Cyber Security for the Smart Grid - Penn State Engineering ...pdm12/cse545-s11/slides/cse545...

Page 1

CSE545 - Advanced Network Security - Professor McDaniel

Telecommunications Security

Professor Patrick McDaniel
CSE545 - Advanced Network Security
Spring 2011

Page 2

Cellular Networks

• Provide communications infrastructure for an estimated 2.6 billion users daily.

‣ The Internet connects roughly 1 billion.

• For many people, this is their only means of reaching the outside world.

• The portable and inexpensive nature of user equipment makes this technology accessible to most socio-economic groups.

Page 3

Aren't They The Same?

• Cellular networks and the Internet are built to support very different kinds of traffic.

‣ Real-time vs best effort

• The notions of control and authority are different.

‣ Centralized vs distributed

• The underlying networks are dissimilar.

‣ Circuit vs packet-switched

Page 4

Cellular Systems

• Wireless access

‣ TDMA (IS-136, GSM)

‣ CDMA (IS-95, CDMA2000)

‣ WCDMA (UMTS)

• Connection-oriented networks for voice

‣ PSTN (ISDN)

• Packet overlay networks for data

‣ General Packet Radio Service (GPRS) - GSM and UMTS

‣ Evolution-Data Optimized (EV-DO) - CDMA2000

• Rebranded from "Evolution-Data Only"

• Signaling protocols

‣ Signaling System No. 7 (SS7) for voice and GPRS

‣ IETF protocols for EV-DO

Pages 5-13

Wireless Standards Evolution to 3G

• 1G: Analog AMPS, TACS

• 2G: IS-95-A/cdmaOne, IS-136 TDMA, GSM

• 2.5G: IS-95-B/cdmaOne, GSM GPRS, HSCSD

• 2.75G: GSM EDGE

• 3G: CDMA2000 1xRTT (1.25 MHz), CDMA2000 1xEVDO (1.25 MHz), CDMA2000 3x (5 MHz), WCDMA

• 4G: LTE, WiMAX

(Diagram, built up one generation at a time; spectrum axis labels: "Existing Spectrum" and "700 MHz".)

Pages 14-26

Reference Architecture

• MS: Mobile Subscriber/Station

• BTS: Base Transceiver Station

• BSC: Base Station Controller

• MSC: Mobile Switching Center

• HLR: Home Location Register

• AuC: Authentication Center

• VLR: Visitor's Location Register

(Diagram, built up one element at a time: the MS talks over the air to a BTS; several BTSs connect to a BSC; several BSCs connect to an MSC, and each MSC has a VLR; the MSCs connect to the HLR with its AuC, to the PSTN/ISDN, and to the MSC/HLR of another wireless network.)

Page 27

Basic Network Architecture

• Gateway MSC receives incoming calls for phones.

• Serving MSC assigned based on location.

• HLR: Permanent registry for service profiles, pointer to the VLR.

• VLR: Temporary repository for profile information, pointer to the serving MSC.

(Diagram: an MS served by one of several BSs; the BSs connect to the serving MSC with its VLR; the core network links that MSC to the HLR, the GMSC and the SMSC.)

Page 28

Cellular Services

• Automatic call delivery

‣ find a user, deliver a call

• IN (Intelligent Network)-type services

‣ e.g., call forwarding

• Messaging

‣ short message service

• Connection-oriented user data transfer

‣ voice, fax, circuit-switched data

• Packet data

‣ General Packet Radio Service (GPRS) - GSM and UMTS

‣ Evolution-Data Optimized (EV-DO) - CDMA2000

Page 29

High Level Call Flow

• Mobile user registers

‣ Power up/down

‣ Movement

‣ Periodic

• Call recipient located

‣ Call routed to gateway or home MSC

‣ Gateway MSC searches for the called mobile (via HLRs and VLRs)

‣ Mobile user is paged (determines current base station)

• Call delivered

‣ Uses standard SS7 procedures

Pages 30-40

Delivering a Call

(Diagram: MS, BSs, serving MSC with VLR, core network, HLR, GMSC, SMSC. The animation adds one message per step:)

1. 404-894-2000 (the dialed number arrives at the GMSC)

2. 404-894-2000 maps to HLR X

3. "How do I deliver call to User 222?" (GMSC asks the HLR)

4. "How do I deliver call to User 222?" (HLR asks the VLR that currently holds the user)

5. 999-xxx

6. 999-xxx

7. 999-xxx (steps 5-7: a temporary routing number for the mobile is relayed back toward the GMSC)

8. Call to 999-xxx (the GMSC routes the call to the serving MSC)

9. Page (the serving MSC pages the mobile through its base stations)

10. Call (delivered to the MS)

Page 41

Protocols of Note

(Diagram: MS, BSs, MSC with VLR, MSC, HLR, PSTN/ISDN.)

• SS7 (signaling between the switching elements and the PSTN/ISDN)

• Mobility management protocols: GSM-MAP, ANSI-41 MAP

• Air interfaces: GSM, IS-136, IS-95, UMTS

Page 42

Mobile Registration - High Level

(Diagram, left to right: Old SMSC, Old VLR, HLR, VLR, MSC, BS. The new MSC/VLR sends Update Location to the HLR; the HLR sends Cancel Location to the old VLR, which answers OK.)
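Added example (not code from the slides): a small Python model of the two procedures above, registration with Update Location / Cancel Location (Page 42) and call delivery through the HLR and the serving VLR (Pages 30-40). The message names are the GSM-MAP operation names; the subscriber identity, the VLR/MSC names and the 998-/999- roaming-number ranges are made up for the example.

```python
"""Call delivery and registration model (added example; not from the slides).

Mirrors the slide flows: a mobile registers at a new MSC/VLR (Update Location
at the HLR, Cancel Location at the old VLR), and a gateway MSC locates the
called mobile by asking the HLR, which asks the serving VLR for a temporary
roaming number. Identities, VLR/MSC names and number ranges are made up.
"""


class VLR:
    """Temporary repository: profiles of visiting subscribers plus its serving MSC."""

    def __init__(self, name, msc_name, msrn_prefix):
        self.name = name
        self.msc_name = msc_name
        self.msrn_prefix = msrn_prefix     # assumed roaming-number range, e.g. "999"
        self.visitors = {}                 # imsi -> profile copied from the HLR
        self._msrn_counter = 0

    def attach(self, imsi, hlr, log):
        """Mobile registers here (power-up, movement or periodic): tell the HLR."""
        self.visitors[imsi] = hlr.update_location(imsi, self, log)

    def cancel_location(self, imsi, log):
        """HLR says the subscriber has moved on: drop the temporary record."""
        self.visitors.pop(imsi, None)
        log.append((self.name, "HLR", f"Cancel Location OK {imsi}"))

    def provide_roaming_number(self, imsi, log):
        """Allocate a temporary number that routes a call to this VLR's MSC."""
        if imsi not in self.visitors:
            raise KeyError(f"{imsi} is not registered at {self.name}")
        self._msrn_counter += 1
        msrn = f"{self.msrn_prefix}-{self._msrn_counter:04d}"
        log.append((self.name, "HLR", f"Provide Roaming Number: {msrn}"))
        return msrn


class HLR:
    """Permanent registry: service profile per subscriber and a pointer to the current VLR."""

    def __init__(self):
        self.subscribers = {}   # imsi -> {"msisdn": ..., "vlr": VLR or None}
        self.by_msisdn = {}     # dialed number -> imsi

    def provision(self, imsi, msisdn):
        self.subscribers[imsi] = {"msisdn": msisdn, "vlr": None}
        self.by_msisdn[msisdn] = imsi

    def update_location(self, imsi, new_vlr, log):
        """Record the new VLR; cancel the entry at the old one if the mobile moved."""
        log.append((new_vlr.name, "HLR", f"Update Location {imsi}"))
        record = self.subscribers[imsi]
        old_vlr = record["vlr"]
        if old_vlr is not None and old_vlr is not new_vlr:
            log.append(("HLR", old_vlr.name, f"Cancel Location {imsi}"))
            old_vlr.cancel_location(imsi, log)
        record["vlr"] = new_vlr
        log.append(("HLR", new_vlr.name, "Update Location OK"))
        return {"msisdn": record["msisdn"]}

    def send_routing_info(self, msisdn, log):
        """GMSC asks how to deliver a call: answer with (roaming number, serving MSC) or None."""
        log.append(("GMSC", "HLR", f"How do I deliver a call to {msisdn}?"))
        imsi = self.by_msisdn[msisdn]
        vlr = self.subscribers[imsi]["vlr"]
        if vlr is None:
            log.append(("HLR", "GMSC", "subscriber not reachable"))
            return None
        log.append(("HLR", vlr.name, f"How do I deliver a call to {imsi}?"))
        msrn = vlr.provide_roaming_number(imsi, log)
        log.append(("HLR", "GMSC", msrn))
        return msrn, vlr.msc_name


def deliver_call(dialed, hlr, log):
    """GMSC side: resolve the dialed number to a roaming number, route the call, page."""
    answer = hlr.send_routing_info(dialed, log)
    if answer is None:
        return None
    msrn, serving_msc = answer
    log.append(("GMSC", serving_msc, f"Call to {msrn}"))
    log.append((serving_msc, "BS", "Page"))
    return msrn


def demo():
    """Register a phone at VLR-A, move it to VLR-B, then deliver a call to it."""
    log = []
    hlr = HLR()
    hlr.provision("imsi-222", "404-894-2000")
    vlr_a = VLR("VLR-A", "MSC-A", "998")
    vlr_b = VLR("VLR-B", "MSC-B", "999")
    vlr_a.attach("imsi-222", hlr, log)
    vlr_b.attach("imsi-222", hlr, log)   # movement: HLR cancels the VLR-A entry
    msrn = deliver_call("404-894-2000", hlr, log)
    return msrn, log


if __name__ == "__main__":
    for src, dst, msg in demo()[1]:
        print(f"{src:>6} -> {dst:<6} {msg}")
```

The log returned by demo() is the message sequence the two slides draw: Update Location / Cancel Location / OK during the move, then the GMSC-HLR-VLR question and the 999- roaming number coming back before the call is routed and the mobile paged. A subscriber with no VLR pointer (never registered) makes send_routing_info return None, which is the case the diagram does not show.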

Page 43

GSM - Air Interface

• Let's get into the details of the most widely used air interface...

• The GSM air interface supports:

‣ Call origination and termination

‣ Registration (location update and authentication)

‣ SMS

‣ Mobile-assisted handoff

‣ User confidentiality

‣ Data confidentiality

‣ Sleep mode

Page 44

GSM Spectrum

• 50 MHz in total (2 × 25 MHz)

‣ Uplink and downlink split the bandwidth and use different frequencies (frequency-division duplex)

• Reverse channel (uplink)

‣ 890-915 MHz

• Forward channel (downlink)

‣ 935-960 MHz

• Carriers spaced at 200 kHz (25 MHz / 200 kHz gives 124 usable carriers in each direction)

‣ Why is this?

Each carrier uses Time-Division Multiple Access (TDMA) with 8 timeslots per 4.615 ms frame, so one 200 kHz carrier serves up to eight users at once.

Page 45

GSM Structure

• Common Control Channel (CCCH)

‣ Used for control information: registration, paging, call origination/termination.

• Traffic Channel (TCH)

‣ Information transfer

‣ In-call control (fast/slow associated control channels)

(Diagram: one Common Control Channel (CCCH) alongside the Traffic Channels, one TCH per user in a call, each carrying 13 kbps full-rate speech.)

Page 46

GSM Structure

• The CCCH is really a series of many logical channels, each discernible by its position in time.

• The diagram in the previous slide should not be viewed "to scale".

‣ The control channels generally represent ~3-6% of the resources in a cell.

‣ Everything else is dedicated to TCHs.

‣ Why?

Pages 47-48

Low Rate DoS Attacks

• While recent attacks on cellular networks seem unrelated, there is a common factor that catalyzes them all.

• Comparing multiple attacks uncovers causality:

‣ SMS Attack (JCS'09, CCS'05)

‣ Network Characterization and Partial Mitigations (TON'10, MobiCom'06)

‣ Data Teardown/Setup Attacks (USENIX Security'07)

• The architecture of cellular networks inherently makes them susceptible to denial of service attacks.

Clash of Design Philosophies

Pages 49-55

SMS Delivery (simplified)

(Diagram, built up step by step: a message enters from the Internet or the PSTN through an ESME and reaches the SMSC; the SMSC consults the HLR for the recipient's current MSC/VLR; the message is forwarded to that MSC and delivered to the phone over a control channel (CCH).)

Page 56

Control Channels

• Control channels are used for a handful of infrequently used functions.

‣ Call setup, SMS delivery, mobility management, etc...

• The SDCCH allows the network to perform most of these functions.

• The number of SDCCHs typically depends on the expected use in an area.

‣ 4/8/12...

(Diagram: the control channels PCH, AGCH, RACH and SDCCH.)

Page 57

Recognition

• Once you fill the SDCCH channels with SMS traffic, call setup is blocked.

• The goal of an adversary is therefore to fill SDCCHs with SMS traffic.

‣ Not as simple as you might think...

(Diagram: a row of SDCCHs all occupied by SMS sessions; an arriving voice call finds no free channel and is marked X.)

Page 58

Reconnaissance

• Can such an attack be launched by targeting a single phone?

‣ Low end phones: 30-50 msgs

‣ High end phones: 500+ msgs (battery dies)

• How do you get messages into the network?

‣ Email, IM, provider websites, bulk senders, etc...

• Don't the networks have protections?

‣ IP address blocking, spam filtering

Page 59

Finding Phones

• North American Numbering Plan (NANP)

‣ Mappings between providers and exchanges are publicly documented and available on the web

• Implication: An adversary can identify the prefixes used in a target area.

NPA-NXX-XXXX

‣ NPA: Numbering Plan Area (area code)

‣ NXX: Numbering Plan Exchange (central office code)

‣ XXXX: subscriber line number
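Added example (not code from the slides or the papers they cite): the prefix step of the reconnaissance described above in Python. It pulls candidate numbers out of scraped text, validates them against the NANP digit rules (NPA is [2-9][0-8][0-9], NXX is [2-9][0-9][0-9], and N11 codes are service codes rather than exchanges), and buckets them by NPA-NXX against a prefix-to-provider table. The prefix table, the carrier names and the scraped text are constructed for the example; the 555 exchange is fictitious by design.

```python
"""NANP prefix reconnaissance (added example; not from the slides).

Extract numbers from scraped text, normalize them to NPA-NXX-XXXX, drop
N11 service codes, and group by exchange against a prefix table of the
kind published for the numbering plan. Table and sample text are made up.
"""
import re
from collections import Counter

# Assumed prefix table: NPA-NXX -> (carrier, rate center). Entries are fictitious.
PREFIX_TABLE = {
    "202-555": ("CarrierA", "Washington DC"),
    "202-556": ("CarrierB", "Washington DC"),
    "212-555": ("CarrierA", "New York NY"),
    "646-555": ("CarrierC", "New York NY"),
}

# NPA [2-9][0-8]X, NXX [2-9]XX, line XXXX; tolerate (), spaces, dots, dashes;
# the lookarounds stop a 10-digit run inside a longer digit string from matching.
_NUMBER_RE = re.compile(
    r"(?<!\d)\(?([2-9][0-8]\d)\)?[\s.-]?([2-9]\d{2})[\s.-]?(\d{4})(?!\d)"
)


def extract_numbers(text):
    """Return normalized 'NPA-NXX-XXXX' strings found in text, rejecting N11 exchanges."""
    found = []
    for npa, nxx, line in _NUMBER_RE.findall(text):
        if nxx[1:] == "11":          # 411, 911, ... are service codes, not exchanges
            continue
        found.append(f"{npa}-{nxx}-{line}")
    return found


def bucket_by_prefix(numbers, prefix_table):
    """Group numbers by NPA-NXX and attach the owning carrier/rate center where known."""
    counts = Counter(n[:7] for n in numbers)
    return {
        prefix: {"count": count, "owner": prefix_table.get(prefix)}
        for prefix, count in counts.items()
    }


def targets_in_area(numbers, prefix_table, rate_center):
    """Numbers whose exchange is assigned to the given rate center (the target area)."""
    return sorted(
        n for n in numbers
        if prefix_table.get(n[:7], (None, None))[1] == rate_center
    )


# Constructed sample of scraped text; every number here is fictitious.
SAMPLE_TEXT = """
Contact: (202) 555-0142 or 202.555.0199; fax 202-556-0107.
NYC office: 212-555-0123, mobile 646 555 0188. Not a number: 12345678901.
Information: 202-411-0000 (service code, should be dropped). Also 911.
"""

if __name__ == "__main__":
    numbers = extract_numbers(SAMPLE_TEXT)
    for prefix, info in sorted(bucket_by_prefix(numbers, PREFIX_TABLE).items()):
        print(prefix, info)
    print("DC targets:", targets_in_area(numbers, PREFIX_TABLE, "Washington DC"))
```

The regular expression is deliberately strict about the first digit of the NPA and NXX; loosening it to "any ten digits" is what turns a scrape into a pile of order numbers and ZIP+4 codes. Anything the prefix table does not know stays in the buckets with owner None so it can be resolved later rather than silently dropped.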

Page 60

Web-Scraping

• Googling for phone numbers gives us better results:

‣ 7,300 in NYC

‣ 6,184 in D.C.

‣ ... in 5 seconds

Page 61

Provider Interfaces

• Almost all provider interfaces indicate whether or not a number is good.

‣ Some sites even tell you a target phone's availability.

• This interface is an "oracle" for available phones.

Page 62: Cyber Security for the Smart Grid - Penn State Engineering ...pdm12/cse545-s11/slides/cse545... · ‣ CDMA (IS-95, CDMA2000) ... Visitor’s Location Register 6 BTS BSC BTS BTS BSC

CSE545 - Advanced Network Security - Professor McDaniel Page

Exploit (Metro)

• 165 msgs/sec * 1500 bytes = 1933.6 kb/sec

• 193.36 kb/sec on multi-send interface...

• Comparison: Cable modem ~= 768 kb/sec

Sectors in Manhattan

SDCCHs persector

Messages per SDCCH per hour

CCH* SDCCH/8 TCH TCH TCH TCH TCH TCH

TCH TCH TCH TCH TCH TCH TCH TCH

TCH TCH TCH TCH TCH TCH TCH TCH

TCH TCH TCH TCH TCH TCH TCH TCH

TRX 1

TRX 2

TRX 3

TRX 4

0 1 2 3 4 5 6 7

Figure 4: An example air interface with four carriers (each

showing a single frame). The first time slot of the first carrier

is the Common CCH. The second time slot of the first chan-

nel is reserved for SDCCH connections. Over the course of a

multiframe, capacity for eight users is allotted. The remaining

time slots across all carriers are designated for voice data. This

setup is common in many urban areas.

is divided into eight timeslots and, when viewed as a whole, form

a frame. During a given timeslot, the assigned user receives full

control of the channel. From the telephony perspective, a user as-

signed to a given TCH is able to transmit voice data once per frame.

In order to provide the illusion of continuous voice sampling, the

frame length is limited to 4.615 ms. An illustration of this system

is shown in Figure 4.

Because the bandwidth within a given frame is limited, data (es-

pecially relating to the CCH) must often span a number of frames,

as depicted in Figure 5. This aggregation is known as a multiframe

and is typically comprised of 51 frames6. For example, over the

course of a single multiframe, the base station is able to dedicate

up to 34 of the 51 Common CCH slots to paging operations.

Each channel has distinct characteristics. While the PCH is used

to signal each incoming call and text message, its commitment to

each session is limited to the transmission of a TMSI. TCHs, on

the other hand, remain occupied for the duration of a call, which on

average is a number of minutes [44]. The SDDCH, which has ap-

proximately the same bandwidth as the PCH across a multiframe,

is occupied for a number of seconds per session establishment. Ac-

cordingly, in many scenarios, this channel can become a bottleneck.

In order to determine the characteristics of the wireless bottleneck, it is necessary to understand the available bandwidth. As shown in Figure 5, each SDCCH spans four logically consecutive timeslots in a multiframe. With 184 bits per control channel unit and a multiframe cycle time of 235.36 ms, the effective bandwidth is 782 bps [4]. Given that authentication, TMSI renewal, the enabling of encryption, and the 160 byte text message must be transferred, a single SDCCH is commonly held by an individual session for between four and five seconds [44]. The gray-box testing in Section 3.1 reinforces the plausibility of this value by observing no messages delivered in under six seconds.

This service time translates into the ability to handle up to 900 SMS sessions per hour on each SDCCH. In real systems, the total number of SDCCHs available in a sector is typically equal to twice the number of carriers (see footnote 7), or one per three to four voice channels. For example, in an urban location such as the one demonstrated in Figure 4 where a total of four carriers are used, a total of eight SDCCHs are allocated. A less populated suburban or rural sector may only have two carriers per area and therefore have four allocated SDCCHs. Densely populated metropolitan sectors may have as many as six carriers and therefore support up to 12 SDCCHs per area.

[Figure 5: Timeslot 1 from each frame in a multiframe creates the logical SDCCH channel. In a single multiframe, up to eight users can receive SDCCH access. Panel labels: Radio Carrier, Time Slot # (0 to 7), Frame #, Multiframe, SDCCH 0, SDCCH 1.]

Footnote 6: Multiframes can actually contain 26, 51 or 52 frames. A justification for each case is available in the standards [4].

Footnote 7: Actual allocation of SDCCH channels may vary across implementations; however, these are the generally accepted values throughout the community.

We now calculate the maximum capacity of the system for an area. As indicated in a study conducted by the National Communications System (NCS) [44], the city of Washington D.C. has 40 cellular towers and a total of 120 sectors. This number reflects sectors of approximately 0.5 to 0.75 mi² through the 68.2 mi² city. Assuming that each of the sectors has eight SDCCHs, the total number of messages per second needed to saturate the SDCCH capacity C is:

$$C = (120\ \text{sectors}) \left(\frac{8\ \text{SDCCH}}{1\ \text{sector}}\right) \left(\frac{900\ \text{msgs/hr}}{1\ \text{SDCCH}}\right) = 864{,}000\ \text{msgs/hr} = 240\ \text{msgs/sec}$$

Manhattan is smaller in area at 31.1 mi². Assuming the same sector distribution as Washington D.C., there are 55 sectors. Due to the greater population density, we assume 12 SDCCHs are used per sector.

$$C = (55\ \text{sectors}) \left(\frac{12\ \text{SDCCH}}{1\ \text{sector}}\right) \left(\frac{900\ \text{msg/hr}}{1\ \text{SDCCH}}\right) = 594{,}000\ \text{msg/hr} = 165\ \text{msg/sec}$$

Given that SMSCs in use by service providers in 2000 were capable of processing 2500 msgs/sec [59], such volumes are achievable even in the hypothetical case of a sector having twice this number of SDCCHs.

Using a source transmission size of 1500 bytes as described in Section 3.1 to submit an SMS from the Internet, Table 3 shows the bandwidth required at the source to saturate the control channels, thereby incapacitating legitimate voice and text messaging services for Washington D.C. and Manhattan. The adversary's bandwidth requirements can be reduced by an order of magnitude when attacking providers including Verizon and Cingular Wireless due to the ability to have a single message repeated to up to ten recipients.

Due to the data gathered in Section 3.1, sending this magnitude of messages to a small number of recipients would degrade the effectiveness of such an attack. As shown in the previous section, targeted phones would quickly see their buffers reach capacity. Undeliverable messages would then be buffered in the network until the space allotted per user was also exhausted. These accounts would likely be flagged and potentially temporarily shut down for receiving a high number of messages in a short period of time, thereby


Attack Profile

• Applied simulation and analysis to better characterize the attacks.

• Examined call blocking under multiple arrival patterns with exponentially distributed service times.

• Using 495 msgs/sec, a blocking probability of 71% is possible with the bandwidth of a cable modem.

[Figure: SDCCH Utilization and TCH Utilization (y axis: Utilization, 0 to 1.2) versus Time (seconds), 0 to 4000.]


Security Goals

• Goal: To preserve the fidelity of both voice services and legitimate text messages during targeted SMS attacks.

• Security Model:

‣ We must trust equipment in the network core.

‣ We can not trust Internet users or customer devices.


Placing Mitigations

[Figure: network diagram showing the Internet, the PSTN, an ESME, the SMSC, the HLR, and two MSC/VLR pairs serving the cellular network; the slide marks where mitigations can be placed.]


Solution Classifications

• Scheduling/Shaping/Regulation

‣ WFQ, Leaky Bucket, Priority Queues

‣ AQM (WRED, REM, AVQ)

• Resource Provisioning

‣ SRP

‣ DRP

‣ DCA

[Figure: four plots versus Time (seconds), 0 to 4000. Percent of Attempts Blocked for Service Queue (SMS), Service Queue (Voice) and TCH (Voice); Percent of Attempts Blocked for SDCCH (SMS), SDCCH (Voice) and TCH (Voice), in two panels; and Utilization of SDCCH, TCH and Service Queue.]


WRED - Overview

[Figure: WRED drop-probability ramps for the Low, Med and High classes, with thresholds t_low,min, t_med,min, t_med,max and t_low,max on the queue-occupancy axis.]


closer to a moving average and not capacity, space typically exists to accommodate sudden bursts of traffic. However, one of the chief difficulties with traditional RED is that it eliminates the ability of a provider to offer quality of service (QoS) guarantees because all traffic entering a queue is dropped with equal probability. Weighted Random Early Detection (WRED) solves this problem by basing the probability a given incoming message is dropped on an attribute such as its contents, source or destination. Arriving messages not meeting some priority are therefore subject to increased probability of drop. The dropping probability for each class of message is tuned by setting $t_{priority,min}$ and $t_{priority,max}$ for each class.

We consider the use of authentication as a means of creating messaging priority classes. For example, during a crisis, messages injected to a network from the Internet by an authenticated municipality or from emergency personnel could receive priority over all other text messages. A number of municipalities already use such systems for emergency [32] and traffic updates [36]. Messages from authenticated users within the network itself receive secondary priority. Unauthenticated messages originating from the Internet are delivered with the lowest priority. Such a system would allow the informative messages (i.e. evacuation plans, additional warnings, etc.) to be quickly distributed amongst the population. The remaining messages would then be delivered at ratios corresponding to their priority level. We assume that packet priority marking occurs at the SMSCs such that additional computational burden is not placed on base stations.

Here, we illustrate how WRED can provide differentiated service to different classes of SMS traffic using the attack scenario described in Tables 1 and 2. We maintain separate queues, which are served in a round robin fashion, for voice requests and SMS requests. We apply WRED to the SMS queue. In this example we assume legitimate text messages arrive at a sector with an average rate of 0.7 msgs/sec with the following distribution: 10% high priority, 80% medium priority, and 10% low priority. The attack generates an additional 9 msgs/sec.

To accommodate sudden bursts of high priority SMS traffic, we choose an SMS queue size of 12. Because we desire low latency delivery of high priority messages, we target an average queue occupancy $Q_{avg} = 3$.

To meet this objective, we must set $t_{low,min}$ and $t_{low,max}$. For M/M/n systems with a finite queue of size m, the number of messages in the queue, $N_Q$, is:

$$N_Q = \frac{P_Q \rho}{1 - \rho} \qquad (2)$$

where:

$$P_Q = \frac{p_0 (m\rho)^m}{m!(1 - \rho)} \qquad (3)$$

where:

$$p_0 = \left[ \sum_{n=0}^{m-1} \frac{(m\rho)^n}{n!} + \frac{(m\rho)^m}{m!(1 - \rho)} \right]^{-1} \qquad (4)$$

Setting $N_Q = 3$, we derive a target load $\rho_{target} = 0.855$. $\rho_{target}$ is the utilization desired at the SDCCHs. Thus, the packet dropping caused by WRED must reduce the actual utilization, $\rho_{actual}$ or $\lambda_{SMS}/(\mu_{SMS} \cdot n)$, caused by the heavy offered load during an attack, to $\rho_{target}$. Therefore:

$$\rho_{target} = \rho_{actual}(1 - P_{drop}) \qquad (5)$$

where $P_{drop}$ is the overall dropping probability of WRED. For traffic with average arrival rate of $\lambda_{SMS} = 9.7$ msgs/sec, $\rho_{actual} = 3.23$. Solving for $P_{drop}$,

$$P_{drop} = 1 - \frac{\rho_{target}}{\rho_{actual}} = 0.736 \qquad (6)$$

$P_{drop}$ can be calculated from the dropping probabilities of the individual classes of messages by ($\lambda_{low} = 9.07$):

$$P_{drop} = \frac{P_{drop,high} \cdot \lambda_{high} + P_{drop,med} \cdot \lambda_{med} + P_{drop,low} \cdot \lambda_{low}}{\lambda_{SMS}} \qquad (7)$$

Because we desire to deliver all messages of high and medium priority, we set $P_{drop,high} = P_{drop,med} = 0$. Using Equation 7, we find $P_{drop,low} = 0.787$. This value is then used in conjunction with Equation 1 to determine $t_{low,min}$ and $t_{low,max}$.

The desired average queue occupancy, $Q_{avg}$, is 3. From equation 1, $t_{low,min}$ must be an integer less than the average queue occupancy. This leaves three possible values for $t_{low,min}$: 0, 1, and 2. The best fit is found when $t_{low,min} = 0$ and $t_{low,max} = 4$, resulting in 75% dropping of low priority traffic.

Using this method it is possible to set thresholds to meet delivery targets. Of course, depending on the intensity of an attack, it may not be possible to meet desired targets according to Equation 7, i.e., it may not be possible to limit blocking to only low priority traffic. While the method outlined here provides just an approximate solution, given the quantization error in setting $t_{low,min}$ and $t_{low,max}$ (they must be integers), we believe the method is sufficient. We provide more insight into the performance of WRED in Section 5.
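The derivation above carried through in Python, as an added example that is not the paper's code: Equations 2 to 4 are inverted to obtain the target load for Q_avg = 3, Equations 5 to 7 give the required low-priority drop rate, and the WRED ramp the text calls Equation 1 is then searched for the best integer thresholds. It assumes, as the text's figures imply, n = 12 SDCCHs with a 4 s service time (μ = 0.25/s) and uses the queue size 12 as m in Equations 3 and 4; those are assumptions, not values the paper states outright.

```python
from math import factorial

# Added example (not the paper's code) carrying the Section 4.2 derivation through.
# Inputs below are constructed from the text: n = 12 SDCCHs, service rate mu = 0.25/s
# (900 msgs/hr per SDCCH), SMS queue size 12, target occupancy Q_avg = 3,
# 0.7 msgs/sec legitimate traffic split 10/80/10, and a 9 msgs/sec attack.


def p0(m, rho):
    """Eq. 4: normalising constant of the M/M/m formula used by the paper."""
    s = sum((m * rho) ** k / factorial(k) for k in range(m))
    s += (m * rho) ** m / (factorial(m) * (1 - rho))
    return 1.0 / s


def queue_length(m, rho):
    """Eq. 2 and 3: expected number of messages waiting, N_Q, at utilisation rho."""
    p_q = p0(m, rho) * (m * rho) ** m / (factorial(m) * (1 - rho))  # Eq. 3
    return p_q * rho / (1 - rho)                                      # Eq. 2


def target_load(m, nq_target):
    """Invert N_Q(rho) by bisection; N_Q grows monotonically with rho on (0, 1)."""
    lo, hi = 1e-6, 1 - 1e-6
    for _ in range(100):
        mid = (lo + hi) / 2
        if queue_length(m, mid) < nq_target:
            lo = mid
        else:
            hi = mid
    return (lo + hi) / 2


def wred_drop(q_avg, t_min, t_max, p_max=1.0):
    """WRED ramp (Eq. 1): no drops below t_min, p_max at or above t_max, linear between."""
    if q_avg <= t_min:
        return 0.0
    if q_avg >= t_max:
        return p_max
    return p_max * (q_avg - t_min) / (t_max - t_min)


def derive_thresholds(n_sdcch=12, mu=0.25, queue_size=12, q_avg=3,
                      lam_legit=0.7, split=(0.1, 0.8, 0.1), lam_attack=9.0):
    """Return the WRED settings for the low-priority class and the intermediate values."""
    lam_high, lam_med, lam_low = (lam_legit * f for f in split)
    lam_low += lam_attack                      # attack messages are unauthenticated: low class
    lam_sms = lam_high + lam_med + lam_low     # 9.7 msgs/sec
    rho_target = target_load(queue_size, q_avg)    # paper: 0.855
    rho_actual = lam_sms / (mu * n_sdcch)          # paper: 3.23
    p_drop = 1 - rho_target / rho_actual           # Eq. 6, paper: 0.736
    p_drop_low = p_drop * lam_sms / lam_low        # Eq. 7 with P_drop,high = P_drop,med = 0
    # Eq. 1: t_min is an integer below Q_avg; choose the integer pair whose ramp
    # value at Q_avg is closest to the required low-priority drop rate.
    candidates = [(t_min, t_max) for t_min in range(q_avg)
                  for t_max in range(t_min + 1, queue_size + 1)]
    t_low_min, t_low_max = min(candidates,
                               key=lambda t: abs(wred_drop(q_avg, *t) - p_drop_low))
    return {"rho_target": rho_target, "rho_actual": rho_actual, "p_drop": p_drop,
            "p_drop_low": p_drop_low, "t_low_min": t_low_min, "t_low_max": t_low_max,
            "achieved_drop": wred_drop(q_avg, t_low_min, t_low_max)}


if __name__ == "__main__":
    for key, value in derive_thresholds().items():
        print(f"{key:14s} {value:.3f}")
```

Changing `lam_attack` shows the caveat in the text: past some intensity no integer pair reaches the required drop rate without also blocking higher classes.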

4.3 Resource Provisioning

None of the above methods deal with the system bottleneck directly; rather, they strive to affect traffic before it reaches the air interface. An alternative strategy of addressing targeted SMS attacks instead focuses on the reallocation of the available messaging bandwidth. We therefore investigate a variety of techniques that modify the way in which the air interface is used.

To analyze these techniques we resort to simple Erlang-B queueing analysis. We present a brief background here. For more details see Schwartz [35]. In a system with n servers, and an offered load in Erlangs of A, the probability that an arriving request is blocked because all servers are occupied is given by:

$$P_B = \frac{A^n / n!}{\sum_{l=0}^{n-1} A^l / l!} \qquad (8)$$

The load in Erlangs is the same as the utilization, $\rho$, in a queueing system; it is simply the offered load multiplied by the service time of the resource. The expected occupancy of the servers is given by:

$$E(n) = \rho(1 - P_B) \qquad (9)$$

4.3.1 Strict Resource Provisioning

Under normal conditions, the resources for service setup and delivery are over-provisioned. At a rate of 50,000 calls/hour in our baseline scenario, for example, the calculated average utilization of SDCCHs per sector is approximately 2%. Given this observation, if a subset of the total SDCCHs can be used only by voice calls, blocking due to targeted SMS attacks can be significantly mitigated. Our first air interface provisioning technique, Strict Resource Provisioning (SRP), attempts to address this contention by allowing text messages to occupy only a subset of the total number of SDCCHs in a sector. Requests for incoming voice calls can compete for the entire set of SDCCHs, including the subset used for SMS. In order to determine appropriate parameters for systems using SRP, we apply Equations 8 and 9.


WRED dropping probability as shown on the slide:

$$P_{drop} = P_{drop,max} \cdot \frac{Q_{avg} - t_{min}}{t_{max} - t_{min}}$$

Thresholds: $t_{low,min}$, $t_{med,min}$, $t_{med,max}$, $t_{low,max}$

$$N_Q = \frac{P_Q \rho}{1 - \rho}$$


WRED - Results

• Messages of high and medium-priority experience no blocking, but increased delay.

• An average of 77% of low-priority messages are blocked.

• This is a nice solution, assuming meaningful partitioning of flows.

[Figure: Percent of Attempts Blocked versus Time (seconds), 0 to 4000, for Service Queue (SMS - Priority 1), (SMS - Priority 2) and (SMS - Priority 3), annotated "Low Priority SMS Blocking"; and Utilization versus Time (seconds) for SDCCH, TCH and Service Queue, annotated "Average Queue Occupancy".]


A Cautionary Tale...

• Cellular networks are among the most specialized systems ever constructed.

• Adding services that violate the assumptions upon which the network is optimized allows an attacker to force such systems to fail at very low rates...

‣ The unintended consequence of attempts to save battery life allow attackers to shut down the network.

• Many more vulnerabilities exist in this network...
