fbs radar uncovering fake base stations at scale in the
play

FBS-Radar: Uncovering Fake Base Stations at Scale in the Wild Zhenhua - PowerPoint PPT Presentation

Oct 24, 2023 •786 likes •1.26k views

Feb. 26 Mar. 1 FBS-Radar: Uncovering Fake Base Stations at Scale in the Wild Zhenhua Li Weiwei Wang Chen Qian Christo Wilson Jian Chen Yunhao Liu Taeho Jung Lan Zhang Kebin Liu Xiangyang Li lizhenhua1983@gmail.com

  1. Feb. 26 – Mar. 1 FBS-Radar: Uncovering Fake Base Stations at Scale in the Wild Zhenhua Li Weiwei Wang Chen Qian Christo Wilson Jian Chen Yunhao Liu Taeho Jung Lan Zhang Kebin Liu Xiangyang Li lizhenhua1983@gmail.com http://www.greenorbs.org/people/lzh/ Mar. 1st, 2017 1

  2. Outline Background State of the Art Our System Locating FBSes Summary 2

  3. Story 1 SMS Text SMS Text Message Message From 95599 From 95599 (Agriculture (Agriculture Bank of China) : : Bank of China) We’re processing the student loan you’ve applied for, and now requiring you to transfer a deposit of ¥9900 (≈ $1500) to the bank account XXXXXXXXX. * Note: This is a simplified version of the actual story which involves more complex details. 3

  4. Story 2 SMS Text SMS Text Message Message From 95566 (Bank of From 95566 (Bank of China): China): Fake Base We’re processing the Stations house mortgage for you. Please prepare ¥17,600,000 (≈ $2,600,000) ... * Note: This is a simplified version of the actual story which involves more complex details. 4

  5. GSM (Global System for Mobile Communication) Bi Birt rth Ye Year Use ser r Sca Scale Speed Sp Se Secu curi rity 2G – – GSM SM 1990 1990 Po Poor > 1 billion 1 billion Low Low 3G – CDMA 2008 < 2 billion Middle Middle 4G – LTE 2009 ≈ 3 billion High Fine authentica cation X Fake Base 5 Stations

  6. FBS Carrier Very high signal strength 6

  7. Fake Base Station (FBS) Engineering Cellphone Legitimate FBS USB BS Cable Engineering Wireless Laptop Transceiver FBS 7

  8. FBS Attack on GSM Phones - 100 dBm - 70 dBm Current Which BS has Connection the highest signal strength? - 60 dBm - 30 dBm I may have to switch my BS Location connec8on … Update GSM 8

  9. FBS Attack on GSM Phones - 100 dBm - 70 dBm New Connection - 60 dBm - 30 dBm GSM 9

  10. FBS Can Also Impact 3G/4G Phones Jamming Signal 3G/4G GSM Degrade GSM GSM has existed for many years, so abandoning GSM also needs many years … 10

  11. FBS Attack Is NOT Hypothetical Russia UK US ☜ China China India Year # FBS Msgs 2013 >> 2.9 billion 2014 >> 4.2 billion 2015 >> 5.7 billion N * billion 11

  12. FBS Industry in China Device: $400 Daily income: $40 Device: $1000 Daily income: $70 Device: $700 Daily income: up to $1400 12

  13. FBS Industry in China Device: $400 Daily income: $40 Device: $1000 Daily income: $70 Device: $700 Daily income: up to $1400 13

  14. State of the Art 14

  15. Electronic Fence Huge infrastructure costs à Poor scalability 15

  16. FBS-signal Detection Car Random walk à Limited coverage & “dull” 16

  17. User Reporting Dial 12321 Most users don’t realize the existence of FBSes 17

  18. Client-side Tools Do they really work in large-scale practice? … 18

  19. Our System: FBS-Radar 19

  20. Baidu PhoneGuard Users Opt-in p Sender’s number is not in Report multiple the recipient’s contact list fields of su susp spici cious SMS messages p Sender’s number is an authoritative number 20

  21. Five Methods 1. Signal 0.23% Strength Examina8on 5. BS-Handover 0.39% 2. BS ID Syntax 0.15% Speed Checking Es8ma8on ~100M users 4.1% 4. BS-WiFi 3. Message 0.16% Loca8on Content Mining Analysis 21

