sms defense white paper

© Copyright 2008 Sevis Systems, Inc.

SMS Defense® White Paper

Transparent Mobile-to-Mobile SMS Spam and Fraud Control.

September 15, 2008

© Copyright 2008 Sevis Systems, Inc.

Table of Contents

1. SMS Defense ................................................................................................................................................................. 1

1.1. The Challenge: Prevent Mobile-to-Mobile SMS Spam and Fraud.......................................................................... 1

1.2. The Point Code Based Approach: Route All SMS to an Additional Core Network Node ...................................... 3

1.3. The SMS Defense Solution: Transparent SMS Spam and Fraud Control ............................................................... 5

1.3.1. Core Capabilities .............................................................................................................................................. 5

1.3.2. Architecture ...................................................................................................................................................... 8

2. Defense View............................................................................................................................................................... 10

2.1. Event Log Data Mining ......................................................................................................................................... 10

2.2. CDR Generation .................................................................................................................................................... 11

3. Signaling ASE® System: No Point Code, Many Solutions ......................................................................................... 12

3.1. System Overview................................................................................................................................................... 12

3.2. Technical Specifications........................................................................................................................................ 14

© Copyright 2008 Sevis Systems, Inc. 1

1. SMS Defense

1.1. The Challenge: Prevent Mobile-to-Mobile SMS Spam and Fraud

Mobile-to-mobile SMS spam and fraud comes in many forms and can cause substantial damage with respect to

customer satisfaction, financial performance and network operations. A sample of recent coverage of the problem

includes:

• John White, of the telecommunications analyst firm Portio Research, says, “There’s no doubt text spam is

costing operators real money, but what they’re even more concerned about is the effect it has on the churn

rate of their customers. Phone users who are irritated by spam or are billed for messages they didn’t send

are very likely to move networks. A solution that can stop spam and help maintain good customer relations

is going to be widely welcomed.” (Source: Mobile Europe)

• “Their method is simple but highly effective, enabling the sending for free of thousands of messages that

appear to come from a mobile phone roaming on another network. The result is not only that innocent

mobile operators are carrying unwanted traffic, but that their customers are being deluged with unwanted

offers – and some are even being billed for messages they did not send.” (Source: Mobile Europe)

• Insights into Mobile Spam, World’s First Collaborative Empirical Study released by the University of St.

Gallen, Switzerland, indicates more than 8 in 10 mobile phone users surveyed have received unsolicited

messages and 83% of telecommunications industry respondents perceive mobile spam to be a critical issue.

(Source: International Telecommunications Union)

• “Malicious hackers could take down cellular networks in large cities by inundating their popular text-

messaging services with the equivalent of spam,” said Penn State computer security researchers. (Source:

New York Times)

• “China has ordered telcos to purge spam SMSes of smut and other ‘unhealthy’ influences, including

‘superstitious content’ like fortune telling. The Ministry of Information Industry made the pronouncement

today on its website which declared: ‘Recently, there has been a lot of dirt hidden in the telecommunication

networks. The situation is serious.’” (Source: The Register)

The most common types of mobile-to-mobile SMS spam and fraud active today are summarized in the table below:

Table 1. Common Types of Mobile-to-Mobile SMS Spam and Fraud.

Type How Caused Risk to the Operator

Spamming Unwanted messages are delivered to

subscribers

Irritated subscribers, degraded network

performance, blamed for spam relay

Flooding Remote system sends massive numbers of

messages targeting subscribers and nodes

Overload in the signaling network, home

operator incurs relay operator costs

Faking Foreign system uses identity of a legal

SMSC (i.e. MT faking)

Home operator cannot collect termination

fees

Spoofing Messages sent illegally by simulating

subscribers who are in a roaming situation

(i.e. MO spoofing)

Subscribers wrongfully billed for unsent

messages and perhaps unwanted content

Smishing Messages that appear to be from a valid

company attempt to acquire subscriber

information

Subscriber annoyance, billing issues,

potential to spread viruses which in turn

can result in more spam

Viruses Hacker engine launches messages luring

subscribers to a download site with viruses

Compromised handsets cause customer

service problems and may send unwanted

messages


The overarching provider concerns with respect to the impact mobile-to-mobile SMS spam and fraud can have on a

provider’s customers, network and financial performance are that it:

• Irritates subscribers and in turn increases churn, raises support costs and casts a negative light on the carrier’s brand. Subscribers find spam annoying and many regard it as an invasion of privacy. It also

results in unwarranted charges leading to customer frustration.

