US20100235911A1 - Systems, methods, and computer readable media for detecting and mitigating address spoofing in messaging service transactions - Google Patents

Systems, methods, and computer readable media for detecting and mitigating address spoofing in messaging service transactions Download PDF

Info

Publication number
US20100235911A1
US20100235911A1 US12/722,460 US72246010A US2010235911A1 US 20100235911 A1 US20100235911 A1 US 20100235911A1 US 72246010 A US72246010 A US 72246010A US 2010235911 A1 US2010235911 A1 US 2010235911A1
Authority
US
United States
Prior art keywords
message
messaging service
smsc
mobility management
identifier
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Abandoned
Application number
US12/722,460
Inventor
Eloy Johan Lambertus Nooren
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Tekelec International SPRL
Tekelec Netherlands Group BV
Original Assignee
Tekelec Inc
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Tekelec Inc filed Critical Tekelec Inc
Priority to US12/722,460 priority Critical patent/US20100235911A1/en
Assigned to TEKELEC reassignment TEKELEC ASSIGNMENT OF ASSIGNORS INTEREST (SEE DOCUMENT FOR DETAILS). Assignors: NOOREN, ELOY JOHAN LAMBERTUS
Publication of US20100235911A1 publication Critical patent/US20100235911A1/en
Assigned to TEKELEC reassignment TEKELEC CORRECTIVE ASSIGNMENT Assignors: NOOREN, ELOY JOHAN LAMBERTUS
Assigned to WILMINGTON TRUST, NATIONAL ASSOCIATION reassignment WILMINGTON TRUST, NATIONAL ASSOCIATION SECURITY INTEREST (SEE DOCUMENT FOR DETAILS). Assignors: CAMIANT, INC., TEKELEC
Assigned to TEKELEC GLOBAL, INC. reassignment TEKELEC GLOBAL, INC. CHANGE OF NAME (SEE DOCUMENT FOR DETAILS). Assignors: TEKELEC
Assigned to TEKELEC INTERNATIONAL SPRL reassignment TEKELEC INTERNATIONAL SPRL ASSIGNMENT OF ASSIGNORS INTEREST (SEE DOCUMENT FOR DETAILS). Assignors: TEKELEC GLOBAL, INC.
Assigned to TEKELEC NETHERLANDS GROUP, B.V. reassignment TEKELEC NETHERLANDS GROUP, B.V. ASSIGNMENT OF ASSIGNORS INTEREST (SEE DOCUMENT FOR DETAILS). Assignors: TEKELEC INTERNATIONAL SPRL
Assigned to TEKELEC AND CAMIANT, INC. reassignment TEKELEC AND CAMIANT, INC. TERMINATION OF SECURITY INTERESTS Assignors: WILMINGTON TRUST, NATIONAL ASSOCIATION
Priority to US13/646,538 priority patent/US8908864B2/en
Abandoned legal-status Critical Current

Links

Images

Classifications

    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04WWIRELESS COMMUNICATION NETWORKS
    • H04W12/00Security arrangements; Authentication; Protecting privacy or anonymity
    • H04W12/12Detection or prevention of fraud
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/14Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1441Countermeasures against malicious traffic
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04WWIRELESS COMMUNICATION NETWORKS
    • H04W12/00Security arrangements; Authentication; Protecting privacy or anonymity
    • H04W12/12Detection or prevention of fraud
    • H04W12/128Anti-malware arrangements, e.g. protection against SMS fraud or mobile malware
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04WWIRELESS COMMUNICATION NETWORKS
    • H04W88/00Devices specially adapted for wireless communication networks, e.g. terminals, base stations or access point devices
    • H04W88/18Service support devices; Network management devices
    • H04W88/184Messaging devices, e.g. message centre

