SMS-Watchdog: Profiling Social Behaviors of SMS Users for Anomaly Detection

  • Guanhua Yan
  • Stephan Eidenbenz
  • Emanuele Galli
Part of the Lecture Notes in Computer Science book series (LNCS, volume 5758)


With more than one trillion mobile messages delivered worldwide every year, SMS has been a lucrative playground for various attacks and frauds such as spamming, phishing and spoofing. These SMS-based attacks pose serious security threats to both mobile users and cellular network operators, such as information stealing, overcharging, battery exhaustion, and network congestion. Against the backdrop that approaches to protecting SMS security are lagging behind, we propose a lightweight scheme called SMS-Watchdog that can detect anomalous SMS behaviors with high accuracy. Our key contributions are summarized as follows: (1) After analyzing an SMS trace collected within a five-month period, we conclude that for the majority of SMS users, there are window-based regularities regarding whom she sends messages to and how frequently she sends messages to each recipient. (2) With these regularities, we accordingly propose four detection schemes that build normal social behavior profiles for each SMS user and then use them to detect SMS anomalies in an online and streaming fashion. Each of these schemes stores only a few states (typically, at most 12 states) in memory for each SMS user, thereby imposing very low overhead for online anomaly detection. (3) We evaluate these four schemes and also two hybrid approaches with realistic SMS traces. The results show that the hybrid approaches can detect more than 92% of SMS-based attacks with false alarm rate 8.5%, or about two thirds of the attacks without any false alarm, depending on their parameter settings.


SMS anomaly detection relative entropy JS-divergence 


Unable to display preview. Download preview PDF.

Unable to display preview. Download preview PDF.


  1. 1.
    Bose, A., Hu, X., Shin, K.G., Park, T.: Behavioral detection of malware on mobile handsets. In: Proceedings of MobiSys 2008 (2008)Google Scholar
  2. 2.
    Chandola, V., Banerjee, A., Kumar, V.: Anomaly detection: A survey. ACM Computing Survey (September 2009) (to appear)Google Scholar
  3. 3.
    Cover, T., Thomas, J.: Elements of Information Theory. John Wiley, Chichester (1991)CrossRefzbMATHGoogle Scholar
  4. 4.
  5. 5.
    Davis, A.B., Goyal, S.K.: Knowledge-based management of cellular clone fraud. In: Proceedings of IEEE PIMRC 1992, Boston, MA, USA (1992)Google Scholar
  6. 6.
    Enck, W., Traynor, P., McDaniel, P., Porta, T.L.: Exploiting open functionality in SMS-capable cellular networks. In: Proceedings of CCS 2005 (2005)Google Scholar
  7. 7.
    Fawcett, T., Provost, F.: Activity monitoring: noticing interesting changes in behavior. In: Proceedings of ACM KDD 1999 (1999)Google Scholar
  8. 8.
    Hu, G., Venugopal, D.: A malware signature extraction and detection method applied to mobile networks. In: Proceedings of IPCCC 2007 (April 2007)Google Scholar
  9. 9.
    Kim, H., Smith, J., Shin, K.G.: Detecting energy-greedy anomalies and mobile malware variants. In: Proceedings of MobiSys (2008)Google Scholar
  10. 10.
    Lee, L.: Measures of distributional similarity. In: Proceedings of the 37th Annual Meeting of the ACL (1999)Google Scholar
  11. 11.
    Lee, W., Xiang, D.: Information-theoretic measures for anomaly detection. In: Proceedings of IEEE S&P (2001)Google Scholar
  12. 12.
    Lin, Y., Chlamtac, I.: Wireless and Mobile Network Architectures. John Wiley & Sons, Inc., Chichester (2001)Google Scholar
  13. 13.
    Meng, X., Zerfos, P., Samanta, V., Wong, S.H.Y., Lu, S.: Analysis of the reliability of a nationwide short message service. In: Proceedings of INFOCOM 2007 (2007)Google Scholar
  14. 14.
    Noble, C.C., Cook, D.J.: Graph-based anomaly detection. In: KDD 2003: Proceedings of the ninth ACM SIGKDD international conference on Knowledge discovery and data mining (2003)Google Scholar
  15. 15.
  16. 16.
  17. 17.
  18. 18.
  19. 19.
  20. 20.
    Stolfo, S.J., Hershkop, S., Hu, C., Li, W., Nimeskern, O., Wang, K.: Behavior-based modeling and its application to email analysis. ACM Transactions on Internet Technology 6(2), 187–221 (2006)CrossRefGoogle Scholar
  21. 21.
    Sun, B., Yu, F., Wu, K., Xiao, Y., Leung, V.C.M.: Enhancing security using mobility-based anomaly detection in cellular mobile networks. IEEE Trans. on Vehicular Technology 55(3) (2006)Google Scholar
  22. 22.
  23. 23.
    Taniguchi, M., Haft, M., Hollmn, J., Tresp, V.: Fraud detection in communications networks using neural and probabilistic methods. In: Proceedings of the 1998 IEEE International Conference in Acoustics, Speech and Signal Processing (1998)Google Scholar
  24. 24.
    Traynor, P., Enck, W., McDaniel, P., Porta, T.L.: Mitigating attacks on open functionality in SMS-capable cellular networks. In: Proceedings of MobiCom 2006 (2006)Google Scholar
  25. 25.
    Yan, G., Eidenbenz, S., Sun, B.: Mobi-watchdog: you can steal, but you can’t run! In: Proceedings of ACM WiSec 2009, Zurich, Switzerland (2009)Google Scholar
  26. 26.
    Yan, G., Xiao, Z., Eidenbenz, S.: Catching instant messaging worms with change-point detection techniques. In: LEET 2008: Proceedings of the 1st Usenix Workshop on Large-Scale Exploits and Emergent Threats, Berkeley, CA, USA (2008)Google Scholar
  27. 27.
    Zerfos, P., Meng, X., Samanta, V., Wong, S.H.Y., Lu, S.: A study of the short message service of a nationwide cellular carrier. In: Proceedings of IMC 2006 (2006)Google Scholar

Copyright information

© Springer-Verlag Berlin Heidelberg 2009

Authors and Affiliations

  • Guanhua Yan
    • 1
  • Stephan Eidenbenz
    • 1
  • Emanuele Galli
    • 1
  1. 1.Information Sciences (CCS-3)Los Alamos National LaboratoryUSA

Personalised recommendations