Project Results

Project Public Deliverables

WP1: Requirements / Specification / Architecture (RTD)

D1.1 State-of-the-Art for security threats and attacks against mobile devices & analysis of current practices

Download Report (v4.0 Revised May 2014)

Executive Summary

Nowadays smart mobile devices are ubiquitous, they are used for personal mobile communications, data storage, multimedia and entertainment, and therefore are becoming the fulcrum of billions of users’ digital lives. Their usage has grown by 60% in the last year in the United States, and similar trends are observed worldwide, where the number of smartphones in use has now broken the 1 billion mark. With the ITU (the International Telecommunication Union) estimating global mobile subscriptions at 6 billion at the end of 2011, it is calculated that global smartphone penetration is now 16.7%. Even if it has taken 16 years for smartphone penetration to reach 1 billion, it is estimated that it will only take three years to achieve the next billion. As far as the mobile OSes distribution is concerned, Android and Apple iOS combined account for the significant majority of the global smartphone installed base in 2012.

Smartphones are often used to read enterprise email and documents, find local businesses, get deals on products, buy them and click on mobile ads. It is, therefore, evident that a possible compromise of banking and PayPal mobile applications, social networking and email accounts, wireless LAN and VPN applications by cyber-criminals not only puts in jeopardy personal privacy, but can also threaten an important financial loss.

Economic fraud often goes hand-in-hand with identity-related crime, and the spread of information and communication technologies augments the problem. It is obvious that the increasing popularity of smartphones and other mobile devices has moved them into the visor of spyware and fraudware.

In the real world, malware can reach the mobile device by any means: via Bluetooth, SMS and MMS messaging, e-mail, Internet access, and is installed either by taking advantage of the vulnerabilities found on mobile devices, or with the user’s full consent (e.g., social engineering and phishing).

In order to advance in the field of cyber security and counter and prevent mobile cyber-attacks, security techniques should become proactive and provide a defence before new threats materialize. Mobile security solutions, like antiviruses installed on mobile devices, are not enough for this ambitious purpose.

Instead, there is an urgent need for an infrastructure able to collect attack traces against mobile devices, detect, analyse and understand the attack strategies and build appropriate countermeasures. Such an infrastructure, which will be based on the mobile honeypots deployment, will allow for the provisioning of secure and seamless mobile protection services. While there is a lot of experience in building honeypots for wire line networks, honeypots’ deployment in the mobile ecosystem is not a minor task. The majority of conventional honeypot types is mostly instrumented for the detection of undirected, widely spread attacks. Mobile malware usually perpetrate targeted attacks, hence the conventional honeypots are not fully appropriate in the mobile ecosystem.

On the other hand, as mobile networks are becoming mainly data networks, moving to flatter and more open architectures (e.g., the IP-based LTE architecture), and the traffic is growing exponentially, the mobile networks are becoming more vulnerable to security threats. While in 3G networks the traffic is encrypted from the mobile device through the NodeB and all the way to the RNC (thus both RAN and backhaul are protected), basically in LTE networks mandated encryption from the mobile device stops at the eNB, leaving the IP traffic in the backhaul unprotected.

The current attacks and security practices in mobile security are presented from both the device and the core network perspectives, since the aim of NEMESYS is to build the primary tools in order to provide an infrastructure that can offer protection to all network elements. Towards this end, a thorough look at the state of the art in mobile malware and commonly adopted protection mechanisms is provided, in order to be able to propose and implement an architecture and a strategy that will allow the mobile network operators to deliver early warning of attacks on their customers’ mobile devices and their core mobile network.

Summary and Conclusions

Today, there is a widespread adoption of smart mobile devices built on a fully- fledged mobile operating system, with more advanced computing capability connectivity than an ordinary mobile phone. Smart phones started by supporting the functions of a personal digital assistant (PDA), followed by the functionality of portable media players, low-end compact digital cameras, pocket video cameras, GPS navigation units , high-resolution touch screens and web browsers to eventually provide high-speed data access by Wi-Fi and mobile broadband, while the current rapid development of mobile application markets and of mobile commerce have been major drivers of smartphone adoption in everyday life. Smart phones have experienced the fastest worldwide adoption since the advent of television.

As we have seen in the first part of the present document, mobile devices are attractive not only for end users but also for cybercrime and malware developers. In terms of malware widespread and sophistication it seems that the trend is similar to that followed by malware developed for PC platforms, but in a much faster way. Moreover, differently from traditional PC platforms, smartphones are natively a source of profit (the user’s phone/data traffic credit), and this makes them very attractive to cybercriminals.

From the network perspective, and focusing on the advanced 3G (UMTS/HSPA/HSPA+) and the emerging 4G (LTE) access network technologies, emerging threats include the growth in application layer vulnerabilities, risks presented by smartphone application developers and OSs, excessive signalling in the network generated by smartphones and smartphone applications. Especially the flatter LTE IP-based architecture (IP backhaul, RNC node elimination, termination of the user’s traffic encryption in the eNodeB, more signalling and bearer paths between network elements) gives a potential attacker a straighter path to the network core through devices, the RAN, backhaul and external third party networks. With the move to IP based networks, security issues such as the compromise of the user’s location, digital rights management, Spyware or Adware download, the compromise of users’ sensitive information (emails, documents, phone numbers etc.) in case a device is lost or stolen, the list not being exhaustive, need to be addressed. Last but not least, Diameter signalling floods are an emerging threat to LTE networks, and the industry – mobile operators and vendors alike – does not yet fully understand their causes, forms and impact.

Security protection in 3G-networks requires the consideration of several aspects and issues, such as the wireless access, the end-user mobility, the particular security threats, the type of information to be protected (user data, charging and billing data, customer information data, network management data, etc.), and the complexity of the network architecture/topologies including the heterogeneity of the involved technologies.

Most of the security requirements for 3G networks hold also for LTE networks, so that at least the same level of security as in the 3G networks is guaranteed in LTE. In addition, two main new security features introduced in LTE: a) a completely new ciphering mechanism and integrity protection for NAS signaling messages and b) the option to secure the complete IP-based transport of the control plane and user plane on the S1 reference point using Secure IP (IPsec). However, even though IPsec provides traffic encryption, MNOs need to take further actions to protect themselves from signalling flood threats.