Definitions

  • the subject matter described herein relates to methods and systems for detecting fraudulent activity within a telecommunications network. More particularly, the subject matter described herein relates to systems, methods, and computer readable media for detecting and mitigating address spoofing in messaging service transactions.
  • a telecommunications network may support one or more messaging services.
  • One example messaging service is the short message service, or SMS. SMS allows the communication of short text messages between mobile communications devices, such as mobile phones, personal digital assistants, and the like.
  • SMS allows the communication of short text messages between mobile communications devices, such as mobile phones, personal digital assistants, and the like.
  • mobile phone is hereinafter used to generically refer to any type of mobile communications device, although the subject matter described herein is not so limited.
  • the delivery of an SMS message is a two-step process. First, if the receiver is a mobile subscriber, the receiver's current location—more specifically, the identity of the mobile switching center (MSC) that is currently serving the receiver's mobile phone, referred to as the serving MSC —must be determined. Second, the MT/SM message is forwarded to the serving MSC, which will transmit the MT/SM message to the receiver's mobile phone.
  • MSC mobile switching center
  • FIG. 1A is a block diagram illustrating processing of an MT/SM message in a conventional signaling system #7 (SS7) based telecommunications network according to the steps described above.
  • Telecommunications network 100 includes a short messaging service center (SMSC) node 102 for processing SMS messages, such as MT/SM message 104 , which was sent from a mobile subscriber, sender 106 , and intended for another mobile subscriber, receiver 108 .
  • SMSC 102 sends a send routing information for short message (SRI_SM) message 110 to the home location register (HLR) 112 which maintains the current location of receiver 108 .
  • SRI_SM short message
  • SRI_SM_ACK message 114 includes information identifying subscriber 108 , such as the (IMSI) for subscriber 108 .
  • the information identifying subscriber 108 is subscriber 108 's IMSI number, represented in FIG. 1 as IMSI#.
  • SRI_SM_ACK message 114 also includes information identifying the MSC currently serving receiver 108 .
  • MSC 116 is currently serving receiver 108
  • MSC 116 is identified by its network address, represented in FIG. 1 as “ADDR 1 ”.
  • SMSC 102 then issues a MT_FORWARD_SM message 118 to MSC 116 , which delivers what is essentially the original MT/SM message 104 ′ to receiver 108 .
  • SMSC 102 is an entity in the originating network and HLR 112 and MSC 116 are entities in a terminating network that is different from the originating network.
  • SRI_SM message 110 contains the address of SMSC 102 at two layers of the signaling message protocol, and thus within two separate sets of message parameters or fields: the signaling connection control part (SCCP) layer and the mobile application part (MAP) layer.
  • SCCP signaling connection control part
  • MAP mobile application part
  • MSC 116 may, upon receiving MT_FORWARD_SM message 118 , determine that the message originated from a different network and, in response to that determination, extract the SMSC address from MT_FORWARD_SM message 118 .
  • the terminating network may then identify the network to which SMSC 102 belongs and charge a termination fee 120 to the identified originating network.
  • unscrupulous originating network operators may “spoof” (falsify) the contents of the SMS message so that the SMS message appears to have come from a third telecommunications network rather than from the actual originating network.
  • FIG. 1B is a block diagram illustrating MT/SM spoofing in the conventional telecommunications network of FIG. 1A . Elements of FIG. 1B are essentially identical to their like-numbered counterparts in FIG. 1A , and therefore their descriptions will not be repeated here.
  • FIG. 1B also includes a third network, “NW 3 ”, which contains its own SMSC 122 .
  • NW 3 contains its own SMSC 122 .
  • terminating network NW 2 receives from originating network NW 1 an SMS message, such as MT_FORWARD_SM message 118 ′, with a spoofed origination address (“ADDR 3 ”) that falsely indicates that the SMS message came from SMSC 122 .
  • the terminating network then incorrectly charges termination fee 120 ′ to the third telecommunications network NW 3 rather than to the actual originating network NW 1 .
  • an unscrupulous network operator e.g., the operator of NW 1
  • Spam SMS messages are particularly grievous since the subscriber is often charged a fee for every SMS message received, which results in a subscriber not only receiving unwanted and often offensive SMS messages, but the subscriber having to pay for these unwanted SMS messages.
  • Some subscribers may have plans that have a finite number of SMS messages that may be sent or received within a billing period, where the subscriber is charged a steep fee for every additional message sent or received during that billing period.
  • the charge levied upon the subscriber due to the additional SMS messages may be many times more than the cost of the original subscription.
  • Network operators may then face the prospect of absorbing the cost themselves or risk losing subscribers.
  • the network operator would desire to detect and discard spoofed MT/SM messages.
  • a messaging service firewall separate from a short message service center (SMSC) and implemented on a platform including at least one processor receives a mobility management reply message that is sent by a mobile location register element in response to an associated mobility management query, the mobility management query and the mobility management reply message being associated with a mobility management transaction, the mobility management reply message including a message service recipient identifier and a serving switch identifier.
  • the messaging service firewall allocates a global title address (GTA) from a pool of global title addresses within a range of global title addresses assigned to the firewall, and stores a correlation between the allocated GTA and an originating SMSC identifier.
  • GTA global title address
  • the messaging service firewall replaces the serving switch identifier in the mobility management reply message with the allocated GTA and routes the modified mobility management reply message.
  • the messaging service firewall then receives a message service message associated with the mobility management transaction, the messaging service message being addressed to the allocated GTA, and determines the originating SMSC identifier to which the allocated GTA is correlated.
  • the messaging service firewall compares SMSC identifier information extracted from the messaging service message with the originating SMSC identifier to which the allocated GTA is correlated to determine if the messaging service message contains spoofed address information. In response to determining that the messaging service message contains spoofed address information, the messaging service firewall discards the messaging service message.
  • the subject matter described herein includes a method for detecting and mitigating address spoofing in a messaging service transaction.
  • a messaging service firewall separate from a short message service center (SMSC) and implemented on a platform including at least one processor receives a mobility management query message associated with a message delivery transaction that is sent by an originating SMSC element, where the mobility management query message includes a message service recipient identifier and a first originating SMSC identifier.
  • the messaging service firewall generates a mobility management reply message in response to the query message, the reply message including a least a portion of the first originating SMSC identifier in one or more parameters of the reply message that trigger the originating SMSC to echo the parameters in a subsequent message associated with the message delivery transaction.
  • the messaging service firewall receives a messaging service message associated with the message delivery transaction, where the messaging service message includes the echoed parameters, and extracts the echoed parameters from the messaging service message.
  • the messaging service firewall compares SMSC identifier information extracted from the messaging service message with SMSC identifier information contained in the routing label of the received messaging service message to determine if the messaging service message contains spoofed address information. In response to determining that the messaging service message contains spoofed address information, the messaging service firewall discards the messaging service message.
  • the subject matter described herein includes a system for detecting and mitigating address spoofing in messaging service transactions.
  • the system includes a messaging service firewall separate from a short message service center (SMSC) and implemented on a platform including at least one processor.
  • SMSC short message service center
  • the messaging service firewall includes a network interface for sending and receiving signaling messages and a spoofing detection module for: receiving, from the network interface, a mobility management reply message that is sent by a mobile location register element in response to an associated mobility management query, where the mobility management reply message includes a message service recipient identifier and a serving switch identifier; allocating a global title address (GTA) from a pool of global title addresses within a range of global title addresses assigned to the firewall; generating and storing a correlation record that associates the GTA with an originating SMSC identifier; replacing the serving switch identifier in the reply message with the firewall GTA; and routing the modified reply message.
  • GTA global title address
  • the spoofing detection module is also for: receiving, from the network interface, a message service message including the allocated GTA and using the allocated GTA to locate the correlation record; comparing SMSC identifier information extracted from the messaging service message with SMSC identifier information contained in the correlation record to determine if the messaging service message contains spoofed address information; and, in response to determining that the messaging service message contains spoofed address information, discarding the messaging service message.
  • the subject matter described herein includes a system for detecting and mitigating address spoofing in messaging service transactions.
  • the system includes a messaging service firewall separate from a short message service center (SMSC) and implemented on a platform including at least one processor.
  • SMSC short message service center
  • the messaging service firewall includes a network interface for sending and receiving signaling messages and a spoofing detection module for receiving, from the network interface, a mobility management query message associated with a message delivery transaction that is sent by an originating SMSC element, where the mobility management query message includes a message service recipient identifier and a first originating SMSC identifier, and generating a mobility management reply message, in response to the query message, that includes a least a portion of the first originating SMSC identifier in one or more parameters of the reply message that trigger the originating SMSC to echo the parameters in a subsequent message associated with the message delivery transaction.
  • the spoofing detection module is also for receiving, from the network interface, a messaging service message associated with the message delivery transaction, where the messaging service message includes the echoed parameters; extracting the echoed parameters in the messaging service message; comparing SMSC identifier information extracted from the messaging service message with SMSC identifier information contained in the routing label of the received messaging service message to determine if the messaging service message contains spoofed address information; and, in response to determining that the messaging service message contains spoofed address information, discarding the messaging service message.
  • the subject matter described herein for detecting and mitigating address spoofing in messaging service transactions may be implemented in hardware, software, firmware, or any combination thereof.
  • the terms “function” or “module” as used herein refer to hardware, software, and/or firmware for implementing the feature being described.
  • the subject matter described herein may be implemented using a non-transitory computer readable medium having stored thereon computer executable instructions that when executed by the processor of a computer control the computer to perform steps.
  • Exemplary computer readable media suitable for implementing the subject matter described herein include non-transitory computer-readable media, such as disk memory devices, chip memory devices, programmable logic devices, and application specific integrated circuits.
  • a computer readable medium that implements the subject matter described herein may be located on a single device or computing platform or may be distributed across multiple devices or computing platforms.
  • FIGS. 1A and 1B are block diagrams illustrating processing of an MT/SM message in a conventional signaling system #7 (SS7) based telecommunications network.
  • FIG. 1A illustrates normal (non-fraudulent) MT/SM processing
  • FIG. 1B illustrates MT/SM address spoofing;
  • FIG. 2 is a block diagram illustrating an exemplary system for detecting and mitigating address spoofing in messaging service transactions according to an embodiment of the subject matter described herein;
  • FIGS. 3A , 3 B, and 3 C are signaling message flow diagrams illustrating messages communicated within a system during an exemplary process for detecting and mitigating address spoofing in messaging service transactions according to an embodiment of the subject matter described herein;
  • FIGS. 4A and 4B are signaling message flow diagrams illustrating messages communicated within a system during an exemplary process for detecting and mitigating address spoofing in messaging service transactions according to another embodiment of the subject matter described herein;
  • FIG. 5 is a block diagram illustrating a method for encrypting the data necessary for detecting and mitigating address spoofing in messaging service transactions according to an embodiment of the subject matter described herein.
  • systems, methods, and computer readable media are provided for detecting and mitigating address spoofing in messaging service transactions.
  • FIG. 2 is a block diagram illustrating an exemplary system for detecting and mitigating address spoofing in messaging service transactions according to an embodiment of the subject matter described herein.
  • System 200 includes one more firewall nodes 202 for detecting and mitigating address spoofing.
  • system 200 includes four firewall nodes 202 , labeled “FWL 1 ”, “FWL 2 ”, “FWL 3 ”, and “FWL 4 ”, respectively.
  • Firewall nodes 202 intercept and process SMS-related messages that may be sent by a short message service center (SMSC) 204 .
  • SMSC short message service center
  • Example messages that may be intercepted include: send routing information for short message (SRI_SM) messages that are sent by SMSC 204 to a home location register (HLR) 206 ; mobile-terminated forward short message (MT_F_SM) messages that are sent by SMSC 204 to a serving mobile switching center (SRVMSC) 208 ; and other types of SMS messages.
  • SRI_SM short message
  • HLR home location register
  • MT_F_SM mobile-terminated forward short message
  • SRVMSC serving mobile switching center
  • a signaling message routing node such as signal transfer point (STP) 210 may distribute incoming SMS-related messages to firewall nodes 202 .
  • STP 210 may assign incoming SMS-related messages to firewall nodes 202 based on the identity of the intended receiver, generically referred to as the “called party” or CDPA.
  • the called party may be identified using a global title address (GTA).
  • GTA global title address
  • STP 210 may make use of a table, database, or other appropriate construct, such as global title translation (GTT) table 212 , that maps a range of called party addresses to particular firewall nodes 202 .
  • GTT global title translation
  • GTT table 212 maps called parties to firewall nodes 202 according to the called party's GTA.
  • GTT table 212 SMS-related messages that involve called parties with a GTA that matches the pattern “+316261*” are assigned or forwarded to FWL 1 for processing, SMS-related messages that involve called parties with a GTA that matches the pattern “+316262*” are assigned or forwarded to FWL 2 for processing, and so on.
  • Each of firewall nodes 202 may access HLR 206 and each may communicate with STP 210 , SRVMSC 208 , or other telecommunication network nodes.
  • system 200 in FIG. 2 includes two separate telecommunications networks: a first network (NW 1 ), which contains SMSC 204 ; and a second network (NW 2 ), which contains every other element illustrated in FIG. 2 .
  • NW 1 may also be referred to as the originating network
  • NW 2 may also be referred to as the terminating network.
  • network identifiers e.g., network addresses
  • SMSC 204 has a network address of “AAA”; of the firewall nodes 202 , FWL 1 has a network address of “BBB”; HLR 206 has a network address of “CCC”; and SRVMSC 208 has a network address of “DDD”.
  • a mobile subscriber (MS) 214 is being served by SRVMSC 208 .
  • MS 214 is identified by both a mobile subscriber integrated services digital network (MSISDN) number, “EEE”, and an international mobile subscriber identity (IMSI) number, “FFF”.
  • MSISDN mobile subscriber integrated services digital network
  • EAE mobile subscriber integrated services digital network
  • IMSI international mobile subscriber identity
  • STP 210 has a network address of “GGG”.
  • each firewall node 202 includes a network interface (NWIF) 216 for sending and receiving signaling messages, and a spoofing detection module (SDM) 218 .
  • NWIF network interface
  • SDM spoofing detection module
  • spoofing detection module 218 is for: receiving, from the network interface, a mobility management query message associated with a message delivery transaction that is sent by an originating SMSC element, where the mobility management query message includes a message service recipient identifier and a first originating SMSC identifier; generating a mobility management reply message, in response to the query message, that includes a least a portion of the first originating SMSC identifier in one or more parameters of the reply message that trigger the originating SMSC to echo the parameters in a subsequent message associated with the message delivery transaction; receiving, from the network interface, a messaging service message associated with the message delivery transaction, where the messaging service message includes the echoed parameters; extracting the echoed parameters in the messaging service message; comparing SMSC identifier information extracted from the messaging service message with SMSC identifier information contained in the routing label of the received messaging service message to determine if the messaging service message contains spoofed address information; and, in response to determining that the messaging service message contains spoofed address information, discarding the messaging