• Results in lost revenue for inter-carrier messages. With SMS fraud, the sender assumes the identity of a

valid subscriber or SMSC, so the operator receives no termination fee.

• Increases operational costs because of the large volumes of unauthorized messages. SMS spam and

fraud can degrade network and SMSC performance and at times severely impact them (in some instances

acting as a Denial of Service network attack).

• Damages the adoption of revenue-producing services. Spam can destroy trust in an operator, leading

subscribers to opt-out of emerging mobile advertising and m-commerce opportunities.

The figure below shows the typical paths that mobile-to-mobile SMS spam and fraud take to gain network access.

The red arrow on the left side of the diagram is meant to demonstrate “On-Net” SMS spam and fraud, meaning it is

generated by a subscriber that is operating within a carrier’s own network. The red arrow originating on the right

side of the diagram is meant to demonstrate “Off-Net” SMS spam and fraud, meaning it originates on another

carrier’s network and gains network access via a carrier’s SS7 carrier-to-carrier interconnect links.

Example of Mobile-to-Mobile SMS Spam and Fraud Gaining Network Access

Figure 1

In order to prevent mobile-to-mobile SMS spam and fraud, every SMS message that originates on a carrier’s own

network or that attempts to enter a carrier’s network via SS7 carrier-to-carrier interconnect links must at some point

prior to being delivered to the destination subscriber be inspected to ensure that the message:

• Is from a legitimate source (in the case of MT faking or MO spoofing).

• Does not contain inappropriate content (in the case of smishing, viruses or unauthorized content).

• Is not part of an unauthorized “mass mail” campaign (in the case of unsolicited spamming).

• Is not part of an attempt to disrupt the operations of the individual subscriber, a network node or the

network itself (in the case of message flooding).


1.2. The Point Code Based Approach: Route All SMS to an Additional Core Network Node

The most common approach currently used to prevent mobile-to-mobile SMS spam and fraud is to deploy a Point

Code Based SMS anti-spam and fraud element(s) within a carrier’s SS7 core network as shown below.

Example of a Point Code Based SMS Anti-Spam and Fraud Solution

Figure 2

The mechanics of identifying mobile-to-mobile SMS faking and spoofing are well established and vary little

between mobile-to-mobile SMS anti-spam and fraud vendors. Therefore, implementation of SMS fraud and spam

identification rules/algorithms is not a significant point of differentiation. Consequently, the more common points

of differentiation between Point Code Based solution vendors include:

• Whether they provide “rudimentary” or “advanced” content inspection.1

• The degree to which messages can be controlled post-inspection.2

• Management system employed (web-based, GUI-based, etc.).

• System performance with respect to number of messages handled per second.

• Pricing model (many use a “per message/transaction” model versus a flat one-time “per link” model).

1 Content inspection can be categorized as being “rudimentary” or “advanced,” with rudimentary inspection being the ability to filter messages

based on specific key words or phrases while enhanced inspection is the ability to perform content analysis within a more adaptive and flexible

search framework. A discussion of content inspection capabilities is relevant when trying to identify spam or smishing activities. 2 Message control can be categorized as being “rudimentary” or “advanced” as well, with rudimentary control being the ability to pass or stop

(block) messages depending on customer-defined control policies while advanced control is the ability to perform additional message control

functions such as message thresholding (throttling).


While Point Code Based solutions may differ among themselves with respect to these capabilities and features, they

all share the same distinct disadvantages because of their Point Code Based nature, disadvantages that include:

• All Off-Net mobile-to-mobile SMS spam and fraud is allowed to enter a carrier’s signaling network

unchecked and consume STP/Gateway resources.

• Every Off-Net and On-Net SMS message must first be routed to the Point Code Based node (or nodes)

before being sent to an SMSC, increasing the amount of SMS traffic in a carrier’s SS7 core and consuming

additional network resources.

• Because this approach requires an SS7 point code, carriers must reengineer their SS7 network and in some

cases deploy intelligent routing mechanisms and additional STP resources to enable the redirection of the

flow of SMS traffic.


