Visual Analytics for Enhancing Supervised Attack Attribution in Mobile Networks

Conference paper


Researchers have recently uncovered numerous anomalies that affect 3G/4G networks, caused either by hardware failures, or by Denial of Service (DoS) attacks against core network components. Detection and attribution of these anomalies are of major importance for the mobile operators. In this respect, this paper presents a lightweight application, which aims at analyzing signaling activity in the mobile network. The proposed approach combines the advantages of anomaly detection and visualization, in order to efficiently enable the analyst to detect and to attribute anomalies. Specifically, an outlier-based anomaly detection technique is applied onto hourly statistics of multiple traffic variables, collected from one Home Location Register (HLR). The calculated anomaly scores are afterward visualized utilizing stacked graphs, in order to allow the analyst to have an overview of the signaling activity and detect time windows of significant change in their behavior. Afterward, the analyst can perform root cause analysis of suspicious time periods, utilizing graph representations, which illustrate the high-level topology of the mobile network and the cumulative signaling activity of each network component. Experimental demonstration on synthetically generated anomalies illustrates the efficiency of the proposed approach.


Mobile Network Anomaly Detection Network Component Border Gateway Protocol Visitor Location Register 
These keywords were added by machine and not by the authors. This process is experimental and the keywords may be updated as the learning algorithm improves.


  1. 1.
    G. Kambourakis, C. Kolias, S. Gritzalis, J.H. Park, DoS attacks exploiting signaling in UMTS and IMS. Comput. Commun. 34(3), 226–235 (2011)CrossRefGoogle Scholar
  2. 2.
    P.P.C. Lee, T. Bu, T. Woo, On the detection of signaling DoS attacks on 3G wireless networks, in: INFOCOM 2007. 26th IEEE International Conference on Computer Communications. IEEE, pp. 1289–1297, 2007.Google Scholar
  3. 3.
    P.P.C. Lee, T. Bu, T. Woo, On the detection of signaling DoS attacks on 3G/WiMax wireless networks. Comput. Netw. 53(15), 2601–2616 (2009)CrossRefzbMATHGoogle Scholar
  4. 4.
    A. D’Alconzo, A. Coluccia, F. Ricciato, P. Romirer-Maierhofer, A distribution-based approach to anomaly detection and application to 3G mobile traffic, in: Global Telecommunications Conference, GLOBECOM 2009. IEEE, pp. 1–8, 2009.Google Scholar
  5. 5.
    A. Coluccia, A. DAlconzo, F. Ricciato, Distribution-based anomaly detection in network traffic, in: Data Traffic Monitoring and Analysis, Springer, pp. 202–216, 2013.Google Scholar
  6. 6.
    H. Shiravi, A. Shiravi, A.A. Ghorbani, A survey of visualization systems for network security. IEEE Trans. Vis. Comput. Graph. 1(1), 1–19 (2011)Google Scholar
  7. 7.
    M. Lad, D. Massey, L. Zhang, Visualizing internet routing changes. IEEE Trans. Vis. Comput. Graph. 12(6), 1450–1460 (2006)CrossRefMathSciNetGoogle Scholar
  8. 8.
    L. Shi, Q. Liao, Y. He, R. Li, A. Striegel, Z. Su, SAVE: Sensor anomaly visualization engine, in: IEEE Conference on Visual Analytics Science and Technology (VAST), IEEE, pp. 201–210, 2011.Google Scholar
  9. 9.
    G. Andrienko, N. Andrienko, P. Bak, D. Keim, S. Kisilevich, S. Wrobel, A conceptual framework and taxonomy of techniques for analyzing movement. J. Vis. Lang. Comput. 22(3), 213–232 (2011)CrossRefGoogle Scholar
  10. 10.
    H. Janetzko, F. Stoffel, S. Mittelstädt, D.A. Keim, Anomaly detection for visual analytics of power consumption data. Comput. Graph. 38, 27–37 (2014)CrossRefGoogle Scholar
  11. 11.
    V. Chandola, A. Banerjee, V. Kumar, Anomaly detection: a survey. ACM Comput. Surv. (CSUR) 41(3), 15 (2009)CrossRefGoogle Scholar
  12. 12.
    M.M. Breunig, H.-P. Kriegel, R.T. Ng, J. Sander, LOF: identifying density-based local outliers, in: ACM Sigmod Record, vol. 29, pp. 93–104, ACM, 2000.Google Scholar
  13. 13.
    B. Shneiderman, The eyes have it: a task by data type taxonomy for information visualizations, in: Proceedings of the 1996 IEEE Symposium on Visual Languages, VL ’96, 1996.Google Scholar
  14. 14.
    N. Gobbo, A. Merlo, M. Migliardi, A denial of service attack to GSM networks via attach procedure, in: Security Engineering and Intelligence Informatics, Springer, pp. 361–376, 2013.Google Scholar
  15. 15.
    P. Traynor, M. Lin, M. Ongtang, V. Rao, T. Jaeger, P. McDaniel, T. La Porta, On cellular botnets: measuring the impact of malicious devices on a cellular network core, in: Proceedings of the 16th ACM conference on Computer and communications security, pp. 223–234, ACM, 2009.Google Scholar
  16. 16.
    N. Jiang, Y. Jin, A. Skudlark, Z.-L. Zhang, Understanding sms spam in a large cellular network: characteristics, strategies and defenses, in: Research in Attacks, Intrusions, and Defenses, Springer, pp. 328–347, 2013.Google Scholar
  17. 17.
    T.A. Almeida, J.M.G. Hidalgo, A. Yamakami, Contributions to the study of sms spam filtering: new collection and results, in:textitProceedings of the 11th ACM Symposium on Document Engineering, pp. 259–262, ACM, 2011.Google Scholar
  18. 18.
    3GPP, Study on Core Network Overload (CNO) Solutions, TS 23.843, 3rd Generation Partnership Project (3GPP), 12 2013.Google Scholar
  19. 19.
    S.J. Delany, M. Buckley, D. Greene, Sms spam filtering: methods and data. Expert Syst. Appl. 39(10), 9899–9908 (2012)CrossRefGoogle Scholar

Copyright information

© Springer International Publishing Switzerland 2014

Authors and Affiliations

  1. 1.Imperial College LondonLondonUK
  2. 2.CERTH-ITIThessalonikiGreece

Personalised recommendations