  • spoofing detection module 218 is for: receiving, from the network interface, a mobility management query message associated with a message delivery transaction that is sent by an originating SMSC element, where the mobility management query message includes a message service recipient identifier and a first originating SMSC identifier; generating a mobility management reply message, in response to the query message, that includes a least a portion of the first originating SMSC identifier in one or more parameters of the reply message that trigger the originating SMSC to echo the parameters in a subsequent message associated with the message delivery transaction; receiving, from the network interface, a messaging service message associated with the message delivery transaction, where the messaging service message includes the echoed parameters; extracting the echoed parameters in the messaging service message; comparing SMSC identifier information extracted from the messaging service message with SMSC identifier information contained in the routing label of the received messaging service message to determine if the messaging service message contains spoofed address information; and, in response to determining that the messaging service message contains spoofed address information, discarding the
  • FIGS. 3A , 3 B, and 3 C are signaling message flow diagrams illustrating messages communicated within exemplary system 200 during a process for detecting and mitigating address spoofing in messaging service transactions according to an embodiment of the subject matter described herein.
  • FIGS. 3A , 3 B, and 3 C show messages communicated between SMSC 204 , STP 210 , FWL 1 202 , HLR 206 , and SRVMSC 208 . These nodes are identical to their like-numbered counterparts illustrated in FIG. 2 , and therefore their descriptions will not be repeated here.
  • SMSC 204 may send a mobility management request message 300 requesting routing information for a called party mobile subscriber, who is identified by a called party address (CDPA).
  • SMSC 204 sends a send routing information for short message (SRI_SM) message to determine the routing information for mobile subscriber MS 214 , whose MSISDN number is “EEE”.
  • SRI_SM short message
  • mobility management request message 300 may include information indicating the source of the message.
  • mobility management request message 300 includes a field or parameter called “SRC”, which stores the address of SMSC 204 , which has a network address of “AAA”.
  • SRC a field or parameter called “SRC”
  • mobility management request message 300 is received or intercepted by a routing node, STP 210 .
  • STP 210 selects one of firewall nodes 202 based on the called party address contained within mobility management request message 300 .
  • STP 210 selects FWL 1 , whose network address is “BBB”, and forwards the SRI_SM message to FWL 1 , shown in FIG. 3A as message 304 .
  • system 200 may have only one firewall node 202 , in which case mobility management request message 300 may be routed to that firewall node either with or without the need for STP 210 .
  • network NW 2 may not include an STP.
  • firewall node FWL 1 202 terminates SRI_SM message 304 and generates a new SRI_SM message 308 , which sends to HLR 206 .
  • HLR 206 sends a reply message, SRI_SM_ACK 310 , containing the IMSI number (“FFF”) for MS 214 and an identity of the serving MSC (“DDD”).
  • IMSI and serving MSC parameters are displayed in all figures using the format “IMSI@servingMSC”.
  • FWL 1 202 may modify the original mobility management request message 300 in such as manner as to guarantee that the response from HLR 206 returns through FWL 1 202 .
  • FWL 1 202 may update the source information in the routing label so that it appears to HLR 206 that the mobility management request message originated from FWL 1 202 .
  • firewall node FWL 1 202 has at its disposal a pool of addresses or other form of identity by which it may be identified.
  • FWL 1 202 has a collection of global title addresses (GTAs), shown as values “GTA 0 ” through “GTA 9 ”.
  • GTAs global title addresses
  • FWL 1 202 selects an available GTA (e.g., “GTA 7 ”) to be used for a message delivery transaction, of which mobility management request message 300 is only the first part.
  • FWL 1 202 stores a correlation between the selected or allocated GTA and information identifying an originating SMSC.
  • FWL 1 202 may store correlation information in the form of a correlation record in a table, database, or other form of data storage and retrieval.
  • FWL 1 202 may use the selected GTA as a key and store the address of the originating SMSC 204 and the identity of the MSC currently serving the mobile subscriber.
  • FWL 1 202 may use the key “GTA 7 ” to store the value “AAA” in a record field labeled “SRC” and to store the value “DDD” in a record field labeled “SRVMSC”.
  • firewall nodes 202 may allocate each of its available GTAs to only one correlation record at a time; allocated GTAs are then unavailable to be allocated again until the allocated GTA is deallocated or released back into the pool.
  • a GTA may be deallocated or released as a result of various trigger conditions, such as the completion (or abandonment) of the mobility management transaction to which the GTA is associated, explicit instruction from the network operator or provisioning system, node, module, or service reset, etc.
  • FWL 1 202 terminates SRI_SM_ACK message 314 that it receives from HLR 206 and generates a new SRI_SM_ACK message 318 , which it forwards to SMSC 204 .
  • Generated SRI_SM_ACK message 318 contains the IMSI for MS 214 , i.e., “FFF”, but instead of the address of SRVMSC 208 , FWL 1 202 replaces the actual value “DDD” with the address of the selected GTA, e.g., “GTA 7 ”. In this manner, FWL 1 202 can guarantee that, as will be shown below, other messages involved in the message delivery transaction will also be routed through FWL 1 202 .
  • FIG. 3B illustrates detection of a spoofed MT/SM message
  • FIG. 3C illustrates processing of a legitimate (i.e., non-spoofed) MT/SM message.
  • SMSC 204 in response to receiving SRI_SM_ACK message 318 from FWL 1 202 , SMSC 204 now has enough information to deliver the MT/SM message.
  • SMSC 204 may issue a mobile-terminated forward short message (MT_F_SM) message 320 to what SMSC 204 has been told is the MSC that is currently serving MS 214 .
  • MT_F_SM message 320 is addressed to FWL 1 202 .
  • FIG. 3B illustrates detection of a spoofed MT/SM message
  • FIG. 3C illustrates processing of a legitimate (i.e., non-spoofed) MT/SM message.
  • SMSC 204 in response to receiving SRI_SM_ACK message 318 from FWL 1 202 , SMSC 204 now has enough information to deliver the
  • SMSC 204 attempts to spoof the source address of the MT_F_SM message in order to avoid a termination fee from NW 2 .
  • MT_F_SM message 320 includes false information, shown as “FAKE_ADDR” in FIG. 3B , in the SRC field of MT_F_SM message 320 .
  • MT_F_SM message 320 is received by FWL 1 202 .
  • FWL 1 202 extracts the key, which FWL 1 202 will use to look up the correlation information, from received MT_F_SM message 320 .
  • the key is “GTA 7 ” and the value of the correlation data is the address of the source of mobility management request message 300 , or “AAA”.
  • FWL 1 202 may then simply compare the purported source of MT_F_SM message 320 (“FAKE_ADDR”) with the source of the associated mobility management request message 300 (“AAA”), and determine that MT_F_SM message 320 has a spoofed address. As shown in block 324 of FIG. 3B , FWL 1 202 may then discard the MT_F_SM message or otherwise prohibit it from being forwarded to SRVMSC 208 .
  • FIG. 3C illustrates processing of a legitimate (i.e., non-spoofed) MT/SM message.
  • SMSC 204 in response to receiving SRI_SM_ACK message 318 from FWL 1 202 , SMSC 204 now has enough information to deliver the MT/SM message.
  • SMSC 204 may issue a mobile-terminated forward short message (MT_F_SM) message 328 to what SMSC 204 has been told is the MSC that is currently serving MS 214 .
  • MT_F_SM message 328 is addressed to FWL 1 202 .
  • MT_F_SM message 328 is a legitimate MT/SM message that contains the true identity of the source SMSC 204 : the “SRC” field contains the address of SMSC 204 , which is “AAA”.
  • MT_F_SM message 328 is received by FWL 1 202 .
  • FWL 1 202 extracts the key, which FWL 1 202 will use to look up the correlation information, from received MT_F_SM message 328 .
  • the key is “GTA 7 ” and the correlation data associated with that key is the address of the source of mobility management request message 300 (“AAA”), and the identity of the MSC currently serving MS 214 (“DDD”).
  • FWL 1 202 may then simply compare the purported source of MT_F_SM message 328 (“AAA”) with the source of the associated mobility management request message 300 (“AAA”), and determine that MT_F_SM message 328 is legitimate.
  • FWL 1 202 may then forward the legitimate message 334 to currently serving MSC 208 .
  • FIGS. 4A and 4B are signaling message flow diagrams illustrating messages communicated within exemplary system 200 during a process for detecting and mitigating address spoofing in messaging service transactions according to another embodiment of the subject matter described herein.
  • FIGS. 4A and 4B show messages communicated between SMSC 204 , STP 210 , FWL 1 202 , HLR 206 , and SRVMSC 208 . These nodes are identical to their like-numbered counterparts illustrated in FIG. 2 , and therefore their descriptions will not be repeated here.
  • MT/SM spoofing detection and mitigation is accomplished without the need to store correlation data.
  • a firewall node responds to a mobility management query, such as an SRI_SM or similar, with what is herein referred to as a “synthetic” response.
  • a synthetic response is a mobility management query response, such as an SRI_SM_ACK or similar, that appears to be a real response but which does not contain real data.
  • the synthetic response is constructed in such as way as to guarantee that any subsequent mobility management message that is associated with the first mobility management request will: a) be directed to the same firewall that created and issued the synthetic response, and b) include information that identifies the original mobility management request.
  • the firewall node stores the correlation data in the synthetic response itself, and presumes that when a subsequent mobility management message, such as a mobility service request, arrives, the subsequent mobility management message will contain the correlation data that the firewall node needs to perform spoofing detection and mitigation. This process will now be described in detail using FIGS. 4A and 4B .
  • an SMSC may send a mobility management request message requesting routing information for a called party mobile subscriber, such as MS 214 , identified by MSISDN number (“EEE”).
  • SMSC 204 sends SRI_SM message 400 , the message requesting routing information for mobile subscriber MS 214 , whose MSISDN number is “EEE”.
  • SRI_SM message 400 is received and routed by STP 210 , which directs SRI_SM message 400 to firewall node, FWL 202 .
  • FWL 202 does not forward the SRI_SM message to an HLR, but instead generates a synthetic response message, SRI_SM_ACK message 404 .
  • a real SRI_SM_ACK message would return the IMSI number of the mobile subscriber called party, and an identifier of the MSC currently serving the mobile subscriber called party.
  • a real SRI_SM_ACK message would return an IMSI value of “FFF” and a serving MSC identifier of “DDD”.
  • FWL 202 creates a synthetic SRI_SM_ACK message 404 that stores the MSISDN number from SRI_SM message 400 in the IMSI field and stores the address of the source of SRI_SM message 400 in the serving MSC field.
  • FWL 202 cannot completely replace the contents of the serving MSC identifier (e.g., address “DDD”) with the address of the source of SRI_SM message 400 (e.g., address “AAA”), because the serving MSC identifier is subsequently used by SMSC 204 as the destination for the message service request. If synthetic SRI_SM_ACK message 404 included address AAA in the serving MSC field, a subsequent MT_F_SM message would be delivered back to SMSC 204 .
  • the serving MSC identifier e.g., address “DDD”
  • AAA address of the source of SRI_SM message 400
  • the serving MSC address field in synthetic SRI_SM_ACK message 404 contains the address of the source of the SRI_SM message 400 .
  • the serving MSC address is an MSISDN number, of the format shown below:
  • FWL 202 issues synthetic SRI_SM_ACK message 404 with the IMSI field containing value “EEE” (the MSISDN number for MS 214 ) and the serving MSC field containing a first portion that identifies the network to which FWL 202 belongs (shown as “NW 2 ” in FIG. 4A ) and a second portion that identifies the source of SRI_SM message 400 (shown as “AAA” in FIG. 4A ). This information is represented as “EEE@NW 2 +AAA” in FIG. 4A .
  • SMSC 204 receives synthetic SRI_SM_ACK message 404 and uses the IMSI@servingMSC information to issue a message service request message to what it believes to the serving MSC.
  • SMSC 204 issues MT_F_SM message 408 to the address “NW 2 +AAA”.
  • address “NW 2 +AAA” is not a real address; but the “NW 2 ” portion of the address is enough for SMSC 204 to know that MT_F_SM message 408 must be routed first to STP 210 , which receives MT_F_SM message 408 .
  • STP 210 uses MAP filtering to determine that MT_F_SM message 408 is a mobility management service message, and therefore forwards the message to FWL 202 .
  • the forwarded MT_F_SM message 412 is thus guaranteed to go to the same firewall node that received and processed the original mobility management query message (e.g., SRI_SM message 400 ) that is associated with the subsequent mobility management service message (e.g., MT_F_SM message 404 .)
  • FWL 202 determines the source of MT_F_SM message 412 with the information, stored in the serving MSC field, that identifies the source of SRI_SM message 400 , as shown in block 414 .
  • FWL 202 determines that MT_F_SM message 412 came from SMSC 204 (identified by address “AAA”) and that the source of SRI_SM message 400 was also SMSC 204 , because the serving MSC field of MT_F_SM message 412 also contains the value “AAA”.
  • FWL 202 Since, in the embodiment illustrated in FIG. 4B , MT_F_SM message 412 is authentic, FWL 202 now performs all of the necessary steps for SMS message delivery. First, FWL 202 queries HLR 206 for the location of MS 214 (SRI_SM message 418 ) and gets a response (SRI_SM_ACK message 420 ). Second FWL 202 modifies MT_F_SM message 412 to include the authentic IMSI number and serving MSC identifier (e.g., FFF@DDD) and forwards the modified MT_F_SM message 424 to the correct serving MSC, SRVMSC 208 . The serving MSC may then issue a termination fee 426 to the originating SMSC 204 .
  • serving MSC may then issue a termination fee 426 to the originating SMSC 204 .
  • the correlation data that FWL 202 stores in the IMSI and serving MSC fields of synthetic SRI_SM_ACK message 404 may be encrypted. This is illustrated in FIG. 5 .
  • FIG. 5 is a block diagram illustrating a method for encrypting the data necessary for detecting and mitigating address spoofing in messaging service transactions according to an embodiment of the subject matter described herein.
  • FIG. 5 illustrates in more detail selected parameters of SRI_SM message 400 , synthetic SRI_SM_ACK message 404 , MT_F_SM message 412 , and SRI_SM message 418 , from FIGS. 4A and 4B .
  • FWL 202 receives SRI_SM message 400 , which includes two parameters: the SCCP SMSC (SRC) parameter 500 , which is in MSISDN format, and the called party (CDPA) parameter 502 , also in MSISDN format.
  • SRC SCCP SMSC
  • CDPA called party
  • FWL 202 uses the country code (CC) and network destination code (NDC) fields of SRC parameter 500 and all of the fields of CDPA parameter 502 as input into an encryption algorithm 504 .
  • Encryption algorithm 504 may also require an encryption key 506 as input.
  • the output of encryption algorithm 504 is used to generate synthetic SRI_SM_ACK message 404 , which has two parameters: the IMSI number (IMSI) parameter 508 and the serving MSC (SRVMSC) parameter 510 .
  • IMSI parameter 508 is in the IMSI format, which includes the following fields:
  • the output of encryption algorithm 504 includes data that will be placed into the MSIN field of IMSI parameter 508 and the SN field of SRVMSC parameter 510 .
  • the CC and NDC fields of SRVMSC parameter 510 must contain CC and NDC values that will cause the subsequent MT_F_SM message 412 to be routed to the network to which FWL 202 belongs, so that FWL 202 will receive subsequent MT_F_SM message 412 .
  • the CC and NCD fields of CDPA parameter 502 may be compressed or replaced with an alias 512 to save space.
  • FIG. 5 also illustrates in detail the parameters within MT_F_SM message 412 , which also includes an IMSI parameter 514 and a SRVMSC parameter 516 .
  • IMSI parameter 514 should be the same as IMSI parameter 508 and the contents of SRVMSC parameter 516 should be the same as SRVMSC parameter 510 .
  • FWL 202 will extract information from the MSIN field of IMSI parameter 514 and the SN field of SRVMSC parameter 516 , and use them as input into a decryption algorithm 518 .
  • Decryption algorithm 518 may also use a decryption key 520 , which may be the same key or a different key from encryption key 506 , depending on whether the encryption algorithm is symmetric or asymmetric, respectively.
  • the output of decryption algorithm 518 includes data that will be placed into the CC, NDC, and SN fields of SCCP SMSC (SCR) parameter 522 and into the CC and NDC fields of SRVMSC parameter 524 of SRI_SM message 418 .
  • the output of decryption algorithm 518 may include an alias 526 which must be decompressed or mapped to a set of data for the CC and NDC fields of IMSI parameter 522 .
  • the correlation data stored by FWL 202 in various fields within SRI_SM_ACK message 404 will return to FWL 202 via the equivalent fields of MT_F_SM message 412 . From the recovered correlation data, FWL 202 has enough information to reconstruct its own SRI_SM message 418 , which it will send to HLR 206 .
  • FWL 202 can compare the SCCP SMSC parameter 522 , which stores information indicating the source of original SRI_SM message 400 , with the contents of the SCCP SMSC parameter for MT_F_SM message 412 (not shown in FIG. 5 ). If the two values are the same, MT_F_SM message 412 is legitimate.
  • the entity that sends the original SRI_SM message may be different from the entity that sends the subsequent MT_F_SM message.
  • the same entity may send both messages but that entity may be a cluster of nodes, or a single node that uses multiple addresses.
  • the contents of SCCP SMSC parameter 522 may not be exactly the same as source address of MT_F_SM message 412 .
  • the purpose of spoofing is usually to redirect a termination fee from the originating network to a third network, comparing only the CC and NDC fields of the two addresses is enough to determine whether or not MT_F_SM message 412 is spoofed.
  • encryption algorithm 504 and decryption algorithm 518 may use fields or portions of fields other than those illustrated in FIG. 5 .
  • other means of obscuring the fact that SRI_SM_ACK message 404 is synthetic or obscuring the data contained within SRI_SM_ACK message 404 is contemplated, including compression of data, mapping of data, etc.
  • SMS Short Message
  • MMS multimedia messaging services
  • mobility management related services may also apply to other telecommunication services that first locate a called party and then send data to that called party.