1.3. The SMS Defense Solution: Transparent SMS Spam and Fraud Control

1.3.1. Core Capabilities

In contrast to taking a Point Code Based approach to preventing mobile-to-mobile SMS spam and fraud, SMS

Defense resides transparently (i.e. it does not require a point code) on both carrier-to-carrier SS7 interconnect links

and internal SMSC signaling links. With SMS Defense, SMS messages do not have to be routed to a new network

node before being sent to an SMSC. Additionally, off-net SMS spam and fraud can be stopped before it has the

chance to access your external facing STPs/Gateways.

SMS Defense is equipped with the core capabilities needed to manage SMS spamming, flooding, faking, etc. along

with enhanced content filtering and advanced control features that include message thresholding and response. And

because it utilizes the “transparent” Signaling ASE application platform, SMS Defense does not require any network

re-engineering to install it and it can be positioned anywhere within your signaling network, including the Radio

Access Network perimeter or “Access Edge” (i.e. on BSC-MSC links). The SMS Defense application leverages the

Signaling ASE® Platform’s highly distributed SS7 front-end architecture to implement network-wide rules and

polices on any SS7 link.

Example SMS Defense Network Deployment

Figure 3


Table 2. Comparing the Point Code Based Approach to the Network Transparent SMS Defense Approach

Benefit Point Code Approach SMS Defense Approach

Spamming Protection � �

Flooding Protection � �

Faking Protection � �

Spoofing Protection � �

Smishing Protection � �

Virus Protection � �

Enhanced Content Filtering Varies �

Stops spam at the network perimeter �

Does not increase SMS traffic in the SS7 core �

Advanced message control �

No SS7 network re-engineering required �

The table below describes how SMS Defense can be used to control mobile-to-mobile SMS spam and fraud.

Table 3. Controlling Mobile-to-Mobile SMS Spam and Fraud using SMS Defense.

Type How to Prevent with SMS Defense

MO Spoofing

of Home

Network

Subscribers

Implement rules that perform the following:

- Verify the originating MSISDN is legitimate.

- Verify the originating subscriber’s location in the MO matches that stored in the HLR.

- Verify subscriber’s location for inbound MO into the network is not from a location

internal to the network (SMS MOs cannot arrive from such a location on the interconnect

links).

MT Spoofing

of Home

Network

Subscribers


- Verify originating MSISDN is not one of your subscribers:

∼ External SMSCs should not be delivering SMS messages of your subscribers.

∼ If an inbound SMS MT contains one of your MSISDNs as the originating address, then it

has been spoofed.

- Validate premium short codes and alphanumeric addresses that are allowed as Originating

Addresses.

MT Faking Implement rules that perform the following:

- Validate SRI-SM by determining that the originating SMSC address is consistent within

the SCCP (CgPA) and MAP (Service Center Address) layers.

- Validate MT-SMS by determining that the originating SMSC address is consistent within

the SCCP (CgPA) and MAP (Service Center Address) layers.

- MT delivery via the home network to detect and stop faking:

∼ Modify SRI-SM response with virtual MSC location (SCCP Called Party Address) and

IMSI mask (Correlation ID); and store originating GT of SRI-SM, actual MSC location,

and actual IMSI.

∼ Verify that an SRI-SM has occurred previously for a received MT.

∼ Validate originating GT of subsequent MT against originating GT of previous SRI-SM:

� If they match; there is no faking. Replace virtual MSC location with the actual MSC

location and replace the IMSI mask (Correlation ID) with the actual IMSI, and forward

on to destination subscriber.


� If they do not match; the message is faked.

- The system functions as an SMS Router in transparent mode according to 3GPP TR

23.840. As such, the system proxies any delivery status messages back to the originating

SMSC.

SMS Flooding Implement rules that perform the following:

- Monitor peak SMS message rates against expected levels. If observed rates are beyond

expected levels, source is identified for inclusion in a blacklist rule. Each source can be

aged out over a user-configured amount of time.

- Thresholding for known flooding addresses:

∼ Per destination network node (or node type or group).

∼ Per sending network or sending subscriber.

∼ Across all sending networks or all sending subscribers.

- Prevents abnormal traffic spikes from causing congestion to point of service denial.

- Enables optimization for legitimate traffic only.

Virus Implement rules that perform the following:

- Detect and prevent known UDH virus patterns.