  22. 3.1 Signal Strength Examination ☜ -40 dBm > -40 dBm FBS 0.23% of user- reported suspicious SMS messages 22

  23. 3.2 BS ID Syntax Checking BS ID = MCC + MNC + LAC + CID p MCC: Mobile Country Code, 3 digits p MNC: Mobile Network Code, 2 digits p LAC: Location Area Code, 16 bits p CID: Cell Identity, 16 bits for 2G/3G and 28 bits for 4G 0.15% of suspicious messages were sent by BSes with syntactically invalid IDs 23

  24. 3.3 Message Content Mining p B ag-of-words SVM (Support Vector Machine) classifier trained on 200,000 hand - labeled SMS messages ① Labelling suspicious messages; ② Word segmenta8on; l Computa8on ③ Feature extrac8on; intensive ④ Quan8zing the feature vector; l Viola8on of ⑤ Training the SVM model; user privacy ⑥ Preprocessing the test set; ⑦ SVM classifica8on of the test set. 0.16% of suspicious messages came from authoritative phone numbers and were determined to contain fraud text content 24

  25. 3.4 BS-WiFi Location Analysis BS Location User WiFi Location 4.1% 4.1% of suspicious messages were sent by BSes that were not in their correct geolocation, i.e., they were spoofing the ID of a legitimate but distant BS. 25

  26. 3.4 Counterfeiting a Nearby BS ID - 100 dBm - 70 dBm My loca8on does not change a lot, Current so I needn’t switch Connection to a new BS J - 60 dBm - 30 dBm If I counterfeit Location a nearby BS ID Update … 26

  27. 3.5 BS-Handover Speed Estimation p For BS-WiFi location analysis, what if the WiFi location information is not available? 27

  28. 4.5 BS-Handover Speed Estimation >> 0.39% of suspicious SMS messages come from FBSes 28

  29. Detection Performance p > 4.7% 7% of suspicious messages should have come from FBSes - False positive rate is only 0.05% (according to user feedback), mainly due to the inaccuracy of our WiFi database p Set-3 (by message content mining) is >98% covered by the other 4 sets - No need to collect the text content of users’ messages! - No need to collect the text content of users’ messages! 29

  30. Arresting FBS Operators p With the help of FBS-Radar, the police have arrested tens to hundreds of FBS operators every month 30

  31. Locating FBSes 31

  32. Locating FBSes based on User Device Locations p FBSes frequently move and change their IDs Ø We take both temporal temporal and spatial spatial locality into account Time Only those FBS messages 1) using the same BS ID, BS ID 1 2) happening in the same time time window window , and 3) located in the same spatial cluster Window Ć Ć can be attributed to one FBS. Ć Ć BS ID 2 32

  33. Locating FBSes based on User Device Locations p The centroid of every every cluster is the estimated location of an FBS. ☜ deviation distance FBS This loca8on accuracy is sufficient for us to track FBSes! 33

  34. Real-time Locations of FBSes Public URL à http://shoujiweishi.baidu.com/static/map/pseudo.html 34

  35. Summary l Using extensive crowdsourced data, we evaluate five five different different methods methods for for detect detecting ing FBSes FBSes in the wild, and find that FBSes can be precisely identified without sacrificing user privacy. l We present a reasonable method for locating locating FBSes FBSes with an acceptable accuracy. l FBS-Radar FBS-Radar is is currently currently in in use use by by ~100 ~100M people people . It protects users from millions of malicious messages from FBSes every day, and has helped the authorities arrest numerous FBS operators every month. 35

  36. Backup slides

  37. FBS Attack: Passive vs. Active Passive: IMSI-catcher Rarely reported in China, but sometimes reported in the US Active: Push spam/fraud SMS Year # FBS Msgs messages with spoofed phone numbers 2013 >> 2.9 billion 2014 >> 4.2 billion 2015 >> 5.7 billion 37

  38. Ground Truth p Our ONLY ground truth comes from users’ feedback We think this message comes from an FBS. What do you think? p Yes: 99.95% p No: 0.05% Manual double-check 38

  39. Why not use GPS? p Most people turn GPS off in most time to save battery, so we have to ask users for GPS privilege Locajon User scale accuracy decreases by increases by 20%? for 20%? harassment … 39