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)
  • Mobile Radio Communication Systems (AREA)

Abstract

Systems, methods, and computer readable media for detecting and mitigating address spoofing in messaging service transactions are disclosed. A messaging service firewall (MSF) separate from a short message service center (SMSC) receives a mobility management reply message (MMR) that is sent by a mobile location register element in response to an associated mobility management query (MMQ) and that includes a serving switch identifier. The MSF allocates a global title address (GTA) from a pool of GTAs and stores a correlation between the allocated GTA and the originating SMSC. The MSF replaces the serving switch identifier in the MMR with the allocated GTA and routes the modified MMR. The MSF then receives a messaging service message (MSM) that is addressed to the allocated GTA and that includes the purported originating SMSC. If the purported originating SMSC does not match the SMSC to which the GTA is correlated, the MSM is discarded.

Description

    PRIORITY CLAIM
  • This application claims the benefit of U.S. Provisional Patent Application Ser. No. 61/159,323, filed Mar. 11, 2009; the disclosure of which is incorporated herein by reference in its entirety.
    • TECHNICAL FIELD
  • The subject matter described herein relates to methods and systems for detecting fraudulent activity within a telecommunications network. More particularly, the subject matter described herein relates to systems, methods, and computer readable media for detecting and mitigating address spoofing in messaging service transactions.
    • BACKGROUND
  • A telecommunications network may support one or more messaging services. One example messaging service is the short message service, or SMS. SMS allows the communication of short text messages between mobile communications devices, such as mobile phones, personal digital assistants, and the like. For brevity, the term “mobile phone” is hereinafter used to generically refer to any type of mobile communications device, although the subject matter described herein is not so limited.
  • The delivery of an SMS message is a two-step process. First, if the receiver is a mobile subscriber, the receiver's current location—more specifically, the identity of the mobile switching center (MSC) that is currently serving the receiver's mobile phone, referred to as the serving MSC —must be determined. Second, the MT/SM message is forwarded to the serving MSC, which will transmit the MT/SM message to the receiver's mobile phone.
  • FIG. 1A is a block diagram illustrating processing of an MT/SM message in a conventional signaling system #7 (SS7) based telecommunications network according to the steps described above. Telecommunications network 100 includes a short messaging service center (SMSC) node 102 for processing SMS messages, such as MT/SM message 104, which was sent from a mobile subscriber, sender 106, and intended for another mobile subscriber, receiver 108. To determine the current location of receiver 108, SMSC 102 sends a send routing information for short message (SRI_SM) message 110 to the home location register (HLR) 112 which maintains the current location of receiver 108. HLR 112 sends a response message, such as SRI_SM_ACK message 114, to SMSC 102. SRI_SM_ACK message 114 includes information identifying subscriber 108, such as the (IMSI) for subscriber 108. In the conventional system illustrated in FIG. 1, the information identifying subscriber 108 is subscriber 108's IMSI number, represented in FIG. 1 as IMSI#. SRI_SM_ACK message 114 also includes information identifying the MSC currently serving receiver 108. In the conventional system illustrated in FIG. 1A, MSC 116 is currently serving receiver 108, and MSC 116 is identified by its network address, represented in FIG. 1 as “ADDR1”. SMSC 102 then issues a MT_FORWARD_SM message 118 to MSC 116, which delivers what is essentially the original MT/SM message 104′ to receiver 108.
  • In the scenario where sender 106 is in a first mobile telecommunications network and receiver 108 is in a second mobile telecommunications network, the SMS message is communicated from the first network, hereinafter referred to as the originating network, to the second network, hereinafter referred to as the terminating network. In the conventional network illustrated in FIG. 1A, SMSC 102 is an entity in the originating network and HLR 112 and MSC 116 are entities in a terminating network that is different from the originating network.
  • It is not uncommon for a terminating network to charge a termination fee for receiving and processing SMS messages that originate from other networks. The terminating network may determine the identity of the originating network—and thus determine whom to charge—by looking at the source address fields within either SRI_SM message 110 or MT_FORWARD_SM message 118. Moreover, both SRI_SM message 110 and MT_FORWARD_SM message 118 contain the address of SMSC 102 at two layers of the signaling message protocol, and thus within two separate sets of message parameters or fields: the signaling connection control part (SCCP) layer and the mobile application part (MAP) layer. Table 1, below, lists the parameter names for the two messages and the two layers.
  • TABLE 1
    SMSC Addresses Contained Within Signaling Messages
    SMSC address SMSC parameter
    Operation at SCCP layer at MAP layer
    SendRoutingInfoForSm CGPA GTA serviceCentreAddress
    MtForwardSm CGPA GTA SM-RP-OA parameter
  • In the conventional telecommunication network illustrated in FIG. 1A, MSC 116 may, upon receiving MT_FORWARD_SM message 118, determine that the message originated from a different network and, in response to that determination, extract the SMSC address from MT_FORWARD_SM message 118. The terminating network may then identify the network to which SMSC 102 belongs and charge a termination fee 120 to the identified originating network.
  • To avoid being charged a termination fee for SMS messages sent to the terminating network, unscrupulous originating network operators may “spoof” (falsify) the contents of the SMS message so that the SMS message appears to have come from a third telecommunications network rather than from the actual originating network.
  • FIG. 1B is a block diagram illustrating MT/SM spoofing in the conventional telecommunications network of FIG. 1A. Elements of FIG. 1B are essentially identical to their like-numbered counterparts in FIG. 1A, and therefore their descriptions will not be repeated here. In addition to the originating and terminating networks of FIG. 1A, now labeled as “NW1” and “NW2”, respectively, FIG. 1B also includes a third network, “NW3”, which contains its own SMSC 122. In the scenario illustrated in FIG. 1B, terminating network NW2 receives from originating network NW1 an SMS message, such as MT_FORWARD_SM message 118′, with a spoofed origination address (“ADDR3”) that falsely indicates that the SMS message came from SMSC 122. The terminating network then incorrectly charges termination fee 120′ to the third telecommunications network NW3 rather than to the actual originating network NW1. In this manner, an unscrupulous network operator (e.g., the operator of NW1) may fraudulently avoid termination fees that would otherwise be imposed upon it by the terminating network NW2.
  • This is a particularly pernicious problem in light of unwanted solicitations, colloquially called “spam”, which flood the world's email systems daily with millions or billions of unwanted messages. The entities that generate these unwanted communications have recently started sending spam via SMS. Spam SMS messages are particularly grievous since the subscriber is often charged a fee for every SMS message received, which results in a subscriber not only receiving unwanted and often offensive SMS messages, but the subscriber having to pay for these unwanted SMS messages. Some subscribers may have plans that have a finite number of SMS messages that may be sent or received within a billing period, where the subscriber is charged a steep fee for every additional message sent or received during that billing period. In a worst case scenario, the charge levied upon the subscriber due to the additional SMS messages may be many times more than the cost of the original subscription. Network operators may then face the prospect of absorbing the cost themselves or risk losing subscribers. In this scenario particularly, the network operator would desire to detect and discard spoofed MT/SM messages.
  • Accordingly, in light of the potential for fraudulent spoofing of SMS addresses, there exists a need for systems, methods, and computer readable media for detecting and mitigating address spoofing in messaging service transactions.
    • SUMMARY
  • According to one aspect, the subject matter described herein includes a method for detecting and mitigating address spoofing in a messaging service transaction. A messaging service firewall separate from a short message service center (SMSC) and implemented on a platform including at least one processor receives a mobility management reply message that is sent by a mobile location register element in response to an associated mobility management query, the mobility management query and the mobility management reply message being associated with a mobility management transaction, the mobility management reply message including a message service recipient identifier and a serving switch identifier. The messaging service firewall allocates a global title address (GTA) from a pool of global title addresses within a range of global title addresses assigned to the firewall, and stores a correlation between the allocated GTA and an originating SMSC identifier. The messaging service firewall replaces the serving switch identifier in the mobility management reply message with the allocated GTA and routes the modified mobility management reply message. The messaging service firewall then receives a message service message associated with the mobility management transaction, the messaging service message being addressed to the allocated GTA, and determines the originating SMSC identifier to which the allocated GTA is correlated. The messaging service firewall compares SMSC identifier information extracted from the messaging service message with the originating SMSC identifier to which the allocated GTA is correlated to determine if the messaging service message contains spoofed address information. In response to determining that the messaging service message contains spoofed address information, the messaging service firewall discards the messaging service message.
  • According to another aspect, the subject matter described herein includes a method for detecting and mitigating address spoofing in a messaging service transaction. A messaging service firewall separate from a short message service center (SMSC) and implemented on a platform including at least one processor receives a mobility management query message associated with a message delivery transaction that is sent by an originating SMSC element, where the mobility management query message includes a message service recipient identifier and a first originating SMSC identifier. The messaging service firewall generates a mobility management reply message in response to the query message, the reply message including a least a portion of the first originating SMSC identifier in one or more parameters of the reply message that trigger the originating SMSC to echo the parameters in a subsequent message associated with the message delivery transaction. The messaging service firewall receives a messaging service message associated with the message delivery transaction, where the messaging service message includes the echoed parameters, and extracts the echoed parameters from the messaging service message. The messaging service firewall compares SMSC identifier information extracted from the messaging service message with SMSC identifier information contained in the routing label of the received messaging service message to determine if the messaging service message contains spoofed address information. In response to determining that the messaging service message contains spoofed address information, the messaging service firewall discards the messaging service message.
  • According to yet another aspect, the subject matter described herein includes a system for detecting and mitigating address spoofing in messaging service transactions. The system includes a messaging service firewall separate from a short message service center (SMSC) and implemented on a platform including at least one processor. The messaging service firewall includes a network interface for sending and receiving signaling messages and a spoofing detection module for: receiving, from the network interface, a mobility management reply message that is sent by a mobile location register element in response to an associated mobility management query, where the mobility management reply message includes a message service recipient identifier and a serving switch identifier; allocating a global title address (GTA) from a pool of global title addresses within a range of global title addresses assigned to the firewall; generating and storing a correlation record that associates the GTA with an originating SMSC identifier; replacing the serving switch identifier in the reply message with the firewall GTA; and routing the modified reply message. The spoofing detection module is also for: receiving, from the network interface, a message service message including the allocated GTA and using the allocated GTA to locate the correlation record; comparing SMSC identifier information extracted from the messaging service message with SMSC identifier information contained in the correlation record to determine if the messaging service message contains spoofed address information; and, in response to determining that the messaging service message contains spoofed address information, discarding the messaging service message.
  • According to yet another aspect, the subject matter described herein includes a system for detecting and mitigating address spoofing in messaging service transactions. The system includes a messaging service firewall separate from a short message service center (SMSC) and implemented on a platform including at least one processor. The messaging service firewall includes a network interface for sending and receiving signaling messages and a spoofing detection module for receiving, from the network interface, a mobility management query message associated with a message delivery transaction that is sent by an originating SMSC element, where the mobility management query message includes a message service recipient identifier and a first originating SMSC identifier, and generating a mobility management reply message, in response to the query message, that includes a least a portion of the first originating SMSC identifier in one or more parameters of the reply message that trigger the originating SMSC to echo the parameters in a subsequent message associated with the message delivery transaction. The spoofing detection module is also for receiving, from the network interface, a messaging service message associated with the message delivery transaction, where the messaging service message includes the echoed parameters; extracting the echoed parameters in the messaging service message; comparing SMSC identifier information extracted from the messaging service message with SMSC identifier information contained in the routing label of the received messaging service message to determine if the messaging service message contains spoofed address information; and, in response to determining that the messaging service message contains spoofed address information, discarding the messaging service message.
  • The subject matter described herein for detecting and mitigating address spoofing in messaging service transactions may be implemented in hardware, software, firmware, or any combination thereof. As such, the terms “function” or “module” as used herein refer to hardware, software, and/or firmware for implementing the feature being described. In one exemplary implementation, the subject matter described herein may be implemented using a non-transitory computer readable medium having stored thereon computer executable instructions that when executed by the processor of a computer control the computer to perform steps. Exemplary computer readable media suitable for implementing the subject matter described herein include non-transitory computer-readable media, such as disk memory devices, chip memory devices, programmable logic devices, and application specific integrated circuits. In addition, a computer readable medium that implements the subject matter described herein may be located on a single device or computing platform or may be distributed across multiple devices or computing platforms.
    • BRIEF DESCRIPTION OF THE DRAWINGS
  • Preferred embodiments of the subject matter described herein will now be explained with reference to the accompanying drawings, wherein like reference numerals represent like parts, of which:
  • FIGS. 1A and 1B are block diagrams illustrating processing of an MT/SM message in a conventional signaling system #7 (SS7) based telecommunications network. FIG. 1A illustrates normal (non-fraudulent) MT/SM processing, while FIG. 1B illustrates MT/SM address spoofing;
  • FIG. 2 is a block diagram illustrating an exemplary system for detecting and mitigating address spoofing in messaging service transactions according to an embodiment of the subject matter described herein;
  • FIGS. 3A, 3B, and 3C are signaling message flow diagrams illustrating messages communicated within a system during an exemplary process for detecting and mitigating address spoofing in messaging service transactions according to an embodiment of the subject matter described herein;
  • FIGS. 4A and 4B are signaling message flow diagrams illustrating messages communicated within a system during an exemplary process for detecting and mitigating address spoofing in messaging service transactions according to another embodiment of the subject matter described herein; and
  • FIG. 5 is a block diagram illustrating a method for encrypting the data necessary for detecting and mitigating address spoofing in messaging service transactions according to an embodiment of the subject matter described herein.
    •  DETAILED DESCRIPTION
  • In accordance with the subject matter disclosed herein, systems, methods, and computer readable media are provided for detecting and mitigating address spoofing in messaging service transactions.
  • Reference will now be made in detail to exemplary embodiments of the present invention, examples of which are illustrated in the accompanying drawings. Wherever possible, the same reference numbers will be used throughout the drawings to refer to the same or like parts.
  • FIG. 2 is a block diagram illustrating an exemplary system for detecting and mitigating address spoofing in messaging service transactions according to an embodiment of the subject matter described herein. System 200 includes one more firewall nodes 202 for detecting and mitigating address spoofing. In the embodiment illustrated in FIG. 2, system 200 includes four firewall nodes 202, labeled “FWL1”, “FWL2”, “FWL3”, and “FWL4”, respectively. Firewall nodes 202 intercept and process SMS-related messages that may be sent by a short message service center (SMSC) 204. Example messages that may be intercepted include: send routing information for short message (SRI_SM) messages that are sent by SMSC 204 to a home location register (HLR) 206; mobile-terminated forward short message (MT_F_SM) messages that are sent by SMSC 204 to a serving mobile switching center (SRVMSC) 208; and other types of SMS messages.
  • In the embodiment illustrated in FIG. 2, a signaling message routing node, such as signal transfer point (STP) 210, may distribute incoming SMS-related messages to firewall nodes 202. In one embodiment, STP 210 may assign incoming SMS-related messages to firewall nodes 202 based on the identity of the intended receiver, generically referred to as the “called party” or CDPA. The called party may be identified using a global title address (GTA). In one embodiment, STP 210 may make use of a table, database, or other appropriate construct, such as global title translation (GTT) table 212, that maps a range of called party addresses to particular firewall nodes 202. In the embodiment illustrated in FIG. 2, GTT table 212 maps called parties to firewall nodes 202 according to the called party's GTA. In GTT table 212, SMS-related messages that involve called parties with a GTA that matches the pattern “+316261*” are assigned or forwarded to FWL1 for processing, SMS-related messages that involve called parties with a GTA that matches the pattern “+316262*” are assigned or forwarded to FWL2 for processing, and so on. Each of firewall nodes 202 may access HLR 206 and each may communicate with STP 210, SRVMSC 208, or other telecommunication network nodes.
  • For the purposes of illustration only and without limitation, system 200 in FIG. 2 includes two separate telecommunications networks: a first network (NW1), which contains SMSC 204; and a second network (NW2), which contains every other element illustrated in FIG. 2. In the examples of MT/SM spoofing detection and mitigation below, NW1 may also be referred to as the originating network and NW2 may also be referred to as the terminating network. For ease of illustration and without limitation, some of the nodes within system 200 will be given network identifiers, e.g., network addresses, in simplified form. For example, in the embodiment illustrated in FIG. 2, SMSC 204 has a network address of “AAA”; of the firewall nodes 202, FWL1 has a network address of “BBB”; HLR 206 has a network address of “CCC”; and SRVMSC 208 has a network address of “DDD”. In the embodiment illustrated in FIG. 2, a mobile subscriber (MS) 214 is being served by SRVMSC 208. MS 214 is identified by both a mobile subscriber integrated services digital network (MSISDN) number, “EEE”, and an international mobile subscriber identity (IMSI) number, “FFF”. STP 210 has a network address of “GGG”. The operation of system 200 will now be described. In the embodiment, illustrated in FIG. 2, each firewall node 202 includes a network interface (NWIF) 216 for sending and receiving signaling messages, and a spoofing detection module (SDM) 218.
  • In one embodiment, spoofing detection module 218 is for: receiving, from the network interface, a mobility management query message associated with a message delivery transaction that is sent by an originating SMSC element, where the mobility management query message includes a message service recipient identifier and a first originating SMSC identifier; generating a mobility management reply message, in response to the query message, that includes a least a portion of the first originating SMSC identifier in one or more parameters of the reply message that trigger the originating SMSC to echo the parameters in a subsequent message associated with the message delivery transaction; receiving, from the network interface, a messaging service message associated with the message delivery transaction, where the messaging service message includes the echoed parameters; extracting the echoed parameters in the messaging service message; comparing SMSC identifier information extracted from the messaging service message with SMSC identifier information contained in the routing label of the received messaging service message to determine if the messaging service message contains spoofed address information; and, in response to determining that the messaging service message contains spoofed address information, discarding the messaging service message.