- Verify UDH content is correctly formed according to GSM 03.40.

Unwanted

Content


- Screen for pre-defined key words or pattern matches (regular expressions in message text).

- Utilize message fingerprinting algorithms to identify/track spam and smishing attempts.

SMS Defense also comes with the capability to create whitelist rules to ensure that trusted entities are always

allowed to pass so that service agreements are always maintained.

The figure below provides an example of a mobile-to-mobile SMS delivery that is unauthorized. The top half of the

diagram shows what happens in the absence of a mobile-to-mobile SMS anti-spam and fraud solution such as SMS

Defense while the bottom half of the diagram demonstrates how the attempted SMS delivery is stopped with the

presence of SMS Defense on the carrier’s SS7 carrier-to-carrier interconnect links.

Example of an Unauthorized Mobile-to-Mobile SMS Delivery

SMS

Defense

SMS

Defense

Figure 4


1.3.2. Architecture

The figure below highlights SMS Defense’s overall system architecture:

SMS Defense Overall System Architecture

SMS DefPlatform

InterconnectCarrier Network

InterconnectCarrier NetworkSMSC

SMS DefPlatform

STP orGateway

SMSC

InternalNetwork Nodes

Netw

ork

Perim

ete

r

SMSPolicy Server

SS7/Sigtran

IP

ManagementServer

GUI Client

IP Network

SMS DefPlatform

InterconnectCarrier Network

InterconnectCarrier NetworkSMSC

SMS DefPlatform

STP orGateway

SMSC

InternalNetwork Nodes

Netw

ork

Perim

ete

r

SMSPolicy Server

SS7/Sigtran

IP

ManagementServer

GUI Client

IP Network

Figure 5

The SMS Defense system is comprised of four core functional elements all interconnected using secure IP-based

network connections. Together, they form a highly-available, best of breed architecture for defending networks and

subscribers against SMS spam, spoofing, faking and flooding.

The SMS Defense architecture allows operators to leave the flow of SMS traffic alone. It does not require re-

engineering SMS routes within your network. SMS Defense transparently “plugs” into the network as is.

Furthermore, this exclusive architecture enables operators to control all types of inappropriate traffic including

fraudulent calls, SIM box calls and other unauthorized SS7 traffic as provided by Active Fraud Eliminator and

Signaling Defense.

Table 4. SMS Defense System Core Functional Elements.

Function Description

Platform - Responsible for transparent access to signaling messages and policy enforcement (i.e.

blacklist rules, whitelist rules, etc.).

- Provides a distributed front end to the SMS Policy Server.

- Patented, carrier grade platform requiring no SS7 point code to install.

- Can be deployed on SS7 Low Speed or High Speed links and Sigtran based links.

- Automatic link protection provided via hardware-based relays that close automatically if a

failure occurs, immediately connecting T1/E1 paired ports at the physical layer.

- Rack-mountable 2U chassis.

- Chassis clustering provides additional scalability to enable very large deployments.


SMS Policy

Server

- Provides active-active, stateful backend analysis functions.

- Detects and controls SMS spoofing, faking, flooding and viruses.

- Provides keyword content filtering.

- May “pass” control policies to SMS Defense Platform for enforcement.

- Provides “message fingerprinting” algorithms and techniques to identify and track spam

and smishing attempts.

- Connects to the Platforms with redundant IP connections.

- Provides for easy expansion to enable additional processing power and scalability.

- Runs on standard Linux servers and can scale to thousands of messages per second.

Management

Server

- Provides centralized system and application management.

- Allows carriers to simultaneously administer one or more platforms.

- Supports SNMP for forwarding faults and events to other network management systems.

GUI Client - Menu-driven, point and click graphical user interface for policy creation and system

management, to include access to reporting functions.

- Configuration wizards, multi-level security access and intuitive status indicators.

- Java-based and can be loaded on any Windows or Linux computer.

- Network engineers do not have to go out into the field to troubleshoot issues.


2. Defense View Defense View

® provides data mining capabilities for Signaling Defense

®, SMS Defense

® and AFE event logs along

with CDR generation for use in a carrier’s visibility system or FMS.

