SMS-Watchdog: Profiling Social Behaviors of SMS Users for Anomaly Detection

With more than one trillion mobile messages delivered worldwide every year, SMS has been a lucrative playground for various attacks and frauds such as spamming, phishing and spoofing. These SMS-based attacks pose serious security threats to both mobile users and cellular network operators, such as information stealing, overcharging, battery exhaustion, and network congestion. Against the backdrop that approaches to protecting SMS security are lagging behind, we propose a lightweight scheme called SMS-Watchdog that can detect anomalous SMS behaviors with high accuracy. Our key contributions are summarized as follows: (1) After analyzing an SMS trace collected within a five-month period, we conclude that for the majority of SMS users, there are window-based regularities regarding whom a user sends messages to and how frequently she sends messages to each recipient. (2) Based on these regularities, we propose four detection schemes that build normal social behavior profiles for each SMS user and then use them to detect SMS anomalies in an online and streaming fashion. Each of these schemes stores only a few states (typically, at most 12 states) in memory for each SMS user, thereby imposing very low overhead for online anomaly detection. (3) We evaluate these four schemes and also two hybrid approaches with realistic SMS traces. The results show that the hybrid approaches can detect more than 92% of SMS-based attacks with a false alarm rate of 8.5%, or about two thirds of the attacks without any false alarm, depending on their parameter settings.