  • In an alternative embodiment, spoofing detection module 218 is for: receiving, from the network interface, a mobility management query message associated with a message delivery transaction that is sent by an originating SMSC element, where the mobility management query message includes a message service recipient identifier and a first originating SMSC identifier; generating a mobility management reply message, in response to the query message, that includes a least a portion of the first originating SMSC identifier in one or more parameters of the reply message that trigger the originating SMSC to echo the parameters in a subsequent message associated with the message delivery transaction; receiving, from the network interface, a messaging service message associated with the message delivery transaction, where the messaging service message includes the echoed parameters; extracting the echoed parameters in the messaging service message; comparing SMSC identifier information extracted from the messaging service message with SMSC identifier information contained in the routing label of the received messaging service message to determine if the messaging service message contains spoofed address information; and, in response to determining that the messaging service message contains spoofed address information, discarding the messaging service message.
  • FIGS. 3A, 3B, and 3C are signaling message flow diagrams illustrating messages communicated within exemplary system 200 during a process for detecting and mitigating address spoofing in messaging service transactions according to an embodiment of the subject matter described herein. FIGS. 3A, 3B, and 3C show messages communicated between SMSC 204, STP 210, FWL1 202, HLR 206, and SRVMSC 208. These nodes are identical to their like-numbered counterparts illustrated in FIG. 2, and therefore their descriptions will not be repeated here.
  • Referring now to FIG. 3A, in one embodiment, SMSC 204 may send a mobility management request message 300 requesting routing information for a called party mobile subscriber, who is identified by a called party address (CDPA). In the embodiment illustrated in FIG. 3A, SMSC 204 sends a send routing information for short message (SRI_SM) message to determine the routing information for mobile subscriber MS 214, whose MSISDN number is “EEE”.
  • In one embodiment, mobility management request message 300 may include information indicating the source of the message. In the embodiment illustrated in FIG. 3A, mobility management request message 300 includes a field or parameter called “SRC”, which stores the address of SMSC 204, which has a network address of “AAA”. In one embodiment, mobility management request message 300 is received or intercepted by a routing node, STP 210.
  • At block 302, STP 210 selects one of firewall nodes 202 based on the called party address contained within mobility management request message 300. In the embodiment illustrated in FIG. 3A, STP 210 selects FWL1, whose network address is “BBB”, and forwards the SRI_SM message to FWL1, shown in FIG. 3A as message 304. In alternative embodiments, system 200 may have only one firewall node 202, in which case mobility management request message 300 may be routed to that firewall node either with or without the need for STP 210. In one embodiment, network NW2 may not include an STP.
  • Forwarding an unmodified SRI_SM message from FWL1 202 to HRL 206 does not guarantee that the response to the SRI_SM message, such as an SRI_SM_ACK message, will return through FWL1 202. Thus, in one embodiment, at block 306, firewall node FWL1 202 terminates SRI_SM message 304 and generates a new SRI_SM message 308, which sends to HLR 206. HLR 206 sends a reply message, SRI_SM_ACK 310, containing the IMSI number (“FFF”) for MS 214 and an identity of the serving MSC (“DDD”). For brevity, the IMSI and serving MSC parameters are displayed in all figures using the format “IMSI@servingMSC”. Alternatively, FWL1 202 may modify the original mobility management request message 300 in such as manner as to guarantee that the response from HLR 206 returns through FWL1 202. For example, FWL1 202 may update the source information in the routing label so that it appears to HLR 206 that the mobility management request message originated from FWL1 202.
  • In one embodiment, firewall node FWL1 202 has at its disposal a pool of addresses or other form of identity by which it may be identified. In the embodiment illustrated in FIG. 3A, FWL1 202 has a collection of global title addresses (GTAs), shown as values “GTA0” through “GTA9”. At block 312, FWL1 202, selects an available GTA (e.g., “GTA7”) to be used for a message delivery transaction, of which mobility management request message 300 is only the first part.
  • At block 314, FWL1 202 stores a correlation between the selected or allocated GTA and information identifying an originating SMSC. In one embodiment, FWL1 202 may store correlation information in the form of a correlation record in a table, database, or other form of data storage and retrieval. In the embodiment illustrated in FIG. 3A, FWL1 202 may use the selected GTA as a key and store the address of the originating SMSC 204 and the identity of the MSC currently serving the mobile subscriber. For example, FWL1 202 may use the key “GTA7” to store the value “AAA” in a record field labeled “SRC” and to store the value “DDD” in a record field labeled “SRVMSC”. In one embodiment, firewall nodes 202 may allocate each of its available GTAs to only one correlation record at a time; allocated GTAs are then unavailable to be allocated again until the allocated GTA is deallocated or released back into the pool. A GTA may be deallocated or released as a result of various trigger conditions, such as the completion (or abandonment) of the mobility management transaction to which the GTA is associated, explicit instruction from the network operator or provisioning system, node, module, or service reset, etc.
  • At block 316, FWL1 202 terminates SRI_SM_ACK message 314 that it receives from HLR 206 and generates a new SRI_SM_ACK message 318, which it forwards to SMSC 204. Generated SRI_SM_ACK message 318 contains the IMSI for MS 214, i.e., “FFF”, but instead of the address of SRVMSC 208, FWL1 202 replaces the actual value “DDD” with the address of the selected GTA, e.g., “GTA7”. In this manner, FWL1 202 can guarantee that, as will be shown below, other messages involved in the message delivery transaction will also be routed through FWL1 202. By guaranteeing that all messages involved in the message delivery transaction are seen by the same node (e.g., FWL1 202), this ensures the opportunity to compare the address of the originating SMSC (e.g., SMSC 204) as reported in the mobility management query message with the address of the originating SMSC as reported in any subsequent message service message that is part of the same mobility management transaction. If the addresses are not the same, this is a very likely indication of spoofing. The process continues in FIGS. 3B and 3C.
  • FIG. 3B illustrates detection of a spoofed MT/SM message, and FIG. 3C illustrates processing of a legitimate (i.e., non-spoofed) MT/SM message. Starting with FIG. 3B, in response to receiving SRI_SM_ACK message 318 from FWL1 202, SMSC 204 now has enough information to deliver the MT/SM message. Thus, SMSC 204 may issue a mobile-terminated forward short message (MT_F_SM) message 320 to what SMSC 204 has been told is the MSC that is currently serving MS 214. Actually, MT_F_SM message 320 is addressed to FWL1 202. In the embodiment illustrated in FIG. 3B, SMSC 204 attempts to spoof the source address of the MT_F_SM message in order to avoid a termination fee from NW2. Thus, MT_F_SM message 320 includes false information, shown as “FAKE_ADDR” in FIG. 3B, in the SRC field of MT_F_SM message 320.
  • MT_F_SM message 320 is received by FWL1 202. At block 322, FWL1 202 extracts the key, which FWL1 202 will use to look up the correlation information, from received MT_F_SM message 320. In the embodiment illustrated in FIG. 3B, the key is “GTA7” and the value of the correlation data is the address of the source of mobility management request message 300, or “AAA”. FWL1 202 may then simply compare the purported source of MT_F_SM message 320 (“FAKE_ADDR”) with the source of the associated mobility management request message 300 (“AAA”), and determine that MT_F_SM message 320 has a spoofed address. As shown in block 324 of FIG. 3B, FWL1 202 may then discard the MT_F_SM message or otherwise prohibit it from being forwarded to SRVMSC 208.
  • FIG. 3C illustrates processing of a legitimate (i.e., non-spoofed) MT/SM message. In FIG. 3C, in response to receiving SRI_SM_ACK message 318 from FWL1 202, SMSC 204 now has enough information to deliver the MT/SM message. Thus, SMSC 204 may issue a mobile-terminated forward short message (MT_F_SM) message 328 to what SMSC 204 has been told is the MSC that is currently serving MS 214. Actually, MT_F_SM message 328 is addressed to FWL1 202. In the embodiment illustrated in FIG. 3C, MT_F_SM message 328 is a legitimate MT/SM message that contains the true identity of the source SMSC 204: the “SRC” field contains the address of SMSC 204, which is “AAA”.
  • MT_F_SM message 328 is received by FWL1 202. At block 330, FWL1 202 extracts the key, which FWL1 202 will use to look up the correlation information, from received MT_F_SM message 328. In the embodiment illustrated in FIG. 3C, the key is “GTA7” and the correlation data associated with that key is the address of the source of mobility management request message 300 (“AAA”), and the identity of the MSC currently serving MS 214 (“DDD”). FWL1 202 may then simply compare the purported source of MT_F_SM message 328 (“AAA”) with the source of the associated mobility management request message 300 (“AAA”), and determine that MT_F_SM message 328 is legitimate. FWL1 202 may then forward the legitimate message 334 to currently serving MSC 208.
  • FIGS. 4A and 4B are signaling message flow diagrams illustrating messages communicated within exemplary system 200 during a process for detecting and mitigating address spoofing in messaging service transactions according to another embodiment of the subject matter described herein. FIGS. 4A and 4B show messages communicated between SMSC 204, STP 210, FWL1 202, HLR 206, and SRVMSC 208. These nodes are identical to their like-numbered counterparts illustrated in FIG. 2, and therefore their descriptions will not be repeated here.
  • In the embodiment illustrated in FIGS. 4A and 4B, MT/SM spoofing detection and mitigation is accomplished without the need to store correlation data. Instead, a firewall node responds to a mobility management query, such as an SRI_SM or similar, with what is herein referred to as a “synthetic” response. A synthetic response is a mobility management query response, such as an SRI_SM_ACK or similar, that appears to be a real response but which does not contain real data. Instead, the synthetic response is constructed in such as way as to guarantee that any subsequent mobility management message that is associated with the first mobility management request will: a) be directed to the same firewall that created and issued the synthetic response, and b) include information that identifies the original mobility management request.
  • In other words, rather than storing correlation data within the firewall node, the firewall node stores the correlation data in the synthetic response itself, and presumes that when a subsequent mobility management message, such as a mobility service request, arrives, the subsequent mobility management message will contain the correlation data that the firewall node needs to perform spoofing detection and mitigation. This process will now be described in detail using FIGS. 4A and 4B.
  • In one embodiment, an SMSC may send a mobility management request message requesting routing information for a called party mobile subscriber, such as MS 214, identified by MSISDN number (“EEE”). In the embodiment illustrated in FIG. 4A, SMSC 204 sends SRI_SM message 400, the message requesting routing information for mobile subscriber MS 214, whose MSISDN number is “EEE”. SRI_SM message 400 is received and routed by STP 210, which directs SRI_SM message 400 to firewall node, FWL 202.
  • At block 402 in FIG. 4A, FWL 202 does not forward the SRI_SM message to an HLR, but instead generates a synthetic response message, SRI_SM_ACK message 404. A real SRI_SM_ACK message would return the IMSI number of the mobile subscriber called party, and an identifier of the MSC currently serving the mobile subscriber called party. In the embodiment illustrated in FIG. 4A, for example, a real SRI_SM_ACK message would return an IMSI value of “FFF” and a serving MSC identifier of “DDD”. Instead, FWL 202 creates a synthetic SRI_SM_ACK message 404 that stores the MSISDN number from SRI_SM message 400 in the IMSI field and stores the address of the source of SRI_SM message 400 in the serving MSC field.
  • However, FWL 202 cannot completely replace the contents of the serving MSC identifier (e.g., address “DDD”) with the address of the source of SRI_SM message 400 (e.g., address “AAA”), because the serving MSC identifier is subsequently used by SMSC 204 as the destination for the message service request. If synthetic SRI_SM_ACK message 404 included address AAA in the serving MSC field, a subsequent MT_F_SM message would be delivered back to SMSC 204.
  • To overcome this problem, only a portion of the serving MSC address field in synthetic SRI_SM_ACK message 404 contains the address of the source of the SRI_SM message 400. In one embodiment, the serving MSC address is an MSISDN number, of the format shown below:
      • CC:NDC:SN
        where CC=country code, NDC=network destination code, and SN=subscriber number. The CC and NDC fields must contain values that are correct for FWL 202, so that the subsequent messaging service message is directed to the correct country and network to which FWL 202 belongs. This leaves only the SN field, which FWL 202 uses to store the address “AAA”. In one embodiment, only a portion of address AAA is stored in the SN portion of the serving MSC field; as will be seen below, this is enough information to detect spoofing. In another embodiment, also described below, the various pieces of information needed for correlation and spoofing detection may be combined, encrypted, and/or compressed to fit into the available spaces of the IMSI and serving MSC fields within synthetic SRI_SM_ACK message 404.
  • Referring again to FIG. 4A, block 402, FWL 202 issues synthetic SRI_SM_ACK message 404 with the IMSI field containing value “EEE” (the MSISDN number for MS 214) and the serving MSC field containing a first portion that identifies the network to which FWL 202 belongs (shown as “NW2” in FIG. 4A) and a second portion that identifies the source of SRI_SM message 400 (shown as “AAA” in FIG. 4A). This information is represented as “EEE@NW2+AAA” in FIG. 4A.
  • At block 406, SMSC 204 receives synthetic SRI_SM_ACK message 404 and uses the IMSI@servingMSC information to issue a message service request message to what it believes to the serving MSC. In the embodiment illustrated in FIG. 4A, SMSC 204 issues MT_F_SM message 408 to the address “NW2+AAA”. However, as described above, address “NW2+AAA” is not a real address; but the “NW2” portion of the address is enough for SMSC 204 to know that MT_F_SM message 408 must be routed first to STP 210, which receives MT_F_SM message 408.
  • At block 410, STP 210 uses MAP filtering to determine that MT_F_SM message 408 is a mobility management service message, and therefore forwards the message to FWL 202. The forwarded MT_F_SM message 412 is thus guaranteed to go to the same firewall node that received and processed the original mobility management query message (e.g., SRI_SM message 400) that is associated with the subsequent mobility management service message (e.g., MT_F_SM message 404.)
  • The process continues in FIG. 4B. Upon receipt of forwarded MT_F_SM message 412, FWL 202 determines the source of MT_F_SM message 412 with the information, stored in the serving MSC field, that identifies the source of SRI_SM message 400, as shown in block 414. In the embodiment illustrated in FIG. 3B, FWL 202 determines that MT_F_SM message 412 came from SMSC 204 (identified by address “AAA”) and that the source of SRI_SM message 400 was also SMSC 204, because the serving MSC field of MT_F_SM message 412 also contains the value “AAA”. At block 416, FWL 202 compares the two values, determines that they match (AAA==AAA), and thus determines that MT_F_SM message 412 is not spoofed. Had the two values not matched, FWL 202 would determine that MT_F_SM message 412 was spoofed, and would have discarded MT_F_SM message 412, and the process would have ended there.
  • Since, in the embodiment illustrated in FIG. 4B, MT_F_SM message 412 is authentic, FWL 202 now performs all of the necessary steps for SMS message delivery. First, FWL 202 queries HLR 206 for the location of MS 214 (SRI_SM message 418) and gets a response (SRI_SM_ACK message 420). Second FWL 202 modifies MT_F_SM message 412 to include the authentic IMSI number and serving MSC identifier (e.g., FFF@DDD) and forwards the modified MT_F_SM message 424 to the correct serving MSC, SRVMSC 208. The serving MSC may then issue a termination fee 426 to the originating SMSC 204.
  • It may be desirable to obscure the fact that the SRI_SM_ACK message that FWL 202 sends to SMSC 204 is synthetic. Thus, in one embodiment, the correlation data that FWL 202 stores in the IMSI and serving MSC fields of synthetic SRI_SM_ACK message 404 may be encrypted. This is illustrated in FIG. 5.
  • FIG. 5 is a block diagram illustrating a method for encrypting the data necessary for detecting and mitigating address spoofing in messaging service transactions according to an embodiment of the subject matter described herein. FIG. 5 illustrates in more detail selected parameters of SRI_SM message 400, synthetic SRI_SM_ACK message 404, MT_F_SM message 412, and SRI_SM message 418, from FIGS. 4A and 4B.
  • In one embodiment, FWL 202 receives SRI_SM message 400, which includes two parameters: the SCCP SMSC (SRC) parameter 500, which is in MSISDN format, and the called party (CDPA) parameter 502, also in MSISDN format. FWL 202 uses the country code (CC) and network destination code (NDC) fields of SRC parameter 500 and all of the fields of CDPA parameter 502 as input into an encryption algorithm 504. Encryption algorithm 504 may also require an encryption key 506 as input. The output of encryption algorithm 504 is used to generate synthetic SRI_SM_ACK message 404, which has two parameters: the IMSI number (IMSI) parameter 508 and the serving MSC (SRVMSC) parameter 510. IMSI parameter 508 is in the IMSI format, which includes the following fields:
      • MCC:MNC:MSIN
        where MCC=mobile country code, MNC=mobile network code, and MSIN=mobile subscriber identity number. SRVMSC parameter 510 is in the MSISDN format.
  • In the embodiment illustrated in FIG. 5, the output of encryption algorithm 504 includes data that will be placed into the MSIN field of IMSI parameter 508 and the SN field of SRVMSC parameter 510. As described above, the CC and NDC fields of SRVMSC parameter 510 must contain CC and NDC values that will cause the subsequent MT_F_SM message 412 to be routed to the network to which FWL 202 belongs, so that FWL 202 will receive subsequent MT_F_SM message 412. In one embodiment, the CC and NCD fields of CDPA parameter 502 may be compressed or replaced with an alias 512 to save space.
  • FIG. 5 also illustrates in detail the parameters within MT_F_SM message 412, which also includes an IMSI parameter 514 and a SRVMSC parameter 516. If MT_F_SM message 412 is related to SRI_SM_ACK message 404, the contents of IMSI parameter 514 should be the same as IMSI parameter 508 and the contents of SRVMSC parameter 516 should be the same as SRVMSC parameter 510. In response to receiving MT_F_SM message 412, FWL 202 will extract information from the MSIN field of IMSI parameter 514 and the SN field of SRVMSC parameter 516, and use them as input into a decryption algorithm 518. Decryption algorithm 518 may also use a decryption key 520, which may be the same key or a different key from encryption key 506, depending on whether the encryption algorithm is symmetric or asymmetric, respectively.
  • In the embodiment illustrated in FIG. 5, the output of decryption algorithm 518 includes data that will be placed into the CC, NDC, and SN fields of SCCP SMSC (SCR) parameter 522 and into the CC and NDC fields of SRVMSC parameter 524 of SRI_SM message 418. In one embodiment, the output of decryption algorithm 518 may include an alias 526 which must be decompressed or mapped to a set of data for the CC and NDC fields of IMSI parameter 522. In this manner, the correlation data stored by FWL 202 in various fields within SRI_SM_ACK message 404 will return to FWL 202 via the equivalent fields of MT_F_SM message 412. From the recovered correlation data, FWL 202 has enough information to reconstruct its own SRI_SM message 418, which it will send to HLR 206.
  • To detect spoofing, FWL 202 can compare the SCCP SMSC parameter 522, which stores information indicating the source of original SRI_SM message 400, with the contents of the SCCP SMSC parameter for MT_F_SM message 412 (not shown in FIG. 5). If the two values are the same, MT_F_SM message 412 is legitimate.
  • In some systems, however, the entity that sends the original SRI_SM message may be different from the entity that sends the subsequent MT_F_SM message. Alternatively, the same entity may send both messages but that entity may be a cluster of nodes, or a single node that uses multiple addresses. In these scenarios, the contents of SCCP SMSC parameter 522 may not be exactly the same as source address of MT_F_SM message 412. However, since the purpose of spoofing is usually to redirect a termination fee from the originating network to a third network, comparing only the CC and NDC fields of the two addresses is enough to determine whether or not MT_F_SM message 412 is spoofed.
  • The embodiment illustrated in FIG. 5 is for illustration purposes and is not intended to be limiting. For example, encryption algorithm 504 and decryption algorithm 518 may use fields or portions of fields other than those illustrated in FIG. 5. Also, other means of obscuring the fact that SRI_SM_ACK message 404 is synthetic or obscuring the data contained within SRI_SM_ACK message 404 is contemplated, including compression of data, mapping of data, etc.
  • It will be understood that various details of the subject matter described herein may be changed without departing from the scope of the subject matter described herein. For example, the methods and systems described herein are not limited to SMS messages, but may apply to other messaging services, such as multimedia messaging services (MMS), may also apply to other mobility management related services, and may also apply to other telecommunication services that first locate a called party and then send data to that called party. Furthermore, the foregoing description is for the purpose of illustration only, and not for the purpose of limitation.