2.1. Event Log Data Mining

Whenever a user policy “triggers,” it can be configured to generate a log.3 Each time a log is generated, it is stored

in a centralized database. Defense View provides a carrier with the means to mine their event logs in order to refine

their network policies as well as perform post-event analysis on an individual event and multi-event basis.

Examples of the kind of filters available that can be used to mine log data include (a single query can include

multiple filters):

• Rule ID – Rule that triggered the log.

• Message Type – Type of message that triggered the log.

• Originating Point Code – The originating point code of message triggering the log(s).

• Destination Point Code – The destination point code of message triggering the log(s).

• SMS Addresses – The originating and destination addresses of the SMS message triggering the log(s)

• Calling Party Number – The Calling Party Number of the message triggering the log(s).

• Called Party Number – The Called Party Number of the message triggering the log(s).

• Action – Action associated with the rule that triggered the log(s).

• Physical Equipment – The Platform(s) and card(s) associated with the log(s).

• Top Counts – Most active.

• Bottom Counts – Least active.

• Time of Day – Time of day (range).

Example: Rule Trigger Event with Message Decode to See Parameter Values

Figure 6

3 Please note an event can be defined as a policy causing a “passive trigger” whereby an event is generated for a policy but no action beyond

archiving that the event happened occurs (i.e. the message is not stopped, modified, rerouted, etc., only archived).


Example: Count of Rule Triggers per OPC and DPC Pair

Figure 7

2.2. CDR Generation

The Signaling ASE System (see Section 6) has the capability to generate CDRs for use by 3rd

party Fraud

Management and Network Visibility systems. CDRs can be generated while the system is either in “listening” or

“active” mode.


3. Signaling ASE® System: No Point Code, Many Solutions

3.1. System Overview

Signaling Defense, SMS Defense and Active Fraud Eliminator each utilize the patented Signaling ASE System that

is comprised of the ASE Platform (the transparent signaling network element) and the ASE Manager.

Unlike other SS7 network elements or application delivery systems, the ASE Platform

(image to the right) does not require an SS7 point code, eliminating the need for signaling

network re-engineering and enabling rapid system deployment. The ASE platform does

not require a point code because it is a layer two node whereas most other SS7/C7

network nodes are layer three devices. This means the ASE platform terminates

signaling links up through layer two versus layer three. Point codes live at layer three in SS7/C7, therefore, no point

code is required. To account for discarded and/or inserted messages, independent Message Transfer Part (MTP) 2

sequence numbers are maintained on both sides of the platform, just as a layer three node would behave as messages

are transferred from one link to another.

SS7/C7 link behavior does not change by deploying the ASE platform. It is fully compliant with all SS7/C7

network conformance standards. It does not hinder in any way the normal flow and function of traffic. In fact, all

messages pass through by default. The platform does not generate any network management messages either, and

link changeovers are still managed by the existing signaling endpoints.

The ASE Platform is NEBS certified and was designed for five nines availability. High availability is achieved with

automatic link protection (ALP) features and redundant, hot-swappable components. ALP is provided via hardware-

based relays with relay contacts closing automatically if a failure such as power loss, RTM/TIM removal, RTM/TIM

hardware failure or TIM software failure (loss of heartbeat) occurs. In the event of a failure, the system immediately

connects T1/E1 paired ports at physical layer, removing the TIM from the network quickly and cleanly and enabling

the platform to appear as a wire to the network. With ALP and redundant, hot-swappable components, there are

multiple layers of protection in hardware and software, ensuring signaling links are always “up and running.”

Automatic Link Protection

TIMApplications

Normal Operation

(Bridged)

SS7 Link OutSS7 Link In

TIM MTP StackHeartbeat

H/W Failure

TIMApplications

ALP Operation

(Bypass)

SS7 Link OutSS7 Link In

TIMMTP StackHeartbeat Failure X

RTM

TIM

TIMApplications

Normal Operation

(Bridged)

SS7 Link OutSS7 Link OutSS7 Link InSS7 Link In

TIM MTP StackHeartbeat

H/W Failure

TIMApplications

ALP Operation

(Bypass)

SS7 Link OutSS7 Link OutSS7 Link InSS7 Link In

TIMMTP StackHeartbeat Failure X

RTM

TIM

Figure 8


The ASE System can be utilized in either “listening” or “active” mode. In “listening” mode, it acts much like a

probe in that it can copy all or select SS7 messages and then route them over IP to another device for processing

(useful in visibility and diagnostic applications, location services, etc.). In “active” mode, the ASE System can

perform comprehensive message control, to include being able to, on a message-by-message basis:

• Stop messages

• Threshold messages (allow X of N)

• Modify messages

• Respond to messages

• Re-route or offload messages (over IP for example)

• Insert messages (such as SMS messages)

The ASE Platform supports a diverse set of wireless, wireline and IP protocols and has an open architecture for

rapid development of new software applications. Additionally, the ASE platform scales easily as a layer two node.

