Mobile Network Anomaly Detection and Mitigation: The NEMESYS Approach

  • Omer H. Abdelrahman
  • Erol Gelenbe
  • Gökçe Görbil
  • Boris Oklander
Conference paper
Part of the Lecture Notes in Electrical Engineering book series (LNEE, volume 264)


Mobile malware and mobile network attacks are becoming a significant threat that accompanies the increasing popularity of smart phones and tablets. Thus in this paper we present our research vision that aims to develop a network-based security solution combining analytical modelling, simulation and learning, together with billing and control-plane data, to detect anomalies and attacks, and eliminate or mitigate their effects, as part of the EU FP7 NEMESYS project. These ideas are supplemented with a careful review of the state-of-the-art regarding anomaly detection techniques that mobile network operators may use to protect their infrastructure and secure users against malware.



Copyright information

© Springer International Publishing Switzerland 2013

Authors and Affiliations

  • Omer H. Abdelrahman (1)
  • Erol Gelenbe (1)
  • Gökçe Görbil (1)
  • Boris Oklander (1)
  1. Department of Electrical and Electronic Engineering, Imperial College, London, UK
