Design Article

Improving network security with scalable signal monitoring

Charlie Baker, Netaccess Product Manager, Brooktrout Technology Inc., Needham, Mass.

10/14/2002 10:42 AM EDT

Network convergence has brought with it challenges and opportunities. Hackers once spoofed the in-band signaling used for call setup with nothing more than a cereal-box whistle and blue boxes, which eventually led to the development of a separate signaling network and entirely different call control philosophies.

But what was once a tightly defined number of access points into a wired network has evolved into a web of access points, across wireless and wired networks, all of which are vulnerable to intrusion, hacking, and fraud. Operators must continuously monitor their signaling network for accuracy, reliability, and security. The challenge: finding telecommunications security systems that are real-time, cost effective, scalable, and flexible enough to grow with evolving standards and hackers' attempts at fraud.

As per-minute costs decline, operators continue to provide more enhanced services like caller ID, call waiting, call blocking, and call forwarding to increase their revenue generation opportunities. Evolving revenue opportunities are focused in the wireless space: m-wallets, direct-dial numbers for purchases from vending machines, and Short Message Service (SMS) based advertising.

All of these revenue-generating services have a common thread: they are based on the signaling information carried across the network. Each service leverages a well-defined set of parameters that allow or deny service and provide value-added information to the customer. The same signaling information is also used as the backbone for billing and call data record creation, billing reconciliation between operators, and most importantly, call setup.

For example, an operator can offer a service that blocks calls from known numbers. A user can subscribe to this service for a monthly fee and provide a list of numbers they wish to block from their line. In order for this feature to be deployed, the operator has to screen all of the signaling information going to the customer's line and when the number is identified, deny service or present a busy signal.

One approach to delivering this service would be to deploy a sniffer on the signaling channel that, through the use of databases and rules, would recognize an unwanted number and send the appropriate busy signal message back to the originator through the signaling network.

Enhanced services not only provide greater revenue opportunity, they provide more opportunities for the operator to be exploited through fraudulent activity and more points of interest for hackers to attack.

To combat these attempts, all operators have systems in place that attempt to detect fraud patterns and keep the hackers out. Signaling System #7 (SS7) messages, specifically Message Signal Units (MSUs), are typically analyzed and processed to combat fraud and network misuse. MSUs are the data messages used whenever information is transferred between two signaling points in the network; they contain information such as the call originator and the destination party.

Unfortunately, call signaling requirements continue to grow beyond SS7, and monitoring systems must continue to grow to work with new protocols. Operators may have to analyze legacy ISDN signaling channels and new IP-based signaling protocols for Voice over Packet networks. Session Initiation Protocol (SIP), H.323, Media Gateway Control (MEGACO), and the IP version of SS7, Stream Control Transmission Protocol (SCTP), are all used at various points in the network and contain valuable information that must be analyzed alongside SS7 messages. System developers must keep up with evolving standards, simplify development, and decrease time to market to meet the operators' growing needs.

Two basic software approaches are in use for fraud detection/signal monitoring today. The first requires two steps: full processing of the signaling messages through a complete protocol stack, followed by data analysis. Each message is received by the system as if it were live on the network and processed accordingly.

Large investments

There are two drawbacks to this processing approach: software stack cost and host processing requirements. Each stack requires licenses or an intense software development investment from the equipment manufacturer that is passed on to the operator. Every stack added to the system requires more computing power and competes for system resources. These factors usually translate into a greater initial investment for the operator.

The second approach leverages packet inspection at lower levels in the stack and the pre-screening of unwanted messages before they are processed. In this approach, the physical interface boards actually have the ability to assign rules or filters to packets as they enter the monitoring system. Based on the values in the payload, the packets can be dropped, routed to a specific data channel for processing, copied and sent to multiple software processes, or copied and sent to multiple locations for alerting or other purposes. The application only gets the information it requires, which allows the system to scale to much higher densities for a lower initial investment.
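The following is an added example, not code from the article or from Brooktrout: a small pre-screening rule engine in the spirit of the second approach, applied to the call-blocking service described earlier. MSUs are modelled as already decoded field dictionaries (constructed sample traffic, not real captures; the field names, channel names and the block list are assumptions), and each rule either drops a unit, routes it to one data channel, or copies it to several consumers, so the application behind the filter only receives what it asked for.

```python
from dataclasses import dataclass, field
from typing import Callable, Dict, List

MSU = Dict[str, object]  # one decoded Message Signal Unit as a field dict

@dataclass
class Rule:
    name: str
    match: Callable[[MSU], bool]   # predicate over decoded MSU fields
    action: str                    # "DROP", "ROUTE" or "COPY"
    targets: List[str] = field(default_factory=list)  # data channels

def apply_rules(msu, rules):
    """DROP discards the MSU; COPY fans it out to its targets and keeps
    evaluating; ROUTE delivers to its targets and stops. Returns {channel: [msu]}."""
    out = {}
    for r in rules:
        if not r.match(msu):
            continue
        if r.action == "DROP":
            return {}
        for t in r.targets:
            out.setdefault(t, []).append(msu)
        if r.action == "ROUTE":
            break
    return out

def prescreen(msus, rules):
    """Run every MSU through the rule set; only routed/copied MSUs reach channels."""
    channels = {}
    for m in msus:
        for ch, hits in apply_rules(m, rules).items():
            channels.setdefault(ch, []).extend(hits)
    return channels

BLOCK_LIST = {"5552000": {"5551000"}}  # constructed: called subscriber -> blocked callers
RULES = [
    Rule("isup_only", lambda m: m["si"] != "ISUP", "DROP"),
    Rule("subscriber_block", lambda m: m["msg"] == "IAM"
         and m["calling"] in BLOCK_LIST.get(m["called"], ()), "ROUTE", ["busy_responder"]),
    Rule("intl_from_edge", lambda m: m["msg"] == "IAM"
         and m["called"].startswith("011") and m["opc"] == 100, "COPY", ["fraud_analysis", "alerting"]),
    Rule("call_records", lambda m: m["msg"] in ("IAM", "REL"), "ROUTE", ["cdr"]),
]

SAMPLE = [  # constructed traffic: one MTP network-management MSU, three ISUP MSUs
    {"si": "SNM", "msg": "TFP", "opc": 100, "dpc": 200},
    {"si": "ISUP", "msg": "IAM", "opc": 100, "dpc": 200, "calling": "5551000", "called": "5552000"},
    {"si": "ISUP", "msg": "IAM", "opc": 100, "dpc": 200, "calling": "5553000", "called": "0119001234"},
    {"si": "ISUP", "msg": "REL", "opc": 200, "dpc": 100, "cic": 17},
]
```

Running `prescreen(SAMPLE, RULES)` discards the management unit, sends the blocked call to the busy responder only, fans the international attempt out to both fraud analysis and alerting before it also reaches the call-record channel, and passes the release message straight to call records.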

It is important to discuss system monitoring techniques with respect to investment, especially as capital expenditure budgets are shrinking, more protocols are added, and more demands are placed on monitoring systems. Operators must now justify the expansion of their fraud detection system to keep up with network build-outs, and it becomes increasingly difficult to accurately calculate the ROI they realize from stopping fraud. Hacker strategies and fraud techniques become more and more sophisticated with each service operators offer and each system entry point they add. The faster the security system can recognize a network threat, the greater the return on investment.

Requirements for the Communications Assistance for Law Enforcement Act (CALEA) and the Patriot Act can also be met through signaling inspection techniques. Operators can further justify the expense of an enhanced security system by extending its reach externally to law enforcement agencies and government offices.

In support of CALEA, authorized numbers are quickly tapped, high-speed call traces can be sent in real time to the appropriate authority, and suspect databases can be created from individual call data records as calls are made. Homeland Security efforts can be assisted by loading targeted phone numbers into the system for activity detection. When the security system recognizes the number or call characteristics, such as country code, the voice channel can be copied to an Automatic Speech Recognition (ASR) engine for keyword detection, location information can be forwarded in the case of a mobile device, call forwarding and conferencing can be detected and followed, or a live agent can be alerted to provide real-time analysis of the conversation.