  40. Localizing User Devices based on WiFi Information p The centroid of the dominant dominant cluster is the estimated location of the user device k-means deviation distance Centroid Dominant DBSCAN DBSCAN Cluster 40

  41. Spam and Fraud SMS Messages “Dear user, you are lucky to be the winner of this month’s big award! You will be offered 10-GB FREE 4G traffic by clicking on this URL: http://www.10086award.com.” --- sent from 10086 (China ☜ Mobile). Spoofed phone numbers Spoofed phone numbers Fraud “Dear customer, you have failed to pay for this year’s management fee of 100 dollars. If you do not pay for it before Jul. 30th, you will face a fine of 500 dollars. You should pay it by transferring money to the following bank account: ...” --- sent from 95533 (Bank of China). “We are selling excellent, cheap goods and food from Jul. to Aug. 2016. Visit our shops at the People’s Square as soon as possible!” --- sent from a (usually not Spam well-known) mart or grocery. (Ads) “We provide very cheap and legal invoices that can help you quickly make a big fortune. Don’t hesitate, dial us via the phone number: 010-61881234!” --- sent from a (usually not well-known) company. 41

  42. FBS-Radar: 4-fold Design Goals p Detect as many FBSes as possible with very few false positives, without specialized hardware p Automatically filter spam/fraud FBS messages from user devices with a high precision p Provide actionable intelligence about geolocations of FBSes to aid law enforcement agencies p Use minimal resources on client side, minimize collection of sensitive data, and not require root. 42

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

IoT Security IoT: Internet of things Hidden Voice Commands, Usenix Security16 Presented by

IoT Security IoT: Internet of things Hidden Voice Commands, Usenix Security16 Presented by

IoT Security IoT: Internet of things Hidden Voice Commands, Usenix Security16 Presented by Jinli Zhong FBS-Radar: Uncovering Fake Base Stations at Scale in the Wild, NDSS17 Presented by Jie Li Protecting Privacy of BLE

470 views • 34 slides
Self-Optimisation of LTE Home Base Stations Kristina Zetterberg Ericsson AB Renato Nascimento,

Self-Optimisation of LTE Home Base Stations Kristina Zetterberg Ericsson AB Renato Nascimento,

FP7 ICT-SOCRATES Self-Optimisation of LTE Home Base Stations Kristina Zetterberg Ericsson AB Renato Nascimento, Ljupco Jorguseski TNO Neil Scully, John Turk Vodafone Abstract: In LTE an extensive use of home base stations, also referred to

205 views • 16 slides
Uncovering disassortativity in large scale-free networks Nelly Litvak University of Twente,

Uncovering disassortativity in large scale-free networks Nelly Litvak University of Twente,

Uncovering disassortativity in large scale-free networks Nelly Litvak University of Twente, Stochastic Operations Research group Joint work with Remco van der Hofstad Supported by EC FET Open project NADINE Trento, Italy, 23-07-2012 Power

1.29k views • 87 slides
Many-antenna base stations are interesting systems Lin Zhong http://recg.org 2 How we got

Many-antenna base stations are interesting systems Lin Zhong http://recg.org 2 How we got

Many-antenna base stations are interesting systems Lin Zhong http://recg.org 2 How we got started Why many-antenna base station What we have learned What we are doing now 3 How we started Why a mobile system guy got

925 views • 79 slides
Optimal Placemen t of Base Stations in Wireless Indo or T elecomm unication Thom

Optimal Placemen t of Base Stations in Wireless Indo or T elecomm unication Thom

Optimal Placemen t of Base Stations in Wireless Indo or T elecomm unication Thom F r uh wirth LudwigMaximiliansUniv ersit y Munic h frueh wirinformatikunim uenc hende h

502 views • 26 slides
Call Completion Probability in Heterogeneous Networks with Energy Harvesting Base Stations Craig

Call Completion Probability in Heterogeneous Networks with Energy Harvesting Base Stations Craig

Call Completion Probability in Heterogeneous Networks with Energy Harvesting Base Stations Craig Wang, Salman Durrani , Jing Guo and Xiangyun (Sean) Zhou Research School of Engineering, The Australian National University, Canberra, ACT 2601,

677 views • 42 slides
PRAXIS AND PHRONESIS IN FURTHER EDUCATION; UNCOVERING THE Catherine Lloyd SCHOLARSHIP OF FURTHER

