vertex set consists of all nodes that send or receive at least one text message to/from an M2M device of the given category during the time period between November 1st and 15th 2011. It is formed by a number of disconnected star-shaped clusters. The majority of M2M devices belong to clusters which have a short code as central node (clusters 2, 3, 4, 5, 6 in Figure 2). Some other M2M devices form star-shaped clusters around themselves (clusters 9 and 10 in Figure 2). A very small number of M2M devices belong to a snowflake-shaped cluster (cluster 1 in Figure 2). Nodes in this cluster communicate with multiple devices including a single common short code. The snowflake cluster is the one gathering the highest number of non-M2M devices in the whole M2M network for this specific device model. Other common structures observed in all M2M communication networks are point-to-point connections. This is typically the case of personal networked appliances connected to, for example, the owner's smart-phone.

[Fig. 2 graph omitted]

Fig. 2: M2M communication network: Personal medical monitoring

Anomalies in M2M devices are often cluster-dependent. An example of this can be observed in Figure 3. Figure 3 (a) plots the aggregated number of MO SMSs generated by the devices in the personal medical monitoring category. In parallel, Figures 3 (b)-(d) display the number of MO SMSs sent by devices in the second, third and fourth clusters. One can observe that the anomalies (spikes) in the aggregated data on November 15, February 1, March 3, 16 and 20 were caused by devices from Cluster 2, while the anomaly on April 5 was caused by Clusters 3 and 4. At the same time, an anomaly on December 10 in Cluster 3 data was masked by the large load of messages from other clusters in the aggregated data.

[Fig. 3 plots omitted; x-axis Date (Nov 15 to May 1), y-axis normalized MO SMS count]
(a) Normalized aggregated number of MO SMSs
(b) Normalized number of MO SMSs in Cluster 2
(c) Normalized number of MO SMSs in Cluster 3
(d) Normalized number of MO SMSs in Cluster 4

Fig. 3: Normalized aggregated time series of MO SMS load for the medical devices network (a,b) and the clusters in Figure 2 (c,d and e)

B. Contact-based anomaly detection

This section describes the proposed contact-based anomaly detection algorithm. Based on the knowledge extracted from the preliminary clustering in Section IV-A, when a new M2M device joins the network, just a few messages are necessary to determine what cluster it belongs to. Once a new M2M device $i$ sends or receives a first text message (at time $t_i$), a training period starts. A list $h_i(t_i + T)$ of anonymized phone numbers that the device has communicated with during this period is stored. The training period duration $T$ can be from one hour to one week depending on the device category and the load it generates.
After the training period, devices are assigned to one of the existing clusters based on their communication history $h_i(T)$. If the history does not match any of the existing clusters, a new cluster is formed. Note that clusters containing fewer than 1% of all nodes in the network are combined into a single bigger cluster. Let $H_j(t) = \bigcup_{i:\, t_i + T < t} h_i(t)$ define the aggregated contact history of cluster $j$ at time $t$. During the testing period, for a given device $i$ from cluster $j$, the current contacts $c_i(\tau)$ are monitored during a time window $\tau$. The number of new contacts of the device and the number of new contacts with respect to the whole cluster are calculated as $n_i(\tau) = |c_i(\tau) \setminus h_i(t_i + T)|$ and $N_i(\tau) = |c_i(\tau) \setminus H_j(\tau)|$ respectively. Note that a new contact is a message sent to or received from a device that had not been observed during the training period. The algorithm monitors the number of new device contacts $s(\tau) = \sum_{i=1}^{K_j} n_i(\tau)$, where $K_j$ is the number of M2M devices in cluster $j$. The total number of new cluster contacts is $S(\tau) = \sum_{i=1}^{K_j} N_i(\tau)$. Whenever $s(\tau) > \theta_1$ or $S(\tau) > \theta_2$, an alarm is raised; $\theta_1$ and $\theta_2$ are the detection thresholds.

This contact-based algorithm provides detection capabilities against DDoS attacks both originated from a botnet of remotely controlled M2M appliances and directed against the actual M2M cellular infrastructure (i.e. M2M nodes and short codes). Note that this algorithm allows for anomaly detection and diagnosis. Once a deviation from the expected messaging pattern is detected, one can determine what device or cluster of devices generated the anomaly.

The performance of the algorithm is demonstrated by detecting an artificial DDoS attack in the remote medical monitoring device message load. Anomalous traffic is injected in the data corresponding to February 20th. It consists of one message sent to an unknown external short code by 1000 randomly selected M2M devices. Figure 4 (a) plots the aggregated number of MO SMSs with the injected anomaly. Note that the anomaly is hidden in the data due to the large amount of overall traffic generated by this M2M device category. Therefore, it would be very challenging to detect the anomaly using a volumetric-based detection method.

[Fig. 4 plots omitted; (a) x-axis Date (Nov 15 to May 1), y-axis normalized MO SMS count; (b) x-axis Time (Nov 1 to May 1), y-axis New Contacts]

Fig. 4: Contact-based anomaly detection: Normalized aggregated number of MO SMSs (a) and anomaly detection control chart for Cluster 2 (b)

However, the proposed contact-based method succeeds in detecting the anomaly. Figure 4 (b) plots the alarm control chart $s(\tau)$, which highlights a clear spike in the number of new contacts for Cluster 2. In this case, $\tau$ is a 1-day sliding window between November 15th and May 1st and the threshold $\theta_1$ equals 100. Nevertheless, a contact-based method is less efficient in detecting other kinds of irregularities, such as system failures that lead to, for example, a whole cluster of M2M devices being down. In order to tackle such situations, a volumetric-based anomaly detection algorithm is introduced.

C. Volumetric-based anomaly detection

In this section, a volumetric cluster-based method for anomaly detection and diagnosis is presented. This algorithm allows one to identify and track devices and short codes involved in system failure anomalies. It uses data at both the cluster and individual levels. On the individual level, it monitors four time series $m_i^{k_1}(t)$, $k_1 = 1, \ldots, 4$: the number of MO and MT SMSs and the number of MO and MT contacts for customer $i$ at time $t$. On the cluster level, ten time series $M_j^{k_2}(t)$, $k_2 = 1, \ldots, 10$, are monitored for each cluster $j$: the number of mobile originated (MO) and mobile terminated (MT) messages, the number of unique SMS originating and terminating M2M devices, the number of unique non-M2M senders and recipients, and their entropies. Note that MO SMSs are those sent by M2M devices and cell-phones to the M2M short codes, while MT SMSs are sent in the opposite direction.

Principal Component Analysis (PCA) [12] is used to reduce the data dimensionality and extract uncorrelated features. If the principal components are autocorrelated, differencing of the time series is applied. Anomalies in the principal components are detected by a density-based outlier detection algorithm and their timing $\{t_1, t_2, \ldots, t_G\}$ is monitored. In order to diagnose the cause of the anomaly at time $t_g$ ($g = 1, \ldots, G$) and identify the M2M devices involved in it, the following drawdown measure [7] is used:

$$D(t_g) = \max\left[0,\ \max_{t \in (0, t_g)} m_i^{k_1}(t) - m_i^{k_1}(t_g)\right].$$

In the event that the drawdown goes above a predefined threshold, an alarm is raised for that specific device.

In order to show how the algorithm works we study data for the second device category: anonymized personal monitoring devices. Figures 5 (a) and (b)-(d) plot the aggregated and cluster-level load of MO SMSs respectively. Observation of Figures 5 (a) and (b) clearly indicates that devices from cluster C1 contributed to the anomalies in the aggregated data. Principal component analysis is performed for the data in cluster C1. Figures 6 (a) and (b) show the first principal component and its lag 1 difference. Figure 6 (c) shows that values of the lag 1 difference of the first principal component that are above 200 or below -200 are outliers, and identifies anomalies in the M2M SMS traffic on February 16th, March 20th, 23rd and 28th. Once the anomaly is detected, it is important to identify which specific devices contributed to it. All the devices that generated the anomaly on February 16th were detected using the drawdown measure. As expected, all these devices belong to cluster C1. Figure 7 plots the MO SMS traffic of 3 of these identified devices. Simple observation of the figure highlights the clear and abrupt declines in the traffic of the devices that generated the anomaly on February 16th.

[Fig. 5 plots omitted; x-axis Date (Nov 15 to May 1), y-axis normalized MO SMS count]
(a) Normalized aggregated number of M2M MO SMSs
(b) Normalized number of M2M MO SMSs in Cluster C1
(c) Normalized number of M2M MO SMSs in Cluster C2
(d) Normalized number of M2M MO SMSs in Cluster C3

Fig. 5: Normalized aggregated time series of MO SMS load for the home detention network (a) and for 3 sample clusters (b,c,d)

[Fig. 6 plots omitted; x-axis Date (Nov 15 to May 1)]
(a) The first principal component
(b) Lag 1 difference of the first principal component for Cluster C1
(c) Histogram of Lag 1 Difference of the first principal component for cluster C1

Fig. 6: Principal Component Analysis

[Fig. 7 plots omitted; x-axis Date (Nov 15 to May 1), y-axis normalized MO SMS count]

Fig. 7: Example of the normalized number of MO SMSs from 3 devices causing the anomaly in Figure 5

V. CONCLUSIONS

This paper presents two accurate anomaly detection algorithms for M2M communication systems over cellular networks. Once an anomaly is detected, they are capable of an accurate diagnosis. This allows the detection of both system failures and actual malicious attacks against the M2M infrastructure. Both algorithms can also identify M2M embedded devices that have been compromised and are under remote control by an external attacker. The algorithms can be combined in order to provide detection capabilities against all kinds of anomalies. The first algorithm is contact-based and is proven to be efficient against DDoS attacks and other anomalies characterized by an increase in the SMS load or a redirection of the SMS load aiming to saturate a specific node. The second algorithm is volumetric-based and can detect anomalies characterized by a decrease in the traffic load. This could be caused by system failures such as servers being down or a large-scale failure of M2M connected devices.

Both algorithms are tested with 6 months of real network data from over 430,000 networked M2M devices in the form of SMS Call Detail Records. Results are obtained for two device categories with strong security requirements, namely personal medical monitoring and personal location monitoring. One anonymized device model from each category is analyzed. The presented results indicate the effectiveness in detecting DDoS loads that are masked by the large load of legitimate messaging traffic most M2M systems generate. A malicious anomaly is injected in the traffic and detected by the contact-based method. In parallel, the volumetric detection engine successfully identified an anomaly caused by several M2M connected devices within a given cluster being down.

REFERENCES

[1] More than 50 billion connected devices. Ericsson White Paper, Ericsson, February 2011. wp-50-billions.pdf.
[2] M2M News Weekly. Connected World Magazine, January 2012. NEWS120103083345260.
[3] S. Agarwal, C. Peylo, R. Borgaonkar, and J. Seifert. Operator-based over-the-air M2M wireless sensor network security. In Intelligence in Next Generation Networks (ICIN), 2010 14th International Conference on, pages 1-5, Oct. 2010.
[4] D. Bailey. War Texting: Weaponizing Machine to Machine. In BlackHat USA, 2011. isec bh2011 war texting.pdf.
[5] K. Benedict. M2M News Weekly. Sys-Con Media, December 2011.
[6] A. Berg. Gadgets: New Connected Devices Put Smartphones in the Middle. Wireless Week, January 2012. gadgets-new-connected-devices-smartphones-in-the-middle/.
[7] A. Chekhlov, S. Uryasev, and M. Zabarankin. Drawdown measure in portfolio optimization. 2003.
[8] M. Hatamoto. The reality of hacking medical devices. DailyTech, September 2011.
[9] C. Hongsong, F. Zhongchuan, and Z. Dongyan. Security and trust research in M2M system. In Vehicular Electronics and Safety (ICVES), 2011 IEEE International Conference on, pages 286-290, July 2011.
[10] Hunz. Machine-to-Machine (M2M) Security. In Chaos Communication Conference Camp, 2011. attachments/1883 m2m.pdf.
[11] A. Jara, M. Zamora, and A. Skarmeta. An architecture based on internet of things to support mobility and security in medical environments. In Consumer Communications and Networking Conference (CCNC), 2010 7th IEEE, pages 1-5, Jan. 2010.
[12] I. Jolliffe and MyiLibrary. Principal component analysis, volume 2. Wiley Online Library, 2002.
[13] A. Lakhina, M. Crovella, and C. Diot. Characterization of network-wide anomalies in traffic flows. In Proceedings of the 4th ACM SIGCOMM conference on Internet measurement, pages 201-206. ACM, 2004.
[14] I. Murynets and R. Piqueras Jover. How an SMS-based malware infection will get throttled by the wireless link. In IEEE ICC 2012 Communication and Information Systems Security Symposium (ICC'12 CISS), Ottawa, Ontario, Canada, June 2012.
[15] T. Norman. Machine-to-Machine traffic worldwide: forecasts and analysis 2011-2016. Technical Report, Analysys Mason, September 2011.
[16] A. R. Prasad. 3GPP SAE/LTE Security. In NIKSUN WWSMC, July 2011. WWSMC July26 AnandRPrasad.pdf.
[17] J. Robertson. Hacker Shows Off Lethal Attack By Controlling Wireless Medical Device. Bloomberg Tech Blog, February 2012. http://preview.
[18] M. Smith. Hacking For Privacy: 2 days for amateur hacker to hack smart meter, fake readings. NetworkWorld, January 2012. http://www.
[19] M. Starsinic. System architecture challenges in the home M2M network. In Applications and Technology Conference (LISAT), 2010 Long Island Systems, pages 1-7, May 2010.
[20] P. Traynor, M. Lin, M. Ongtang, V. Rao, T. Jaeger, P. McDaniel, and T. La Porta. On cellular botnets: measuring the impact of malicious devices on a cellular network core. In Proceedings of the 16th ACM conference on Computer and communications security, CCS '09, pages 223-234, New York, NY, USA, 2009. ACM.
[21] C. Trout. Hackers break into Subaru Outback via text message. Engadget, August 2011.
[22] A. Ukil, J. Sen, and S. Koilakonda. Embedded security for internet of things. In Emerging Trends and Applications in Computer Science (NCETACS), 2011 2nd National Conference on, pages 1-6, March 2011.
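The contact-based algorithm of Section IV-B, worked through on constructed CDR records as an added example (this is not the paper's code): training histories $h_i$, cluster histories $H_j$, the per-window counts $n_i$, $N_i$, $s(\tau)$ and $S(\tau)$, and the $\theta_1/\theta_2$ alarm with device-level diagnosis. The device and short-code identifiers, the 24-hour $T$ and $\tau$, the thresholds and the rule that windows start at the earliest end of training are assumptions of the example; the merging of clusters below 1% of all nodes is omitted.

```python
"""Contact-based SMS anomaly detection over constructed CDR records (stdlib only)."""
from collections import defaultdict

# Constructed sample: M2M devices are "devNN", short codes are "SC-*"; none of this is real data.
DEVICES = {f"dev{d:02d}" for d in range(1, 9)}


def make_cdrs():
    """Return (time_in_hours, originating_id, terminating_id) records, sorted by time."""
    cdrs = []
    # Cluster A: dev01..dev05 report to short code SC-A every 12 hours; dev05 also uses SC-C.
    for d in range(1, 6):
        cdrs += [(t, f"dev{d:02d}", "SC-A") for t in range(0, 24 * 8, 12)]
    cdrs.append((6, "dev05", "SC-C"))
    # Cluster B: dev06..dev08 report to SC-B daily and receive an MT reply an hour later.
    for d in range(6, 9):
        for t in range(3, 24 * 8, 24):
            cdrs += [(t, f"dev{d:02d}", "SC-B"), (t + 1, "SC-B", f"dev{d:02d}")]
    # Benign: dev01 contacts SC-C on day 3; new to dev01 (n_i = 1) but known to cluster A (N_i = 0).
    cdrs.append((24 * 3 + 2, "dev01", "SC-C"))
    # Injected anomaly on day 5: four cluster-A devices each send one SMS to an unknown short code.
    cdrs += [(24 * 5 + 1, f"dev{d:02d}", "SC-X") for d in range(1, 5)]
    return sorted(cdrs)


def training_histories(cdrs, devices, T):
    """h_i(t_i + T): peers each device talks to in the T hours after its first message at t_i."""
    first, hist = {}, {dev: set() for dev in devices}
    for t, orig, term in cdrs:
        for dev in (orig, term):
            if dev in devices:
                first.setdefault(dev, t)
    for t, orig, term in cdrs:
        for dev, peer in ((orig, term), (term, orig)):
            if dev in devices and first[dev] <= t <= first[dev] + T:
                hist[dev].add(peer)
    return first, hist


def assign_clusters(hist):
    """Join the first cluster whose aggregated history H_j overlaps h_i, else start a new one.
    (The paper's merging of clusters below 1% of all nodes is omitted here.)"""
    clusters = []  # list of (member set, H_j)
    for dev in sorted(hist):
        for members, H in clusters:
            if hist[dev] & H:
                members.add(dev)
                H |= hist[dev]
                break
        else:
            clusters.append(({dev}, set(hist[dev])))
    return clusters


def detect(cdrs, devices, T=24, tau=24, theta1=3, theta2=3):
    """Slide a tau-hour window over the testing period; alarm on s > theta1 or S > theta2."""
    first, hist = training_histories(cdrs, devices, T)
    clusters = assign_clusters(hist)
    t_end = max(t for t, _, _ in cdrs)
    alarms = []
    for w0 in range(min(first.values()) + T, t_end + 1, tau):
        contacts = defaultdict(set)  # c_i(tau): per-device peers inside the window, post-training
        for t, orig, term in cdrs:
            if w0 <= t < w0 + tau:
                for dev, peer in ((orig, term), (term, orig)):
                    if dev in devices and t > first[dev] + T:
                        contacts[dev].add(peer)
        for j, (members, H) in enumerate(clusters):
            s = S = 0
            suspects = {}
            for dev in members:
                n_i = contacts[dev] - hist[dev]  # contacts new to this device
                N_i = contacts[dev] - H          # contacts new to the whole cluster
                s, S = s + len(n_i), S + len(N_i)
                if N_i:
                    suspects[dev] = sorted(N_i)  # diagnosis: which device reached which new peer
            if s > theta1 or S > theta2:
                alarms.append({"window_start": w0, "cluster": j, "s": s, "S": S,
                               "devices": suspects})
    return alarms


if __name__ == "__main__":
    for alarm in detect(make_cdrs(), DEVICES):
        print(alarm)
```

With the default thresholds only the day-5 burst to SC-X raises an alarm; lowering $\theta_1$ to 0 also flags dev01's benign contact with SC-C on day 3, which the cluster-level count $S$ still ignores because SC-C is already in $H_j$.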
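The volumetric step of Section IV-C as an added example, not the paper's implementation: lag-1 differencing of a cluster-level load series, a fixed-cutoff outlier rule, and the drawdown measure $D(t_g)$ used to name the devices behind the anomaly. The daily counts are constructed, the cluster sum stands in for the first principal component (no PCA is run), and the cutoff and drawdown threshold are assumed values.

```python
"""Volumetric cluster-level detection and per-device drawdown diagnosis (constructed data)."""

DAYS = 14


def make_cluster_counts():
    """Daily MO SMS counts per device in one cluster; constructed, not real CDR data."""
    base = [10, 11, 9, 10, 12, 10, 9, 11, 10, 12, 11, 9, 10, 11]
    counts = {f"dev{k:02d}": list(base) for k in range(1, 7)}
    # dev01..dev03 stop reporting from day 8 onward: a partial outage inside the cluster.
    for k in range(1, 4):
        for t in range(8, DAYS):
            counts[f"dev{k:02d}"][t] = 0
    # dev06 has one ordinary low day; it must not be flagged.
    counts["dev06"][3] = 7
    return counts


def cluster_series(counts):
    """Cluster-level MO SMS load M_j(t): sum over member devices for each day.
    Stands in for the first principal component of the paper's ten cluster series."""
    return [sum(series[t] for series in counts.values()) for t in range(DAYS)]


def lag1_diff(series):
    """Lag-1 difference, applied because the raw load series is strongly autocorrelated."""
    return [series[t] - series[t - 1] for t in range(1, len(series))]


def anomaly_times(series, cutoff):
    """Days t_g whose lag-1 difference falls outside [-cutoff, cutoff].
    A fixed cutoff (the paper reports +/-200 on its normalized component) replaces the
    density-based outlier detector; that substitution is an assumption of this example."""
    return [t + 1 for t, d in enumerate(lag1_diff(series)) if abs(d) > cutoff]


def drawdown(series, t_g):
    """D(t_g) = max[0, max_{t < t_g} m(t) - m(t_g)]: how far the device fell from its peak."""
    if t_g == 0:
        return 0
    return max(0, max(series[:t_g]) - series[t_g])


def diagnose(counts, t_g, threshold):
    """Devices whose drawdown at the anomaly time exceeds the threshold."""
    return sorted(dev for dev, series in counts.items() if drawdown(series, t_g) > threshold)


def run(cutoff=20, threshold=5):
    """Detect anomalies at cluster level, then diagnose each one at device level."""
    counts = make_cluster_counts()
    load = cluster_series(counts)
    return {t_g: diagnose(counts, t_g, threshold) for t_g in anomaly_times(load, cutoff)}


if __name__ == "__main__":
    print(run())  # {8: ['dev01', 'dev02', 'dev03']}
```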