Security mechanisms for the communications between the client device and the carrier’s core network (against eavesdropping, fraud, service disruption, and other malicious activity) have also been designed for the IP-based FAPs, namely: FAP Physical Security, FAP and Core Network mutual authentication and IPSec tunnel establishment, Location Verification, Access Control, Protection of FMS traffic between FMS and FAP and Measures for Clock Protection.

As a result, considering the network security/protection, there is a variety of appropriate countermeasures, such as: advanced firewall and intrusion prevention system (IPS) products, addition of IPsec termination capabilities on platforms, solutions to reduce the impact of smartphone, features of network security architecture including authentication, key mechanism, encryption, etc. are available, for the mobile operators to deploy. However, the protection of the mobile core network from an attack coming from a user device that is utilized as a stepping stone for this purpose still remains a challenge to be investigated and addressed, so as to enable the mobile operators to protect their networks and provide a safe environment for their subscribers.

We can conclude that the spreading of smartphones represents many opportunities for users themselves and for MNOs. However, there are certain major challenges imposed on the network side of a MNO associated with providing services to smart mobile devices. These challenges include securing transmissions to and from devices and protecting the network and the devices themselves. NEMESYS will respond to these challenges by designing a comprehensive security infrastructure which aims to offer protection to both the devices and the mobile networks they are connected to.

D1.2.2 Use case analysis and user scenarios - Consolidated version

Download Report

Executive Summary

Nowadays smart mobile devices (smartphones and/or tablets), are becoming ubiquitous and they are used for mobile communications, web browsing, data storage, multimedia and entertainment, reading personal and enterprise email and documents, finding local businesses, getting deals on products, and for a lot more applications the number of which is foreseen to increase over time.

The amount of malware attacks against these devices is also foreseen to grow over time [15]. In the real world, malware can reach the mobile device via Bluetooth, SMS and MMS messaging, e-mail or Internet access and is installed either by taking advantage of the vulnerabilities found on mobile devices, or with the user’s full consent. These attacks can subsequently affect the mobile network.

Mobile devices are not the only entry points for attacks against the mobile networks. Femto access points, also known as femtocells, are becoming increasingly popular due to the enhanced indoor coverage they offer. These devices however, can be exploited by malicious attackers and therefore they should be considered as an additional entry point for attacks against the mobile network.

NEMESYS goal is to build the primary tools aiming to provide an infrastructure framework that can offer protection to mobile devices, femtocells and mobile networks. This deliverable describes the first step towards this goal, which is the definition of a wide range of innovative use cases and the corresponding user scenarios. These scenarios will identify the user needs and they will be utilised to drive the process of gathering architectural requirements for both user and system levels. They will also guide the design and development of the NEMESYS framework and they will identify the evaluation criteria through which the results of the NEMESYS project will be demonstrated.

This deliverable is part of the first Work Package and presents the results of task T1.2, whose goal is to specify the interface between the end-user needs and the research partners and perform cross scenario studies to determine the main common functionalities that the NEMESYS project should primarily focus on.

Taking into account the output of T1.1 provided in the deliverable D1.1 regarding the consolidation of relevant research and studies performed in relation with the operational fields (e.g. honeypot development for mobile devices, data collection infrastructure, abnormal event detection and attack attribution), T1.2 has the following detailed tasks:

  • Consolidation of operational requirements and constraints, to be provided as input to the research teams in the Work Packages 2 to 7.
  • Identify/sketch the main operational functionalities of NEMESYS. Their study and specification will follow as part of the deliverable D3.1.
  • Derive technical requirements and check for feasibility.
  • Identify scenario requirements and variables that are crucial to be measured and traced.

There will be two versions of this deliverable, since task T1.2 will run for two distinct periods. This first version of the requirements and use cases (Month 12), will guide the research work conducted in T7.1 and T7.2. Then, after analyzing the initial results of T7.1 and T7.2, a second version of the deliverable will be available by Month 27 that will provide the final updated use cases and requirements, the selection of the sub-use cases to be demonstrated together with the implementation and demonstration implications and demonstration feasibility study.

The rest of this deliverable is organised as follows:

In Chapter 2, the evolving ecosystem of wireless communications is presented by describing the changes that are currently taking place in the wireless communications environment, the threats’ landscape and the generic countermeasures at Mobile Network Operator (MNO) level.

In Chapter 3, the operational requirements are investigated.

In Chapter 4, the detailed descriptions of four (4) use case scenarios are presented and the way NEMESYS will contribute to satisfy the user specific needs is explained. The four use cases considered are:

  • The detection of attacks against mobile devices and their users
  • The detection of signalling based attacks against a mobile network
  • The anomaly detection within femtocell architecture and
  • The visual analytics framework for the MNO.

Finally, at the end of this deliverable, after the Summary, an appendix is included listing all known common attacks, the devices and network(s) they affect, their origin and the MNO security recommendations.

Summary and Conclusions

This deliverable presents a wide range of attack scenarios and specific use cases in order to identify the NEMESYS user needs and main functionality that will be utilized to drive the process of user and system level architectural requirements gathering for the NEMESYS project.

To start with, the evolving landscape is briefly presented mainly characterized by the proliferation of the smart mobile devices, comprising an attractive source of personal information while it is exposed to a non exhaustive list of threats for its owner or for the core mobile network and thus continuous alert for security is required. Moreover, femtocells provide additional potential entry points to the core mobile network; the latter being transformed into flat IP networks with more connections among elements which are easier to penetrate.

At the present time, various signaling attacks that target the core UMTS system, the IP Multimedia Subsystem (IMS), and the LTE infrastructure are proposed in the literature (rather than realized in practice). More specifically, in research works signaling-oriented DoS attacks (which exploit unencrypted and unauthenticated signaling messages) are considered as possible. Their hypothesis is that the attackers hold a malicious entity (currently available and affordable) with the help of which they are capable to act as man-in-the-middle, intercept valid UE-BS sessions, sniff and resend packets, analyze traffic and spoof the data of UMTS frames and lead to system instability, poor QoS or render a service unavailable to its legitimate users. A list of potential DoS attacks (both real and theoretical ones) is provided1 along with indicative scenarios to illustrate the kind, the width and the severity of threats. In addition, a brief description of the vulnerabilities and the attacks which can be conducted against SIGTRAN stack layers (IP, SCTP) is presented, since the interconnection of the MNO networks to each other over cheaper and more efficient IP infrastructures (compared with the traditional SS7 links), by means of new protocols based on IP layer (like SIGTRAN and VoIP), exposes the mobile network to new threats that cannot be easily detected.

