Fig 2 - uploaded by M Zubair Rafique
Context Establishment between SGSN and GGSN 

Source publication
Conference Paper
Since the emergence of 3G cellular IP networks, internet usage via 3G data services has become ubiquitous. Therefore such network is an important target for imposters who can disrupt the internet services by attacking the network core, thereby causing significant revenue losses to mobile operators. GPRS Tunneling Protocol GTP is the primary protoco...

Context in source publication

Context 1
... follows. Section 2 gives a brief summary of the related work. In Section 4, we report different statistics of our real-world benign dataset. Section 5 presents the architectural details of the proposed framework. Section 6 presents the experimental setup and results. Finally, in Section 7, we conclude the paper with future directions of work.

Attacks on cellular networks are not unprecedented. Some known attacks are directed towards Mobile Stations (MSs) [9] and [10], whereas others try to disrupt services in general, as mentioned in [11] and [3]. [12] presents a taxonomy of such 3G attacks. The attacks are classified as Cross-Infrastructure attacks, which are directed from the internet to the cellular network, and Single-Infrastructure attacks, which arise from within a cellular network. In [13], Patrick et al. hold the opposing design philosophies of the internet and of 3G networks responsible for making 3G networks vulnerable to Denial of Service (DoS) attacks, and also demonstrate two more attacks supporting this theory. The authors highlight the fact that bandwidth is not the ultimate cause of such attacks; rather, it is the inflexibility of the 3G network architecture that makes these attacks practical. One of the foremost attempts to highlight the vulnerabilities of the GPRS core network is presented in [4]. In this work, the author provides an overview of attacks and flaws associated with the GPRS architecture. The report also provides recommendations to avoid such attacks. A more detailed categorization of attacks against GPRS follows in [8]. In this paper, the authors list overbilling attacks, misconfigured WAP exploits and a detailed list of GTP risks. The paper proposes an alternative network architecture that can be adopted by network operators. The authors also present the Check Point Firewall product, which can provide additional security.
Another important contribution to securing the GPRS core from attacks is presented in [6]. Dmitriadis et al. present a threat model for the GPRS core network, depicting nine possible attack groups, and also give a feasibility study of honeynets in 3G networks. The authors propose 3GHNET, a honeynet, for the improvement of GPRS core network security. They compare the advantage of a GPRS network with 3GHNET deployed over an unprotected network, using concepts from game theory for the comparison. [2] presents a defense mechanism for GTP security threats. The authors propose an event-based description language for the detection of attacks directed at the GTP protocol. They classify GTP security concerns as protocol-abnormal attacks, infrastructure attacks and resource-consumption attacks. They categorize the GTP protocol into GTP-C, GTP-U and GTP' (the GTP control plane, GTP user plane and GTP prime, respectively) and analyze each separately, making the detection decision on the basis of the events generated. The authors tested their architecture on the OpenGGSN emulator, an open-source implementation of the core network nodes SGSN and GGSN [14]. Our work differs from [2] in that it aims at securing only the GTP-C category of the GTP protocol from fuzzing attacks. GTP-C packets are the most important for the communication between the GSNs. The architecture of our scheme enables us to further categorize the GTP-C packets and analyze them separately.

GPRS is an extension of GSM; in fact, it has been overlaid on the already existing GSM infrastructure [15]. To handle packet data, a Packet Control Unit (PCU) is introduced at the Base Transceiver Station (BTS). Besides that, two GPRS Support Nodes (GSNs) have been added to the structure. The SGSN is connected to many BTSs, analogous to a BSC, and serves to transfer data requests over the network, whereas the GGSN connects the network to external data networks.
Any user that intends to send or receive data from an external network has to register a context with these two nodes (SGSN and GGSN). The different interfaces of GPRS are shown in Figure 5. The next section is dedicated to the description of this interface, and depicts how communication actually takes place on it. For the sake of brevity, we have only considered the GTPv1 specification for the matter at hand.

Whenever a user needs to send or receive packet data from an external network, it requests the network to activate a PDP context. On receiving such a request, the SGSN sends a Create PDP Context Request message to the GGSN containing the IMSI number of the user, the Access Point Name (APN) and Tunnel Endpoint Identifiers (TEIDs) for the GTP-C and GTP-U planes. Once the GGSN receives this information, it stores it for future correspondence and sends back a Create PDP Context Response containing information elements (IEs) to indicate whether the context was established successfully, the End User Address field (which contains the IP address assigned by the GGSN to the user) and the TEIDs for both the GTP-C and GTP-U planes. Figure 2 demonstrates how a context is established between the two nodes, and how the SGSN and GGSN recognize tunnels at their ends, in both the User and Control planes. When the SGSN sends a Create PDP Context Request to the GGSN, as shown in Figure 2(a), it advertises a TEID_S and an IP_S address for the User plane and a TEID_S and an IP_S for the Control plane (subscript S is used for SGSN) to the GGSN, to be used in future by the GGSN when addressing the specified tunnel at the SGSN. The SGSN uses the same parameters (the TEID_S/IP_S that it advertised) to discern between the different tunnels operating at the SGSN. Similarly, when the GGSN responds with a Create PDP Context Response message, as shown in Figure 2(b), it advertises a TEID_G and an IP_G for the User plane as well as for the Control plane to the SGSN, which are to be used in future by the SGSN when addressing a specific tunnel at the GGSN.
The GGSN uses these parameters to discern between the different tunnels operating at the GGSN. Also, the port numbers are fixed for both Control and User plane data. Similar to the Create PDP Context Request/Response messages, Delete PDP Context Request/Response messages also exist, which are used to delete an active tunnel. Since the user payload is tunneled through the Gn interface, it becomes a natural choice for analysis when it comes to anomaly/intrusion detection in the core network. A compromised SGSN or GGSN can host attacks against other critical systems, such as the Mobile Switching Center (MSC), Home Location Register (HLR), Visitor Location Register (VLR) and the other SGSN/GGSN nodes of the network. Such attacks directly affect crucial information such as the subscriber identity database residing in the HLR, the charging/billing gateways (CG/BG), handoff operations involving the VLR, etc.

In this section we describe the benign and malformed GTP datasets that we have used in this study. We also give a brief description of the fuzzing algorithm used to generate malformed GTP packets. Our benign dataset consists of real-world GTPv1 traffic collected at the Gn interface. The traffic was logged at a GPRS core network node during the peak usage hours of the day. All types of GTP packets were captured; however, our analysis is based only on GTP-C packets, which are responsible for the creation and deletion of user sessions between the GSNs. Table 1 provides different statistics of the dataset. The total number of PDP contexts shows the number of GTP tunnels created, updated or deleted between the SGSN and the GGSN. There are obviously unequal numbers of requests and responses, which is due to the window censoring phenomenon [16]: user sessions initiated during the data logging period are not torn down before the end of the logging process. We performed fuzzing of each type of GTP-C packet separately. The format of the GTP packets is shown in Figure 3.
For fuzzing, we have employed the standard bit-fuzzing technique used for other IP-based protocols, i.e., for 1% fuzzing a bit is randomly selected from a packet and inverted. Similarly, for n% fuzzing we select n% of the bits randomly from a packet and invert them. In this way, we have generated 24 different fuzzed datasets for each GTP-C packet category, corresponding to 2%, 5%, 10% and 20% fuzzing of each n-gram, where n varies from 1 to 6. Our fuzzed dataset consists of packets with fuzzed fields such as the message type field. Fuzzing this field changes the message type, for example from Create PDP Context Request (message type = 0x10) to some other message type, which may result in a message type that is not recognizable by the GGSN or in a message type that the GGSN is not expected to receive. In addition, some information elements following the mandatory header in the message are more apposite for fuzzing. This is because each type of packet uses the extension header information elements differently. More specifically, the information elements (IEs) are divided into TV (Type, Value) and TLV (Type, Length, Value) formats. Figure 4 shows details of the formatting of such IEs. Our fuzzed dataset includes packets with fuzzed TV-formatted IEs because, when we fuzz such a field, the length of the fuzzed field may increase beyond the expected length known to the GGSN, making the IEs following it unreadable. The fuzzed packet dataset also contains fuzzed values of TLV-formatted IE fields: the End User Address, Access Point Name (APN), Protocol Configuration Options (PCO) and GPRS Support Node (GSN) Address IEs. Table 2 describes the possible impact of fuzzing different fields of a GTP packet.

In this section, we present the architectural details of the proposed intrusion detection framework, which consists of a bi-directional detection module at the Gn interface.
Figure 5 shows the architecture of the proposed framework for the detection of malformed GTP packets. The GTP protocol is used by most 3G transmission techniques, including WCDMA and TD/CDMA, which employ the GPRS core network ...
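To make the TV/TLV discussion and the n% bit-inversion fuzzing concrete, here is an added example that is not the paper's framework and not any GSN's code: a structural GTPv1-C validator of the kind a detection module at the Gn interface would run (header version and PT flags, length field, known message types, TV IEs with their fixed lengths, TLV IEs with their two-byte lengths, ascending IE order, a simplified mandatory-IE check), applied to a constructed Create PDP Context Request and to copies of it with n% of their bits inverted. Message types, IE type numbers and TV lengths are the GTPv1 values from 3GPP TS 29.060; the mandatory-IE table is a reduced subset used for illustration, and all packet contents are constructed.

```python
"""Added example (not from the paper): a GTPv1-C header/IE validator plus the
paper's n% bit-inversion fuzzing applied to a constructed Create PDP Context
Request. Type numbers and TV lengths follow 3GPP TS 29.060; the mandatory-IE
table is a simplified subset (assumption); packet contents are constructed."""
import random
import struct

GTPC_MSG_TYPES = {1, 2, 3, 16, 17, 18, 19, 20, 21}   # Echo, Version Not Supported, Create/Update/Delete PDP Context
TV_LENGTHS = {1: 1, 2: 8, 3: 6, 4: 4, 5: 4, 14: 1, 16: 4, 17: 4, 19: 1, 20: 1, 127: 4}  # type < 128: fixed length
TLV_TYPES = {128, 131, 132, 133, 134, 135}   # End User Address, APN, PCO, GSN Address, MSISDN, QoS Profile
MANDATORY = {16: {16, 20, 133, 135}, 17: {1}, 20: {20}, 21: {1}}   # reduced subset of the spec's tables


def build_gtpc(msg_type, teid, ies, seq=None):
    """Encode a GTPv1 message: 8-byte header, optional seq/N-PDU/ext fields, then IEs."""
    body = b"".join(bytes([t]) + (v if t < 128 else struct.pack("!H", len(v)) + v) for t, v in ies)
    flags, opt = 0x30, b""                     # version 1, PT=1 (GTP, not GTP')
    if seq is not None:
        flags, opt = flags | 0x02, struct.pack("!HBB", seq, 0, 0)   # S flag: sequence number present
    return struct.pack("!BBHI", flags, msg_type, len(opt) + len(body), teid) + opt + body


def parse_gtpc(pkt):
    """Return (message, problems); problems lists every structural violation found."""
    problems = []
    if len(pkt) < 8:
        return None, ["truncated mandatory header"]
    flags, msg_type, length, teid = struct.unpack("!BBHI", pkt[:8])
    if flags >> 5 != 1:
        problems.append(f"unsupported GTP version {flags >> 5}")
    if not flags & 0x10:
        problems.append("PT flag indicates GTP' rather than GTP")
    offset = 8
    if flags & 0x07:                           # any of E, S, PN set: four optional bytes follow
        if len(pkt) < 12:
            return None, problems + ["truncated optional header"]
        _seq, _npdu, next_ext = struct.unpack("!HBB", pkt[8:12])
        offset = 12
        if flags & 0x04 and next_ext != 0:
            problems.append("extension headers not handled")
    if length != len(pkt) - 8:                 # length excludes the mandatory 8-byte header
        problems.append(f"length field {length} does not match payload {len(pkt) - 8}")
    if msg_type not in GTPC_MSG_TYPES:
        problems.append(f"unknown message type 0x{msg_type:02x}")
    ies, last_type = [], -1
    while offset < len(pkt):
        t = pkt[offset]
        if t < 128:                            # TV: length implied by the type
            n = TV_LENGTHS.get(t)
            if n is None:
                problems.append(f"unknown TV IE type {t}; remaining IEs unreadable")
                break
            value, offset = pkt[offset + 1:offset + 1 + n], offset + 1 + n
        else:                                  # TLV: two-byte length follows the type
            if offset + 3 > len(pkt):
                problems.append(f"truncated TLV IE type {t}")
                break
            n = struct.unpack("!H", pkt[offset + 1:offset + 3])[0]
            value, offset = pkt[offset + 3:offset + 3 + n], offset + 3 + n
            if t not in TLV_TYPES:
                problems.append(f"unknown TLV IE type {t}")
        if len(value) < n:
            problems.append(f"IE type {t} truncated")
            break
        if t < last_type:                      # TS 29.060 requires IEs in ascending type order
            problems.append(f"IE type {t} out of order")
        last_type = t
        ies.append((t, value))
    present = {t for t, _ in ies}
    problems += [f"mandatory IE type {t} missing" for t in sorted(MANDATORY.get(msg_type, set()) - present)]
    return {"type": msg_type, "teid": teid, "ies": ies}, problems


def sample_create_request():
    """Constructed Create PDP Context Request (every value is made up)."""
    ies = [(2, bytes.fromhex("1234567890123456")),      # IMSI (TBCD)
           (16, struct.pack("!I", 0x1001)),             # TEID Data I (user plane, TEID_S)
           (17, struct.pack("!I", 0x1002)),             # TEID Control Plane (TEID_S)
           (20, b"\x05"),                               # NSAPI
           (128, b"\xf1\x21"),                          # End User Address: IPv4, dynamic
           (131, b"\x08internet"),                      # APN as a length-prefixed label
           (133, bytes([10, 0, 0, 1])),                 # SGSN address, signalling (IP_S)
           (133, bytes([10, 0, 0, 2])),                 # SGSN address, user traffic
           (135, b"\x00\x0b\x92\x1f")]                  # QoS profile (opaque here)
    return build_gtpc(0x10, 0, ies, seq=1)


def flip_bits(pkt, percent, rng):
    """The paper's n% fuzzing: choose n% of the packet's bits at random and invert them."""
    data = bytearray(pkt)
    nbits = max(1, len(data) * 8 * percent // 100)
    for bit in rng.sample(range(len(data) * 8), nbits):
        data[bit // 8] ^= 1 << (bit % 8)
    return bytes(data)


def fuzz_detection_rate(percent, trials, seed=0):
    """Fraction of fuzzed requests the structural checks flag."""
    rng, base = random.Random(seed), sample_create_request()
    flagged = sum(1 for _ in range(trials) if parse_gtpc(flip_bits(base, percent, rng))[1])
    return flagged / trials
```

Running `fuzz_detection_rate(5, 40)` flags essentially every 5%-fuzzed request, because a flipped bit in a TV type byte or a TLV length field desynchronises every IE that follows, which is the effect the passage describes. The complement is also visible: flips that land only inside IE values (IMSI digits, a TEID, the QoS bytes) leave the packet structurally valid, which is why a structural validator alone is not a detector for semantically malformed packets and why the paper analyses each GTP-C category's field values separately.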

Similar publications

Conference Paper
In China, traditional methods of building Modbus remote monitoring systems have some drawbacks. They are tightly dependent on telephone lines if wired communication is used; transfer speed is limited when using wireless technology like GPRS; proprietary interfaces make it hard to reuse software designs, and new information islands may be formed. So...
Conference Paper
Despite the 83% mobile phone penetration rate, the Danish mobile telecommunications market has witnessed slow uptake of advanced mobile services available over GPRS and 3G. In this paper we report results from a survey of 1,103 respondents. We delineate four categories of mobile users in the Danish market based on the technology in use and explore...

Citations

... Due to the open nature of IP (open protocols) in 3G/4G technologies, these networks are potential targets of cyberattackers to intrude services and cause problems to the end users and mobile operators. The cyber-attackers could steal user data such as IMSI number, billing information and contact details, degrade networks through DoS, or interrupt or suspend services of a host connected to the Internet, thus making network resources unavailable to its end users [2]. Data mining has evolved as a good technology to figure out the above mentioned security threats. ...
Article
Data mining is the process that extracts, classifies and analyzes valid and useful information from large volumes of data provided by multiple sources. The data mining has been widely applied into various areas, one of which is to investigate potential security threats. In the literature, various data mining techniques such as classification and clustering have been proposed to detect intrusions, DoS attacks, and malware. This paper surveys different data mining techniques applied to detect security threats and analyzes their advantages and disadvantages. Through comparison, we discuss open research issues about security-related data mining and propose future research focus.
... However, most of the solutions are applied to other signaling protocols (e.g. SIP [27], GTP-C [28]) and the work towards DIAMETER is still limited. Recently, when realizing the challenges through the deployment of DIAMETER in mobile networks (e.g. ...
Article
The adoption of the DIAMETER protocol is increasing very fast especially in the telecommunication area where 4G networks are being deployed. As the next generation protocol for providing Authentication, Authorization, and Accounting (AAA) services, IETF has dedicated a lot of efforts to make this protocol secure. In spite of this fact, security is still one of the biggest challenges that mobile network operators need to further investigate. In this paper, we will describe how DIAMETER can be utilized to carry out attacks against mobile networks. In addition to that, we will review the current security efforts from standardization, academia and industry. We discuss the possibility of dealing with different attacks by investigating the DIAMETER traffic. To be more concrete, two security practices are presented. In the former, a flexible DIAMETER testbed is introduced in order to support the variety of the security research requirements. The second practice illustrates more the use of DIAMETER in mitigating fraud.
Article
The use of end-to-end data mining methodologies such as CRISP-DM, KDD process, and SEMMA has grown substantially over the past decade. However, little is known as to how these methodologies are used in practice. In particular, the question of whether data mining methodologies are used ‘as-is’ or adapted for specific purposes, has not been thoroughly investigated. This article addresses this gap via a systematic literature review focused on the context in which data mining methodologies are used and the adaptations they undergo. The literature review covers 207 peer-reviewed and ‘grey’ publications. We find that data mining methodologies are primarily applied ‘as-is’. At the same time, we also identify various adaptations of data mining methodologies and we note that their number is growing rapidly. The dominant adaptations pattern is related to methodology adjustments at a granular level (modifications) followed by extensions of existing methodologies with additional elements. Further, we identify two recurrent purposes for adaptation: (1) adaptations to handle Big Data technologies, tools and environments (technological adaptations); and (2) adaptations for context-awareness and for integrating data mining solutions into business processes and IT systems (organizational adaptations). The study suggests that standard data mining methodologies do not pay sufficient attention to deployment issues, which play a prominent role when turning data mining models into software products that are integrated into the IT architectures and business processes of organizations. We conclude that refinements of existing methodologies aimed at combining data, technological, and organizational aspects, could help to mitigate these gaps.
Article
The dramatic increase of smart mobile devices and applications, the advent of Android OS, the increased number of wireless radios (incl. NFC) the support and the low awareness about security and privacy risks on the one hand, and the flatter, IP-based network architecture, the introduction of new radio technologies (femtocells, WiFi, LTE) and applications (M2M, NFC) on the other, have changed the mobile threats landscape and will change the way security will be dealt in the coming years. Mobile Network Operators (MNOs) have started to investigate the possibility to introduce additional measures to secure their networks, providing thus a defense before security threats materialize.