PRAXIS AND PHRONESIS IN FURTHER EDUCATION; UNCOVERING THE Catherine Lloyd SCHOLARSHIP OF FURTHER

Samantha Jones PRAXIS AND PHRONESIS IN FURTHER EDUCATION; UNCOVERING THE Catherine Lloyd SCHOLARSHIP OF FURTHER Bedford College EDUCATION LECTURERS. INTRODUCTION Aims to contribute to the This research set out to knowledge base of teaching

327 views • 13 slides
Direct Assimilation of Radar Reflectivity Data using a Convective scale EnKF System Jingyao Luo 1

Direct Assimilation of Radar Reflectivity Data using a Convective scale EnKF System Jingyao Luo 1

Direct Assimilation of Radar Reflectivity Data using a Convective scale EnKF System Jingyao Luo 1 , Hong Li 1 , Ming Xue 2,3 and Youngsun Jung 2 1 Shanghai Typhoon Institute, China 2 Center for Analysis and Prediction of Storms and 3 School of

344 views • 19 slides
Random Walk Inference and Learning in A Large Scale Knowledge Base in A Large Scale Knowledge Base

Random Walk Inference and Learning in A Large Scale Knowledge Base in A Large Scale Knowledge Base

Random Walk Inference and Learning in A Large Scale Knowledge Base in A Large Scale Knowledge Base Ni Lao Tom Mitchell William W Cohen Ni Lao, Tom Mitchell, William W. Cohen Carnegie Mellon University 2011.7.28 EMNLP 2011, Edinburgh, Scotland, UK

379 views • 24 slides
DATAMAN MOBILE COMPUTING LABORATORY VOR Base Stations for Indoor 802.11 Positioning Dragos

DATAMAN MOBILE COMPUTING LABORATORY VOR Base Stations for Indoor 802.11 Positioning Dragos

DATAMAN MOBILE COMPUTING LABORATORY VOR Base Stations for Indoor 802.11 Positioning Dragos Niculescu and Badri Nath { dnicules,badri } @cs.rutgers.edu indoor positioning existing systems require either: extra infrastructure + good

470 views • 25 slides
Assimilation of 3D Radar Data and Derived Objects on the Convective Scale with an Ensemble-based

Assimilation of 3D Radar Data and Derived Objects on the Convective Scale with an Ensemble-based

Assimilation of 3D Radar Data and Derived Objects on the Convective Scale with an Ensemble-based Data Assimilation System 7 th International Symposium on Data Assimilation 24th of January 2019 RIKEN Center for Computational Science, Kobe, Japan

570 views • 20 slides
Retrospective View on 100 years of radar 50 years radar in EuMC 1st European Radar Conference

Retrospective View on 100 years of radar 50 years radar in EuMC 1st European Radar Conference

Retrospective View on 100 years of radar 50 years radar in EuMC 1st European Radar Conference (EuRAD2004) by Prof.Dr. Leo P Ligthart Chairman EuRAD2004 October 2019 Introduction Radar European Microwave Conference (EuMC) started in 1969

534 views • 8 slides
Cognitive multi-mode and multi-standard base stations: architecture and system analysis C. Armani

Cognitive multi-mode and multi-standard base stations: architecture and system analysis C. Armani

Cognitive multi-mode and multi-standard base stations: architecture and system analysis C. Armani Selex Elsag, Italy; claudio.armani@selexelsag.com R. Giuliano University of Rome Tor Vergata, Italy; romeo.giuliano@uniroma2.it F. Mazzenga

424 views • 20 slides
So what is Fake News Fake news is a type of hoax or deliberate spread of misinformation: News

So what is Fake News Fake news is a type of hoax or deliberate spread of misinformation: News

So what is Fake News Fake news is a type of hoax or deliberate spread of misinformation: News Media Social Media with the intent to mislead in order to gain financially or politically . So what is Fake News It employs eye-catching

1.3k views • 55 slides
In the spOOTlight: gr-radar Martin Braun Senior Git Wrangler, Ettus Research, not the author of

In the spOOTlight: gr-radar Martin Braun Senior Git Wrangler, Ettus Research, not the author of

In the spOOTlight: gr-radar Martin Braun Senior Git Wrangler, Ettus Research, not the author of gr-radar FOSDEM 18, SDR Devroom What is Radar? Detect object based on their reflection of EM waves Active Radar sends it own signals,