Taking into account the current countermeasures taken (or potentially taken) by a MNO as well as the threats and vulnerabilities to be addressed by NEMESYS security approach, NEMESYS general operational requirements (both user and system related) are presented.

The deliverable culminates with the elaboration of specific use cases to be addressed by NEMESYS in order to illustrate the NEMESYS approach, including a comprehensive description of them, the expected NEMESYS results and innovations (beyond SoA), along with the main system requirements and constraints, the challenges and the evaluation framework (e.g. evaluation criteria, parameters to be measured / traced).

Four use cases are considered in this deliverable:

The first one shows how the NEMESYS malware detection framework can be used to detect attacks against mobile users, where it is assumed that smartphones are infected by Android malware which steals private information, sends premium SMS, and communicates with a remote server.

The second use case describes how the NEMESYS anomaly detection framework can be used to perform attack detection in signaling traffic from 3G and 4G networks, in the case of DoS signaling attacks against the access and core network of a MNO. The third use case shows how anomaly detection can be performed within the femtocell architecture based on techniques presented in the NEMESYS framework.

Finally, the forth use case describes how to use the NEMESYS Visual Analytics framework to perform attack detection & classification, root cause identification – attack attribution, attack grouping, and formulate-validate attack related hypothesis, in case of a DDoS attack affecting the core network and the quality of service provided to end users.

The above use cases will guide the design and development of the NEMESYS framework and they will identify the evaluation criteria through which the results of the NEMESYS project will be demonstrated.

D1.3.2 System Architecture – Consolidated version

Download Report

Executive Summary

Using the results of T1.1 and T1.2 (D1.1 and especially D1.2.1), the realisation of the user needs and the identification of user and system requirements, the objective of this document is to define the overall system architecture of the security framework proposed by the NEMESYS project. It includes the description of the structure of the NEMESYS architecture, the system specification of each component and of the communication among them. The main components of the NEMESYS system are di- vided into functional modules, and each one is thoroughly specified, while the inte- grated view of the infrastructure is designed to guide the implementation and inte- gration during the R&D phases of the project. The specification is made with a view to ensuring the harmonious interplay of components.

Further to the system design, this task will provide a study on how the framework will address the user scenarios identified in Task 1.2 and will also initiate to define the appropriate user acceptance metrics to be assessed in the validation phase.

Summary and Conclusions

The NEMESYS distributed and collaborative approach at detection of mobile mal- ware through mobile honeypots and anomaly detection on mobile traffic coming from UE, femtocells and selected devices of the MNO’s core mobile network is the most complete approach as far as mobile malware detection and prevention is con- cerned.

The challenges of the definition, development and deployment of such a complex system are not few and some of them have been addressed in the current version of Deliverable D1.3.1. As the work progresses in the various WPs of the project, the fi- nal version of this Deliverable, D1.3.2, will come with the complete descriptions and specifications of the proposed views of the NEMESYS architecture.

WP2: Development of Virtualized Honeypots for Mobile Devices

D2.1 Survey of Smart Mobile Platforms

Download Report (v2.0 revised May 2014)

Executive Summary

Smart mobile devices–smartphones and tablets–are ubiquitous tools to manage and ac- cess people’s online assets everywhere, every time. They store valuable personal infor- mation, such as passwords, emails, contact information and photos. With this wealth of valuable information, smart mobile devices became the target of attackers. With smart mobile devices entering the corporate domain with BYOD, it is of utmost importance to ensure the confidentiality, integrity and availability of the information on the devices.

Enacting countermeasures against attacks precludes knowledge about current threats. Up to now we do not have a systematic tool to collect threat intelligence.

In this report we aim to do the first step in creating of such a tool: Determine the target platform and the attack vectors that need to be covered. To that end we survey the current smart mobile platforms in terms of their architecture, security measures and openness. We follow up with a market analysis to determine the most important mobile platform today. Finally we do a thorough analysis on known threats to that platform.

Summary and Conclusions

In this report we presented a survey of current smart mobile platforms. The goals of this report were to decide on a target platform for the mobile honeypot, and to distill attack vectors that the honeypot can cover.

To that end we surveyed a number of smart mobile platforms. We then investigated their market share. Given this information we defined the prerequisites of the virtualized mobile honeypot. Using these, we decided to target the Android platform, because it is the most popular mobile platform, and it is the target of the majority of malware. Further, is in large parts open source, which enables us to virtualize it.

Having decided on the target platform, we further investigated the attack vectors of Android that the honeypot can cover. Our analysis of attack vectors revealed that there are three categories: physical attacks, social engineering and exploits. We argue that there is no effective means against physical attacks. Especially the JTAG interface can usually not be turned off in software. So there is essentially nothing that we can do. However, physical attacks require that the attacker get physical access to the device, which limits the effectiveness. For the scope of this work package, we will not address physical attacks.

Social engineering is an attack vector that is very interesting. It sheds light on the role of the user. It is the user who cannot interpret the requested permissions on App installation. It is the user who turns to black markets to obtain potentially malicious pirated versions of legitimate paid Apps. Therefore, to assess the current threat situation of smart mobile devices, we cannot ignore the user.

The third attack vector is software vulnerabilities. The impact of a vulnerability is based on the location of the vulnerability. In the worst case, the vulnerability is located in the kernel. If the attacker manages to write a reliable exploit that allows him to run her own code in kernel context, then all the platforms security measures are void. Thus, for our honeypot we must assume the kernel to be vulnerable.

D2.2 Honeydroid: Virtualized Mobile Honeypot for Android

Download Report

D2.3 Lightweight Malware Detector

Download Report

WP3: Network data collection infrastructure

D3.1 Network information sources

Download Report

Executive Summary

This document provides an outline of all available information sources followed by evaluation and comparisons under the light of the NEMESYS objectives. The purpose of deliverable D3.1 is to provide the consortium with an overview of the available information sources related to mobile signaling, user behavior and attacks against end hosts and edge networks and identify those that are the most likely to give us interesting hints with respect to the correlation of attacks. The task T3.1 contributed to the production of this deliverable.