Claims (12)

1. A method for detecting and mitigating address spoofing in a messaging service transaction, the method comprising:
at a messaging service firewall separate from a short message service center (SMSC) and implemented on a platform including at least one processor:
receiving a mobility management reply message that is sent by a mobile location register element in response to an associated mobility management query, the mobility management query and the mobility management reply message being associated with a mobility management transaction, the mobility management reply message including a message service recipient identifier and a serving switch identifier;
allocating a global title address (GTA) from a pool of global title addresses within a range of global title addresses assigned to the firewall;
storing a correlation between the allocated GTA and an originating SMSC identifier;
replacing the serving switch identifier in the mobility management reply message with the allocated GTA;
routing the modified mobility management reply message;
receiving a message service message associated with the mobility management transaction, the messaging service message being addressed to the allocated GTA;
determining the originating SMSC identifier to which the allocated GTA is correlated;
comparing SMSC identifier information extracted from the messaging service message with the originating SMSC identifier to which the allocated GTA is correlated to determine if the messaging service message contains spoofed address information; and
in response to determining that the messaging service message contains spoofed address information, discarding the messaging service message.
2. The method of claim 1 comprising generating a message detail record based on the attempted delivery of the message service message.
3. A method for detecting and mitigating address spoofing in a messaging service transaction, the method comprising:
at a messaging service firewall separate from a short message service center (SMSC) and implemented on a platform including at least one processor:
receiving a mobility management query message associated with a message delivery transaction that is sent by an originating SMSC element, where the mobility management query message includes a message service recipient identifier and a first originating SMSC identifier;
generating a mobility management reply message in response to the query message, the reply message including a least a portion of the first originating SMSC identifier in one or more parameters of the reply message that trigger the originating SMSC to echo the parameters in a subsequent message associated with the message delivery transaction;
receiving a messaging service message associated with the message delivery transaction, where the messaging service message includes the echoed parameters;
extracting the echoed parameters from the messaging service message;
comparing SMSC identifier information extracted from the messaging service message with SMSC identifier information contained in the routing label of the received messaging service message to determine if the messaging service message contains spoofed address information; and
in response to determining that the messaging service message contains spoofed address information, discarding the messaging service message.
4. The method of claim 3 comprising generating a message detail record based on the attempted delivery of the message service message.
5. The method of claim 3 wherein receiving the messaging service message associated with the message delivery transaction comprises receiving the messaging service message from a signaling message routing node that uses mobile application part (MAP) screening to route received messaging service messages.
6. A system for detecting and mitigating address spoofing in messaging service transactions, the system comprising:
a messaging service firewall separate from a short message service center (SMSC) and implemented on a platform including at least one processor, the messaging service firewall including:
a network interface for sending and receiving signaling messages; and
a spoofing detection module for:
receiving, from the network interface, a mobility management reply message that is sent by a mobile location register element in response to an associated mobility management query, where the mobility management reply message includes a message service recipient identifier and a serving switch identifier;
allocating a global title address (GTA) from a pool of global title addresses within a range of global title addresses assigned to the firewall;
generating and storing a correlation record that associates the GTA with an originating SMSC identifier;
replacing the serving switch identifier in the reply message with the firewall GTA;
routing the modified reply message;
receiving, from the network interface, a message service message including the allocated GTA and using the allocated GTA to locate the correlation record;
comparing SMSC identifier information extracted from the messaging service message with SMSC identifier information contained in the correlation record to determine if the messaging service message contains spoofed address information; and
in response to determining that the messaging service message contains spoofed address information, discarding the messaging service message.
7. The system of claim 6 wherein the messaging service firewall generates a message detail record based on the attempted delivery of the message service message.
8. A system for detecting and mitigating address spoofing in messaging service transactions, the system comprising:
a messaging service firewall separate from a short message service center (SMSC) and implemented on a platform including at least one processor, the messaging service firewall including:
a network interface for sending and receiving signaling messages; and
a spoofing detection module for:
receiving, from the network interface, a mobility management query message associated with a message delivery transaction that is sent by an originating SMSC element, where the mobility management query message includes a message service recipient identifier and a first originating SMSC identifier;
generating a mobility management reply message, in response to the query message, that includes a least a portion of the first originating SMSC identifier in one or more parameters of the reply message that trigger the originating SMSC to echo the parameters in a subsequent message associated with the message delivery transaction;
receiving, from the network interface, a messaging service message associated with the message delivery transaction, where the messaging service message includes the echoed parameters;
extracting the echoed parameters in the messaging service message;
comparing SMSC identifier information extracted from the messaging service message with SMSC identifier information contained in the routing label of the received messaging service message to determine if the messaging service message contains spoofed address information; and
in response to determining that the messaging service message contains spoofed address information, discarding the messaging service message.
9. The system of claim 8 wherein the messaging service firewall generates a message detail record based on the attempted delivery of the message service message.
10. The system of claim 8 comprising a signaling message routing node that uses mobile application part (MAP) screening to route messaging service messages to the messaging service firewall.
11. A non-transitory computer readable medium having stored thereon executable instructions that when executed by the processor of a computer control the computer to perform steps comprising:
at a messaging service firewall separate from a short message service center (SMSC) and implemented on a platform including at least one processor:
receiving a mobility management reply message that is sent by a mobile location register element in response to an associated mobility management query, where the mobility management reply message includes a message service recipient identifier and a serving switch identifier;
allocating a global title address (GTA) from a pool of global title addresses within a range of global title addresses assigned to the firewall;
generating and storing a correlation record that associates the GTA with an originating SMSC identifier;
replacing the serving switch identifier in the reply message with the firewall GTA;
routing the modified reply message;
receiving the message service message including the allocated GTA and using the allocated GTA to locate the correlation record;
comparing SMSC identifier information extracted from the messaging service message with SMSC identifier information contained in the correlation record to determine if the messaging service message contains spoofed address information; and
in response to determining that the messaging service message contains spoofed address information, discarding the messaging service message.
12. A non-transitory computer readable medium having stored thereon executable instructions that when executed by the processor of a computer control the computer to perform steps comprising:
at a messaging service firewall separate from a short message service center (SMSC) and implemented on a platform including at least one processor:
receiving a mobility management query message associated with a message delivery transaction that is sent by an originating SMSC element, where the mobility management query message includes a message service recipient identifier and a first originating SMSC identifier;
generating a mobility management reply message, in response to the query message, that includes a least a portion of the first originating SMSC identifier in one or more parameters of the reply message that trigger the originating SMSC to echo the parameters in a subsequent message associated with the message delivery transaction;
receiving a messaging service message associated with the message delivery transaction, where the messaging service message includes the echoed parameters;
extracting the echoed parameters in the messaging service message;
comparing SMSC identifier information extracted from the messaging service message with SMSC identifier information contained in the routing label of the received messaging service message to determine if the messaging service message contains spoofed address information; and
in response to determining that the messaging service message contains spoofed address information, discarding the messaging service message.
US12/722,460 2009-03-11 2010-03-11 Systems, methods, and computer readable media for detecting and mitigating address spoofing in messaging service transactions Abandoned US20100235911A1 (en)

Priority Applications (2)

Application Number Priority Date Filing Date Title
US12/722,460 US20100235911A1 (en) 2009-03-11 2010-03-11 Systems, methods, and computer readable media for detecting and mitigating address spoofing in messaging service transactions
US13/646,538 US8908864B2 (en) 2009-03-11 2012-10-05 Systems, methods, and computer readable media for detecting and mitigating address spoofing in messaging service transactions

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
US15932309P 2009-03-11 2009-03-11
US12/722,460 US20100235911A1 (en) 2009-03-11 2010-03-11 Systems, methods, and computer readable media for detecting and mitigating address spoofing in messaging service transactions

Related Child Applications (1)

Application Number Title Priority Date Filing Date
US13/646,538 Continuation US8908864B2 (en) 2009-03-11 2012-10-05 Systems, methods, and computer readable media for detecting and mitigating address spoofing in messaging service transactions

Publications (1)

Publication Number Publication Date
US20100235911A1 true US20100235911A1 (en) 2010-09-16

Family

ID=42729117

Family Applications (2)

Application Number Title Priority Date Filing Date
US12/722,460 Abandoned US20100235911A1 (en) 2009-03-11 2010-03-11 Systems, methods, and computer readable media for detecting and mitigating address spoofing in messaging service transactions
US13/646,538 Expired - Fee Related US8908864B2 (en) 2009-03-11 2012-10-05 Systems, methods, and computer readable media for detecting and mitigating address spoofing in messaging service transactions

Family Applications After (1)

Application Number Title Priority Date Filing Date
US13/646,538 Expired - Fee Related US8908864B2 (en) 2009-03-11 2012-10-05 Systems, methods, and computer readable media for detecting and mitigating address spoofing in messaging service transactions

Country Status (2)

Country Link
US (2) US20100235911A1 (en)
WO (1) WO2010105099A2 (en)

Cited By (29)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20100105355A1 (en) * 2008-10-17 2010-04-29 Eloy Johan Lambertus Nooren Methods, systems, and computer readable media for detection of an unauthorized service message in a network
WO2013124152A1 (en) * 2012-02-23 2013-08-29 Markport Limited A home routing system and method for mobile networks
US8908864B2 (en) 2009-03-11 2014-12-09 Tekelec Netherlands Group, B.V. Systems, methods, and computer readable media for detecting and mitigating address spoofing in messaging service transactions
US8909266B2 (en) 2009-03-11 2014-12-09 Tekelec Netherlands Group, B.V. Methods, systems, and computer readable media for short message service (SMS) forwarding
US8949355B2 (en) * 2007-10-24 2015-02-03 Blackberry Limited Method for disambiguating email recipient fields in an electronic device
US20160174077A1 (en) * 2013-05-23 2016-06-16 Markport Limited SMS Fraud Detection
US9565528B2 (en) * 2015-04-08 2017-02-07 Verizon Patent And Licensing Inc. Providing a message based on translating a beacon identifier to a virtual beacon identifier
CN108243420A (en) * 2016-12-26 2018-07-03 中国移动通信集团公司 A kind of processing method and processing device of fraud text message number
CN108810833A (en) * 2018-05-18 2018-11-13 努比亚技术有限公司 Phone number binding information management method, device and computer readable storage medium
CN109996191A (en) * 2017-12-29 2019-07-09 中兴通讯股份有限公司 Multimedia message verification method, server, mobile terminal and computer readable storage medium
US10616200B2 (en) 2017-08-01 2020-04-07 Oracle International Corporation Methods, systems, and computer readable media for mobility management entity (MME) authentication for outbound roaming subscribers using diameter edge agent (DEA)
US10834045B2 (en) 2018-08-09 2020-11-10 Oracle International Corporation Methods, systems, and computer readable media for conducting a time distance security countermeasure for outbound roaming subscribers using diameter edge agent
CN112119385A (en) * 2018-05-24 2020-12-22 德州仪器公司 System-on-chip firewall memory architecture
US10931668B2 (en) 2018-06-29 2021-02-23 Oracle International Corporation Methods, systems, and computer readable media for network node validation
US10952063B2 (en) 2019-04-09 2021-03-16 Oracle International Corporation Methods, systems, and computer readable media for dynamically learning and using foreign telecommunications network mobility management node information for security screening
US11349792B2 (en) * 2015-01-30 2022-05-31 Sinch Sweden Ab Identification of sources of media traffic through a network
US11411925B2 (en) 2019-12-31 2022-08-09 Oracle International Corporation Methods, systems, and computer readable media for implementing indirect general packet radio service (GPRS) tunneling protocol (GTP) firewall filtering using diameter agent and signal transfer point (STP)
US11516671B2 (en) 2021-02-25 2022-11-29 Oracle International Corporation Methods, systems, and computer readable media for mitigating location tracking and denial of service (DoS) attacks that utilize access and mobility management function (AMF) location service
US11528251B2 (en) 2020-11-06 2022-12-13 Oracle International Corporation Methods, systems, and computer readable media for ingress message rate limiting
US11553342B2 (en) 2020-07-14 2023-01-10 Oracle International Corporation Methods, systems, and computer readable media for mitigating 5G roaming security attacks using security edge protection proxy (SEPP)
US11622255B2 (en) 2020-10-21 2023-04-04 Oracle International Corporation Methods, systems, and computer readable media for validating a session management function (SMF) registration request
US11689912B2 (en) 2021-05-12 2023-06-27 Oracle International Corporation Methods, systems, and computer readable media for conducting a velocity check for outbound subscribers roaming to neighboring countries
US11700510B2 (en) 2021-02-12 2023-07-11 Oracle International Corporation Methods, systems, and computer readable media for short message delivery status report validation
US11751056B2 (en) 2020-08-31 2023-09-05 Oracle International Corporation Methods, systems, and computer readable media for 5G user equipment (UE) historical mobility tracking and security screening using mobility patterns
US11770694B2 (en) 2020-11-16 2023-09-26 Oracle International Corporation Methods, systems, and computer readable media for validating location update messages
US11812271B2 (en) 2020-12-17 2023-11-07 Oracle International Corporation Methods, systems, and computer readable media for mitigating 5G roaming attacks for internet of things (IoT) devices based on expected user equipment (UE) behavior patterns
US11818570B2 (en) 2020-12-15 2023-11-14 Oracle International Corporation Methods, systems, and computer readable media for message validation in fifth generation (5G) communications networks
US11825310B2 (en) 2020-09-25 2023-11-21 Oracle International Corporation Methods, systems, and computer readable media for mitigating 5G roaming spoofing attacks
US11832172B2 (en) 2020-09-25 2023-11-28 Oracle International Corporation Methods, systems, and computer readable media for mitigating spoofing attacks on security edge protection proxy (SEPP) inter-public land mobile network (inter-PLMN) forwarding interface