It can support large deployments by simply clustering systems together via secure IP. Clustering is a

straightforward process given that no point codes are required and the platform’s backplane supports packet

switching. This enables a distributed architecture that can support even the largest global networks. Multiple

systems function and are managed as a single logical entity. With the ASE Platform, carriers can support the largest

global networks.

The ASE Manager provides centralized system and application management. Its distributed client/server architect-

ure allows carriers to simultaneously administer multiple platforms. Alerts are sent via broadcast, pager, e-mail or

SNMP to inform clients of any alarm situation, and the management interfaces of any platform or client can be

encrypted.

The ASE Client ensures an intuitive provisioning experience with its menu-driven, point and click graphical user

interface. System management is performed with user-friendly features including: configuration wizards, multi-

level security access and intuitive visual status indicators. With the ASE Client, network engineers do not have to

go into the field to analyze or troubleshoot any issues. The Java-based client can be loaded on any Windows or

Linux computer.


3.2. Technical Specifications

The proceeding specifications apply to the Signaling ASE system and in turn SMS Defense:

Table 5. Signaling ASE Technical Specifications.

Protocols

ANSI

- T1.111 MTP

- T1.113 ISUP

- T1.112 SCCP

- T1.114 TCAP

- AIN 0.1/0.2

- IN

- ANSI-41 D

- WIN

ITU/ETSI/3GPP

- Q.701 – Q.705, Q.707 MTP

- Q.761 – Q.764 ISUP

- Q.711 – Q.714 SCCP

- Q.771 – Q.774 TCAP

- Q.721 – Q.724 TUP

- INAP CS-1/CS-2

- GSM MAP

- CAMEL

Sigtran

- M3UA

- M2PA

Application

- SMPP

- SS7oIP

Platform Specifications

Power Supplies and Fans

- N+1 redundancy

- Hot swappable

- DC (-48V)

- A and B DC power feed

Temperature Range

- Operating: -5°C to +55°C (23°F

to 131°F)

- Storage: -40°C to +70°C (-40°F

to +158°F)

Platform Specifications (Cont.)

Chassis

- 2 U high, rack-mountable

chassis

- 19” (482.6 mm) or 23” (584.2

mm) rack mount

- Packet switching backplane

- 3 trunk interface module slots

- Up to 12 T1/E1s per platform

- Up to 48 transparent low speed

SS7 links per chassis

- Up to 3 transparent ATM high

speed links per chassis

- Chassis clustering

- Alarm status display module

- Telco alarm interface (dry/wet

contact relay)

- 5 10/100 Base-T Ethernet ports

- Hardware/software status

reporting

Trunk Interface Module

- Up to four T1/E1s

- Up to 16 transparent low speed

SS7 links

- Up to 1 transparent ATM high

speed link

- A, B, C, D, E, F links

- Channel associated signaling

- T1/E1, RJ-48C

- Hot swappable

- 3 10/100 Base-T Ethernet ports

- Drop and insert grooming

- Automatic link protection

- LED status indicators

- Rear transition module

Regulatory Compliance

- NEBS Level III certified

- ETSI 300 019 2-1 to 2-4

- CE

- FCC Part 15, Class A (CSA)

Management Server

Architecture

- Centralized client/server

- Dual processor

- RAID 5

- Hot-plug hard drives

- Hot-plug redundant power

supplies

- Java-based GUI client

Event Management

- Event filtering with audible

event notification

- Hardware/software status

reporting

Performance Management

- CPU and memory utilization

monitoring

- Link status monitoring

- Detailed platform/server

statistics

Security Management

- User-configurable multi-level

security access

- User authentication and activity

timeout

- Encrypted management

interfaces

User management

- Concurrent users

- User messaging

sms defense white paper

Documents