The main body of this report examines in detail the information sources, divided in four discrete categories. The first category introduces sources which collect data using monitoring software installed directly in mobile devices or monitor the signaling traces of devices in a confined geospatial area. The second category describes datasets composed using monitoring systems deployed in the Operating and Maintenance Centers (OMCs) of the network providers. The third category focuses on malware and vulnerability databases and repositories. Finally, the forth category includes DNS monitoring services, honeypot projects, malicious URL blocklists and IP and URL reputation services. An “Evaluation & Comparison” section is included for each of the above categories including comparison tables coupled with our remarks and suggestions. The final part of the document is dedicated to the conclusions drawn from the previous examination and puts the deliverable into the higher context of the project.

It is strongly emphasized that this is an ongoing document that is being evolved along with the project progress and will be regularly updated to reflect up-to-date information.

Summary and Conclusions

Throughout this deliverable, we have listed and documented all relevant information sources that will be valuable inputs for the NEMESYS project.

As shown in Chapter 2, there are sufficient information sources that release datasets produced using mobile device monitoring. In particular, Lausanne Data Collection, Reality Mining and NODOBO are the most important information sources and they provide reliable and rich datasets. Moreover, a number of Bluetooth and Wifi datasets (e.g., SIGCOMM 2009) are released and it would be very interesting to explore malware spread techniques based on the traces they provide. In chapter 3, we examined information sources that provide datasets collected using monitoring from a central network node. A shortage of information sources becomes easily apparent, mainly because of the monitoring complexity and the strict privacy policies the networks providers apply. Despite this, both datasets (i.e., IEEE VAST 2008, Orange D4D) were evaluated as very useful for NEMESYS and especially the private dataset from the D4D challenge which contains call detail records from 5 million users.

In Chapter 4, we examined various databases, repositories and analysis tools. More specifically, many malware repositories, databases, encyclopedias and analysis tools were presented and discussed. VirusShare, Android Malware Genome project, VirusTotal and Anubis are among others the most significant information sources from this category. On the other hand, vulnerabilities also provide a valuable source of information for the analysis of malware and attackers techniques. The most prevalent sources are NIST and OSVDB because they offer a wide variety of vulnerabilities in an easy to use format.

Chapter 5 presents DNS monitoring projects, honeypots and blocklists regarding malicious activity and malware. From those we found DNSDB from ISC, ISOT Botnet dataset and Nothink to be very close to what is needed for NEMESYS. Additionally, VX Vault and Malc0de should be considered the NEMESYS’ primary sources for malware samples and signatures.

From all the above, we conclude that the information sources we introduced will effectively cover the needs of all NEMESYS’ tasks that require such input. As planned within NEMESYS, correlating all those heterogeneous information sources should help us to efficiently identify, analyze and counteract against the attackers’ modus operandi. Last but not least, it is important to note that even though we made every effort to examine and list all available information sources new projects are constantly initiated and thus it would be beneficial to stay alert for new sources.

D3.2 Network information sources

Download Report

D3.3 Data Collection Infrastructure

Download Report

WP4: Anomaly detection using control plane data

D4.1 Anomaly detection based on signalling protocols

Download Report

Executive Summary

In this deliverable we review the characteristics of signalling storms that have been caused by certain common apps and recently observed in cellular networks, leading to system outages. We then develop mathematical and simulation models of a mobile user's signalling behaviour which focus on the potential of causing such storms. The analysis of the models allows us to determine the key parameters of mobile user device behaviour that can lead to signalling storms. We then identify the parameter values that will lead to worst case load for the network itself in the presence of such storms. This leads to explicit results regarding the manner in which individual mobile behaviour can cause overload conditions on the network and its signalling servers. Finally, we present anomaly detection and mitigation algorithms based on the insights gained from the analysis, and we show via simulation experiments that the algorithms can substantially reduce the amount of signalling load in the network as well as improve the quality of experience for the users.


This deliverable has focused on modelling, detection and mitigation of signalling storms that affect the radio resource control (RRC) protocol in mobile networks. Such storms can be caused by poorly designed mobile apps, outages in cloud services, large scale malware infections, or malicious network attacks. We first modelled the behaviour of a mobile network user with a view to determining network overload in signalling servers that can result from signalling misbehaviour. In the course of this work we derived a Markov model of user behaviour that can also be exploited in other studies concerning mobile networks as a whole. The Markov model has been solved analytically, and used to derive conditions and parameters for which the signalling misbehaviour can cause the largest damage and which therefore need to be avoided. Specifically, the model shows that there is a single transition in the RRC state which, if triggered repeatedly, can cause the maximum load on the RRC signalling server, and this transition is determined by the average normal user profile. The analysis also provided insights into how to detect signalling storms without penalising heavy users. The model was then extended for effects of congestion in the control plane, providing an accurate representation of the RRC signalling storm and allowing us to reach quick analytical results.

We then presented a simulation based study of signalling storms, looking at their effects on the performance of the mobile network and the quality-of-experience (QoE) of the users. The results have shown that even when a small fraction of the mobile users misbehaves, the signalling components in the mobile network, e.g. the RNC, are overloaded, resulting in at best a degradation in the QoE and at worst a denial-of-service for all mobile users connected to the same network element. Considering that network elements such as the RNC and the SGSN normally handle all users in a small city, the effects of storms can be far-reaching.

Our results indicate that mobile network operators should enable the PCH state in their RRC protocol configuration since it significantly reduces the signalling load on the core network and thus protecting it from the effects of RRC-induced storms. Another recommendation would be to increase the RRC inactivity timers T1 and T2 in order to reduce the number of RRC state transitions and thus the signalling load. However, this would affect all users in the mobile network and have a negative impact on the energy consumption of mobile devices, which is a major consideration of operators due to the advent of smartphones. This motivates the need for detection and mitigation methods that can distinguish between normal and signalling-heavy users so as to reduce the impact of storms while not needlessly punishing non-misbehaving users.

While we have focused on UMTS networks in this work, the RRC protocol is also employed in LTE networks, and any RRC related anomalies would have a more severe impact in LTE networks since they employ only two RRC states (connected and idle), and the mitigating effect of the long T3 timer used in the PCH state are non-existent in LTE networks.