Families Citing this family (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US9667730B2 (en) * 2013-03-14 2017-05-30 Comcast Cable Communications, Llc Systems and methods for abandonment detection and mitigation
DE102014117713B4 (en) 2014-12-02 2016-12-01 GSMK Gesellschaft für sichere mobile Kommunikation mbH Method and device for securing a signaling system No. 7 interface
US12095942B2 (en) 2020-09-03 2024-09-17 AB Handshake Corporation Method and apparatus for detecting SMS parameter manipulation
EP4420339A1 (en) * 2021-10-18 2024-08-28 AB Handshake Corporation Method and system for detecting sms parameters manipulation

Citations (16)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US6091958A (en) * 1997-02-14 2000-07-18 Telefonaktiebolaget Lm Ericsson Mobile stations' geographical position determination, method and arrangement
US6308075B1 (en) * 1998-05-04 2001-10-23 Adc Telecommunications, Inc. Method and apparatus for routing short messages
US20010046856A1 (en) * 2000-03-07 2001-11-29 Mccann Thomas Matthew Methods and systems for mobile application part (MAP) screening
US20020098856A1 (en) * 2000-12-05 2002-07-25 Andreas Berg Method and apparatus for sending out short messages from a mobile terminal in a mobile radio network
US20020181448A1 (en) * 1999-12-22 2002-12-05 Sami Uskela Prevention of spoofing in telecommunications systems
US20020193127A1 (en) * 1999-11-17 2002-12-19 Andreas Martschitsch Method and system for preparing and transmitting SMS messages in a mobile radio network
US20050182968A1 (en) * 2002-01-24 2005-08-18 David Izatt Intelligent firewall
US20050232236A1 (en) * 2004-04-14 2005-10-20 Tekelec Methods and systems for mobile application part (MAP) screening in transit networks
US20060028429A1 (en) * 2004-08-09 2006-02-09 International Business Machines Corporation Controlling devices' behaviors via changes in their relative locations and positions
US20060211406A1 (en) * 2005-03-17 2006-09-21 Nokia Corporation Providing security for network subscribers
US20070011261A1 (en) * 2004-12-03 2007-01-11 Madams Peter H C Apparatus for executing an application function using a mail link and methods therefor
US20070281718A1 (en) * 2004-04-14 2007-12-06 Nooren Consulting B.V. Method for Preventing the Delivery of Short Message Service Message Spam
US20080004047A1 (en) * 2004-03-18 2008-01-03 Telsis Holdings Limited Telecommunications Services Apparatus and Methods
US20080026778A1 (en) * 2006-07-25 2008-01-31 Yigang Cai Message spoofing detection via validation of originating switch
US20080045246A1 (en) * 2004-10-14 2008-02-21 Anam Mobile Limited Messaging System and Method
US20100105355A1 (en) * 2008-10-17 2010-04-29 Eloy Johan Lambertus Nooren Methods, systems, and computer readable media for detection of an unauthorized service message in a network

Family Cites Families (106)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
GB0328606D0 (en) 2003-11-21 2004-01-14 Intellprop Ltd Telecommunications services apparatus and method
US6047327A (en) 1996-02-16 2000-04-04 Intel Corporation System for distributing electronic information to a targeted group of users
US5684951A (en) 1996-03-20 1997-11-04 Synopsys, Inc. Method and system for user authorization over a multi-user computer system
US5768509A (en) 1996-04-08 1998-06-16 Adc Newnet, Inc. Short message server without local customer database
US9418381B2 (en) 2000-04-14 2016-08-16 Citigroup Credit Services, Inc. (USA) Method and system for notifying customers of transaction opportunities
FI106603B (en) 1998-03-26 2001-02-28 Nokia Networks Oy Sending multicast services to the target area
US6597688B2 (en) 1998-06-12 2003-07-22 J2 Global Communications, Inc. Scalable architecture for transmission of messages over a network
KR100325961B1 (en) 1999-07-16 2002-03-07 Method and system for providing customized information during call setup process in telecommunication systems
US20020010745A1 (en) 1999-12-09 2002-01-24 Eric Schneider Method, product, and apparatus for delivering a message
US7136634B1 (en) 1999-12-22 2006-11-14 Nokia Corporation System and method for displaying information included in predetermined messages automatically
US6564055B1 (en) 2000-01-21 2003-05-13 Telecommunication Systems, Inc. Intelligent roaming database (IRDB) updating
AU2001234620A1 (en) 2000-01-28 2001-08-07 Ibeam Broadcasting Corporation Method and apparatus for client-side authentication and stream selection in a content distribution system
US20040221011A1 (en) 2000-04-10 2004-11-04 Steven Smith High volume electronic mail processing systems and methods having remote transmission capability
US6577723B1 (en) 2000-07-13 2003-06-10 At&T Wireless Service, Inc. Application of TCAP criteria in SCCP routing
US7394818B1 (en) 2000-09-22 2008-07-01 Qwest Communications International Inc. Extended multi-line hunt group communication
FI114000B (en) 2000-11-08 2004-07-15 Mikko Kalervo Vaeaenaenen Electronic short message and marketing procedure and corresponding devices
US7155001B2 (en) 2001-10-24 2006-12-26 Sbc Properties, L.P. System and method for restricting and monitoring telephone calls
US7177917B2 (en) 2000-12-27 2007-02-13 Softwired Ag Scaleable message system
FI112153B (en) 2000-12-28 2003-10-31 Nokia Corp Management of messages in a communication system
US7072976B2 (en) 2001-01-04 2006-07-04 Sun Microsystems, Inc. Scalable routing scheme for a multi-path interconnection fabric
US7343317B2 (en) 2001-01-18 2008-03-11 Nokia Corporation Real-time wireless e-coupon (promotion) definition based on available segment
US6947738B2 (en) 2001-01-18 2005-09-20 Telefonaktiebolaget Lm Ericsson (Publ) Multimedia messaging service routing system and method
FI115744B (en) 2001-02-08 2005-06-30 Nokia Corp communication Service
KR20020071296A (en) 2001-03-06 2002-09-12 삼성전자 주식회사 Method for forwarding short message in mobile telecommunication system
WO2002076077A1 (en) 2001-03-16 2002-09-26 Leap Wireless International, Inc. Method and system for distributing content over a wireless communications system
US7533409B2 (en) 2001-03-22 2009-05-12 Corente, Inc. Methods and systems for firewalling virtual private networks
SE0101087D0 (en) 2001-03-26 2001-03-26 Obnex Technologies Hb System for distribution of position-dependent information
US20020147928A1 (en) 2001-04-10 2002-10-10 Motorola, Inc. Method of information dissemination in a network of end terminals
GB0109525D0 (en) 2001-04-18 2001-06-06 Telsis Holdings Ltd Managing text message traffic in mobile telephone networks
US20020187794A1 (en) 2001-05-04 2002-12-12 Comverse Network Systems, Ltd. SMS automatic reply and automatic handling
TW511365B (en) 2001-05-15 2002-11-21 Corbett Wall Method allowing individual user to record song and forward to others for listening by connecting to a service provider with telecommunication device signal
AU2002328129A1 (en) 2001-06-22 2003-01-08 Emblaze Systems, Ltd. Mms system and method with protocol conversion suitable for mobile/portable handset display
KR20030000491A (en) 2001-06-25 2003-01-06 에스케이 텔레콤주식회사 Method for forwarding a short message
US7389118B2 (en) 2001-06-29 2008-06-17 Nokia Corporation System and method for person-to-person messaging with a value-added service
WO2003024136A1 (en) 2001-09-12 2003-03-20 Aircross Co., Ltd. Push advertisement in mobile communications network and mobile terminal suitable for the same
US20030069991A1 (en) 2001-10-09 2003-04-10 Brescia Paul T. Location-based address provision
US6996579B2 (en) 2001-11-02 2006-02-07 At&T Corp. E-coupon service for location-aware mobile commerce which determines whether to supply requested e-coupons based on the number of requests received in a processing cycle, and a threshold number of requests required to make expected returns from redeemed coupons greater than advertising fees
US7116972B1 (en) 2001-11-16 2006-10-03 Sprint Spectrum L.P. Method and system for control over call handling
US7072667B2 (en) 2001-12-31 2006-07-04 Nokia Corporation Location information service for a cellular telecommunications network
ITPI20020025A1 (en) 2002-04-18 2003-10-20 Pietro Baracco METHOD TO MODIFY THE TEXT OF A MESSAGE SENT BETWEEN TWO TELEPHONE TERMINALS
WO2004010257A2 (en) 2002-07-19 2004-01-29 M-Qube, Inc. System and method to initiate a mobile data communication utilizing a trigger system
US20040019695A1 (en) 2002-07-25 2004-01-29 International Business Machines Corporation Messaging system and method using alternative message delivery paths
FR2844948B1 (en) 2002-09-23 2005-01-07 Eastman Kodak Co METHOD FOR ARCHIVING MULTIMEDIA MESSAGES
US20040203581A1 (en) 2002-10-07 2004-10-14 Msafe Ltd. Method system and device for monitoring data pushed to a wireless communication device
US20050021666A1 (en) 2002-10-08 2005-01-27 Dinnage David M. System and method for interactive communication between matched users
KR100511300B1 (en) 2002-12-31 2005-08-31 엘지전자 주식회사 Method for enhanced short message service
DE10303958B4 (en) 2003-01-31 2005-03-03 Siemens Ag Method and system for inserting a multimedia message multiple element into a multimedia message
US7248857B1 (en) 2004-02-27 2007-07-24 Cingular Wireless Ii, Llc System and method for enhanced message notification
ATE378759T1 (en) 2003-05-06 2007-11-15 Cvon Innovations Ltd MESSAGE TRANSMISSION SYSTEM AND INFORMATION SERVICE
ZA200509020B (en) 2003-05-08 2008-02-27 Kahn Ari Call management protocol for insufficient credit
WO2004102345A2 (en) 2003-05-09 2004-11-25 Tekelec Methods and systems for providing short message gateway functionality in a telecommunications network
US7299050B2 (en) 2003-05-12 2007-11-20 Tekelec Methods and systems for generating, distributing, and screening commercial content
JP4874799B2 (en) 2003-05-15 2012-02-15 華為技術有限公司 System and method for providing RBT (ringing tone) in a communication network
CA2526415C (en) 2003-05-16 2014-09-16 Gerald Hewes Mobile messaging short code translation and routing system and method
US20040243719A1 (en) 2003-05-28 2004-12-02 Milt Roselinsky System and method for routing messages over disparate networks
US7660898B2 (en) 2003-07-29 2010-02-09 At&T Intellectual Property I, L.P. Presence enhanced telephony service architecture
US20080125117A1 (en) * 2004-02-18 2008-05-29 John Yue Jun Jiang Method and system for providing roaming services to outbound roamers using home network Gateway Location Register
EP1661380A4 (en) 2003-09-04 2007-06-13 Emc Corp Data message mirroring and redirection
US7447219B2 (en) 2003-09-29 2008-11-04 Redknee Inc. System and method for implementing a universal messaging gateway (UMG)
CN1625146A (en) 2003-12-02 2005-06-08 华为技术有限公司 Method and system for realizing sharing intelligent route
US20050130685A1 (en) 2003-12-12 2005-06-16 Mark Jenkin Method and apparatus for inserting information into an unused portion of a text message
US7269431B1 (en) 2004-01-16 2007-09-11 Cingular Wireless Ii, Llc System for forwarding SMS messages to other devices
US8112103B2 (en) 2004-01-16 2012-02-07 Kuang-Chao Eric Yeh Methods and systems for mobile device messaging
KR100600335B1 (en) 2004-03-22 2006-07-14 주식회사 팬택앤큐리텔 Data provision method with short message service
US20070287463A1 (en) 2004-03-29 2007-12-13 Intellprop Limited Telecommunications Services Apparatus And Method For Modifying The Routing Of Mobile Terminated Short Messages (Sms)
US7961663B2 (en) 2004-04-05 2011-06-14 Daniel J. LIN Peer-to-peer mobile instant messaging method and device
US20050239448A1 (en) 2004-04-12 2005-10-27 Bayne Anthony J System and method for the distribution of advertising and associated coupons via mobile media platforms
US7120455B1 (en) 2004-05-20 2006-10-10 Cellco Partnership Method and system for mobile instant messaging using multiple interfaces
US7155243B2 (en) 2004-06-15 2006-12-26 Tekelec Methods, systems, and computer program products for content-based screening of messaging service messages
CN101053264B (en) 2004-08-14 2011-03-23 基鲁萨有限公司 Methods for identifying messages and communicating with users of a multimodal message service
US20060047572A1 (en) 2004-08-26 2006-03-02 Jeffery Moore Text and multimedia messaging-based layered service and contact method, auction method and method of conducting business
AU2005298424C1 (en) 2004-10-27 2010-03-04 Intellprop Limited Telecommunications services apparatus and methods
GB0425905D0 (en) 2004-11-25 2004-12-29 Intellprop Ltd Telecommunications services apparatus and method
WO2006062900A2 (en) 2004-12-06 2006-06-15 Roamware, Inc. Scalable message forwarding
US7454164B2 (en) 2004-12-28 2008-11-18 Lucent Technologies Inc. Providing a multimedia message with a multimedia messaging service message in a mobile environment
US7941165B2 (en) 2005-03-02 2011-05-10 Cisco Technology, Inc. System and method for providing a proxy in a short message service (SMS) environment
US20060218613A1 (en) 2005-03-22 2006-09-28 Bushnell William J System and method for acquiring on-line content via wireless communication device
US8014762B2 (en) 2005-03-31 2011-09-06 Qualcomm Incorporated Time and location-based non-intrusive advertisements and informational messages
US7209759B1 (en) 2005-06-23 2007-04-24 Cisco Technology, Inc. Method and system for customizing distributed short message routing
US8099114B2 (en) 2005-07-28 2012-01-17 At&T Mobility Ii Llc Personal short codes for SMS
US20070072591A1 (en) 2005-09-23 2007-03-29 Mcgary Faith Enhanced directory assistance system and method including location search functions
US8677020B2 (en) 2005-10-17 2014-03-18 Amobee Inc. Device, system and method of wireless delivery of targeted advertisements
US20080051066A1 (en) 2005-12-05 2008-02-28 Fonemine, Inc. Digital personal assistant and automated response system
IL173011A (en) 2006-01-08 2012-01-31 Picscout Ltd Image insertion for cellular text messaging
US20070168432A1 (en) * 2006-01-17 2007-07-19 Cibernet Corporation Use of service identifiers to authenticate the originator of an electronic message
US20070206747A1 (en) 2006-03-01 2007-09-06 Carol Gruchala System and method for performing call screening
US7817987B2 (en) 2006-03-07 2010-10-19 Motorola, Inc. Apparatus and method for handling messaging service message adaptation
US7912908B2 (en) 2006-03-27 2011-03-22 Alcatel-Lucent Usa Inc. Electronic message forwarding control
US7747264B2 (en) 2006-05-18 2010-06-29 Myriad Group Ag Method and apparatus for delivering advertisements to mobile users
US8170584B2 (en) 2006-06-06 2012-05-01 Yahoo! Inc. Providing an actionable event in an intercepted text message for a mobile device based on customized user information
US9219952B2 (en) 2006-06-09 2015-12-22 Starscriber Corporation Voiding calls to signal supplementary services
KR20080006225A (en) 2006-07-11 2008-01-16 에스케이 텔레콤주식회사 Service system and method of instant transmission premium sms
US7606202B2 (en) 2006-07-28 2009-10-20 Tekelec Methods, systems, and computer program products for offloading call control services from a first network of a first type to a second network of a second type
US8204057B2 (en) 2006-10-26 2012-06-19 Tekelec Global, Inc. Methods, systems, and computer program products for providing an enriched messaging service in a communications network
US8199892B2 (en) 2006-10-26 2012-06-12 Tekelec Methods, systems, and computer program products for providing a call attempt triggered messaging service in a communications network
US20080113677A1 (en) 2006-11-11 2008-05-15 Rajeev Kumar Madnawat Mobile to mobile service invocation framework using text messsaging
KR100850734B1 (en) 2006-12-13 2008-08-06 삼성전자주식회사 Method For Transmitting Message Of Portable Terminal
US20080161028A1 (en) 2007-01-03 2008-07-03 Tekelec Methods, systems and computer program products for a redundant, geographically diverse, and independently scalable message service (MS) content store
US7941129B2 (en) 2007-01-11 2011-05-10 At&T Mobility Ii Llc Multi-way messaging with forwarding
US20080207181A1 (en) 2007-02-28 2008-08-28 Roamware Method and system for applying value added services on messages sent to a subscriber without affecting the subscriber's mobile communication
KR20080111175A (en) 2007-03-30 2008-12-23 (주)옴니텔 System and method for advertisement using free sms
US7930208B2 (en) 2007-03-30 2011-04-19 Wmode Incorporated Method and system for delivery of advertising content in short message service (SMS) messages
WO2008130565A1 (en) 2007-04-16 2008-10-30 Roamware, Inc. Method and system for inserting advertisement content into a text message
US20100210292A1 (en) 2009-02-16 2010-08-19 Eloy Johan Lambertus Nooren Extending a text message with content
US20100235911A1 (en) 2009-03-11 2010-09-16 Eloy Johan Lambertus Nooren Systems, methods, and computer readable media for detecting and mitigating address spoofing in messaging service transactions
US20100233992A1 (en) 2009-03-11 2010-09-16 Eloy Johan Lambertus Nooren Methods, systems, and computer readable media for short message service (sms) forwarding

