IEEE TRANSACTIONS ON EMERGING TOPICS IN COMPUTING, VOL. XX, NO. X, MONTH 2015 1

Modeling and Analysis of RRC-Based Signalling Storms in 3G Networks
Gokce Gorbil, Omer H. Abdelrahman, Member, IEEE, Mihajlo Pavloski and Erol Gelenbe, Fellow, IEEE

Abstract—Mobile networks are vulnerable to signalling attacks and storms that are caused by traffic patterns that overload the control plane, and differ from distributed denial of service (DDoS) attacks in the Internet since they directly affect the control plane, and also reserve wireless bandwidth and network resources without actually using them. Such storms can result from malware and mobile botnets, as well as from poorly designed applications, and can cause service outages in 3G and 4G networks which have been experienced by mobile operators. Since the radio resource control (RRC) protocol in 3G and 4G networks is particularly susceptible to such storms, we analyze their effect with a mathematical model that helps to predict the congestion that is caused by a storm. A detailed simulation model of a mobile network is used to better understand the temporal dynamics of user behavior and signalling in the network and to show how RRC-based signalling attacks and storms cause significant problems in both the control and user planes of the network. Our analysis also serves to identify how storms can be detected, and to propose how system parameters can be chosen to mitigate their effect.

Index Terms—Network Attacks, Malware, App Malfunctions, UMTS Networks, 3G, 4G, Radio Resource Control, Signalling Overload, Performance Analysis, Simulation

1 INTRODUCTION

SMART DEVICES have not gone unnoticed by cyber-criminals, who have started to target mobile platforms [1,2], and mobile subscribers and mobile network operators (MNOs) face new security challenges [3], including the identification and mitigation of signalling attacks and storms, which overload the control plane through traffic that causes excessive signalling in the network. The susceptibility of mobile networks to such attacks has been identified [4]–[9], and they have now become a reality that MNOs have to face regularly due to side effects of mobile malware, subscribers with high frequency communication sessions [10], poorly designed mobile applications [11,12] and unwanted traffic from Internet hosts outside the mobile network [13,14].

G. Gorbil, O.H. Abdelrahman, M. Pavloski and E. Gelenbe are with the Department of Electrical and Electronic Engineering, Imperial College, London, UK, SW7 2AZ, e-mail: {g.gorbil, o.abd06, m.pavloski13, e.gelenbe}@imperial.ac.uk
Manuscript received September 1, 2014; revised December 7, 2014. Accepted for publication December 30, 2014.
© 2015 IEEE. Personal use of this material is permitted. However, permission to use this material for any other purposes must be obtained from the IEEE by sending a request to [email protected].

While malware and network attacks are common in the Internet, they have not been prevalent in mobile networks until recent times. However, they are quickly becoming a major security concern due to the advent of smart mobile devices and the increasing capacity and use of mobile networks for Internet access [15,16]. The increasing number of mobile malware and infected devices, together with changing mobile access patterns of users, can create signalling anomalies and overloads, either due to deliberate malicious activity or as a side-effect. Thus signalling attacks and storms are indeed an emerging cyber-security threat in mobile networks, which are a major component of our cyber infrastructure. Smart mobile devices are also increasingly used in emergency management systems, especially in urban environments [17]–[19]. Thus they are likely to be targeted in conjunction with other physical or cyber attacks in order to further compromise the safety and confidentiality of civilians and emergency responders [20,21].

MNOs have a strong incentive to safeguard mobile users from service outages and degradations due to signalling attacks and storms, and to protect their mobile network infrastructure, market reputation and revenue [3,22]. It is therefore important to identify how signalling storms are generated, analyze their effect on network performance, and develop detection and mitigation methods in this new and dynamic playground of smart devices and new generation mobile networks centered around data services. Looking to the future, we can expect that UMTS and LTE networks will also support large-scale machine-to-machine communications [23] where no human is in the loop to identify and remediate an apparent storm. In the first instance, UMTS will have to be secured against such storms, and LTE should increasingly become an object of study for the detection and mitigation of signalling storms and attacks [24]–[26].

In our previous work [27], we identified the radio resource control (RRC) protocol of UMTS and LTE networks [28,29] to be particularly susceptible to creating signalling attacks and storms. In [27], we developed a probability model [30] of signalling state transitions for a single UMTS user, from which we derived analytical results regarding the user's behavior when her device generates user traffic that causes a signalling storm and the impact it has on the network. In the work presented here, we expand upon our earlier work and improve our mathematical model by introducing the effect of congestion in the control plane.

0000–0000/00$00.00 © 2015 IEEE

We also design and develop a mobile network simulator that is significantly more complex and realistic than our mathematical model, and present results from large-scale simulation experiments that enable us to better understand the temporal dynamics of user behavior and signalling, and to validate our analytical results. Based on the insights that we gain, we discuss how certain network parameters can help to mitigate against signalling storms, and how signalling storms can be detected.

2 SIGNALLING ATTACKS AND STORMS

Signalling attacks are caused by traffic patterns that generate excessive signalling in the control plane of mobile networks, and can be launched easily, without modification or compromise of the radio or networking stack of mobile devices, by generating low volumes of carefully timed user plane traffic. Signalling attacks are in essence distributed denial-of-service (DDoS) attacks [31], but they differ from DDoS attacks in the Internet since they directly target the control plane of mobile networks without necessarily generating a high traffic volume in the user plane. RRC-based signalling attacks are further troublesome since they reserve radio resources without actually using them, thereby wasting radio resources.

In this paper, we assume that signalling attacks are due to deliberate malicious activity that aims to disrupt mobile services, as opposed to signalling storms, which are discussed below. While we are not aware of any deliberate signalling attacks in operational mobile networks up to now, we should not carelessly dismiss the potential for such attacks since all the ingredients for their realization are already available. For example, the mobile world witnessed its first botnet in 2012 [32], which can be leveraged to launch different types of signalling attacks [33], in addition to other types of malicious activities [34]. Furthermore, there are methods available to an attacker that can be used to improve the efficiency of the attack. For example, the attacker can actively probe the network in order to infer the network's parameters [35]–[37], and also identify IP addresses at specific locations within the network [38]. Indeed, a review of 180 MNOs showed that 51% of them allow mobile devices to be probed from the Internet, by either assigning them public IP addresses, allowing IP spoofing, or permitting mobile-to-mobile probing within the network [38,39]. Similar attacks can also be launched via compromised femtocells [40], which can further be used to infect other femtocells via Internet-based connections not controlled by the MNO, and thus increase the intensity of the attack.

Signalling storms are similar to signalling attacks, but they are mainly due to poorly designed or misbehaving mobile applications that frequently establish and tear down data connections in order to transfer small amounts of data. Many mobile applications are designed and developed by software companies who mainly have an Internet background and thus are not familiar with the control plane of mobile networks. They therefore assume that connectivity is a given and design their applications without taking into account the specifics of mobile networks. This phenomenon was studied early in [41], where a small number of mobile devices were observed to generate a disproportionately high number of PDP context activations and deactivations due to poorly designed application layer software. A good recent example that shows that this trend is still continuing despite earlier work is the case of an Android VoIP application popular in Japan, which used frequent keep-alive messages even when the users were idle, causing a signalling overload and a major outage in the mobile network [42]. In a similar incident, the launch of the free version of the Angry Birds application on Android caused excessive signalling load due to the frequent communications generated by the in-game advertisements [43]. Such problems have prompted the mobile network industry to promote best practices for developing network-friendly applications [11,12].

Unexpected events in the Internet may also cause signalling storms in mobile networks. For example, an important feature of smartphones is the ability to receive push notifications from cloud services in order to notify the user of an incoming message or VoIP call, which is enabled by having the mobile device send periodic keep-alive messages to a cloud server, typically with a period of five minutes. If the cloud service becomes unavailable, then the mobile device may use a much shorter period, generating significantly higher signalling load. Such incidents have been reported and analyzed in [44] and [45] with outages in Skype and Google's cloud service, respectively.

Signalling storms could also result as a side effect of large-scale malware infections which target the user rather than the network, but generate excessive signalling as a by-product of malicious activity. Examples of malware that would cause signalling storms if many users are infected are SMS/email spammers, adware, premium service abusers and bot clients. All of these generate frequent but small amounts of data, requiring repeated signalling to allocate and deallocate radio channels and other resources, and therefore have a negative impact on the control plane of the network. Unfortunately, such malware are among the top threats currently encountered on smart devices [1,46,47].

Recent incidents such as the ones described here show that the threat of signalling attacks and storms is very real and that they have the potential to cause major outages in mobile networks. Unlike flash crowds, which last for a short time during special occasions such as New Year's Eve, signalling attacks and storms are unpredictable and they persist until the underlying problem is identified and resolved by the MNO. Considering their impact on the availability and security of mobile networks, it is evident that MNOs have a strong incentive to safeguard their users from malware and to proactively detect and mitigate signalling attacks and storms in order to protect their infrastructure and services. Although in principle some of these attacks can be mitigated by smart routing [48] inside the core network, such facilities are currently not available. We also believe that as MNOs progressively take on the role of Internet service provider with 4G networks, we will witness signalling-based DDoS attacks in mobile networks more frequently, and therefore we should be proactive in their analysis and mitigation.

[Fig. 1: block diagram. Radio access network (RAN): UE, Node B, RNC. Core network (CN): SGSN, GGSN and HSS, with the CN connected to the Internet.]

Fig. 1. The basic architecture of a UMTS network. The user equipment (UEs), e.g., smartphones, are connected to the mobile network via the base stations (Node-Bs), which maintain the radio channels with the UEs. The radio network controller (RNC) manages the radio resources and the Node-Bs in the access network.

3 THE RADIO RESOURCE CONTROL PROTOCOL

In UMTS networks, the radio resource control (RRC) protocol is used to manage resources in the radio access network (RAN) [28]. It operates between the UMTS terminals, i.e., the user equipment (UE), and the radio network controller (RNC). Figure 1 shows the basic architecture of a UMTS network, depicting the RAN and the core network (CN) elements comprising the packet-switched domain of the mobile network. The RNC is the switching and controlling network element in the RAN, and performs radio resource management (RRM) functions in order to guarantee the stability of the radio path and the QoS of radio connections by efficient sharing and management of radio resources. The RRC protocol is utilized for all RRM-related control functions such as the setup, configuration, maintenance and release of radio bearers between the UE and the RNC. The RRC protocol also carries all non-access stratum signalling between the UE and the CN.

In order to manage the radio resources, the RRC protocol associates a state machine with each UE, which is kept synchronized at the UE and the RNC via RRC signalling messages. The RNC controls the transitions between the RRC states based on information it receives from the UEs and the Node-Bs on available radio resources, conditions of the currently used radio bearers, and requests for communication activity. As shown in Fig. 2, there are typically four RRC states, given in order of increasing energy consumption and data rate: idle, cell-PCH, cell-FACH and cell-DCH. In the rest of this paper, we refer to state cell-X simply as X. Whenever the UE is not in the idle state, it is in connected mode and has a signalling connection with the RNC. In connected mode, the location of the UE is known by the RNC at the level of a single cell, which is maintained by cell updates sent by the UE either periodically or when it changes cells. We describe the RRC states in more detail below.

Idle: This is the initial state when the UE is turned on. In this state, the UE does not have a signalling connection with the RNC, and therefore the RNC does not know the location of the UE. Its location is known by the CN at the accuracy of the location area or routing area, which is based on the latest mobility signalling the UE performed with the CN. Any downlink activity destined for a UE in idle mode will require paging in order to locate the UE at the cell level. Since the UE does not have an RNC connection, it cannot send any signalling or data until an RNC connection has been established.

[Fig. 2: state diagram Idle, PCH, FACH, DCH with the number of RAN signalling messages per transition (the r_xy of Table 1). UE energy consumption relative to Idle: DCH 100x, FACH 40x, PCH 2x, Idle 1 (norm). Maximum data rate: DCH ~10 Mbps, FACH ~10 kbps, PCH 0, Idle 0.]

Fig. 2. RRC states in UMTS. The figure on the left shows the typical number of signalling messages exchanged within the RAN for each transition. The other figures show the approximate energy consumption and maximum data rate at the UE.

FACH: The UE is in connected mode, and the radio connection between the UE and the RNC uses only common channels which allow low-rate data transmission.

DCH: The UE is in connected mode, and the radio connection uses resources dedicated to the UE. While in DCH, the UE may use shared channels, dedicated channels or both. The data rate of the connection is significantly higher than in the FACH state, but energy use is also higher.

PCH: This is a low-energy state that allows the UE to maintain its RNC connection and thus stay in connected mode, but it cannot send or receive any traffic while in this state. While in PCH, the UE listens to paging occasions on the paging channel. This state is optional and it can be enabled or disabled by the MNO according to their policies. Although the PCH state is a low-energy state, the UE still consumes more power than in the idle state. Therefore, some MNOs choose to disable the PCH state in order to allow the UE to return to idle mode quickly and thus reduce its energy consumption. We will investigate the effect of the PCH state on signalling load in Sec. 7.

State demotions from a higher to a lower state, e.g., DCH→FACH, occur based on radio bearer inactivity timers at the RNC. The exact order of state demotions is dependent on MNO policy, but a progression as shown in Fig. 2 is common, although some MNOs skip the FACH and/or PCH states. State promotions from the idle and PCH states occur depending on uplink and downlink activity. For example, when the UE has uplink data to send, it sends an RNC connection request if in idle, or a cell update if in PCH, to the RNC in order to move to a state where it can send and receive data. Whether the UE is promoted to the FACH or DCH state is dependent on MNO policy. A FACH→DCH transition is performed based on buffer occupancy of the uplink and downlink radio links as observed by the RNC.

Table 1 summarizes when RRC state transitions occur and the number of signalling messages exchanged to effect each transition. In our simulations, we assume the RRC state progression given in Fig. 2; whether the UE goes from FACH to PCH, or to idle, depends on whether the PCH state is enabled. For an x → y transition, we use r_xy and c_xy to denote the number of signalling messages exchanged within the RAN and between the RAN and the CN, respectively.

TABLE 1
RRC state transitions, number of signalling messages exchanged, and related parameters

Transition   Triggering event                                        r_xy   c_xy
Idle→FACH    Uplink or downlink traffic                               15     5
PCH→FACH     Uplink or downlink traffic                                3     -
FACH→DCH     Radio link buffer threshold (Θ) reached, Θ = 1500 B       7     -
DCH→FACH     Expiry of inactivity timer T1 = 6 s                       5     -
FACH→Idle    Expiry of inactivity timer T2 = 12 s, PCH disabled        5     3
FACH→PCH     Expiry of inactivity timer T2 = 4 s, PCH enabled          3     -
PCH→Idle     Expiry of inactivity timer T3 = 20 min, PCH enabled       6     3

The RRC protocol was designed to manage the limited radio resources among multiple UEs and to decrease energy use at the UE. It is therefore biased towards demoting the UE to a lower state as soon as possible, especially if the UE is in the DCH or FACH state. Indeed, as the number of smartphones accessing UMTS networks has increased, the industry has introduced improvements and changes in order to get more data rate out of limited radio resources, such as HSDPA and HSUPA, and to improve the energy use of smartphones. For example, fast dormancy enables the UE to indicate to the RNC when it has no more uplink data to send, for a speedier demotion to the PCH or idle state. In addition, some MNOs choose to disable the PCH state in order to allow the UE to return to idle mode quickly and thus reduce its energy consumption. As we will discuss in Sec. 7, this tendency to perform hasty RRC demotions results in excessive signalling load in the mobile network, especially in the case of signalling attacks and storms.

The RNC will customarily release radio resources for a UE soon after activity ceases in its channel, making those resources available for other UEs. Thus, it uses short inactivity timers, which are of the order of 2–10 seconds (Table 1). These short timers make the RRC protocol susceptible to signalling attacks: an attacker that approximately determines the values of the T1 and T2 timers can time each small burst to arrive just after the demotion that the previous one triggered, so that a negligible amount of user-plane traffic repeatedly incurs the full promotion and demotion signalling, and can then launch a devastating attack from a relatively small number of compromised UEs, as we discuss in Sec. 7. In addition, when combined with the chatty nature of many mobile applications and with emerging mobile trends such as buffering streaming traffic in order to save device energy [49], the tendency to deallocate radio channels quickly necessarily leads to increased RRC signalling in order to reconfigure or set up channels that were released a short time ago, rendering the mobile network vulnerable to RRC-based signalling storms.
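The cost of these timers can be made concrete with a small model of the RRC state machine. The Python script below is an added example, not the authors' simulator: it implements the demotion chain of Fig. 2 with the Table 1 timers (T1 = 6 s, T2 = 4 s, T3 = 20 min, PCH enabled), the buffer threshold Θ = 1500 B and the per-transition message counts r_xy and c_xy, and counts the RAN and CN signalling that a list of uplink bursts costs. The traces, the class and function names (RrcUe, signalling_cost, bursts) and the 0.5 s margin added to the timers are all constructed for the example.

```python
from dataclasses import dataclass, field

# RRC parameters taken from Table 1 (PCH enabled): inactivity timers in
# seconds and the FACH->DCH radio link buffer threshold in bytes.
T1, T2, T3 = 6.0, 4.0, 20 * 60.0
THETA = 1500

# (RAN messages r_xy, CN messages c_xy) per transition, from Table 1.
MSGS = {
    ("Idle", "FACH"): (15, 5),
    ("PCH", "FACH"): (3, 0),
    ("FACH", "DCH"): (7, 0),
    ("DCH", "FACH"): (5, 0),
    ("FACH", "PCH"): (3, 0),
    ("PCH", "Idle"): (6, 3),
}
# Demotion chain of Fig. 2: state -> (inactivity timer, next lower state).
DEMOTIONS = {"DCH": (T1, "FACH"), "FACH": (T2, "PCH"), "PCH": (T3, "Idle")}


@dataclass
class RrcUe:
    """One UE's RRC state as seen by the RNC, plus the signalling it has cost."""
    state: str = "Idle"
    last_activity: float = 0.0     # last data activity or last state change
    ran_msgs: int = 0
    cn_msgs: int = 0
    log: list = field(default_factory=list)

    def _move(self, to, t):
        r, c = MSGS[(self.state, to)]
        self.ran_msgs += r
        self.cn_msgs += c
        self.log.append((round(t, 3), self.state, to))
        self.state, self.last_activity = to, t

    def expire_timers(self, now):
        """RNC-side demotions for every inactivity timer that ran out before `now`."""
        while self.state in DEMOTIONS:
            timer, lower = DEMOTIONS[self.state]
            if now - self.last_activity < timer:
                return
            self._move(lower, self.last_activity + timer)

    def send(self, t, nbytes):
        """The UE has `nbytes` of uplink data to send at time t."""
        self.expire_timers(t)
        if self.state in ("Idle", "PCH"):           # any traffic promotes to FACH
            self._move("FACH", t)
        if self.state == "FACH" and nbytes >= THETA:  # buffer threshold reached
            self._move("DCH", t)
        self.last_activity = t                      # data activity resets the timer


def signalling_cost(trace):
    """Return (RAN messages, CN messages) for a list of (time, bytes) uplink
    bursts, including the demotions back to Idle after the trace ends."""
    ue = RrcUe()
    for t, nbytes in trace:
        ue.send(t, nbytes)
    ue.expire_timers(trace[-1][0] + T1 + T2 + T3 + 1)
    return ue.ran_msgs, ue.cn_msgs


def bursts(n, nbytes, period):
    """Constructed trace: n bursts of nbytes, one every `period` seconds."""
    return [(k * period, nbytes) for k in range(n)]


if __name__ == "__main__":
    # The same 150 kB three ways: one DCH session, 100 bursts kept inside the
    # DCH timer, and 100 bursts each timed to land just after the FACH->PCH demotion.
    for name, trace in [("one session", [(0.0, 150_000)]),
                        ("1500 B every 1 s", bursts(100, 1500, 1.0)),
                        ("1500 B every T1+T2+0.5 s", bursts(100, 1500, T1 + T2 + 0.5))]:
        ran, cn = signalling_cost(trace)
        print(f"{name:26s} RAN={ran:5d} CN={cn}")
```

The three traces carry the same 150 kB. One session, or 100 bursts sent every second, keep the UE in DCH and cost 36 RAN messages in total, including the demotions back to idle. The same 100 bursts spaced T1 + T2 + 0.5 s apart, each arriving shortly after the FACH→PCH demotion, cost 1818 RAN messages for no extra user-plane data, and 100-byte bursts spaced T2 + 0.5 s apart cost 618 while moving only 10 kB. That spacing is exactly what an attacker who has inferred T1 and T2 would choose, and the script is a convenient way to check what a candidate timer setting does to such a pattern.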

We thus focus on the RRC protocol in order to better understand its signalling behavior, and investigate under which conditions signalling load becomes excessive. In the next section, we present a mathematical model of the signalling behavior of a single UE that includes congestion effects in the control plane, and later derive analytical results from it. Section 5 describes our simulation model of UMTS networks. In Sec. 6, we describe our experimental setup, and discuss our findings on the effect of signalling attacks targeting the RRC protocol in Sec. 7. We discuss related work in Sec. 8 and present a summary of our findings and future work in Sec. 9.

4 MODELING SIGNALLING BEHAVIOR OF THE UE

Analytical models [50] are a useful way to gain insight into the main performance interactions within a telecommunications system. Thus we will first review the work in [27] for a single UE's signalling behavior, which focuses on the potential of causing signalling storms. We then extend the analysis to include the effect of congestion, which limits the signalling load that a set of misbehaving UEs can impose on the network during a storm.

Consider a UE which generates both normal and malicious connections, and suppose that its RRC state machine is described by Fig. 2. We will represent the state evolution of the UE by a Markov model, presented in Fig. 3, whereby future behavior (residual time in the current state and the next state) depends only on the current state and not on past behavior. Our motivation behind the choice of this modelling approach is that it provides a balance between capturing the interactions between user traffic and the RRC protocol and maintaining analytical tractability, and it can also be extended to a population of users without much technical difficulty. Let $\lambda_L$ and $\lambda_H$ be the rates at which low and high data rate connections are normally made, and $\mu_L$ and $\mu_H$ be the rates at which these connections terminate. High bandwidth connections include video streaming, web browsing, VoIP and voice calls, while low bandwidth connections represent small data transfers such as keep-alive messages and location updates. We denote by $F_L$ the state when the UE is using the bandwidth of FACH, and by $D_L$ and $D_H$ the states when low and high rate requests are handled while the UE is in DCH. Since the amount of traffic exchanged in states $F_L$ and $D_L$ is usually very small, we assume that their durations are independent but stochastically identical. At the end of normal usage, the UE transitions from $F_L$ to $F_0$ or from $\{D_H, D_L\}$ to $D_0$, where $F_0$ and $D_0$ are, respectively, the states when the UE is inactive in FACH and DCH, and before the timers $T_2$ and $T_1$ expire. If the UE does not start a new session for some time, it will be demoted from $D_0$ to $F_0$, and from $F_0$ to $P$, and will then return from $P$ to $I$ (i.e., PCH→Idle) when inactivity timer $T_3$ expires. Since the UE is not able to communicate in $P$, the transition $P \to I$ is performed by having the UE first move to FACH, release all signalling connections, and finally move to $I$.

The attacking or misbehaving connections falsely cause unnecessary up-transitions while the user does not really need to move to a bandwidth-using state ($F_L$, $D_L$ or $D_H$), and therefore the UE is soon demoted to a lower state due to inactivity, unless the user starts a new data session before the timeout. Consequently, the attack results in the usage of network resources both through the computation, state transitions and exchange of control messages that occur for session handling, and through bandwidth reservation that remains unutilised.

To perform a signalling attack, the attacker would need to infer the radio network configuration parameters (i.e., the $T_i$ timers and the radio link buffer threshold $\Theta$), and also monitor the user's activity in order to estimate when a transition occurs so as to trigger a new one immediately afterwards. Naturally there will be an error between the actual transition time and the estimated one, and we denote the expected value of the difference between the two time instants by $\tau_L$ and $\tau_H$ for malicious transitions to FACH and DCH, respectively. In a similar manner, if the storm is caused by a misbehaving mobile application, then $\tau_L$, $\tau_H$ represent the level of synchronization between the misbehaving traffic bursts and the UE's state changes; for instance $\tau_H = 0$ indicates the extreme case where a high data rate burst is sent immediately after a demotion from DCH.

[Fig. 3: state diagram. Main RRC states Idle ($I$), cell_PCH ($P$), cell_FACH ($F_0$, $F_L$) and cell_DCH ($D_0$, $D_L$, $D_H$); intermediate states $S_{ID}$, $S_{IF}$, $S_{PD}$, $S_{PF}$, $S_{PI}$, $S_{FD}$, $S_{FP}$, $S_{FI}$, $S_{DF}$ with completion rates $\sigma_{xy}$; up-transition rates $\lambda_L$, $\lambda_H$, $\tau_L^{-1}$, $\tau_H^{-1}$; session termination rates $\mu_L$, $\mu_H$; timeout rates $T_1^{-1}$, $T_2^{-1}$, $T_3^{-1}$.]

Fig. 3. Markov model of the signalling behavior of the UE. Up-transitions are caused by either low data rate (L) or high data rate (H) traffic, while down-transitions are due to timeouts. The model includes the main RRC states, shown as rounded rectangles, as well as intermediate states, shown as circles, some of which represent states where the UE is waiting for a response to a state transition request. The continuous and broken circles represent intermediate states due to normal and malicious traffic, respectively.

Let $\sigma_{xy}^{-1}$ be the average time needed to establish and/or release network resources during state promotion or demotion $x \to y$, and $S_{xy}$ be the corresponding state when the UE is waiting in state $x$ for the transition to complete. Note that this overhead is incurred only when the UE moves from one RRC state to another, while changes within the same RRC state (e.g., from inactive to active) occur instantaneously and are seamless to the UE. Denote by $\pi_x$ the stationary probability that the UE is in state $x$, and let $\Lambda_H = \lambda_H + \tau_H^{-1}$, $\Lambda_L = \lambda_L + \tau_L^{-1}$; then the state transition model can be described by a set of linear equations:

$$
\begin{aligned}
\pi_I\,[\Lambda_H + \Lambda_L] &= \pi_P\,T_3^{-1}, \\
\pi_P\,[\Lambda_H + \Lambda_L + T_3^{-1}] &= \pi_{F0}\,T_2^{-1}, \\
\pi_{F0}\,[\Lambda_H + \lambda_L + T_2^{-1}] &= \pi_{FL}\,\mu_L + \pi_{D0}\,T_1^{-1}, \\
\pi_{FL}\,[\Lambda_H + \mu_L] &= [\pi_I + \pi_P + \pi_{F0}]\,\lambda_L, \\
\pi_{D0}\,[\lambda_H + \lambda_L + T_1^{-1}] &= \pi_{DH}\,\mu_H + \pi_{DL}\,\mu_L, \\
\pi_{DL}\,[\lambda_H + \mu_L] &= \pi_{D0}\,\lambda_L + \pi_{FL}\,\tau_H^{-1}, \\
\pi_{DH}\,\mu_H &= \sum_{x \in \{I,P,F0,FL,D0,DL\}} \pi_x\,\lambda_H . \qquad (1)
\end{aligned}
$$

The left hand side of (1) represents the steady-state probability of a state $x$ times the total rate of moving out of the state, while the right hand side is the sum of the probabilities of the states from which one can move into $x$, each multiplied by the corresponding transition rate. Similar balance equations can be written for the intermediate states $S_{xy}$, e.g. $\pi_{S_{ID}^{H}}\,\sigma_{ID} = \pi_I\,\lambda_H$, allowing us to express the normalisation condition $1 = \sum_{x,y \in \{I,P,F0,FL,D0,DL,DH\}} \big(\pi_x + \pi_{S_{xy}}\big)$ as:

$$
\begin{aligned}
1 = {} & \underbrace{\pi_I\,[1 + \Lambda_H\sigma_{ID} + \Lambda_L\sigma_{IF}]}_{\Pr[\text{user in Idle}]} \\
& + \underbrace{\pi_P\,[1 + \Lambda_H\sigma_{PD} + \Lambda_L\sigma_{PF} + T_3^{-1}\sigma_{PF}}_{\Pr[\text{user in PCH}]} + T_3^{-1}\sigma_{FI}] \\
& + \pi_{F0}\,[1 + \Lambda_H\sigma_{FD} + T_2^{-1}\sigma_{FP}] + \pi_{FL}\,[1 + \Lambda_H\sigma_{FD}] \\
& + \underbrace{\pi_{D0}\,[1 + T_1^{-1}\sigma_{DF}] + \pi_{DL} + \pi_{DH}}_{\Pr[\text{user in DCH}]} . \qquad (2)
\end{aligned}
$$

The average signalling load (msg/s) on the RNC generated by the UE due to both normal and malicious traffic is then:

$$
\begin{aligned}
\gamma_r = {} & \pi_I\,[\Lambda_L r_{IF} + \Lambda_H r_{ID}] + \pi_P\,[\Lambda_L r_{PF} + \Lambda_H r_{PD}] + [\pi_{F0} + \pi_{FL}]\,\Lambda_H r_{FD} + \pi_{D0}\,T_1^{-1} r_{DF} \\
& + \pi_{F0}\,T_2^{-1}\,[r_{FP}\,\mathbf{1}_{F\to P} + r_{FI}\,\mathbf{1}_{F\to I}] + \pi_P\,T_3^{-1}\,r_{PI}\,\mathbf{1}_{F\to P}, \qquad (3)
\end{aligned}
$$

where the characteristic function $\mathbf{1}_{x\to y}$ takes the value 1 if the transition $x \to y$ is enabled and 0 otherwise. The UE also generates signalling with the CN whenever it moves to/from the Idle state, leading to an average signalling load on the SGSN given by:

$$
\gamma_c = \pi_I\,[\Lambda_L c_{IF} + \Lambda_H c_{ID}] + \pi_{F0}\,T_2^{-1}\,c_{FI}\,\mathbf{1}_{F\to I} + \pi_P\,T_3^{-1}\,c_{PI}\,\mathbf{1}_{F\to P}. \qquad (4)
$$
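The following is an added worked example, not code from the paper: it builds the continuous-time Markov chain behind (1) over the states I, P, F0, FL, D0, DL, DH, solves for the stationary distribution in pure Python, and assembles the RNC and SGSN loads exactly as (3) and (4) do, as a sum over transitions of (probability of the source state) × (rate) × (messages per transition). Two points are assumptions of this example rather than statements of the paper: the message counts r_xy and c_xy and the rates/timers are illustrative placeholders (the paper takes its values from its Table 1), and where (1) does not say where a malicious burst lands, the example assumes a malicious low-rate burst from I or P lands in F0 and a malicious high-rate burst from I, P or F0 lands in D0 (from FL it lands in DL, as in (1)). Transition overheads σ_xy are treated as instantaneous here; Sec. 4.1 is where they matter.

```python
"""Added example (not from the paper): stationary analysis of the RRC state model of
Sec. 4.  Builds the CTMC over I, P, F0, FL, D0, DL, DH (P is absent when PCH is
disabled), solves pi Q = 0 with sum(pi) = 1, and evaluates gamma_r (3) and gamma_c (4)."""
import math
from dataclasses import dataclass


@dataclass
class Params:
    lam_L: float             # normal low-rate session arrival rate (1/s)
    lam_H: float             # normal high-rate session arrival rate (1/s)
    mu_L: float              # completion rate of a low-rate session (1/s)
    mu_H: float              # completion rate of a high-rate session (1/s)
    T1: float                # DCH -> FACH inactivity timer (s)
    T2: float                # FACH -> PCH (FACH -> Idle if PCH disabled) timer (s)
    T3: float                # PCH -> Idle inactivity timer (s)
    tau_L: float = math.inf  # mean gap between a demotion and the malicious low-rate burst
    tau_H: float = math.inf  # mean gap between a demotion and the malicious high-rate burst
    pch_enabled: bool = True


# Messages per RRC transition: r_xy handled by the RNC, c_xy exchanged with the SGSN.
# ASSUMED illustrative counts (the paper's values are in its Table 1).
R_MSGS = {"IF": 6, "ID": 8, "PF": 3, "PD": 5, "FD": 4, "DF": 3, "FP": 2, "FI": 3, "PI": 3}
C_MSGS = {"IF": 2, "ID": 2, "FI": 1, "PI": 1}


def transitions(p: Params):
    """(source, destination, rate, transition key or None) for every arc.  Normal traffic
    follows (1).  ASSUMED: malicious low bursts from I/P land in F0, malicious high
    bursts from I/P/F0 land in D0 (from FL they land in DL, as in (1))."""
    inv = lambda x: 0.0 if math.isinf(x) else 1.0 / x
    aL, aH = inv(p.tau_L), inv(p.tau_H)
    fach_exit = "P" if p.pch_enabled else "I"
    arcs = [
        ("I", "FL", p.lam_L, "IF"), ("I", "DH", p.lam_H, "ID"),
        ("I", "F0", aL, "IF"), ("I", "D0", aH, "ID"),
        ("F0", "FL", p.lam_L, None), ("F0", "DH", p.lam_H, "FD"), ("F0", "D0", aH, "FD"),
        ("F0", fach_exit, 1 / p.T2, "F" + fach_exit),
        ("FL", "DH", p.lam_H, "FD"), ("FL", "DL", aH, "FD"), ("FL", "F0", p.mu_L, None),
        ("D0", "DL", p.lam_L, None), ("D0", "DH", p.lam_H, None), ("D0", "F0", 1 / p.T1, "DF"),
        ("DL", "DH", p.lam_H, None), ("DL", "D0", p.mu_L, None),
        ("DH", "D0", p.mu_H, None),
    ]
    if p.pch_enabled:
        arcs += [("P", "FL", p.lam_L, "PF"), ("P", "DH", p.lam_H, "PD"),
                 ("P", "F0", aL, "PF"), ("P", "D0", aH, "PD"), ("P", "I", 1 / p.T3, "PI")]
    return [a for a in arcs if a[2] > 0]   # drop zero-rate arcs (no attack)


def solve_linear(A, b):
    """Gauss-Jordan elimination with partial pivoting; seven unknowns need no numpy."""
    n = len(b)
    M = [row[:] + [b[i]] for i, row in enumerate(A)]
    for col in range(n):
        piv = max(range(col, n), key=lambda r: abs(M[r][col]))
        M[col], M[piv] = M[piv], M[col]
        if abs(M[col][col]) < 1e-15:
            raise ValueError("singular system")
        for r in range(n):
            if r != col and M[r][col] != 0.0:
                f = M[r][col] / M[col][col]
                for c in range(col, n + 1):
                    M[r][c] -= f * M[col][c]
    return [M[i][n] / M[i][i] for i in range(n)]


def stationary(p: Params):
    """Stationary distribution over the RRC states, plus the arcs used to build it."""
    arcs = transitions(p)
    states = sorted({s for a in arcs for s in a[:2]})
    idx = {s: i for i, s in enumerate(states)}
    n = len(states)
    Q = [[0.0] * n for _ in range(n)]
    for src, dst, rate, _ in arcs:
        Q[idx[src]][idx[dst]] += rate
        Q[idx[src]][idx[src]] -= rate
    A = [[Q[r][c] for r in range(n)] for c in range(n)]  # pi Q = 0  <=>  Q^T pi^T = 0
    A[-1] = [1.0] * n                                    # one equation replaced by sum(pi) = 1
    b = [0.0] * (n - 1) + [1.0]
    return dict(zip(states, solve_linear(A, b))), arcs


def signalling_loads(p: Params):
    """(pi, gamma_r, gamma_c): each load is sum(pi[source] * rate * messages), which is
    how (3) and (4) are assembled term by term."""
    pi, arcs = stationary(p)
    gamma_r = sum(pi[s] * rate * R_MSGS[k] for s, _, rate, k in arcs if k)
    gamma_c = sum(pi[s] * rate * C_MSGS[k] for s, _, rate, k in arcs if k in C_MSGS)
    return pi, gamma_r, gamma_c


# ASSUMED illustrative rates and timers (the paper's values are in its Table 1).
BASE = dict(lam_L=1 / 60, lam_H=1 / 120, mu_L=1 / 10, mu_H=1 / 30, T1=5.0, T2=10.0, T3=1800.0)

if __name__ == "__main__":
    for label, kw in [("no attack, PCH on", {}),
                      ("DCH attack tau_H=2 s, PCH on", dict(tau_H=2.0)),
                      ("DCH attack tau_H=2 s, PCH off", dict(tau_H=2.0, pch_enabled=False))]:
        pi, gr, gc = signalling_loads(Params(**BASE, **kw))
        print(f"{label:32s} RNC {gr:.3f} msg/s  SGSN {gc:.4f} msg/s  "
              + " ".join(f"{s}={v:.3f}" for s, v in pi.items()))
```

Running the script reproduces the qualitative picture of Sec. 7: the DCH attack multiplies the RNC load, and with PCH enabled the UE almost never falls back to Idle, so the SGSN load stays near zero, whereas with PCH disabled every F→I demotion and the following malicious I→DCH promotion is billed to the CN.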

4.1 Modeling Congestion in the Control Plane

The analytical model we just described can be solved in closed form [27] when the average transition delays are known, allowing us to determine the conditions and parameters for which signalling misbehavior has the most serious consequences on the functioning of the network. In normal circumstances, state promotions and demotions last a few milliseconds, which represent only a small fraction of the total lifetime of a session. However, when the mobile network servers become overloaded, as during a signalling storm, the time needed to establish and release connections also increases, which in turn limits the maximum signalling load that a set of misbehaving UEs can impose on the network. To better understand the effect of a signalling storm, we develop a simple model for the average time $\sigma_{xy}^{-1}$ needed to perform the transition $x \to y$ as follows:

$$
\sigma_{xy}^{-1} = r_{xy}\, w + \sum_{n=1}^{r_{xy}} \big( t_{xy}[n] + \delta_{xy}[n] \big), \qquad (5)
$$

which consists of three components:

• Communication delay $t_{xy}[n]$ comprising propagation and transmission parts that are subject to the physical characteristics of the links traversed by the $n$-th signalling message exchanged during the transition. This delay depends only on the path followed by the message, and we ignore queueing at the transmission links, since signalling storms do not load the data plane and thus do not translate into congestion in the wireless or wired links.

• Average queueing delay $w$ at the RNC signalling server, which is a function of the number of normal UEs served by the RNC $M_N$, the number of misbehaving ones $M_A$, and the RNC signalling load (3) of both normal $\gamma_r^N$ and misbehaving $\gamma_r^A$ UEs. Note that we do not represent congestion at the SGSN, since the CN is less susceptible to signalling storms, especially when PCH is enabled.

• Processing time $\delta_{xy}[n]$ at the mobile network servers handling the message, which we assume to be constant per message type¹ such that $\delta_{xy}[n] = \sum_{s \in \text{servers}} \delta_{xy,s}[n]$.

The aggregate load that the RNC signalling server needs to handle is then:

$$
\Gamma_r = M_N\,\gamma_r^N + M_A\,\gamma_r^A .
$$

Note that $\Gamma_r$ is a function of $w$, which itself is determined by $\Gamma_r$. Using a simple M/M/K system to model the RNC signalling server, the average queueing delay becomes [51]:

$$
w = \frac{(K\rho)^K}{K!\,(1-\rho)\,(K\nu - \Gamma_r)} \left[ \sum_{i=0}^{K-1} \frac{(K\rho)^i}{i!} + \frac{(K\rho)^K}{K!\,(1-\rho)} \right]^{-1}, \qquad (6)
$$

where $\rho = \Gamma_r / (K\nu)$, and $\nu$ is an "equivalent" average service rate which depends on the composition of the signalling messages processed by the RNC:

$$
\nu^{-1} = \Gamma_r^{-1} \sum_{C \in \{N,A\}} M_C \sum_{x,y} a^{C}_{xy} \sum_{n=1}^{r_{xy}} \delta_{xy,r}[n],
$$

where $a^{C}_{xy}$ is the rate at which a UE of type $C \in \{N,A\}$ triggers the transition $x \to y$ (i.e. $\gamma_r^C = \sum_{x,y} a^{C}_{xy}\, r_{xy}$), and $\delta_{xy,r}[n] \ge 0$ is the RNC's processing time of the $n$-th signalling message exchanged during the transition. Finally, $w$ is obtained by solving the system of equations (1), (2), (5) and (6), from which the steady state probabilities and average signalling loads follow directly.
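The following is an added example, not code from the paper, that makes the feedback loop of (5) and (6) concrete: the Erlang-C delay of (6), the equivalent service rate ν from the message mix, and the fixed point between the RNC load Γ_r and the delay w that produces the self-limiting behaviour discussed in Sec. 7. To keep it short, the example does not solve the full chain of Sec. 4 with intermediate states; instead it closes the loop with a deliberately simplified per-attacker cycle (wait τ_H, FACH→DCH promotion, T1 of inactivity, DCH→FACH demotion, every message of the attacker queued for w at the RNC) and summarises normal UEs by an assumed per-UE load and mean service time. The service times come from Table 2 and the 1 ms default of Sec. 5; the population figures (1,000 UEs, 1% to 20% misbehaving) follow Sec. 6 and 7, while γ_N = 0.08 msg/s and δ_N = 10 ms per normal message are assumptions of this example.

```python
"""Added example (not from the paper): M/M/K queueing delay of eq. (6), equivalent
service rate nu, and the self-limiting fixed point w = ErlangC(Gamma_r(w)) of Sec. 4.1
and Sec. 7.  The attacker cycle that closes the loop is a simplification of the paper's
full Markov chain."""
import math


def erlang_c_wait(load, K, nu):
    """Mean queueing delay w of an M/M/K queue, eq. (6): `load` arrivals/s, K servers of
    rate nu each.  Returns inf when the queue is unstable (rho >= 1)."""
    rho = load / (K * nu)
    if rho >= 1.0:
        return math.inf
    a = K * rho                                         # offered load in Erlangs
    head = sum(a ** i / math.factorial(i) for i in range(K))
    tail = a ** K / (math.factorial(K) * (1.0 - rho))
    p_wait = tail / (head + tail)                       # Erlang C: probability of queueing
    return p_wait / (K * nu - load)


def equivalent_service_rate(load, busy_per_second):
    """nu from the message mix: nu^-1 = Gamma_r^-1 * sum_C M_C sum_xy a_xy sum_n delta_xy,r[n];
    `busy_per_second` is that double sum, i.e. RNC processing seconds demanded per second."""
    return load / busy_per_second


def storm_fixed_point(M_N, gamma_N, delta_N, M_A, tau_H, T1, deltas_FD, deltas_DF, K=1):
    """Solve w = ErlangC(Gamma_r(w)) for a DCH storm.
    ASSUMED attacker cycle: tau_H in FACH -> F->D promotion (len(deltas_FD) messages)
    -> T1 of DCH inactivity -> D->F demotion (len(deltas_DF) messages).  Each of the
    attacker's messages waits w in the RNC queue, so its cycle stretches as the RNC
    congests.  Normal UEs: load gamma_N msg/s each, mean service time delta_N per message."""
    n_msgs = len(deltas_FD) + len(deltas_DF)
    delta_cycle = sum(deltas_FD) + sum(deltas_DF)      # RNC processing time per attacker cycle

    def gamma_A(w):                 # one attacker's RNC load at queueing delay w
        return n_msgs / (tau_H + T1 + n_msgs * w)

    def total_load(w):              # Gamma_r = M_N gamma_N + M_A gamma_A
        return M_N * gamma_N + M_A * gamma_A(w)

    def nu(w):
        busy = M_N * gamma_N * delta_N + M_A * (gamma_A(w) / n_msgs) * delta_cycle
        return equivalent_service_rate(total_load(w), busy)

    def gap(w):                     # > 0 while the queue would be longer than w
        return erlang_c_wait(total_load(w), K, nu(w)) - w

    if M_N * gamma_N * delta_N >= K:
        raise ValueError("normal traffic alone saturates the RNC")
    lo, hi = 0.0, 1.0
    while gap(hi) > 0:              # gamma_A(w) -> 0 as w grows, so a stable point exists
        hi *= 2.0
    for _ in range(200):            # bisection: gap(w) decreases in w
        mid = 0.5 * (lo + hi)
        if gap(mid) > 0:
            lo = mid
        else:
            hi = mid
    w = hi
    return {"w": w, "Gamma_r": total_load(w), "rho": total_load(w) / (K * nu(w)),
            "gamma_A": gamma_A(w), "unthrottled_demand": total_load(0.0)}


# Table 2: 35 ms for the FACH->DCH and 25 ms for the DCH->FACH resource message; the
# other messages of a transition get the 1 ms default of Sec. 5 (message counts assumed).
DELTAS_FD = [0.035, 0.001, 0.001, 0.001]
DELTAS_DF = [0.025, 0.001, 0.001]

if __name__ == "__main__":
    for share in (0.01, 0.08, 0.20):            # misbehaving share of 1,000 UEs, as in Sec. 7
        M_A = int(1000 * share)
        res = storm_fixed_point(M_N=1000 - M_A, gamma_N=0.08, delta_N=0.010,   # ASSUMED
                                M_A=M_A, tau_H=2.0, T1=5.0,
                                deltas_FD=DELTAS_FD, deltas_DF=DELTAS_DF)
        print(f"{share:4.0%} attackers: w={res['w']:.3f} s  rho={res['rho']:.3f}  "
              f"Gamma_r={res['Gamma_r']:.1f} msg/s  (unthrottled demand "
              f"{res['unthrottled_demand']:.1f} msg/s)")
```

With 20% attackers the unthrottled demand is several times the RNC capacity, yet the fixed point settles at ρ just below 1 with a queueing delay of a few seconds: the attackers are held in the RNC queue and their own cycle slows down, which is the self-limiting effect the paper observes in Fig. 6 and Fig. 8b.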

5 SIMULATION OF UMTS NETWORKS AND SIGNALLING ANOMALIES

The mathematical user model we have developed and described in Sec. 4 differentiates between normal and attack or misbehaving traffic, but it aggregates all the different user plane applications and services, and other control plane events carried by RRC such as mobility management updates, into a few representative traffic rates assuming Poisson arrivals. Therefore, this model is necessarily an approximation of the overall signalling behaviour of the UE, and the traffic parameters of the user need to be carefully selected based on the scenario of interest and the real-life behaviour of users as they interact with various mobile applications and services. This process would normally involve the aggregation of all user plane activity into the few traffic rates of the model and an approximate translation of non-Poisson traffic patterns into Poisson arrivals, which introduces some discrepancy between the mathematical model and the actual behaviour of the UE.

Although the model enables us to quickly derive analytical results in order to investigate the effect of signalling storms and the values of the various network parameters, such as the $T_i$ timers, on signalling load, it cannot represent the user plane behaviour at the application level in detail, e.g., it cannot differentiate between traffic patterns due to web traffic and instant messaging. Another assumption of the mathematical model is that we know the (aggregate) normal and attack traffic patterns and therefore can select the corresponding traffic parameters accordingly. In cases when the misbehaving traffic pattern is not known, or if we cannot clearly distinguish between normal and attack traffic, the mathematical model is still useful for quick, approximate evaluations, but it is significantly more difficult to choose the correct model parameters for a more realistic analysis.

¹ Note that signalling message types are defined by the 3GPP standards and known a priori.

In order to capture such aspects of the mobile network not explicitly represented in the mathematical model, we have developed a discrete event simulation model of the UMTS network, focusing on the signalling layer in the RAN. The simulation models were developed independently of the mathematical model, and are indeed a more realistic approximation of the UMTS protocol stacks of both the control and user planes. Each node of the mobile network is represented as a self-contained and independent entity in the simulation, and nodes communicate through message exchanges, which are modeled based on the 3GPP standards for mobile protocols. We have developed models of the UE, Node-B, RNC, SGSN and GGSN, and also models of the Internet cloud and Internet hosts (i.e., servers). While we do not model the circuit-switched (CS) domain explicitly, the SGSN model contains aspects of the MSC server necessary to establish and tear down CS calls, i.e., voice calls and SMS; our SGSN model is therefore a hybrid of the SGSN and the MSC server.

In the control plane, we model the session management (SM), GPRS mobility management (GMM) and RRC layers in significant detail. In the user plane, we model different applications at the application layer, which includes CS and IP applications and allows us to differentiate between different types of user activity. We also realistically model the transport layer (TCP and UDP) and the IP layer. We have a simplified model of the RLC layer, but we do not explicitly model the MAC and PHY layers; effects of changes in radio conditions are modeled as random variations in the data rate of the radio channels. Uplink and downlink radio transmissions over a radio bearer (RB) are modeled by two single-server, single-FIFO-queue pairs, one for each direction, as shown in Fig. 4. The service time at the transmission server, i.e., the radio bearer, is calculated based on the length of the currently transmitted RLC packet and the current data rate for the RB. Changes in the RB data rate are reflected in the service time of the current packet. Each UE has one signalling RB and one data RB. In addition to the transmission delays for the RBs, propagation and processing delays are also modeled. We also model the usual communication delays (i.e., transmission, propagation and processing delays) over wired links connecting the different network elements, e.g., between the RNC and the SGSN.

In order to improve the performance of simulations and to be able to realistically evaluate large scale mobile networks, we combine packet-level and call-level representation of user plane communications in our simulation model. Communications that are message-based or bursty in nature are represented at the packet level; these include communications for SMS, email, web browsing, and instant messaging. Other types of communications are represented at the call level: examples include voice and VoIP calls, and multimedia streaming. Furthermore, our simulation models support distributed simulation, allowing us to leverage multiple hosts and processors in a single simulation.

[Fig. 4 (diagram not reproduced): UE and Node B connected by a radio bearer (RB); in each direction (uplink, downlink) a FIFO queue (RLC buffer) feeds a transmission server.]

Fig. 4. The simulation model of a radio bearer, consisting of a (single server, single FIFO queue) pair in each direction. The uplink and downlink servers are located at the UE and the Node-B, respectively.

TABLE 2
Service times at the RNC signalling server for handling RRC signalling messages

Initial state x    Resulting state y    Service time δxy,r (ms)
Idle               FACH                 75
PCH                FACH                 15
FACH               DCH                  35
DCH                FACH                 25
FACH               PCH                  10
PCH                Idle                 30

In addition to the control plane protocols discussed above, we model the RANAP, NBAP and GTP protocols. The RRC model in the RNC consists of a single signalling server and a single FIFO queue, used to model the processing time δxy,r for RRC signalling messages. The server handles two classes of signalling messages, where one class consists of signalling messages that effect a state transition x → y (e.g., the RB setup message), and the second class includes all other signalling messages, including mobility updates. The service time assigned to the first class reflects the time taken to allocate and deallocate radio resources by the RNC, whereas a default and smaller service time is used for the second class (1 ms in our simulations). In the analytical results presented in the next section, K = 1, and ν is calculated based on the δxy,r values, which are given in Table 2. These values were chosen based on the typical processing required to effect the change that the signalling involves, for example setting up a radio bearer, and reflect the complexity of the procedure based on 3GPP standards. It should be noted that while these values are realistic, they are by no means definitive since the exact values are vendor-dependent. The signalling server at the RNC is one of the main points of interest in our simulations, and as we will discuss in Sec. 7, it becomes overloaded as the severity of the signalling storm increases.

[Fig. 5 (timeline not reproduced): from simulation start, an activation delay precedes the first activity period; within it, an initial session delay precedes the first session; a session consists of a main page request and response, embedded object requests and responses, a processing delay, and inter-request intervals up to the last main page request in the session; sessions are separated by the inter-session interval; idle periods separate activity periods.]

Fig. 5. Web traffic model representing interactive user browsing in our simulations. The traffic model is self-similar, consisting of active browsing sessions and inactive intervals. This user model is independent of and significantly different from the simpler aggregate signalling model of the user presented in Sec. 4. Time is not drawn to scale.

6 EXPERIMENTS

In order to understand the effect of RRC-based signalling attacks in UMTS networks, we implemented our simulation model in the OMNeT++ simulation framework [52]. We present results from simulation experiments and analytical results derived from our mathematical model. The UMTS network topology used in the simulations closely resembles the architecture shown in Fig. 1. In the simulations, we have 1,000 UEs in an area of 2 × 2 km², which is covered by seven Node-Bs connected to a single RNC. The CN consists of the SGSN and the GGSN, and the GGSN is connected to ten Internet hosts acting as web servers. All UEs attach to the mobile network at the start of the simulation, and remain attached. We simulate a high level of web browsing activity in a two and a half hour period. Our web browsing model is based on 3GPP recommendations [53], and is described below.

6.1 The Web Browsing Model

We model interactive web browsing behavior using a self-similar traffic model as shown in Fig. 5. The parameters of the web traffic model are random variables from probability distributions; Table 3 gives the values we used in our simulations, which are based on web metrics released by Google [54]. This simulation model of the user is significantly more complex than in the mathematical model, and allows us to represent user behaviour more realistically and without assuming Poisson arrivals.

The day-night cycle of the user is represented by the activity period, which is the time the UE is actively generating web traffic during a 24-hour period. The user starts its first activity period after an activation delay da, and the period consists of one or more browsing sessions. The first session within an activity period starts after an initial session delay ds, and the inter-session interval is is the time between the last main page request of one session and the first main page request of the next.

Within a session, the user generates main page requests and embedded object requests for web pages and the web objects embedded within the main page, respectively. The first main page request is scheduled at the start of the session, which results in a page response from the web server. This response is subject to a processing delay dpc at the client, which represents the time it takes for the web client at the UE to process the received response. A web page contains zero or more embedded objects, and the client generates an embedded object request for each one. We assume that HTTP version 1.1 is used and that each embedded object request is pipelined over a single TCP connection. The length of a request is denoted by lr. The inter-request interval ir is the time between the generation of two consecutive main page requests, and it is independent of the reception of the responses. The session length is controlled by the number of main page requests ns in the session.

The web server generates a response for each request it receives after a processing delay dps. The length of a main page response is lm, and it excludes the sizes of any embedded objects and TCP/IP headers. The number of embedded objects per page is ne, and we model two types of objects: images and text (e.g., CSS documents, scripts). The size of an embedded object is limg and ltxt for image and text objects, respectively. Rimg gives the ratio of image objects to all embedded objects in a page. In the simulations, a client selects a web server uniformly at random for each main page request.

TABLE 3
Parameters of the web traffic model used in the simulation experiments

Name   Description                                          Value
pa     Activity period                                      constant, 24 hours
da     Activation delay (min.)                              uniform(1, 10)
ds     Initial session delay                                is/2
ns     Number of main page requests in session              truncated normal, μ = 10, σ = 5, min = 2
is     Inter-session interval (min.)                        truncated normal, μ = 20, σ = 10, min = 2
ir     Inter-request interval (sec.)                        truncated exponential, λ⁻¹ = 60, min = 10, max = 600
lr     Request size (B)                                     truncated normal, μ = 600, σ = 100, min = 300
lm     Main page size, excluding embedded resources         histogram [54]
limg   Size of image resources (KB)                         truncated exponential, λ⁻¹ = 50, min = 1.2, max = 400
ltxt   Size of text resources                               histogram [54]
ne     Number of embedded objects in page                   histogram [54]
Rimg   Ratio of image resources to all embedded resources   uniform(0.1, 0.5)
dpc    Processing delay, client (ms)                        truncated normal, μ = 50, σ = 10, min = 0
dps    Processing delay, server (ms)                        truncated normal, μ = 4, σ = 1, min = 1

6.2 The Attack Model

We consider two different attack strategies, or equivalently, misbehaviour patterns in our evaluation: FACH and DCH attacks. Note that in the rest of this paper, we will use the terms attack and misbehaviour interchangeably. In FACH attacks, the attacker aims to overload the control plane by causing superfluous promotions to the FACH state, and therefore needs to know when a demotion from FACH occurs in the UE. In DCH attacks, the demotion of interest is from the DCH state. As introduced in Sec. 4, the error between the actual transition time and the estimated one is denoted by τL and τH in the FACH and DCH attack scenarios, respectively. Consequently, 1/τ is a measure of the aggressiveness of the misbehaving application.

In FACH attacks, the attacker sends a small data packet to a random Internet server in order to cause a promotion to FACH. Higher rate data traffic is generated in DCH attacks in order to cause the buffer threshold to be reached and therefore result in a promotion to DCH. For simulation purposes, our RRC model at the UE informs all registered malicious applications when an RRC state transition occurs. Before launching the next attack, the attacker waits for a period of τL or τH after a suitable demotion is detected, e.g., from FACH to PCH in the FACH attack case, where τL, τH are random variables. In our experiments, we assume that τL, τH are exponentially distributed with mean in {0, 1, 2, 4, 6, 10, 14, 20, 30} s to simulate varying degrees of error on behalf of the attacker. For signalling storms, τ represents the synchronization between the RRC state machine of the UE and the misbehaving application, while the attack scenario represents whether the misbehaving application generates low-rate or high-rate traffic. We present results from the DCH attack scenario only since the FACH attack scenario produces similar behaviour in most cases.

7 MODELING AND SIMULATION RESULTS

We performed simulation experiments in order to investigate the effect of signalling attacks and storms due to the RRC protocol on the RAN and the CN. We vary the number of compromised or misbehaving UEs from 1% to 20% of all UEs. Both normal and misbehaving UEs generate normal traffic based on the web browsing model described above. The misbehaving applications are activated gradually between 20 and 30 minutes from the start of the simulation in order to prevent artifacts such as a huge spike of signalling load due to many malicious applications coming online at the same time. We collect simulation data only from the period when all misbehaving UEs are active. Each data point in the presented results is an average of five simulation runs with different random seeds, resulting in different mobility and traffic patterns. The relevant RRC protocol parameters are as given in Tables 1 and 2. The simulation results do not capture signalling due to mobility and session management, but we have observed from other experiments that these signalling activities have negligible effect on the resulting signalling load in the network since the rate of signalling messages exchanged for these activities is minor compared to RRC signalling, especially in the case of a signalling storm.

We present analytical results derived from our mathematical model together with the simulation results. However, we do not present analytical results for Figs. 8b and 9 to prevent repetition of similar results, and for Fig. 8a since the mathematical model does not capture quality-of-experience. The parameters of the mathematical model were chosen based on an initial set of simulation experiments, from which we derived the aggregate normal and misbehaving user patterns for the UE. This enabled us to validate the mathematical model using simulation experiments in similar settings and parameters.

Figure 6 shows the signalling load in the RAN under DCH attacks, with PCH enabled or disabled; the signalling load is calculated as the sum of the rate of incoming and outgoing signalling messages to and from the RNC, and therefore it is not a direct measure of the capacity of the RNC. We observe that the rate of increase of the signalling load is significantly higher when the number of attackers is high, and that enabling the PCH state slightly decreases the signalling load in the RAN. A worrying observation is that when PCH is disabled, there is a possibility to induce a maximum signalling load on the RNC without requiring a high level of synchronization between the misbehaving application and the RRC state machine. Enabling the PCH state resolves this issue. Another useful observation is that given a fixed number of attackers, RRC attacks are self-limiting: as signalling load on the RNC increases, this prevents attackers from being able to attack the network at a high rate since they are themselves subject to longer waits for channel allocations. We will re-visit this issue when we discuss congestion at the RNC signalling server below.

[Fig. 6 (plots not reproduced): four panels, (a) PCH enabled (simulation), (b) PCH disabled (simulation), (c) PCH enabled (analytical), (d) PCH disabled (analytical); x-axis 1/τH [s⁻¹] from 0 (no attack) to 1, with +∞ for τH = 0; y-axis load on RNC [msg/s], roughly 80 to 200 with PCH enabled and 130 to 200 with PCH disabled; one curve per share of misbehaving devices: 1%, 2%, 4%, 8%, 12%, 16%, 20%.]

Fig. 6. Signalling load (sum of the rates of the incoming and outgoing signalling messages) on the RNC vs. aggressiveness (1/τH) under DCH attacks. Each line represents a different number of misbehaving devices. The 1/τH = 0 case corresponds to a no attack scenario. We present analytical and simulation results with the PCH state enabled or disabled in the network, and observe that the analytical model can produce accurate results given that the parameters of the model are correctly chosen.

Figure 7 shows the signalling load in the CN under DCH attacks, with PCH enabled or disabled, and demonstrates the advantage of enabling the optional PCH state. Most RRC-induced signalling with the CN occurs when the UE enters and exits the idle state. With PCH enabled, signalling load on the SGSN drops with decreasing τH since more frequent messages prevent the UE from entering the idle state and thus reduce the signalling load on the SGSN. Therefore, our recommendation would be to enable PCH as a first step in the mitigation of RRC-based signalling attacks and storms. Enabling the PCH state also eliminates the problem of the maximum signalling load observed in Fig. 7b for high values of τH, which is due to the interaction between τH and the RRC inactivity timers T1 and T2. When τH > T1 + T2, the UE enters the idle state as a result of inactivity, and then the misbehaving application causes the UE to go into FACH or DCH in order to send data, resulting in excessive signalling with the CN. The long T3 timer for demotion from the PCH state solves this issue.

[Fig. 7 (plots not reproduced): four panels, (a) PCH enabled (simulation), (b) PCH disabled (simulation), (c) PCH enabled (analytical), (d) PCH disabled (analytical); x-axis 1/τH [s⁻¹] from 0 to 1, with +∞ for τH = 0; y-axis load on SGSN [msg/s], roughly 1.6 to 2.1 (simulation) and 4 to 5.2 (analytical) with PCH enabled, 20 to 45 with PCH disabled; one curve per share of misbehaving devices: 1%, 2%, 4%, 8%, 12%, 16%, 20%.]

Fig. 7. Signalling load (sum of the rates of the incoming and outgoing signalling messages) on the SGSN vs. aggressiveness (1/τH) under DCH attacks. Each line represents a different number of misbehaving devices. The 1/τH = 0 case corresponds to a no attack scenario. We present analytical and simulation results with the PCH state enabled or disabled in the network, and observe that enabling it significantly reduces signalling load on the SGSN. The analytical and simulation results still show a high degree of agreement.

Our results so far demonstrate how the mobile network infrastructure is seriously affected by RRC-based signalling anomalies. These anomalies also have an appreciable impact on the quality-of-experience (QoE) of the mobile user. Figure 8a shows the application response time, which is defined as the time between when the user requests a web page and when all of the web page is received, at a normal UE. The response time is not greatly affected when there are very few misbehaving UEs and when τH is high. But delay increases by up to 400% as the severity of the attack increases with increasing number of attackers and 1/τH. Users normally tolerate a wait of 2–10 seconds for a web page to download [55], and therefore the observed response times are significant from a QoE view. The affected mobile users are highly likely to attribute the bad QoE to the MNO, so the MNO has one more incentive to detect and mitigate signalling problems in its network.

The main reason for the increase in application response time is the time it takes for the UE to acquire a radio channel in order to send and receive data, which includes, in addition to the communication delays between the UE and the RNC, the service and queueing times experienced by the RRC signalling messages effecting the channel acquisition. Figure 8b shows that queueing time at the RRC signalling server component of the RNC greatly increases as the number of attackers increases. We observe that effects of congestion at the server become significant when the percentage of attackers is ≥ 8%, affecting application response time for normal users, and also placing a limit on the impact of signalling attacks on the network since the attackers themselves are subject to longer delays for channel acquisition. This self-limiting behaviour imposes a maximum signalling load of around 200 msgs/s on the RNC (Fig. 6). Note that the service time for RRC messages effecting a FACH→DCH transition, which is the transition exploited in the DCH attack scenario, is 35 ms, meaning that the RNC would be congested by an incoming rate of about 30 msgs/s (1/0.035 s ≈ 28.6) of such messages. However, the signalling load observed on the RNC is significantly higher than this (around 200 msgs/s) since it is (mostly) the rate of incoming signalling messages to the RNC, which is only loosely bounded by the service capacity of the RNC: congestion at the RNC signalling server does not prevent the UEs from sending channel requests until they are blocked waiting for a reply to their previous request. This behaviour is the main cause of the self-limiting nature of the signalling storm: if all the UEs in the area are blocked due to congestion, no more signalling requests are received by the RNC until it has processed some of the requests and therefore has allowed those UEs to send subsequent requests.

[Fig. 8 (plots not reproduced): (a) end-to-end delay [s] (about 1 to 7) vs. 1/τH [s⁻¹] from 0 to 1 (+∞ for τH = 0), one curve per share of misbehaving devices 1% to 20%; (b) queueing time [s] (0 to 8) vs. attackers [%] from 1 to 20, one curve per τH ∈ {0, 4, 10, 20} s.]

Fig. 8. Effect of signalling storms on application response time at normal devices, and on queueing time at the RNC signalling server under DCH attacks, with PCH disabled. (a) Application response time (s) vs. aggressiveness (1/τH) under DCH attacks, with PCH disabled; each line represents a different number of misbehaving devices. (b) Average queueing time (s) at the RNC signalling server vs. percentage of misbehaving devices under DCH attacks, with PCH disabled; each line represents a different τH value.

The service capacity in the RAN can be increased by installing more RNCs to handle the same number of subscribers or by using a node with more capacity. Installing more RNCs is very cost-ineffective, and thus would be shunned by MNOs. Installing a higher-capacity RNC also does not address the inherent signalling problem since the RNC would then be provisioned to handle a larger number of base stations, and thus more subscribers, for cost efficiency reasons. We therefore need to understand the nature of signalling storms so that we may develop cost-effective detection and mitigation methods, which could be installed as part of the admission control component in the RNC and prevent the signalling storm from occurring in the first place.

We observe that while RRC-based attacks have a significant impact on the RAN, they do not greatly affect the CN. This is due to the nature of the RRC protocol, which is essentially an access network protocol between the UE and the RNC. Therefore, an attacker that wishes to attack the CN directly needs to adopt other strategies, such as authentication attacks [56]. The advantage of the investigated attack for the attacker is its ease of implementation since it only requires that the attacker estimates the RRC-related parameters of the network, which is easily attainable [35], and then listens to user activity in order to estimate when RRC state transitions will occur on the infected device. A simpler attack that would have a similar impact would be sending frequent and periodic messages in order to induce unnecessary state transitions, and this is indeed the type of behaviour we observe with misbehaving or poorly designed applications which cause signalling storms rather than deliberate signalling attacks.

[Fig. 9 (plots not reproduced): (a) P(user in FACH) (0 to 0.5) and (b) P(user in DCH) (0 to 1) vs. 1/τH [s⁻¹] from 0 to 1; curves for idle and busy time with 1% and with 20% attackers.]

Fig. 9. Radio channel utilization vs. aggressiveness (1/τH) under DCH attacks, with PCH disabled. (a) Ratio of time spent in the FACH state while idle and busy to total time spent in all RRC states. (b) Ratio of time spent in the DCH state while idle and busy to total time spent in all RRC states. We observe that normal (1/τH = 0) and misbehaving (1/τH ≠ 0) devices exhibit markedly different channel utilizations, which suggests that channel utilizations and busy and idle times can be used as representative features for efficient detection of signalling storms.

Our final results relate to how the UE utilizes its allocated radio resources, and provide a useful feature that we aim to exploit in our future work on the detection of signalling attacks. Figure 9 shows the ratio of time the UE is in the FACH or DCH state while busy (i.e., sending or receiving data) and idle. The most important observation is that a normal UE, represented with 1/τH = 0, has a markedly different behaviour than a misbehaving UE (1/τH > 0), and the discrepancy increases with 1/τH. Normal UEs do not spend a significant time in FACH or DCH as busy or idle, but attackers spend a long time as idle while in FACH and DCH, i.e., their session tails are comparatively longer than their session body. This is because normal users only acquire the channel when they have legitimate traffic, and they send larger chunks of data and therefore use the channel for longer than attackers, resulting in a low ratio of idle to busy time. Attackers, on the other hand, frequently acquire the channel to send only a small amount of attack traffic and therefore waste most of the radio channel, as reflected in their high ratio of idle to busy time. The exception to this is the FACH state when there is congestion in the control plane due to the signalling attack: we observe that attackers spend significantly long times as busy in the FACH state when there is congestion, e.g., with 20% of attackers, which is due to the long delay it takes the UEs to acquire the channel, as discussed above.
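To make the Fig. 9 features concrete, the following added example (not code from the paper) computes per-UE busy and idle shares in FACH and DCH from a constructed state-interval log and flags UEs whose idle tail time dwarfs their busy time; the log format, UE names, tail timer values and thresholds are assumptions.

```python
"""Channel-utilization features for spotting misbehaving UEs.

Added example, not code from the paper: it derives, per UE, the time spent
busy and idle in FACH and DCH (the quantities plotted in Fig. 9) from a
constructed state-interval log, and flags UEs whose idle tail time in the
connected states dwarfs their busy time. The log format, UE names, timer
values and thresholds below are all assumptions.
"""
from collections import defaultdict

RRC_STATES = ("IDLE", "PCH", "FACH", "DCH")
CONNECTED = ("FACH", "DCH")          # states that hold a radio channel


def parse_log(lines):
    """Parse constructed records 'ue state start end busy|idle' (seconds)."""
    records = []
    for line in lines:
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ue, state, start, end, activity = line.split()
        start, end = float(start), float(end)
        if state not in RRC_STATES or end < start or activity not in ("busy", "idle"):
            raise ValueError(f"bad record: {line!r}")
        records.append((ue, state, start, end, activity == "busy"))
    return records


def utilization(records):
    """Per UE: seconds in each (state, busy/idle) bucket plus total RRC time.

    Returns {ue: {"total": t, ("DCH", "busy"): s, ("DCH", "idle"): s, ...}}.
    """
    util = defaultdict(lambda: defaultdict(float))
    for ue, state, start, end, busy in records:
        dur = end - start
        util[ue]["total"] += dur
        if state in CONNECTED:
            util[ue][(state, "busy" if busy else "idle")] += dur
    return {ue: dict(buckets) for ue, buckets in util.items()}


def features(buckets):
    """Fig. 9-style features for one UE: connected share and idle/busy ratio."""
    busy = sum(v for k, v in buckets.items() if k != "total" and k[1] == "busy")
    idle = sum(v for k, v in buckets.items() if k != "total" and k[1] == "idle")
    connected_share = (busy + idle) / buckets["total"] if buckets["total"] else 0.0
    ratio = idle / busy if busy else (float("inf") if idle else 0.0)
    return {"connected_share": connected_share, "idle_to_busy": ratio}


def flag_misbehaving(records, max_idle_to_busy=3.0, min_connected_share=0.25):
    """UEs that hold FACH/DCH mostly idle: a high tail-to-body ratio AND a
    large connected share (the share guard avoids flagging a UE seen in one
    short session; heavy but genuine users keep a low ratio and pass)."""
    flagged = []
    for ue, buckets in sorted(utilization(records).items()):
        f = features(buckets)
        if f["idle_to_busy"] > max_idle_to_busy and f["connected_share"] >= min_connected_share:
            flagged.append(ue)
    return flagged


# Constructed 300 s log. ue-norm: one 20 s download followed by assumed
# T1 (2 s DCH) and T2 (10 s FACH) inactivity tails; ue-heavy: one long
# session; ue-att: a 0.3 s burst every 15 s, so it keeps paying both tails.
SAMPLE_LOG = [
    "# ue state start end activity",
    "ue-norm IDLE 0 60 idle",
    "ue-norm DCH 60 80 busy",
    "ue-norm DCH 80 82 idle",
    "ue-norm FACH 82 92 idle",
    "ue-norm PCH 92 300 idle",
    "ue-heavy DCH 0 120 busy",
    "ue-heavy DCH 120 122 idle",
    "ue-heavy FACH 122 132 idle",
    "ue-heavy PCH 132 300 idle",
]
for i in range(20):
    s = 15 * i
    SAMPLE_LOG += [
        f"ue-att DCH {s} {s + 0.3} busy",
        f"ue-att DCH {s + 0.3} {s + 2.3} idle",
        f"ue-att FACH {s + 2.3} {s + 12.3} idle",
        f"ue-att PCH {s + 12.3} {s + 15} idle",
    ]

if __name__ == "__main__":
    for ue, buckets in sorted(utilization(parse_log(SAMPLE_LOG)).items()):
        print(ue, {k: round(v, 3) for k, v in features(buckets).items()})
    print("flagged:", flag_misbehaving(parse_log(SAMPLE_LOG)))
```

Because the text notes that attackers also accumulate long busy time in FACH while waiting for channel grants under congestion, the features pool FACH and DCH rather than judging FACH alone.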

8 RELATED WORK

The vulnerability of mobile networks to different types of signalling attacks and storms has been recognized even prior to 3G networks. Pre-3G signalling attacks include the SMS flooding attack [57] and the paging attack [4]. Enck et al. [57] show that an SMS attack originating from GSM-capable Internet hosts can significantly degrade, and in the worst case prevent, voice and SMS services on the cellular network. Two countermeasures are proposed in [7]: providing differentiated services via queue management, and resource provisioning to preferentially allocate channel resources over the air interface. In [9], the possibility of SMS attacks originating from mobile devices within the cellular network is considered, and the authors show the feasibility of such an attack by implementing it using feature phones on a 2G network.

The paging attack exploits the paging mechanism which is used to locate and connect to idle devices in the mobile network for incoming calls. Serror et al. [4] addressed the problem of paging attacks due to Internet-originating data calls on a CDMA2000 network, and showed that the paging channel exhibits a sharp rather than a graceful degradation under load. Similar problems still exist in 4G networks as discussed in [58].

RRC-based signalling attacks and storms have been investigated in [6], where the authors consider a remote host-based attack on UMTS networks and propose an online detection method based on the statistical cumulative sum test. The detector is located at the GGSN, and uses a packet sniffer to look at IP metrics such as destination addresses and the estimated radio access bearer setup time in order to detect the intention of launching an attack, even though the activity may not actually have an effect on the signalling load. Our investigation of signalling storms suggests that a better method would be to install the detector at the RNC, possibly as part of the existing admission control mechanisms, since then an effective mitigation mechanism can be combined with the detector to jointly identify and solve the problem.

RRC-based signalling attacks [59] and storms [60] affect LTE networks as well. In [59], the authors evaluate the effect of an RRC-based signalling attack on an LTE network using simulation experiments, and show the resulting performance degradation in the eNode-Bs and the evolved packet core (EPC). The utilization of LTE radio channels such as PUSCH and PUCCH due to keep-alive messages is studied in [60]. We are currently investigating the effect of signalling storms in LTE networks, paying special attention to machine-to-machine communications, which are a considerable source of signalling problems [23].

RRC-based signalling attacks are not the only possible attacks targeting the control plane of mobile networks. Other attacks typically target the core network, aiming to overload the Home Location Register (HLR) or the Authentication Center (AuC). Various types of authentication attacks exploiting the authentication mechanism between the UE and the mobile network in UMTS networks have been discussed in [56], and the signalling load of authentication messages in LTE networks has been evaluated using renewal process theory and analytical modeling in [61]. An interesting attack that exploits the network attach procedure in UMTS networks is described in [62], where SIM-less devices are used to overload the HLR and the AuC.

The IP Multimedia Subsystem (IMS) in 3G and 4G networks has also been the target of signalling attacks. Early work in this area has looked at the signalling load due to the Session Initiation Protocol (SIP) used in the IMS [63]. Zhao et al. [64] have identified an IMS attack that overloads the presence servers by exploiting SIP, and have proposed a detection mechanism based on the Girshick-Rubin-Shiryaev algorithm that looks at the CPU usage at the presence servers in order to detect the attack.

Other work has looked at how signalling attacks can be mitigated. A detailed review of signalling attacks in 3G networks is presented in [8], where the authors identify the system design decisions that result in such attacks, and convincingly argue that the design focus should move from optimality to robustness and elasticity of mobile networks. The methods that they propose to achieve this change are randomization of the radio resource management (RRM) and mobility management (MM) procedures, device-specific adaptive state transitions based on profiles, and prioritization of devices. Wu et al. [65] evaluate one such method, the randomization of the RRM and MM procedures in 3G networks, and show that it can indeed mitigate against certain attacks while acceptably degrading normal performance. We are currently developing a signalling storm detector and mitigator (SSDM) based on our investigation of the signalling behaviour of UMTS networks under signalling storms. Our SSDM adopts the device-specific adaptive state transitions approach discussed in [8], and mitigates the storm by adaptively controlling the state transitions of devices that are identified to be misbehaving, and thus will impact normal users less than network-wide solutions such as randomization. The SSDM can be implemented as part of the admission control mechanism in the RNC, or it can be implemented on the mobile devices, for example as part of a virtualization solution designed to mitigate against a wide variety of device-originating problems as proposed in [66].

The signalling attacks and storms discussed here are not specific to UMTS and LTE networks, and WiMAX networks are also vulnerable to such problems. Kolias et al. [67] provide an in-depth review in this area. Such works highlight the importance of analyzing and understanding the root causes and the dynamic behaviour of signalling anomalies in mobile networks as they evolve with emerging application patterns and new network technologies. Recent work [68] shows that this task is not trivial since the interactions between the control plane and the user plane are more complex than previously thought. Thus, further work is necessary in this old but still emerging field in order to stay ahead of changes in the mobile landscape.

9 CONCLUSIONS AND FUTURE WORK

In this paper, we investigated the effect of signalling attacks and storms in mobile networks, focusing on signalling anomalies that exploit the radio resource control (RRC) protocol in UMTS networks. We presented a Markov model of the signalling behaviour of the UE and extended the model for effects of congestion in the control plane. The analytical model provides an accurate representation of the RRC signalling behaviour and allows us to reach quick analytical results, but its parameters need to be carefully selected using user traffic models built based on either real-life data or on simulation results. Without being able to choose representative parameters for the mobile network under investigation and the user plane behaviour of the UE, the results provided by the mathematical model will necessarily be speculative.

In order to validate the mathematical model and to select representative parameters, we developed a realistic simulation model of the UMTS network, which is comprised of the relevant user plane and control plane protocols represented at various abstraction levels. The simulation model captures the interactions between the network elements and protocols in a UMTS network. We implemented the simulation model in a distributed network simulator, and conducted simulation experiments to evaluate the effect of signalling storms on the signalling servers and the mobile devices.

Our analytical and simulation results show that RRC-based signalling storms can cause significant problems in both the control plane and the user plane in the network, and provide insight into how such attacks and storms can be detected and mitigated. While we have focused on UMTS networks in this work, the RRC protocol is also employed in LTE networks, and any RRC related anomalies would have a more severe impact in LTE networks since they employ only two RRC states (connected and idle), and the mitigating effect of the long T3 timer used in the PCH state is non-existent in LTE networks.

While this work has employed mathematical modelling and simulation experiments to evaluate the effect of signalling storms, it is important to validate these findings using data from operational mobile networks. We are in the process of negotiating the release of data relevant to signalling storms from our telecommunication partners, which is inevitably a lengthy process due to legal and privacy issues. As future work, we plan to use charging data records from mobile subscribers to build user models, which will result in the adjustment of the parameters of the mathematical model and the development of new simulation models. We will also conduct experiments on signalling storms on a small-scale physical mobile network test-bed, and use these results to design more realistic simulation experiments which can scale up to larger networks.

Future work can exploit the insight gained in this paper for the detection and mitigation of signalling attacks in mobile networks. One aspect that requires attention is the identification of possible locations, such as specific cells, where attacks may originate, and methods related to search and smart traffic routing may prove valuable in this context [69,70]. Another important aspect relates to identifying sets of representative features for the detection of signalling attacks and storms, and of the misbehaving UEs. An important consideration is to prevent false positives as much as possible so as not to punish normal heavy users. We will also develop system-wide models based on queueing theory [71] that represent a single user in a simple manner, to study mitigation methods that involve randomization and adaptively introducing artificial delays in the state transitions of the UEs so that they may automatically reduce the negative impact of attacks and signalling storms.

ACKNOWLEDGMENTS

The work presented in this paper was partially supported by the EU FP7 research project NEMESYS (Enhanced Network Security for Seamless Service Provisioning in the Smart Mobile Ecosystem), under grant agreement no. 317888 within the FP7-ICT-2011.1.4 Trustworthy ICT domain.

REFERENCES

[1] A. P. Felt, M. Finifter, E. Chin, S. Hanna, and D. Wagner, “A survey of mobile malware in the wild,” in Proc. 1st ACM W’shop on Security and Privacy in Smartphones and Mobile Devices (SPSM’11), 2011, pp. 3–14.

[2] M. Chandramohan and H. B. K. Tan, “Detection of mobile malware in the wild,” IEEE Computer, vol. 45, no. 9, pp. 65–71, Sep. 2012.

[3] E. Gelenbe, G. Gorbil, D. Tzovaras, S. Liebergeld, D. Garcia, M. Baltatu, and G. Lyberopoulos, “Security for smart mobile networks: The NEMESYS approach,” in Proc. 2013 IEEE Global High Tech Congress on Electronics (GHTCE’13), Nov. 2013, pp. 63–69.

[4] J. Serror, H. Zang, and J. C. Bolot, “Impact of paging channel overloads or attacks on a cellular network,” in Proc. 5th ACM W’shop on Wireless Security (WiSe’06), Sep. 2006, pp. 75–84.

[5] H. Yang, F. Ricciato, S. Lu, and L. Zhang, “Securing a wireless world,” Proc. IEEE, vol. 94, no. 2, pp. 442–454, Feb. 2006.

[6] P. P. Lee, T. Bu, and T. Woo, “On the detection of signaling DoS attacks on 3G/WiMax wireless networks,” Computer Networks, vol. 53, no. 15, pp. 2601–2616, Oct. 2009.

[7] P. Traynor, W. Enck, P. McDaniel, and T. L. Porta, “Mitigating attacks on open functionality in SMS-capable cellular networks,” IEEE/ACM Trans. Networking, vol. 17, no. 1, pp. 40–53, Feb. 2009.

[8] F. Ricciato, A. Coluccia, and A. D’Alconzo, “A review of DoS attack models for 3G cellular networks from a system-design perspective,” Computer Communications, vol. 33, no. 5, pp. 551–558, Mar. 2010.

[9] C. Mulliner, N. Golde, and J.-P. Seifert, “SMS of death: From analyzing to attacking mobile phones on a large scale,” in Proc. 20th USENIX Conf. on Security (SEC’11), Aug. 2011, pp. 363–378.

[10] J. Li, W. Pei, and Z. Cao, “Characterizing high-frequency subscriber sessions in cellular data networks,” in Proc. 2013 IFIP Networking Conf., May 2013, pp. 1–9.

[11] GSMA. (2012, Feb.) Smarter apps for smarter phones! [Online]. Available: http://www.gsma.com/technicalprojects/wp-content/uploads/2012/04/gsmasmarterappsforsmarterphones0112v.0.14.pdf

[12] S. Jianto, “Analyzing the network friendliness of mobile applications,” Huawei, Tech. Rep., Jul. 2012. [Online]. Available: www.huawei.com/ilink/en/download/HW_146595

[13] F. Ricciato, “Unwanted traffic in 3G networks,” ACM SIGCOMM Computer Communication Review, vol. 36, no. 2, pp. 53–56, Apr. 2006.

[14] F. Ricciato, E. Hasenleithner, P. Svoboda, and W. Fleischer, “On the impact of unwanted traffic onto a 3G network,” in Proc. 2nd Inter. W’shop on Security, Privacy and Trust in Pervasive and Ubiquitous Computing (SecPerU’06), Jun. 2006, pp. 49–56.

[15] Trend Micro. (2013, Jan.) TrendLabs 2012 annual security roundup: Evolved threats in a post-PC world. [Online]. Available: http://www.trendmicro.com/cloud-content/us/pdfs/security-intelligence/reports/rpt-evolved-threats-in-a-post-pc-world.pdf

[16] C. Raiu and D. Emm. (2012, Dec.) Kaspersky security bulletin 2012: Malware evolution. Kaspersky Lab. [Online]. Available: http://www.securelist.com/en/analysis/204792254/Kaspersky_Security_Bulletin_2012_Malware_Evolution

[17] A. Filippoupolitis and E. Gelenbe, “A distributed decision support system for building evacuation,” pp. 323–330, 2009.

[18] E. Gelenbe and F.-J. Wu, “Large scale simulation for human evacuation and rescue,” Computers and Mathematics with Applications, vol. 64, no. 12, pp. 3869–3880, Dec. 2012.

[19] A. Filippoupolitis, G. Gorbil, and E. Gelenbe, “Spatial computers for emergency support,” The Computer Journal, vol. 56, no. 12, pp. 1399–1416, Dec. 2013.


[20] G. Gorbil and E. Gelenbe, “Opportunistic communications for emergency support systems,” Procedia Computer Science, vol. 5, pp. 39–47, 2011.

[21] ——, “Resilience and security of opportunistic communications for emergency evacuation,” in Proc. 7th ACM W’shop on Performance Monitoring and Measurement of Heterogeneous Wireless and Wired Networks (PM2HW2N’12). ACM, Oct. 2012, pp. 115–124.

[22] O. H. Abdelrahman, E. Gelenbe, G. Gorbil, and B. Oklander, “Mobile network anomaly detection and mitigation: The NEMESYS approach,” in Information Sciences and Systems 2013, ser. LNEE, E. Gelenbe and R. Lent, Eds. Springer, Oct. 2013, vol. 264, pp. 429–438.

[23] T. Taleb and A. Kunz, “Machine type communications in 3GPP networks: Potential, challenges, and solutions,” IEEE Communications Magazine, vol. 50, no. 3, pp. 178–184, Mar. 2012.

[24] A. Ksentini, Y. Hadjadj-Aoul, and T. Taleb, “Cellular-based machine-to-machine: Overload control,” IEEE Network, vol. 26, no. 6, pp. 54–60, Nov. 2012.

[25] Y. Chang, C. Zhou, and O. Bulakci, “Coordinated random access management for network overload avoidance in cellular machine-to-machine communications,” in Proc. 20th European Wireless Conf., May 2014, pp. 1–6.

[26] H.-L. Fu, P. Lin, H. Yue, G.-M. Huang, and C.-P. Lee, “Group mobility management for large-scale machine-to-machine mobile networking,” IEEE Trans. Vehicular Technology, vol. 63, no. 3, pp. 1296–1305, Mar. 2014.

[27] O. H. Abdelrahman and E. Gelenbe, “Signalling storms in 3G mobile networks,” in Proc. 2014 IEEE Inter. Conf. on Communications (ICC’14), Sydney, Australia, Jun. 2014, pp. 1017–1022.

[28] “3GPP TS 25.331: Universal mobile telecommunications system (UMTS) radio resource control (RRC) protocol specification,” 3GPP, technical specification. [Online]. Available: http://www.3gpp.org/DynaReport/25331.htm

[29] “3GPP TS 36.331: Evolved universal terrestrial radio access (E-UTRA) radio resource control (RRC) protocol specification,” 3GPP, technical specification. [Online]. Available: http://www.3gpp.org/DynaReport/36331.htm

[30] E. Gelenbe and R. Muntz, “Probabilistic models of computer systems – part I (exact results),” Acta Informatica, vol. 7, no. 1, pp. 35–60, 1976.

[31] E. Gelenbe and G. Loukas, “A self-aware approach to denial of service defence,” Computer Networks, vol. 51, no. 5, pp. 1299–1314, Apr. 2007.

[32] D. Maslennikov and Y. Namestnikov. (2012, Dec.) Kaspersky security bulletin 2012: The overall statistics for 2012. Kaspersky Lab. [Online]. Available: http://www.securelist.com/en/analysis/204792255/Kaspersky_Security_Bulletin_2012_The_overall_statistics_for_2012

[33] P. Traynor, M. Lin, M. Ongtang, V. Rao, T. Jaeger, P. McDaniel, and T. L. Porta, “On cellular botnets: Measuring the impact of malicious devices on a cellular network core,” in Proc. 16th ACM Conf. on Computer and Communications Security (CCS’09), Nov. 2009, pp. 223–234.

[34] C. Mulliner and J.-P. Seifert, “Rise of the iBots: Owning a telco network,” in Proc. 5th Inter. Conf. on Malicious and Unwanted Software (MALWARE’10), Oct. 2010, pp. 71–80.

[35] A. Barbuzzi, F. Ricciato, and G. Boggia, “Discovering parameter setting in 3G networks via active measurements,” IEEE Communications Letters, vol. 12, no. 10, pp. 730–732, Oct. 2008.

[36] P. H. Perala, A. Barbuzzi, G. Boggia, and K. Pentikousis, “Theory and practice of RRC state transitions in UMTS networks,” in Proc. 2009 IEEE Global Communications Conf. W’shops (Globecom’09 W’shops), Nov. 2009, pp. 1–6.

[37] F. Qian, Z. Wang, A. Gerber, Z. M. Mao, S. Sen, and O. Spatscheck, “Characterizing radio resource allocation for 3G networks,” in Proc. 10th ACM SIGCOMM Conf. on Internet Measurement (IMC’10), Nov. 2010, pp. 137–150.

[38] Z. Qian, Z. Wang, Q. Xu, Z. M. Mao, M. Zhang, and Y.-M. Wang, “You can run, but you can’t hide: Exposing network location for targeted DoS attacks in cellular networks,” in Proc. 19th Annual Network and Distributed System Security Symp. (NDSS’12), Feb. 2012.

[39] Z. Wang, Z. Qian, Q. Xu, Z. Mao, and M. Zhang, “An untold story of middleboxes in cellular networks,” ACM SIGCOMM Computer Communication Review - SIGCOMM’11, vol. 41, no. 4, pp. 374–385, Aug. 2011.

[40] N. Golde, K. Redon, and R. Borgaonkar, “Weaponizing femtocells: The effect of rogue devices on mobile telecommunication,” in Proc. 19th Annual Network and Distributed System Security Symp. (NDSS’12), Feb. 2012, pp. 1–16.

[41] F. Ricciato, P. Svoboda, J. Motz, W. Fleischer, M. Sedlak, M. Karner, R. Pilz, P. Romirer-Maierhofer, E. Hasenleithner, W. Jager, P. Kruger, F. Vacirca, and M. Rupp, “Traffic monitoring and analysis in 3G networks: Lessons learned from the METAWIN project,” e&i Elektrotechnik und Informationstechnik, vol. 123, no. 7–8, pp. 288–296, Aug. 2006.

[42] C. Gabriel. (2012, Jun.) DoCoMo demands Google’s help with signalling storm. Rethink Wireless. [Online]. Available: http://www.rethink-wireless.com/2012/01/30/docomo-demands-googles-signalling-storm.htm

[43] S. Corner. (2011, Jun.) Angry Birds + Android + ads = network overload. IT Wire. [Online]. Available: http://www.itwire.com/business-it-news/networking/47823

[44] A. Coluccia, A. D’Alconzo, and F. Ricciato, “Distribution-based anomaly detection via generalized likelihood ratio test: A general maximum entropy approach,” Computer Networks, vol. 57, no. 17, pp. 3446–3462, Dec. 2013.

[45] G. Redding. (2013, Sep.) OTT service blackouts trigger signaling overload in mobile networks. Nokia Solutions and Networks. [Online]. Available: http://blogs.nsn.com/mobile-networks/2013/09/16/ott-service-blackouts-trigger-signaling-overload-in-mobile-networks/

[46] Trend Micro. (2013, Jan.) TrendLabs 2012 mobile threat and security roundup: Repeating history. [Online]. Available: http://www.trendmicro.com/cloud-content/us/pdfs/security-intelligence/reports/rpt-repeating-history.pdf

[47] Y. Zhou and X. Jiang, “Dissecting Android malware: Characterization and evolution,” in Proc. 2012 IEEE Symp. on Security and Privacy, May 2012, pp. 95–109.

[48] E. Gelenbe, “Sensible decisions based on QoS,” Computational Management Science, vol. 1, no. 1, pp. 1–14, Dec. 2003.

[49] M. Siekkinen, M. A. Hoque, J. K. Nurminen, and M. Aalto, “Streaming over 3G and LTE: How to save smartphone energy in radio access network-friendly way,” in Proc. 5th W’shop on Mobile Video (MoVid’13), Feb. 2013, pp. 13–18.

[50] E. Gelenbe, “Probabilistic models of computer systems part II: Diffusion approximations: waiting times and batch arrivals,” Acta Informatica, vol. 12, no. 4, pp. 285–303, 1979.

[51] E. Gelenbe and G. Pujolle, Introduction to Queueing Networks, 2nd ed. New York, NY, USA: John Wiley & Sons, Inc., Apr. 1998.

[52] A. Varga and R. Hornig, “An overview of the OMNeT++ simulation environment,” in Proc. 1st Inter. Conf. on Simulation Tools and Techniques for Communications, Networks and Systems W’shops (Simutools’08), Mar. 2008, pp. 60:1–60:10.

[53] “cdma2000 evaluation methodology - revision A,” Technical document, 3GPP2, May 2009, 3GPP2 C.R1002-A, version 1.0. [Online]. Available: http://www.3gpp2.org/public_html/specs/C.R1002-A_v1.0_Evaluation_Methodology.pdf

[54] S. Ramachandran. (2010, May) Web metrics: Size and number of resources. Google. [Online]. Available: https://developers.google.com/speed/articles/web-metrics

[55] F. F.-H. Nah, “A study on tolerable waiting time: How long are Web users willing to wait?” Behaviour & Information Technology, vol. 23, no. 3, pp. 153–163, 2004.

[56] G. Kambourakis, C. Kolias, S. Gritzalis, and J. H. Park, “DoS attacks exploiting signaling in UMTS and IMS,” Computer Communications, vol. 34, no. 3, pp. 226–235, Feb. 2010.

[57] W. Enck, P. Traynor, P. McDaniel, and T. L. Porta, “Exploiting open functionality in SMS-capable cellular networks,” in Proc. 12th ACM Conf. on Computer and Communications Security (CCS’05), Nov. 2005, pp. 393–404.

[58] A. Baraev, U. Ayesta, I. M. Verloop, D. Miorandi, and I. Chlamtac, “Technical vulnerability of the E-UTRAN paging mechanism,” in Proc. 2012 IEEE Wireless Communications and Networking Conf. (WCNC’12), Apr. 2012, pp. 2247–2252.

[59] R. Bassil, I. H. Elhajj, A. Chehab, and A. Kayssi, “Effects of signaling attacks on LTE networks,” in Proc. 27th Inter. Conf. on Advanced Information Networking and Applications W’shops (WAINA’13), Mar. 2013, pp. 499–504.

[60] Z. Zhang, Z. Zhao, H. Guan, D. Miao, and Z. Tan, “Study of signaling overhead caused by keep-alive messages in LTE network,” in Proc. 78th IEEE Vehicular Technology Conf. (VTC Fall’13), Sep. 2013, pp. 1–5.


[61] C.-K. Han, H.-K. Choi, J. W. Baek, and H. W. Lee, “Evaluation of authentication signaling loads in 3GPP LTE/SAE networks,” in Proc. 34th IEEE Conf. on Local Computer Networks (LCN’09), Oct. 2009, pp. 37–44.

[62] A. Merlo, M. Migliardi, N. Gobbo, F. Palmieri, and A. Castiglione, “A denial of service attack to UMTS networks using SIM-less devices,” IEEE Trans. Dependable and Secure Computing, vol. 11, no. 3, pp. 280–291, May 2014.

[63] D. S. Tonesi, L. Salgarelli, Y. Sun, and T. F. L. Porta, “Evaluation of signaling loads in 3GPP networks,” IEEE Wireless Communications, vol. 15, no. 1, pp. 92–100, Feb. 2008.

[64] B. Zhao, C. Chi, W. Gao, S. Zhu, and G. Cao, “A chain reaction DoS attack on 3G networks: Analysis and defenses,” in Proc. 28th IEEE Conf. on Computer Communications (Infocom’09), Apr. 2009, pp. 2544–2463.

[65] Z. Wu, X. Zhou, and F. Yang, “Defending against DoS attacks on 3G cellular networks via randomization method,” in Proc. 2010 Inter. Conf. on Educational and Information Technology (ICEIT’10), Sep. 2010, pp. V1-504–V1-508.

[66] C. Mulliner, S. Liebergeld, M. Lange, and J.-P. Seifert, “Taming Mr Hayes: Mitigating signaling based attacks on smartphones,” in Proc. 42nd Annual IEEE/IFIP Inter. Conf. on Dependable Systems and Networks (DSN’12), Jun. 2012, pp. 1–12.

[67] C. Kolias, G. Kambourakis, and S. Gritzalis, “Attacks and countermeasures on 802.16: Analysis and assessment,” IEEE Communications Surveys & Tutorials, vol. 15, no. 1, pp. 487–514, 1st quarter 2013.

[68] S. Rosen, H. Luo, Q. A. Chen, Z. M. Mao, J. Hui, A. Drake, and K. Lau, “Discovering fine-grained RRC state dynamics and performance impacts in cellular networks,” in Proc. 20th Annual Inter. Conf. on Mobile Computing and Networking (MobiCom’14), Sep. 2014, pp. 177–188.

[69] E. Gelenbe and Y. Cao, “Autonomous search for mines,” European Journal of Operational Research, vol. 108, no. 2, pp. 319–333, 1998.

[70] E. Gelenbe and Z. Kazhmaganbetova, “Cognitive packet network for bilateral asymmetric connections,” IEEE Trans. Industrial Informatics, 2014.

[71] E. Gelenbe, “The first decade of G-networks,” European Journal of Operational Research, vol. 126, no. 2, pp. 231–232, 2000.

Gokce Gorbil received his PhD degree in Electrical and Electronic Engineering from Imperial College London in 2013. He is currently a research associate at Imperial, working in the areas of mobile network security and cloud computing. He is an organizing committee member of the ISCIS’15 conference, and a TPC member in the IEEE ISSNIP’15 conference and the IEEE PerNEM’15 workshop. His research interests include wireless and mobile networks, distributed systems, cloud computing, modeling and simulation of computing systems and networks, and network security.

Omer H. Abdelrahman (M’14) received the BSc degree in Electrical and Electronic Engineering from the University of Khartoum, Sudan, in 2005, the MSc degree in Communications and Signal Processing and the PhD degree in Computer Networks from Imperial College London in 2007 and 2012, respectively. He is currently a research associate in the Intelligent Systems and Networks Group at Imperial. His research interests include stochastic analysis and queueing theory, search techniques in random environments, and network security.

Mihajlo Pavloski received his BSc degree in Telecommunications and MSc degree in Wireless and Mobile Communications from Ss Cyril and Methodius University in Skopje, Republic of Macedonia in 2009 and 2012, respectively. He is currently pursuing his PhD degree in Electrical and Electronic Engineering at Imperial College London. His research interests include queueing networks, statistical analysis and machine learning.

Erol Gelenbe (F’86) is the “Dennis Gabor Chair Professor” at Imperial College London in the Department of Electrical and Electronic Engineering. He is a Fellow of the French National Academy of Engineering, and of the Science Academies of Hungary, Poland and Turkey. An expert on the performance, including security, of large scale computer and network systems, he was born in Istanbul, graduated from Ankara Koleji, and received his BSc degree in Electrical and Electronic Engineering with High Honours from the Middle East Technical University (Ankara). After a MSc and PhD in Electrical Engineering at Brooklyn Poly, he joined the University of Michigan (Ann Arbor) as an Assistant Professor. In early 1972 he joined INRIA France where he established the first research group in Modelling and Performance Evaluation of Computer Systems and Networks, which is still today one of INRIA’s strongest research areas. In 1973 he received the Doctorat d’Etat degree in Mathematical Sciences from Universite “Pierre et Marie Curie (Paris VI)”, and in 1974 he was appointed Chaired Professor of Computer Science at the University of Liege, Belgium. In 1979 he became Professor of Computer Science at Universite Paris Sud (Orsay), while continuing his association with INRIA, and also served as Lecturer in Applied Mathematics at Ecole Polytechnique (Paris). In 1984–86 he was Science and Technology Advisor to the Minister for Universities (France), and then moved to Universite Paris V where he started the Computer Science department. From 1993 onwards he was on leave from the University of Paris, first as Chaired Professor and Department Head at Duke University, and then Director of the School of Electrical Engineering and Computer Science at the University of Central Florida, and at Imperial College London since 2003. He is currently PI of a 2.9M Euro EU FP7 grant on Mobile Network Security. He is also PI of two grants (EPSRC and DSTL) regarding energy savings in ICT, and is PI for Imperial for the EU FP7 grant PANACEA regarding resilient Cloud Computing. Erol’s research also addresses biologically inspired neural networks, gene regulatory networks and certain aspects of statistical physics. His papers appear in the top journals of Electrical Engineering, Computer Science, applied mathematics and physics. A Fellow of ACM and the IET, he received the Science Prize of the Parlar Foundation, the Grand Prix France Telecom of the French Academy of Science and the ACM SIGMETRICS Life-Time Achievement Award. His honours include the “Chevalier de la Legion d’Honneur” and “Officier de l’Ordre du Merite” (France), and the Commander of Merit and Grand Officer of the Order of the Star of Italy.