Using the insights from the mathematical and simulation models, we developed two anomaly detection and mitigation algorithms based on cost functions that track the number of successive RRC state transitions that do not make use of the requested band- width. The detection algorithms utilise thresholds that can be adjusted dynamically according to the level of signalling overload in the network, allowing good compromise between false positives which negatively affect normal users, and the overall quality of service (QoS) improvement resulting from reducing signalling congestion. The mitigation mechanisms adaptively introduce artificial delays in the state transitions of misbehaving users so as to reduce the negative impact of signalling attacks and storms. Simulation experiments showed that although a small percentage of normal users may be misclassified as malicious, the average QoS in the network is significantly improved when our algorithms are activated. Based on these results, further simulation and experimental studies and interaction with standards committees are being performed in the context of NEMESYS in order to advance these ideas into a practical scheme that may be used to protect future-generation mobile networks from such signalling attacks or malfunctions.

D4.2 Anomaly detection based on real-time exploitation of billing systems

Download Report

Executive Summary

Mobile malware and mobile network attacks are becoming a significant threat that accompanies the increasing popularity of smart phones and tablets. Thus in this deliverable we propose two anomaly detection algorithms that use traffic measurements and billing meta(data) in order to identify malicious or misbehaving mobile devices. The first algorithm is based on measuring various quantities describing the activity of a user, applying different statistical methods to compute features that capture both instantaneous and long term changes in behaviour, and using a random neural network to fuse the information gathered from the individual features in order to detect anomalies in real-time. The second approach uses graph based descriptors to model billing records, where vertices in the graph represent users and services, while edges correspond to communication events. Anomaly detection is then performed by extracting features from the graph, and applying a supervised learning technique to discriminate between normal and anomalous users. The proposed methods are evaluated on two datasets from our mobile network simulator, representing threats that affect mobile users and networks.


The goal of the NEMESYS project is to develop a novel security framework for gathering and analysing information about the nature of cyber-attacks targeting mobile devices and networks, and to identify abnormal events and malicious network activity. Thus this deliverable described our proposed approaches to the analysis of network traffic and the development of anomaly detection algorithms, which combine modelling and learning from network measurements and billing (meta)data that are readily available to the mobile operator. In contrast to signalling based solutions, the algorithms presented in this deliverable do not require changes to network components and/or protocols, and can be deployed using standard traffic monitoring platforms.

We first presented an online anomaly detection approach based on the random neural
network (RNN) [28, 29]. Our method uses the notion of an observation window in which
summary statistics about the behaviour of a mobile user are collected and stored at fixed
time intervals (called slots) and used in order to calculate expressive features that can
capture both sudden and long term changes in the user's behaviour. The features for
the most recent time slot are subsequently fused using a trained RNN to produce the
final classification decision. Using our mobile network simulator, we have shown that
our technique is able to detect quickly users that are causing signalling overloads in the
network, without directly monitoring the control plane itself, and can even identify the
end of attacks.

OThe proposed RNN approach is exible, providing a number of parameters to optimise
the trade-off between detection speed, accuracy and overhead. For example, the size of
the observation window and the frequency of statistical measurements (i.e. number of
slots within the window) could be adjusted in real-time to respond to network conditions,
and to reflect the capacity of the network to tolerate a specific misbehaviour. Our
approach is also generic and can be applied to identify a variety of attacks targeting
both the mobile user and the network, which requires only the selection of appropriate
features and the adjustment of the algorithm's parameters. We concluded our evaluation
with a mathematical model that allows us to analyse and optimise the performance of the
signalling based detector of D4.1 [6], when used in conjunction with the RNN method;
the insights gained from the model will be utilised in the integration phase to improve
the overall detection performance of the NEMESYS solution.

Finally, we developed an anomaly detection algorithm which uses graph based descriptors to capture billing related activities in the network, where nodes in the graph
represent users and servers, and edges correspond to communication events. In this
method, graph traversal techniques are applied to create multiple graphs in each vertex
neighbourhood, from which features are extracted and used in order to train a random
forest classifier [15] to recognise anomalous graphs. The graph based approach has been
validated for the signalling storm dataset, and also for SMS spam data generated by our
simulator. The results indicate that the method is able to identify, with high accuracy
and precision, anomalous users in both datasets, thus providing a complementary approach
to the online RNN algorithm; the latter is activated and configured based on key
performance indicators to respond to an urgent condition, while the former can be executed
periodically to detect stealthy but non-critical malicious campaigns in the mobile
network. These algorithms will be further evaluated in the final phase of the project
using our mobile simulator and testbed.

D4.3 Anomaly detection within femtocell architectures

Download Report

Executive Summary

Recent studies showed that femtocells can be compromised and weaponized to attack the cellular networks. Further they argue that femtocell security architecture is vulner- able to these attacks. Hence for operators, it is necessary to detect such attacks and protect their infrastructure. In this report, first we survey different attacks in femtocell networks and propose a novel honeypot framework to detect them. Secondly we present anomaly detection algorithms and evaluate them in simulated mobile networks.


In this report we presented a survey of attacks in femtocell-enabled mobile communication networks. The goals of this report were to make a survey of such attacks and propose a framework to detect them using a honeypot architecture, and propose algorithms to detect anomalies in malicious femtocell network.

In this work we introduce Cellpot, a novel mechanism that enables threat intelligence
directly inside the cellular network. It consists of customized small cells, that are interconnected with a P2P network, and that are under control of the cellular operator
with a secure backchannel. Cellpot has the ability to deploy countermeasures against
detected threats, and enables a multitude of applications. Further it provides a platform for mobile network operators to deploy and run additional applications to reduce
signaling. The security of small cell firmware has been shown to be deficient. To ensure
Cellpot security, we present a software architecture that is applicable to future small cell
hardware and that succeeds in securing the core cellular network even if the firmware
has been compromised. Our modular architecture restricts certification and validation
to the firmware and allows for frequent updates to the honeypot software.

Finally we present a series of algorithms to detect abnormal events in femtocell network. Efficacy of these algorithms is tested in a simulated femtocell-based mobile network.

WP5: Root Cause Analysis of Attack Phenomena Targeting Mobile Devices

D5.1.2 Correlation Analysis and Abnormal Event Detection Module - Consolidated version

Download Report

D5.2.3 Interactive visual analytic exploration module - Consolidated version

Download Report

Executive Summary

This Deliverable presents the general visual analytics approach that has been developed within the NEMESYS project for the visualization and the interactive analytic exploration of the mobile network related information.