Patent Citations (16)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US6091958A (en) * 1997-02-14 2000-07-18 Telefonaktiebolaget Lm Ericsson Mobile stations' geographical position determination, method and arrangement
US6308075B1 (en) * 1998-05-04 2001-10-23 Adc Telecommunications, Inc. Method and apparatus for routing short messages
US20020193127A1 (en) * 1999-11-17 2002-12-19 Andreas Martschitsch Method and system for preparing and transmitting SMS messages in a mobile radio network
US20020181448A1 (en) * 1999-12-22 2002-12-05 Sami Uskela Prevention of spoofing in telecommunications systems
US20010046856A1 (en) * 2000-03-07 2001-11-29 Mccann Thomas Matthew Methods and systems for mobile application part (MAP) screening
US20020098856A1 (en) * 2000-12-05 2002-07-25 Andreas Berg Method and apparatus for sending out short messages from a mobile terminal in a mobile radio network
US20050182968A1 (en) * 2002-01-24 2005-08-18 David Izatt Intelligent firewall
US20080004047A1 (en) * 2004-03-18 2008-01-03 Telsis Holdings Limited Telecommunications Services Apparatus and Methods
US20070281718A1 (en) * 2004-04-14 2007-12-06 Nooren Consulting B.V. Method for Preventing the Delivery of Short Message Service Message Spam
US20050232236A1 (en) * 2004-04-14 2005-10-20 Tekelec Methods and systems for mobile application part (MAP) screening in transit networks
US20060028429A1 (en) * 2004-08-09 2006-02-09 International Business Machines Corporation Controlling devices' behaviors via changes in their relative locations and positions
US20080045246A1 (en) * 2004-10-14 2008-02-21 Anam Mobile Limited Messaging System and Method
US20070011261A1 (en) * 2004-12-03 2007-01-11 Madams Peter H C Apparatus for executing an application function using a mail link and methods therefor
US20060211406A1 (en) * 2005-03-17 2006-09-21 Nokia Corporation Providing security for network subscribers
US20080026778A1 (en) * 2006-07-25 2008-01-31 Yigang Cai Message spoofing detection via validation of originating switch
US20100105355A1 (en) * 2008-10-17 2010-04-29 Eloy Johan Lambertus Nooren Methods, systems, and computer readable media for detection of an unauthorized service message in a network

Cited By (33)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US8949355B2 (en) * 2007-10-24 2015-02-03 Blackberry Limited Method for disambiguating email recipient fields in an electronic device
US20100105355A1 (en) * 2008-10-17 2010-04-29 Eloy Johan Lambertus Nooren Methods, systems, and computer readable media for detection of an unauthorized service message in a network
US8326265B2 (en) 2008-10-17 2012-12-04 Tekelec Netherlands Group, B.V. Methods, systems, and computer readable media for detection of an unauthorized service message in a network
US8908864B2 (en) 2009-03-11 2014-12-09 Tekelec Netherlands Group, B.V. Systems, methods, and computer readable media for detecting and mitigating address spoofing in messaging service transactions
US8909266B2 (en) 2009-03-11 2014-12-09 Tekelec Netherlands Group, B.V. Methods, systems, and computer readable media for short message service (SMS) forwarding
WO2013124152A1 (en) * 2012-02-23 2013-08-29 Markport Limited A home routing system and method for mobile networks
US20150024740A1 (en) * 2012-02-23 2015-01-22 Markport Limited A home routing system and method for mobile networks
US9338618B2 (en) * 2012-02-23 2016-05-10 Markport Limited Home routing system and method for mobile networks
US20160174077A1 (en) * 2013-05-23 2016-06-16 Markport Limited SMS Fraud Detection
US9661502B2 (en) * 2013-05-23 2017-05-23 Markport Limited SMS fraud detection
US11349792B2 (en) * 2015-01-30 2022-05-31 Sinch Sweden Ab Identification of sources of media traffic through a network
US9565528B2 (en) * 2015-04-08 2017-02-07 Verizon Patent And Licensing Inc. Providing a message based on translating a beacon identifier to a virtual beacon identifier
CN108243420A (en) * 2016-12-26 2018-07-03 中国移动通信集团公司 A kind of processing method and processing device of fraud text message number
US10616200B2 (en) 2017-08-01 2020-04-07 Oracle International Corporation Methods, systems, and computer readable media for mobility management entity (MME) authentication for outbound roaming subscribers using diameter edge agent (DEA)
CN109996191A (en) * 2017-12-29 2019-07-09 中兴通讯股份有限公司 Multimedia message verification method, server, mobile terminal and computer readable storage medium
CN108810833A (en) * 2018-05-18 2018-11-13 努比亚技术有限公司 Phone number binding information management method, device and computer readable storage medium
CN112119385A (en) * 2018-05-24 2020-12-22 德州仪器公司 System-on-chip firewall memory architecture
US10931668B2 (en) 2018-06-29 2021-02-23 Oracle International Corporation Methods, systems, and computer readable media for network node validation
US10834045B2 (en) 2018-08-09 2020-11-10 Oracle International Corporation Methods, systems, and computer readable media for conducting a time distance security countermeasure for outbound roaming subscribers using diameter edge agent
US10952063B2 (en) 2019-04-09 2021-03-16 Oracle International Corporation Methods, systems, and computer readable media for dynamically learning and using foreign telecommunications network mobility management node information for security screening
US11411925B2 (en) 2019-12-31 2022-08-09 Oracle International Corporation Methods, systems, and computer readable media for implementing indirect general packet radio service (GPRS) tunneling protocol (GTP) firewall filtering using diameter agent and signal transfer point (STP)
US11553342B2 (en) 2020-07-14 2023-01-10 Oracle International Corporation Methods, systems, and computer readable media for mitigating 5G roaming security attacks using security edge protection proxy (SEPP)
US11751056B2 (en) 2020-08-31 2023-09-05 Oracle International Corporation Methods, systems, and computer readable media for 5G user equipment (UE) historical mobility tracking and security screening using mobility patterns
US11825310B2 (en) 2020-09-25 2023-11-21 Oracle International Corporation Methods, systems, and computer readable media for mitigating 5G roaming spoofing attacks
US11832172B2 (en) 2020-09-25 2023-11-28 Oracle International Corporation Methods, systems, and computer readable media for mitigating spoofing attacks on security edge protection proxy (SEPP) inter-public land mobile network (inter-PLMN) forwarding interface
US11622255B2 (en) 2020-10-21 2023-04-04 Oracle International Corporation Methods, systems, and computer readable media for validating a session management function (SMF) registration request
US11528251B2 (en) 2020-11-06 2022-12-13 Oracle International Corporation Methods, systems, and computer readable media for ingress message rate limiting
US11770694B2 (en) 2020-11-16 2023-09-26 Oracle International Corporation Methods, systems, and computer readable media for validating location update messages
US11818570B2 (en) 2020-12-15 2023-11-14 Oracle International Corporation Methods, systems, and computer readable media for message validation in fifth generation (5G) communications networks
US11812271B2 (en) 2020-12-17 2023-11-07 Oracle International Corporation Methods, systems, and computer readable media for mitigating 5G roaming attacks for internet of things (IoT) devices based on expected user equipment (UE) behavior patterns
US11700510B2 (en) 2021-02-12 2023-07-11 Oracle International Corporation Methods, systems, and computer readable media for short message delivery status report validation
US11516671B2 (en) 2021-02-25 2022-11-29 Oracle International Corporation Methods, systems, and computer readable media for mitigating location tracking and denial of service (DoS) attacks that utilize access and mobility management function (AMF) location service
US11689912B2 (en) 2021-05-12 2023-06-27 Oracle International Corporation Methods, systems, and computer readable media for conducting a velocity check for outbound subscribers roaming to neighboring countries

Also Published As

Publication number Publication date
US20130095793A1 (en) 2013-04-18
US8908864B2 (en) 2014-12-09
WO2010105099A3 (en) 2011-01-13
WO2010105099A2 (en) 2010-09-16

Similar Documents

Publication Publication Date Title
US8908864B2 (en) Systems, methods, and computer readable media for detecting and mitigating address spoofing in messaging service transactions
US11265695B2 (en) MMS termination on different networks
US8005493B2 (en) Messaging system and method
US7797003B2 (en) Telecommunication services apparatus and methods for addressing the problem of mobile terminated message faking
US7751836B2 (en) Methods, systems, and computer program products for short message service (SMS) spam filtering using e-mail spam filtering resources
US8199892B2 (en) Methods, systems, and computer program products for providing a call attempt triggered messaging service in a communications network
US8879526B2 (en) Method and system for addressing a mobile terminal
US20080207181A1 (en) Method and system for applying value added services on messages sent to a subscriber without affecting the subscriber's mobile communication
US11700510B2 (en) Methods, systems, and computer readable media for short message delivery status report validation
EP3000212B1 (en) Sms fraud detection
US20060211406A1 (en) Providing security for network subscribers
US10498678B2 (en) Method for user reporting of spam mobile messages and filter node
US20070287463A1 (en) Telecommunications Services Apparatus And Method For Modifying The Routing Of Mobile Terminated Short Messages (Sms)
JP2006178999A (en) Storage of anti-spam black list
US20160255567A1 (en) Methods, network control nodes and communication devices for routing signalling requests in a communication system
WO2003019969A1 (en) Method and system for routing calls to a mobile telecommunications device
EP1865731A1 (en) A method for realizing short message called service and a short message process system
US20200252772A1 (en) System and method for communicating across multiple network types
US20100112993A1 (en) Method, device and system for message identification
EP2387259B1 (en) Method for routing a message
GB2435156A (en) Communication system for accessing more than one device at a single address
US7444131B2 (en) Method and apparatus for rerouting terminations for CALEA targets through a predetermined surveilling MSC
US9338618B2 (en) Home routing system and method for mobile networks
WO2008073234A2 (en) Method and system for applying value added services on messages sent to a subscriber without affecting the subscriber's mobile communication
IES84271Y1 (en) A messaging system and method

Legal Events

Date Code Title Description
AS Assignment

Owner name: TEKELEC, NORTH CAROLINA

Free format text: ASSIGNMENT OF ASSIGNORS INTEREST;ASSIGNOR:NOOREN, ELOY JOHAN LAMBERTUS;REEL/FRAME:024430/0936

Effective date: 20100413

AS Assignment

Owner name: TEKELEC, NORTH CAROLINA

Free format text: CORRECTIVE ASSIGNMENT;ASSIGNOR:NOOREN, ELOY JOHAN LAMBERTUS;REEL/FRAME:026617/0628

Effective date: 20110704

AS Assignment

Owner name: WILMINGTON TRUST, NATIONAL ASSOCIATION, MINNESOTA

Free format text: SECURITY INTEREST;ASSIGNORS:TEKELEC;CAMIANT, INC.;REEL/FRAME:028035/0659

Effective date: 20120127

AS Assignment

Owner name: TEKELEC GLOBAL, INC., NORTH CAROLINA

Free format text: CHANGE OF NAME;ASSIGNOR:TEKELEC;REEL/FRAME:028078/0287

Effective date: 20120130

AS Assignment

Owner name: TEKELEC AND CAMIANT, INC., NORTH CAROLINA

Free format text: TERMINATION OF SECURITY INTERESTS;ASSIGNOR:WILMINGTON TRUST, NATIONAL ASSOCIATION;REEL/FRAME:028856/0396

Effective date: 20120812

Owner name: TEKELEC NETHERLANDS GROUP, B.V., NETHERLANDS

Free format text: ASSIGNMENT OF ASSIGNORS INTEREST;ASSIGNOR:TEKELEC INTERNATIONAL SPRL;REEL/FRAME:028853/0469

Effective date: 20120812

Owner name: TEKELEC INTERNATIONAL SPRL, BELGIUM

Free format text: ASSIGNMENT OF ASSIGNORS INTEREST;ASSIGNOR:TEKELEC GLOBAL, INC.;REEL/FRAME:028853/0324

Effective date: 20120812

STCB Information on status: application discontinuation

Free format text: ABANDONED -- FAILURE TO RESPOND TO AN OFFICE ACTION