151 views • 14 slides
AADL : a radar case study Back to radar case study Goal: to model a simple radar system

AADL : a radar case study Back to radar case study Goal: to model a simple radar system

AADL : a radar case study Back to radar case study Goal: to model a simple radar system Let us suppose we have the following requirements System implementation is composed by physical devices (Hardware entity): 1. antenna + processor +

589 views • 10 slides
FBS Presentation Friday 27 th March 2020 Jonah, parody and satire: the Bible in conversation with

FBS Presentation Friday 27 th March 2020 Jonah, parody and satire: the Bible in conversation with

FBS Presentation Friday 27 th March 2020 Jonah, parody and satire: the Bible in conversation with itself Stephen Cook PhD University of Sydney The main problem with scholarship on Jonah is that there is little agreement on what the book is

293 views • 13 slides
FATKING &amp; FOGKING Fats, oil and grease treatment FATKING a highly concentrated blend of

FATKING &amp; FOGKING Fats, oil and grease treatment FATKING a highly concentrated blend of

FATKING &amp; FOGKING Fats, oil and grease treatment FATKING a highly concentrated blend of multiple bacterial spores, specifically selected to function in the grease trap environments FATKING was formulated to breakdown animal fats and

179 views • 13 slides
Overview of Georgia-Pacific Toledos NPDES Permit &amp; Outfall Study City of Newport Technical

Overview of Georgia-Pacific Toledos NPDES Permit &amp; Outfall Study City of Newport Technical

Overview of Georgia-Pacific Toledos NPDES Permit &amp; Outfall Study City of Newport Technical Advisory Task Force Meeting April 13, 2011 Toledo Mill History 1952 Purchased C.D. Johnson Sawmill - Largest Spruce Mill in the World 1957

882 views • 49 slides
McBride plc 2007-08 full year results presentation September 2008 Summary Proven strategy in

McBride plc 2007-08 full year results presentation September 2008 Summary Proven strategy in

McBride plc 2007-08 full year results presentation September 2008 Summary Proven strategy in difficult markets Revenue up 18%, driven by acquisitions and currency Profits impacted by increased input costs partially offset by

274 views • 25 slides
NCAA Initial Eligibility Burlington Central High School September 20, 2017 Overview NCAA

NCAA Initial Eligibility Burlington Central High School September 20, 2017 Overview NCAA

NCAA Initial Eligibility Burlington Central High School September 20, 2017 Overview NCAA Divisions, NAIA, and NJCAA Steps to Achieving Eligibility NCAA Eligibility Center Academics Initial Eligibility Core Courses

899 views • 34 slides
World Sesame Convention Istanbul. August 19-20, 2019 Case for a Global Sesame Alliance G.

World Sesame Convention Istanbul. August 19-20, 2019 Case for a Global Sesame Alliance G.

World Sesame Convention Istanbul. August 19-20, 2019 Case for a Global Sesame Alliance G. Chandrashekhar The Context for Sesame seed World production 4-5 million tons (India, China, Nigeria, Tanzania, Myanmar, and many more . . . .

2.01k views • 8 slides
NSW Commercial Fisheries Reform First meeting of the Ocean Trawl Fishery Share Linkage Working

NSW Commercial Fisheries Reform First meeting of the Ocean Trawl Fishery Share Linkage Working

NSW Commercial Fisheries Reform First meeting of the Ocean Trawl Fishery Share Linkage Working Group NSW Commercial Fishing Industry Reform Program Darren Hale Fisheries NSW June 2013 Fishery information shares &amp; endorsements

311 views • 16 slides
HIGH SCHOOL COACHES DO NOT OFFER AND SECURE SCHOLARSHIPS FOR ATHLETES. HOWEVER, COACHES WILL

HIGH SCHOOL COACHES DO NOT OFFER AND SECURE SCHOLARSHIPS FOR ATHLETES. HOWEVER, COACHES WILL

HIGH SCHOOL COACHES DO NOT OFFER AND SECURE SCHOLARSHIPS FOR ATHLETES. HOWEVER, COACHES WILL ALWAYS HELP IN ANYWAY THEY CAN. THERE ARE ALWAYS EXCEPTIONS TO THE INFORMATION IN THIS POWERPOINT Core Course Requirements NCAA Clearinghouse

852 views • 61 slides

More recommend