Provided that the mobile network related information is significantly large and multidimensional, the proposed visualization approaches scope to provide meaningful and efficient visual representations at specific time instances, but also to give semantically valuable overview of the network on larger periods of time, by simultaneously highlighting the suspicious activities. For instance, multiple coordinated views of multivariate graphs are used to help the procedure of network and threat monitoring, while they also enable the multifaceted perception of the data and the discovery of hidden patterns in it.

The proposed visualizations provide efficient approaches for the interactive exploration and monitoring of the network security status, and enable the analyst to take informed decisions about any mitigation actions that should be taken. The visualizations proposed herein are considered to have great potential to efficiently handle the aforementioned large amounts of information, useful for network monitoring and for interactive analysis of the network anomalies in near-real time.

Two interactive visualization techniques are utilized, for the visual representing of the activity of the users in the mobile network and the identification of clusters comprised of users with common behavior. In addition, an efficient smart magnification framework is introduced and applied as an interaction method to both visualization techniques. This framework enables the analyst to select parts of the display with high visual clutter and magnify. The goal is to reduce visual clutter, enhance parts of the display with high information content, and reveals hidden patterns in the data.


This deliverable presented the visualization methods developed for the exploration of billing related information. Specifically, two tools were presented, the k-partite graphs and the multi-objective visualization. The k-partite graphs provides the means necessary to visualize and explore CDR datasets using graph representations. Patterns in the CDR dataset are mapped onto the structure of the graph, in order to allow for their visual identification by the analyst. The utilization of force directed layouts allows for the emergence of visual clusters, and the positioning of similar nodes next to each other. The abstract graph representation and the filtering proposed, provides a solution to scalability issues and efficiently reduces the size of the graphs, while also preserving the important information. Graph matching techniques proposed in D5.1.1 are applied on the sequence of k-partite graphs, and through the MDS dimensionality reduction technique are visualized on the 2-dimensional plane. This procedure allows for the detection of specific graphs in the sequence that have distinctly different behavior from the rest, and thus provides the means for abnormal event detection. The multi-objective visualization combines various behavior descriptors extracted from the CDR data for each user, in order to provide visualizations in which the user behavior, either normal or malicious, can be grouped into distinct clusters. The combination of multiple descriptors leads to a clearer visualization of the user clusters, than using each descriptor separately. Using multiple descriptors is formulated as a multi-objective optimization problem, resulting in several solutions, which represent different trade-offs among the various descriptors. Through an interactive user interface, the operator is able to select among the various solutions, in order to view different aspects of the data and gain intuition about the dataset. The visualization magnification framework utilized in the context of this module allows for the reduction of visual clutter by magnifying significant regions at the expense of reducing the size of other less significant regions. This procedure reveals patterns which were previously hidden due to high cluttering, and enables the interactive exploration of the visualization results.

Each one of the proposed approaches were found to be very efficient in the analysis of network information, the detection of abnormal events, and their root cause analysis. Demonstration in CDR datasets illustrated their analytical potential.

D5.3.2 Attack attribution module

Download Report

Executive Summary

This deliverable presents the Attack Attribution module that has been developed within the NEMESYS project. This module provides methods that aim at the solution of the attack attribution problem, i.e. the identification of the root causes behind the observed anomalies and the discovery of the modus operandi of the cyber criminals.

In order to solve the attack attribution problem, all the methods presented in the context of WP4 and WP5 are combined into a common tool. Anomaly detection, correlation analysis and visualization methods are utilized in combination in order to enable the analyst to have a complete picture of the activity on the network, as well as the individual mobile devices. Combination of all these approaches enables the visual correlation of information from multiple sources. The analyst can identify anomalies, and focus on significant subsets of the data for further root cause analysis.

Two visualization techniques are presented in this deliverable, for the visual representation of the signaling activity of the users’ devices in the mobile network and the identification of clusters comprised of users with common behavior.

Moreover, with in this deliverable, the hypothesis formulation and visual validation module is presented, which enables the analyst to formulate attack related hypotheses, and validate or reject them, using visual correlation analysis.


This deliverable presented the attack attribution module developed in the context of WP5. The methods included in the attack attribution module aim to address the attack attribution problem, i.e. the discovery of the root causes behind the observed phenomena, and the identification of the methods of operation of malware. Multiple methods including anomaly detection (WP4), correlation analysis (T5.1), and visual analytics (T5.2 and T5.3) were combined into a common tool, in order to provide to the analyst the means necessary to solve the attack attribution problem.

An important component of the attack attribution module presented in this deliverable is the hypothesis formulation and visual validation module. This module enables the analyst to select a set of users and a related hypothesis, and validate or reject it by using visual correlation analysis of raw data and anomaly detection results. The visual correlation analysis takes place utilizing a coordinated view of all the visualization approaches presented in the context of WP5. Compared to D5.3, this deliverable has extended the hypothesis formulation and visual validation module by added four new and very important types of anomaly hypotheses. These hypothesis cover the most disruptive and costly attacks that can be observed in practice on mobile networks. It should also be noted that these new hypothesis, in combination with the original hypotheses presented in D5.3 can be used to cover the use case scenarios proposed by the project and formulated in WP1. It is also important to note that there might be specific flows of hypothesis (specified in the description of each hypothesis), as for example to firstly perform an anomaly detection, and afterwards perform a botnet behavior querry on the anomalous nodes.

Two additional visualization methods were presented in this deliverable, the Mobile Network Graph, and the multi-modal graph embedding. The Mobile Network Graph visualizes the distribution of the signaling messages on the mobile network, as well as the values of anomaly indicators at different time periods of network activity. This visualization enables the analyst to detect signaling related anomalies, as well as the the users responsible. The analyst can afterwards focus on a selected subset of data, and perform further analysis of CDR data for the identification of billing related anomalies. The multi-modal graph embedding method clusters the users according to their behaviors, and generates visualizations that illustrate their similarities. The generated clusters allow for the discrimination between normal and abnormal users, as well as the selection of subsets of users for hypothesis formulation and validation.

The efficiency of the attack attribution module in solving the attack attribution problem, and performing hypothesis formulation and visual validation was demonstrated on all the NEMESYS datasets.

