Intrusion detection on telephony networks
With the explosion in the mobile communications sector, the deregulation of public switched telecommunication networks (PSTN) as well as the introduction of many new services the dependence on the signalling system 7 (SS7) network has rapidly increased over the last two decades. Typically, monitoring systems on telephony networks have focused on fraud detection however the need for more effective and low-latency detection of attacks on today’s communication infrastructure has become indispensable (Gormann and Ruhl, 1999). Attacks range from fraudulent access to network services and databases (e.g., HLR) to gain access to private or sensitive information to denial of service type attacks to disrupt or deny telecommunication services.
P1 Telecom Monitor (PTM) is an Intrusion Detection System (IDS) specifically designed for SS7 and SIGTRAN networks. It is composed of a realtime detection framework and a reporting and monitoring user interface. PTM’s design allows it to be easily scaled from a single network tap to large-scale deployments throughout the network to be protected. The network traffic is filtered and processed in a decentralized manner while alerts are collected in a central datastore.
The PTM detection framework’s modular design allows us to quickly adapt and extend it to new attack types. Detectors are implemented as independent modules exposing a simple callback interface invoked by the detector framework upon interception of new traffic.
Attacks can often not be discerned from normal traffic by analyzing single packets, PTM also allows time-correlated events to be detected.
We believe that even the best IDS will be of little value if the detected events are not quickly translated into alerts and a response from the operations team. This is why PTM also offers a comprehensive web-based monitoring interface. On the one hand, a simple dashboard allows the engineer to gain a quick overview of the current status of the network and the most important threats. Aggregate statistics and real-time charts expose network activity and top attacks. On the other hand, detailed tabular reports allow the operator to understand and reconstruct events precisely and to react in the most appropriate fashion.
The combination of a scalable realtime traffic monitor, an extensible event-detector framework and simple yet powerful interface position P1 Telecom Monitor at the forefront of intrusion detection systems in the telecommunications sector.