Handbook of Wireless Networks and Mobile Computing, Edited by Ivan Stojmenović
Copyright © 2002 John Wiley & Sons, Inc.
ISBNs: 0-471-41902-8 (Paper); 0-471-22456-1 (Electronic)

CHAPTER 14
Security and Fraud Detection in Mobile and Wireless Networks
AZZEDINE BOUKERCHE
Department of Computer Sciences, University of North Texas

14.1 INTRODUCTION

The fusion of computer and telecommunication technologies has heralded the age of information superhighway over wireline and wireless networks. Mobile cellular communication systems and wireless networking technologies are growing at an ever-faster rate, and this is likely to continue in the foreseeable future. Wireless technology is presently being used to link portable computer equipment to corporate distributed computing and other sources of necessary information. Wide-area cellular systems and wireless LANs promise to make integrated networks a reality and provide fully distributed and ubiquitous mobile communications, thus bringing an end to the tyranny of geography. Higher reliability, better coverage and services, higher capacity, mobility management, power and complexity for channel acquisition, handover decisions, security management, and wireless multimedia are all parts of the potpourri.

Further increases in network security are necessary before the promise of mobile telecommunication can be fulfilled. Safety and security management against fraud, intrusions, and cloned mobile phones, just to mention a few, will be one of the major issues in the next wireless and mobile generations. A “safe” system provides protection against errors of trusted users, whereas a “secure” system protects against errors introduced by impostors and untrusted users [1]. Therefore, rather than ignoring the security concerns of potential users, merchants and telecommunication companies need to acknowledge these concerns and deal with them in a straightforward manner. Indeed, in order to convince the public to use mobile and wireless technology in
the next and future generations of wireless systems, telecom companies and all organizations will need to explain how they have addressed the security of their mobile/wireless systems. Manufacturers, M-business, service providers, and entrepreneurs who can visualize this monumental change and effectively leverage their experiences on both wireless and Internet will stand to benefit from it.

Concerns about network security in general (mobile and wired) are growing, and so is research to match these growing concerns. Indeed, since the seminal work by D. Denning [9] in 1981, many intrusion-detection prototypes, for instance, have been created. Intrusion-detection systems aim at detecting attacks against computer systems and wired networks, or against information systems in general. However, intrusion detection in mobile telecommunication networks has received very little attention. It is our belief that this issue will play a major role in future generations of wireless systems. Several telecom carriers are already complaining about the loss due to impostors and malicious intruders.

In this chapter, we will identify and describe several aspects of wireless and mobile network security. We will discuss the intrusion detection systems in wired and wireless networks and identify the new challenges and opportunities posed by the ad hoc network, a new wireless paradigm for mobile hosts. Unlike traditional mobile wireless networks, ad hoc networks do not rely on any fixed infrastructure. Instead, they rely on each other to keep the network connected. Next, we will examine the authentication problem of mobile users. Finally, we discuss the problems of cloning and fraud detection in mobile phone operations.

14.2 NETWORK SECURITY PROBLEMS

Security is an essential part of wired and wireless network communications. Interestingly enough, these systems are designed to provide open access across vast networked environments. Today’s
technologies are usually network-operation-intrusive, i.e., they often limit the connectivity and inhibit easier access to data and services. With the increasing popularity of wireless networks, the security issue for mobile users could be even more serious than we expect. The traditional analogue cellular phones are very insecure. The 32-bit serial number, the 34-bit phone number, and the conversation in a cell can be scanned easily by an all-band receiver. The widely used advanced mobile phone system (AMPS) is an analogue phone system. Therefore, sending a password or a host name through this system can be a serious security issue.

Other security issues in wireless networks that have been studied extensively are anonymity and location privacy in mobile networks; these have received a great deal of interest recently [23]. A typical situation is one in which a mobile user registered in a certain home domain requests services while visiting a foreign domain. Concerned about security and privacy, the user would prefer to remain anonymous with respect to the foreign domain. That is, only the home domain authority should be informed as to the mobile user’s real identity, itinerary, whereabouts, etc.

Another important issue, namely cloning phones, raises a number of concerns to many telecom carriers. Indeed, many telecommunication companies are losing money due to the use of clones or genuine mobile phones by impostors. One might argue that although it is rather easy to clone an AMPS phone, it is much trickier to clone a D-AMPS, a GSM, or an IS-95 phone. However, the security issue remains, and needs to be resolved in the next wireless network generation. Consequently, there has been a great deal of interest recently in designing mobile phones using new technologies, such as Boot Block flash technology used by Intel Corporation, that will make it much more difficult to clone cellular phones. However, to the best of our knowledge there is very little work being done at the software
level. To combat cloning, cellular operators analyze usage to check for unusual patterns. Most obviously, they know that a genuine phone cannot be in two places at once. If a phone is making more than one call at a time, it has definitely been cloned. Furthermore, to verify if a call is out of the client patterns, current software (i) does not have an efficient automatic process to warn clients about the impostors using their mobile phones; in most of these systems, human staff are used to do that (only lists of large bills are reviewed to identify cloned phones); (ii) has no efficient ways to control/identify impostors; and (iii) uses an “experimental satisfaction” to prove the correctness of the security framework. Some systems provide the billing process via the Web. However, the identification of a cloned phone is done only at the end of the month. This, unfortunately, is not quite efficient and may lead to a big loss of revenue for the carrier.

The wireless Web opens up many new business opportunities, the most important of which use location-based technology. Ever since the mobile Internet was first suggested, antivirus companies have warned that viruses could attack cellular phones and PDAs. Timofonica was among the first viruses that attacked cell phones. Timofonica was an ordinary virus programmed to send abusive messages to random users of Spanish Telefonica mobile systems. Viruses are a threat to any computing platform and may be a threat to wireless terminals that include processing and memory akin to those of modern computers.

14.3 NETWORK SECURITY MANAGEMENT PLAN

An adequate security system management policy has long been an important issue. A comprehensive network security plan must also consider losses of privacy when we define authentication and authorization as well as losses of performance when we define key management and security protocols. Therefore, a security plan must encompass all of the elements that make up the
wireless and/or wired network, and provide important services such as:

Access control, i.e., authorization by capability list, wrappers, and firewalls (access control matrix)
Confidentiality, i.e., we must ensure that information and transmitted messages are accessible only for reading by authorized parties
Authentication, i.e., the receiver must be able to confirm that the message is indeed from the right sender
Nonrepudiation, i.e., the sender cannot deny that the message was indeed sent by him/her
Integrity, i.e., the message has not been modified in transit
Availability, i.e., making sure that the system is available to authorized parties when needed
Security administration, i.e., checking audit trails, encryption and password management, maintenance of security equipment and services, and informing users of their responsibilities

14.4 INTRUSION DETECTION SYSTEMS (IDS)

Intrusion is most probably one of the key issues that wireless and mobile systems will have to deal with. The nature of wireless ad hoc networks makes them very vulnerable to an adversary’s malicious attacks. Generally speaking, an intrusion can be defined as an act of a person or proxy attempting to break into or misuse your system in violation of an established policy. Very little research work dealing with the intrusion problem has been done for wireless networks. In this section, we shall describe the intrusion problem in general. We hope that researchers will pick up what has been done in related areas, and find efficient approaches on how to deal with this problem in an ad hoc network environment.

14.4.1 Current IDS Techniques

Generally speaking, intrusion can be classified as: (i) misuse intrusions, i.e., well-defined attacks against known system vulnerabilities; and (ii) anomaly intrusions, i.e., activities based on deviation from normal system usage patterns. Intrusion detection systems (IDS) are one of the latest security tools
in the battle against these attacks. As is well known, it is very difficult to determine exactly which activities provide the best indicators for the established (normal) usage patterns. Thus, researchers have turned to using expert systems or knowledge-based intrusion detection to search for activities known to be indicative of possible intrusive behavior [16]. The motivation behind this approach is to seek a proper behavior as opposed to a normal one. Knowledge-based intrusion detection schemes apply the knowledge they have accumulated about specific attacks and system vulnerabilities. Using this knowledge database, any action that is not explicitly recognized as an attack is considered acceptable. Otherwise, an alarm is triggered by the system.

There are many different intrusion systems available in the marketplace. Expert systems are based on knowledge-based intrusion detection techniques. Each attack is identified by a set of rules. Rule-based languages [13] are used for modeling the knowledge that experts have accumulated about attacks/frauds. Information regarding some intruders has also been added to these systems. A major drawback of knowledge-based intrusion systems is the difficulty of gathering the information on the known attacks (which should be updated regularly) and developing a comprehensive set of rules that can be used to identify intrusive behaviors.

Some systems use a combination of several approaches to cover both the normal and proper behavior schemes [17]. We refer to them as behavior-based intrusion detection. Their basic characteristic is that any action that does not match with a previously learned behavior triggers an alarm. The action is considered as intrusive. The main advantages of these systems are that they can exploit new and unforeseen attacks, and contribute to automatically discovering new attacks. However, their high false alarm rate is generally cited as a main drawback of these systems, due basically to the accuracy of the behavior
information accumulated during the learning process.

14.5 SECURING DATA TRANSFER IN DIGITAL MOBILE SYSTEMS

All digital mobile systems provide security through some kind of encryption. Data can be encrypted in many ways, but algorithms used for secure data transfer fall into two categories: symmetric and asymmetric. Both rely on performing mathematical operations using a secret number known as a key. The difficulty with symmetric algorithms is that both parties need to have a copy of the key. On the other hand, asymmetric techniques use two separate keys for encryption and decryption. Usually, the encryption key can be publicly distributed, whereas the decryption key is held securely by the recipient.

The most widely used symmetric algorithm is DES (data encryption standard), developed by IBM in 1977. It uses a 56-bit key, which seemed unbreakable at that time. In 1997, a group of Internet users managed to read a DES-coded message. Most organizations now use triple-DES, which uses 112 bits. The basic idea is that larger keys mean more possible permutations, and so better encryption. GSM encrypts all data between the phone and the base station using a code called A5 (the A stands for algorithm). The details of the code are kept secret to make it harder to crack. Unfortunately, details have been leaked out over the years and have been posted on hackers’ web sites. Thus, we believe there is still much work to be done in the cloning mobile phone area.

Several different asymmetric algorithms have been developed, each using a different type of “one-way” mathematical function. Rivest et al. [32] proposed an efficient algorithm, which they refer to as RSA, that relies on the fact that factorization is more difficult than multiplication. Indeed, multiplying two prime numbers together is easy for a computer, but recovering those two numbers from the product is not. The main drawback of asymmetric schemes is that they use a lot of CPU, and so cannot be
used to encrypt an entire message through a mobile phone. Instead, A5 encrypts the message itself using a symmetric algorithm, with a key randomly generated by the network and sent to the handset using an asymmetric algorithm.

14.6 SECURING WIRELESS AD HOC NETWORKS

Many WLANs in use today need an infrastructure network. Infrastructure networks not only provide access to other networks, but also include forwarding functions, medium access control, etc. In these infrastructure-based wireless networks, communication typically takes place only between the wireless nodes and the access point, but not directly between the wireless nodes. Ad hoc wireless networks, however, do not need any infrastructure to work. Each node can communicate with another node; no access point controlling medium access is necessary. Mobile nodes within each other’s radio range communicate directly via wireless links, whereas those that are far apart rely on other nodes to relay messages as routers. Node mobility in an ad hoc network causes frequent changes of the network topology.

Since an ad hoc network can be deployed rapidly at relatively low cost, it becomes an attractive option for commercial uses such as sensor networks or virtual classrooms. However, before an ad hoc network becomes a commodity, several security issues must first be resolved. On one hand, the security-sensitive applications of ad hoc networks require a high degree of security; on the other hand, ad hoc networks are inherently vulnerable to security attacks. Therefore, security mechanisms are indispensable for ad hoc networks.

As in any wireless or wired network, traffic across an ad hoc network can be highly vulnerable to security threats. Thus, to secure an ad hoc network, one should consider not only the attributes described in Section 14.3, i.e., availability, confidentiality, integrity, authentication, and nonrepudiation, but also new types of threats that are extended even to the basic structure of the networks. The salient characteristics of ad hoc networks pose both challenges and opportunities in achieving these security goals. Since ad hoc networks use wireless links, they are susceptible to link attacks ranging from passive eavesdropping to active impersonation, message replay, and message distortion. Active attacks might allow the adversary to delete messages, inject erroneous messages, modify messages, and impersonate a node, thereby violating availability, integrity, authentication, and nonrepudiation.

14.6.1 Intrusion Detection in Wireless Ad Hoc Networks

Most of the IDS systems developed for wired networks described in the previous section cannot be applied to wireless networks. This is mainly due to the fact that today’s network-based IDSs, which rely on real-time traffic analysis, can no longer function in the wireless and mobile environments such as wireless ad hoc networks. When compared with wired networks, in which traffic monitoring is usually done at switches, routers, and gateways, a wireless ad hoc network does not have traffic concentration points at which IDS can collect audit data for the entire network. Recall that in a wireless ad hoc network, each node can communicate with another node, and no access point controlling medium access is necessary. Mobile nodes within each other’s radio range communicate directly via wireless links, whereas those that are far apart rely on other nodes to relay messages as routers.

Recently, Zhang and Lee [31] examined the vulnerability of a wireless ad hoc network. They described an intrusion detection and response mechanism. In their approach, each node is responsible for detecting signs of intrusion locally and independently, but neighboring nodes can collaboratively investigate in a broader range. Individual IDS agents are placed on each and every node. Each IDS agent runs independently and monitors local activities such as user/system activities, communication activities, etc. These IDS agents
collectively form the IDS system to protect the wireless ad hoc network against malicious attacks. If an IDS agent detects an intrusion from local data, neighboring IDS agents will collaborate in the global intrusion detection actions. Intrusion detection responses are provided by both the local response initiated by the IDS agent, and global response modules. The type of intrusion response depends on the type of network protocols and applications, and confidence (or certainty) in evidence. For example, the IDS agent can send a “reauthentication” request to all nodes in the network to prompt the end users to authenticate themselves (and hence their wireless nodes), using out-of-bound mechanisms (e.g., visual contacts). Only the reauthenticated nodes may collectively negotiate new communication channels, which in turn recognize each other as legitimate. Thus, the compromised and/or malicious nodes can be excluded. Last but not least, the authors use a secure communication module in their IDS system and provide a high-confidence communication channel among IDS agents. However, this work is still at an early stage, and no experimental data were provided to study the effectiveness of their scheme.

14.6.2 Securing Routing Protocol in Wireless Ad Hoc Networks

Security for any routing protocol [24, 29] is a very difficult problem to deal with. One can take advantage of the redundancies in the network topology, i.e., multiple routes between nodes, to achieve availability. The security of routing protocols is closely tied to the proper distribution of some keys that allow the creation of unforgeable credentials. Thus, designing secure key distribution in ad hoc networks is a challenging problem. Diffie–Hellman key exchange may indeed help to establish some temporary security between particular endpoints. However, it is also vulnerable to man-in-the-middle attacks that are hard to defeat in an ad hoc network.

Recently, Zhang and Lee [31]
defined trace data to describe, for each node, the normal (i.e., legitimate) updates of routing information. Since a legitimate change in the route table can basically be caused by the physical movement(s) of node(s) or network membership changes, and each mobile node should use only reliable information that it can trust, the authors have decided to use data on a node’s physical movements and the corresponding change in its routing table as the basis of the trace data. A normal profile on the trace data in effect specifies the correlation of physical movements of the nodes and the changes in the routing table. A classification algorithm is used to compute the classifier and to describe the changes measured by the percentage of changed routes and the percentage of changes in the sum of hops of all routes. A detection model that uses deviation scores distinguishes abnormal from normal updating of the routing table. Unfortunately, no experimental data was provided to study the performance and effectiveness of their scheme.

Public key protocols and symmetric key methods are also devilishly difficult, and without an infrastructure it is very hard to conceive of the use of certificate-based protocols. Multicast data distribution in ad hoc networks poses new types of security problems. Indeed, one should not forget that there will always be many different trust relationships that are hard to maintain between neighbors in a large community. Quality of service (QoS) control could be used to provide a reasonable solution to the multicast data distribution in ad hoc networks.

14.7 AUTHENTICATION OF MOBILE USERS

Some wireless communications systems protocols such as GSM [27, 28] and IS-41 [18, 22] use the secret key crypto-system for authentication. Although the authentication of these systems is only unilateral, and the user’s identity and location are not anonymous, the protocols [13, 20] provide more security functions, such as identity, confidentiality, and mutual authentication. The
drawback of the above schemes is that they all need a third party, i.e., a third trusted server such as the home location register (HLR) and old visitor location register (VLR). Although HLR creates a record that contains the mobile station’s (MS) directory number, profile information, current location, and validation period, etc., whenever the MS subscribes to the service of a mobile system, VLR records the temporal information for the MS when it visits a mobile system other than the home system. HLR acts as the CA; VLR is responsible for authenticating the MS.

Several public key and secret key hybrid schemes have also been proposed in the literature. Brown [7] proposes a hybrid technique to provide privacy and authentication in personal communication systems. Other authors [10] present a protocol based on the Diffie–Hellman scheme to generate a session key, and a mechanism to detect a cloned phone.

Several certificate-based protocols have been proposed for wireless authentication, where the traffic between VLR and HLR is minimized [2, 15, 21]. The basic idea behind these protocols is that when roaming across a domain becomes more frequent, the frequency of long-distance signaling across domains is dramatically reduced. The drawback of these schemes is that incorrect use of certificates in protocols may result in security flaws. For instance, it might be easy to clone a user if its certificate is used as secret information. To remedy these drawbacks, other authors [30] propose an authentication procedure consisting of two protocols: a certificate-based authentication (CBA) protocol and a ticket-based authentication (TBA) protocol. Only two parties—mobile station (MS) and visitor location register (VLR)—are involved in executing their scheme. The CBA protocol is used in registration, handover, and when the ticket is invalid. The certificate contains the user public key and other information and signature
information provided by the CA (certificate authority). The ticket is a message authentication code (MAC) {TID, Date, L, (TID, Date, L)KVLR}, where KVLR is the secret code key of VLR, TID is the temporary identity for MS, Date is the issue date of the ticket, and L is the lifetime of the ticket. Only the user owning the secret key can make a ticket and verify its validity. VLR will save the secret key K, and ( )K indicates a secret key crypto-system.

In the authentication suite of protocols [30], HLR issues the certificates CertVLR and CertMS to VLR and MS; MS stores the following data: CertMS, CertHLR, and KRMS. VLR saves the following data: CertVLR, CertHLR, KRVLR, and KRHLR; where CertX represents the certificate of entity X, and KRX represents a private key of entity X. Let R1 and R2 denote two random numbers. Let KUX be a public key of entity X, K0 the old session key, and TID a temporary identity. The basic idea of the CBA protocol (shown in Figure 14.1) is the exchange of three types of messages, which are described as follows:

[Figure 14.1 CBA and TBA protocols: message exchanges between MS and VLR for the CBA protocol and the TBA protocol.]

Cert_Auth_Ask: CertVLR, R1
Cert_Auth_Resp: (Ks)KUVLR, [CertMS||(R2||R1)KRMS]Ks
Cert_Auth_Ack: (Ks)KUVLR, [Ticket||(R1||R2)KRVLR]Ks

where the session key is R1 R2. If the MS stays at the same cell and requests the service several times, we use the TBA protocol. The TBA protocol uses the ticket in the authentication procedure and is described as follows:

Ticket_Auth_Com: TID, (Ticket||R1)K0
Ticket_Auth_Result: (R2||R1)K0

where the session key is R1 R2. If the ticket is out of date, the MS runs the CBA protocol to get the current ticket. The TBA protocol uses a symmetric crypto-system in authenticating the MS. Therefore, the computational cost is lower and the efficiency is higher than that of the CBA protocol. Since the CBA/TBA suite
of protocols does not need a trusted party, entities in these protocols store more information. Nevertheless, Tzeng and Tzeng [30] have proven that the message complexity exchanged between entities in the CBA/TBA protocols is less than that of previous UMTS schemes. Last but not least, an authentication architecture for ad hoc networks has been proposed by Jacob and Corsen [14]. Their scheme presents the formats of all messages together with protocols that are supposed to achieve authentication.

14.8 SUBSCRIPTION AND FRAUD DETECTION IN MOBILE PHONE SYSTEMS

With the increasing popularity of wireless networks, the security issue for mobile users could be even more serious than we expect [5, 12]. Before the mobile phones became widely popular, the greatest threat to the network security in most organizations was dial-up lines. While dial-up lines still merit attention, the risks they pose are minor when compared to wireless and mobile connections. To break the system, one need only buy a piece of portable radio equipment, such as a scanner, to program a cloned mobile to debit calls from a genuine mobile phone, and register the frequencies at which mobile phones operate in surrounding areas. Then the person committing the fraud may, for example, park his car in a shopping mall, jot down various frequencies, transfer the data to clones, and then pass them to whomever may be interested in these cloned mobiles.

Mobile phones will change many aspects of our lives, but not until potential users become convinced of the security of the mobile networks.

This author and others [4, 26] have presented a distributed security system supported by CORBA that uses on-line telecommunication databases (i.e., CallsFile), as well as database files (i.e., Baseline) created during the training process of the system for the classification of the clients. It uses neural network/pattern recognition techniques. CORBA and Web/Java security components
were added to further secure the system. LOTOS formal specification and validation techniques were embedded in the system to prove its correctness and validate it.

The basic framework consists of three main components. The first part protects the security system against cellular cloning (SSCC). The second part uses the security of the Internet and the Web (SETWeb). Finally, the third component, SIPI, protects the system from future impostors that might try to use the mobile phones improperly.

SSCC can be viewed as a black box that interacts with the users via mail or phone, which we refer to as gate-mail, and gate-phone, respectively. The first gate is used by the SSCC to send alarms of possible frauds to the users by “surface” mail, and the second gate allows the SSCC to use mobile phones to send the same alarms. The main purpose of sending alarms by phone is for an immediate notification of possible fraud. Although the “surface” mail is more secure, it is still slower than the notification by phone.

The most abstract specification of the SSCC system corresponds to a formalization of the user requirements of this system, and it might be used as a basis for future refinements of the project. Furthermore, using this requirement specification, it will be possible to prove—formally—that it is equivalent to the future final and complete specification. In order to validate the SSCC system, we make use of the CADP tool (Caesar Aldebaran Development Package) [11] available in the Eucalyptus toolbox. The procedure used to obtain the correction proofs between refinements generates the following two automata: SSCC.AUT and SSCC_DET.AUT. These two automata aim at proving the correctness of the system in conformation with ISO 8807 [6] and US DoD ClassA1.

SETWeb, a system phone bill on line via the Web, has been developed to allow clients to consult their phone bill online at any time. The client can then observe if a call from a clone just arrived in his bill, thus avoiding losses. Our system
ensures the security and the privacy of the client when he or she tries to access his/her file [19]. In what follows, we will present the security policy scheme to ensure the security of the carrier site and protect the privacy of the client. Several issues must be maintained, such as access controlling, logging, confidentiality, authentication, and administration of the systems resources, just to mention a few. In their design, Notare et al. [26] used all these services to implement the Java security API with the overall goal of protecting the user’s information from eavesdropping and tampering. To avoid spoofing attacks and ensure that the user is accessing the right phone carrier site, we made use of digital certificates on the server side.

In this system, the tool “policytool” creates and manages a text file that stores security policy definitions, known as “mypolicy.” Those definitions can give special privileges to users having some form of authentication, such as a digital signature. Many security policies can be defined for an environment and its many resources.

14.8.1 SIPI—System to Identify Probable Impostors

The SIPI system has been designed to identify “probable” impostors using cloned phones. Boukerche et al.’s [5, 10, 33] approach to identifying fraudulent calls is to classify the mobile phone users into a set of groups according to their log files [10]. They assume that all relevant characteristics that identify the users will be stored in these files; i.e., where, at what time, and from where the calls were made, etc. Classifying the users into groups will help our system to easily identify if a specific call does not correspond to a mobile phone owner. There are several types of impostors our SIPI system can identify: (i) those who had changed the mobile phone’s owner call patterns; (ii) those who bought a mobile phone only for one month (already convinced not to pay); and (iii) those who
bought mobile phones using other names. Thus, when the call made using the genuine/cloned phone is terminated, the system will check to see if the characteristics of the call are within the client patterns saved in the file. A warning message could be sent to the client if a fraud was detected. This immediate notification, instead of waiting until the end of the monthly bill cycle, will help to reduce losses to the carrier and to the owner of the mobile phone that has been cloned.

To identify these types of impostors as soon as possible instead of at the end of the month, avoiding more losses for the carrier, we propose the use of a radial basis function (RBF) network in its more basic form [25] to partition the users into classes and create the log files that we refer to as baseline files. The architecture of the RBF network consists of an entry layer, a hidden layer, and an output layer. The nodes of the output layer form a linear combination of the radial basis function using the kernel classifier. The RBF function in the hidden layer produces a response for the stimulus of input (pattern). When the input (pattern) is within a small region located in the input space, the RBF function produces a response significantly different from zero. The input is made from the source nodes, i.e., sensorial units. Each activation function requires a center and a scalable parameter. A Gauss function can be used as activator. In this case, the neural network can be used to make decisions of maximum likelihood, i.e., determining which one of the various centers is more likely to be similar to the input vector. Given X – C as an input vector, the output of a simple node could be defined as follows:

$$F(X - C) = \frac{1}{(2\pi)^{n/2}\, s_1 s_2 \cdots s_n} \exp\left[-\frac{1}{2}\sum_{j=1}^{n}\left(\frac{x_j - c_j}{s_j}\right)^{2}\right]$$

where n is the number of input data and $s_1, s_2, \ldots, s_n$, j = [1, n], determine the scalar dispersion in each direction. To increase the functionality of the function f, we propose to use the Mahalanobis distance in the Gaussian function.
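As an added illustration (not code from the chapter or from the SIPI system), the Gaussian node output with per-dimension dispersions defined above can be evaluated per user class, used for the maximum-likelihood decision, and applied to the end-of-call check against the client's stored pattern. The features (start hour, duration, distance), class names, sample calls and the `max_z` threshold are assumptions constructed for the example; centers and dispersions are taken here as per-feature mean and standard deviation.

```python
import math
from statistics import mean, pstdev

# Constructed training calls per user class: (start hour, duration min, distance km).
BASELINE = {
    "few_local": [(9, 2.0, 3), (10, 1.5, 5), (12, 3.0, 4), (14, 2.5, 6), (11, 2.0, 2)],
    "many_long_distance": [(19, 12.0, 400), (20, 15.0, 450), (21, 10.0, 380),
                           (18, 14.0, 420), (20, 11.0, 410)],
}


def fit_node(samples, min_s=1e-3):
    """One hidden node per class: center c_j = mean, dispersion s_j = std deviation.
    min_s keeps a constant feature from producing a zero dispersion."""
    cols = list(zip(*samples))
    c = [mean(col) for col in cols]
    s = [max(pstdev(col), min_s) for col in cols]
    return c, s


def log_activation(x, c, s):
    """log F(X - C) for the Gaussian node; the log form avoids underflow
    when a call lies far from the center."""
    n = len(x)
    log_norm = -(n / 2) * math.log(2 * math.pi) - sum(math.log(sj) for sj in s)
    quad = sum(((xj - cj) / sj) ** 2 for xj, cj, sj in zip(x, c, s))
    return log_norm - 0.5 * quad


def activation(x, c, s):
    """F(X - C) itself, as written in the formula above."""
    return math.exp(log_activation(x, c, s))


def build_baseline(training):
    """Baseline file stand-in: class label -> (center, dispersion)."""
    return {label: fit_node(samples) for label, samples in training.items()}


def classify(call, nodes):
    """Maximum-likelihood decision: which center most plausibly produced the call."""
    scores = {label: log_activation(call, c, s) for label, (c, s) in nodes.items()}
    return max(scores, key=scores.get), scores


def check_call(call, client_class, nodes, max_z=3.0):
    """Run when a call terminates: flag it if it falls outside the client's pattern.
    max_z (assumed threshold) is the tolerated deviation per feature in units of s_j;
    the cut-off is the activation of a call max_z dispersions away in every feature."""
    c, s = nodes[client_class]
    floor = log_activation([cj + max_z * sj for cj, sj in zip(c, s)], c, s)
    closest, scores = classify(call, nodes)
    return {
        "suspicious": scores[client_class] < floor,
        "closest_class": closest,
        "score": scores[client_class],
    }


if __name__ == "__main__":
    nodes = build_baseline(BASELINE)
    for call in [(11, 2.0, 4), (20, 13.0, 410)]:
        print(call, check_call(call, "few_local", nodes))
```

A flagged call whose closest class differs from the client's own is the case the text describes as a call that does not correspond to the phone's owner.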
This type of function is also known as the radial basis function (RBF), and it is defined as follows:

$$F(X - C) = \frac{1}{(2\pi)^{n/2}\,|K|^{1/2}} \exp\left[-\frac{1}{2}(X - C)^{T} K^{-1} (X - C)\right]$$

where $K^{-1}$ is the inverse of the X covariance matrix, associated with the node of the hidden C layer. Given n vectors (input data) of p samples, representing p classes, the network may be initiated with the knowledge of the centers (i.e., locations of the samples). If the j-th vector sample is represented, then the weight matrix C can be defined as $C = [c_1, c_2, \cdots, c_3]^T$, so that the weights in the hidden layer of the j-th node are composed of the “center” vector. The output layer is a weighted sum of the outputs of the hidden layer. When presenting an input vector for the network, the network implements Y as follows:

$$Y = W \cdot f(\|X - C\|)$$

where f represents the functional output vector of the hidden layer, and C represents the corresponding center vector. After supplying some data with the desired results, the weights matrix W can be determined using the least mean square (LMS) training algorithm [25], iteratively and noniteratively using the gradient descent and pseudoinverse techniques, respectively.

Learning in the intermediate (hidden) layer uses either a nonsupervised method, such as a cluster or heuristic cluster algorithm, or a supervised method to find the centers, i.e., the C nodes in the hidden layer that represent the connections between the input layer and the intermediate layer. The Lloyd (or K-means) algorithm is the most common technique employed to determine these centers [25]. To determine σ², the variation parameter for the Gaussian function, one could choose to (i) approximate them to the average distance among all training data, (ii) calculate the distances among the centers in each dimension and use some percentage of this distance for the scale factor to approximate σ², or (iii) use the p-nearest neighbor
algorithm [25]. In our design, we choose the latter, i.e., the p-nearest technique, to perform the classification.

Our main motivations behind using a neural network algorithm (NNA) for mobile user classification are: (1) NNA has the intrinsic capacity of learning input data and generalizing; (2) the network is nonparametric and makes more assumptions regarding the distribution of the input data than the static traditional methods (Bayesian); and (3) NNA is capable of creating decision boundaries that are highly nonlinear in the space of characteristics. A neural network algorithm was used to find good (suboptimal) classes. The K-means and p-nearest neighbor algorithms were used to obtain the centers and radiuses of each cluster and variance between the centers. The Gauss function was used to obtain the output of a hidden layer (i.e., centers data, input standards, and radii). In order to implement these functions, we employed Matlab and Toolbox software [8]. This algorithm executes the classification of users through the Gauss, K-means, and p-nearest neighbor algorithms. Note that the data obtained by the RBF algorithm constitute the baseline file. It represents the database used by the CORBA implementation of our system, where every call is compared with this database in order to identify a possible fraud, i.e., a call that does not match the pattern of the client.

14.8.2 Experimental Results

This author and colleagues [4, 26] used data in which users were classified into seven types:

- Local users (FLC) class, representing users that make few local calls
- Local users (MLC) class, representing users that make many local calls
- Users (FLDC) class, representing users that make few long-distance calls
- Users (MLDC) class, representing users that make many long-distance calls
- Users (SLIC) class, representing users that make a few short international calls
- Users (FLIC) class, representing users that make a few long international calls
- Users (MLIC) class, representing
users that make many long international calls

Note that class leads to class 1, and class leads to classes and 2, and so forth. All data were stored in four files, which we refer to as Copenhagen data (A1.data, A2.data, B1.data, and B2.data), where A1.data and B1.data contain 4061 and 4050 calls, respectively. Each call is identified by the following three parameters: (1) the user phone number, (2) the number called, and (3) the duration of the call. Similarly, A2.data and B2.data contain 4061 and 4050 observations, where each observation contains the type of user, i.e., the class the user belongs to. Note that the Copenhagen data are widely used by many researchers.

Input patterns can be seen as points in a multidimensional space defined by the measure of the input characteristics. The main goal of a “pattern classifier” is to split the multidimensional space into decision regions, and identify which one of the classes the input belongs to. The classifier efficiency is strongly dependent on the characteristics that represent the input object.

During our experimentation, we varied the number of neurons from 50 to 150. The results obtained are summarized in Table 14.1. As can be seen, using 110 neurons, for instance, we obtained a good (suboptimal) classification with an error rate of 4.2027. Our experiments also indicated that our system can help to reduce significantly the losses to 0.084% with an error rate of 4.2%, using 110 neurons. Thus, if the profit of a carrier telecom represents $175 million, and the losses due to the frauds and the impostors using cloned mobile phones consume 2% of the gain, then the telecom company is losing $35 million.

TABLE 14.1 Number of neurons in the hidden layer and respective error rate

| Number of neurons (hidden layer) | Error rate |
|---|---|
| 50 | 5.0185 |
| 107 | 4.3758 |
| 100 | 4.4252 |
| 110 | 4.2027 |
| 111 | 4.2027 |
| 127 | 4.3511 |

14.9 CONCLUSION

Due to the rapidly changing telecommunication industry and the increasing popularity of wireless networks, there has been a great deal of concern about security in wireless and mobile telecommunication systems. Of the five areas of network management—configuration, failures, performance, accounting, and security—the last area has not received its fair share of attention. With the increasing popularity of mobile and wireless networks, it is time to acknowledge the security concerns of potential mobile users and deal with them in a straightforward manner.

In this chapter, we focused on the network intrusion detection problem and the fraud of cloned mobile phones. We identified the major problems in network security, and described the major intrusion detection techniques for wireless and mobile systems, including ad hoc networks. We have also presented our security management system, which can be used to identify frauds and impostors using cloned mobile phones. Neural network techniques have been used to classify (mobile) phone users into groups according to their (past/current) profiles. Using this classification, it is easy to determine if a call was made by the user or an impostor/intruder. The system might also be used to identify future impostors as well. Consequently, this antifraud system will prevent the cloning of mobile phones, and it will significantly reduce the profit losses of the telecom carriers and the damage that might be done to their clients.

REFERENCES

1. D. S. Alexander, W. A. Arbaugh, A. D. Keromytis, and J. M. Smith, Safety and security of programmable networks infrastructures, IEEE Communications Magazine, 36, 10, 84–92.
2. A. Aziz and W. Diffie, Privacy and authentication for wireless local area networks, IEEE Pers. Comm., 1, 1, 25–31, 1994.
3. V. Bharghavan, Secure Wireless LANs, in Proceedings ACM Conference on Computer and Communications Security, 1994, pp. 10–17.
4. A. Boukerche and M. S. M. A. Notare, Neural fraud detection in mobile phone operations, 4th IEEE BioSP3, Bio-Inspired Solutions to Parallel Processing, May 2000, pp. 636–644.
5. A.
Boukerche, M. Sechi Moretti, and A. Notare, Applications of neural networks to mobile and wireless networks, in Biologically Inspired Solutions to Parallel and Distributed Computing, A. Zomaya (Ed.), New York: Wiley, 2001.
6. E. Brinksma, IS 8807—LOTOS—Language of Temporal Ordering Specifications, 1988.
7. D. Brown, M. Abadi, and R. M. Needham, A logic of authentication, ACM Transactions on Computer Systems, 8, 1, 18–36, 1995.
8. H. Demuth and M. Beale, Neural network toolbox—For use with MatLab, Matlab User’s Guide, Version 3, pp. 7.1–7.33, 1998.
9. D. Denning, An intrusion-detection model, IEEE Transactions on Software Eng., 2(13), 222–232, 1987.
10. Y. Frankel, A. Herzberg, P. A. Karger, C. A. Kunzinger, and M. Yung, Security issues in a CDPD wireless network, IEEE Pers. Comm., 2, 4, 16–27, 1995.
11. H. Garavel, CADP/Eucalyptus Manual, INRIA, Grenoble, France, 1996.
12. V. Gupta and G. Montenegro, Secure and mobile networking, ACM/Baltzer MONET, 3, 381–390, 1999.
13. N. Habra et al., Asax: Software architecture and rule-based language for universal audit trail analysis, in Proceedings 2nd European Symposium on Research in Computer Security, LNCS, vol. 648, 1992.
14. S. Jacob and M. S. Corsen, MANET Authentication architecture, MANET Internet Draft, Feb. 1999.
15. J. Liu and L. Harn, Authentication of mobile users in personal communication systems, IEEE Symposium on Personnel Indoor and Mobile Radio Communication, 1996, pp. 1239–1242.
16. T. Lunt et al., Knowledge-Based Intrusion Detection, in Proceedings AI Systems in Government Conference, 1986.
17. T. Lunt, Automated audit trail analysis and intrusion detection: A survey, in Proceedings 11th International Computer Security Conference, 1988, pp. 65–73.
18. S. Mohan, Privacy and authentication protocol for PCS, IEEE Personnel Communication, 1996, pp. 34–38.
19. G. McGraw and E. Felten, Java Security, New York: Wiley, 1997.
20. R. Molva, D. Samfat, and T. Tsudik, Authentication of mobile users, IEEE Personnel Communication, 1994, pp. 26–34.
21. C. S. Park, On certificate-based
security protocols for wireless mobile communication systems, IEEE Network, 1997, pp. 50–55.
22. S. Patel, Weakness of North American wireless authentication protocol, IEEE Personnel Communication, No. 3, 1997, pp. 40–44.
23. C. Pfleeger and D. Cooper, Security and privacy: Promising advances, IEEE Software, 1997.
24. C. Perkins, Ad Hoc Networking, Reading, MA: Addison Wesley, 2001.
25. B. D. Ripley, Pattern Recognition and Neural Networks, Cambridge University Press, 1996.
26. M. S. M. A. Notare, A. Boukerche, F. Cruz, B. Risco, and C. Westphal, Security management against cloning mobile phones, IEEE Globecom’99, pp. 969–973, Dec. 1999.
27. S. P. Shieh, C. T. Lin, and J. T. Hsueh, Secure communication in global systems for mobile telecommunication, in Proceedings of the First IEEE Workshop on Mobile Computing, 1994, pp. 136–142.
28. F. Stoll, The need for decentralization and privacy in mobile communication networks, Computers and Security, 4, 6, 527–539, 1995.
29. B. R. Smith, S. Murphy, and J. J. Garcia-Luna-Aceves, Securing distance-vector routing protocol, in Proceedings Symposium Networking and Distribution Systems Security, 1997, pp. 85–92.
30. Z. J. Tzeng and W. G. Tzeng, Authentication of mobile users in third generation mobile systems, Wireless Personnel Communication Journal, 16, 35–50, 2001.
31. Y. Zhang and W. Lee, Intrusion detection in wireless ad hoc networks, IEEE/ACM MobiCom Proc., 2000, pp. 275–283.
32. R. Rivest, The MDS message-digest algorithm, RFC286, Internet Engineering Task Force, Symbolic, Inc., 1982.
33. A. Boukerche and M. S. M. A. Notare, Behavior based intrusion detection in mobile phone systems, Journal of Parallel and Distributed Computing, in press.
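The classification pipeline of Section 14.8.1 (K-means centers, p-nearest-neighbor widths, Gaussian hidden layer, iterative LMS output weights, then comparison of new usage against the subscriber's baseline class) is sketched below as an added example; it is not the chapter's Matlab code. The two usage features, the three classes (0 = few local calls, 1 = many local calls, 2 = few long international calls), and all sample values are constructed assumptions, and a spherical Gaussian with one σ per center stands in for the full covariance form.

```python
import math

def dist2(a, b):
    return sum((x - y) ** 2 for x, y in zip(a, b))

def kmeans(points, centers, iters=10):
    """Lloyd's algorithm: returns cluster centers refined from the initial guesses."""
    for _ in range(iters):
        groups = [[] for _ in centers]
        for p in points:
            groups[min(range(len(centers)), key=lambda j: dist2(p, centers[j]))].append(p)
        centers = [tuple(sum(col) / len(g) for col in zip(*g)) if g else c
                   for g, c in zip(groups, centers)]
    return centers

def widths(centers, p=2):
    """p-nearest-neighbour heuristic: sigma_j = RMS distance to the p nearest other centers."""
    near = [sorted(dist2(c, o) for o in centers if o is not c)[:p] for c in centers]
    return [math.sqrt(sum(d) / len(d)) for d in near]

def hidden(x, centers, sigmas):
    """Gaussian response of every hidden node to input x."""
    return [math.exp(-dist2(x, c) / (2 * s * s)) for c, s in zip(centers, sigmas)]

def train_lms(samples, labels, centers, sigmas, n_classes, rate=0.2, epochs=300):
    """Iterative LMS (gradient descent) for the output weights W in Y = W . f."""
    W = [[0.0] * len(centers) for _ in range(n_classes)]
    for _ in range(epochs):
        for x, y in zip(samples, labels):
            f = hidden(x, centers, sigmas)
            for k in range(n_classes):
                err = (1.0 if k == y else 0.0) - sum(w * a for w, a in zip(W[k], f))
                W[k] = [w + rate * err * a for w, a in zip(W[k], f)]
    return W

def classify(x, W, centers, sigmas):
    f = hidden(x, centers, sigmas)
    return max(range(len(W)), key=lambda k: sum(w * a for w, a in zip(W[k], f)))

# Constructed data: (calls per day, mean minutes per call); labels 0/1/2 are hypothetical classes.
SAMPLES = [(2, 3), (3, 2), (2, 2), (3, 3), (12, 3), (13, 2), (12, 2), (13, 3),
           (2, 15), (3, 14), (2, 14), (3, 15)]
LABELS = [0] * 4 + [1] * 4 + [2] * 4
CENTERS = kmeans(SAMPLES, [SAMPLES[0], SAMPLES[4], SAMPLES[8]])
SIGMAS = widths(CENTERS)
W = train_lms(SAMPLES, LABELS, CENTERS, SIGMAS, n_classes=3)

def is_suspicious(observation, baseline_class):
    """Flag usage whose predicted class differs from the subscriber's baseline class."""
    return classify(observation, W, CENTERS, SIGMAS) != baseline_class
```

Here the stored class label per subscriber plays the role of the baseline file: usage that lands in another class's decision region is what would trigger the warning message to the client.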