WP7: Scenarios development, validation and evaluation

D7.1.2 Threat landscape identification – Consolidated version

Download Report

Executive Summary

This document aims at formulating the appropriate scenarios for validating the accuracy and the usefulness of the mobile honeypot (Honeydroid) and the corresponding malware detection module (LMD) in detecting and combating malware targeting Android mobile devices. The prototype, Honeydroid integrated with Lightweight Malware Detector, is evaluated against data accumulated in the test framework developed as part of Work Package 6. In addition, usability features of the prototype are evaluated by means of a user study with tens of participants. The end-goal of the evaluation is to identify, represent and explain the various threats that are likely to be due to a common root cause.


This deliverable presented an initial evaluation of device-side solutions developed in NEMESYS, namely the mobile honeypot and lightweight malware detector which have been integrated into a Honeydroid prototype. The evaluation has focused on two key areas considered necessary for the prototype to be useful in identifying the mobile threat landscape: (i) effectiveness in terms of accurately recognizing malware from goodware, the functionalities available to security analysts, and the reliability of the system and its communications; and (ii) usability such user-friendliness, responsiveness and battery drain.

The deliverable presented the test scenarios and methodologies, questionnaires and evaluation metrics that were designed to assess the performance of the prototype. Fol- lowing these principles, Honeydroid smartphones were distributed to more than 10 users, external to the project but from CERTH, COSMOTE and TIIT, who used the prototype and provided data and feedback over a span of few months.

Several refinements to the LMD algorithms have been implemented as a result of the data collected by the Honeydroid. The results indicate that, while the detection performance of Honeydroid can be further improved, the real utility of the device lies in providing data that, when used with information from other NEMESYS modules, will significantly improve the overall performance of the NEMESYS framework. The final evaluation of the NEMESYS framework will be presented in D7.4.2. The data collected from our deployment scenarios has also been analysed using the visual analytics module, providing interesting insights regarding the similarities and differences between malware and goodware.

Finally, the usability study presented in this report aimed mainly at identifying the most relevant challenges so that they can be addressed during the engineering phase of any later commercial exploitation of the prototype. Some minor deficiencies have been identified by the test users, which we consider to be minor since the feedback is based on the users’ experience of other commercial smartphones and not other mobile honeypots which do not exist in the market.

D7.2.2 Analysis of attacks against the core network infrastructure – Final version

Download Report

Executive Summary

This document presents an overview of the NEMESYS mobile network test-bed, and describes the test-bed experiments that were conducted in order to quantify the impact of attacks against the core network and the mobile users. The specification and design of the experiments were guided by the use cases identified in WP1 and also by a review of the common and important security threats that mobile networks face. This document also presents the results of the application of the anomaly detection algorithms and the visualization algorithms on the generated datasets. Finally, experimental findings from our experience in the testbeds are also presented in this deliverable.


The NEMESYS project is developing a complete suite of security tools to protect both mobile users and the mobile network against malware and other security threats.The validation and evaluation of these tools is performed in WP7 and involves experiments in a realistic mobile network test-bed and simulation studies.

This document presents the NEMESYS networking test-beds, which provide the basic functionalities of an operational mobile network. We have also conducted experiments on a real UK operational network that allowed us to test the feasibility of attacks on a real mobile environment. We have described and conducted a set of experiments on each test-bed and the real network, and as a result we acquired realistic data traces collected from real network components.

These data enable us to analyse the impact of control-plane attacks on the network and the feasibility of DoS attacks. One of the expected outcomes from these experiments is the identification of physical limitations that may throttle such DoS attacks, such as limitations due to the wireless medium and battery life described in this Deliverable. We plan to employ the results of these experiments in order to further develop accurate simulation models and to select the appropriate parameters in our simulation studies as part of WP7.

D7.3 Event-driven Simulation Experiments

Download Report

Executive Summary

This deliverable describes SECSIM, a software tool for modelling and simulation and for evaluating cybersecurity of mobile networks. The report describes the simulation models that have been developed for UMTS and LTE networks; normal user behaviour including web browsing, SMS, instant messaging, as well as mobility within macro and small cells; machine to machine communications; and attacks scenarios such as signalling overload, SMS spam and fraud, and compromised femtocells. We then present a graphical user interface for SECSIM that has been built as part of the NEMESYS control centre, allowing an operator to remotely run, configure and retrieve the results of simulations. Finally, we present experiments illustrating the different attacks scenarios supported by SECSIM, and how the produced datasets can be used to evaluate some of the solutions developed by NEMESYS.


In this deliverable, we presented a critical review of existing simulation platforms for wireless networks, showing that the available simulators are not sufficient for analysing the cybersecurity of mobile networks. This is due to the fact that wireless simulations have been traditionally used in order to evaluate aspects of the physical and lower protocol layers, yielding very accurate simulations at the cost of scalability. This led us to building simulation models on top of the modular OMET++ simulation platform which enables different abstraction levels for modelling to achieve a good trade-off between accuracy and performance. In our simulation models, we have focused on specific layers of the control plane that are vulnerable to signalling attacks, while at the same time accurately representing the data plane since it drives signalling events. The resulting simulator, SECSIM, has been used extensively to evaluate the anomaly detection and visualisation techniques developed in the NEMESYS project. Experiments to illustrate the developed simulation models and attack scenarios have been presented in this report, together with examples of how the generated datasets are analysed by some of the NEMESYS components. In future work, we will continue the development of SECSIM models, and investigate the utility of integrating accurate physical layer models such as the open-source library developed in ‎ [22].

WP8: Dissemination / Exploitation

D8.1.3 Final dissemination report

Download Report

Executive summary

This deliverable summarises the main dissemination activities undertaken by the NEMESYS consortium, and describes in detail the activities performed during the final reporting period which include the following:

  • Organisation of an industry workshop with the theme "Exploiting the NEMESYS technical outputs" in Berlin on 19-20 March 2015, and a number of one-on-one face-to-face meetings with teams from telecommunication vendors such as Huawei and Nokia and with external operators such as Orange and Deutsche Telekom.
  • Organisation of a special session on:
    • "Network Security" within the 30th Annual Symposium on Computer and Information Sciences (ISCIS '15), London, 23-25 September 2015.
    • "Security and Trust - from Mobile Networks to the IoT" within the EAI International Conference on CYber physiCaL systems, iOt and sensors Networks (Cyclone'15), Rome, 26 October 2015.
  • Publication of 14 conference papers and 5 journal articles, and submission of 4 additional journal papers.
  • Presentation of the project in numerous EU and International events on cybersecurity, including the Round Table "Digital Privacy: Citizens' Rights in the Light of New Technologies and Commercial needs" Co-organised by the European Commission's Joint Research Centre (JRC) and European Council of Academies of Applied Sciences, Technologies and Engineering (Euro-CASE), 28 January 2015, Berlaymont Building, European Commission, also a poster presentation and technical demonstrations at the Cybersecurity and Privacy (CSP) Innovation Forum, Brussels, 28-29 April 2015.
  • Submission of a document for discussion by Telecom Italia (on behalf of the project) to the 3GPP TSG Radio Access Network meeting.
  • Dissemination of NEMESYS news, activities and successes on the project website and the CSP Forum newsletter.
Summary and Conclusions

This report presented the main dissemination activities of the NEMESYS consortium throughout the project, emphasising the results of the final reporting period (M25-M33). This task has strongly contributed to the public awareness of NEMESYS among the academic community, standardisation bodies such as 3GPP, and the telecommunication and security industry sectors. The final phase of the project has seen a dramatic increase in the number of scientific publications, from 21 to 35 conference papers and from 1 to 5 accepted or published journal articles, in addition to 4 more journal submissions, which reflect the high quality of research and development work conducted within the project. NEMESYS partners have also increased their interactions with relevant European institutions, by participating in events organised by the CSP Forum, Joint Research Centre (JRC) and European Alliance for Innovation (EAI), with contributions that include oral and poster presentations, technical demonstrations and news items. The consortium has also continued to actively engage potential users of the project's results and other parties that may offer collaboration and exploitation opportunities, by organising a NEMESYS industry workshop, several meetings with telecommunication vendors, as well as seminars and discussions with mobile operators external to the project, by submitting a document for discussion to a 3GPP Radio Access Network meeting, which made 3GPP companies aware of the results achieved by NEMESYS, and by launching innovative online security services (first of which is based on the technologies developed by the project.

D8.2 NEMESYS Dissemination Material

Download Report

Executive Summary

This document presents the material produced for the dissemination of the NEMESYS project. This material consists of the NEMESYS public website, the NEMESYS logo, the NEMESYS leaflet, the NEMESYS private exchange and collaboration platform for consortium partners, and the official project templates (PowerPoint presentations, deliverables and reports).

It is strongly emphasized that this is an ongoing document that is being evolved along with the project progress and will be regularly updated to reflect up-to-date information.

Summary and Conclusions

This deliverable presented the work that has been accomplished during the first three months of the Project regarding the production of the material that will be utilised for the dissemination of the project results, both internally and externally. This material includes the NEMESYS public web site, which informs the general public about the objectives, activities, progress and results of the Project, the NEMESYS logo, which was selected to symbolise the scope of the Project, the NEMESYS leaflet, which will be distributed in main events and will serve the purpose of informing the general public about the objectives, the basic architecture and the partners of NEMESYS, and the document and presentation templates, which will be used by the project partners for reporting and presenting results.

The produced dissemination material will help making the project research and practical outcomes as widely disseminated as possible to the appropriate targeted communities.

It should be pointed out, however, that this is an ongoing document that will be evolved along with the project progress, by means of regular updates, to reflect up- to-date information.

D8.4.2 Business development model

Download Report

Executive Summary

The present document is an initial version of the second deliverable of Task 8.3, “D8.4 - Business development model”, and contains the exploitation plans from each partner and a first draft of the business models proposed for the solutions developed by the NEMESYS project. The final version of deliverable 8.4 is scheduled at the end of the project (Month 36).

After the market assessment performed in D8.3, where the mobile security market was analysed and the opportunities and barriers were identified, together with the market segments and strategies, this first version of D8.4 describes the partners’ intentions towards exploiting the project results to support their own business or activities, as laid down in the project’s Description of Work. The document also illustrates several business models for the solutions that, in our opinion, have reached a maturity level that enables them to be proposed on the mobile security market.

Deliverables D8.3 and D8.4 follow a guiding thread of questions and answers, where the leading questions are: What are the NEMESYS exploitable results? Where can NEMESYS exploit such results (i.e., what are the identified target markets and/or the security gaps that can be fill in)? How and possibly when is NEMESYS going to exploit these results? The answers to the previous questions lead to the definition of the NEMESYS exploitation’s strategy. The definition of the “what” (Deliverable 8.3) is essential and it includes the assets and the results expected to be generated by the NEMESYS project. The definition of the target markets (but also of the MNO partners’ security needs) is also crucial due to the fact that NEMESYS offers solutions that can be used in several different vertical markets, each one with its own domain characteristics and dynamics. Timing and modalities of the overall exploitation activities are finally also a fundamental aspect WP8 has been looking into, so as to ensure proper and effective implementation of exploitation plans.

After having answered to the questions at a context level in deliverable 8.3, this report goes on describing the exploitation strategy in terms of different possible models of exploitation, stakeholders, assets, competitors, key success factors, and actions identified for an effective exploitation of NEMESYS.

Conclusions and future plans

This report summarised the activities related to the exploitation and business model creation undertaken by NEMESYS partners during the second two years of the project. The main activities were to: identify the project results that can be exploited, formulate proposals for their possible exploitation (where the exploitation is looked at from all perspective: internal deployment of acquired knowhow, proposals to standardization bodies, free exploitation, commercial exploitation, etc.) and create plausible/possible business models. This does not necessarily signify that the proposing organizations are actually engaging in selling these products on the mobile security market.

The business building blocks have been presented and analysed relevant to five technologies developed in the NEMESYS project.

The main conclusions can be summed up in these key propositions:

  • Mobile security market is quick and in continuous growth due to the evolution of mobile threats which increase in both figures and sophistication, the expansion of mobile device market and the wide increase in mobile service offering.
  • The proposed technologies have different levels of maturity, ranging from near market-ready to research prototypes. This makes only some of them ready for a possible adoption in a real business context.
  • An in depth research on macroeconomic elements that may influence the business models is needed for the mature technologies in order to compare the value that can really be created in the selected market segments with the sustainability of the business itself.
  • Our market analysis shows that segments exists where the market is not mature yet and where the users are beginning to grow security awareness, this fact makes our technologies appealing for further investigation and exploitation.

Last Update: 05/01/2016 19:24