authorTom2012-06-10 18:34:23 +0200
committerTom2012-06-10 18:34:23 +0200
commit7d99a18c935659967b19051f999e3fc353720e56 (patch)
tree29a8e30be74f1c45bd480375a601c7db15d8993e
parentchanged images (diff)
downloadimsi-catcher-detection-7d99a18c935659967b19051f999e3fc353720e56.tar.gz
imsi-catcher-detection-7d99a18c935659967b19051f999e3fc353720e56.tar.xz
imsi-catcher-detection-7d99a18c935659967b19051f999e3fc353720e56.zip
increased shininess
-rw-r--r--Src/PyCatcher/Databases/foobar.dbbin0 -> 2048 bytes
-rw-r--r--Src/PyCatcher/Databases/home.csv10
-rw-r--r--Src/PyCatcher/Databases/home.dbbin5120 -> 5120 bytes
-rw-r--r--Src/PyCatcher/GUI/catcher_main.glade45
-rw-r--r--Src/PyCatcher/foo.py24
-rw-r--r--Src/PyCatcher/src/driverConnector.py8
-rw-r--r--Src/PyCatcher/src/evaluators.py38
-rw-r--r--Src/PyCatcher/src/localAreaDatabse.py55
-rw-r--r--Src/PyCatcher/src/pyCatcherController.py68
-rw-r--r--Src/PyCatcher/src/pyCatcherModel.py16
-rw-r--r--Src/PyCatcher/src/pyCatcherView.py5
-rw-r--r--Src/PyCatcher/src/rules.py70
-rw-r--r--Src/PyCatcher/src/settings.py14
-rw-r--r--Tex/Content/Abstract.log82
-rw-r--r--Tex/Content/Abstract.tex33
-rw-r--r--Tex/Content/Acknowledgements.tex19
-rw-r--r--Tex/Content/Appendix.tex91
-rw-r--r--Tex/Content/Bibliography.bib269
-rw-r--r--Tex/Content/Conclusion.tex11
-rw-r--r--Tex/Content/Dedication.tex7
-rw-r--r--Tex/Content/Detection.tex62
-rw-r--r--Tex/Content/Evaluation.tex293
-rw-r--r--Tex/Content/GSM_short.tex5
-rw-r--r--Tex/Content/Motivation.tex24
-rw-r--r--Tex/Master/Master.acn250
-rw-r--r--Tex/Master/Master.aux353
-rw-r--r--Tex/Master/Master.bbl221
-rw-r--r--Tex/Master/Master.blg75
-rw-r--r--Tex/Master/Master.dvibin258028 -> 402428 bytes
-rw-r--r--Tex/Master/Master.ist2
-rw-r--r--Tex/Master/Master.lof34
-rw-r--r--Tex/Master/Master.log473
-rw-r--r--Tex/Master/Master.lot24
-rw-r--r--Tex/Master/Master.pdfbin18951952 -> 20274633 bytes
-rw-r--r--Tex/Master/Master.synctex.gzbin740092 -> 804846 bytes
-rw-r--r--Tex/Master/Master.tex25
-rw-r--r--Tex/Master/Master.toc85
-rw-r--r--Tex/Master/Titlepage.tex5
38 files changed, 1614 insertions, 1182 deletions
diff --git a/Src/PyCatcher/Databases/foobar.db b/Src/PyCatcher/Databases/foobar.db
new file mode 100644
index 0000000..9f7c605
--- /dev/null
+++ b/Src/PyCatcher/Databases/foobar.db
Binary files differ
diff --git a/Src/PyCatcher/Databases/home.csv b/Src/PyCatcher/Databases/home.csv
index 89e2960..d77926c 100644
--- a/Src/PyCatcher/Databases/home.csv
+++ b/Src/PyCatcher/Databases/home.csv
@@ -1,3 +1,9 @@
Country, Provider, ARFCN, rxlev, BSIC, LAC, Cell ID, Evaluation, Latitude, Longitude, Encryption, DB Status, DB Provider, Neighbours
-Germany, Vodafone, 62, -76, 7/4, 793, 21791, Ok, 0, 0, Not checked., Not looked up, None, 1 3 6 55 60 65 70 75 107 111 113 115 119
-Germany, Vodafone, 3, -83, 7/3, 793, 45352, Ok, 0, 0, Not checked., Not looked up, None, 1 6 55 62 65 70 75 111 113 119 725 729 731
+afone, 62, -75, 7/4, 793, 21791, Ok, 0, 0, Not looked up, None, 1 3 6 55 60 65 70 75 107 111 113 115 119
+Germany, Vodafone, 3, -84, 7/3, 793, 45352, Ok, 0, 0, Not looked up, None, 1 6 55 62 65 70 75 111 113 119 725 729 731
+Germany, Vodafone, 119, -89, 3/2, 793, 21781, Ok, 0, 0, Not looked up, None, 1 3 6 62 65 66 75 79 107 108 111 113 725 731
+Germany, T-Mobile, 49, -89, 7/0, 21014, 6321, Warning, 0, 0, Not looked up, None, 17 19 21 84 89 93 96 97 124
+Germany, Vodafone, 6, -88, 7/6, 793, 19222, Critical, 0, 0, Not looked up, None, 1 3 10 52 55 57 60 62 107 111 115 119 121
+Germany, O2, 1022, -90, 7/3, 50945, 39093, Critical, 0, 0, Not looked up, None, 654 667 670 675 682 705 711 721 1003 1014 1016 1020
+Germany, T-Mobile, 100, -90, 7/5, 21014, 47560, Critical, 0, 0, Not looked up, None, 17 18 21 29 31 36 97 98
+Germany, E-Plus, 812, -80, 3/6, 588, 7098, Critical, 0, 0, Not looked up, None, 803 809 820 822 823 825 828 977 990
diff --git a/Src/PyCatcher/Databases/home.db b/Src/PyCatcher/Databases/home.db
index 4c9ef1e..f91ad9e 100644
--- a/Src/PyCatcher/Databases/home.db
+++ b/Src/PyCatcher/Databases/home.db
Binary files differ
diff --git a/Src/PyCatcher/GUI/catcher_main.glade b/Src/PyCatcher/GUI/catcher_main.glade
index 65454cd..43747c9 100644
--- a/Src/PyCatcher/GUI/catcher_main.glade
+++ b/Src/PyCatcher/GUI/catcher_main.glade
@@ -404,24 +404,6 @@ Available Evaluators
</packing>
</child>
<child>
- <object class="GtkRadioButton" id="rb_weighted_evaluator">
- <property name="label" translatable="yes">Weighted Evaluator</property>
- <property name="visible">True</property>
- <property name="can_focus">True</property>
- <property name="receives_default">False</property>
- <property name="use_action_appearance">False</property>
- <property name="xalign">0</property>
- <property name="active">True</property>
- <property name="draw_indicator">True</property>
- <property name="group">rb_conservative_evaluator</property>
- </object>
- <packing>
- <property name="expand">True</property>
- <property name="fill">True</property>
- <property name="position">2</property>
- </packing>
- </child>
- <child>
<object class="GtkRadioButton" id="rb_grouped_evaluator">
<property name="label" translatable="yes">Grouped Evaluator</property>
<property name="visible">True</property>
@@ -436,7 +418,7 @@ Available Evaluators
<packing>
<property name="expand">False</property>
<property name="fill">True</property>
- <property name="position">3</property>
+ <property name="position">2</property>
</packing>
</child>
</object>
@@ -1219,6 +1201,23 @@ PCH Scan Parameters
</packing>
</child>
<child>
+ <object class="GtkCheckButton" id="cb_integrate_pch">
+ <property name="label" translatable="yes">Integrate PCH Scans with Model</property>
+ <property name="visible">True</property>
+ <property name="can_focus">True</property>
+ <property name="receives_default">False</property>
+ <property name="use_action_appearance">False</property>
+ <property name="xalign">0</property>
+ <property name="active">True</property>
+ <property name="draw_indicator">True</property>
+ </object>
+ <packing>
+ <property name="expand">True</property>
+ <property name="fill">True</property>
+ <property name="position">3</property>
+ </packing>
+ </child>
+ <child>
<object class="GtkLabel" id="label8">
<property name="visible">True</property>
<property name="can_focus">False</property>
@@ -1226,7 +1225,7 @@ PCH Scan Parameters
<packing>
<property name="expand">True</property>
<property name="fill">True</property>
- <property name="position">3</property>
+ <property name="position">4</property>
</packing>
</child>
<child>
@@ -1241,7 +1240,7 @@ PCH Scan Parameters
<packing>
<property name="expand">True</property>
<property name="fill">True</property>
- <property name="position">4</property>
+ <property name="position">5</property>
</packing>
</child>
<child>
@@ -1252,7 +1251,7 @@ PCH Scan Parameters
<packing>
<property name="expand">True</property>
<property name="fill">True</property>
- <property name="position">5</property>
+ <property name="position">6</property>
</packing>
</child>
<child>
@@ -1264,7 +1263,7 @@ PCH Scan Parameters
<packing>
<property name="expand">True</property>
<property name="fill">True</property>
- <property name="position">6</property>
+ <property name="position">7</property>
</packing>
</child>
</object>
diff --git a/Src/PyCatcher/foo.py b/Src/PyCatcher/foo.py
new file mode 100644
index 0000000..d6ce582
--- /dev/null
+++ b/Src/PyCatcher/foo.py
@@ -0,0 +1,24 @@
+max_prime = 30#775146
+candidates = range(2,max_prime)
+current_prime = 5
+primes = [2,3,5]
+
+while candidates and current_prime < max_prime:
+ if len(primes) %10 == 0:
+ print current_prime
+ for number in candidates:
+ if number % current_prime == 0:
+ candidates.remove(number)
+ current_prime = candidates[0]
+ candidates.remove(current_prime)
+ primes.append(current_prime)
+
+print primes
+
+result = 0
+
+for number in primes:
+ if 600851475143%number ==0:
+ result = number
+
+print result
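Review bot: The sieve loop removes items from `candidates` inside `for number in candidates:`, so the element after each removed one is skipped and composites survive into `primes`. Because `current_prime` starts at 5 while `candidates` still holds 2 and 3, the first `candidates[0]` is 2, which is then appended a second time. Rebuild the list instead, e.g. `candidates = [n for n in candidates if n % current_prime != 0]`, and guard `candidates[0]` against an empty list. The file looks like a scratch script unrelated to PyCatcher, so it probably should not be committed under `Src/PyCatcher/` at all.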
diff --git a/Src/PyCatcher/src/driverConnector.py b/Src/PyCatcher/src/driverConnector.py
index cf6f15a..97acf0a 100644
--- a/Src/PyCatcher/src/driverConnector.py
+++ b/Src/PyCatcher/src/driverConnector.py
@@ -217,6 +217,7 @@ class PCHThread(threading.Thread):
while(pch_retries > 0 and scan_time.seconds < max_scan_time and not self._thread_break):
scan_time = datetime.datetime.now() - start_time
poll_result = poll_obj.poll(0)
+ pch_failed = False
if poll_result:
line = scan_process.stdout.readline()
else:
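Review bot: `pch_failed = False` is assigned inside the `while` body, so the name is unbound if the loop never runs and is reset on every iteration. The later call `self._scan_finished_callback((arfcn, result), pch_failed)` would then raise a NameError, or report success after the retries were used up in an earlier iteration. Initialise it once before the loop, next to the other scan state, and only ever set it to `True` inside. The loop and the enclosing method start and end outside this hunk, so whether the zero-iteration case is reachable cannot be confirmed from here.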
@@ -240,6 +241,8 @@ class PCHThread(threading.Thread):
if 'FBSB RESP: result=255' in line:
if(pch_retries > 0):
retry = True
+ else:
+ pch_failed = True
break
if(retry):
@@ -251,9 +254,6 @@ class PCHThread(threading.Thread):
if scan_process:
scan_process.kill()
- print 'Different TMSI: %d'%len(self._tmsi_dict)
- for key, value in self._tmsi_dict.iteritems():
- print key, value
result = {
'Pagings': pages_found,
@@ -262,7 +262,7 @@ class PCHThread(threading.Thread):
}
if not self._thread_break:
- self._scan_finished_callback((arfcn, result))
+ self._scan_finished_callback((arfcn, result), pch_failed)
class BufferFillerThread(threading.Thread):
def __init__(self, buffer, process):
diff --git a/Src/PyCatcher/src/evaluators.py b/Src/PyCatcher/src/evaluators.py
index 759d400..d567de3 100644
--- a/Src/PyCatcher/src/evaluators.py
+++ b/Src/PyCatcher/src/evaluators.py
@@ -1,9 +1,8 @@
from rules import RuleResult
-from settings import Rule_Groups, Rule_Weights
+from settings import Rule_Groups
class EvaluatorSelect:
CONSERVATIVE = 0
- WEIGHTED = 1
GROUP = 2
class Evaluator:
@@ -32,16 +31,6 @@ class ConservativeEvaluator(Evaluator):
return final_result, {'Decision founded on': decision_rule}
-
-class WeightedEvaluator(Evaluator):
- identifier = 'Weighted Evaluator'
-
- def evaluate(self, result_list):
- for rule, evaluation in reseult_list:
- pass
-
-
-
class GroupEvaluator(Evaluator):
identifier = 'Group Evaluator'
@@ -50,28 +39,35 @@ class GroupEvaluator(Evaluator):
for group in Rule_Groups:
group_results.append(self.evaluate_group_results(self.convert_to_group_result_list(group,result_list)))
- if group_results.count(RuleResult.CRITICAL) > 0:
- return RuleResult.CRITICAL
- elif group_results.count(RuleResult.WARNING) > 0:
- return RuleResult.WARNING
+ criticals = group_results.count(RuleResult.CRITICAL)
+ warnings = group_results.count(RuleResult.WARNING)
+ oks = group_results.count(RuleResult.OK)
+
+ if criticals > 0:
+ return RuleResult.CRITICAL,{'Criticals': criticals, 'Warnings': warnings, 'Oks':oks}
+ elif warnings > 0:
+ return RuleResult.WARNING,{'Criticals': criticals, 'Warnings': warnings, 'Oks':oks}
+ elif oks > 0:
+ return RuleResult.OK,{'Criticals': criticals, 'Warnings': warnings, 'Oks':oks}
else:
- return RuleResult.OK
+ return RuleResult.CRITICAL,{'Reason': 'No evaluation possible, all active rules yield IGNORE.'}
def convert_to_group_result_list(self, group, result_list):
group_result_list = []
for rule in group:
- group_results.append(result_list[rule])
+ if result_list.has_key(rule):
+ group_result_list.append(result_list[rule])
return group_result_list
def evaluate_group_results(self, results):
oks = results.count(RuleResult.OK)
warnings = results.count(RuleResult.WARNING)
criticals = results.count(RuleResult.CRITICAL)
- if criticals >= oks and criticals >= warnings:
+ if criticals >= oks and criticals >= warnings and not criticals == 0:
return RuleResult.CRITICAL
- elif warnings >= oks and warnings>= criticals:
+ elif warnings >= oks and warnings>= criticals and not warnings == 0:
return RuleResult.WARNING
- elif oks >= criticals and oks >= warnings:
+ elif oks >= criticals and oks >= warnings and not oks == 0:
return RuleResult.OK
else:
return RuleResult.IGNORE
\ No newline at end of file
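Review bot: The new guard `if result_list.has_key(rule):` in `convert_to_group_result_list` silently drops any name in `Rule_Groups` that has no entry in `result_list`, so a misspelt or renamed rule quietly stops counting towards the verdict. This commit already hits that case: `settings.py` lists `'Fully Discovered Neighbourhoods'`, while `rules.py` renames the identifier to `'Discovered Neighbours'` (assuming `result_list` is keyed by rule identifier, which is not shown here). Keep the guard but make the miss visible, and correct the group entry in `settings.py`. `rule in result_list` is the preferred spelling over `has_key`, and the three identical count dictionaries in `evaluate` could be built once before the `if` chain.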
diff --git a/Src/PyCatcher/src/localAreaDatabse.py b/Src/PyCatcher/src/localAreaDatabse.py
index de08035..99f3971 100644
--- a/Src/PyCatcher/src/localAreaDatabse.py
+++ b/Src/PyCatcher/src/localAreaDatabse.py
@@ -7,6 +7,7 @@ class LocalAreaDatabase:
def __init__(self):
self._connection = None
self._cursor = None
+ self.cache = []
def load_or_create_database(self, name):
if self._connection:
@@ -22,6 +23,8 @@ class LocalAreaDatabase:
if not database_exists:
self._create_base_table()
+ self.refresh_object_cache()
+
def _create_base_table(self):
sql = '''CREATE TABLE basestations(
cellid INTEGER, country TEXT, provider TEXT, arfcn INTEGER, bsic TEXT, lac INTEGER,
@@ -65,6 +68,31 @@ class LocalAreaDatabase:
self._connection.commit()
def get_station(self, cellID):
+ for item in self.cache:
+ if item.cellID == cellID:
+ return item
+ return None
+
+ def refresh_object_cache(self):
+ if not self._connection:
+ return
+ self.cache = []
+ sql = 'SELECT * FROM basestations'
+ self._cursor.execute(sql)
+ try:
+ result = self._cursor.fetchall()
+ for line in result:
+ self.cache.append(
+ LACDBEntry(
+ line[0], line[1], line[2], line[3], line[4],
+ line[5], line[6], line[7],line[8]
+ )
+ )
+ except:
+ print 'shouldnt happen'
+ return
+
+ def _get_station(self, cellID):
if not self._connection:
return None
sql = 'SELECT * FROM basestations WHERE cellid =%d'%cellID
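Review bot: The bare `except:` in `refresh_object_cache` swallows every exception, including KeyboardInterrupt, and reports only `'shouldnt happen'`. The `self._cursor.execute(sql)` call, which is the statement most likely to fail, sits outside the `try`. A failure part-way through also leaves `self.cache` partially filled, and `get_station` then returns `None` for cells that are in the database, which `LocationAreaDatabaseRule` turns into CRITICAL. Catch the database driver's error type around both `execute` and `fetchall`, log the exception text, and build the new list in a local before assigning it to `self.cache`. The cache appears to be refreshed only on load and location change, so entries written by `insert_or_alter_base_station` may stay invisible to `get_station` until then; that method's body is outside this hunk.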
@@ -80,7 +108,7 @@ class LocalAreaDatabase:
self.insert_or_alter_base_station(station)
def insert_or_alter_base_station(self, base_station):
- lookupresult = self.get_station(base_station.cell)
+ lookupresult = self._get_station(base_station.cell)
if lookupresult:
self._alter_station(base_station,lookupresult[6],lookupresult[7],lookupresult[8])
else:
@@ -90,4 +118,27 @@ class LocalAreaDatabase:
if self._cursor:
self._cursor.close()
if self._connection:
- self._connection.close()
\ No newline at end of file
+ self._connection.close()
+
+class LACDBEntry():
+ def __init__(self, cellID, country, provider, arfcn, bsic, lac, rxmin, rxmax, sightings):
+ self.cellID = cellID
+ self.country = country
+ self.provider = provider
+ self.arfcn = arfcn
+ self.bsic = bsic
+ self.lac = lac
+ self.rxmin = rxmin
+ self.rxmax = rxmax
+ self.sightings = sightings
+
+
+
+
+
+
+
+
+
+
+
diff --git a/Src/PyCatcher/src/pyCatcherController.py b/Src/PyCatcher/src/pyCatcherController.py
index 3d3beac..1ab2a70 100644
--- a/Src/PyCatcher/src/pyCatcherController.py
+++ b/Src/PyCatcher/src/pyCatcherController.py
@@ -5,9 +5,9 @@ from driverConnector import DriverConnector
from pyCatcherModel import BaseStationInformation, BaseStationInformationList
from pyCatcherView import PyCatcherGUI
from filters import ARFCNFilter,ProviderFilter
-from evaluators import EvaluatorSelect, ConservativeEvaluator, WeightedEvaluator, GroupEvaluator
+from evaluators import EvaluatorSelect, ConservativeEvaluator,GroupEvaluator
from rules import ProviderRule, ARFCNMappingRule, CountryMappingRule, LACMappingRule, UniqueCellIDRule, \
- LACMedianRule, NeighbourhoodStructureRule, PureNeighbourhoodRule, FullyDiscoveredNeighbourhoodsRule, RuleResult, CellIDDatabaseRule, LocationAreaDatabaseRule, RxChangeRule, LACChangeRule
+ LACMedianRule, NeighbourhoodStructureRule, PureNeighbourhoodRule, DiscoveredNeighboursRule, RuleResult, CellIDDatabaseRule, LocationAreaDatabaseRule, RxChangeRule, LACChangeRule,PCHRule
import pickle
from localAreaDatabse import LocalAreaDatabase
from cellIDDatabase import CellIDDatabase, CellIDDBStatus, CIDDatabases
@@ -33,7 +33,6 @@ class PyCatcherController:
self._conservative_evaluator = ConservativeEvaluator()
self._group_evaluator = GroupEvaluator()
- self._weighted_evaluator = WeightedEvaluator()
self._active_evaluator = self._conservative_evaluator
self._pch_scan_running = False
@@ -58,7 +57,7 @@ class PyCatcherController:
self.neighbourhood_structure_rule.is_active = True
self.pure_neighbourhood_rule = PureNeighbourhoodRule()
self.pure_neighbourhood_rule.is_active = True
- self.full_discovered_neighbourhoods_rule = FullyDiscoveredNeighbourhoodsRule()
+ self.full_discovered_neighbourhoods_rule = DiscoveredNeighboursRule()
self.full_discovered_neighbourhoods_rule.is_active = False
self.cell_id_db_rule = CellIDDatabaseRule()
self.cell_id_db_rule.is_active = False
@@ -69,16 +68,21 @@ class PyCatcherController:
self.lac_change_rule.is_active = True
self.rx_change_rule = RxChangeRule()
self.rx_change_rule.is_active = True
+ self.pch_scan_integration = PCHRule()
+ self.pch_scan_integration.is_active = True
self._rules = [self.provider_rule, self.country_mapping_rule, self.arfcn_mapping_rule, self.lac_mapping_rule,
self.unique_cell_id_rule, self.lac_median_rule, self.neighbourhood_structure_rule,
self.pure_neighbourhood_rule, self.full_discovered_neighbourhoods_rule, self.cell_id_db_rule,
- self.location_area_database_rule, self.lac_change_rule, self.rx_change_rule]
+ self.location_area_database_rule, self.lac_change_rule, self.rx_change_rule, self.pch_scan_integration]
self.use_google = False
self.use_open_cell_id = False
self.use_local_db = (False, '')
+ self.pch_active = False
+ self.sweep_active = False
+
self._location = ''
gtk.main()
@@ -87,11 +91,18 @@ class PyCatcherController:
self._gui.log_line(message)
def start_scan(self):
+ if self.pch_active:
+ self._gui.log_line('Cannot sweep while PCH is active')
+ return
self._gui.log_line("start scan")
+ self.sweep_active = True
self._driver_connector.start_scanning(self._found_base_station_callback)
def stop_scan(self):
+ if not self.sweep_active:
+ return
self._gui.log_line("stop scan")
+ self.sweep_active = False
self._driver_connector.stop_scanning()
def start_firmware(self):
@@ -126,11 +137,14 @@ class PyCatcherController:
self._active_evaluator = self._conservative_evaluator
elif evaluator == EvaluatorSelect.GROUP:
self._active_evaluator = self._group_evaluator
- elif evaluator == EvaluatorSelect.WEIGHTED:
- self._active_evaluator = self._weighted_evaluator
self.trigger_evaluation()
def user_pch_scan(self, provider):
+ if self.sweep_active:
+ self._gui.log_line('Cannot PCH scan during active sweep scan.')
+ return
+ else:
+ self.pch_active = True
if not provider:
self._gui.set_user_image()
return
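Review bot: `self.pch_active = True` is set before the `if not provider:` early return, so calling `user_pch_scan` without a provider leaves the flag set. Every later `start_scan` is then refused with 'Cannot sweep while PCH is active' until some PCH callback clears it. Move the assignment below the provider check, or add `self.pch_active = False` before that `return`. The rest of `user_pch_scan` is outside the hunk, so other exit paths that skip the reset cannot be ruled out.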
@@ -156,6 +170,11 @@ class PyCatcherController:
def normal_pch_scan(self, arfcns, timeout):
+ if self.sweep_active:
+ self._gui.log_line('Cannot PCH scan during active sweep scan.')
+ return
+ else:
+ self.pch_active = True
self._accumulated_pch_results = []
self._user_mode_flag = False
self._scan_pch(arfcns, timeout)
@@ -176,8 +195,27 @@ class PyCatcherController:
self._pch_scan_running = True
self._driver_connector.start_pch_scan(arfcn, self._pch_timeout, self._pch_done_callback)
- def _pch_done_callback(self, results):
+ def _pch_done_callback(self, results, pch_failed):
arfcn, values = results
+
+ if pch_failed:
+ self._gui.log_line('PCH scan failed (%d)'%arfcn)
+ if not self._user_mode_flag :
+ if self._remaining_pch_arfcns:
+ self._do_next_pch_scan()
+ else:
+ self._gui.set_pch_results(self._accumulated_pch_results)
+ else:
+ self._gui.set_user_image(RuleResult.IGNORE)
+ self.pch_active = False
+ return
+
+ for station in self._base_station_list._get_unfiltered_list():
+ if station.arfcn == arfcn and self.pch_scan_integration.is_active:
+ station.imm_ass_non_hop = values['Assignments_non_hopping']
+ station.imm_ass_hop = values['Assignments_hopping']
+ station. pagings = values['Pagings']
+ station.pch_scan_done = True
self._accumulated_pch_results.append(results)
self._gui.log_line('Finished PCH scan on ARFCN %d'%arfcn)
self._pch_scan_running = False
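Review bot: The new `if pch_failed:` branch returns without `self._pch_scan_running = False`, which the success path sets right after appending the results, so a failed scan may leave that flag stuck at `True`. Indentation is lost in this view, but `self.pch_active = False` in the same branch also appears to run when `_do_next_pch_scan()` has just started the next ARFCN, which would let a sweep start while a PCH scan is in flight. Clear `pch_active` only on the paths that do not schedule another scan. `station. pagings` has a stray space after the dot, and the loop-invariant `self.pch_scan_integration.is_active` test can be hoisted out of the `for`.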
@@ -197,6 +235,7 @@ class PyCatcherController:
else:
self._gui.log_line('Paging/Assignment threshold not met')
self._gui.set_user_image(RuleResult.CRITICAL)
+ self.pch_active = False
def _return_normalised_pagings(self, pagings):
return (float(pagings) / float(USR_timeout))*10
@@ -251,6 +290,7 @@ class PyCatcherController:
self._location = new_location
self._local_area_database.load_or_create_database(self._location)
self._gui.log_line('Location changed to %s'%self._location)
+ self._local_area_database.refresh_object_cache()
def save_project(self, path):
filehandler = open(path, 'w')
@@ -261,6 +301,13 @@ class PyCatcherController:
def load_project(self, path):
filehandler = open(path, 'r')
base_station_list = pickle.load(filehandler)
+ #bit of a hack to be able to use old scans
+ for station in base_station_list._get_unfiltered_list():
+ if not hasattr(station, 'pagings'):
+ station.imm_ass_hop = 0
+ station.imm_ass_non_hop = 0
+ station.pagings = 0
+ station.pch_scan_done = False
self._base_station_list = base_station_list
self.trigger_evaluation()
filehandler.close()
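Review bot: The compatibility check `if not hasattr(station, 'pagings'):` tests an attribute that the previous model already had: the `pyCatcherModel.py` hunk shows `self.pagings = 0` as unchanged context next to the removed `self.imm_ass = 0`. Projects saved with that version therefore skip the block and come back without `imm_ass_hop`, `imm_ass_non_hop` and `pch_scan_done`, and `PCHRule.check` and `create_report` will raise AttributeError on them. Test the new attribute instead, `if not hasattr(station, 'pch_scan_done'):`, or set each missing attribute individually. Separately, `pickle.load` on a user-chosen project file executes whatever the pickle contains, so project files from other people should be treated as untrusted code; a plain data format would remove that risk.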
@@ -297,9 +344,9 @@ class PyCatcherController:
return
path = Database_path + self._location + '.csv'
file = open(path,'w')
- file.write('Country, Provider, ARFCN, rxlev, BSIC, LAC, Cell ID, Evaluation, Latitude, Longitude, Encryption, DB Status, DB Provider, Neighbours\n')
+ file.write('Country, Provider, ARFCN, rxlev, BSIC, LAC, Cell ID, Evaluation, Latitude, Longitude, DB Status, DB Provider, Neighbours\n')
for item in self._base_station_list._get_unfiltered_list():
- file.write('%s, %s, %d, %d, %s, %d, %d, %s, %d, %d, %s, %s, %s, %s\n'%
+ file.write('%s, %s, %d, %d, %s, %d, %d, %s, %d, %d, %s, %s, %s\n'%
(item.country,
item.provider,
item.arfcn,
@@ -310,7 +357,6 @@ class PyCatcherController:
item.evaluation,
item.latitude,
item.longitude,
- item.encryption,
item.db_status,
item.db_provider,
' '.join(map(str,item.neighbours))))
diff --git a/Src/PyCatcher/src/pyCatcherModel.py b/Src/PyCatcher/src/pyCatcherModel.py
index 0370da5..b1cfb31 100644
--- a/Src/PyCatcher/src/pyCatcherModel.py
+++ b/Src/PyCatcher/src/pyCatcherModel.py
@@ -33,14 +33,22 @@ class BaseStationInformation:
self.longitude = 0
self.db_status = CellIDDBStatus.NOT_LOOKED_UP
self.db_provider = CIDDatabases.NONE
- self.imm_ass = 0
+
+ self.imm_ass_hop = 0
+ self.imm_ass_non_hop = 0
self.pagings = 0
+ self.pch_scan_done = False
def get_list_model(self):
return self.provider, str(self.arfcn), str(self.rxlev), str(self.cell),self.evaluation, self.discovery_time,self.times_scanned
def create_report(self):
+
+ pch_scan_string = 'No'
+ if self.pch_scan_done:
+ pch_scan_string = 'Yes'
+
report_params = '''------- Base Station Parameters -----------
Country: %s
Provider: %s
@@ -50,12 +58,16 @@ BSIC: %s
LAC: %s
Cell ID: %s
Neighbours: %s
+PCH Scan done: %s
+IAs (hopping): %d
+IAs (non hopping): %d
+Pagings (hopping/10s): %d
Latitude: %s
Longitude: %s
Database Status: %s
Database Provider: %s
Evaluation: %s\n
-'''%(self.country,self.provider, self.arfcn, self.rxlev, self.bsic, self.lac, self.cell, ', '.join(map(str,self.neighbours)),self.latitude,self.longitude,self.db_status, self.db_provider,self.evaluation)
+'''%(self.country,self.provider, self.arfcn, self.rxlev, self.bsic, self.lac, self.cell, ', '.join(map(str,self.neighbours)),pch_scan_string,self.imm_ass_hop,self.imm_ass_non_hop,self.pagings,self.latitude,self.longitude,self.db_status, self.db_provider,self.evaluation)
report_rules ='------- Rule Results -----------\n'
for key in self.rules_report.keys():
diff --git a/Src/PyCatcher/src/pyCatcherView.py b/Src/PyCatcher/src/pyCatcherView.py
index 07c7d10..9d8cfef 100644
--- a/Src/PyCatcher/src/pyCatcherView.py
+++ b/Src/PyCatcher/src/pyCatcherView.py
@@ -137,8 +137,6 @@ class PyCatcherGUI:
def _update_evaluators(self):
if self._builder.get_object('rb_conservative_evaluator').get_active():
self._catcher_controller.set_evaluator(EvaluatorSelect.CONSERVATIVE)
- elif self._builder.get_object('rb_weighted_evaluator').get_active():
- self._catcher_controller.set_evaluator(EvaluatorSelect.WEIGHTED)
elif self._builder.get_object('rb_grouped_evaluator').get_active():
self._catcher_controller.set_evaluator(EvaluatorSelect.GROUP)
@@ -172,13 +170,16 @@ class PyCatcherGUI:
print 'NODE CLICKED'
def _on_user_close_clicked(self, widget):
+ self._catcher_controller.trigger_evaluation()
self._user_window.hide()
def _on_pch_close_clicked(self, widget):
+ self._catcher_controller.pch_scan_integration.is_active = self._builder.get_object('cb_integrate_pch').get_active()
self._catcher_controller.trigger_evaluation()
self._pch_window.hide()
def _on_pch_scan_clicked(self, widget):
+ self._catcher_controller.pch_scan_integration.is_active = self._builder.get_object('cb_integrate_pch').get_active()
arfcns = map(int, self._builder.get_object('te_pch_arfcns').get_text().strip().split(','))
timeout = int(self._builder.get_object('te_pch_timeout').get_text())
self._catcher_controller.normal_pch_scan(arfcns, timeout)
diff --git a/Src/PyCatcher/src/rules.py b/Src/PyCatcher/src/rules.py
index 29676cf..447c7b5 100644
--- a/Src/PyCatcher/src/rules.py
+++ b/Src/PyCatcher/src/rules.py
@@ -1,5 +1,5 @@
from settings import Provider_list, Provider_Country_list, LAC_mapping, ARFCN_mapping, LAC_threshold, DB_RX_threshold, \
- CH_RX_threshold
+ CH_RX_threshold, Pagings_per_10s_threshold, Assignment_limit, Neighbours_threshold
from cellIDDatabase import CellIDDBStatus
import math
@@ -133,6 +133,7 @@ class NeighbourhoodStructureRule (Rule):
identifier = 'Neighbourhood Structure'
def check(self, arfcn, base_station_list):
+ own_provider = self._extract_provider(arfcn, base_station_list)
own_neighbours = self._extract_neighbours(arfcn, base_station_list)
if not len(own_neighbours):
return RuleResult.CRITICAL
@@ -149,13 +150,24 @@ class NeighbourhoodStructureRule (Rule):
if foreign_neighbour_arfcn in own_neighbours:
at_least_one_indirect_neighbour = True
- if at_least_one_neighbour_found:
+ incoming_edges = False
+ all_neighbours = []
+ for station in base_station_list:
+ if station.provider == own_provider:
+ for neighbour in station.neighbours:
+ all_neighbours.append(neighbour)
+ for neighbour_arfcn in all_neighbours:
+ if neighbour_arfcn == arfcn:
+ incoming_edges = True
+ break
+
+ if at_least_one_neighbour_found and incoming_edges:
return RuleResult.OK
- elif at_least_one_indirect_neighbour:
+
+ if at_least_one_neighbour_found or at_least_one_indirect_neighbour:
return RuleResult.WARNING
- else:
- return RuleResult.CRITICAL
+ return RuleResult.CRITICAL
class PureNeighbourhoodRule (Rule):
identifier = 'Pure Neighbourhoods'
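Review bot: The incoming-edge check builds `all_neighbours` as a flat list and then scans it a second time; this can be a single expression, `incoming_edges = any(arfcn in station.neighbours for station in base_station_list if station.provider == own_provider)`. A one-line comment would help, since the rule now returns OK only when some other cell of the same provider lists this ARFCN as a neighbour, and a one-way relation is downgraded to WARNING. `_extract_provider` is called in the previous hunk but its definition is not visible in this diff, so confirm it exists on the `Rule` base class.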
@@ -176,8 +188,8 @@ class PureNeighbourhoodRule (Rule):
return RuleResult.CRITICAL
-class FullyDiscoveredNeighbourhoodsRule (Rule):
- identifier = 'Fully Discovered Neighbourhoods'
+class DiscoveredNeighboursRule (Rule):
+ identifier = 'Discovered Neighbours'
def check(self, arfcn, base_station_list):
@@ -187,13 +199,22 @@ class FullyDiscoveredNeighbourhoodsRule (Rule):
if item.arfcn in neighbours:
found += 1
- if len(neighbours) != found:
- return RuleResult.CRITICAL
+ if Neighbours_threshold < 0:
+ return RuleResult.IGNORE
+
+ if 0 <= Neighbours_threshold <=1:
+ if (float(found) / float(neighbours)) >= Neighbours_threshold:
+ return RuleResult.OK
+ else:
+ return RuleResult.CRITICAL
else:
- return RuleResult.OK
+ if found >= int(Neighbours_threshold):
+ return RuleResult.OK
+ else:
+ return RuleResult.CRITICAL
class LocationAreaDatabaseRule(Rule):
- identifier = 'Location Area Database'
+ identifier = 'Local Area Database'
def __init__(self):
self.location_database_object = None
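Review bot: `float(found) / float(neighbours)` passes the neighbour collection itself to `float()`. The surrounding lines use it as a container (`item.arfcn in neighbours`, the removed `len(neighbours)`), so this branch raises TypeError as soon as `Neighbours_threshold` is set between 0 and 1. It stays hidden only because the default in `settings.py` is 4. Use the length and guard the empty case: `if neighbours and float(found) / len(neighbours) >= Neighbours_threshold:`. A threshold of exactly 1 is read as "100 % of neighbours", not "one neighbour"; that dual meaning, and the negative value that yields IGNORE, should be documented where the setting is defined.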
@@ -205,10 +226,11 @@ class LocationAreaDatabaseRule(Rule):
result = self.location_database_object.get_station(item.cell)
if not result:
return RuleResult.CRITICAL
- rxmin = result[6]
- rxmax = result[7]
+ rxmin = result.rxmin
+ rxmax = result.rxmax
rxmin_thresh = rxmin - math.fabs(rxmin * DB_RX_threshold)
rxmax_thresh = rxmax + math.fabs(rxmax * DB_RX_threshold)
+
if rxmin_thresh <= float(item.rxlev) <= rxmax_thresh:
return RuleResult.OK
else:
@@ -289,3 +311,25 @@ class RxChangeRule (Rule):
else:
self._old_rx[arfcn] = item.rxlev, item.times_scanned, RuleResult.IGNORE
return RuleResult.IGNORE
+
+class PCHRule (Rule):
+ identifier = 'PCH Scan'
+
+ def check(self, arfcn, base_station_list):
+ for item in base_station_list:
+ if arfcn == item.arfcn:
+ if not item.pch_scan_done:
+ return RuleResult.IGNORE
+ else:
+ if item.imm_ass_non_hop > 0:
+ return RuleResult.CRITICAL
+ if item.pagings >= Pagings_per_10s_threshold and item.imm_ass_hop >= Assignment_limit:
+ return RuleResult.OK
+ else:
+ return RuleResult.CRITICAL
+
+
+
+
+
+
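Review bot: `PCHRule.check` falls off the end and returns `None` when no station in `base_station_list` matches `arfcn`, and `None` is not one of the `RuleResult` values the evaluators count. Add an explicit `return RuleResult.IGNORE` after the loop. With `Assignment_limit = 0` in `settings.py`, the test `item.imm_ass_hop >= Assignment_limit` is always true for a non-negative count, so only the paging threshold decides between OK and CRITICAL; say so in a comment if it is intended. The six trailing blank lines added at the end of the file can be dropped.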
diff --git a/Src/PyCatcher/src/settings.py b/Src/PyCatcher/src/settings.py
index e263d72..f5cf511 100644
--- a/Src/PyCatcher/src/settings.py
+++ b/Src/PyCatcher/src/settings.py
@@ -49,7 +49,7 @@ ARFCN_mapping = {
LAC_threshold = 0.05
-DB_RX_threshold = 0.05
+DB_RX_threshold = 0.1
CH_RX_threshold = 0.07
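Review bot: `DB_RX_threshold` is doubled from 0.05 to 0.1 without a comment, and the value directly widens the band in which `LocationAreaDatabaseRule` accepts a cell's `rxlev` as matching the stored `rxmin`/`rxmax`. A looser band means fewer signal-strength anomalies are flagged, so the reason for the change belongs next to the constant. A comment such as `# relative tolerance around the stored rxmin/rxmax; raised to 0.1 because <reason>` would record it.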
@@ -57,11 +57,17 @@ Pagings_per_10s_threshold = 20
Assignment_limit = 0
-#Evaluator Configuration ---------------------------------------------------------------------------------------
+Neighbours_threshold = 4
-Rule_Groups = []
+#Evaluator Configuration ---------------------------------------------------------------------------------------
-Rule_Weights = {}
+Rule_Groups = [
+ ['Provider Check', 'Country Provider Mapping', 'ARFCN Mapping', 'LAC Mapping', 'Unique CellID'],
+ ['LAC Median Deviation', 'Neighbourhood Structure', 'Pure Neighbourhoods', 'Fully Discovered Neighbourhoods'],
+ ['Local Area Database','CellID Database'],
+ ['LAC Change Rule','rx Change Rule'],
+ ['PCH Scan']
+]
#PCH Parameters ------------------------------------------------------------------------------------------------
diff --git a/Tex/Content/Abstract.log b/Tex/Content/Abstract.log
new file mode 100644
index 0000000..43b1d7d
--- /dev/null
+++ b/Tex/Content/Abstract.log
@@ -0,0 +1,82 @@
+This is pdfTeX, Version 3.1415926-1.40.10 (TeX Live 2009/Debian) (format=pdflatex 2012.1.7) 7 JUN 2012 21:04
+entering extended mode
+ %&-line parsing enabled.
+**Abstract.tex
+(./Abstract.tex
+LaTeX2e <2009/09/24>
+Babel <v3.8l> and hyphenation patterns for english, usenglishmax, dumylang, noh
+yphenation, farsi, arabic, croatian, bulgarian, ukrainian, russian, czech, slov
+ak, danish, dutch, finnish, french, basque, ngerman, german, german-x-2009-06-1
+9, ngerman-x-2009-06-19, ibycus, monogreek, greek, ancientgreek, hungarian, san
+skrit, italian, latin, latvian, lithuanian, mongolian2a, mongolian, bokmal, nyn
+orsk, romanian, irish, coptic, serbian, turkish, welsh, esperanto, uppersorbian
+, estonian, indonesian, interlingua, icelandic, kurmanji, slovenian, polish, po
+rtuguese, spanish, galician, catalan, swedish, ukenglish, pinyin, loaded.
+
+! LaTeX Error: Missing \begin{document}.
+
+See the LaTeX manual or LaTeX Companion for explanation.
+Type H <return> for immediate help.
+ ...
+
+l.1 \begin{center}
+
+You're in trouble here. Try typing <return> to proceed.
+If that doesn't work, type X <return> to quit.
+
+
+Overfull \hbox (20.0pt too wide) in paragraph at lines 1--1
+[]
+ []
+
+
+Overfull \hbox (47.19556pt too wide) in paragraph at lines 2--2
+ \OT1/cmr/bx/n/10 Abstract:
+ []
+
+Missing character: There is no a in font nullfont!
+
+! LaTeX Error: There's no line here to end.
+
+See the LaTeX manual or LaTeX Companion for explanation.
+Type H <return> for immediate help.
+ ...
+
+l.2 \textbf{Abstract:}\\\phantom{a}\\
+
+Your command was ignored.
+Type I <command> <return> to replace it with another command,
+or <return> to continue without it.
+
+Missing character: There is no s in font nullfont!
+Missing character: There is no j in font nullfont!
+Missing character: There is no d in font nullfont!
+Missing character: There is no h in font nullfont!
+Missing character: There is no a in font nullfont!
+Missing character: There is no l in font nullfont!
+Missing character: There is no k in font nullfont!
+Missing character: There is no j in font nullfont!
+Missing character: There is no h in font nullfont!
+Missing character: There is no s in font nullfont!
+Missing character: There is no d in font nullfont!
+
+Overfull \hbox (94.26747pt too wide) in paragraph at lines 7--8
+ \OT1/cmr/bx/n/10 Zusammenfassung:
+ []
+
+)
+! Emergency stop.
+<*> Abstract.tex
+
+*** (job aborted, no legal \end found)
+
+
+Here is how much of TeX's memory you used:
+ 8 strings out of 493848
+ 162 string characters out of 1152824
+ 47808 words of memory out of 3000000
+ 3383 multiletter control sequences out of 15000+50000
+ 3948 words of font info for 15 fonts, out of 3000000 for 9000
+ 714 hyphenation exceptions out of 8191
+ 13i,1n,10p,65b,110s stack positions out of 5000i,500n,10000p,200000b,50000s
+! ==> Fatal error occurred, no output PDF file produced!
diff --git a/Tex/Content/Abstract.tex b/Tex/Content/Abstract.tex
index 177f391..c5e548c 100644
--- a/Tex/Content/Abstract.tex
+++ b/Tex/Content/Abstract.tex
@@ -1,4 +1,35 @@
\begin{center}
- \textbf{Abstract:}
+\textbf{Abstract:}\\
+\vspace{.1cm}
\end{center}
+For several years now security flaws in the GSM protocol have been known and exploited.
+A device called IMSI catcher, first developed in 1996, uses some of these flaws to enable the operator to localise a mobile subscriber and tap into phone calls.
+Since only authorities were able to obtain these devices the risk for abuse was deemed minor at first.
+However due to the progress in freely available GSM related software and hardware, like OpenBTS and the Universal Software Radio Peripheral, it is now possible for anyone to build an inexpensive version of an IMSI catcher.
+Although operation is prohibited by law, the possibility of affordable self-construction increases the risk of abuse in the private sector and in relation with industrial espionage.
+Additionally operation is near impossible to discover in retrospect.
+
+The goal of this project is to find means and methods of uncovering IMSI catchers that are active in the close perimeter.
+To that end the behaviour of such devices and the differences compared to legitimate base stations will be presented and analysed.
+These findings will then be used to implement the IMSI Catcher Detection System, a toolkit with a user friendly graphical interface to gather, analyse and visualise information.
+Evaluations against an IMSI catcher shows the effectiveness of the methods used by uncovering several realistic attacks.
+The system itself builds upon an open source framework and harvests information about potential IMSI catchers while being invisible itself.
+\vspace{.5cm}
+
+\begin{center}
+\textbf{Zusammenfassung:}\\
+\vspace{.1cm}
+\end{center}
+Seit einigen Jahren werden bekannte Sicherheitsl\"ucken im GSM Protokoll ausgenutzt um Angriffe durchzuf\"uhren.
+Der IMSI-Catcher, ein 1996 entwickeltes Ger\"at, benutzt einige dieser L\"ucken um MobilfunkteilnehmerInnen zu lokalisieren und ihre Anrufe abzuh\"oren.
+Da solche Instrumente nur f\"ur Beh\"orden zug\"anglich waren wurde das Missbrauchsrisiko als gering eingesch\"atzt.
+Weiterentwicklungen im Bereich frei erh\"altlicher Soft- und Hardware im GSM Bereich, wie etwa OpenBTS oder das Universal Software Radio Peripheral, haben es m\"oglich gemacht einen solchen IMSI-Catcher mit vertretbaren Kosten selbst zu bauen.
+Obwohl der Gebrauch solcher Ger\"ate gesetzlich verboten ist, erhöht die Möglichkeit des kostengünstigen Eigenbaus eines IMSI-Catchers das Missbrauchsrisiko im Privatbereich oder im Bereich der Industriespionage enorm.
+Erschwerend kommt die Tatsache hinzu, dass der Einsatz kaum nachvollziehbar ist.
+
+Ziel dieses Projektes ist es Vorgehensweisen zu finden, die den Betrieb eines IMSI-Catchers in der Umgebung aufdecken.
+Um dies zu erreichen wird das Verhalten eines IMSI-Catchers analysiert und mit dem Verhalten einer legal betriebenen Basisstation verglichen.
+Mit Hilfe dieser Ergebnisse wird dann das IMSI-Catcher Detection System entwickelt, ein Programm mit einer benutzerfreundlichen Oberfl\"ache, das dazu dient Informationen zu sammeln, auszuwerten und anzuzeigen.
+Auswertungen von Versuchen zum Auffinden echter IMSI-Catcher in verschiedenen realen Angriffsszenarien zeigen die Effektivität der eingesetzten Methoden.
+Das System selbst baut auf einem open source Framework auf, dass es erm\"oglicht Informationen von IMSI-Catchern zu empfangen und dabei selbst unentdeckt zu bleiben.
diff --git a/Tex/Content/Acknowledgements.tex b/Tex/Content/Acknowledgements.tex
index 2b3899b..5e8e5e5 100644
--- a/Tex/Content/Acknowledgements.tex
+++ b/Tex/Content/Acknowledgements.tex
@@ -1,3 +1,18 @@
\begin{center}
- \textbf{Acknowledgements:}
-\end{center} \ No newline at end of file
+\textbf{Acknowledgements:}
+\end{center}
+This thesis would not have been possible without the guidance and the help of several individuals who in one way or another contributed and extended their valuable assistance in the preparation and completion of this project.
+
+First and foremost I want to thank my supervisor Dennis Wehrle for sacrificing a considerable amount of time reading and annotating my drafts. His constructive comments were of the utmost help in improving the quality of this document.
+He also gave me valuable hints and new ideas while discussing the methods used in this project.
+I also want to thank Konrad Meier for helping me out whenever I was stuck, especially with the programming part in the OsmocomBB framework.
+
+My gratitude also goes to the Chair of Communication Systems and Prof. Schneider for providing this interesting topic and all the expensive, shiny toys and infrastructure I needed to complete this research.
+
+I also wish to thank my mother, her husband and the rest of my family for constantly supporting me throughout the course of my studies.
+
+Last but not least I want to express my gratitude to my invaluable friends that I got to know during the last seven years.
+Thank you for always being there when I needed you and for the great projects that we finished together.
+
+
+
diff --git a/Tex/Content/Appendix.tex b/Tex/Content/Appendix.tex
index 5faf8de..e026b84 100644
--- a/Tex/Content/Appendix.tex
+++ b/Tex/Content/Appendix.tex
@@ -94,9 +94,10 @@ git clone git://git.osmocom.org/osmocom-bb.git
make BOARDS=compal_e88
\end{verbatim}
\item If a new version of OsmocomBB is used, the extra code from this project must be included in the build.
- The three files \texttt{catcher.c}, \texttt{app\_catcher.c} and \texttt{pch\_scan.c}must be moved to \texttt{osmocom-bb/src/host/layer23/src/misc} and the \texttt{Makefile.am} must be edited to include the new code.
+ The three files \texttt{catcher.c}, \texttt{app\_catcher.c} and \texttt{pch\_scan.c} must be moved to \path{osmocom-bb/src/host/layer23/src/misc} and the \texttt{Makefile.am} must be edited to include the new code.
\begin{verbatim}
-bin_PROGRAMS = bcch_scan ... cbch_sniff catcher pch_scan
+bin_PROGRAMS = bcch_scan ... cbch_sniff catcher \
+ pch_scan
catcher_LDADD = $(LDADD) -lm
catcher_SOURCES = ../common/main.c app_catcher.c \
catcher.c ../../../gsmmap/geo.c
@@ -110,8 +111,9 @@ To use a program written in the framework, the Motorola C123 needs to be flashed
This can be done with the \texttt{osmocon} application.
\begin{verbatim}
cd src/host/osmocon
+
sudo ./osmocon -p /dev/ttyUSB0 -m c123xor
- ../../target/firmware/board/compal_e88/layer1.compalram.bin
+../../target/firmware/board/compal_e88/layer1.compalram.bin
\end{verbatim}
After \texttt{osmocon} is started and running any application can be started with root privileges.
\begin{verbatim}
@@ -306,10 +308,30 @@ USR_timeout = 15
#Evaluator Configuration -------------------------------
-Rule_Groups = []
-
-Rule_Weights = {}
+#This configuration separates the different groups of
+#rules from one another.
+
+Rule_Groups = [
+ ['Provider Check', 'Country Provider Mapping',
+ 'ARFCN Mapping', 'LAC Mapping', 'Unique CellID'],
+
+ ['LAC Median Deviation', 'Neighbourhood Structure',
+ 'Pure Neighbourhoods', 'Fully Discovered
+ Neighbourhoods'],
+
+ ['Local Area Database','CellID Database'],
+
+ ['LAC Change Rule','rx Change Rule'],
+
+ ['PCH Scan']
+]
+#-------------Continues on next page---------------------
+\end{lstlisting}
+\end{minipage}\\\\
+\hspace*{\dimexpr\fboxsep+\fboxrule}%
+\begin{minipage}{\dimexpr\textwidth-4\fboxsep-2\fboxrule}
+\begin{lstlisting}
#Database Configuration --------------------------------
#The API key for OpenCellID.
@@ -317,8 +339,8 @@ Rule_Weights = {}
Open_Cell_ID_Key = 'd7a5bc3f21b44d4bf93d1ec2b3f83dc4'
#Path to the folder where databases should be saved to or
-#loaded from. The ICDS will look in this folder if databa-
-#ses are available.
+#loaded from. The ICDS will look in this folder if data-
+#bases are available.
Database_path = '''/home/tom/imsi-catcher-detection/Src
/PyCatcher/Databases/'''
\end{lstlisting}
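Review bot: The settings listing in this hunk still prints a literal value for `Open_Cell_ID_Key`, so the OpenCellID API key ends up in the thesis source, the built PDF and the repository history; the hunk itself only re-hyphenates the comment above `Database_path`. I would print a placeholder instead, `Open_Cell_ID_Key = '<your OpenCellID API key>'`, and, if the printed value is a working key, have it regenerated, since editing the file does not remove it from earlier commits. The same listing exposes an absolute home-directory path with a user name; `Database_path = '''<path to checkout>/Src/PyCatcher/Databases/'''` documents the setting equally well. The `lstlisting` environment opens outside this hunk, so the rest of the printed configuration should be checked for further real values.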
@@ -326,7 +348,7 @@ Database_path = '''/home/tom/imsi-catcher-detection/Src
\chapter{System Information}
\label{sec:system_infos}
-The following pages contain parsed System Information Messages of type 1--4 for reference.
+The following pages contain parsed System Information Messages of type 1--4 for reference \cite{protocols1999}.
\begin{figure}
\centering
\includegraphics[width=.9\textwidth]{../Images/sysinfo1}
@@ -350,25 +372,50 @@ The following pages contain parsed System Information Messages of type 1--4 for
\chapter{Evaluation Data}
\section{Rx and LAC Change Test}
\label{sec:lac_change_test}
-The following table contains the four configuration that have been used to replace real base stations with the IMSI catcher.
+The following table contains the two configurations that have been used to test the LAC Change and rx Change Rules.
+Config 6 is identical to the configuration used on the base station and thus only triggers the rx Change Rule.
+Config 5 has a different LAC than the original base station and thus was used to test the former one.
+Additionally the rx Change Rule is also triggered for this configuration.
\begin{table}[h!]
\centering
-\begin{tabular}{lllll}
+\begin{tabular}{lll}
\toprule
- &T-Mobile &O2 &E-Plus &Vodafone\\
+ &Config 5 &Config 6\\
\midrule
-ARFCN &877 &877 &877 &877 \\
-ShortName &T-Mobile &Vodafone &E-Plus &O2 \\
-MCC &262 &262 &262 &262 \\
-MNC &01 &02 &03 &07 \\
-LAC &666 &4711 &666 &4711 \\
-Cell ID &1 &1 &1 &1 \\
-Neighbours &--- &--- &--- &--- \\
+ARFCN &877 &877\\
+ShortName &23 &23\\
+MCC &262 &262\\
+MNC &23 &23\\
+LAC &666 &4711\\
+Cell ID &1800 &1800\\
+Neighbours &806, 815, 817, &806, 815, 817, \\
+ & 818, 823, 880 &818, 823, 880 \\
\bottomrule
\end{tabular}
\caption{Configurations used for the rx\,/\,LAC Change Rules test.}
\end{table}
-\section{Long Term Test}
+
+\section{Database Rules Test}
\label{sec:long_term_test}
-The folliwing tables contain the configurations that have been used throughout the long term test period.
-The configurations have been used in the order they appear in the tables. \ No newline at end of file
+The following table contains the two configurations used to test the Database Rules.
+Config 6 is the same as before.
+It is used to check whether the Local Area Database Rule can find the difference in reception for the replaced base station.
+Config 7 features a new CID and is thus used to check if the Cell ID Database Rule is operating correctly.
+\begin{table}[h!]
+\centering
+\begin{tabular}{lll}
+\toprule
+ &Config 6 &Config 7\\
+\midrule
+ARFCN &877 &877\\
+ShortName &23 &23\\
+MCC &262 &262\\
+MNC &23 &23\\
+LAC &4711 &4711\\
+Cell ID &1800 &666\\
+Neighbours &806, 815, 817, &806, 815, 817, \\
+ & 818, 823, 880 &818, 823, 880 \\
+\bottomrule
+\end{tabular}
+\caption{Configurations used for the Database Rules test.}
+\end{table} \ No newline at end of file
diff --git a/Tex/Content/Bibliography.bib b/Tex/Content/Bibliography.bib
index 9e4df2b..0cae1ed 100644
--- a/Tex/Content/Bibliography.bib
+++ b/Tex/Content/Bibliography.bib
@@ -1,27 +1,57 @@
+@Misc{osmo_wiki_c123,
+title = {{Motorola C123}},
+author = {OsmocomBB},
+year = {[Online; Accessed 06.2012]},
+howpublished = {\emph{Project Wiki}, \url{http://bb.osmocom.org/trac/wiki/MotorolaC123}}
+}
+
+@Misc{osmo_slides,
+title = {{OsmocomBB - Running your own GSM stack on a phone}},
+author = {Harald Welte and Steve Markgraf},
+month = {July},
+year = {2010},
+howpublished = {\emph{PDF file}, \url{http://events.ccc.de/congress/2010/Fahrplan/attachments/1771_osmocombb-27c3.pdf}}
+}
+
+@Misc{def_catcher,
+title = {{IMSI-Catcher für 1500 Euro im Eigenbau}},
+author = {Uli Ries},
+month = {August},
+year = {2010},
+howpublished = {\emph{WWW document}, \url{http://heise.de/-1048919}}
+}
+
+@Misc{catcher_catcher,
+title = {{Catcher Catcher}},
+author = {OsmocomBB},
+year = {[Online; Accessed 01.2012]},
+howpublished = {\emph{Project Wiki}, \url{http://opensource.srlabs.de/projects/catcher/wiki}}
+}
+
@Book{GSM2009,
author = {J\"{o}rg Ebersp\"{a}cher and Hans-J\"{o}rg V\"{o}gel and Christian Bettstetter and Christian Hartmann},
editor = {John Wiley \& Sons},
-title = {GSM -- Architecture, Protocols and Services},
+title = {{GSM -- Architecture, Protocols and Services}},
publisher = {Wiley},
year = {2009}
}
@Book{protocols1999,
-title={GSM networks: protocols, terminology, and implementation},
+title={{GSM networks: Protocols, Terminology, and Implementation}},
author={Heine, G.},
year={1999},
publisher={Artech House}
}
@Book{kommsys2006,
-title={Grundkurs mobile Kommunikationssysteme : von UMTS, GSM und GRPS zu Wireless LAN und Bluetooth Piconetzen},
+title={{Grundkurs mobile Kommunikationssysteme : von UMTS, GSM und GRPS zu Wireless LAN und Bluetooth Piconetzen}},
author={Martin Sauter},
year={2006},
publisher={Vieweg}
}
@article{overview1994,
-title={Overview of GSM: philosophy and results},
+title={\emph{Overview of GSM: philosophy and results}},
author={Haug, T.},
journal={International Journal of Wireless Information Networks},
volume={1},
@@ -31,47 +61,53 @@ year={1994},
publisher={Springer}
}
-@article{overview1996,
-title={Overview of GSM: The global system for mobile communications},
+@Misc{overview1996,
+title={{Overview of GSM: The global system for mobile communications}},
author={Scourias, J.},
-journal={University of Waterloo},
-year={1996}
+year={1996},
+howpublished = {\emph{University of Waterloo}, \emph{PDF file}, \url{http://ccnga.uwaterloo.ca/publications/pdfs/TR-96-01.pdf}}
}
@Misc{GSM_history2011,
-title = {Brief History of GSM and the GSMA},
-year = {2011},
-note = {[Accessed: 28/11/2011]},
-key = {gsm.org},
-howpublished = {\url{http://www.gsm.org/about-us/history.htm}}
+title = {{Brief History of GSM and the GSMA}},
+author = {{GSM Association}},
+year = {[Online; Accessed 06.2012]},
+howpublished = {\emph{WWW document}, \url{http://www.gsma.com/aboutus/history/}}
}
@Misc{GSM_stats2011,
-title = {GSM/3g Stats},
-year = {2011},
-note = {[Accessed: 28/11/2011]},
-key = {gsacom.com},
-howpublished = {\url{http://www.gsacom.com/news/statistics.php4}}
+title = {{GSM/3g Stats}},
+author = {{Global mobile Suppliers Association}},
+year = {[Online; Accessed 06.2012]},
+howpublished = {\emph{WWW document}, \url{http://www.gsacom.com/news/statistics.php4}}
}
@Misc{hsdpa,
-title = {{UE} Radio Access capabilities},
-series = {Technical Specification},
-number = {25.306},
-year = {2011},
-key = {hsdpa},
-howpublished = {3GPP TS 25.306, \url{http://www.3gpp.org/ftp/Specs/html-info/25306.htm}}
+title = {{UE Radio Access capabilities}},
+author = {{3GPP Technical Specification Group Radio Access Network}},
+year = {2012},
+month = {March},
+howpublished = {\emph{TS 25.306}, \emph{DOC file}, \url{http://www.3gpp.org/ftp/Specs/html-info/25306.htm}}
}
@Misc{hsupa,
-title = {Medium Access Control (MAC) protocol specification},
+title = {{Medium Access Control (MAC) protocol specification}},
year = {2011},
-key = {hsupa},
-howpublished = {3GPP TS 25.321, \url{http://www.3gpp.org/ftp/Specs/html-info/25321.htm}}
+month = {December},
+author = {{3GPP Technical Specification Group Radio Access Network}},
+howpublished = {\emph{TS 25.321}, \emph{DOC file}, \url{http://www.3gpp.org/ftp/Specs/html-info/25321.htm}}
+}
+
+@Misc{sysinfos,
+title = {{Mobile radio interface layer 3 specification: Radio Resource Control (RRC) protocol}},
+year = {2012},
+month = {March},
+author = {{3GPP Technical Specification Group GSM/EDGE Radio Access Network}},
+howpublished = {\emph{TS 44.018}, \emph{DOC file}, \url{http://www.3gpp.org/ftp/Specs/html-info/25321.htm}}
}
@article{3gpp_Proposal2000,
-title={The 3GPP proposal for IMT-2000},
+title={{The 3GPP proposal for IMT-2000}},
author={Chaudhury, P. and Mohr, W. and Onoe, S.},
journal={Communications Magazine, IEEE},
volume={37},
@@ -81,50 +117,48 @@ year={1999},
publisher={IEEE}
}
-@article{ITU1200,
-title={Intelligent Network},
+@Misc{ITU1200,
+title={{General series Intelligent Network Recommendation structure}},
author={{Telecomunication standardization sector of ITU}},
-journal={SERIES Q: Switching and Signaling},
-volume={Q1200},
-number={7},
year={1997},
-publisher={ITU}
+month = {September},
+howpublished = {\emph{Recommendation Q1200}, \emph{DOC file}, \url{http://www.itu.int/rec/T-REC-Q.1200-199709-I/en}}
}
@Misc{GSM0207,
-title = {Digital cellular telecommunications system (Phase 2+): Mobile Stations (MS) features},
-series = {Technical Specification},
-number = {02.07},
+title = {{Digital cellular telecommunications system (Phase 2+): Mobile Stations (MS) features}},
+author = {ETSI},
+month = {March},
year = {2000},
-howpublished = {GSM 02.07, \url{http://www.3gpp.org/ftp/Specs/archive/02_series/02.07/0207-710.zip}}
+howpublished = {\emph{TS 02.07}, \emph{DOC file}, \url{http://www.3gpp.org/ftp/Specs/archive/02_series/02.07/0207-710.zip}}
}
@Misc{GSM0502,
-title = {Multiplexing and Multiple Access on the Radio Path},
-series = {Technical Specification},
-number = {05.02},
+title = {{Multiplexing and Multiple Access on the Radio Path}},
+author = {{3GPP Technical Specification Group GSM/EDGE Radio Access Network}},
+month = {June},
year = {2003},
-howpublished = {GSM 05.02, \url{http://www.3gpp.org/ftp/Specs/archive/05_series/05.02/0502-8b0.zip}}
+howpublished = {\emph{TS 05.02}, \emph{DOC file} \url{http://www.3gpp.org/ftp/Specs/archive/05_series/05.02/0502-8b0.zip}}
}
@Misc{GSM0405,
-title = {Data link (DL) Layer; General aspects},
-series = {Technical Specification},
-number = {04.05},
-year = {1999},
-howpublished = {GSM 04.05, \url{http://www.3gpp.org/ftp/Specs/archive/04_series/04.05/0405-802.zip}}
+title = {{Data link (DL) Layer: General aspects}},
+author = {{3GPP Technical Specification Group GSM/EDGE Radio Access Network}},
+year = {2002},
+month = {May},
+howpublished = {\emph{TS 04.05}, \emph{DOC file} \url{http://www.3gpp.org/ftp/Specs/archive/04_series/04.05/0405-802.zip}}
}
@Misc{GSM0406,
-title = {Mobile Station - Base Station System (MS - BSS) interface; Data Link (DL) layer specification},
-series = {Technical Specification},
-number = {04.06},
-year = {1999},
-howpublished = {GSM 04.06, \url{http://www.3gpp.org/ftp/Specs/archive/04_series/04.06/0406-840.zip}}
+title = {{Mobile Station - Base Station System (MS - BSS) interface: Data Link (DL) layer specification}},
+author = {{3GPP Technical Specification Group GSM/EDGE Radio Access Network}},
+year = {2008},
+month = {December},
+howpublished = {\emph{TS 04.06}, \emph{DOC file}, \url{http://www.3gpp.org/ftp/Specs/archive/04_series/04.06/0406-840.zip}}
}
@article{fox,
- title={Der IMSI-catcher},
+ title={{Der IMSI-catcher}},
author={Fox, D.},
journal={Datenschutz und Datensicherheit},
volume={26},
@@ -133,26 +167,36 @@ howpublished = {GSM 04.06, \url{http://www.3gpp.org/ftp/Specs/archive/04_series/
year={2002}
}
-@article{dennis,
- title={Open Source IMSI Catcher},
+@Misc{dennis,
+ title={{Open Source IMSI-Catcher}},
author={Wehrle, Dennis},
- year={2009}
+ year={2009},
+ month = {October},
+ howpublished = {\emph{Master Thesis at the Chair of Communication Systems at Freiburg University}}
+}
+
+@Misc{richy,
+ title={{Localization in GSM Mobile Radio Networks }},
+ author={Zahoransky, Richard},
+ year={2011},
+ month = {November},
+ howpublished = {\emph{Master Thesis at the Chair of Communication Systems at Freiburg University}}
}
@Misc{GSM0505,
-title = {Radio Access Network: Radio transmission and reception},
-series = {Technical Specification},
-number = {05.05},
-year = {1999},
-howpublished = {GSM 05.05, \url{http://www.3gpp.org/ftp/Specs/archive/05_series/05.05/0505-8k0.zip}}
+title = {{Radio Access Network: Radio transmission and reception}},
+author = {{3GPP Technical Specification Group GSM/EDGE Radio Access Network}},
+year = {2005},
+month = {November},
+howpublished = {\emph{TS 05.05}, \emph{DOC file}, \url{http://www.3gpp.org/ftp/Specs/archive/05_series/05.05/0505-8k0.zip}}
}
@Misc{GSM23003,
-title = {Numbering, addressing and identification},
-series = {Technical Specification},
-number = {23.003},
+title = {{Numbering, addressing and identification}},
+author = {{3GPP Technical Specification Group Core Network and Terminals}},
+month = {September},
year = {2011},
-howpublished = {GSM 23.003, \url{http://www.3gpp.org/ftp/Specs/archive/23_series/23.003/23003-a30.zip}}
+howpublished = {\emph{TS 23.003}, \emph{DOC file}, \url{http://www.3gpp.org/ftp/Specs/archive/23_series/23.003/23003-a30.zip}}
}
@article{criminal_justice,
@@ -166,97 +210,48 @@ howpublished = {GSM 23.003, \url{http://www.3gpp.org/ftp/Specs/archive/23_series
publisher={Oxford Univ Press}
}
-@article{mueller,
- title={Protection in mobile communications},
+@Inproceedings{mueller,
+ booktitle= {{Multilateral Security in Communications – Technology, Infrastructure, Economy}},
+ title={{Protection in mobile communications}},
author={Federrath, H.},
year={1999},
- publisher={Addison-Wesley}
-}
-
-@Misc{ISO7810,
-title = {Identification cards -- Physical characteristics},
-series = {ISO},
-number = {7810:2003},
-year = {2003},
-howpublished = {ISO/IEC 7810:2003, \url{http://www.iso.org/iso/iso_catalogue/catalogue_tc/catalogue_detail.htm?csnumber=31432}}
+ publisher={Addison-Wesley-Longman},
+ pages = {349--364},
+ editor = {G\"unther M\"uller and Kai Rannenberg}
}
@Misc{blacklisting,
-title = {Equipment Identity Register},
+title = {{Equipment Identity Register}},
author = {Wikipedia},
-year = {2012},
-howpublished = {\url{http://en.wikipedia.org/wiki/Central_Equipment_Identity_Register}}
+year = {[Online; Accessed 06.2012]},
+howpublished = {\emph{WWW document}, \url{http://en.wikipedia.org/wiki/Central_Equipment_Identity_Register}}
}
@Misc{osmo_rationale,
-title = {Project Rationale},
+title = {{Project Rationale}},
author = {OsmocomBB},
-year = {2012},
-howpublished = {\url{http://bb.osmocom.org/trac/wiki/ProjectRationale}}
+year = {[Online; Accessed 06.2012]},
+howpublished = {\emph{Project Wiki}, \url{http://bb.osmocom.org/trac/wiki/ProjectRationale}}
}
@Misc{imsi_wiki,
-title = {Equipment Identity Register},
+title = {{IMSI-Catcher}},
author = {Wikipedia},
-year = {2012},
-howpublished = {\url{http://de.wikipedia.org/wiki/IMSI-Catcher}}
-}
-
-@Misc{osmo_c123,
-title = {Motorola C123},
-author = {OsmocomBB},
-year = {2012},
-howpublished = {\url{http://en.wikipedia.org/wiki/Cell_ID}}
+year = {[Online; Accessed 02.2012]},
+howpublished = {\emph{WWW document}, \url{http://de.wikipedia.org/wiki/IMSI-Catcher}}
}
@Misc{wiki_cells,
-title = {Cell ID},
+title = {{Cell ID}},
author = {Wikipedia},
-year = {2012},
-howpublished = {\url{http://bb.osmocom.org/trac/wiki/MotorolaC123}}
-}
-
-@Misc{osmo_wiki_c123,
-title = {Project Rationale},
-author = {OsmocomBB},
-year = {2012},
-howpublished = {\url{http://bb.osmocom.org/trac/wiki/ProjectRationale}}
-}
-
-@Misc{osmo_slides,
-title = {OsmocomBB - Running your own GSM stack on a phone},
-author = {Harald Welte, Steve Markgraf},
-year = {2010},
-howpublished = {\url{http://events.ccc.de/congress/2010/Fahrplan/attachments/1771_osmocombb-27c3.pdf}}
-}
-
-@Misc{def_catcher,
-title = {IMSI-Catcher für 1500 Euro im Eigenbau},
-author = {Heise Security},
-year = {2010},
-howpublished = {\url{http://www.heise.de/security/meldung/IMSI-Catcher-fuer-1500-Euro-im-Eigenbau-1048919.html}}
-}
-
-@Misc{catcher_catcher,
-title = {Catcher Catcher},
-author = {OsmocomBB},
-year = {2011},
-howpublished = {\url{http://opensource.srlabs.de/projects/catcher/wiki}}
+year = {[Online; Accessed 02.2012]},
+howpublished = {\emph{WWW document}, \url{http://en.wikipedia.org/wiki/Cell_ID}}
}
@Misc{ITU212,
-title={List of Mobile Country or Geographical Area Codes},
+title={{List of Mobile Country or Geographical Area Codes}},
author={{Telecomunication standardization sector of ITU}},
-journal={Annex to ITU Operational Bulletin},
-volume={953},
-year={2010},
-publisher={ITU}
-}
-
-@Misc{GSM23078,
-title = {Customised Applications for Mobile network Enhanced Logic},
-series = {Technical Specification},
-number = {23.078},
-year = {2011},
-howpublished = {GSM 23.078, \url{http://www.3gpp.org/ftp/Specs/archive/23_series/23.078/23078-b00.zip}}
-} \ No newline at end of file
+year={2004},
+month={January},
+howpublished={\emph{Complements to Recommendation E.212}, \emph{PDF file}, \url{http://www.itu.int/itudoc/itu-t/ob-lists/icc/e212_685.html}}
+}- \ No newline at end of file
diff --git a/Tex/Content/Conclusion.tex b/Tex/Content/Conclusion.tex
index 4242cb4..8c27e18 100644
--- a/Tex/Content/Conclusion.tex
+++ b/Tex/Content/Conclusion.tex
@@ -4,7 +4,8 @@ The first section starts by reviewing what has been done while the second sectio
\section{Summary}
The aim of this project was to find ways of unveiling whether an IMSI catcher is being operated in the close perimeter or not.
-In other words to find out whether it is safe to initiate a phone call or not.
+In other words to find out if it is safe to connect to the GSM network.
+An unsafe environment could result in IMSI numbers being requested and saved by IMSI catchers or in phone calls being recorded.
The main premise that distinguishes this project from other similar projects like the also OsmocomBB based 'Catcher Catcher' is that the system is operating in a completely passive manner.
Therefore it can only work on a limited amount of information, namely on information that is broadcasted on publicly available channels.
The benefit this yields over other projects is that the IMSI Catcher Detection System itself is completely invisible to the IMSI catcher.
@@ -30,8 +31,8 @@ The results show that some IMSI catcher configurations can be uncovered by these
In addition to this data broadcasted on the \gls{bcch}, reception levels and \glspl{lac} are also monitored over time to unveil attacks in which existing base stations are replaced by IMSI catchers.
This leaves IMSI catchers that have a consistent configuration and blend well in their surroundings concerning the reception levels.
They are also broadcasting the same \gls{lac} as the replaced base station, even if this means it could take a long time until the \gls{ms} announces itself.
-To handle this case the \gls{icds} can monitor the \gls{pch} of the base station in question to gather Paging Messages and \glspl{ia}.
-Since an IMSI catcher is not part of the provider's network no paging messages will be forwarded to the connected subscribers.
+To handle this case the \gls{icds} can monitor the \gls{pch} of the base station in question to gather Paging Messages and Immediate Assignments.
+Since an IMSI catcher is not part of the provider's network no Paging Messages will be forwarded to the connected subscribers.
These findings have been confirmed with the experiments in Chapter 4 where different attack scenarios have been tested.
In cases where the \gls{icds} was not able to uncover the IMSI catcher by rule evaluation the \gls{pch} scan yielded the desired result.
It should be kept in mind that the evaluation has been done against a prototype IMSI catcher since data from a real IMSI catcher is not available.
@@ -45,7 +46,7 @@ If a \gls{bts} is replaced right after it has been scanned it can take up to sev
That is the time that is needed to do a complete sweep scan.
The \gls{icds} could be refined so that only base stations of a particular provider are monitored so the duration of sweep scans is cut down, this could also be done upon entering \emph{User Mode}.
-In case of the Open Source IMSI Catcher no Paging Messages were sent.
+In case of the Open Source IMSI-Catcher no Paging Messages were sent.
However it would be possible for a catcher that is aware of this evaluation criterion to send fake Paging Messages to arbitrary \glspl{tmsi} to deceive the \gls{icds}.
To face this the \gls{icds} could be extended.
Since Paging Messages would be unreliable in such a case one would have to use \glspl{ia}.
@@ -53,7 +54,7 @@ The experiments have shown that this might increase scanning time on the \gls{pc
An \gls{ia} sent to a subscriber contains the dedicated channel on which the conversation between the base station and the mobile phone is to continue.
At this point the \gls{icds} already uses the information about dedicated channels to see whether frequency hopping is used or not.
If an \gls{ia} is caught by the \gls{icds} one could follow on the assigned channel and catch the Cipher Mode Message.
-Since an IMSI catcher will disable encryption to tap into calls, the Cipher Mode Message would contain A5/0 as its encryption algorithm.
+Since an IMSI catcher will disable encryption to tap into calls, the Cipher Mode Message would contain A5/0 as its encryption algorithm instead of A5/1 which is used in Germany.
This feature could be used to handle cases of fake Paging Messages or \glspl{ia}, however it would take longer to conduct the \gls{pch} scan.
Another problem would be that it requires another subscriber that is connected to the IMSI catcher initiating a call.
On the other hand a regular base station using encryption can also be verified this way.
diff --git a/Tex/Content/Dedication.tex b/Tex/Content/Dedication.tex
new file mode 100644
index 0000000..5179a5f
--- /dev/null
+++ b/Tex/Content/Dedication.tex
@@ -0,0 +1,7 @@
+\phantom{a}
+\vfill
+\begin{center}
+\textit{To my late father}\\
+\textit{who taught me that the best way to learn is getting hands-on experience.}
+\end{center}
+\vfill
diff --git a/Tex/Content/Detection.tex b/Tex/Content/Detection.tex
index ca20bff..0ffa67a 100644
--- a/Tex/Content/Detection.tex
+++ b/Tex/Content/Detection.tex
@@ -90,7 +90,7 @@ In order to use the Motorola C123 in combination with the OsmocomBB framework th
This has to be done using a RS332 serial cable that is connected to the 2.5\,mm audio jack.
The audio jack of the Motorola C123 and other Calypso based mobile phones typically have a 3.3 V serial port on their audio jacks.
These cables are normally referred to as T191 unlock cables.
-A variety of stores around the internet sell the cables ready made for about \$10--\$15\footnote{FoneFunShop, \url{http://www.fonefunshop.co.uk/table_picker/773_Motorola_T191_W220_W375_OSMOCOM_etc._USB_Unlock_Cable.html} [Online; Accessed 04.2012]}.
+A variety of stores around the internet sell the cables ready made for about \$10--\$15.
One must be careful when using the PC's serial port to communicate with the phone though.
Since the phone's serial operates at 3.3\,V and is internally connected to the 2.8\,V IO-pins of the baseband processor, directly connecting it to the computer's 12\,V serial port will destroy the hardware.
Therefore it is recommended to use a USB serial cable.
@@ -174,11 +174,11 @@ An example of a fully parsed System Information Type 2 can be seen in Figure \re
The Neighbouring Cell List which is a very valuable source of information is located in inside the highlighted section of the message.
\begin{figure}
\centering
-\includegraphics[width=.9\textwidth]{../Images/sysinfo2}
+\includegraphics[width=.8\textwidth]{../Images/sysinfo2marked}
\caption{System Information 2 Message \cite{protocols1999}.}
\label{fig:si1}
\end{figure}
-Examples for all the System Information Messages used, along with an interpretation are located in Appendix \ref{sec:system_infos}.
+Examples for all the System Information Messages used, along with an interpretation are located in Appendix \ref{sec:system_infos} and information on how they are interpreted can be found in 3GPP TS 44.018 \cite{sysinfos}.
As long as scanning mode is active all the available stations are scanned repeatedly and changes in the \glspl{bts} will continuously update the data model inside the \gls{icds} software.
The parameters harvested so far are:
\begin{itemize}
@@ -188,7 +188,7 @@ The parameters harvested so far are:
\item rxlev: Receiving strength in dB.
This parameter is measured by the Motorola C123 and not part of the System Information Messages.
Even small changes in the location can have a large impact on this parameter due to shadowing and reflection.
- \item BSIC: Because of frequency reuse in a cellular network it is possible that two different base stations can sent at the same \gls{arfcn}.
+ \item BSIC: Because of frequency reuse in a cellular network it is possible that two different base stations can send at the same \gls{arfcn}.
In order for the \gls{ms} to keep these apart the \gls{bsic} is also broadcasted.
It consists of a \gls{ncc} identifying the provider, so the \gls{ms} can filter out messages that it does not need beforehand and the \gls{bcc} that must be unique for a given provider over all base station in a large area.
\item LAC: This is the last part of the \gls{lai} (that consists of \gls{mcc} + \gls{mnc} + \gls{lac}) and is a hierarchical identifier for a given base station.
@@ -207,7 +207,7 @@ As mentioned in Section \ref{sec:common_channels} the network contacts the \gls{
\begin{figure}
\centering
\includegraphics{../Images/Paging}
-\caption{Procedure taken when the network has a call/text waiting for a passive subscriber.}
+\caption{Procedure taken when the network has a call\,/\,text waiting for a passive subscriber.}
\label{fig:paging}
\end{figure}
The procedure is outlined in Figure \ref{fig:paging}.
@@ -299,8 +299,8 @@ Pure Neighbourhoods &Checks whether all found stations in the Neighbouring\\
&Cell List share the same provider.\\
Neighbourhood Structure &Checks the structure of the Neighbouring Cell List for\\
&certain patterns.\\
-Fully Discovered Nbhds. &Checks whether all the cells in the Neighbouring Cell\\
- &List have actually been found.\\
+Discovered Neighbours. &Checks whether a certain amount of the cells in the\\
+ &Neighbouring Cell List have actually been found.\\
Cell ID Uniqueness &Checks whether there are other cells with the same\\
&Cell ID.\\
\bottomrule
@@ -318,7 +318,7 @@ However in none of the scans more than two different \glspl{la} have been found
For the Freiburg area a 1\% threshold for the deviation yielded good results.
\paragraph{Neighbourhood Structure}
-The neighbourhood structure is the graph that is described by the Neighbouring Cell List located in the System Inforamtion 2\,/\,2bis\,/\,2ter constructs.
+The Neighbourhood Structure is the graph that is described by the Neighbouring Cell List located in the System Inforamtion 2\,/\,2bis\,/\,2ter constructs.
Figure \ref{fig:neighbourhood_example} shows an extract of the neighbourhood graphs at the Faculty of Engineering of the University of Freiburg\footnote{Georges Koehler Allee, Freiburg}.
The E-Plus subgraph has been enlarged.
\begin{figure}
@@ -329,7 +329,7 @@ The E-Plus subgraph has been enlarged.
\end{figure}
It can be seen that for each provider, the neighbourhood forms an isolated, nearly fully connected subgraph.
Nodes with a green background have an \emph{Ok} rating, while the red node has a \emph{Critical} rating.
-The bordering white nodes have not yet been discovered and evaluated therefore they have no outgoing edges.
+The bordering white nodes have not yet been discovered and evaluated therefore they have no outgoing edges, they were merely found by extracting the neighbourhood lists.
This could be the case because they are too far away for the Motorola to receive or because of signal damping due to shadowing and reflection effects.
In the \gls{icds} the aspect of isolated subgraphs for neighbourhoods is captured inside the \emph{Pure Neighbourhoods Rule}.
@@ -337,11 +337,12 @@ An interesting fact is that one node inside the E-Plus subgraph on the upper rig
This is because it is a \gls{bts} of the university's own \gls{gsm} network.
It was set up to be in a E-Plus neighbourhood but is not consistent with the E-Plus nodes surrounding it.
Therefore it is marked by the \gls{icds}.
-%TODO: cite richy
-The node was set up inside the E-Plus neighbourhood for another Master project\footnote{Cite Richy} at the Chair of Communication Systems where the goal was to estimate the most probably position of a subscriber given his\,/\,her reception strengths.
+
+The node was set up inside the E-Plus neighbourhood for another Master Thesis \cite{richy} at the Chair of Communication Systems where the goal was to estimate the most probably position of a subscriber given his\,/\,her reception levels.
Some of the attacks discussed in Section \ref{sec:attacks} imply a certain structure of the neighbourhood graph.
Since the IMSI catcher tries to lock in \glspl{ms} that have connected from switching back to a normal cell, the neighbourhood list of such a catcher cell would either be empty or would only host neighbour cells that have a lower reception strength than itself.
+
An empty Neighbouring Cell List is represented in the graph by a node that has been discovered and has no outgoing edges.
A Neighbouring Cell list containing only imaginary nodes serves the same purpose.
\begin{figure}
@@ -393,6 +394,27 @@ This means that this cell is not known by any other node of the same provider.
Nevertheless it has some outgoing edges to nodes with significantly less transmission strength to not stick out too much as a completely isolated node.
Combinations of these two approaches are also possible.
These thoughts are basically what is captured inside the \emph{Neighbourhood Structure Rule}.
+The procedure the Neighbourhood Structure Rule follows is:
+\begin{enumerate}
+ \item Check if the node in question has neighbours and check if at least one neighbour has been discovered.
+This rules out the cases where IMSI catchers have no neighbours or only an imaginary list.
+ \item If no neighbours have been discovered by the \gls{icds}, check if other nodes share some of the neighbours, if yes yield a \emph{Warning}, else yield \emph{Critical}.
+If the node is question is a legitimate node and the rare case occurs that none of its neighbours are in reach, most of its neighbours should be shared by other nodes of the same provider.
+ \item Check if other nodes of the same provider have the node in question inside their neighbourhood list, \eg if the node in question has incoming edges.
+This would not be the case for example for an IMSI catcher that broadcasts on a new \gls{arfcn}.
+ \item If all the above criteria are met, yield \emph{Ok}.
+\end{enumerate}
+This rule cannot find an IMSI catcher that has in- and outgoing edges, in other words a device that replaced a legitimate base station and copied the neighbourhood list from the original cell.
+Such a catcher would transmit at a very high strength and thus make sure all its neighbours have a worse reception on the target mobile phone than itself.
+It is generally not possible to rule out base stations where all outgoing edges point to base stations with a lower reception, since every legitimate neighbourhood will have one node that excels all other nodes in terms of reception.
+
+The Neighbourhood Structure Rule tests if at least one neighbour has actually be found.to raise this threshold the \emph{Discovered Neighbours Rule} can be used.
+It takes a parameter as an input which is interpreted differently depending on its range.
+If the threshold is in the interval $[0,1]$ it is interpreted as a percentage.
+$0.5$ meaning that at least half the neighbours in the list need to be found for the rule to give an \emph{Ok} rating.
+A threshold in the interval $(1,+\infty)$ means that this absolute number of base stations have to be found, if a floating point number is provided the real part is stripped.
+As an example $3$ and $3.47$ would both mean that at least $3$ neighbours would have to be found.
+This representation cannot cover the 'at least one' case since $1$ equals $100\%$ which is no problem for this case is already covered by the Neighbourhood Structure Rule.
\subsubsection{Database Rules}
Let us do a quick summary of the situation so far.
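Review bot: The added description of the Discovered Neighbours Rule says that for a floating point threshold `the real part is stripped`, but the example that follows (3 and 3.47 both meaning 3) shows the fractional part being dropped, so the sentence should read `if a floating point number is provided the fractional part is stripped`. In step 3 of the enumerate, `\eg if the node in question has incoming edges` restates the check rather than giving an example, so "i.e." is presumably meant. Two typos on added lines also hurt readability of the rule specification: `has actually be found.to raise this threshold` and `If the node is question`.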
@@ -403,9 +425,9 @@ Therefore the Configuration Rules and most of the Context Rules will yield an \e
The Neighbouring Cell List is a bit different.
Since the catcher wants to keep lured subscribers it will normally have an empty list or a list pointing only to \glspl{bts} imaginary neighbours.
Both of these cases can be detected.
-However the operator \emph{may} also choose to set a list consistent with the neighbouring cells.
-This would lower the chances of success for the catcher but also make it blend better in its environment and thus harder to detect.
-
+However the operator \emph{may} also choose to set a list consistent with the neighbouring cells, \eg a catcher replacing a cell and copying the neighbourhood list.
+
+A new parameter has to be introduced to yield information in the cases the rules mentioned before fail, the \gls{cid}.
For the \gls{cid} there are basically two possibilities depending on which attack type is used.
The first possibility was that the IMSI catcher opens up a new cell and the second one was that it replaces a formerly existent cell.
In the first case parameters can be chosen in a consistent way although a new \gls{cid} has to be chosen, as the \gls{cid} needs to be unique.
@@ -504,17 +526,15 @@ The \gls{icds} also uses this method on particularly filtered base stations in \
\label{sec:evaluators}
All the rules are evaluated for each base station.
Aggregation of these rule results into a single result is done by modules called \emph{evaluators}.
-Currently there are three different evaluators implemented inside the \gls{icds}, with varying degrees of customisability.
+Currently there are two different evaluators implemented inside the \gls{icds}:
\begin{itemize}
\item Conservative Evaluator: This is a worst-case evaluator.
It iterates over all the rule findings and yields the most concerning finding as its result.
By default this evaluator is enabled in the system.
- \item Weighted Evaluator: Using this evaluator the user can give a weight to each rule.
- This way rules that are more important to the user can have a higher impact on overall evaluation.
\item Grouped Evaluator: With this evaluator rules can be grouped together.
Inside each group the result for the group is found by majority vote whereas the final result is conservatively found by comparing all the group results.
\end{itemize}
-The different kinds of evaluators can be used to tweak the whole system more to a specific environment or purpose, if specific rules are given more weight.
+Different kinds of evaluators can be used to tweak the whole system more to a specific environment or purpose, if specific rules are grouped together.
They are meant more for experimental purpose if the \gls{icds} is used as a toolbox for analysing base stations, to give more freedom in use to the operator.
In case of the system being used in \emph{User Mode} or for the sole purpose of finding whether an IMSI catcher is active or not, the conservative evaluator should almost always be the evaluator of choice and tweaking should be done on the rule parameters rather than on the evaluator.
@@ -670,7 +690,7 @@ Only the provider is to be entered and a final evaluation will be returned once
\item Base Station List: This list gives an overview of which base stations have been discovered so far along with some distinguishing information including its evaluation.
A detailed view of a base station can be brought up by selecting it in the list and pressing the enter or return key.
-The report is separated into four main parts, the first being all the harvested parameters, followed by findings the different rules and evaluators yielded and a section with the raw uninterpreted system information data.
+The report is separated into four main parts, the first being all the harvested parameters, followed by findings the different rules and evaluators yielded and a section with the raw uninterpreted System Information data.
\item Log Window: Every important event inside the \gls{icds} is reported in the log together with a time stamp when it occurred.
@@ -732,10 +752,13 @@ To enhance the quality of a Local Area Database it is recommended to do multiple
This raises the probability that all \gls{bts} in the perimeter are found is higher and it solidifies the interval in which the base station signal strength varies.
\paragraph{Conducting a PCH Scan:} A \gls{pch} scan can be conducted in addition to a sweep scan or as a standalone method therefore no scan data needs to be present.
+Since PHC scans and sweep scans use the Motorola C123 a PCH scan can only be done when no sweep scan is active and vice versa.
The first parameter is a comma separated list of \glspl{arfcn} that will be scanned.
The second parameter is the timeout.
A scan for a particular \gls{arfcn} will tune in on the \gls{pch} of each \gls{arfcn} given and wait there until the timeout is reached gathering all paging messages and \gls{ia} that are sent in that time interval.
In the lower part of the dialog, after the scan has finished, the statistics for the scanned \glspl{bts} will occur.
+If the checkbox is checked, the data acquired by the scan will also be integrated with the data model and will have an impact on the evaluation displayed in the Base Station Graph.
+The findings can then also be seen in the report for a base station.
\begin{figure}
\centering
@@ -752,6 +775,7 @@ If the station already has been evaluated as \emph{Critical}, \emph{User Mode} w
In all other cases it performs an additional \gls{pch} scan on that station to rule out the scenario where a catcher has not been detected by the currently active set of rules.
After the evaluation has been completed, the picture on the bottom will change to reflect the result found.
+Additionally if PCH scan integration is enabled the results from \emph{User Scan} will also carry over to the data model if a PCH scan has been carried out in the process.
\section{Related Projects}
IMSI catcher detection is a topic that has not emerged until recently therefore not a lot of work and research has been done upon that subject.
diff --git a/Tex/Content/Evaluation.tex b/Tex/Content/Evaluation.tex
index b809c14..4fc1a87 100644
--- a/Tex/Content/Evaluation.tex
+++ b/Tex/Content/Evaluation.tex
@@ -1,30 +1,31 @@
\chapter{Evaluation}
-The following chapter presents the results of the experiments done with the \gls{icds}.
+The following chapter presents the results of the experiments carried out with the \gls{icds}.
Evaluation has been done in different areas to give a complete impression of how the \gls{icds} performs.
In the first section some general findings will be described that affect overall performance.
Afterwards the test environment and setup of the IMSI catcher is discussed.
The last two sections evaluate the \gls{icds} against a configured catcher.
-At first the individual Rules are tested, then the two attacks described in the theory section were conducted.
+At first the individual rules are tested, then the two attacks described in the theory section were conducted.
\section{Performance Evaluation}
In order to evaluate general performance it has to be considered that the \gls{icds} can be deployed in different environments.
To reflect different compositions and densities of base stations from different areas, four distinct data sets will be used for the experiments in this section.
The data sets have been taken in areas surrounding the city of Freiburg.
+For each area three scans were made on a fixed position and the duration was averaged.
Table \ref{tab:key_data} shows some of the data sets' key values.
\begin{table}
\centering
\begin{tabular}{llrr}
\toprule
-Name &Description &Number of BTS &Scan Duration\\
+Name &Description &Number of BTS &Duration\\
\midrule
-\texttt{cdb} &CBD around the area of &54 &6:13 \\
- &Bertholdsbrunnen & & \\
-\texttt{airport} &Airport and university area &68 &6:25 \\
- &around Georges Koehler Allee & & \\
-\texttt{ind\_park} &Industrial park Haid in &53 &4:52 \\
+\texttt{cdb} &CBD around the area of &54 &6:13\,m \\
+ &Bertoldsbrunnen & & \\
+\texttt{airport} &Airport and university area &68 &6:25\,m \\
+ &around Georges K\"ohler Allee & & \\
+\texttt{ind\_park} &Industrial park Haid in &53 &4:52\,m \\
&Freiburg West, Hausener Weg & & \\
-\texttt{house\_area} &Housing area at the rim of &22 &3:59 \\
- &Freiburg Zähringen, Thuner Weg & & \\
+\texttt{house\_area} &Housing area at the rim of &22 &3:59\,m \\
+ &Freiburg Z\"ahringen, Thuner Weg & & \\
\bottomrule
\end{tabular}
\caption{Key values of the data sets used for performance tests.}
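Review bot: The first data set is still named `\texttt{cdb}` in the table on the new side, while its description and the rest of the chapter call it `cbd`; the row should start with `\texttt{cbd}`. The new duration cells use `6:13\,m`, where `m` reads as metres, so `6:13\,min` would state the unit unambiguously. Since the added sentence says three scans per area were averaged, the column header or the caption could also say that the durations are mean values.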
@@ -46,11 +47,11 @@ Therefore they will be ignored and factored out for the remainder of this evalua
\begin{axis}[
width=\textwidth,
height=0.3\textheight,
- xlabel=Total BTS,
+ xlabel=Total BTSs,
ylabel=Scan duration in s,
xticklabel style={/pgf/number format/1000 sep=}
]
- \addplot [mark=*,blue] plot coordinates {
+ \addplot [mark=*, blue, only marks] plot coordinates {
(68, 385)
(54, 373)
(53, 292)
@@ -66,22 +67,20 @@ Generally said it takes longer the more dense the base station distribution is i
This is however not the only factor, as Figure \ref{fig:durations} visualises.
If the scan duration would only depend on the number of base stations scanned, a linear growth could be expected.
-There is a large increase in scan duration between the \texttt{ind\_park} and the \texttt{cbd} data sets although only one more base station was detected.
-This jump can be explained considering the context of the scan.
-The scans were done on a Saturday between 14:00 and 16:00.
-The Freiburg CBD was crowded at the time of the scan as was the university campus due to an event held there.
-In contrast the industrial park area was very calm, as was the housing area.
-Whenever the \gls{icds} discovers a \gls{bts} it needs to wait until all System Information messages are gathered before it can continue scanning for further base stations.
-In a crowded area reception is far worse due to radio inference therefore it takes longer to accumulate the information needed resulting in increased scanning times.
+This is however not the case as the plot shows.
+A bad reception means that a lot of \gls{bcch} frames are rendered unusable and have to be retransmitted.
+Therefore it takes significantly longer to gather all System Information Messages for a single \gls{bts} that has a bad reception.
+Looking at the overall reception in the datasets shows that no base stations in the \texttt{cbd} dataset had a reception of below -95\,dB.
+In the three other datasets stations with reception levels of below -100\,dB can be found.
+Overall reception was worst in the \texttt{airport} and \texttt{cbd} datasets which explains the large jump in time although only one more base station has been scanned between the \texttt{ind\_park} and \texttt{cbd} datasets.
-A crowded area with high density of \glspl{bts} could be seen as a worst case for scan duration.
-Re-evaluation of a base station based on its own parameters thus occurs only every 7 minutes in this worst case scenario.
+Re-evaluation of a base station based on its own parameters thus occurs only every seven minutes in the worst scenario we experienced.
This is an inherent problem to the approach of scanning and updating all base stations and not only monitoring a subset belonging to a single provider.
-If an IMSI catcher replaces a base station directly after it was scanned, it could take up to 7 minutes until it is discovered.
-To lessen this threat, if the \gls{icds} is used in User Mode, the base station with the strongest reception is scanned again, to eliminate the possibility of having been taken over and not being detected.
+If an IMSI catcher replaces a base station directly after it was scanned, it could take up to seven minutes until it is discovered.
+To lessen this threat, if the \gls{icds} is used in \emph{User Mode}, the base station with the strongest reception is scanned again with a PCH scan, to eliminate the possibility of having been taken over and not being detected.
\subsection{Cell ID Databases}
-The usefulness of the \emph{Cell ID Rule} is subject to the completeness of the database that is used.
+The usefulness of the Cell ID Rule is subject to the completeness of the database that is used.
That is even more so since a database with a low coverage will yield false positives, \eg legitimate base stations will be evaluated as being IMSI catchers because they are not found in the database.
The coverage for the OpenCellID database and the Google Mobile Maps service evaluated against the data sets can be seen in Table \ref{tab:coverage}.
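Review bot: The new explanation for the jump in scan time appears to contradict itself: it states that no station in the `cbd` data set was below -95 dB while the other three sets contain stations below -100 dB, and then that overall reception was worst in `airport` and `cbd`. As written, `cbd` has the best weakest-station level yet is named among the worst, so the text should say which measure of overall reception is meant (for example a mean or median rxlev per data set) and give the values. The levels are also written as `-95\,dB` in text mode, which typesets a hyphen; `$-95$\,dB` gives a minus sign.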
@@ -97,66 +96,80 @@ Google& 1.00&5& &0.99&8& &1.00&5& &1.00&2\\
OCID& 0.57&51& &0.58&68& &0.58&55& &0.41&19\\
\bottomrule
\end{tabular}
-\caption{Coverage for Google Mobile Maps and OpenCellID on the data sets with the time needed in s for fetching the information.}
+\caption{Coverage for Google Mobile Maps and OpenCellID on the data sets with the time needed in seconds for fetching the information.}
\label{tab:coverage}
\end{table}
-Google Mobile Maps service scored a complete coverage on all the data sets while Open Cell ID could cover about half the nodes in the different sets.
-The reason the Google service had only a 99\% coverage on the \texttt{airport} data set is that base station that has not been found was the one operated by the chair of communication systems, therefore it can be factored out.
+Google Mobile Maps service scored a complete coverage on all the data sets while OpenCellID could cover about half the nodes in the different sets.
+The Ericson and combain databases could not be evaluated since it was not possible to obtain an API key without handing out credit card details for billing.
+The reason the Google service had only a 99\% coverage on the \texttt{airport} data set is that base station that has not been found was the one operated by the Chair of Communication Systems, therefore it can be factored out.
The OpenCellID database is not a good source of information for this project as is shown by its coverage scores.
+Both services also show a large difference in response time.
+The time needed to do a single lookup could take up to several seconds while a single lookup on the Google service presented a result almost instantly.
+This is most probably due to the fact that Google's server infrastructure is strongly optimised for tasks like this.
+The times also show that if the \gls{icds} would be connected to the internet, the lookups on Google's database could also be done during the course of a sweep scan since they do not impose a large time overhead per base station.
+
However it must be said that these two services are intended for localisation and thus do not have the demand to yield a complete coverage of all the base stations in the area.
-Therefore it must be kept in mind when using this Rule for analysis that false positives might still be brought forth.
-What can be said though is that a base station that has been found may only be subject to a type of attack that replaces an existing base station and can thus be investigated more specifically.
+Therefore it must be kept in mind when using this rule for analysis that false positives might still be brought forth.
+What can be said though is that a base station that has been found may only be subject to a type of attack that replaces an existing base station and can thus be investigated more specifically on that ground.
\subsection{PCH Scans}
-In order to establish a baseline on what to expect from the \gls{pch} scans different measurements have been done.
-Table \ref{tab:pagings} shows scans that have been done in three different areas.
+In order to establish a baseline on what to expect from the \gls{pch} scans additional measurements have been done.
+Table \ref{tab:pagings} shows scans that have been done in the different areas.
In each area the cell with the strongest reception for each provider was chosen as a representative for the respective provider.
-The duration of each scan was set to 60\,s, while the values in the table have been averaged for 10\,s since this is the unit the \gls{icds} is using.
-
-A comparison of the results suggests that the different providers also have different policies when to page.
-Vodafone has about six times the paging rate O$_{2}$ has but only half the Immediate Assignments.
+The duration of each scan was set to 60 seconds, while the values in the table have been averaged for 10 seconds since this is the unit the \gls{icds} is using.
+
+A comparison of the results suggests that different providers also have different policies when to page.
+Vodafone has about six times the paging rate of other providers.
+This can be explained by further examining the Vodafone network structure.
+Another scan showed that for other providers the Paging Messages were addressed to between 70 and 120 different \glspl{tmsi} whereas for Vodafone between 600 and 700 different \glspl{tmsi} were found.
+The large difference in \glspl{tmsi} is due to the fact that Vodafone's \glspl{la} are larger than the \glspl{la} other providers use.
+For the Freiburg area two different \glspl{lac} were found for each of the providers E-Plus, T-Mobile and O$_2$ while for Vodafone only one \gls{lac} was found.
+These facts were also checked against the OpenCellID database which yielded the same results for \glspl{lac} used in the Freiburg area.
+All this gives some insights into the paging policy that Vodafone might have.
+If the network is looking for a subscriber the last known \gls{la} for this subscriber is paged rather than starting with the last known cell and expanding the paging radius.
+Since the area covered by a single \gls{la} is very large, a lot of subscribers are registered for a single area.
+This theory would also be consistent with the face that despite of the large number of Paging Messages only an average number of \glspl{ia} were caught which are restricted to the serving cell.
Another scan was also done on the IMSI catcher.
-No Paging Messages or Immediate Assignments were detected although \glspl{ms} were connected to it.
-That was to be expected as formerly discussed in Section \ref{sec:paging} because the IMSI catcher is not actually part of the providers network and thus cannot receive and forward paging requests.
+No Paging Messages or \glspl{ia} were detected although a \gls{ms} was connected to it.
+This was to be expected as formerly discussed in Section \ref{sec:paging} because the IMSI catcher is not actually part of the providers network and thus cannot receive and forward Paging Messages.
\begin{table}
\centering
-\begin{tabular}{lrrcrrcrr}
+\begin{tabular}{lrrcrrcrrcrr}
\toprule
-& \multicolumn{2}{c}{\texttt{house\_area}} &\phantom{a}& \multicolumn{2}{c}{\texttt{cbd}} &\phantom{a} & \multicolumn{2}{c}{\texttt{airport}}\\
-\cmidrule{2-3} \cmidrule{5-6} \cmidrule{8-9}
-&Pagings&IAs& &Pagings &IAs.& &Pagings&IAs.\\
+& \multicolumn{2}{c}{\texttt{house\_area}} &\phantom{a}& \multicolumn{2}{c}{\texttt{cbd}} &\phantom{a} & \multicolumn{2}{c}{\texttt{airport}}&\phantom{a} & \multicolumn{2}{c}{\texttt{ind\_area}}\\
+\cmidrule{2-3} \cmidrule{5-6} \cmidrule{8-9} \cmidrule{11-12}
+&PMs.&IAs& &PMs. &IAs.& &PMs.&IAs.&&PMs.&IAs\\
\midrule
-T-Mobile& 89&3& &75&3& &109&4\\
-E-Plus& 119&1& &67&2& &70&1\\
-Vodafone& 776&6& &720&5& &712&6\\
-O2& 117&9& &106&16& &94&11\\
+T-Mobile& 89&3& &75&3& &109&4&&72&1\\
+E-Plus& 119&1& &67&2& &70&1&&65&0\\
+Vodafone& 776&6& &720&5& &712&6&&743&2\\
+O$_{2}$& 117&9& &106&16& &94&11&&95&7\\
\bottomrule
\end{tabular}
-\caption{Number of Pagings and Immediate Assignments (per 10\;s) for the four German providers at different locations.}
+\caption{Number of Paging Messages and Immediate Assignments (per 10 seconds) for the four German providers at different locations.}
\label{tab:pagings}
\end{table}
\section{IMSI Catcher Detection}
Before using an IMSI catcher for testing purpose or a launching an OpenBTS base station it should be ensured that licenses for the specific frequencies that are used, have been obtained.
This way it can be ensured that the operation does not interfere with regular radio communication.
-Extra care should be taken when configuring the IMSI catcher to simulate a real base station to reject incoming connections when the experiments are not done within a radio sealed room.
-Otherwise subscribers might get caught by the catcher and might not be able to initiate calls.
-How this can be done for the Open Source IMSI Catcher that is used to test the \gls{icds} is explained in the next section.
+In case of our experiments we always used \gls{arfcn} 877 and broadcasted '23' as provider name.
+The university has acquired a license for this frequency and since the provider identification differs from the four common providers' \glspl{mnc} we do not lure mobile subscribers into connecting to the catcher.
\subsection{Open Source IMSI Catcher}
-Some of the Rules cannot be tested without an active IMSI catcher.
+Some of the rules cannot be tested without an active IMSI catcher.
For this purpose the Open Source IMSI Catcher \cite{dennis} is used.
-This project builds up an IMSI catcher using only Open Source systems and freely available hardware so it can basically be used by anybody.
+This project prototypes an IMSI catcher using only open source systems and freely available hardware so it can basically be used and built by anybody.
On the hardware side a computer running a Linux operating system is used, as well as the \gls{usrp} as the radio transmitter.
The \gls{usrp} allows the signal processing for radio transmissions to be done in software, therefore it can be used for a multitude of purposes and protocols.
Some hardware modifications have to be done to the device to empower it to send and receive data on the frequency bands used for \gls{gsm} communication.
An external clock needs to be used since \gls{gsm} operations are very time critical.
Figure \ref{fig:setup} shows the Open Source IMSI Catcher and the \gls{icds} side by side.
-On the software side GNU Radio\footnote{GNU Radio Project Wiki, \url{http://gnuradio.org/redmine/projects/gnuradio/wiki} [Online; Accessed 05.2012]}, OpenBTS\footnote{OpenBTS Project Wiki, \url{http://wush.net/trac/rangepublic} [Online; Accessed 05.2012]} and Asterisk\footnote{Asterisk, \url{http://www.asterisk.org} [Online; Accessed 05.2012]} are used to achieve the functionality provided by a IMSI catcher.
+On the software side GNU Radio\footnote{GNU Radio Project Wiki, \url{http://gnuradio.org/redmine/projects/gnuradio/wiki} [Online; Accessed 05.2012]}, OpenBTS\footnote{OpenBTS Project Wiki, \url{http://wush.net/trac/rangepublic} [Online; Accessed 05.2012]} and Asterisk\footnote{Asterisk, \url{http://www.asterisk.org} [Online; Accessed 05.2012]} are used to achieve the functionality provided by an IMSI catcher.
\begin{figure}
\centering
\includegraphics[width=.95\textwidth]{../Images/catcherICDS}
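Review bot: The safeguard for readers who reproduce the setup is lost in the rewritten opening of the IMSI Catcher Detection section: the instruction to make a test catcher reject incoming connections outside a radio sealed room, and the pointer to the section that shows how, are gone, and the text now relies on the provider name '23' alone to keep subscribers away. The configuration that restricts registration to known accounts seems to be described later in the chapter, so a sentence such as `Connections from unknown subscribers are additionally rejected by the configuration described in the next section.` would keep that safeguard visible. In the same hunk the new column of the paging table is headed `\texttt{ind\_area}` although the data set is called `ind\_park` elsewhere, and `consistent with the face that` should read `fact`.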
@@ -164,7 +177,7 @@ On the software side GNU Radio\footnote{GNU Radio Project Wiki, \url{http://gnur
\label{fig:setup}
\end{figure}
The raw data that is received by the \gls{usrp} is sent to the GNU Radio component which works as a software side interface to the \gls{usrp}.
-This data is taken by the OpenBTS software that simulates base station behaviour and has an integrated module simulating a \gls{vlr} and handing out \glspl{tmsi}.
+This data is taken by the OpenBTS software that simulates base station behaviour and has an integrated module simulating a \gls{vlr} handing out \glspl{tmsi}.
OpenBTS implements an open source version of the \gls{gsm} stack with the goal to provide cheap access points to the \gls{gsm} network in areas with bad coverage.
The user accounts as well as encoding of voice data and recording of calls is handled inside the Asterisk software, basically combining the \gls{trau}, \gls{hlr} and authentication centre of a real \gls{gsm} network.
Calls are routed from here on to the \gls{voip} network of the university.
@@ -202,17 +215,20 @@ GSM.T3212 1
More precisely this will only let users connect that have been set up in the \texttt{sip.conf} of the Asterisk server.
Only the test phone does have a valid account.
+As a general note, when the experiments were conducted the \gls{icds} and the Open Source IMSI Catcher were located in the same room, therefore the IMSI catcher had always good reception levels.
+This is not a problem since an IMSI catcher operator generally wants to have high reception levels on the target phone to lure it to connect to the device.
+So if the IMSI catcher would be located farther away the operator would increase transmission power accordingly.
+
\subsubsection{Modifications to the ICDS Configuration}
A few small modifications have to be made to the configuration of the \gls{icds} to not instantly evaluate the university base station and the IMSI catcher as \emph{Critical}.
-The configuration of the \emph{ARFCN\,/\,Provider Mapping Rule} has been changed to include the \gls{arfcn} 877 as valid \gls{arfcn} for each provider since the is the frequency that we are allowed to send on.
-In one experiment this rule was tested by faking a T-Mobile station on \gls{arfcn} 50.
-This experiment was done in a radio sealed room.
-
+The configuration of the ARFCN\,/\,Provider Mapping Rule has been changed to include the \gls{arfcn} 877 as valid \gls{arfcn} for the imaginary provider '23' since it is the frequency that we are allowed to send on.
+Furthermore '23' was included in the list of known providers, that the Provider Known Rule uses.
+Another small change has been done to the implementation of the Neighbourhood Structure Rule to treat the provider '23' as an equivalent to E-Plus.
+One the one hand this has been done because the university base station has E-Plus nodes as neighbours which would normally trigger a \emph{Critical} rating on the Neighbourhood Structure Rule and on the other hand this makes it possible to integrate the IMSI catcher into an E-Plus neighbourhood.
-
-\subsection{Rule Evaluation}
+\subsection{Configuration and Context Rules Evaluation}
With the environment set up we will now evaluate the individual Rules.
-The IMSI catcher was launched with the four different configurations shown in Table \ref{tab:err_configs}.
+The IMSI catcher was launched with the three different configurations 2--4 shown in Table \ref{tab:err_configs}.
\begin{table}
\centering
\begin{tabular}{lllll}
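Review bot: The added sentence about the Neighbourhood Structure Rule opens with `One the one hand`, which should read `On the one hand`. The same paragraph says the rule's implementation was changed to treat provider '23' as equivalent to E-Plus, so the evaluated rule differs from the unmodified one. If that special case is only active in the test setup, the text should say so, since it widens what the rule accepts as a consistent neighbourhood; the hunk does not show the code.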
@@ -223,34 +239,67 @@ ARFCN &50 &877 &877 &877 \\
ShortName &T-Mobile &Vodafone &E-Plus &O2 \\
MCC &262 &262 &262 &505 \\
MNC &01 &02 &03 &07 \\
-LAC &21010 &793 &588 &50945 \\
+LAC &21010 &123 &588 &50945 \\
Cell ID &1 &2 &3 &4 \\
-Neighbours &--- &10,11,12 &695, 20 &1022, 1001 \\
+Neighbours &42, 44, 45 &10, 11, 12 &695, 20, 21 &1022, 1001, 1015\\
\bottomrule
\end{tabular}
\caption{Erroneous configurations for the IMSI catcher.}
\label{tab:err_configs}
\end{table}
-With each of these configurations the \gls{icds} detected the catcher for various reasons:
+
+\begin{table}
+\centering
+\begin{tabular}{lll}
+\toprule
+Rule &Finding &Explanation \\
+\midrule
+Provider Known &\emph{Ok} &T-Mobiled is a known provider.\\
+Country\,/\,Provider Map &\emph{Ok} &MNC 262 and MNC 01 with\\
+ & &T-Mobile fit together.\\
+LAC\,/\,Provider Map &\emph{Critical}&LAC 21010 not a known LAC for\\
+ & &MNC 01 in the Freiburg area.\\
+ARFCN\,/\,Provider Map &\emph{Critical}&ARFCN 50 belongs to Vodafone.\\
+LAC Median Deviation &\emph{Critical}&LAC differs from other T-Mobile\\
+ & &stations in the area.\\
+Pure Neighbourhoods &\emph{Ok} &Only T-Mobile stations as\\
+ & & neighbours.\\
+Neighbourhood Structure &\emph{Warning} &Explanation in running text.\\
+Discovered Neighbours &\emph{Ok} &All neighbours have been\\
+ & &discovered.\\
+Cell ID Uniqueness &\emph{Ok} &No duplicate Cell ID found.\\
+\bottomrule
+\end{tabular}
+\caption{Configuration and Context Rule results for Config 1.}
+\label{tab:config_rules_eval}
+\end{table}
+
+Configuration 1 will now be used to recap the rules theoretically since we cannot actually transmit on \gls{arfcn} 50.
+Table \ref{tab:config_rules_eval} summarises and explains the findings of the different Configuration and Context Rules for this imaginary scenario.
+The Neighbourhood Structure Rule should be given a closer examination.
+Since neighbours are present and at least one neighbour has been found directly the basic requirements for the rule to yield an \emph{Ok} have been met.
+However since its \gls{arfcn} is 50, it has no incoming edges in the neighbourhood graph from other T-Mobile nodes thus the rule only yields a \emph{Warning} result.
+
+With each of the remaining configurations the \gls{icds} detected the catcher for various reasons.
+All rules mentioned did yield a \emph{Critical} rating unless noted otherwise.
\begin{itemize}
- \item Config 1: For this configuration the \gls{icds} detected that \gls{arfcn} 50 is not in the range registered to the provider T-Mobile.
- Apart from that the \gls{lac} differed from the ones found in the Freiburg area and thus different from the neighbouring \glspl{lac}.
- The neighbouring cell list was also empty which is a strong indication for an IMSI catcher.
- An interesting fact to be noted here is, when an empty neighbourhood list is given to OpenBTS it still transmits a neighbourhood list containing the element '0'.
- \emph{The Neighbourhood Structure Rule} triggered nevertheless since no other T-Mobile station in the area had \gls{arfcn} 0 as a neighbour, nor was it discovered during the scan.\\
- Rules triggered: LAC\,/\,Provider Mapping, Neighbourhood Structure, ARFCN\,/\,Provider Mapping, LAC Median Deviation
- \item Config 2: The detected errors within this configuration are that none of the neighbours mentioned was in range to be detected, which is very unlikely for a normal base station.\\
- Rules triggered: Neighbourhood Structure
- \item Config 3: In this configuration one of the neighbours, namely 695 is not consistent with the set provider.
- The base stations breaks up the isolated subgraph for E-Plus and is thus detected.\\
+ \item Config 2: The detected errors within this configuration are that none of the neighbours mentioned was in range to be detected, which is very unlikely for a normal base station.
+ Additionally LAC 123 is not a known LAC for Vodafone in the Freiburg area.
+ As a result the LAC deviation triggered the respective rule.
+ The neighbour on \gls{arfcn} 11 could not be found by the sweep scan so the Discovered Neighbours Rule.
+ Rules triggered: Neighbourhood Structure, LAC\,/\,Provider Map, LAC Median Deviation, Discovered Neighbours Rule.
+ \item Config 3: In this configuration one of the neighbours, namely 695 (O$_2$) is not consistent with the set provider.
+ The base station breaks up the isolated subgraph structure for E-Plus and is thus detected.\\
Rules triggered: Pure Neighbourhoods
\item Config 4: The chosen provider is not consistent with the country set.
- Additionally another warning is thrown since the neighbourhood list only contained nodes that were only found indirectly.\\
- Rules triggered: Country\,/\,Provider Mapping, Neighbourhood Structure (warning)
+ Additionally another warning is thrown since the neighbourhood list only contained nodes that were found indirectly.\\
+ On top of that, the \gls{cid} was already in use by another station.
+ Rules triggered: Country\,/\,Provider Mapping, Neighbourhood Structure (\emph{Warning}), Cell ID Uniqueness.
\end{itemize}
-The \emph{LAC Change Rule} and the \emph{rx Change Rule} remain to be tested.
-For this purpose the procedure was as follows.
-At first the \gls{icds} was turned on an scanning commenced.
+
+\subsection{Scan Rules Evaluation}
+For the purpose of testing the LAC Change and rx Change Rules the procedure was as follows.
+At first the \gls{icds} was turned on and scanning commenced.
Afterwards the IMSI catcher was turned on, operating on the same frequency as a base station that was previously discovered.
This was repeated several times with different configurations of the IMSI catcher.
Table \ref{tab:par_change} summarises the findings.
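Review bot: In the new Config 1 results table the Country / Provider Map row reads `MNC 262 and MNC 01`, but 262 is the MCC in Table tab:err_configs, so the row should read `MCC 262 and MNC 01 with`. The Provider Known row has the typo `T-Mobiled`. In the Config 2 item the sentence ending `so the Discovered Neighbours Rule.` has no verb; presumably `so the Discovered Neighbours Rule triggered as well.` is meant. In the Config 4 item the `\\` follows `found indirectly.` instead of preceding `Rules triggered:`, so the forced line break lands one sentence early. The tabular of tab:err_configs opens before this hunk.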
@@ -265,67 +314,81 @@ These times can vary however depending on the timing of the catcher being turned
\cmidrule{2-3} \cmidrule{5-6}
Config &Old &New & &Old &New &rx det. &LAC det. &Time\\
\midrule
-T-Mobile &-92 dB &-45dB & &4711 &666 &Yes &Yes &6:31\,m\\
-O2 &-91 dB &-46dB & &4711 &4711 &Yes &No &6:22\,m\\
-E-Plus &-89 dB &-41dB & &4711 &666 &Yes &Yes &5:59\,m\\
-Vodafone &-93 dB &-41dB & &4711 &4711 &Yes &No &6:35\,m\\
+Config 5 &-92 dB &-44dB & &4711 &666 &Yes &Yes &6:31\,m\\
+Config 6 &-91 dB &-46dB & &4711 &4711 &Yes &No &6:22\,m\\
+Config 5 &-89 dB &-44dB & &4711 &666 &Yes &Yes &5:59\,m\\
+Config 6 &-92 dB &-43dB & &4711 &4711 &Yes &No &6:35\,m\\
\bottomrule
\end{tabular}
\caption{Results obtained testing the \emph{rx} and \emph{LAC Change rules}.}
\label{tab:par_change}
\end{table}
-\subsection{Long-Term Test}
-To evaluate the \emph{Local Area Database Rule} a long-term test has been carried out.
+\subsection{Database Rules Evaluation}
+To evaluate the Local Area Database Rule and Cell ID Database Rule a long-term test has been carried out.
This has been done to find out whether base stations in the surrounding area change on a regular basis or stay the same (including their respective configurations and reception levels).
-This is essential for a Location Area Database to be usable over a longer period of time.
+This is essential for databases to be usable over a longer period of time.
-The database itself has been built over the course of one week in Freiburg, Georges Koehler Allee.
+The database itself has been built over the course of one week in Freiburg, Georges K\"ohler Allee.
+Two scans were conducted per day and integrated with the \gls{icds} into the existing Local Area Database.
During this period no parameter changes were detected and the reception of base stations only varied inside a very small interval.
-After that each day for another week, two scans per day were done.
-One of them while the IMSI catcher was operating, the other without the device present.
-This was done to evaluate if false positives or negatives occurred using the database and all the methods mentioned above over a larger period of time.
+
+After that each day for another one and a half week, two scans per day were done, on at around 11:00\,am and one around 8:00\,pm.
+One of them was conducted while the IMSI catcher was operating, the other without the device present.
+The gap between the 5$^\text{th}$ and the 8$^\text{th}$ was due to the face the IMSI catcher was unavailable during these days.
+This was done to evaluate if false positives or negatives occurred using the prebuilt database over a larger period of time.
The results on a per day basis are summarised in Table \ref{tab:longterm_test}.
+
\begin{table}
\centering
-\begin{tabular}{lllllrr}
+\begin{tabular}{rrlll}
\toprule
-Date &Time &Catcher &Detected &Detected by &False positives &False negatives\\
+Date &Time &Catcher &Detected &Detected by\\
\midrule
- & & & & & & \\
- & & & & & & \\
- & & & & & & \\
- & & & & & & \\
- & & & & & & \\
- & & & & & & \\
- & & & & & & \\
- & & & & & & \\
- & & & & & & \\
- & & & & & & \\
- & & & & & & \\
- & & & & & & \\
- & & & & & & \\
- & & & & & & \\
- & & & & & & \\
- & & & & & & \\
+31.05.12&11:00\,am &Yes &Yes &Local Area Database \\
+31.05.12&8:00\,pm &No &No & \\
+01.06.12&11:00\,am &No &No & \\
+01.06.12&8:00\,pm &Yes &Yes &Cell ID Database \\
+02.06.12&11:00\,am &Yes &Yes &Local Area Database \\
+02.06.12&8:00\,pm &No &No & \\
+03.06.12&11:00\,am &No &No & \\
+03.06.12&8:00\,pm &Yes &Yes &Cell ID Database \\
+04.06.12&11:00\,am &Yes &Yes &Local Area Database \\
+04.06.12&8:00\,pm &No &No & \\
+05.06.12&11:00\,am &No &No & \\
+05.06.12&8:00\,pm &Yes &Yes &Cell ID Database \\
+08.06.12&11:00\,am &Yes &Yes &Local Area Database \\
+08.06.12&8:00\,pm &No &No & \\
+09.06.12&11:00\,am&No &No & \\
+09.06.12&8:00\,pm &Yes &Yes &Cell ID Database \\
\bottomrule
\end{tabular}
-\caption{Results of the long-term evaluation.}
+\caption{Results of the database evaluation.}
\label{tab:longterm_test}
\end{table}
-\subsection{Attack Scenarios}
-Since all the Rules have been tested we assume from this point on that the IMSI catcher is configured correctly, meaning that parameters like the \gls{arfcn}, \gls{lac} or provider have been set up in correct and consistent way so the respective Rules will not show an alarm.
+Two different configurations for the IMSI catcher were in place each targeting one of the rules.
+In cases it was detected by the Local Area Database Rule a configuration was used that mirrored the base station that was replaced.
+In the other cases where the Cell ID Database Rule triggered the same configuration was used, but the \gls{cid} was changed to be a new one.
+The catcher and the normal base station were sending at the same frequency for these cases since the base station could not be switched off.
+No problems occurred due to that fact since the IMSI catcher had a significantly better reception and was found in all cases instead of the regular base station.
+
+During this two and a half week time period in which the databases were built and the tests done, none of the \glspl{bts} in the surrounding area listed a significant change in reception or parameters.
+Therefore no false positives or negatives had been found.
+All cases in which the IMSI catcher was operating were found either because the reception on the frequency was exceptionally good or because the \gls{cid} used was not in the database.
+
+\subsection{Realistic Scenarios}
+Since all the rules have been tested we assume from this point on that the IMSI catcher is configured correctly, meaning that parameters like the \gls{arfcn}, \gls{lac} and provider have been set up in correct and consistent way so the respective rules will not show an alarm.
Consistent parameters for the four providers in Germany can be found in Table \ref{tab:consistent_parameters}.
\begin{table}
\centering
\begin{tabular}{lllll}
\toprule
-Parameter &T-Mobile &Vodafone &E-Plus &O2\\
+Parameter &T-Mobile &Vodafone &E-Plus &O$_2$\\
\midrule
ARFCN &13-49, 81-102, &1-12, 50-80, &975-999, &0, 1000-1023,\\
&122-124, 587-611 &103-121, 725-751 &777-863 &637-723\\
-LAC &21014/21015 &793 &588/138 &50945\\
+LAC &21014/21015 &793 &588/138 &50945/51903\\
MCC &262 &262 &262 &262\\
MNC &01 &02 &03 &07\\
\bottomrule
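Review bot: The added conclusion `Therefore no false positives or negatives had been found.` rests on the 16 scans listed in tab:longterm_test, all taken at one site. It would read more accurately with the sample stated, e.g. `Therefore no false positives or negatives were found in these 16 scans.` Two typos in the added paragraph change the meaning: `on at around 11:00\,am` should be `one at around 11:00\,am`, and `due to the face the IMSI catcher` should be `due to the fact that the IMSI catcher`. The tab:par_change table starts before this hunk and the tab:consistent_parameters table continues past it.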
@@ -344,9 +407,9 @@ First the IMSI catcher was turned on, faking a legitimate T-Mobile cell with a n
Afterwards the \gls{icds} was started and a sweep scan was performed.
As soon as the cell was scanned which occurred very early since the reception was very good (-45\,dB) it was detected that this cell was not in the Local Area Database.
After the sweep scan \glspl{cid} from Google were also fetched.
-Both the \emph{Local Area Database Rule} and the \emph{Cell ID Database Rule} indicated a \emph{Critical} status.
+Both the Local Area Database Rule and the Cell ID Database Rule indicated a \emph{Critical} status.
-As a further step to simulate the case where no local information is available, the \emph{Local Area Database Rule} and \emph{Cell ID Rules} were turned off.
+As a further step to simulate the case where no local information is available, the Local Area Database Rule and Cell ID Rules were turned off.
The \gls{icds} then yielded an \emph{Ok} evaluation since the configuration of the catcher cell was consistent.
The next step was to put the \gls{icds} into \emph{User Mode} with T-Mobile as its fixed provider.
It selected the IMSI catcher cell as its target cell because of the good reception level and since it's evaluation was \emph{Ok} an additional PCH scan was started.
@@ -355,7 +418,7 @@ No paging messages or \glspl{ia} were caught so the end result was a \emph{Criti
\subsubsection{IMSI Catcher replacing an old Cell}
The second scenario simulated the attack where the IMSI catcher replaces a base station with a bad reception in the neighbourhood of the cell the \gls{ms} is connected to.
-This way the reception drastically improves on that particular frequency suggesting to the \gls{ms} that the subscriber moved to the close perimeter of that \gls{bts} and .
+This way the reception drastically improves on that particular frequency suggesting to the \gls{ms} that the subscriber moved into the close perimeter of that \gls{bts} and it switches its cell to the stronger one.
We used the university base station on \gls{arfcn} 877 as our target.
A sweep scan was conducted with the \gls{icds} and after the base station had been found the IMSI catcher was started on the same frequency.
diff --git a/Tex/Content/GSM_short.tex b/Tex/Content/GSM_short.tex
index 6a39850..b9b44ca 100644
--- a/Tex/Content/GSM_short.tex
+++ b/Tex/Content/GSM_short.tex
@@ -82,7 +82,7 @@ Up to now the \gls{3gpp} has enhanced mobile standards.
In 2005 the first \gls{hsdpa} network went online.
\gls{hsdpa} \cite{hsdpa} is a protocol that enables mobile users to download data with speeds up to 84\,MBit/s since release 9.
\gls{hsupa} \cite{hsupa} is a related protocol in the \gls{hspa} family that provides similar functionality for uploading data.
-These and other specification are published on the \gls{3gpp} website\footnote{3GPP - Specification Groups, \url{http://www.3gpp.org/} [Online; Accessed 04.2012]}.
+These and other specification are published on the \gls{3gpp} website\footnote{3GPP - Specification Groups, \url{http://www.3gpp.org/Specification-Groups} [Online; Accessed 04.2012]}.
\section{The GSM Network}
\label{sec:network}
@@ -149,7 +149,6 @@ As the name suggests the \gls{sim} card is essentially a data storage that holds
This separation is interesting for the \gls{gsm} user since it allows him\,/\,her to exchange the \gls{me} without having to contact the provider.
Thus it can be used on different frequency bands and is one of the preconditions for roaming.
The \gls{sim} card can either be in plug-in format or ID-1 SIM format which is normally used for telephone cards, credit cards or car installed \gls{me}.
-The plug-in format is also called ID-000 and can be found in ISO/IEC 7810 \cite{ISO7810}.
A subset of other parameters stored on the \gls{eeprom} of the card can be seen in Table \ref{tab:simdata}.
The most important information stored on a \gls{sim} card are the \gls{imsi} and the \gls{ki}.
@@ -229,7 +228,7 @@ Provider &Country &MNC\\
T-Mobile &Germany &01, 06(R)\\
Vodafone &Germany &02, 04(R), 09(R)\\
E-Plus &Germany &03, 05(R), 77(T)\\
-$O_2$ &Germany &07, 08(R), 11(R)\\
+O$_2$ &Germany &07, 08(R), 11(R)\\
Orange &France &00, 01, 02\\
Swisscom &Switzerland &01\\
A1 &Austria &01, 09\\
diff --git a/Tex/Content/Motivation.tex b/Tex/Content/Motivation.tex
index c8b2483..c46b5a3 100644
--- a/Tex/Content/Motivation.tex
+++ b/Tex/Content/Motivation.tex
@@ -3,26 +3,30 @@
\section{Motivation}
Boundless communication for everyone, everywhere, any time.
That was the main idea and dream behind the development of the \gls{gsm} technology.
-Considering its reception and growth \cite{GSM2009,GSM_history2011,GSM_stats2011} it can be said that \gls{gsm} was one of the most successful technologies of the last 30 years.
-The advent of portable radio equipment and microprocessors in the 80's made mobile phones technologically possible.
+Considering its reception and growth it can be said that \gls{gsm} was one of the most successful technologies of the last 30 years \cite{GSM2009,GSM_history2011,GSM_stats2011}.
+The advent of portable radio equipment and microprocessors in the 1980's made mobile phones technologically possible.
From that point on commercialisation started with more and more providers emerging.
With more users, security became an ever more important aspect since confidential telephone calls were now made over radio instead of fixed landlines.
-In 1996 a device was released that took advantage of a security hole in the \gls{gsm} protocol which enabled it to record phone calls and track users.
-This device was developed by Rhode\,\&\,Schwartz and was called IMSI catcher.
+This is an inherent problem of the medium, anybody with suitable equipment can access radio waves while whit landlines physical access was required.
+In 1996 a device was released that took advantage of a security hole in the \gls{gsm} protocol which enabled it to record phone calls and track users \cite{fox}.
+This device was developed by Rhode\,\&\,Schwarz and was called IMSI catcher.
The name refers to the IMSI number, a unique identification of the user inside the \gls{gsm} network.
It can be obtained by the device by impersonating a base station which is the entry point of the subscriber to the network.
By means of a classical man-in-the-middle attack the IMSI catcher lures the subscriber to connect to it and relay the information to a real base station while harvesting the needed information like calls or IMSI numbers invisibly.
+The mobile phone used by the subscriber cannot distinguish between a regular base station and an IMSI catcher and will always connect to the strongest base station available.
-This risk is intensified by the fact that several other projects like the Open Source IMSI catcher \cite{dennis} succeeded in building such an IMSI catcher at a very low cost, using hardware and software that is freely available.
-With this hardware it is considerably easier to eavesdrop on and thus breach the privacy of a neighbour or record corporate phone calls than it was when only landlines were available.
+This risk is intensified by the fact that several other projects like the Open Source IMSI-Catcher \cite{dennis} succeeded in building such an IMSI catcher at a very low cost, using hardware and software that is freely available.
+Basically it is now possible for anyone, be it a jealous spouse or a private investigator, to self-construct these devices in an cost-effective manner.
+With these systems it is considerably easier to eavesdrop on and thus breach the privacy of a neighbour, wife or husband.
+Corporate phone calls are also easier to target this way in the context of industrial espionage if done over a mobile phone.
Up until now countermeasures to IMSI catchers have not been given much attention to since the commercial grade devices were only available to authorities and private abuse was thus not a large issue.
This is where this project is aimed at.
In this project different ways will be explored on how to identify an IMSI catcher based on its differences to a regular base station.
Additionally information of the surrounding area and tracking of different parameters over time is used to isolate suspicious base stations in the perimeter.
We develop a toolbox that makes it possible to gather and analyse information from all available base stations in an easy manner, the \gls{icds}.
-It is also designed to operate in an end user mode where only a very simplified version of the GUI is presented and an evaluation is yielded of whether it is safe to place a phone call or not at the moment.
+It is also designed to operate in an end user mode where only a very simplified version of the GUI is presented and an evaluation is yielded of whether it is safe to place a phone call or not.
The tool operates in a completely passive manner, only on information that is freely broadcasted, never connecting to base stations in question.
This way the system itself stays invisible to the base stations and thus potential IMSI catchers while evaluating them.
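Review bot: The vendor name is still misspelled after the change: `Rhode\,\&\,Schwarz` should be `Rohde\,\&\,Schwarz`. The added sentence on the radio medium has `while whit landlines`, which should be `while with landlines`, and it is a comma splice that reads better as `This is an inherent problem of the medium: anybody with ...`. The added `in an cost-effective manner` should be `in a cost-effective manner`. The new claim that a phone `will always connect to the strongest base station available` is stated absolutely; a hedge such as `will generally prefer` may be safer unless the GSM chapter backs the stronger wording.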
@@ -37,10 +41,10 @@ Finally a explanation of how to set up and operate the system together with some
The fourth chapter contains an evaluation of how the system performs in several categories.
First some general performance statistics and results on the individual methods used are collected.
-Afterwards a long-term test over the course of a week is done to examine the false positive and false negative rates of IMSI catcher detection.
+Afterwards a longer test is conducted over the course of one week to see how well the databases the system uses work in a potentially changing environment.
The chapter ends with two simulated attack scenarios.
-In the last chapter, a short summary of the results will be given as well as am outlook of how the system can be extended in several ways.
+In the last chapter, a short summary of the results will be given as well as an outlook of how the system can be extended in several ways.
\section{Disclaimer}
While conducting the practical part of this thesis precautions have been taken not to interrupt or influence radio transmissions made by regular subscribers.
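Review bot: The rewritten outline sentence says the longer test runs `over the course of one week`, which no longer matches the evaluation text changed in this same commit. Evaluation.tex now describes one week of database building followed by another one and a half weeks of scans, and refers to a `two and a half week time period`. Suggest aligning the summary, e.g. `Afterwards a longer test is conducted over the course of two and a half weeks to see how well the databases the system uses work in a potentially changing environment.`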
@@ -52,7 +56,7 @@ Operation of the IMSI catcher was restricted to the ARFCN 877 which is officiall
\section{On Typesetting}
To make the thesis more readable a few conventions will be kept throughout this document.
Important words or components of the \gls{icds} are printed \emph{emphasised}.
-\texttt{Typewriter} is used whenever a program or a file name are used in the running text.
+\texttt{Type\-writer} is used whenever a program or a file name are used in the running text.
Code examples can be distinguished by a code listing box that surrounds them.\\\\
\hspace*{\dimexpr\fboxsep+\fboxrule}%
\begin{minipage}{\dimexpr\textwidth-4\fboxsep-2\fboxrule}
diff --git a/Tex/Master/Master.acn b/Tex/Master/Master.acn
index 5bcc18c..23d6b26 100644
--- a/Tex/Master/Master.acn
+++ b/Tex/Master/Master.acn
@@ -2,7 +2,7 @@
\glossaryentry{GSM?\glossaryentryfield{gsm}{\glsnamefont{GSM}}{Global System for Mobile Communications}{\relax }|setentrycounter{page}\glsnumberformat}{1}
\glossaryentry{GSM?\glossaryentryfield{gsm}{\glsnamefont{GSM}}{Global System for Mobile Communications}{\relax }|setentrycounter{page}\glsnumberformat}{1}
\glossaryentry{GSM?\glossaryentryfield{gsm}{\glsnamefont{GSM}}{Global System for Mobile Communications}{\relax }|setentrycounter{page}\glsnumberformat}{1}
-\glossaryentry{ICDS?\glossaryentryfield{icds}{\glsnamefont{ICDS}}{IMSI Catcher Detection System}{\relax }|setentrycounter{page}\glsnumberformat}{1}
+\glossaryentry{ICDS?\glossaryentryfield{icds}{\glsnamefont{ICDS}}{IMSI Catcher Detection System}{\relax }|setentrycounter{page}\glsnumberformat}{2}
\glossaryentry{GSM?\glossaryentryfield{gsm}{\glsnamefont{GSM}}{Global System for Mobile Communications}{\relax }|setentrycounter{page}\glsnumberformat}{2}
\glossaryentry{ICDS?\glossaryentryfield{icds}{\glsnamefont{ICDS}}{IMSI Catcher Detection System}{\relax }|setentrycounter{page}\glsnumberformat}{2}
\glossaryentry{ICDS?\glossaryentryfield{icds}{\glsnamefont{ICDS}}{IMSI Catcher Detection System}{\relax }|setentrycounter{page}\glsnumberformat}{3}
@@ -439,8 +439,8 @@
\glossaryentry{ICDS?\glossaryentryfield{icds}{\glsnamefont{ICDS}}{IMSI Catcher Detection System}{\relax }|setentrycounter{page}\glsnumberformat}{39}
\glossaryentry{BTS?\glossaryentryfield{bts}{\glsnamefont{BTS}}{Base Station Transceiver}{\relax }|setentrycounter{page}\glsnumberformat}{39}
\glossaryentry{BTS?\glossaryentryfield{bts}{\glsnamefont{BTS}}{Base Station Transceiver}{\relax }|setentrycounter{page}\glsnumberformat}{39}
-\glossaryentry{BCCH?\glossaryentryfield{bcch}{\glsnamefont{BCCH}}{Broadcast Channel}{\relax }|setentrycounter{page}\glsnumberformat}{40}
-\glossaryentry{BCCH?\glossaryentryfield{bcch}{\glsnamefont{BCCH}}{Broadcast Channel}{\relax }|setentrycounter{page}\glsnumberformat}{40}
+\glossaryentry{BCCH?\glossaryentryfield{bcch}{\glsnamefont{BCCH}}{Broadcast Channel}{\relax }|setentrycounter{page}\glsnumberformat}{39}
+\glossaryentry{BCCH?\glossaryentryfield{bcch}{\glsnamefont{BCCH}}{Broadcast Channel}{\relax }|setentrycounter{page}\glsnumberformat}{39}
\glossaryentry{MS?\glossaryentryfield{ms}{\glsnamefont{MS}}{Mobile Station}{\relax }|setentrycounter{page}\glsnumberformat}{40}
\glossaryentry{FCCH?\glossaryentryfield{fcch}{\glsnamefont{FCCH}}{Frequency Correction Channel}{\relax }|setentrycounter{page}\glsnumberformat}{40}
\glossaryentry{SCH?\glossaryentryfield{sch}{\glsnamefont{SCH}}{Signalling Channel}{\relax }|setentrycounter{page}\glsnumberformat}{40}
@@ -482,7 +482,7 @@
\glossaryentry{MS?\glossaryentryfield{ms}{\glsnamefont{MS}}{Mobile Station}{\relax }|setentrycounter{page}\glsnumberformat}{42}
\glossaryentry{PCH?\glossaryentryfield{pch}{\glsnamefont{PCH}}{Paging Channel}{\relax }|setentrycounter{page}\glsnumberformat}{42}
\glossaryentry{MS?\glossaryentryfield{ms}{\glsnamefont{MS}}{Mobile Station}{\relax }|setentrycounter{page}\glsnumberformat}{42}
-\glossaryentry{IA?\glossaryentryfield{ia}{\glsnamefont{IA}}{Immediate Assignment Message}{\relax }|setentrycounter{page}\glsnumberformat}{43}
+\glossaryentry{IA?\glossaryentryfield{ia}{\glsnamefont{IA}}{Immediate Assignment Message}{\relax }|setentrycounter{page}\glsnumberformat}{42}
\glossaryentry{ICDS?\glossaryentryfield{icds}{\glsnamefont{ICDS}}{IMSI Catcher Detection System}{\relax }|setentrycounter{page}\glsnumberformat}{43}
\glossaryentry{IA?\glossaryentryfield{ia}{\glsnamefont{IA}}{Immediate Assignment Message}{\relax }|setentrycounter{page}\glsnumberformat}{43}
\glossaryentry{TMSI?\glossaryentryfield{tmsi}{\glsnamefont{TMSI}}{Temporary IMSI}{\relax }|setentrycounter{page}\glsnumberformat}{43}
@@ -490,7 +490,7 @@
\glossaryentry{ICDS?\glossaryentryfield{icds}{\glsnamefont{ICDS}}{IMSI Catcher Detection System}{\relax }|setentrycounter{page}\glsnumberformat}{43}
\glossaryentry{ICDS?\glossaryentryfield{icds}{\glsnamefont{ICDS}}{IMSI Catcher Detection System}{\relax }|setentrycounter{page}\glsnumberformat}{43}
\glossaryentry{BTS?\glossaryentryfield{bts}{\glsnamefont{BTS}}{Base Station Transceiver}{\relax }|setentrycounter{page}\glsnumberformat}{43}
-\glossaryentry{BTS?\glossaryentryfield{bts}{\glsnamefont{BTS}}{Base Station Transceiver}{\relax }|setentrycounter{page}\glsnumberformat}{44}
+\glossaryentry{BTS?\glossaryentryfield{bts}{\glsnamefont{BTS}}{Base Station Transceiver}{\relax }|setentrycounter{page}\glsnumberformat}{43}
\glossaryentry{BTS?\glossaryentryfield{bts}{\glsnamefont{BTS}}{Base Station Transceiver}{\relax }|setentrycounter{page}\glsnumberformat}{44}
\glossaryentry{ICDS?\glossaryentryfield{icds}{\glsnamefont{ICDS}}{IMSI Catcher Detection System}{\relax }|setentrycounter{page}\glsnumberformat}{44}
\glossaryentry{LAC?\glossaryentryfield{lac}{\glsnamefont{LAC}}{Location Area Code}{\relax }|setentrycounter{page}\glsnumberformat}{44}
@@ -506,99 +506,115 @@
\glossaryentry{ICDS?\glossaryentryfield{icds}{\glsnamefont{ICDS}}{IMSI Catcher Detection System}{\relax }|setentrycounter{page}\glsnumberformat}{46}
\glossaryentry{MS?\glossaryentryfield{ms}{\glsnamefont{MS}}{Mobile Station}{\relax }|setentrycounter{page}\glsnumberformat}{46}
\glossaryentry{BTS?\glossaryentryfield{bts}{\glsnamefont{BTS}}{Base Station Transceiver}{\relax }|setentrycounter{page}\glsnumberformat}{46}
-\glossaryentry{ARFCN?\glossaryentryfield{arfcn}{\glsnamefont{ARFCN}}{Absolute Radio Frequency Number}{\relax }|setentrycounter{page}\glsnumberformat}{48}
-\glossaryentry{BTS?\glossaryentryfield{bts}{\glsnamefont{BTS}}{Base Station Transceiver}{\relax }|setentrycounter{page}\glsnumberformat}{48}
-\glossaryentry{CID?\glossaryentryfield{cid}{\glsnamefont{CID}}{Cell Identity}{\relax }|setentrycounter{page}\glsnumberformat}{48}
-\glossaryentry{CID?\glossaryentryfield{cid}{\glsnamefont{CID}}{Cell Identity}{\relax }|setentrycounter{page}\glsnumberformat}{48}
-\glossaryentry{CID?\glossaryentryfield{cid}{\glsnamefont{CID}}{Cell Identity}{\relax }|setentrycounter{page}\glsnumberformat}{48}
\glossaryentry{ICDS?\glossaryentryfield{icds}{\glsnamefont{ICDS}}{IMSI Catcher Detection System}{\relax }|setentrycounter{page}\glsnumberformat}{48}
-\glossaryentry{CID?\glossaryentryfield{cid}{\glsnamefont{CID}}{Cell Identity}{\relax }|setentrycounter{page}\glsnumberformat}{48}
+\glossaryentry{ARFCN?\glossaryentryfield{arfcn}{\glsnamefont{ARFCN}}{Absolute Radio Frequency Number}{\relax }|setentrycounter{page}\glsnumberformat}{48}
+\glossaryentry{ARFCN?\glossaryentryfield{arfcn}{\glsnamefont{ARFCN}}{Absolute Radio Frequency Number}{\relax }|setentrycounter{page}\glsnumberformat}{49}
+\glossaryentry{BTS?\glossaryentryfield{bts}{\glsnamefont{BTS}}{Base Station Transceiver}{\relax }|setentrycounter{page}\glsnumberformat}{49}
+\glossaryentry{CID?\glossaryentryfield{cid}{\glsnamefont{CID}}{Cell Identity}{\relax }|setentrycounter{page}\glsnumberformat}{49}
+\glossaryentry{CID?\glossaryentryfield{cid}{\glsnamefont{CID}}{Cell Identity}{\relax }|setentrycounter{page}\glsnumberformat}{49}
\glossaryentry{CID?\glossaryentryfield{cid}{\glsnamefont{CID}}{Cell Identity}{\relax }|setentrycounter{page}\glsnumberformat}{49}
-\glossaryentry{ICDS?\glossaryentryfield{icds}{\glsnamefont{ICDS}}{IMSI Catcher Detection System}{\relax }|setentrycounter{page}\glsnumberformat}{49}
\glossaryentry{CID?\glossaryentryfield{cid}{\glsnamefont{CID}}{Cell Identity}{\relax }|setentrycounter{page}\glsnumberformat}{49}
+\glossaryentry{ICDS?\glossaryentryfield{icds}{\glsnamefont{ICDS}}{IMSI Catcher Detection System}{\relax }|setentrycounter{page}\glsnumberformat}{49}
\glossaryentry{CID?\glossaryentryfield{cid}{\glsnamefont{CID}}{Cell Identity}{\relax }|setentrycounter{page}\glsnumberformat}{49}
\glossaryentry{CID?\glossaryentryfield{cid}{\glsnamefont{CID}}{Cell Identity}{\relax }|setentrycounter{page}\glsnumberformat}{49}
\glossaryentry{ICDS?\glossaryentryfield{icds}{\glsnamefont{ICDS}}{IMSI Catcher Detection System}{\relax }|setentrycounter{page}\glsnumberformat}{49}
\glossaryentry{CID?\glossaryentryfield{cid}{\glsnamefont{CID}}{Cell Identity}{\relax }|setentrycounter{page}\glsnumberformat}{49}
-\glossaryentry{LAI?\glossaryentryfield{lai}{\glsnamefont{LAI}}{Location Area Identifier}{\relax }|setentrycounter{page}\glsnumberformat}{49}
+\glossaryentry{CID?\glossaryentryfield{cid}{\glsnamefont{CID}}{Cell Identity}{\relax }|setentrycounter{page}\glsnumberformat}{49}
+\glossaryentry{CID?\glossaryentryfield{cid}{\glsnamefont{CID}}{Cell Identity}{\relax }|setentrycounter{page}\glsnumberformat}{49}
\glossaryentry{ICDS?\glossaryentryfield{icds}{\glsnamefont{ICDS}}{IMSI Catcher Detection System}{\relax }|setentrycounter{page}\glsnumberformat}{49}
-\glossaryentry{LAC?\glossaryentryfield{lac}{\glsnamefont{LAC}}{Location Area Code}{\relax }|setentrycounter{page}\glsnumberformat}{50}
-\glossaryentry{LA?\glossaryentryfield{la}{\glsnamefont{LA}}{Location Area}{\relax }|setentrycounter{page}\glsnumberformat}{50}
-\glossaryentry{LAC?\glossaryentryfield{lac}{\glsnamefont{LAC}}{Location Area Code}{\relax }|setentrycounter{page}\glsnumberformat}{50}
-\glossaryentry{MS?\glossaryentryfield{ms}{\glsnamefont{MS}}{Mobile Station}{\relax }|setentrycounter{page}\glsnumberformat}{50}
+\glossaryentry{CID?\glossaryentryfield{cid}{\glsnamefont{CID}}{Cell Identity}{\relax }|setentrycounter{page}\glsnumberformat}{50}
+\glossaryentry{LAI?\glossaryentryfield{lai}{\glsnamefont{LAI}}{Location Area Identifier}{\relax }|setentrycounter{page}\glsnumberformat}{50}
\glossaryentry{ICDS?\glossaryentryfield{icds}{\glsnamefont{ICDS}}{IMSI Catcher Detection System}{\relax }|setentrycounter{page}\glsnumberformat}{50}
-\glossaryentry{MS?\glossaryentryfield{ms}{\glsnamefont{MS}}{Mobile Station}{\relax }|setentrycounter{page}\glsnumberformat}{50}
-\glossaryentry{LAC?\glossaryentryfield{lac}{\glsnamefont{LAC}}{Location Area Code}{\relax }|setentrycounter{page}\glsnumberformat}{50}
-\glossaryentry{PCH?\glossaryentryfield{pch}{\glsnamefont{PCH}}{Paging Channel}{\relax }|setentrycounter{page}\glsnumberformat}{50}
-\glossaryentry{IA?\glossaryentryfield{ia}{\glsnamefont{IA}}{Immediate Assignment Message}{\relax }|setentrycounter{page}\glsnumberformat}{50}
-\glossaryentry{IA?\glossaryentryfield{ia}{\glsnamefont{IA}}{Immediate Assignment Message}{\relax }|setentrycounter{page}\glsnumberformat}{50}
-\glossaryentry{ICDS?\glossaryentryfield{icds}{\glsnamefont{ICDS}}{IMSI Catcher Detection System}{\relax }|setentrycounter{page}\glsnumberformat}{51}
-\glossaryentry{ICDS?\glossaryentryfield{icds}{\glsnamefont{ICDS}}{IMSI Catcher Detection System}{\relax }|setentrycounter{page}\glsnumberformat}{51}
-\glossaryentry{ICDS?\glossaryentryfield{icds}{\glsnamefont{ICDS}}{IMSI Catcher Detection System}{\relax }|setentrycounter{page}\glsnumberformat}{51}
-\glossaryentry{ICDS?\glossaryentryfield{icds}{\glsnamefont{ICDS}}{IMSI Catcher Detection System}{\relax }|setentrycounter{page}\glsnumberformat}{51}
+\glossaryentry{LAC?\glossaryentryfield{lac}{\glsnamefont{LAC}}{Location Area Code}{\relax }|setentrycounter{page}\glsnumberformat}{51}
+\glossaryentry{LA?\glossaryentryfield{la}{\glsnamefont{LA}}{Location Area}{\relax }|setentrycounter{page}\glsnumberformat}{51}
+\glossaryentry{LAC?\glossaryentryfield{lac}{\glsnamefont{LAC}}{Location Area Code}{\relax }|setentrycounter{page}\glsnumberformat}{51}
+\glossaryentry{MS?\glossaryentryfield{ms}{\glsnamefont{MS}}{Mobile Station}{\relax }|setentrycounter{page}\glsnumberformat}{51}
\glossaryentry{ICDS?\glossaryentryfield{icds}{\glsnamefont{ICDS}}{IMSI Catcher Detection System}{\relax }|setentrycounter{page}\glsnumberformat}{51}
+\glossaryentry{MS?\glossaryentryfield{ms}{\glsnamefont{MS}}{Mobile Station}{\relax }|setentrycounter{page}\glsnumberformat}{51}
+\glossaryentry{LAC?\glossaryentryfield{lac}{\glsnamefont{LAC}}{Location Area Code}{\relax }|setentrycounter{page}\glsnumberformat}{51}
+\glossaryentry{PCH?\glossaryentryfield{pch}{\glsnamefont{PCH}}{Paging Channel}{\relax }|setentrycounter{page}\glsnumberformat}{51}
+\glossaryentry{IA?\glossaryentryfield{ia}{\glsnamefont{IA}}{Immediate Assignment Message}{\relax }|setentrycounter{page}\glsnumberformat}{51}
+\glossaryentry{IA?\glossaryentryfield{ia}{\glsnamefont{IA}}{Immediate Assignment Message}{\relax }|setentrycounter{page}\glsnumberformat}{51}
\glossaryentry{ICDS?\glossaryentryfield{icds}{\glsnamefont{ICDS}}{IMSI Catcher Detection System}{\relax }|setentrycounter{page}\glsnumberformat}{51}
-\glossaryentry{BTS?\glossaryentryfield{bts}{\glsnamefont{BTS}}{Base Station Transceiver}{\relax }|setentrycounter{page}\glsnumberformat}{51}
-\glossaryentry{ME?\glossaryentryfield{me}{\glsnamefont{ME}}{Mobile Equipment}{\relax }|setentrycounter{page}\glsnumberformat}{51}
-\glossaryentry{ICDS?\glossaryentryfield{icds}{\glsnamefont{ICDS}}{IMSI Catcher Detection System}{\relax }|setentrycounter{page}\glsnumberformat}{51}
-\glossaryentry{GSM?\glossaryentryfield{gsm}{\glsnamefont{GSM}}{Global System for Mobile Communications}{\relax }|setentrycounter{page}\glsnumberformat}{52}
-\glossaryentry{BCCH?\glossaryentryfield{bcch}{\glsnamefont{BCCH}}{Broadcast Channel}{\relax }|setentrycounter{page}\glsnumberformat}{52}
-\glossaryentry{PCH?\glossaryentryfield{pch}{\glsnamefont{PCH}}{Paging Channel}{\relax }|setentrycounter{page}\glsnumberformat}{52}
-\glossaryentry{MVC?\glossaryentryfield{mvc}{\glsnamefont{MVC}}{Model View Controller}{\relax }|setentrycounter{page}\glsnumberformat}{52}
-\glossaryentry{MVC?\glossaryentryfield{mvc}{\glsnamefont{MVC}}{Model View Controller}{\relax }|setentrycounter{page}\glsnumberformat}{52}
-\glossaryentry{ICDS?\glossaryentryfield{icds}{\glsnamefont{ICDS}}{IMSI Catcher Detection System}{\relax }|setentrycounter{page}\glsnumberformat}{54}
-\glossaryentry{ICDS?\glossaryentryfield{icds}{\glsnamefont{ICDS}}{IMSI Catcher Detection System}{\relax }|setentrycounter{page}\glsnumberformat}{54}
+\glossaryentry{ICDS?\glossaryentryfield{icds}{\glsnamefont{ICDS}}{IMSI Catcher Detection System}{\relax }|setentrycounter{page}\glsnumberformat}{52}
+\glossaryentry{ICDS?\glossaryentryfield{icds}{\glsnamefont{ICDS}}{IMSI Catcher Detection System}{\relax }|setentrycounter{page}\glsnumberformat}{52}
+\glossaryentry{ICDS?\glossaryentryfield{icds}{\glsnamefont{ICDS}}{IMSI Catcher Detection System}{\relax }|setentrycounter{page}\glsnumberformat}{52}
+\glossaryentry{ICDS?\glossaryentryfield{icds}{\glsnamefont{ICDS}}{IMSI Catcher Detection System}{\relax }|setentrycounter{page}\glsnumberformat}{52}
+\glossaryentry{ICDS?\glossaryentryfield{icds}{\glsnamefont{ICDS}}{IMSI Catcher Detection System}{\relax }|setentrycounter{page}\glsnumberformat}{52}
+\glossaryentry{BTS?\glossaryentryfield{bts}{\glsnamefont{BTS}}{Base Station Transceiver}{\relax }|setentrycounter{page}\glsnumberformat}{52}
+\glossaryentry{ME?\glossaryentryfield{me}{\glsnamefont{ME}}{Mobile Equipment}{\relax }|setentrycounter{page}\glsnumberformat}{52}
+\glossaryentry{ICDS?\glossaryentryfield{icds}{\glsnamefont{ICDS}}{IMSI Catcher Detection System}{\relax }|setentrycounter{page}\glsnumberformat}{52}
+\glossaryentry{GSM?\glossaryentryfield{gsm}{\glsnamefont{GSM}}{Global System for Mobile Communications}{\relax }|setentrycounter{page}\glsnumberformat}{53}
+\glossaryentry{BCCH?\glossaryentryfield{bcch}{\glsnamefont{BCCH}}{Broadcast Channel}{\relax }|setentrycounter{page}\glsnumberformat}{53}
+\glossaryentry{PCH?\glossaryentryfield{pch}{\glsnamefont{PCH}}{Paging Channel}{\relax }|setentrycounter{page}\glsnumberformat}{53}
+\glossaryentry{MVC?\glossaryentryfield{mvc}{\glsnamefont{MVC}}{Model View Controller}{\relax }|setentrycounter{page}\glsnumberformat}{53}
+\glossaryentry{MVC?\glossaryentryfield{mvc}{\glsnamefont{MVC}}{Model View Controller}{\relax }|setentrycounter{page}\glsnumberformat}{53}
\glossaryentry{ICDS?\glossaryentryfield{icds}{\glsnamefont{ICDS}}{IMSI Catcher Detection System}{\relax }|setentrycounter{page}\glsnumberformat}{54}
-\glossaryentry{BTS?\glossaryentryfield{bts}{\glsnamefont{BTS}}{Base Station Transceiver}{\relax }|setentrycounter{page}\glsnumberformat}{54}
-\glossaryentry{ARFCN?\glossaryentryfield{arfcn}{\glsnamefont{ARFCN}}{Absolute Radio Frequency Number}{\relax }|setentrycounter{page}\glsnumberformat}{56}
-\glossaryentry{ICDS?\glossaryentryfield{icds}{\glsnamefont{ICDS}}{IMSI Catcher Detection System}{\relax }|setentrycounter{page}\glsnumberformat}{56}
-\glossaryentry{BTS?\glossaryentryfield{bts}{\glsnamefont{BTS}}{Base Station Transceiver}{\relax }|setentrycounter{page}\glsnumberformat}{56}
-\glossaryentry{ICDS?\glossaryentryfield{icds}{\glsnamefont{ICDS}}{IMSI Catcher Detection System}{\relax }|setentrycounter{page}\glsnumberformat}{56}
-\glossaryentry{CSV?\glossaryentryfield{csv}{\glsnamefont{CSV}}{Comma Separated Value}{\relax }|setentrycounter{page}\glsnumberformat}{56}
-\glossaryentry{ARFCN?\glossaryentryfield{arfcn}{\glsnamefont{ARFCN}}{Absolute Radio Frequency Number}{\relax }|setentrycounter{page}\glsnumberformat}{56}
-\glossaryentry{ARFCN?\glossaryentryfield{arfcn}{\glsnamefont{ARFCN}}{Absolute Radio Frequency Number}{\relax }|setentrycounter{page}\glsnumberformat}{56}
-\glossaryentry{IA?\glossaryentryfield{ia}{\glsnamefont{IA}}{Immediate Assignment Message}{\relax }|setentrycounter{page}\glsnumberformat}{56}
-\glossaryentry{PCH?\glossaryentryfield{pch}{\glsnamefont{PCH}}{Paging Channel}{\relax }|setentrycounter{page}\glsnumberformat}{56}
-\glossaryentry{ICDS?\glossaryentryfield{icds}{\glsnamefont{ICDS}}{IMSI Catcher Detection System}{\relax }|setentrycounter{page}\glsnumberformat}{57}
-\glossaryentry{ICDS?\glossaryentryfield{icds}{\glsnamefont{ICDS}}{IMSI Catcher Detection System}{\relax }|setentrycounter{page}\glsnumberformat}{57}
+\glossaryentry{ICDS?\glossaryentryfield{icds}{\glsnamefont{ICDS}}{IMSI Catcher Detection System}{\relax }|setentrycounter{page}\glsnumberformat}{55}
+\glossaryentry{ICDS?\glossaryentryfield{icds}{\glsnamefont{ICDS}}{IMSI Catcher Detection System}{\relax }|setentrycounter{page}\glsnumberformat}{55}
+\glossaryentry{BTS?\glossaryentryfield{bts}{\glsnamefont{BTS}}{Base Station Transceiver}{\relax }|setentrycounter{page}\glsnumberformat}{55}
+\glossaryentry{ARFCN?\glossaryentryfield{arfcn}{\glsnamefont{ARFCN}}{Absolute Radio Frequency Number}{\relax }|setentrycounter{page}\glsnumberformat}{57}
\glossaryentry{ICDS?\glossaryentryfield{icds}{\glsnamefont{ICDS}}{IMSI Catcher Detection System}{\relax }|setentrycounter{page}\glsnumberformat}{57}
\glossaryentry{BTS?\glossaryentryfield{bts}{\glsnamefont{BTS}}{Base Station Transceiver}{\relax }|setentrycounter{page}\glsnumberformat}{57}
+\glossaryentry{ICDS?\glossaryentryfield{icds}{\glsnamefont{ICDS}}{IMSI Catcher Detection System}{\relax }|setentrycounter{page}\glsnumberformat}{57}
+\glossaryentry{CSV?\glossaryentryfield{csv}{\glsnamefont{CSV}}{Comma Separated Value}{\relax }|setentrycounter{page}\glsnumberformat}{57}
+\glossaryentry{ARFCN?\glossaryentryfield{arfcn}{\glsnamefont{ARFCN}}{Absolute Radio Frequency Number}{\relax }|setentrycounter{page}\glsnumberformat}{57}
\glossaryentry{ARFCN?\glossaryentryfield{arfcn}{\glsnamefont{ARFCN}}{Absolute Radio Frequency Number}{\relax }|setentrycounter{page}\glsnumberformat}{57}
+\glossaryentry{IA?\glossaryentryfield{ia}{\glsnamefont{IA}}{Immediate Assignment Message}{\relax }|setentrycounter{page}\glsnumberformat}{57}
+\glossaryentry{PCH?\glossaryentryfield{pch}{\glsnamefont{PCH}}{Paging Channel}{\relax }|setentrycounter{page}\glsnumberformat}{57}
\glossaryentry{ICDS?\glossaryentryfield{icds}{\glsnamefont{ICDS}}{IMSI Catcher Detection System}{\relax }|setentrycounter{page}\glsnumberformat}{57}
-\glossaryentry{BTS?\glossaryentryfield{bts}{\glsnamefont{BTS}}{Base Station Transceiver}{\relax }|setentrycounter{page}\glsnumberformat}{59}
-\glossaryentry{CID?\glossaryentryfield{cid}{\glsnamefont{CID}}{Cell Identity}{\relax }|setentrycounter{page}\glsnumberformat}{59}
-\glossaryentry{CID?\glossaryentryfield{cid}{\glsnamefont{CID}}{Cell Identity}{\relax }|setentrycounter{page}\glsnumberformat}{59}
-\glossaryentry{CID?\glossaryentryfield{cid}{\glsnamefont{CID}}{Cell Identity}{\relax }|setentrycounter{page}\glsnumberformat}{59}
-\glossaryentry{LAI?\glossaryentryfield{lai}{\glsnamefont{LAI}}{Location Area Identifier}{\relax }|setentrycounter{page}\glsnumberformat}{59}
-\glossaryentry{BTS?\glossaryentryfield{bts}{\glsnamefont{BTS}}{Base Station Transceiver}{\relax }|setentrycounter{page}\glsnumberformat}{59}
+\glossaryentry{ICDS?\glossaryentryfield{icds}{\glsnamefont{ICDS}}{IMSI Catcher Detection System}{\relax }|setentrycounter{page}\glsnumberformat}{57}
+\glossaryentry{ICDS?\glossaryentryfield{icds}{\glsnamefont{ICDS}}{IMSI Catcher Detection System}{\relax }|setentrycounter{page}\glsnumberformat}{58}
+\glossaryentry{BTS?\glossaryentryfield{bts}{\glsnamefont{BTS}}{Base Station Transceiver}{\relax }|setentrycounter{page}\glsnumberformat}{58}
+\glossaryentry{ARFCN?\glossaryentryfield{arfcn}{\glsnamefont{ARFCN}}{Absolute Radio Frequency Number}{\relax }|setentrycounter{page}\glsnumberformat}{58}
+\glossaryentry{ICDS?\glossaryentryfield{icds}{\glsnamefont{ICDS}}{IMSI Catcher Detection System}{\relax }|setentrycounter{page}\glsnumberformat}{58}
+\glossaryentry{BTS?\glossaryentryfield{bts}{\glsnamefont{BTS}}{Base Station Transceiver}{\relax }|setentrycounter{page}\glsnumberformat}{58}
+\glossaryentry{CID?\glossaryentryfield{cid}{\glsnamefont{CID}}{Cell Identity}{\relax }|setentrycounter{page}\glsnumberformat}{58}
+\glossaryentry{CID?\glossaryentryfield{cid}{\glsnamefont{CID}}{Cell Identity}{\relax }|setentrycounter{page}\glsnumberformat}{60}
+\glossaryentry{CID?\glossaryentryfield{cid}{\glsnamefont{CID}}{Cell Identity}{\relax }|setentrycounter{page}\glsnumberformat}{60}
+\glossaryentry{LAI?\glossaryentryfield{lai}{\glsnamefont{LAI}}{Location Area Identifier}{\relax }|setentrycounter{page}\glsnumberformat}{60}
+\glossaryentry{BTS?\glossaryentryfield{bts}{\glsnamefont{BTS}}{Base Station Transceiver}{\relax }|setentrycounter{page}\glsnumberformat}{60}
\glossaryentry{PCH?\glossaryentryfield{pch}{\glsnamefont{PCH}}{Paging Channel}{\relax }|setentrycounter{page}\glsnumberformat}{60}
\glossaryentry{ARFCN?\glossaryentryfield{arfcn}{\glsnamefont{ARFCN}}{Absolute Radio Frequency Number}{\relax }|setentrycounter{page}\glsnumberformat}{60}
\glossaryentry{ARFCN?\glossaryentryfield{arfcn}{\glsnamefont{ARFCN}}{Absolute Radio Frequency Number}{\relax }|setentrycounter{page}\glsnumberformat}{60}
\glossaryentry{PCH?\glossaryentryfield{pch}{\glsnamefont{PCH}}{Paging Channel}{\relax }|setentrycounter{page}\glsnumberformat}{60}
\glossaryentry{ARFCN?\glossaryentryfield{arfcn}{\glsnamefont{ARFCN}}{Absolute Radio Frequency Number}{\relax }|setentrycounter{page}\glsnumberformat}{60}
\glossaryentry{IA?\glossaryentryfield{ia}{\glsnamefont{IA}}{Immediate Assignment Message}{\relax }|setentrycounter{page}\glsnumberformat}{60}
-\glossaryentry{BTS?\glossaryentryfield{bts}{\glsnamefont{BTS}}{Base Station Transceiver}{\relax }|setentrycounter{page}\glsnumberformat}{60}
-\glossaryentry{ICDS?\glossaryentryfield{icds}{\glsnamefont{ICDS}}{IMSI Catcher Detection System}{\relax }|setentrycounter{page}\glsnumberformat}{60}
-\glossaryentry{ICDS?\glossaryentryfield{icds}{\glsnamefont{ICDS}}{IMSI Catcher Detection System}{\relax }|setentrycounter{page}\glsnumberformat}{60}
-\glossaryentry{MS?\glossaryentryfield{ms}{\glsnamefont{MS}}{Mobile Station}{\relax }|setentrycounter{page}\glsnumberformat}{60}
-\glossaryentry{PCH?\glossaryentryfield{pch}{\glsnamefont{PCH}}{Paging Channel}{\relax }|setentrycounter{page}\glsnumberformat}{60}
-\glossaryentry{IMEI?\glossaryentryfield{imei}{\glsnamefont{IMEI}}{International Mobile Equipment Identifier}{\relax }|setentrycounter{page}\glsnumberformat}{61}
-\glossaryentry{LAC?\glossaryentryfield{lac}{\glsnamefont{LAC}}{Location Area Code}{\relax }|setentrycounter{page}\glsnumberformat}{61}
+\glossaryentry{BTS?\glossaryentryfield{bts}{\glsnamefont{BTS}}{Base Station Transceiver}{\relax }|setentrycounter{page}\glsnumberformat}{61}
+\glossaryentry{ICDS?\glossaryentryfield{icds}{\glsnamefont{ICDS}}{IMSI Catcher Detection System}{\relax }|setentrycounter{page}\glsnumberformat}{61}
+\glossaryentry{ICDS?\glossaryentryfield{icds}{\glsnamefont{ICDS}}{IMSI Catcher Detection System}{\relax }|setentrycounter{page}\glsnumberformat}{61}
+\glossaryentry{MS?\glossaryentryfield{ms}{\glsnamefont{MS}}{Mobile Station}{\relax }|setentrycounter{page}\glsnumberformat}{61}
+\glossaryentry{PCH?\glossaryentryfield{pch}{\glsnamefont{PCH}}{Paging Channel}{\relax }|setentrycounter{page}\glsnumberformat}{61}
+\glossaryentry{IMEI?\glossaryentryfield{imei}{\glsnamefont{IMEI}}{International Mobile Equipment Identifier}{\relax }|setentrycounter{page}\glsnumberformat}{62}
+\glossaryentry{LAC?\glossaryentryfield{lac}{\glsnamefont{LAC}}{Location Area Code}{\relax }|setentrycounter{page}\glsnumberformat}{62}
\glossaryentry{ICDS?\glossaryentryfield{icds}{\glsnamefont{ICDS}}{IMSI Catcher Detection System}{\relax }|setentrycounter{page}\glsnumberformat}{63}
\glossaryentry{ICDS?\glossaryentryfield{icds}{\glsnamefont{ICDS}}{IMSI Catcher Detection System}{\relax }|setentrycounter{page}\glsnumberformat}{63}
\glossaryentry{ICDS?\glossaryentryfield{icds}{\glsnamefont{ICDS}}{IMSI Catcher Detection System}{\relax }|setentrycounter{page}\glsnumberformat}{63}
\glossaryentry{ICDS?\glossaryentryfield{icds}{\glsnamefont{ICDS}}{IMSI Catcher Detection System}{\relax }|setentrycounter{page}\glsnumberformat}{63}
\glossaryentry{GSM?\glossaryentryfield{gsm}{\glsnamefont{GSM}}{Global System for Mobile Communications}{\relax }|setentrycounter{page}\glsnumberformat}{63}
-\glossaryentry{ICDS?\glossaryentryfield{icds}{\glsnamefont{ICDS}}{IMSI Catcher Detection System}{\relax }|setentrycounter{page}\glsnumberformat}{64}
-\glossaryentry{BTS?\glossaryentryfield{bts}{\glsnamefont{BTS}}{Base Station Transceiver}{\relax }|setentrycounter{page}\glsnumberformat}{64}
+\glossaryentry{BCCH?\glossaryentryfield{bcch}{\glsnamefont{BCCH}}{Broadcast Channel}{\relax }|setentrycounter{page}\glsnumberformat}{64}
\glossaryentry{BTS?\glossaryentryfield{bts}{\glsnamefont{BTS}}{Base Station Transceiver}{\relax }|setentrycounter{page}\glsnumberformat}{64}
\glossaryentry{ICDS?\glossaryentryfield{icds}{\glsnamefont{ICDS}}{IMSI Catcher Detection System}{\relax }|setentrycounter{page}\glsnumberformat}{65}
-\glossaryentry{PCH?\glossaryentryfield{pch}{\glsnamefont{PCH}}{Paging Channel}{\relax }|setentrycounter{page}\glsnumberformat}{65}
\glossaryentry{ICDS?\glossaryentryfield{icds}{\glsnamefont{ICDS}}{IMSI Catcher Detection System}{\relax }|setentrycounter{page}\glsnumberformat}{65}
-\glossaryentry{MS?\glossaryentryfield{ms}{\glsnamefont{MS}}{Mobile Station}{\relax }|setentrycounter{page}\glsnumberformat}{66}
+\glossaryentry{PCH?\glossaryentryfield{pch}{\glsnamefont{PCH}}{Paging Channel}{\relax }|setentrycounter{page}\glsnumberformat}{66}
\glossaryentry{ICDS?\glossaryentryfield{icds}{\glsnamefont{ICDS}}{IMSI Catcher Detection System}{\relax }|setentrycounter{page}\glsnumberformat}{66}
-\glossaryentry{USRP?\glossaryentryfield{usrp}{\glsnamefont{USRP}}{Universal Software Radio Peripheral}{\relax }|setentrycounter{page}\glsnumberformat}{66}
-\glossaryentry{USRP?\glossaryentryfield{usrp}{\glsnamefont{USRP}}{Universal Software Radio Peripheral}{\relax }|setentrycounter{page}\glsnumberformat}{66}
+\glossaryentry{TMSI?\glossaryentryfield{tmsi}{\glsnamefont{TMSI}}{Temporary IMSI}{\relax }|setentrycounter{page}\glsnumberformat}{66}
+\glossaryentry{TMSI?\glossaryentryfield{tmsi}{\glsnamefont{TMSI}}{Temporary IMSI}{\relax }|setentrycounter{page}\glsnumberformat}{66}
+\glossaryentry{TMSI?\glossaryentryfield{tmsi}{\glsnamefont{TMSI}}{Temporary IMSI}{\relax }|setentrycounter{page}\glsnumberformat}{66}
+\glossaryentry{LA?\glossaryentryfield{la}{\glsnamefont{LA}}{Location Area}{\relax }|setentrycounter{page}\glsnumberformat}{66}
+\glossaryentry{LA?\glossaryentryfield{la}{\glsnamefont{LA}}{Location Area}{\relax }|setentrycounter{page}\glsnumberformat}{66}
+\glossaryentry{LAC?\glossaryentryfield{lac}{\glsnamefont{LAC}}{Location Area Code}{\relax }|setentrycounter{page}\glsnumberformat}{66}
+\glossaryentry{LAC?\glossaryentryfield{lac}{\glsnamefont{LAC}}{Location Area Code}{\relax }|setentrycounter{page}\glsnumberformat}{66}
+\glossaryentry{LAC?\glossaryentryfield{lac}{\glsnamefont{LAC}}{Location Area Code}{\relax }|setentrycounter{page}\glsnumberformat}{66}
+\glossaryentry{LA?\glossaryentryfield{la}{\glsnamefont{LA}}{Location Area}{\relax }|setentrycounter{page}\glsnumberformat}{66}
+\glossaryentry{LA?\glossaryentryfield{la}{\glsnamefont{LA}}{Location Area}{\relax }|setentrycounter{page}\glsnumberformat}{66}
+\glossaryentry{IA?\glossaryentryfield{ia}{\glsnamefont{IA}}{Immediate Assignment Message}{\relax }|setentrycounter{page}\glsnumberformat}{66}
+\glossaryentry{IA?\glossaryentryfield{ia}{\glsnamefont{IA}}{Immediate Assignment Message}{\relax }|setentrycounter{page}\glsnumberformat}{66}
+\glossaryentry{MS?\glossaryentryfield{ms}{\glsnamefont{MS}}{Mobile Station}{\relax }|setentrycounter{page}\glsnumberformat}{66}
+\glossaryentry{ARFCN?\glossaryentryfield{arfcn}{\glsnamefont{ARFCN}}{Absolute Radio Frequency Number}{\relax }|setentrycounter{page}\glsnumberformat}{67}
+\glossaryentry{MNC?\glossaryentryfield{mnc}{\glsnamefont{MNC}}{Mobile Network Code}{\relax }|setentrycounter{page}\glsnumberformat}{67}
+\glossaryentry{USRP?\glossaryentryfield{usrp}{\glsnamefont{USRP}}{Universal Software Radio Peripheral}{\relax }|setentrycounter{page}\glsnumberformat}{67}
+\glossaryentry{USRP?\glossaryentryfield{usrp}{\glsnamefont{USRP}}{Universal Software Radio Peripheral}{\relax }|setentrycounter{page}\glsnumberformat}{67}
\glossaryentry{GSM?\glossaryentryfield{gsm}{\glsnamefont{GSM}}{Global System for Mobile Communications}{\relax }|setentrycounter{page}\glsnumberformat}{67}
\glossaryentry{GSM?\glossaryentryfield{gsm}{\glsnamefont{GSM}}{Global System for Mobile Communications}{\relax }|setentrycounter{page}\glsnumberformat}{67}
\glossaryentry{ICDS?\glossaryentryfield{icds}{\glsnamefont{ICDS}}{IMSI Catcher Detection System}{\relax }|setentrycounter{page}\glsnumberformat}{67}
@@ -613,67 +629,69 @@
\glossaryentry{GSM?\glossaryentryfield{gsm}{\glsnamefont{GSM}}{Global System for Mobile Communications}{\relax }|setentrycounter{page}\glsnumberformat}{67}
\glossaryentry{VoIP?\glossaryentryfield{voip}{\glsnamefont{VoIP}}{Voice over IP}{\relax }|setentrycounter{page}\glsnumberformat}{67}
\glossaryentry{GSM?\glossaryentryfield{gsm}{\glsnamefont{GSM}}{Global System for Mobile Communications}{\relax }|setentrycounter{page}\glsnumberformat}{67}
-\glossaryentry{ICDS?\glossaryentryfield{icds}{\glsnamefont{ICDS}}{IMSI Catcher Detection System}{\relax }|setentrycounter{page}\glsnumberformat}{68}
-\glossaryentry{ARFCN?\glossaryentryfield{arfcn}{\glsnamefont{ARFCN}}{Absolute Radio Frequency Number}{\relax }|setentrycounter{page}\glsnumberformat}{68}
-\glossaryentry{ARFCN?\glossaryentryfield{arfcn}{\glsnamefont{ARFCN}}{Absolute Radio Frequency Number}{\relax }|setentrycounter{page}\glsnumberformat}{68}
-\glossaryentry{ARFCN?\glossaryentryfield{arfcn}{\glsnamefont{ARFCN}}{Absolute Radio Frequency Number}{\relax }|setentrycounter{page}\glsnumberformat}{68}
-\glossaryentry{ICDS?\glossaryentryfield{icds}{\glsnamefont{ICDS}}{IMSI Catcher Detection System}{\relax }|setentrycounter{page}\glsnumberformat}{68}
\glossaryentry{ICDS?\glossaryentryfield{icds}{\glsnamefont{ICDS}}{IMSI Catcher Detection System}{\relax }|setentrycounter{page}\glsnumberformat}{69}
+\glossaryentry{ICDS?\glossaryentryfield{icds}{\glsnamefont{ICDS}}{IMSI Catcher Detection System}{\relax }|setentrycounter{page}\glsnumberformat}{69}
+\glossaryentry{ARFCN?\glossaryentryfield{arfcn}{\glsnamefont{ARFCN}}{Absolute Radio Frequency Number}{\relax }|setentrycounter{page}\glsnumberformat}{69}
+\glossaryentry{ARFCN?\glossaryentryfield{arfcn}{\glsnamefont{ARFCN}}{Absolute Radio Frequency Number}{\relax }|setentrycounter{page}\glsnumberformat}{69}
\glossaryentry{ARFCN?\glossaryentryfield{arfcn}{\glsnamefont{ARFCN}}{Absolute Radio Frequency Number}{\relax }|setentrycounter{page}\glsnumberformat}{69}
-\glossaryentry{LAC?\glossaryentryfield{lac}{\glsnamefont{LAC}}{Location Area Code}{\relax }|setentrycounter{page}\glsnumberformat}{69}
-\glossaryentry{LAC?\glossaryentryfield{lac}{\glsnamefont{LAC}}{Location Area Code}{\relax }|setentrycounter{page}\glsnumberformat}{69}
\glossaryentry{ARFCN?\glossaryentryfield{arfcn}{\glsnamefont{ARFCN}}{Absolute Radio Frequency Number}{\relax }|setentrycounter{page}\glsnumberformat}{69}
\glossaryentry{ICDS?\glossaryentryfield{icds}{\glsnamefont{ICDS}}{IMSI Catcher Detection System}{\relax }|setentrycounter{page}\glsnumberformat}{69}
-\glossaryentry{ICDS?\glossaryentryfield{icds}{\glsnamefont{ICDS}}{IMSI Catcher Detection System}{\relax }|setentrycounter{page}\glsnumberformat}{70}
-\glossaryentry{ARFCN?\glossaryentryfield{arfcn}{\glsnamefont{ARFCN}}{Absolute Radio Frequency Number}{\relax }|setentrycounter{page}\glsnumberformat}{70}
-\glossaryentry{LAC?\glossaryentryfield{lac}{\glsnamefont{LAC}}{Location Area Code}{\relax }|setentrycounter{page}\glsnumberformat}{70}
-\glossaryentry{CID?\glossaryentryfield{cid}{\glsnamefont{CID}}{Cell Identity}{\relax }|setentrycounter{page}\glsnumberformat}{70}
-\glossaryentry{CID?\glossaryentryfield{cid}{\glsnamefont{CID}}{Cell Identity}{\relax }|setentrycounter{page}\glsnumberformat}{70}
-\glossaryentry{MS?\glossaryentryfield{ms}{\glsnamefont{MS}}{Mobile Station}{\relax }|setentrycounter{page}\glsnumberformat}{72}
-\glossaryentry{CID?\glossaryentryfield{cid}{\glsnamefont{CID}}{Cell Identity}{\relax }|setentrycounter{page}\glsnumberformat}{72}
-\glossaryentry{ICDS?\glossaryentryfield{icds}{\glsnamefont{ICDS}}{IMSI Catcher Detection System}{\relax }|setentrycounter{page}\glsnumberformat}{72}
+\glossaryentry{ARFCN?\glossaryentryfield{arfcn}{\glsnamefont{ARFCN}}{Absolute Radio Frequency Number}{\relax }|setentrycounter{page}\glsnumberformat}{71}
+\glossaryentry{CID?\glossaryentryfield{cid}{\glsnamefont{CID}}{Cell Identity}{\relax }|setentrycounter{page}\glsnumberformat}{71}
+\glossaryentry{ICDS?\glossaryentryfield{icds}{\glsnamefont{ICDS}}{IMSI Catcher Detection System}{\relax }|setentrycounter{page}\glsnumberformat}{71}
+\glossaryentry{ICDS?\glossaryentryfield{icds}{\glsnamefont{ICDS}}{IMSI Catcher Detection System}{\relax }|setentrycounter{page}\glsnumberformat}{71}
+\glossaryentry{ICDS?\glossaryentryfield{icds}{\glsnamefont{ICDS}}{IMSI Catcher Detection System}{\relax }|setentrycounter{page}\glsnumberformat}{71}
\glossaryentry{CID?\glossaryentryfield{cid}{\glsnamefont{CID}}{Cell Identity}{\relax }|setentrycounter{page}\glsnumberformat}{72}
-\glossaryentry{ICDS?\glossaryentryfield{icds}{\glsnamefont{ICDS}}{IMSI Catcher Detection System}{\relax }|setentrycounter{page}\glsnumberformat}{72}
-\glossaryentry{ICDS?\glossaryentryfield{icds}{\glsnamefont{ICDS}}{IMSI Catcher Detection System}{\relax }|setentrycounter{page}\glsnumberformat}{72}
-\glossaryentry{IA?\glossaryentryfield{ia}{\glsnamefont{IA}}{Immediate Assignment Message}{\relax }|setentrycounter{page}\glsnumberformat}{72}
-\glossaryentry{MS?\glossaryentryfield{ms}{\glsnamefont{MS}}{Mobile Station}{\relax }|setentrycounter{page}\glsnumberformat}{72}
-\glossaryentry{MS?\glossaryentryfield{ms}{\glsnamefont{MS}}{Mobile Station}{\relax }|setentrycounter{page}\glsnumberformat}{72}
\glossaryentry{BTS?\glossaryentryfield{bts}{\glsnamefont{BTS}}{Base Station Transceiver}{\relax }|setentrycounter{page}\glsnumberformat}{72}
+\glossaryentry{CID?\glossaryentryfield{cid}{\glsnamefont{CID}}{Cell Identity}{\relax }|setentrycounter{page}\glsnumberformat}{72}
\glossaryentry{ARFCN?\glossaryentryfield{arfcn}{\glsnamefont{ARFCN}}{Absolute Radio Frequency Number}{\relax }|setentrycounter{page}\glsnumberformat}{72}
-\glossaryentry{ICDS?\glossaryentryfield{icds}{\glsnamefont{ICDS}}{IMSI Catcher Detection System}{\relax }|setentrycounter{page}\glsnumberformat}{72}
\glossaryentry{LAC?\glossaryentryfield{lac}{\glsnamefont{LAC}}{Location Area Code}{\relax }|setentrycounter{page}\glsnumberformat}{72}
-\glossaryentry{ARFCN?\glossaryentryfield{arfcn}{\glsnamefont{ARFCN}}{Absolute Radio Frequency Number}{\relax }|setentrycounter{page}\glsnumberformat}{72}
\glossaryentry{CID?\glossaryentryfield{cid}{\glsnamefont{CID}}{Cell Identity}{\relax }|setentrycounter{page}\glsnumberformat}{72}
-\glossaryentry{ICDS?\glossaryentryfield{icds}{\glsnamefont{ICDS}}{IMSI Catcher Detection System}{\relax }|setentrycounter{page}\glsnumberformat}{73}
-\glossaryentry{GSM?\glossaryentryfield{gsm}{\glsnamefont{GSM}}{Global System for Mobile Communications}{\relax }|setentrycounter{page}\glsnumberformat}{73}
-\glossaryentry{ICDS?\glossaryentryfield{icds}{\glsnamefont{ICDS}}{IMSI Catcher Detection System}{\relax }|setentrycounter{page}\glsnumberformat}{73}
-\glossaryentry{BCCH?\glossaryentryfield{bcch}{\glsnamefont{BCCH}}{Broadcast Channel}{\relax }|setentrycounter{page}\glsnumberformat}{73}
-\glossaryentry{PCH?\glossaryentryfield{pch}{\glsnamefont{PCH}}{Paging Channel}{\relax }|setentrycounter{page}\glsnumberformat}{73}
-\glossaryentry{ICDS?\glossaryentryfield{icds}{\glsnamefont{ICDS}}{IMSI Catcher Detection System}{\relax }|setentrycounter{page}\glsnumberformat}{73}
-\glossaryentry{ICDS?\glossaryentryfield{icds}{\glsnamefont{ICDS}}{IMSI Catcher Detection System}{\relax }|setentrycounter{page}\glsnumberformat}{73}
-\glossaryentry{ICDS?\glossaryentryfield{icds}{\glsnamefont{ICDS}}{IMSI Catcher Detection System}{\relax }|setentrycounter{page}\glsnumberformat}{73}
-\glossaryentry{BCCH?\glossaryentryfield{bcch}{\glsnamefont{BCCH}}{Broadcast Channel}{\relax }|setentrycounter{page}\glsnumberformat}{73}
-\glossaryentry{LAC?\glossaryentryfield{lac}{\glsnamefont{LAC}}{Location Area Code}{\relax }|setentrycounter{page}\glsnumberformat}{73}
-\glossaryentry{LAC?\glossaryentryfield{lac}{\glsnamefont{LAC}}{Location Area Code}{\relax }|setentrycounter{page}\glsnumberformat}{75}
-\glossaryentry{MS?\glossaryentryfield{ms}{\glsnamefont{MS}}{Mobile Station}{\relax }|setentrycounter{page}\glsnumberformat}{75}
-\glossaryentry{ICDS?\glossaryentryfield{icds}{\glsnamefont{ICDS}}{IMSI Catcher Detection System}{\relax }|setentrycounter{page}\glsnumberformat}{75}
-\glossaryentry{PCH?\glossaryentryfield{pch}{\glsnamefont{PCH}}{Paging Channel}{\relax }|setentrycounter{page}\glsnumberformat}{75}
-\glossaryentry{IA?\glossaryentryfield{ia}{\glsnamefont{IA}}{Immediate Assignment Message}{\relax }|setentrycounter{page}\glsnumberformat}{75}
+\glossaryentry{CID?\glossaryentryfield{cid}{\glsnamefont{CID}}{Cell Identity}{\relax }|setentrycounter{page}\glsnumberformat}{72}
+\glossaryentry{MS?\glossaryentryfield{ms}{\glsnamefont{MS}}{Mobile Station}{\relax }|setentrycounter{page}\glsnumberformat}{74}
+\glossaryentry{CID?\glossaryentryfield{cid}{\glsnamefont{CID}}{Cell Identity}{\relax }|setentrycounter{page}\glsnumberformat}{74}
+\glossaryentry{ICDS?\glossaryentryfield{icds}{\glsnamefont{ICDS}}{IMSI Catcher Detection System}{\relax }|setentrycounter{page}\glsnumberformat}{74}
+\glossaryentry{CID?\glossaryentryfield{cid}{\glsnamefont{CID}}{Cell Identity}{\relax }|setentrycounter{page}\glsnumberformat}{74}
+\glossaryentry{ICDS?\glossaryentryfield{icds}{\glsnamefont{ICDS}}{IMSI Catcher Detection System}{\relax }|setentrycounter{page}\glsnumberformat}{74}
+\glossaryentry{ICDS?\glossaryentryfield{icds}{\glsnamefont{ICDS}}{IMSI Catcher Detection System}{\relax }|setentrycounter{page}\glsnumberformat}{74}
+\glossaryentry{IA?\glossaryentryfield{ia}{\glsnamefont{IA}}{Immediate Assignment Message}{\relax }|setentrycounter{page}\glsnumberformat}{74}
+\glossaryentry{MS?\glossaryentryfield{ms}{\glsnamefont{MS}}{Mobile Station}{\relax }|setentrycounter{page}\glsnumberformat}{74}
+\glossaryentry{MS?\glossaryentryfield{ms}{\glsnamefont{MS}}{Mobile Station}{\relax }|setentrycounter{page}\glsnumberformat}{74}
+\glossaryentry{BTS?\glossaryentryfield{bts}{\glsnamefont{BTS}}{Base Station Transceiver}{\relax }|setentrycounter{page}\glsnumberformat}{74}
+\glossaryentry{ARFCN?\glossaryentryfield{arfcn}{\glsnamefont{ARFCN}}{Absolute Radio Frequency Number}{\relax }|setentrycounter{page}\glsnumberformat}{74}
+\glossaryentry{ICDS?\glossaryentryfield{icds}{\glsnamefont{ICDS}}{IMSI Catcher Detection System}{\relax }|setentrycounter{page}\glsnumberformat}{74}
+\glossaryentry{LAC?\glossaryentryfield{lac}{\glsnamefont{LAC}}{Location Area Code}{\relax }|setentrycounter{page}\glsnumberformat}{74}
+\glossaryentry{ARFCN?\glossaryentryfield{arfcn}{\glsnamefont{ARFCN}}{Absolute Radio Frequency Number}{\relax }|setentrycounter{page}\glsnumberformat}{74}
+\glossaryentry{CID?\glossaryentryfield{cid}{\glsnamefont{CID}}{Cell Identity}{\relax }|setentrycounter{page}\glsnumberformat}{74}
\glossaryentry{ICDS?\glossaryentryfield{icds}{\glsnamefont{ICDS}}{IMSI Catcher Detection System}{\relax }|setentrycounter{page}\glsnumberformat}{75}
-\glossaryentry{PCH?\glossaryentryfield{pch}{\glsnamefont{PCH}}{Paging Channel}{\relax }|setentrycounter{page}\glsnumberformat}{75}
\glossaryentry{GSM?\glossaryentryfield{gsm}{\glsnamefont{GSM}}{Global System for Mobile Communications}{\relax }|setentrycounter{page}\glsnumberformat}{75}
\glossaryentry{ICDS?\glossaryentryfield{icds}{\glsnamefont{ICDS}}{IMSI Catcher Detection System}{\relax }|setentrycounter{page}\glsnumberformat}{75}
-\glossaryentry{BTS?\glossaryentryfield{bts}{\glsnamefont{BTS}}{Base Station Transceiver}{\relax }|setentrycounter{page}\glsnumberformat}{75}
-\glossaryentry{ICDS?\glossaryentryfield{icds}{\glsnamefont{ICDS}}{IMSI Catcher Detection System}{\relax }|setentrycounter{page}\glsnumberformat}{75}
-\glossaryentry{TMSI?\glossaryentryfield{tmsi}{\glsnamefont{TMSI}}{Temporary IMSI}{\relax }|setentrycounter{page}\glsnumberformat}{75}
-\glossaryentry{ICDS?\glossaryentryfield{icds}{\glsnamefont{ICDS}}{IMSI Catcher Detection System}{\relax }|setentrycounter{page}\glsnumberformat}{75}
-\glossaryentry{ICDS?\glossaryentryfield{icds}{\glsnamefont{ICDS}}{IMSI Catcher Detection System}{\relax }|setentrycounter{page}\glsnumberformat}{75}
-\glossaryentry{IA?\glossaryentryfield{ia}{\glsnamefont{IA}}{Immediate Assignment Message}{\relax }|setentrycounter{page}\glsnumberformat}{75}
+\glossaryentry{BCCH?\glossaryentryfield{bcch}{\glsnamefont{BCCH}}{Broadcast Channel}{\relax }|setentrycounter{page}\glsnumberformat}{75}
\glossaryentry{PCH?\glossaryentryfield{pch}{\glsnamefont{PCH}}{Paging Channel}{\relax }|setentrycounter{page}\glsnumberformat}{75}
-\glossaryentry{IA?\glossaryentryfield{ia}{\glsnamefont{IA}}{Immediate Assignment Message}{\relax }|setentrycounter{page}\glsnumberformat}{75}
\glossaryentry{ICDS?\glossaryentryfield{icds}{\glsnamefont{ICDS}}{IMSI Catcher Detection System}{\relax }|setentrycounter{page}\glsnumberformat}{75}
-\glossaryentry{IA?\glossaryentryfield{ia}{\glsnamefont{IA}}{Immediate Assignment Message}{\relax }|setentrycounter{page}\glsnumberformat}{75}
\glossaryentry{ICDS?\glossaryentryfield{icds}{\glsnamefont{ICDS}}{IMSI Catcher Detection System}{\relax }|setentrycounter{page}\glsnumberformat}{75}
-\glossaryentry{IA?\glossaryentryfield{ia}{\glsnamefont{IA}}{Immediate Assignment Message}{\relax }|setentrycounter{page}\glsnumberformat}{75}
-\glossaryentry{PCH?\glossaryentryfield{pch}{\glsnamefont{PCH}}{Paging Channel}{\relax }|setentrycounter{page}\glsnumberformat}{75}
-\glossaryentry{ICDS?\glossaryentryfield{icds}{\glsnamefont{ICDS}}{IMSI Catcher Detection System}{\relax }|setentrycounter{page}\glsnumberformat}{76}
+\glossaryentry{ICDS?\glossaryentryfield{icds}{\glsnamefont{ICDS}}{IMSI Catcher Detection System}{\relax }|setentrycounter{page}\glsnumberformat}{75}
+\glossaryentry{BCCH?\glossaryentryfield{bcch}{\glsnamefont{BCCH}}{Broadcast Channel}{\relax }|setentrycounter{page}\glsnumberformat}{77}
+\glossaryentry{LAC?\glossaryentryfield{lac}{\glsnamefont{LAC}}{Location Area Code}{\relax }|setentrycounter{page}\glsnumberformat}{77}
+\glossaryentry{LAC?\glossaryentryfield{lac}{\glsnamefont{LAC}}{Location Area Code}{\relax }|setentrycounter{page}\glsnumberformat}{77}
+\glossaryentry{MS?\glossaryentryfield{ms}{\glsnamefont{MS}}{Mobile Station}{\relax }|setentrycounter{page}\glsnumberformat}{77}
+\glossaryentry{ICDS?\glossaryentryfield{icds}{\glsnamefont{ICDS}}{IMSI Catcher Detection System}{\relax }|setentrycounter{page}\glsnumberformat}{77}
+\glossaryentry{PCH?\glossaryentryfield{pch}{\glsnamefont{PCH}}{Paging Channel}{\relax }|setentrycounter{page}\glsnumberformat}{77}
+\glossaryentry{ICDS?\glossaryentryfield{icds}{\glsnamefont{ICDS}}{IMSI Catcher Detection System}{\relax }|setentrycounter{page}\glsnumberformat}{77}
+\glossaryentry{PCH?\glossaryentryfield{pch}{\glsnamefont{PCH}}{Paging Channel}{\relax }|setentrycounter{page}\glsnumberformat}{77}
+\glossaryentry{GSM?\glossaryentryfield{gsm}{\glsnamefont{GSM}}{Global System for Mobile Communications}{\relax }|setentrycounter{page}\glsnumberformat}{77}
+\glossaryentry{ICDS?\glossaryentryfield{icds}{\glsnamefont{ICDS}}{IMSI Catcher Detection System}{\relax }|setentrycounter{page}\glsnumberformat}{77}
+\glossaryentry{BTS?\glossaryentryfield{bts}{\glsnamefont{BTS}}{Base Station Transceiver}{\relax }|setentrycounter{page}\glsnumberformat}{77}
+\glossaryentry{ICDS?\glossaryentryfield{icds}{\glsnamefont{ICDS}}{IMSI Catcher Detection System}{\relax }|setentrycounter{page}\glsnumberformat}{77}
+\glossaryentry{TMSI?\glossaryentryfield{tmsi}{\glsnamefont{TMSI}}{Temporary IMSI}{\relax }|setentrycounter{page}\glsnumberformat}{77}
+\glossaryentry{ICDS?\glossaryentryfield{icds}{\glsnamefont{ICDS}}{IMSI Catcher Detection System}{\relax }|setentrycounter{page}\glsnumberformat}{77}
+\glossaryentry{ICDS?\glossaryentryfield{icds}{\glsnamefont{ICDS}}{IMSI Catcher Detection System}{\relax }|setentrycounter{page}\glsnumberformat}{77}
+\glossaryentry{IA?\glossaryentryfield{ia}{\glsnamefont{IA}}{Immediate Assignment Message}{\relax }|setentrycounter{page}\glsnumberformat}{77}
+\glossaryentry{PCH?\glossaryentryfield{pch}{\glsnamefont{PCH}}{Paging Channel}{\relax }|setentrycounter{page}\glsnumberformat}{77}
+\glossaryentry{IA?\glossaryentryfield{ia}{\glsnamefont{IA}}{Immediate Assignment Message}{\relax }|setentrycounter{page}\glsnumberformat}{77}
+\glossaryentry{ICDS?\glossaryentryfield{icds}{\glsnamefont{ICDS}}{IMSI Catcher Detection System}{\relax }|setentrycounter{page}\glsnumberformat}{77}
+\glossaryentry{IA?\glossaryentryfield{ia}{\glsnamefont{IA}}{Immediate Assignment Message}{\relax }|setentrycounter{page}\glsnumberformat}{77}
+\glossaryentry{ICDS?\glossaryentryfield{icds}{\glsnamefont{ICDS}}{IMSI Catcher Detection System}{\relax }|setentrycounter{page}\glsnumberformat}{77}
+\glossaryentry{IA?\glossaryentryfield{ia}{\glsnamefont{IA}}{Immediate Assignment Message}{\relax }|setentrycounter{page}\glsnumberformat}{77}
+\glossaryentry{PCH?\glossaryentryfield{pch}{\glsnamefont{PCH}}{Paging Channel}{\relax }|setentrycounter{page}\glsnumberformat}{77}
+\glossaryentry{ICDS?\glossaryentryfield{icds}{\glsnamefont{ICDS}}{IMSI Catcher Detection System}{\relax }|setentrycounter{page}\glsnumberformat}{78}
diff --git a/Tex/Master/Master.aux b/Tex/Master/Master.aux
index fab65bc..72c5b47 100644
--- a/Tex/Master/Master.aux
+++ b/Tex/Master/Master.aux
@@ -15,30 +15,15 @@
\FN@pp@footnotehinttrue
\FN@pp@footnotehinttrue
\FN@pp@footnotehinttrue
-\citation{GSM2009}
-\citation{GSM_history2011}
-\citation{GSM_stats2011}
-\citation{GSM2009}
-\citation{kommsys2006}
-\citation{GSM2009}
-\citation{fox}
-\citation{def_catcher}
-\citation{mueller}
-\citation{osmo_wiki_c123}
-\citation{protocols1999}
\FN@pp@footnotehinttrue
\FN@pp@footnotehinttrue
\FN@pp@footnotehinttrue
-\citation{protocols1999}
-\citation{kommsys2006}
-\citation{GSM2009}
-\FN@pp@footnotehinttrue
-\FN@pp@footnotehinttrue
\FN@pp@footnotehinttrue
\FN@pp@footnotehinttrue
\citation{GSM2009}
\citation{GSM_history2011}
\citation{GSM_stats2011}
+\citation{fox}
\citation{dennis}
\FN@pp@footnotehinttrue
\FN@pp@footnotehinttrue
@@ -88,7 +73,6 @@
\newlabel{sec:ms}{{2.2.1}{8}}
\citation{GSM0207}
\citation{protocols1999}
-\citation{ISO7810}
\FN@pp@footnote@aux{3}{9}
\FN@pp@footnote@aux{4}{9}
\citation{protocols1999}
@@ -230,27 +214,27 @@
\newlabel{tab:c123_specs}{{3.1}{37}}
\@writefile{toc}{\contentsline {subsection}{\numberline {3.1.2}Motorola C123}{37}}
\newlabel{sec:osmo_phones}{{3.1.2}{37}}
-\FN@pp@footnote@aux{10}{37}
\@writefile{lof}{\contentsline {figure}{\numberline {3.1}{\ignorespaces Circuit board of the Motorola C123 with its components \cite {osmo_wiki_c123}.}}{38}}
\newlabel{fig:osmo_c123}{{3.1}{38}}
\@writefile{toc}{\contentsline {subsection}{\numberline {3.1.3}OsmocomBB and ICDS}{38}}
-\FN@pp@footnote@aux{11}{38}
+\FN@pp@footnote@aux{10}{38}
\citation{GSM2009}
\@writefile{lof}{\contentsline {figure}{\numberline {3.2}{\ignorespaces Interaction of the OsmocomBB components with the ICDS software.}}{39}}
\newlabel{fig:osmo_setup}{{3.2}{39}}
\@writefile{toc}{\contentsline {section}{\numberline {3.2}Procedure}{39}}
+\@writefile{toc}{\contentsline {subsection}{\numberline {3.2.1}Information Gathering}{39}}
+\newlabel{sec:info_gathering}{{3.2.1}{39}}
\citation{GSM2009}
\citation{GSM2009}
\citation{protocols1999}
\citation{protocols1999}
\citation{protocols1999}
+\citation{sysinfos}
\@writefile{lot}{\contentsline {table}{\numberline {3.2}{\ignorespaces Type Codes and the corresponding System Information Types \cite {GSM2009}.}}{40}}
\newlabel{tab:tc_mapping}{{3.2}{40}}
-\@writefile{toc}{\contentsline {subsection}{\numberline {3.2.1}Information Gathering}{40}}
-\newlabel{sec:info_gathering}{{3.2.1}{40}}
\@writefile{lof}{\contentsline {figure}{\numberline {3.3}{\ignorespaces System Information 2 Message \cite {protocols1999}.}}{41}}
\newlabel{fig:si1}{{3.3}{41}}
-\@writefile{lof}{\contentsline {figure}{\numberline {3.4}{\ignorespaces Procedure taken when the network has a call/text waiting for a passive subscriber.}}{43}}
+\@writefile{lof}{\contentsline {figure}{\numberline {3.4}{\ignorespaces Procedure taken when the network has a call\tmspace +\thinmuskip {.1667em}/\tmspace +\thinmuskip {.1667em}text waiting for a passive subscriber.}}{43}}
\newlabel{fig:paging}{{3.4}{43}}
\@writefile{toc}{\contentsline {subsection}{\numberline {3.2.2}Information Evaluation}{43}}
\newlabel{sec:info_evaluation}{{3.2.2}{43}}
@@ -259,72 +243,72 @@
\@writefile{toc}{\contentsline {subsubsection}{Configuration Rules}{44}}
\@writefile{lot}{\contentsline {table}{\numberline {3.4}{\ignorespaces Context Rules implemented inside the ICDS.}}{45}}
\newlabel{tab:context_rules}{{3.4}{45}}
-\FN@pp@footnote@aux{12}{45}
+\FN@pp@footnote@aux{11}{45}
\@writefile{toc}{\contentsline {subsubsection}{Context Rules}{45}}
+\citation{richy}
\@writefile{toc}{\contentsline {paragraph}{Neighbourhood Structure}{46}}
-\FN@pp@footnote@aux{13}{46}
-\FN@pp@footnote@aux{14}{46}
+\FN@pp@footnote@aux{12}{46}
\@writefile{lof}{\contentsline {figure}{\numberline {3.5}{\ignorespaces Some base stations and their neighbourhood connections at the Faculty of Engineering.}}{47}}
\newlabel{fig:neighbourhood_example}{{3.5}{47}}
\@writefile{lof}{\contentsline {figure}{\numberline {3.6}{\ignorespaces Comparison between a normal neighbourhood subgraph and a tainted one.}}{48}}
\@writefile{lof}{\contentsline {subfigure}{\numberline{(a)}{\ignorespaces {Normal neighbourhood}}}{48}}
\@writefile{lof}{\contentsline {subfigure}{\numberline{(b)}{\ignorespaces {Tainted neighbourhood}}}{48}}
\newlabel{fig:structure_comparison}{{3.6}{48}}
-\@writefile{lot}{\contentsline {table}{\numberline {3.5}{\ignorespaces Database Rules implemented inside the ICDS.}}{48}}
-\newlabel{tab:database_rules}{{3.5}{48}}
-\@writefile{toc}{\contentsline {subsubsection}{Database Rules}{48}}
+\@writefile{lot}{\contentsline {table}{\numberline {3.5}{\ignorespaces Database Rules implemented inside the ICDS.}}{49}}
+\newlabel{tab:database_rules}{{3.5}{49}}
+\@writefile{toc}{\contentsline {subsubsection}{Database Rules}{49}}
\citation{wiki_cells}
-\@writefile{lot}{\contentsline {table}{\numberline {3.6}{\ignorespaces Scan Rules implemented inside the ICDS.}}{49}}
-\newlabel{tab:scan_rules}{{3.6}{49}}
-\FN@pp@footnote@aux{15}{49}
-\FN@pp@footnote@aux{16}{49}
-\FN@pp@footnote@aux{17}{49}
-\@writefile{toc}{\contentsline {subsubsection}{Scan Rules}{49}}
-\@writefile{toc}{\contentsline {subsubsection}{Remaining Issues and Paging}{50}}
-\newlabel{sec:paging}{{3.2.2}{50}}
-\@writefile{toc}{\contentsline {subsection}{\numberline {3.2.3}Base Station Evaluation}{51}}
-\newlabel{sec:evaluators}{{3.2.3}{51}}
-\@writefile{toc}{\contentsline {section}{\numberline {3.3}Implementation}{51}}
-\newlabel{sec:icds}{{3.3}{51}}
-\@writefile{lof}{\contentsline {figure}{\numberline {3.7}{\ignorespaces System architecture of the ICDS. The arrows indicate the flow of data.}}{52}}
-\newlabel{fig:architecture}{{3.7}{52}}
+\@writefile{lot}{\contentsline {table}{\numberline {3.6}{\ignorespaces Scan Rules implemented inside the ICDS.}}{50}}
+\newlabel{tab:scan_rules}{{3.6}{50}}
+\FN@pp@footnote@aux{13}{50}
+\FN@pp@footnote@aux{14}{50}
+\FN@pp@footnote@aux{15}{50}
+\@writefile{toc}{\contentsline {subsubsection}{Scan Rules}{50}}
+\@writefile{toc}{\contentsline {subsubsection}{Remaining Issues and Paging}{51}}
+\newlabel{sec:paging}{{3.2.2}{51}}
+\@writefile{toc}{\contentsline {subsection}{\numberline {3.2.3}Base Station Evaluation}{52}}
+\newlabel{sec:evaluators}{{3.2.3}{52}}
+\@writefile{toc}{\contentsline {section}{\numberline {3.3}Implementation}{52}}
+\newlabel{sec:icds}{{3.3}{52}}
\@writefile{toc}{\contentsline {subsection}{\numberline {3.3.1}Architecture}{52}}
-\@writefile{lof}{\contentsline {figure}{\numberline {3.8}{\ignorespaces Configuration Dictionary in the settings file.}}{53}}
-\newlabel{fig:python_dict}{{3.8}{53}}
-\FN@pp@footnote@aux{18}{53}
-\FN@pp@footnote@aux{19}{53}
-\@writefile{toc}{\contentsline {subsection}{\numberline {3.3.2}Configuration}{53}}
-\newlabel{sec:configuration}{{3.3.2}{53}}
-\@writefile{toc}{\contentsline {subsection}{\numberline {3.3.3}Graphical User Interface}{54}}
-\newlabel{sec:icds_operation}{{3.3.3}{54}}
-\@writefile{lof}{\contentsline {figure}{\numberline {3.9}{\ignorespaces The ICDS main window.}}{55}}
-\newlabel{fig:icds}{{3.9}{55}}
-\@writefile{toc}{\contentsline {subsection}{\numberline {3.3.4}Usage}{57}}
-\newlabel{sec:user_mode}{{3.3.4}{57}}
-\@writefile{toc}{\contentsline {paragraph}{Conducting sweep scans:}{57}}
-\newlabel{fig:databases_window}{{3.10(a)}{58}}
-\newlabel{sub@fig:databases_window}{{(a)}{58}}
-\newlabel{fig:rules_window}{{3.10(b)}{58}}
-\newlabel{sub@fig:rules_window}{{(b)}{58}}
-\newlabel{fig:filters_window}{{3.10(c)}{58}}
-\newlabel{sub@fig:filters_window}{{(c)}{58}}
-\newlabel{fig:pch_window}{{3.10(d)}{58}}
-\newlabel{sub@fig:pch_window}{{(d)}{58}}
-\@writefile{lof}{\contentsline {figure}{\numberline {3.10}{\ignorespaces Dialogs for different settings.}}{58}}
-\@writefile{lof}{\contentsline {subfigure}{\numberline{(a)}{\ignorespaces {Databases window.}}}{58}}
-\@writefile{lof}{\contentsline {subfigure}{\numberline{(b)}{\ignorespaces {Rules window.}}}{58}}
-\@writefile{lof}{\contentsline {subfigure}{\numberline{(c)}{\ignorespaces {Filters window.}}}{58}}
-\@writefile{lof}{\contentsline {subfigure}{\numberline{(d)}{\ignorespaces {PCH scan window.}}}{58}}
-\newlabel{fig:dialogs}{{3.10}{58}}
-\@writefile{toc}{\contentsline {paragraph}{Using and obtaining Cell ID Information:}{59}}
-\@writefile{toc}{\contentsline {paragraph}{Building or using a Local Area Database:}{59}}
-\@writefile{lof}{\contentsline {figure}{\numberline {3.11}{\ignorespaces The User Mode window.}}{60}}
-\newlabel{fig:user_mode}{{3.11}{60}}
+\@writefile{lof}{\contentsline {figure}{\numberline {3.7}{\ignorespaces System architecture of the ICDS. The arrows indicate the flow of data.}}{53}}
+\newlabel{fig:architecture}{{3.7}{53}}
+\@writefile{lof}{\contentsline {figure}{\numberline {3.8}{\ignorespaces Configuration Dictionary in the settings file.}}{54}}
+\newlabel{fig:python_dict}{{3.8}{54}}
+\FN@pp@footnote@aux{16}{54}
+\FN@pp@footnote@aux{17}{54}
+\@writefile{toc}{\contentsline {subsection}{\numberline {3.3.2}Configuration}{54}}
+\newlabel{sec:configuration}{{3.3.2}{54}}
+\@writefile{toc}{\contentsline {subsection}{\numberline {3.3.3}Graphical User Interface}{55}}
+\newlabel{sec:icds_operation}{{3.3.3}{55}}
+\@writefile{lof}{\contentsline {figure}{\numberline {3.9}{\ignorespaces The ICDS main window.}}{56}}
+\newlabel{fig:icds}{{3.9}{56}}
+\@writefile{toc}{\contentsline {subsection}{\numberline {3.3.4}Usage}{58}}
+\newlabel{sec:user_mode}{{3.3.4}{58}}
+\@writefile{toc}{\contentsline {paragraph}{Conducting sweep scans:}{58}}
+\@writefile{toc}{\contentsline {paragraph}{Using and obtaining Cell ID Information:}{58}}
+\newlabel{fig:databases_window}{{3.10(a)}{59}}
+\newlabel{sub@fig:databases_window}{{(a)}{59}}
+\newlabel{fig:rules_window}{{3.10(b)}{59}}
+\newlabel{sub@fig:rules_window}{{(b)}{59}}
+\newlabel{fig:filters_window}{{3.10(c)}{59}}
+\newlabel{sub@fig:filters_window}{{(c)}{59}}
+\newlabel{fig:pch_window}{{3.10(d)}{59}}
+\newlabel{sub@fig:pch_window}{{(d)}{59}}
+\@writefile{lof}{\contentsline {figure}{\numberline {3.10}{\ignorespaces Dialogs for different settings.}}{59}}
+\@writefile{lof}{\contentsline {subfigure}{\numberline{(a)}{\ignorespaces {Databases window.}}}{59}}
+\@writefile{lof}{\contentsline {subfigure}{\numberline{(b)}{\ignorespaces {Rules window.}}}{59}}
+\@writefile{lof}{\contentsline {subfigure}{\numberline{(c)}{\ignorespaces {Filters window.}}}{59}}
+\@writefile{lof}{\contentsline {subfigure}{\numberline{(d)}{\ignorespaces {PCH scan window.}}}{59}}
+\newlabel{fig:dialogs}{{3.10}{59}}
+\@writefile{toc}{\contentsline {paragraph}{Building or using a Local Area Database:}{60}}
\@writefile{toc}{\contentsline {paragraph}{Conducting a PCH Scan:}{60}}
-\@writefile{toc}{\contentsline {paragraph}{Utilising User Mode:}{60}}
+\@writefile{lof}{\contentsline {figure}{\numberline {3.11}{\ignorespaces The User Mode window.}}{61}}
+\newlabel{fig:user_mode}{{3.11}{61}}
+\@writefile{toc}{\contentsline {paragraph}{Utilising User Mode:}{61}}
\citation{catcher_catcher}
-\@writefile{toc}{\contentsline {section}{\numberline {3.4}Related Projects}{61}}
-\FN@pp@footnote@aux{20}{61}
+\@writefile{toc}{\contentsline {section}{\numberline {3.4}Related Projects}{62}}
+\FN@pp@footnote@aux{18}{62}
\FN@pp@footnotehinttrue
\FN@pp@footnotehinttrue
\@writefile{toc}{\contentsline {chapter}{\numberline {4}Evaluation}{63}}
@@ -337,149 +321,170 @@
\@writefile{lof}{\contentsline {figure}{\numberline {4.1}{\ignorespaces Scan durations for the sample data sets.}}{64}}
\newlabel{fig:durations}{{4.1}{64}}
\@writefile{toc}{\contentsline {subsection}{\numberline {4.1.1}Scan Duration}{64}}
-\@writefile{lot}{\contentsline {table}{\numberline {4.2}{\ignorespaces Coverage for Google Mobile Maps and OpenCellID on the data sets with the time needed in s for fetching the information.}}{65}}
+\@writefile{lot}{\contentsline {table}{\numberline {4.2}{\ignorespaces Coverage for Google Mobile Maps and OpenCellID on the data sets with the time needed in seconds for fetching the information.}}{65}}
\newlabel{tab:coverage}{{4.2}{65}}
\@writefile{toc}{\contentsline {subsection}{\numberline {4.1.2}Cell ID Databases}{65}}
-\@writefile{toc}{\contentsline {subsection}{\numberline {4.1.3}PCH Scans}{65}}
-\citation{dennis}
-\@writefile{lot}{\contentsline {table}{\numberline {4.3}{\ignorespaces Number of Pagings and Immediate Assignments (per 10\tmspace +\thickmuskip {.2777em}s) for the four German providers at different locations.}}{66}}
+\@writefile{lot}{\contentsline {table}{\numberline {4.3}{\ignorespaces Number of Paging Messages and Immediate Assignments (per 10 seconds) for the four German providers at different locations.}}{66}}
\newlabel{tab:pagings}{{4.3}{66}}
-\@writefile{toc}{\contentsline {section}{\numberline {4.2}IMSI Catcher Detection}{66}}
-\@writefile{toc}{\contentsline {subsection}{\numberline {4.2.1}Open Source IMSI Catcher}{66}}
-\@writefile{lof}{\contentsline {figure}{\numberline {4.2}{\ignorespaces Open Source IMSI Catcher (left) with USRP (black) and external clock (blue) and the ICDS (right) with the Motorola C123 connected.}}{67}}
-\newlabel{fig:setup}{{4.2}{67}}
+\@writefile{toc}{\contentsline {subsection}{\numberline {4.1.3}PCH Scans}{66}}
+\citation{dennis}
+\@writefile{toc}{\contentsline {section}{\numberline {4.2}IMSI Catcher Detection}{67}}
+\@writefile{toc}{\contentsline {subsection}{\numberline {4.2.1}Open Source IMSI Catcher}{67}}
+\FN@pp@footnote@aux{19}{67}
+\FN@pp@footnote@aux{20}{67}
\FN@pp@footnote@aux{21}{67}
-\FN@pp@footnote@aux{22}{67}
-\FN@pp@footnote@aux{23}{67}
+\@writefile{lof}{\contentsline {figure}{\numberline {4.2}{\ignorespaces Open Source IMSI Catcher (left) with USRP (black) and external clock (blue) and the ICDS (right) with the Motorola C123 connected.}}{68}}
+\newlabel{fig:setup}{{4.2}{68}}
\@writefile{lof}{\contentsline {figure}{\numberline {4.3}{\ignorespaces Excerpt of a \texttt {OpenBTS.conf}.}}{68}}
\newlabel{fig:openbts_parameters}{{4.3}{68}}
-\@writefile{toc}{\contentsline {subsubsection}{Modifications to the ICDS Configuration}{68}}
-\@writefile{toc}{\contentsline {subsection}{\numberline {4.2.2}Rule Evaluation}{68}}
-\@writefile{lot}{\contentsline {table}{\numberline {4.4}{\ignorespaces Erroneous configurations for the IMSI catcher.}}{69}}
-\newlabel{tab:err_configs}{{4.4}{69}}
-\@writefile{lot}{\contentsline {table}{\numberline {4.5}{\ignorespaces Results obtained testing the \emph {rx} and \emph {LAC Change rules}.}}{70}}
-\newlabel{tab:par_change}{{4.5}{70}}
-\@writefile{toc}{\contentsline {subsection}{\numberline {4.2.3}Long-Term Test}{70}}
-\@writefile{toc}{\contentsline {subsection}{\numberline {4.2.4}Attack Scenarios}{70}}
-\@writefile{lot}{\contentsline {table}{\numberline {4.6}{\ignorespaces Results of the long-term evaluation.}}{71}}
-\newlabel{tab:longterm_test}{{4.6}{71}}
-\@writefile{lot}{\contentsline {table}{\numberline {4.7}{\ignorespaces Consistent parameter configurations in the Freiburg area for the four German providers.}}{71}}
-\newlabel{tab:consistent_parameters}{{4.7}{71}}
-\@writefile{toc}{\contentsline {subsubsection}{IMSI Catcher as a new Cell}{72}}
-\@writefile{toc}{\contentsline {subsubsection}{IMSI Catcher replacing an old Cell}{72}}
-\FN@pp@footnotehinttrue
-\FN@pp@footnotehinttrue
-\@writefile{toc}{\contentsline {chapter}{\numberline {5}Conclusion}{73}}
+\@writefile{toc}{\contentsline {subsubsection}{Modifications to the ICDS Configuration}{69}}
+\@writefile{toc}{\contentsline {subsection}{\numberline {4.2.2}Configuration and Context Rules Evaluation}{69}}
+\@writefile{lot}{\contentsline {table}{\numberline {4.4}{\ignorespaces Erroneous configurations for the IMSI catcher.}}{70}}
+\newlabel{tab:err_configs}{{4.4}{70}}
+\@writefile{lot}{\contentsline {table}{\numberline {4.5}{\ignorespaces Configuration and Context Rule results for Config 1.}}{70}}
+\newlabel{tab:config_rules_eval}{{4.5}{70}}
+\@writefile{toc}{\contentsline {subsection}{\numberline {4.2.3}Scan Rules Evaluation}{71}}
+\@writefile{toc}{\contentsline {subsection}{\numberline {4.2.4}Database Rules Evaluation}{71}}
+\@writefile{lot}{\contentsline {table}{\numberline {4.6}{\ignorespaces Results obtained testing the \emph {rx} and \emph {LAC Change rules}.}}{72}}
+\newlabel{tab:par_change}{{4.6}{72}}
+\@writefile{toc}{\contentsline {subsection}{\numberline {4.2.5}Realistic Scenarios}{72}}
+\@writefile{lot}{\contentsline {table}{\numberline {4.7}{\ignorespaces Results of the database evaluation.}}{73}}
+\newlabel{tab:longterm_test}{{4.7}{73}}
+\@writefile{lot}{\contentsline {table}{\numberline {4.8}{\ignorespaces Consistent parameter configurations in the Freiburg area for the four German providers.}}{73}}
+\newlabel{tab:consistent_parameters}{{4.8}{73}}
+\@writefile{toc}{\contentsline {subsubsection}{IMSI Catcher as a new Cell}{74}}
+\@writefile{toc}{\contentsline {subsubsection}{IMSI Catcher replacing an old Cell}{74}}
+\FN@pp@footnotehinttrue
+\FN@pp@footnotehinttrue
+\@writefile{toc}{\contentsline {chapter}{\numberline {5}Conclusion}{75}}
\@writefile{lof}{\addvspace {10\p@ }}
\@writefile{lot}{\addvspace {10\p@ }}
\@writefile{lol}{\addvspace {10\p@ }}
-\@writefile{toc}{\contentsline {section}{\numberline {5.1}Summary}{73}}
-\@writefile{lof}{\contentsline {figure}{\numberline {5.1}{\ignorespaces ICDS decision finding process outlined.}}{74}}
-\newlabel{fig:decision_process}{{5.1}{74}}
-\@writefile{toc}{\contentsline {section}{\numberline {5.2}Future Work}{75}}
+\@writefile{toc}{\contentsline {section}{\numberline {5.1}Summary}{75}}
+\@writefile{lof}{\contentsline {figure}{\numberline {5.1}{\ignorespaces ICDS decision finding process outlined.}}{76}}
+\newlabel{fig:decision_process}{{5.1}{76}}
+\@writefile{toc}{\contentsline {section}{\numberline {5.2}Future Work}{77}}
\FN@pp@footnotehinttrue
\bibstyle{acm}
\citation{*}
\bibdata{../Content/Bibliography}
-\bibcite{GSM0405}{1}
-\bibcite{GSM0406}{2}
-\bibcite{GSM0505}{3}
-\bibcite{GSM0207}{4}
-\bibcite{ISO7810}{5}
-\bibcite{gsm0502}{6}
-\bibcite{GSM23078}{7}
-\bibcite{GSM23003}{8}
+\bibcite{GSM23003}{1}
+\bibcite{GSM0405}{2}
+\bibcite{gsm0502}{3}
+\bibcite{GSM0505}{4}
+\bibcite{GSM0406}{5}
+\bibcite{sysinfos}{6}
+\bibcite{hsupa}{7}
+\bibcite{hsdpa}{8}
\bibcite{3gpp_Proposal2000}{9}
-\bibcite{GSM2009}{10}
-\bibcite{mueller}{11}
-\bibcite{fox}{12}
\FN@pp@footnotehinttrue
\FN@pp@footnotehinttrue
\FN@pp@footnotehinttrue
\FN@pp@footnotehinttrue
-\@writefile{toc}{\contentsline {chapter}{Bibliography}{77}}
-\bibcite{GSM_stats2011}{13}
-\bibcite{GSM_history2011}{14}
-\bibcite{osmo_slides}{15}
+\@writefile{toc}{\contentsline {chapter}{Bibliography}{79}}
+\bibcite{GSM2009}{10}
+\bibcite{GSM0207}{11}
+\bibcite{mueller}{12}
+\bibcite{fox}{13}
+\bibcite{GSM_stats2011}{14}
+\bibcite{GSM_history2011}{15}
\bibcite{overview1994}{16}
\bibcite{protocols1999}{17}
-\bibcite{hsdpa}{18}
-\bibcite{hsupa}{19}
-\bibcite{catcher_catcher}{20}
-\bibcite{osmo_c123}{21}
-\bibcite{osmo_wiki_c123}{22}
-\bibcite{osmo_rationale}{23}
-\bibcite{criminal_justice}{24}
-\bibcite{kommsys2006}{25}
-\bibcite{overview1996}{26}
-\bibcite{def_catcher}{27}
-\bibcite{ITU1200}{28}
-\bibcite{ITU212}{29}
-\bibcite{dennis}{30}
-\bibcite{wiki_cells}{31}
-\bibcite{imsi_wiki}{32}
-\bibcite{blacklisting}{33}
-\FN@pp@footnotehinttrue
-\FN@pp@footnotehinttrue
-\@writefile{toc}{\contentsline {chapter}{\numberline {A}GSM}{81}}
+\bibcite{catcher_catcher}{18}
+\bibcite{osmo_wiki_c123}{19}
+\bibcite{osmo_rationale}{20}
+\bibcite{def_catcher}{21}
+\bibcite{criminal_justice}{22}
+\bibcite{kommsys2006}{23}
+\bibcite{overview1996}{24}
+\bibcite{ITU1200}{25}
+\bibcite{ITU212}{26}
+\bibcite{dennis}{27}
+\bibcite{osmo_slides}{28}
+\bibcite{wiki_cells}{29}
+\bibcite{imsi_wiki}{30}
+\bibcite{blacklisting}{31}
+\FN@pp@footnotehinttrue
+\FN@pp@footnotehinttrue
+\citation{GSM2009}
+\citation{GSM_history2011}
+\citation{GSM_stats2011}
+\citation{GSM2009}
+\citation{kommsys2006}
+\citation{GSM2009}
+\citation{fox}
+\citation{def_catcher}
+\citation{mueller}
+\citation{osmo_wiki_c123}
+\citation{protocols1999}
+\FN@pp@footnotehinttrue
+\citation{protocols1999}
+\citation{kommsys2006}
+\citation{GSM2009}
+\FN@pp@footnotehinttrue
+\FN@pp@footnotehinttrue
+\FN@pp@footnotehinttrue
+\@writefile{toc}{\contentsline {chapter}{\numberline {A}GSM}{87}}
\@writefile{lof}{\addvspace {10\p@ }}
\@writefile{lot}{\addvspace {10\p@ }}
\@writefile{lol}{\addvspace {10\p@ }}
-\@writefile{toc}{\contentsline {section}{\numberline {A.1}Interfaces}{81}}
-\newlabel{sec:interfaces}{{A.1}{81}}
-\@writefile{lot}{\contentsline {table}{\numberline {A.1}{\ignorespaces Interface found in the GSM network.}}{81}}
-\@writefile{toc}{\contentsline {section}{\numberline {A.2}Channel Combinations}{82}}
-\newlabel{sec:combinations}{{A.2}{82}}
-\@writefile{lot}{\contentsline {table}{\numberline {A.2}{\ignorespaces Possible mappings of channels onto Multiframes}}{82}}
+\@writefile{toc}{\contentsline {section}{\numberline {A.1}Interfaces}{87}}
+\newlabel{sec:interfaces}{{A.1}{87}}
+\@writefile{lot}{\contentsline {table}{\numberline {A.1}{\ignorespaces Interface found in the GSM network.}}{87}}
+\@writefile{toc}{\contentsline {section}{\numberline {A.2}Channel Combinations}{88}}
+\newlabel{sec:combinations}{{A.2}{88}}
+\@writefile{lot}{\contentsline {table}{\numberline {A.2}{\ignorespaces Possible mappings of channels onto Multiframes}}{88}}
\FN@pp@footnotehinttrue
\FN@pp@footnotehinttrue
-\@writefile{toc}{\contentsline {chapter}{\numberline {B}OsmocomBB}{83}}
+\@writefile{toc}{\contentsline {chapter}{\numberline {B}OsmocomBB}{89}}
\@writefile{lof}{\addvspace {10\p@ }}
\@writefile{lot}{\addvspace {10\p@ }}
\@writefile{lol}{\addvspace {10\p@ }}
-\@writefile{toc}{\contentsline {section}{\numberline {B.1}Installation}{83}}
-\newlabel{sec:osmo_install}{{B.1}{83}}
-\@writefile{toc}{\contentsline {section}{\numberline {B.2}Usage}{84}}
-\newlabel{sec:osmo_usage}{{B.2}{84}}
-\@writefile{toc}{\contentsline {section}{\numberline {B.3}Serial Cable Schematics}{85}}
-\newlabel{sec:osmo_serial_schematics}{{B.3}{85}}
-\FN@pp@footnote@aux{24}{85}
-\@writefile{lof}{\contentsline {figure}{\numberline {B.1}{\ignorespaces Serial cable schematics.}}{85}}
+\@writefile{toc}{\contentsline {section}{\numberline {B.1}Installation}{89}}
+\newlabel{sec:osmo_install}{{B.1}{89}}
+\@writefile{toc}{\contentsline {section}{\numberline {B.2}Usage}{90}}
+\newlabel{sec:osmo_usage}{{B.2}{90}}
+\@writefile{toc}{\contentsline {section}{\numberline {B.3}Serial Cable Schematics}{91}}
+\newlabel{sec:osmo_serial_schematics}{{B.3}{91}}
+\FN@pp@footnote@aux{22}{91}
+\@writefile{lof}{\contentsline {figure}{\numberline {B.1}{\ignorespaces Serial cable schematics.}}{91}}
\FN@pp@footnotehinttrue
\FN@pp@footnotehinttrue
-\@writefile{toc}{\contentsline {chapter}{\numberline {C}IMSI Catcher Detection System}{87}}
+\@writefile{toc}{\contentsline {chapter}{\numberline {C}IMSI Catcher Detection System}{93}}
\@writefile{lof}{\addvspace {10\p@ }}
\@writefile{lot}{\addvspace {10\p@ }}
\@writefile{lol}{\addvspace {10\p@ }}
-\@writefile{toc}{\contentsline {section}{\numberline {C.1}Extextions}{87}}
-\newlabel{sec:extensions}{{C.1}{87}}
-\@writefile{toc}{\contentsline {section}{\numberline {C.2}Example Configuration}{89}}
-\newlabel{sec:example_config}{{C.2}{89}}
+\@writefile{toc}{\contentsline {section}{\numberline {C.1}Extextions}{93}}
+\newlabel{sec:extensions}{{C.1}{93}}
+\@writefile{toc}{\contentsline {section}{\numberline {C.2}Example Configuration}{95}}
+\newlabel{sec:example_config}{{C.2}{95}}
\FN@pp@footnotehinttrue
+\citation{protocols1999}
\FN@pp@footnotehinttrue
-\@writefile{toc}{\contentsline {chapter}{\numberline {D}System Information}{93}}
+\@writefile{toc}{\contentsline {chapter}{\numberline {D}System Information}{99}}
\@writefile{lof}{\addvspace {10\p@ }}
\@writefile{lot}{\addvspace {10\p@ }}
\@writefile{lol}{\addvspace {10\p@ }}
-\newlabel{sec:system_infos}{{D}{93}}
+\newlabel{sec:system_infos}{{D}{99}}
\FN@pp@footnotehinttrue
-\@writefile{lof}{\contentsline {figure}{\numberline {D.1}{\ignorespaces System Information 1 Message}}{94}}
-\@writefile{lof}{\contentsline {figure}{\numberline {D.2}{\ignorespaces System Information 2 Message}}{95}}
-\@writefile{lof}{\contentsline {figure}{\numberline {D.3}{\ignorespaces System Information 3 Message}}{96}}
-\@writefile{lof}{\contentsline {figure}{\numberline {D.4}{\ignorespaces System Information 4 Message}}{97}}
+\@writefile{lof}{\contentsline {figure}{\numberline {D.1}{\ignorespaces System Information 1 Message}}{100}}
+\@writefile{lof}{\contentsline {figure}{\numberline {D.2}{\ignorespaces System Information 2 Message}}{101}}
+\@writefile{lof}{\contentsline {figure}{\numberline {D.3}{\ignorespaces System Information 3 Message}}{102}}
+\@writefile{lof}{\contentsline {figure}{\numberline {D.4}{\ignorespaces System Information 4 Message}}{103}}
\FN@pp@footnotehinttrue
-\@writefile{toc}{\contentsline {chapter}{\numberline {E}Evaluation Data}{99}}
+\@writefile{toc}{\contentsline {chapter}{\numberline {E}Evaluation Data}{105}}
\@writefile{lof}{\addvspace {10\p@ }}
\@writefile{lot}{\addvspace {10\p@ }}
\@writefile{lol}{\addvspace {10\p@ }}
-\@writefile{toc}{\contentsline {section}{\numberline {E.1}Rx and LAC Change Test}{99}}
-\newlabel{sec:lac_change_test}{{E.1}{99}}
-\@writefile{lot}{\contentsline {table}{\numberline {E.1}{\ignorespaces Configurations used for the rx\tmspace +\thinmuskip {.1667em}/\tmspace +\thinmuskip {.1667em}LAC Change Rules test.}}{99}}
-\@writefile{toc}{\contentsline {section}{\numberline {E.2}Long Term Test}{99}}
-\newlabel{sec:long_term_test}{{E.2}{99}}
+\@writefile{toc}{\contentsline {section}{\numberline {E.1}Rx and LAC Change Test}{105}}
+\newlabel{sec:lac_change_test}{{E.1}{105}}
+\@writefile{lot}{\contentsline {table}{\numberline {E.1}{\ignorespaces Configurations used for the rx\tmspace +\thinmuskip {.1667em}/\tmspace +\thinmuskip {.1667em}LAC Change Rules test.}}{105}}
+\@writefile{toc}{\contentsline {section}{\numberline {E.2}Database Rules Test}{105}}
+\newlabel{sec:long_term_test}{{E.2}{105}}
\FN@pp@footnotehinttrue
+\@writefile{lot}{\contentsline {table}{\numberline {E.2}{\ignorespaces Configurations used for the Database Rules test.}}{106}}
\FN@pp@footnotehinttrue
-\@writefile{toc}{\contentsline {chapter}{Acronyms}{101}}
+\@writefile{toc}{\contentsline {chapter}{Acronyms}{107}}
\FN@pp@footnotehinttrue
\FN@pp@footnotehinttrue
\gdef \LT@i {\LT@entry
diff --git a/Tex/Master/Master.bbl b/Tex/Master/Master.bbl
index ffc8f74..b00fb6e 100644
--- a/Tex/Master/Master.bbl
+++ b/Tex/Master/Master.bbl
@@ -1,131 +1,138 @@
\begin{thebibliography}{10}
+\bibitem{GSM23003}
+{\sc {3GPP Technical Specification Group Core Network and Terminals}}.
+\newblock {Numbering, addressing and identification}.
+\newblock \emph{TS 23.003}, \emph{DOC file},
+ \url{http://www.3gpp.org/ftp/Specs/archive/23_series/23.003/23003-a30.zip},
+ September 2011.
+
\bibitem{GSM0405}
-Data link (dl) layer; general aspects.
-\newblock GSM 04.05,
- \url{http://www.3gpp.org/ftp/Specs/archive/04_series/04.05/0405-802.zip},
- 1999.
+{\sc {3GPP Technical Specification Group GSM/EDGE Radio Access Network}}.
+\newblock {Data link (DL) Layer: General aspects}.
+\newblock \emph{TS 04.05}, \emph{DOC file}
+ \url{http://www.3gpp.org/ftp/Specs/archive/04_series/04.05/0405-802.zip}, May
+ 2002.
-\bibitem{GSM0406}
-Mobile station - base station system (ms - bss) interface; data link (dl) layer
- specification.
-\newblock GSM 04.06,
- \url{http://www.3gpp.org/ftp/Specs/archive/04_series/04.06/0406-840.zip},
- 1999.
+\bibitem{gsm0502}
+{\sc {3GPP Technical Specification Group GSM/EDGE Radio Access Network}}.
+\newblock {Multiplexing and Multiple Access on the Radio Path}.
+\newblock \emph{TS 05.02}, \emph{DOC file}
+ \url{http://www.3gpp.org/ftp/Specs/archive/05_series/05.02/0502-8b0.zip},
+ June 2003.
\bibitem{GSM0505}
-Radio access network: Radio transmission and reception.
-\newblock GSM 05.05,
+{\sc {3GPP Technical Specification Group GSM/EDGE Radio Access Network}}.
+\newblock {Radio Access Network: Radio transmission and reception}.
+\newblock \emph{TS 05.05}, \emph{DOC file},
\url{http://www.3gpp.org/ftp/Specs/archive/05_series/05.05/0505-8k0.zip},
- 1999.
-
-\bibitem{GSM0207}
-Digital cellular telecommunications system (phase 2+): Mobile stations (ms)
- features.
-\newblock GSM 02.07,
- \url{http://www.3gpp.org/ftp/Specs/archive/02_series/02.07/0207-710.zip},
- 2000.
+ November 2005.
-\bibitem{ISO7810}
-Identification cards -- physical characteristics.
-\newblock ISO/IEC 7810:2003,
- \url{http://www.iso.org/iso/iso_catalogue/catalogue_tc/catalogue_detail.htm?%
-csnumber=31432}, 2003.
+\bibitem{GSM0406}
+{\sc {3GPP Technical Specification Group GSM/EDGE Radio Access Network}}.
+\newblock {Mobile Station - Base Station System (MS - BSS) interface: Data Link
+ (DL) layer specification}.
+\newblock \emph{TS 04.06}, \emph{DOC file},
+ \url{http://www.3gpp.org/ftp/Specs/archive/04_series/04.06/0406-840.zip},
+ December 2008.
-\bibitem{gsm0502}
-Multiplexing and multiple access on the radio path.
-\newblock GSM 05.02,
- \url{http://www.3gpp.org/ftp/Specs/archive/05_series/05.02/0502-8b0.zip},
- 2003.
+\bibitem{sysinfos}
+{\sc {3GPP Technical Specification Group GSM/EDGE Radio Access Network}}.
+\newblock {Mobile radio interface layer 3 specification: Radio Resource Control
+ (RRC) protocol}.
+\newblock \emph{TS 44.018}, \emph{DOC file},
+ \url{http://www.3gpp.org/ftp/Specs/html-info/25321.htm}, March 2012.
-\bibitem{GSM23078}
-Customised applications for mobile network enhanced logic.
-\newblock GSM 23.078,
- \url{http://www.3gpp.org/ftp/Specs/archive/23_series/23.078/23078-b00.zip},
- 2011.
+\bibitem{hsupa}
+{\sc {3GPP Technical Specification Group Radio Access Network}}.
+\newblock {Medium Access Control (MAC) protocol specification}.
+\newblock \emph{TS 25.321}, \emph{DOC file},
+ \url{http://www.3gpp.org/ftp/Specs/html-info/25321.htm}, December 2011.
-\bibitem{GSM23003}
-Numbering, addressing and identification.
-\newblock GSM 23.003,
- \url{http://www.3gpp.org/ftp/Specs/archive/23_series/23.003/23003-a30.zip},
- 2011.
+\bibitem{hsdpa}
+{\sc {3GPP Technical Specification Group Radio Access Network}}.
+\newblock {UE Radio Access capabilities}.
+\newblock \emph{TS 25.306}, \emph{DOC file},
+ \url{http://www.3gpp.org/ftp/Specs/html-info/25306.htm}, March 2012.
\bibitem{3gpp_Proposal2000}
{\sc Chaudhury, P., Mohr, W., and Onoe, S.}
-\newblock The 3gpp proposal for imt-2000.
+\newblock {The 3GPP proposal for IMT-2000}.
\newblock {\em Communications Magazine, IEEE 37}, 12 (1999), 72--81.
\bibitem{GSM2009}
{\sc Ebersp\"{a}cher, J., V\"{o}gel, H.-J., Bettstetter, C., and Hartmann, C.}
-\newblock {\em GSM -- Architecture, Protocols and Services}.
+\newblock {\em {GSM -- Architecture, Protocols and Services}}.
\newblock Wiley, 2009.
+\bibitem{GSM0207}
+{\sc ETSI}.
+\newblock {Digital cellular telecommunications system (Phase 2+): Mobile
+ Stations (MS) features}.
+\newblock \emph{TS 02.07}, \emph{DOC file},
+ \url{http://www.3gpp.org/ftp/Specs/archive/02_series/02.07/0207-710.zip},
+ March 2000.
+
\bibitem{mueller}
{\sc Federrath, H.}
-\newblock Protection in mobile communications.
+\newblock {Protection in mobile communications}.
+\newblock In {\em {Multilateral Security in Communications – Technology,
+ Infrastructure, Economy}\/} (1999), G.~M\"uller and K.~Rannenberg, Eds.,
+ Addison-Wesley-Longman, pp.~349--364.
\bibitem{fox}
{\sc Fox, D.}
-\newblock Der imsi-catcher.
+\newblock {Der IMSI-catcher}.
\newblock {\em Datenschutz und Datensicherheit 26}, 4 (2002), 212--215.
\bibitem{GSM_stats2011}
-Gsm/3g stats.
-\newblock \url{http://www.gsacom.com/news/statistics.php4}, 2011.
-\newblock [Accessed: 28/11/2011].
+{\sc {Global mobile Suppliers Association}}.
+\newblock {GSM/3g Stats}.
+\newblock \emph{WWW document},
+ \url{http://www.gsacom.com/news/statistics.php4}, [Online; Accessed 06.2012].
\bibitem{GSM_history2011}
-Brief history of gsm and the gsma.
-\newblock \url{http://www.gsm.org/about-us/history.htm}, 2011.
-\newblock [Accessed: 28/11/2011].
-
-\bibitem{osmo_slides}
-{\sc Harald~Welte, S.~M.}
-\newblock Osmocombb - running your own gsm stack on a phone.
-\newblock
- \url{http://events.ccc.de/congress/2010/Fahrplan/attachments/1771_osmocombb-%
-27c3.pdf}, 2010.
+{\sc {GSM Association}}.
+\newblock {Brief History of GSM and the GSMA}.
+\newblock \emph{WWW document}, \url{http://www.gsma.com/aboutus/history/},
+ [Online; Accessed 06.2012].
\bibitem{overview1994}
{\sc Haug, T.}
-\newblock Overview of gsm: philosophy and results.
+\newblock \emph{Overview of GSM: philosophy and results}.
\newblock {\em International Journal of Wireless Information Networks 1}, 1
(1994), 7--16.
\bibitem{protocols1999}
{\sc Heine, G.}
-\newblock {\em GSM networks: protocols, terminology, and implementation}.
+\newblock {\em {GSM networks: Protocols, Terminology, and Implementation}}.
\newblock Artech House, 1999.
-\bibitem{hsdpa}
-{UE} radio access capabilities.
-\newblock 3GPP TS 25.306,
- \url{http://www.3gpp.org/ftp/Specs/html-info/25306.htm}, 2011.
-
-\bibitem{hsupa}
-Medium access control (mac) protocol specification.
-\newblock 3GPP TS 25.321,
- \url{http://www.3gpp.org/ftp/Specs/html-info/25321.htm}, 2011.
-
\bibitem{catcher_catcher}
{\sc OsmocomBB}.
-\newblock Catcher catcher.
-\newblock \url{http://opensource.srlabs.de/projects/catcher/wiki}, 2011.
-
-\bibitem{osmo_c123}
-{\sc OsmocomBB}.
-\newblock Motorola c123.
-\newblock \url{http://en.wikipedia.org/wiki/Cell_ID}, 2012.
+\newblock {Catcher Catcher}.
+\newblock \emph{Project Wiki},
+ \url{http://opensource.srlabs.de/projects/catcher/wiki}, [Online; Accessed
+ 01.2012].
\bibitem{osmo_wiki_c123}
{\sc OsmocomBB}.
-\newblock Project rationale.
-\newblock \url{http://bb.osmocom.org/trac/wiki/ProjectRationale}, 2012.
+\newblock {Motorola C123}.
+\newblock \emph{Project Wiki},
+ \url{http://bb.osmocom.org/trac/wiki/MotorolaC123}, [Online; Accessed
+ 06.2012].
\bibitem{osmo_rationale}
{\sc OsmocomBB}.
-\newblock Project rationale.
-\newblock \url{http://bb.osmocom.org/trac/wiki/ProjectRationale}, 2012.
+\newblock {Project Rationale}.
+\newblock \emph{Project Wiki},
+ \url{http://bb.osmocom.org/trac/wiki/ProjectRationale}, [Online; Accessed
+ 06.2012].
+
+\bibitem{def_catcher}
+{\sc Ries, U.}
+\newblock {IMSI-Catcher für 1500 Euro im Eigenbau}.
+\newblock \emph{WWW document}, \url{http://heise.de/-1048919}, August 2010.
\bibitem{criminal_justice}
{\sc Safferling, C.}
@@ -135,49 +142,59 @@ Medium access control (mac) protocol specification.
\bibitem{kommsys2006}
{\sc Sauter, M.}
-\newblock {\em Grundkurs mobile Kommunikationssysteme : von UMTS, GSM und GRPS
- zu Wireless LAN und Bluetooth Piconetzen}.
+\newblock {\em {Grundkurs mobile Kommunikationssysteme : von UMTS, GSM und GRPS
+ zu Wireless LAN und Bluetooth Piconetzen}}.
\newblock Vieweg, 2006.
\bibitem{overview1996}
{\sc Scourias, J.}
-\newblock Overview of gsm: The global system for mobile communications.
-\newblock {\em University of Waterloo\/} (1996).
-
-\bibitem{def_catcher}
-{\sc Security, H.}
-\newblock Imsi-catcher für 1500 euro im eigenbau.
-\newblock
- \url{http://www.heise.de/security/meldung/IMSI-Catcher-fuer-1500-Euro-im-Eig%
-enbau-1048919.html}, 2010.
+\newblock {Overview of GSM: The global system for mobile communications}.
+\newblock \emph{University of Waterloo}, \emph{PDF file},
+ \url{http://ccnga.uwaterloo.ca/publications/pdfs/TR-96-01.pdf}, 1996.
\bibitem{ITU1200}
{\sc {Telecomunication standardization sector of ITU}}.
-\newblock Intelligent network.
-\newblock {\em SERIES Q: Switching and Signaling Q1200}, 7 (1997).
+\newblock {General series Intelligent Network Recommendation structure}.
+\newblock \emph{Recommendation Q1200}, \emph{DOC file},
+ \url{http://www.itu.int/rec/T-REC-Q.1200-199709-I/en}, September 1997.
\bibitem{ITU212}
{\sc {Telecomunication standardization sector of ITU}}.
-\newblock List of mobile country or geographical area codes, 2010.
+\newblock {List of Mobile Country or Geographical Area Codes}.
+\newblock \emph{Complements to Recommendation E.212}, \emph{PDF file},
+ \url{http://www.itu.int/itudoc/itu-t/ob-lists/icc/e212_685.html}, January
+ 2004.
\bibitem{dennis}
{\sc Wehrle, D.}
-\newblock Open source imsi catcher.
+\newblock {Open Source IMSI-Catcher}.
+\newblock \emph{Master Thesis at the Chair of Communication Systems at Freiburg
+ University}, October 2009.
+
+\bibitem{osmo_slides}
+{\sc Welte, H., and Markgraf, S.}
+\newblock {OsmocomBB - Running your own GSM stack on a phone}.
+\newblock \emph{PDF file},
+ \url{http://events.ccc.de/congress/2010/Fahrplan/attachments/1771_osmocombb-%
+27c3.pdf}, July 2010.
\bibitem{wiki_cells}
{\sc Wikipedia}.
-\newblock Cell id.
-\newblock \url{http://bb.osmocom.org/trac/wiki/MotorolaC123}, 2012.
+\newblock {Cell ID}.
+\newblock \emph{WWW document}, \url{http://en.wikipedia.org/wiki/Cell_ID},
+ [Online; Accessed 02.2012].
\bibitem{imsi_wiki}
{\sc Wikipedia}.
-\newblock Equipment identity register.
-\newblock \url{http://de.wikipedia.org/wiki/IMSI-Catcher}, 2012.
+\newblock {IMSI-Catcher}.
+\newblock \emph{WWW document}, \url{http://de.wikipedia.org/wiki/IMSI-Catcher},
+ [Online; Accessed 02.2012].
\bibitem{blacklisting}
{\sc Wikipedia}.
-\newblock Equipment identity register.
-\newblock
- \url{http://en.wikipedia.org/wiki/Central_Equipment_Identity_Register}, 2012.
+\newblock {Equipment Identity Register}.
+\newblock \emph{WWW document},
+ \url{http://en.wikipedia.org/wiki/Central_Equipment_Identity_Register},
+ [Online; Accessed 06.2012].
\end{thebibliography}
diff --git a/Tex/Master/Master.blg b/Tex/Master/Master.blg
index b72852f..d53ac52 100644
--- a/Tex/Master/Master.blg
+++ b/Tex/Master/Master.blg
@@ -2,56 +2,47 @@ This is BibTeX, Version 0.99c (TeX Live 2009/Debian)
The top-level auxiliary file: Master.aux
The style file: acm.bst
Database file #1: ../Content/Bibliography.bib
-Warning--to sort, need author or key in GSM0207
-Warning--to sort, need author or key in ISO7810
-Warning--to sort, need author or key in GSM23003
-Warning--to sort, need author or key in gsm0502
-Warning--to sort, need author or key in GSM0405
-Warning--to sort, need author or key in GSM0406
-Warning--to sort, need author or key in GSM0505
-Warning--to sort, need author or key in GSM23078
+Warning--I didn't find a database entry for "syinfos"
Warning--can't use both author and editor fields in GSM2009
-Warning--empty journal in mueller
-Warning--empty journal in dennis
-You've used 33 entries,
+You've used 31 entries,
2253 wiz_defined-function locations,
- 692 strings with 7884 characters,
-and the built_in function-call counts, 6854 in all, are:
-= -- 655
-> -- 184
+ 693 strings with 8872 characters,
+and the built_in function-call counts, 7427 in all, are:
+= -- 699
+> -- 255
< -- 0
-+ -- 86
-- -- 52
-* -- 344
-:= -- 1043
-add.period$ -- 86
-call.type$ -- 33
-change.case$ -- 126
++ -- 107
+- -- 76
+* -- 396
+:= -- 1212
+add.period$ -- 93
+call.type$ -- 31
+change.case$ -- 127
chr.to.int$ -- 0
-cite$ -- 44
-duplicate$ -- 273
-empty$ -- 745
-format.name$ -- 52
-if$ -- 1518
+cite$ -- 32
+duplicate$ -- 283
+empty$ -- 746
+format.name$ -- 76
+if$ -- 1596
int.to.chr$ -- 0
-int.to.str$ -- 33
-missing$ -- 14
-newline$ -- 155
-num.names$ -- 42
-pop$ -- 223
+int.to.str$ -- 31
+missing$ -- 11
+newline$ -- 158
+num.names$ -- 64
+pop$ -- 227
preamble$ -- 1
-purify$ -- 96
+purify$ -- 99
quote$ -- 0
-skip$ -- 215
+skip$ -- 218
stack$ -- 0
-substring$ -- 257
-swap$ -- 53
+substring$ -- 278
+swap$ -- 71
text.length$ -- 0
text.prefix$ -- 0
top$ -- 0
-type$ -- 126
-warning$ -- 11
-while$ -- 50
-width$ -- 35
-write$ -- 302
-(There were 11 warnings)
+type$ -- 118
+warning$ -- 1
+while$ -- 74
+width$ -- 33
+write$ -- 314
+(There were 2 warnings)
diff --git a/Tex/Master/Master.dvi b/Tex/Master/Master.dvi
index cc9953d..cf04416 100644
--- a/Tex/Master/Master.dvi
+++ b/Tex/Master/Master.dvi
Binary files differ
diff --git a/Tex/Master/Master.ist b/Tex/Master/Master.ist
index 8f2e7d6..b111f6b 100644
--- a/Tex/Master/Master.ist
+++ b/Tex/Master/Master.ist
@@ -1,5 +1,5 @@
% makeindex style file created by the glossaries package
-% for document 'Master' on 2012-6-6
+% for document 'Master' on 2012-6-10
actual '?'
encap '|'
level '!'
diff --git a/Tex/Master/Master.lof b/Tex/Master/Master.lof
index 4febf20..97c492b 100644
--- a/Tex/Master/Master.lof
+++ b/Tex/Master/Master.lof
@@ -18,33 +18,33 @@
\contentsline {figure}{\numberline {3.1}{\ignorespaces Circuit board of the Motorola C123 with its components \cite {osmo_wiki_c123}.}}{38}
\contentsline {figure}{\numberline {3.2}{\ignorespaces Interaction of the OsmocomBB components with the ICDS software.}}{39}
\contentsline {figure}{\numberline {3.3}{\ignorespaces System Information 2 Message \cite {protocols1999}.}}{41}
-\contentsline {figure}{\numberline {3.4}{\ignorespaces Procedure taken when the network has a call/text waiting for a passive subscriber.}}{43}
+\contentsline {figure}{\numberline {3.4}{\ignorespaces Procedure taken when the network has a call\tmspace +\thinmuskip {.1667em}/\tmspace +\thinmuskip {.1667em}text waiting for a passive subscriber.}}{43}
\contentsline {figure}{\numberline {3.5}{\ignorespaces Some base stations and their neighbourhood connections at the Faculty of Engineering.}}{47}
\contentsline {figure}{\numberline {3.6}{\ignorespaces Comparison between a normal neighbourhood subgraph and a tainted one.}}{48}
\contentsline {subfigure}{\numberline {(a)}{\ignorespaces {Normal neighbourhood}}}{48}
\contentsline {subfigure}{\numberline {(b)}{\ignorespaces {Tainted neighbourhood}}}{48}
-\contentsline {figure}{\numberline {3.7}{\ignorespaces System architecture of the ICDS. The arrows indicate the flow of data.}}{52}
-\contentsline {figure}{\numberline {3.8}{\ignorespaces Configuration Dictionary in the settings file.}}{53}
-\contentsline {figure}{\numberline {3.9}{\ignorespaces The ICDS main window.}}{55}
-\contentsline {figure}{\numberline {3.10}{\ignorespaces Dialogs for different settings.}}{58}
-\contentsline {subfigure}{\numberline {(a)}{\ignorespaces {Databases window.}}}{58}
-\contentsline {subfigure}{\numberline {(b)}{\ignorespaces {Rules window.}}}{58}
-\contentsline {subfigure}{\numberline {(c)}{\ignorespaces {Filters window.}}}{58}
-\contentsline {subfigure}{\numberline {(d)}{\ignorespaces {PCH scan window.}}}{58}
-\contentsline {figure}{\numberline {3.11}{\ignorespaces The User Mode window.}}{60}
+\contentsline {figure}{\numberline {3.7}{\ignorespaces System architecture of the ICDS. The arrows indicate the flow of data.}}{53}
+\contentsline {figure}{\numberline {3.8}{\ignorespaces Configuration Dictionary in the settings file.}}{54}
+\contentsline {figure}{\numberline {3.9}{\ignorespaces The ICDS main window.}}{56}
+\contentsline {figure}{\numberline {3.10}{\ignorespaces Dialogs for different settings.}}{59}
+\contentsline {subfigure}{\numberline {(a)}{\ignorespaces {Databases window.}}}{59}
+\contentsline {subfigure}{\numberline {(b)}{\ignorespaces {Rules window.}}}{59}
+\contentsline {subfigure}{\numberline {(c)}{\ignorespaces {Filters window.}}}{59}
+\contentsline {subfigure}{\numberline {(d)}{\ignorespaces {PCH scan window.}}}{59}
+\contentsline {figure}{\numberline {3.11}{\ignorespaces The User Mode window.}}{61}
\addvspace {10\p@ }
\contentsline {figure}{\numberline {4.1}{\ignorespaces Scan durations for the sample data sets.}}{64}
-\contentsline {figure}{\numberline {4.2}{\ignorespaces Open Source IMSI Catcher (left) with USRP (black) and external clock (blue) and the ICDS (right) with the Motorola C123 connected.}}{67}
+\contentsline {figure}{\numberline {4.2}{\ignorespaces Open Source IMSI Catcher (left) with USRP (black) and external clock (blue) and the ICDS (right) with the Motorola C123 connected.}}{68}
\contentsline {figure}{\numberline {4.3}{\ignorespaces Excerpt of a \texttt {OpenBTS.conf}.}}{68}
\addvspace {10\p@ }
-\contentsline {figure}{\numberline {5.1}{\ignorespaces ICDS decision finding process outlined.}}{74}
+\contentsline {figure}{\numberline {5.1}{\ignorespaces ICDS decision finding process outlined.}}{76}
\addvspace {10\p@ }
\addvspace {10\p@ }
-\contentsline {figure}{\numberline {B.1}{\ignorespaces Serial cable schematics.}}{85}
+\contentsline {figure}{\numberline {B.1}{\ignorespaces Serial cable schematics.}}{91}
\addvspace {10\p@ }
\addvspace {10\p@ }
-\contentsline {figure}{\numberline {D.1}{\ignorespaces System Information 1 Message}}{94}
-\contentsline {figure}{\numberline {D.2}{\ignorespaces System Information 2 Message}}{95}
-\contentsline {figure}{\numberline {D.3}{\ignorespaces System Information 3 Message}}{96}
-\contentsline {figure}{\numberline {D.4}{\ignorespaces System Information 4 Message}}{97}
+\contentsline {figure}{\numberline {D.1}{\ignorespaces System Information 1 Message}}{100}
+\contentsline {figure}{\numberline {D.2}{\ignorespaces System Information 2 Message}}{101}
+\contentsline {figure}{\numberline {D.3}{\ignorespaces System Information 3 Message}}{102}
+\contentsline {figure}{\numberline {D.4}{\ignorespaces System Information 4 Message}}{103}
\addvspace {10\p@ }
diff --git a/Tex/Master/Master.log b/Tex/Master/Master.log
index c408a2f..1d77bca 100644
--- a/Tex/Master/Master.log
+++ b/Tex/Master/Master.log
@@ -1,4 +1,4 @@
-This is pdfTeX, Version 3.1415926-1.40.10 (TeX Live 2009/Debian) (format=pdflatex 2012.1.7) 6 JUN 2012 21:38
+This is pdfTeX, Version 3.1415926-1.40.10 (TeX Live 2009/Debian) (format=pdflatex 2012.1.7) 10 JUN 2012 18:18
entering extended mode
%&-line parsing enabled.
**Master.tex
@@ -1000,17 +1000,17 @@ File: ../Images/unisiegel.pdf Graphic file (type pdf)
<use ../Images/unisiegel.pdf>
LaTeX Font Info: Font shape `T1/ptm/bx/sc' in size <20.74> not available
(Font) Font shape `T1/ptm/b/sc' tried instead on input line 18.
-LaTeX Font Info: Try loading font information for U+msa on input line 27.
+LaTeX Font Info: Try loading font information for U+msa on input line 28.
(/usr/share/texmf-texlive/tex/latex/amsfonts/umsa.fd
File: umsa.fd 2009/06/22 v3.00 AMS symbols A
)
-LaTeX Font Info: Try loading font information for U+msb on input line 27.
+LaTeX Font Info: Try loading font information for U+msb on input line 28.
(/usr/share/texmf-texlive/tex/latex/amsfonts/umsb.fd
File: umsb.fd 2009/06/22 v3.00 AMS symbols B
)
-LaTeX Font Info: Try loading font information for U+esvect on input line 27.
+LaTeX Font Info: Try loading font information for U+esvect on input line 28.
(/usr/share/texmf-texlive/tex/latex/esvect/uesvect.fd
@@ -1037,50 +1037,28 @@ Underfull \hbox (badness 10000) in paragraph at lines 1--5
[]
-) [1] (../Content/Acknowledgements.tex
+) [1] (../Content/Abstract.tex
LaTeX Font Info: Font shape `T1/ptm/bx/n' in size <10.95> not available
(Font) Font shape `T1/ptm/b/n' tried instead on input line 2.
-) [2
-
-] (../Content/Abstract.tex)
-(../Content/Disclaimer.tex) [3
-] [4
+(/usr/share/texmf-texlive/tex/latex/ucs/data/uni-0.def
+File: uni-0.def 2004/10/17 UCS: Unicode data U+0000..U+00FF
+) [2
+]) [3]
+(../Content/Acknowledgements.tex) [4
+] [5
-]
-LaTeX Font Info: Try loading font information for T1+phv on input line 149.
+] (../Content/Dedication.tex) [6]
+LaTeX Font Info: Try loading font information for T1+phv on input line 143.
(/usr/share/texmf-texlive/tex/latex/psnfss/t1phv.fd
File: t1phv.fd 2001/06/04 scalable font definitions for T1/phv.
)
LaTeX Font Info: Font shape `T1/phv/bx/n' in size <10.95> not available
-(Font) Font shape `T1/phv/b/n' tried instead on input line 149.
- (./Master.lof
-LaTeX Font Info: Try loading font information for T1+pcr on input line 38.
-
-(/usr/share/texmf-texlive/tex/latex/psnfss/t1pcr.fd
-File: t1pcr.fd 2001/06/04 font definitions for T1/pcr.
-) [5
-
-
-])
-\tf@lof=\write8
-\openout8 = `Master.lof'.
-
- [6] (./Master.lot)
-\tf@lot=\write9
-\openout9 = `Master.lot'.
-
-
-[7
-
-
-] [8
-
-
-] (./Master.toc
+(Font) Font shape `T1/phv/b/n' tried instead on input line 143.
+ (./Master.toc
Class scrbook Info: You've told me to use the font selection of the element
(scrbook) `sectioning' that is an alias of element `disposition'
(scrbook) on input line 2.
@@ -1090,39 +1068,47 @@ Class scrbook Info: You've told me to use the font selection of the element
Class scrbook Info: You've told me to use the font selection of the element
(scrbook) `sectioning' that is an alias of element `disposition'
(scrbook) on input line 39.
- [9]
+ [7
+
+
+
+
+
+
+]
Class scrbook Info: You've told me to use the font selection of the element
(scrbook) `sectioning' that is an alias of element `disposition'
(scrbook) on input line 66.
Class scrbook Info: You've told me to use the font selection of the element
(scrbook) `sectioning' that is an alias of element `disposition'
-(scrbook) on input line 79.
-Class scrbook Info: You've told me to use the font selection of the element
-(scrbook) `sectioning' that is an alias of element `disposition'
-(scrbook) on input line 82.
+(scrbook) on input line 80.
Class scrbook Info: You've told me to use the font selection of the element
(scrbook) `sectioning' that is an alias of element `disposition'
(scrbook) on input line 83.
Class scrbook Info: You've told me to use the font selection of the element
(scrbook) `sectioning' that is an alias of element `disposition'
-(scrbook) on input line 86.
+(scrbook) on input line 84.
Class scrbook Info: You've told me to use the font selection of the element
(scrbook) `sectioning' that is an alias of element `disposition'
-(scrbook) on input line 90.
+(scrbook) on input line 87.
Class scrbook Info: You've told me to use the font selection of the element
(scrbook) `sectioning' that is an alias of element `disposition'
-(scrbook) on input line 93.
+(scrbook) on input line 91.
Class scrbook Info: You've told me to use the font selection of the element
(scrbook) `sectioning' that is an alias of element `disposition'
(scrbook) on input line 94.
Class scrbook Info: You've told me to use the font selection of the element
(scrbook) `sectioning' that is an alias of element `disposition'
-(scrbook) on input line 97.
+(scrbook) on input line 95.
+Class scrbook Info: You've told me to use the font selection of the element
+(scrbook) `sectioning' that is an alias of element `disposition'
+(scrbook) on input line 98.
)
-\tf@toc=\write10
-\openout10 = `Master.toc'.
+\tf@toc=\write8
+\openout8 = `Master.toc'.
+
- [10] (../Content/Motivation.tex
+[8] (../Content/Motivation.tex
Chapter 1.
Class scrbook Warning: \float@addtolists detected!
@@ -1139,26 +1125,19 @@ LaTeX Font Info: Font shape `T1/ptm/bx/n' in size <14.4> not available
-]
+] [2]
+LaTeX Font Info: Try loading font information for T1+pcr on input line 59.
+ (/usr/share/texmf-texlive/tex/latex/psnfss/t1pcr.fd
+File: t1pcr.fd 2001/06/04 font definitions for T1/pcr.
+)
LaTeX Font Info: Font shape `T1/pcr/bx/n' in size <10.95> not available
-(Font) Font shape `T1/pcr/b/n' tried instead on input line 60.
-
-Overfull \hbox (4.57838pt too wide) in paragraph at lines 53--65
-\T1/ptm/m/n/10.95 ment. Im-por-tant words or com-po-nents of the []ICDS are pri
-nted \T1/ptm/m/it/10.95 em-pha-sised\T1/ptm/m/n/10.95 . \T1/pcr/m/n/10.95 Typew
-riter
- []
+(Font) Font shape `T1/pcr/b/n' tried instead on input line 64.
-
-Underfull \hbox (badness 10000) in paragraph at lines 53--65
+Underfull \hbox (badness 10000) in paragraph at lines 57--69
[]
-
-Underfull \vbox (badness 1005) has occurred while \output is active []
-
- [2])
-(../Content/GSM_short.tex [3] [4
+) (../Content/GSM_short.tex [3] [4
]
@@ -1171,7 +1150,7 @@ File: omsptm.fd
LaTeX Font Info: Font shape `OMS/ptm/m/n' in size <10.95> not available
(Font) Font shape `OMS/cmsy/m/n' tried instead on input line 33.
[6]
-<../Images/Architecture.png, id=76, 370.45602pt x 204.81319pt>
+<../Images/Architecture.png, id=70, 370.45602pt x 204.81319pt>
File: ../Images/Architecture.png Graphic file (type png)
<use ../Images/Architecture.png> [7]
@@ -1181,398 +1160,364 @@ LaTeX Font Info: Font shape `T1/ptm/bx/n' in size <12> not available
Underfull \vbox (badness 2285) has occurred while \output is active []
[12]
-<../Images/Authentication.png, id=97, 359.1819pt x 323.0469pt>
+<../Images/Authentication.png, id=91, 359.1819pt x 323.0469pt>
File: ../Images/Authentication.png Graphic file (type png)
<use ../Images/Authentication.png>
Underfull \vbox (badness 6808) has occurred while \output is active []
[13 <../Images/Authentication.png (PNG copy)>] [14]
-<../Images/Mapping.png, id=105, 337.28409pt x 115.19838pt>
+<../Images/Mapping.png, id=98, 337.28409pt x 115.19838pt>
File: ../Images/Mapping.png Graphic file (type png)
<use ../Images/Mapping.png> [15 <../Images/Mapping.png (PNG copy)>] [16]
-<../Images/Cells.png, id=112, 98.72083pt x 88.8921pt>
+<../Images/Cells.png, id=106, 98.72083pt x 88.8921pt>
File: ../Images/Cells.png Graphic file (type png)
<use ../Images/Cells.png>
-<../Images/real_Cells.PNG, id=113, 743.02594pt x 496.10344pt>
+<../Images/real_Cells.PNG, id=107, 743.02594pt x 496.10344pt>
File: ../Images/real_Cells.PNG Graphic file (type png)
<use ../Images/real_Cells.PNG> [17 <../Images/Cells.png (PNG copy)> <../Images/
real_Cells.PNG>] [18]
-<../Images/Cipher.png, id=123, 387.72855pt x 131.02551pt>
+<../Images/Cipher.png, id=117, 387.72855pt x 131.02551pt>
File: ../Images/Cipher.png Graphic file (type png)
<use ../Images/Cipher.png>
Underfull \vbox (badness 2495) has occurred while \output is active []
[19 <../Images/Cipher.png (PNG copy)>] [20]
-<../Images/TDMAFDMA.png, id=132, 254.53494pt x 133.33815pt>
+<../Images/TDMAFDMA.png, id=125, 254.53494pt x 133.33815pt>
File: ../Images/TDMAFDMA.png Graphic file (type png)
<use ../Images/TDMAFDMA.png>
-<../Images/Frames.png, id=133, 331.28568pt x 291.39264pt>
+<../Images/Frames.png, id=126, 331.28568pt x 291.39264pt>
File: ../Images/Frames.png Graphic file (type png)
<use ../Images/Frames.png>
-<../Images/Bursts.png, id=134, 371.90141pt x 134.78355pt>
+<../Images/Bursts.png, id=127, 371.90141pt x 134.78355pt>
File: ../Images/Bursts.png Graphic file (type png)
<use ../Images/Bursts.png> [21 <../Images/TDMAFDMA.png (PNG copy)>] [22 <../Ima
ges/Frames.png (PNG copy)> <../Images/Bursts.png (PNG copy)>] [23]
-<../Images/Channels.png, id=144, 272.60245pt x 169.47314pt>
+<../Images/Channels.png, id=138, 272.60245pt x 169.47314pt>
File: ../Images/Channels.png Graphic file (type png)
<use ../Images/Channels.png> [24 <../Images/Channels.png (PNG copy)>] [25]
-[26] <../Images/imsi_catcher.jpg, id=155, 280.15778pt x 225.73222pt>
+[26] <../Images/imsi_catcher.jpg, id=148, 280.15778pt x 225.73222pt>
File: ../Images/imsi_catcher.jpg Graphic file (type jpg)
<use ../Images/imsi_catcher.jpg>
-<../Images/usrp.jpg, id=156, 1204.5pt x 844.65562pt>
+<../Images/usrp.jpg, id=149, 1204.5pt x 844.65562pt>
File: ../Images/usrp.jpg Graphic file (type jpg)
<use ../Images/usrp.jpg>
-[27] <../Images/catcher_attack.png, id=161, 321.52924pt x 277.08318pt>
+[27] <../Images/catcher_attack.png, id=155, 321.52924pt x 277.08318pt>
File: ../Images/catcher_attack.png Graphic file (type png)
<use ../Images/catcher_attack.png> [28 <../Images/imsi_catcher.jpg> <../Images/
usrp.jpg>] [29 <../Images/catcher_attack.png (PNG copy)>]
-<../Images/replace_attack.png, id=168, 356.94153pt x 162.67976pt>
+<../Images/replace_attack.png, id=162, 356.94153pt x 162.67976pt>
File: ../Images/replace_attack.png Graphic file (type png)
<use ../Images/replace_attack.png> [30]
Underfull \vbox (badness 10000) has occurred while \output is active []
- [31 <../Images/replace_attack.png (PNG copy)>]
-(/usr/share/texmf-texlive/tex/latex/ucs/data/uni-0.def
-File: uni-0.def 2004/10/17 UCS: Unicode data U+0000..U+00FF
-) [32])
-(../Content/Detection.tex [33] [34
+ [31 <../Images/replace_attack.png (PNG copy)>] [32]) (../Content/Detection.tex
+ [33]
+[34
]
Chapter 3.
-[35] <../Images/c123_pcb.png, id=188, 1284.8pt x 790.955pt>
+[35] <../Images/c123_pcb.png, id=182, 1284.8pt x 790.955pt>
File: ../Images/c123_pcb.png Graphic file (type png)
<use ../Images/c123_pcb.png> [36] [37]
-<../Images/OsmoStructure.png, id=196, 387.00584pt x 79.13565pt>
+<../Images/OsmoStructure.png, id=189, 387.00584pt x 79.13565pt>
File: ../Images/OsmoStructure.png Graphic file (type png)
<use ../Images/OsmoStructure.png> [38 <../Images/c123_pcb.png (PNG copy)>]
-Underfull \vbox (badness 1694) has occurred while \output is active []
+[39 <../Images/OsmoStructure.png (PNG copy)>]
+<../Images/sysinfo2marked.png, id=197, 261.32832pt x 440.55792pt>
+File: ../Images/sysinfo2marked.png Graphic file (type png)
- [39 <../Images/OsmoStructure.png (PNG copy)>]
-<../Images/sysinfo2.png, id=203, 261.32832pt x 440.55792pt>
-File: ../Images/sysinfo2.png Graphic file (type png)
-
-<use ../Images/sysinfo2.png>
-
-LaTeX Warning: Float too large for page by 61.98238pt on input line 180.
-
-[40] [41 <../Images/sysinfo2.png (PNG copy)>]
-<../Images/Paging.png, id=210, 167.95547pt x 144.61227pt>
+<use ../Images/sysinfo2marked.png> [40] [41 <../Images/sysinfo2marked.png (PNG
+copy)>] <../Images/Paging.png, id=204, 167.95547pt x 144.61227pt>
File: ../Images/Paging.png Graphic file (type png)
<use ../Images/Paging.png> [42] [43 <../Images/Paging.png (PNG copy)>] [44]
-[45] <../Images/neighbourhoods_fak.png, id=224, 1829.83624pt x 2708.1175pt>
+[45] <../Images/neighbourhoods_fak.png, id=218, 1829.83624pt x 2708.1175pt>
File: ../Images/neighbourhoods_fak.png Graphic file (type png)
<use ../Images/neighbourhoods_fak.png>
LaTeX Warning: Float too large for page by 3.59608pt on input line 329.
+
+LaTeX Warning: Citation `richy' on page 46 undefined on input line 341.
+
LaTeX Font Info: Font shape `T1/phv/bx/n' in size <14.4> not available
-(Font) Font shape `T1/phv/b/n' tried instead on input line 365.
+(Font) Font shape `T1/phv/b/n' tried instead on input line 366.
[46] [47 <../Images/neighbourhoods_fak.png (PNG copy)>] [48] [49] [50] [51]
-<../Images/Architecture_software.png, id=245, 341.76483pt x 182.91537pt>
+<../Images/Architecture_software.png, id=239, 341.76483pt x 182.91537pt>
File: ../Images/Architecture_software.png Graphic file (type png)
-<use ../Images/Architecture_software.png> [52 <../Images/Architecture_software.
-png (PNG copy)>]
+<use ../Images/Architecture_software.png> [52] [53 <../Images/Architecture_soft
+ware.png (PNG copy)>]
LaTeX Font Info: Font shape `T1/pcr/m/it' in size <10.95> not available
-(Font) Font shape `T1/pcr/m/sl' tried instead on input line 580.
- [53] <../Images/ICDS.png, id=253, 1325.95375pt x 864.22874pt>
+(Font) Font shape `T1/pcr/m/sl' tried instead on input line 600.
+ [54]
+<../Images/ICDS.png, id=250, 1325.95375pt x 864.22874pt>
File: ../Images/ICDS.png Graphic file (type png)
-<use ../Images/ICDS.png> [54] [55 <../Images/ICDS.png (PNG copy)>] [56]
-<../Images/databases_window.png, id=264, 366.36874pt x 459.7175pt>
+<use ../Images/ICDS.png> [55] [56 <../Images/ICDS.png (PNG copy)>] [57]
+<../Images/databases_window.png, id=261, 366.36874pt x 459.7175pt>
File: ../Images/databases_window.png Graphic file (type png)
<use ../Images/databases_window.png>
-<../Images/rules_window.png, id=265, 284.06125pt x 568.1225pt>
+<../Images/rules_window.png, id=262, 284.06125pt x 568.1225pt>
File: ../Images/rules_window.png Graphic file (type png)
<use ../Images/rules_window.png>
-<../Images/filter_window.png, id=266, 332.24126pt x 293.095pt>
+<../Images/filter_window.png, id=263, 332.24126pt x 293.095pt>
File: ../Images/filter_window.png Graphic file (type png)
<use ../Images/filter_window.png>
-<../Images/pch_window.png, id=267, 270.00874pt x 273.02pt>
+<../Images/pch_window.png, id=264, 270.00874pt x 273.02pt>
File: ../Images/pch_window.png Graphic file (type png)
-<use ../Images/pch_window.png> [57] [58 <../Images/databases_window.png> <../Im
+<use ../Images/pch_window.png> [58] [59 <../Images/databases_window.png> <../Im
ages/rules_window.png> <../Images/filter_window.png (PNG copy)> <../Images/pch_
-window.png>] [59] <../Images/user_window.png, id=280, 368.37625pt x 469.755pt>
+window.png>] [60] <../Images/user_window.png, id=277, 368.37625pt x 469.755pt>
File: ../Images/user_window.png Graphic file (type png)
<use ../Images/user_window.png>
Underfull \vbox (badness 10000) has occurred while \output is active []
- [60 <../Images/user_window.png>]) (../Content/Evaluation.tex [61] [62
-
-
-]
+ [61 <../Images/user_window.png>]) (../Content/Evaluation.tex [62]
Chapter 4.
+[63
-Overfull \hbox (3.33815pt too wide) in paragraph at lines 18--32
- [][]
- []
-[63] [64] [65] [66]
-<../Images/catcherICDS.jpg, id=304, 3474.9825pt x 1906.12125pt>
-File: ../Images/catcherICDS.jpg Graphic file (type jpg)
+] [64] [65]
+Underfull \vbox (badness 7944) has occurred while \output is active []
-<use ../Images/catcherICDS.jpg> [67 <../Images/catcherICDS.jpg>]
-Overfull \hbox (20.58582pt too wide) in paragraph at lines 238--244
-\T1/ptm/m/n/10.95 Rules trig-gered: LAC/Provider Map-ping, Neigh-bour-hood Stru
-c-ture, AR-FCN/Provider
- []
+ [66]
+<../Images/catcherICDS.jpg, id=298, 3474.9825pt x 1906.12125pt>
+File: ../Images/catcherICDS.jpg Graphic file (type jpg)
-[68] [69] [70] [71]) (../Content/Conclusion.tex [72]
+<use ../Images/catcherICDS.jpg> [67] [68 <../Images/catcherICDS.jpg>] [69]
+[70] [71] [72] [73]) (../Content/Conclusion.tex [74]
Chapter 5.
<../Images/flowchart.png, id=324, 340.31943pt x 407.31372pt>
File: ../Images/flowchart.png Graphic file (type png)
-<use ../Images/flowchart.png> [73
-
-
-] [74 <../Images/flowchart.png (PNG copy)>]
-[75]) [76] (./Master.bbl
-Underfull \hbox (badness 2818) in paragraph at lines 17--21
-[]\T1/ptm/m/n/10.95 Radio ac-cess net-work: Ra-dio trans-mis-sion and re-cep-ti
-on. GSM 05.05,
- []
+<use ../Images/flowchart.png> [75
-Underfull \hbox (badness 10000) in paragraph at lines 17--21
-\T1/pcr/m/n/10.95 http : / / www . 3gpp . org / ftp / Specs / archive / 05 _ se
-ries / 05 .
+] [76 <../Images/flowchart.png (PNG copy)>]
+[77]) [78] (./Master.bbl
+Underfull \hbox (badness 3179) in paragraph at lines 4--9
+[]\T1/ptm/m/sc/10.95 3GPP Tech-ni-cal Spec-i-fi-ca-tion Group Core Net-work and
+ Ter-
[]
-Underfull \hbox (badness 10000) in paragraph at lines 30--34
-[]\T1/ptm/m/n/10.95 Identification cards -- phys-i-cal char-ac-ter-is-tics. IS
-O/IEC 7810:2003,
+Underfull \hbox (badness 10000) in paragraph at lines 4--9
+\T1/pcr/m/n/10.95 http : / / www . 3gpp . org / ftp / Specs / archive / 23 _ se
+ries / 23 . 003 /
[]
-Underfull \hbox (badness 10000) in paragraph at lines 30--34
-\T1/pcr/m/n/10.95 http : / / www . iso . org / iso / iso _ catalogue / catalogu
-e _ tc /
+Underfull \hbox (badness 2753) in paragraph at lines 11--16
+[]\T1/ptm/m/sc/10.95 3GPP Tech-ni-cal Spec-i-fi-ca-tion Group GSM/EDGE Ra-dio A
+c-cess
[]
-Underfull \hbox (badness 10000) in paragraph at lines 36--40
-\T1/pcr/m/n/10.95 3gpp . org / ftp / Specs / archive / 05 _ series / 05 . 02 /
-0502-[]8b0 . zip$\T1/ptm/m/n/10.95 ,
+Underfull \hbox (badness 7238) in paragraph at lines 11--16
+\T1/ptm/m/sc/10.95 Net-work\T1/ptm/m/n/10.95 . Data link (DL) Layer: Gen-eral
+as-pects. \T1/ptm/m/it/10.95 TS 04.05\T1/ptm/m/n/10.95 ,
[]
-Underfull \hbox (badness 10000) in paragraph at lines 42--46
-\T1/pcr/m/n/10.95 http : / / www . 3gpp . org / ftp / Specs / archive / 23 _ se
-ries / 23 . 078 /
+Underfull \hbox (badness 1112) in paragraph at lines 11--16
+\T1/ptm/m/it/10.95 DOC file $\T1/pcr/m/n/10.95 http : / / www . 3gpp . org / ft
+p / Specs / archive / 04 _ series /
[]
-Underfull \hbox (badness 10000) in paragraph at lines 48--52
-\T1/pcr/m/n/10.95 org / ftp / Specs / archive / 23 _ series / 23 . 003 / 23003-
-[]a30 . zip$\T1/ptm/m/n/10.95 ,
+Underfull \hbox (badness 1112) in paragraph at lines 18--23
+\T1/ptm/m/it/10.95 DOC file $\T1/pcr/m/n/10.95 http : / / www . 3gpp . org / ft
+p / Specs / archive / 05 _ series /
[]
-[77
+[79
-]
-Underfull \hbox (badness 3428) in paragraph at lines 73--76
-[]\T1/ptm/m/n/10.95 Gsm/3g stats. $\T1/pcr/m/n/10.95 http : / / www . gsacom .
- com / news / statistics . php4$\T1/ptm/m/n/10.95 ,
+] (/usr/share/texmf-texlive/tex/latex/ucs/data/uni-32.def
+File: uni-32.def 2004/10/17 UCS: Unicode data U+2000..U+20FF
+)
+Underfull \hbox (badness 1210) in paragraph at lines 112--117
+[]\T1/ptm/m/sc/10.95 OsmocomBB\T1/ptm/m/n/10.95 . Catcher Catcher. \T1/ptm/m/
+it/10.95 Project Wiki\T1/ptm/m/n/10.95 , $\T1/pcr/m/n/10.95 http : / / opensour
+ce .
[]
-
-Underfull \hbox (badness 2680) in paragraph at lines 83--88
-[]\T1/ptm/m/sc/10.95 Harald Welte, S. M. \T1/ptm/m/n/10.95 Os-mo-combb - run-n
-ing your own gsm stack
+[80]
+Underfull \hbox (badness 1783) in paragraph at lines 162--167
+[]\T1/ptm/m/sc/10.95 Telecomunication stan-dard-iza-tion sec-tor of ITU\T1/ptm/
+m/n/10.95 . List of Mo-
[]
-Underfull \hbox (badness 1454) in paragraph at lines 83--88
-\T1/ptm/m/n/10.95 on a phone. $\T1/pcr/m/n/10.95 http : / / events . ccc . de
-/ congress / 2010 / Fahrplan /
+Underfull \hbox (badness 1259) in paragraph at lines 162--167
+\T1/ptm/m/n/10.95 bile Coun-try or Ge-o-graph-i-cal Area Codes. \T1/ptm/m/it/1
+0.95 Com-ple-ments to Rec-om-men-da-
[]
-Underfull \hbox (badness 2035) in paragraph at lines 111--114
-[]\T1/ptm/m/sc/10.95 OsmocomBB\T1/ptm/m/n/10.95 . Catcher catcher. $\T1/pcr/m
-/n/10.95 http : / / opensource . srlabs . de /
+Underfull \hbox (badness 10000) in paragraph at lines 194--199
+\T1/pcr/m/n/10.95 wikipedia . org / wiki / Central _ Equipment _ Identity _ Reg
+ister$\T1/ptm/m/n/10.95 ,
[]
+) [81] [82
-Underfull \hbox (badness 10000) in paragraph at lines 148--153
-[]\T1/ptm/m/sc/10.95 Security, H. \T1/ptm/m/n/10.95 Imsi-catcher für 1500 euro
- im eigen-
- []
+] (./Master.lof [83])
+\tf@lof=\write9
+\openout9 = `Master.lof'.
-Underfull \hbox (badness 10000) in paragraph at lines 148--153
-\T1/ptm/m/n/10.95 bau. $\T1/pcr/m/n/10.95 http : / / www . heise . de / securi
-ty / meldung /
- []
+ [84] (./Master.lot)
+\tf@lot=\write10
+\openout10 = `Master.lot'.
+ [85
-Underfull \hbox (badness 10000) in paragraph at lines 148--153
-\T1/pcr/m/n/10.95 IMSI-[]Catcher-[]fuer-[]1500-[]Euro-[]im-[]Eigenbau-[]1048919
- . html$\T1/ptm/m/n/10.95 ,
- []
-[78]
-Underfull \hbox (badness 10000) in paragraph at lines 168--171
-[]\T1/ptm/m/sc/10.95 Wikipedia\T1/ptm/m/n/10.95 . Cell id. $\T1/pcr/m/n/10.95
- http : / / bb . osmocom . org / trac / wiki /
- []
-
-) [79] (../Content/Appendix.tex [80
+]
+(../Content/Appendix.tex [86
]
Appendix A.
-[81] [82]
+[87] [88]
Appendix B.
-[83
+[89
-]
-Overfull \hbox (19.167pt too wide) in paragraph at lines 96--98
-\T1/pcr/m/n/10.95 pch_scan.c\T1/ptm/m/n/10.95 must be moved to \T1/pcr/m/n/10.9
-5 osmocom-bb/src/host/layer23/src/misc
- []
-
-
-Overfull \hbox (6.91444pt too wide) in paragraph at lines 104--104
- []\T1/pcr/m/n/10.95 bin_PROGRAMS = bcch_scan ... cbch_sniff catcher pch_scan[]
-
- []
-
-
-Overfull \hbox (5.81935pt too wide) in paragraph at lines 115--115
-[] \T1/pcr/m/n/10.95 ../../target/firmware/board/compal_e88/layer1.compalram.bi
-n[]
- []
-
-[84] <../Images/t191cable.jpg, id=363, 702.625pt x 609.27625pt>
+] [90] <../Images/t191cable.jpg, id=376, 702.625pt x 609.27625pt>
File: ../Images/t191cable.jpg Graphic file (type jpg)
-<use ../Images/t191cable.jpg> [85 <../Images/t191cable.jpg>] [86
+<use ../Images/t191cable.jpg> [91 <../Images/t191cable.jpg>] [92
]
Appendix C.
-Underfull \hbox (badness 10000) in paragraph at lines 147--163
+Underfull \hbox (badness 10000) in paragraph at lines 149--165
[]
-Underfull \hbox (badness 10000) in paragraph at lines 147--163
+Underfull \hbox (badness 10000) in paragraph at lines 149--165
[]
-Underfull \hbox (badness 10000) in paragraph at lines 147--163
+Underfull \hbox (badness 10000) in paragraph at lines 149--165
[]
-Underfull \hbox (badness 10000) in paragraph at lines 164--196
+Underfull \hbox (badness 10000) in paragraph at lines 166--198
[]
-Underfull \hbox (badness 10000) in paragraph at lines 164--196
+Underfull \hbox (badness 10000) in paragraph at lines 166--198
[]
-Underfull \hbox (badness 10000) in paragraph at lines 164--196
+Underfull \hbox (badness 10000) in paragraph at lines 166--198
[]
Underfull \vbox (badness 7981) has occurred while \output is active []
- [87]
-[88]
-Overfull \hbox (5.4829pt too wide) in paragraph at lines 320--321
-[][][][][][][][][][][][][][][][][][][][][][][][][][]
+ [93]
+[94]
+Underfull \hbox (badness 10000) in paragraph at lines 201--348
+
[]
-Underfull \hbox (badness 10000) in paragraph at lines 199--326
+Underfull \hbox (badness 10000) in paragraph at lines 201--348
[]
-Underfull \hbox (badness 10000) in paragraph at lines 199--326
+Underfull \hbox (badness 10000) in paragraph at lines 201--348
[]
-Underfull \hbox (badness 10000) in paragraph at lines 199--326
+Underfull \hbox (badness 10000) in paragraph at lines 201--348
[]
Underfull \vbox (badness 10000) has occurred while \output is active []
- [89]
-[90] [91] [92
-
+ [95]
+[96]
+Underfull \vbox (badness 10000) has occurred while \output is active []
-]
+ [97]
+[98]
Appendix D.
-<../Images/sysinfo1.png, id=390, 260.172pt x 393.1488pt>
+<../Images/sysinfo1.png, id=402, 260.172pt x 393.1488pt>
File: ../Images/sysinfo1.png Graphic file (type png)
<use ../Images/sysinfo1.png>
-LaTeX Warning: Float too large for page by 0.9002pt on input line 334.
+LaTeX Warning: Float too large for page by 0.9002pt on input line 356.
+<../Images/sysinfo2.png, id=403, 261.32832pt x 440.55792pt>
File: ../Images/sysinfo2.png Graphic file (type png)
+
<use ../Images/sysinfo2.png>
-LaTeX Warning: Float too large for page by 61.98238pt on input line 339.
+LaTeX Warning: Float too large for page by 61.98238pt on input line 361.
-<../Images/sysinfo3.png, id=391, 284.45473pt x 373.49136pt>
+<../Images/sysinfo3.png, id=404, 284.45473pt x 373.49136pt>
File: ../Images/sysinfo3.png Graphic file (type png)
<use ../Images/sysinfo3.png>
-<../Images/sysinfo4.png, id=392, 252.07776pt x 370.0224pt>
+<../Images/sysinfo4.png, id=405, 252.07776pt x 370.0224pt>
File: ../Images/sysinfo4.png Graphic file (type png)
-<use ../Images/sysinfo4.png> [93] [94 <../Images/sysinfo1.png (PNG copy)>]
-[95] [96 <../Images/sysinfo3.png (PNG copy)>] [97 <../Images/sysinfo4.png (PNG
-copy)>] [98
+<use ../Images/sysinfo4.png> [99
+
+
+] [100 <../Images/sysinfo1.png (PNG copy)>]
+[101 <../Images/sysinfo2.png (PNG copy)>] [102 <../Images/sysinfo3.png (PNG cop
+y)>] [103 <../Images/sysinfo4.png (PNG copy)>] [104
]
Appendix E.
-) (./Master.acr [99] [100
+)
+LaTeX Warning: `!h' float specifier changed to `!ht'.
-]
+(./Master.acr [105] [106]
Underfull \hbox (badness 2626) in paragraph at lines 73--74
[]|\T1/ptm/m/n/10.95 Conférence Eu-ropéenne des Ad-min-is-tra-tions des
[]
@@ -1582,37 +1527,43 @@ Underfull \hbox (badness 10000) in paragraph at lines 89--90
[]|\T1/ptm/m/n/10.95 Electrically Erasable Pro-grammable Read-Only
[]
-[101
+[107
+
+
+
+
+] [108] [109]) [110] (./Master.aux)
+LaTeX Warning: There were undefined references.
-] [102] [103]) [104] (./Master.aux) )
+ )
Here is how much of TeX's memory you used:
- 25033 strings out of 493848
- 468950 string characters out of 1152824
- 738815 words of memory out of 3000000
- 27636 multiletter control sequences out of 15000+50000
+ 25287 strings out of 493848
+ 471945 string characters out of 1152824
+ 750814 words of memory out of 3000000
+ 27886 multiletter control sequences out of 15000+50000
83343 words of font info for 111 fonts, out of 3000000 for 9000
714 hyphenation exceptions out of 8191
61i,13n,72p,1076b,1344s stack positions out of 5000i,500n,10000p,200000b,50000s
-{/usr/share/texmf-texlive/fonts/enc/dvips/
-base/8r.enc}</usr/share/texmf-texlive/fonts/type1/public/amsfonts/cm/cmex10.pfb
-></usr/share/texmf-texlive/fonts/type1/public/amsfonts/cm/cmmi10.pfb></usr/shar
-e/texmf-texlive/fonts/type1/public/amsfonts/cm/cmmi12.pfb></usr/share/texmf-tex
-live/fonts/type1/public/amsfonts/cm/cmmi8.pfb></usr/share/texmf-texlive/fonts/t
-ype1/public/amsfonts/cm/cmr10.pfb></usr/share/texmf-texlive/fonts/type1/public/
-amsfonts/cm/cmr8.pfb></usr/share/texmf-texlive/fonts/type1/public/amsfonts/cm/c
-msy10.pfb></usr/share/texmf-texlive/fonts/type1/public/amsfonts/cm/cmsy8.pfb></
-usr/share/texmf-texlive/fonts/type1/public/eurosym/feymr10.pfb></usr/share/texm
-f-texlive/fonts/type1/public/amsfonts/latxfont/lcircle1.pfb></usr/share/texmf-t
-exlive/fonts/type1/urw/courier/ucrb8a.pfb></usr/share/texmf-texlive/fonts/type1
-/urw/courier/ucrr8a.pfb></usr/share/texmf-texlive/fonts/type1/urw/courier/ucrro
-8a.pfb></usr/share/texmf-texlive/fonts/type1/urw/helvetic/uhvb8a.pfb></usr/shar
-e/texmf-texlive/fonts/type1/urw/times/utmb8a.pfb></usr/share/texmf-texlive/font
-s/type1/urw/times/utmr8a.pfb></usr/share/texmf-texlive/fonts/type1/urw/times/ut
-mr8a.pfb></usr/share/texmf-texlive/fonts/type1/urw/times/utmri8a.pfb>
-Output written on Master.pdf (116 pages, 18951952 bytes).
+{/usr/share/texmf-texlive/fonts/enc/dvips/base/8r.enc}</usr/share/texmf-texli
+ve/fonts/type1/public/amsfonts/cm/cmex10.pfb></usr/share/texmf-texlive/fonts/ty
+pe1/public/amsfonts/cm/cmmi10.pfb></usr/share/texmf-texlive/fonts/type1/public/
+amsfonts/cm/cmmi12.pfb></usr/share/texmf-texlive/fonts/type1/public/amsfonts/cm
+/cmmi8.pfb></usr/share/texmf-texlive/fonts/type1/public/amsfonts/cm/cmr10.pfb><
+/usr/share/texmf-texlive/fonts/type1/public/amsfonts/cm/cmr8.pfb></usr/share/te
+xmf-texlive/fonts/type1/public/amsfonts/cm/cmsy10.pfb></usr/share/texmf-texlive
+/fonts/type1/public/amsfonts/cm/cmsy8.pfb></usr/share/texmf-texlive/fonts/type1
+/public/eurosym/feymr10.pfb></usr/share/texmf-texlive/fonts/type1/public/amsfon
+ts/latxfont/lcircle1.pfb></usr/share/texmf-texlive/fonts/type1/urw/courier/ucrb
+8a.pfb></usr/share/texmf-texlive/fonts/type1/urw/courier/ucrr8a.pfb></usr/share
+/texmf-texlive/fonts/type1/urw/courier/ucrro8a.pfb></usr/share/texmf-texlive/fo
+nts/type1/urw/helvetic/uhvb8a.pfb></usr/share/texmf-texlive/fonts/type1/urw/tim
+es/utmb8a.pfb></usr/share/texmf-texlive/fonts/type1/urw/times/utmr8a.pfb></usr/
+share/texmf-texlive/fonts/type1/urw/times/utmr8a.pfb></usr/share/texmf-texlive/
+fonts/type1/urw/times/utmri8a.pfb>
+Output written on Master.pdf (120 pages, 20274633 bytes).
PDF statistics:
- 492 PDF objects out of 1000 (max. 8388607)
+ 505 PDF objects out of 1000 (max. 8388607)
0 named destinations out of 1000 (max. 500000)
- 178 words of extra memory for PDF output out of 10000 (max. 10000000)
+ 183 words of extra memory for PDF output out of 10000 (max. 10000000)
diff --git a/Tex/Master/Master.lot b/Tex/Master/Master.lot
index 2c68aa1..7fce79b 100644
--- a/Tex/Master/Master.lot
+++ b/Tex/Master/Master.lot
@@ -9,22 +9,24 @@
\contentsline {table}{\numberline {3.2}{\ignorespaces Type Codes and the corresponding System Information Types \cite {GSM2009}.}}{40}
\contentsline {table}{\numberline {3.3}{\ignorespaces Configuration Rules implemented inside the ICDS.}}{44}
\contentsline {table}{\numberline {3.4}{\ignorespaces Context Rules implemented inside the ICDS.}}{45}
-\contentsline {table}{\numberline {3.5}{\ignorespaces Database Rules implemented inside the ICDS.}}{48}
-\contentsline {table}{\numberline {3.6}{\ignorespaces Scan Rules implemented inside the ICDS.}}{49}
+\contentsline {table}{\numberline {3.5}{\ignorespaces Database Rules implemented inside the ICDS.}}{49}
+\contentsline {table}{\numberline {3.6}{\ignorespaces Scan Rules implemented inside the ICDS.}}{50}
\addvspace {10\p@ }
\contentsline {table}{\numberline {4.1}{\ignorespaces Key values of the data sets used for performance tests.}}{63}
-\contentsline {table}{\numberline {4.2}{\ignorespaces Coverage for Google Mobile Maps and OpenCellID on the data sets with the time needed in s for fetching the information.}}{65}
-\contentsline {table}{\numberline {4.3}{\ignorespaces Number of Pagings and Immediate Assignments (per 10\tmspace +\thickmuskip {.2777em}s) for the four German providers at different locations.}}{66}
-\contentsline {table}{\numberline {4.4}{\ignorespaces Erroneous configurations for the IMSI catcher.}}{69}
-\contentsline {table}{\numberline {4.5}{\ignorespaces Results obtained testing the \emph {rx} and \emph {LAC Change rules}.}}{70}
-\contentsline {table}{\numberline {4.6}{\ignorespaces Results of the long-term evaluation.}}{71}
-\contentsline {table}{\numberline {4.7}{\ignorespaces Consistent parameter configurations in the Freiburg area for the four German providers.}}{71}
+\contentsline {table}{\numberline {4.2}{\ignorespaces Coverage for Google Mobile Maps and OpenCellID on the data sets with the time needed in seconds for fetching the information.}}{65}
+\contentsline {table}{\numberline {4.3}{\ignorespaces Number of Paging Messages and Immediate Assignments (per 10 seconds) for the four German providers at different locations.}}{66}
+\contentsline {table}{\numberline {4.4}{\ignorespaces Erroneous configurations for the IMSI catcher.}}{70}
+\contentsline {table}{\numberline {4.5}{\ignorespaces Configuration and Context Rule results for Config 1.}}{70}
+\contentsline {table}{\numberline {4.6}{\ignorespaces Results obtained testing the \emph {rx} and \emph {LAC Change rules}.}}{72}
+\contentsline {table}{\numberline {4.7}{\ignorespaces Results of the database evaluation.}}{73}
+\contentsline {table}{\numberline {4.8}{\ignorespaces Consistent parameter configurations in the Freiburg area for the four German providers.}}{73}
\addvspace {10\p@ }
\addvspace {10\p@ }
-\contentsline {table}{\numberline {A.1}{\ignorespaces Interface found in the GSM network.}}{81}
-\contentsline {table}{\numberline {A.2}{\ignorespaces Possible mappings of channels onto Multiframes}}{82}
+\contentsline {table}{\numberline {A.1}{\ignorespaces Interface found in the GSM network.}}{87}
+\contentsline {table}{\numberline {A.2}{\ignorespaces Possible mappings of channels onto Multiframes}}{88}
\addvspace {10\p@ }
\addvspace {10\p@ }
\addvspace {10\p@ }
\addvspace {10\p@ }
-\contentsline {table}{\numberline {E.1}{\ignorespaces Configurations used for the rx\tmspace +\thinmuskip {.1667em}/\tmspace +\thinmuskip {.1667em}LAC Change Rules test.}}{99}
+\contentsline {table}{\numberline {E.1}{\ignorespaces Configurations used for the rx\tmspace +\thinmuskip {.1667em}/\tmspace +\thinmuskip {.1667em}LAC Change Rules test.}}{105}
+\contentsline {table}{\numberline {E.2}{\ignorespaces Configurations used for the Database Rules test.}}{106}
diff --git a/Tex/Master/Master.pdf b/Tex/Master/Master.pdf
index 58134ec..415e7b8 100644
--- a/Tex/Master/Master.pdf
+++ b/Tex/Master/Master.pdf
Binary files differ
diff --git a/Tex/Master/Master.synctex.gz b/Tex/Master/Master.synctex.gz
index 9bb03a5..7e1ee9f 100644
--- a/Tex/Master/Master.synctex.gz
+++ b/Tex/Master/Master.synctex.gz
Binary files differ
diff --git a/Tex/Master/Master.tex b/Tex/Master/Master.tex
index 0f4e241..4302782 100644
--- a/Tex/Master/Master.tex
+++ b/Tex/Master/Master.tex
@@ -125,29 +125,21 @@
\pagenumbering{roman}
\input{../Content/Declaration}
\clearpage
+\input{../Content/Abstract}
+\clearpage
\input{../Content/Acknowledgements}
\clearpage
-%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
-% Abstract %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
-%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
-
-%\pagestyle{empty}
-\input{../Content/Abstract}
-
-
-%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
-% Disclaimer %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
-%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
-
-\input{../Content/Disclaimer}
+\newpage
+\phantom{a}
+\newpage
+\input{../Content/Dedication}
+\clearpage
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
% Create ListOfTables and ListOfFigures %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
\clearpage{\thispagestyle{scrplain}\cleardoublepage}
-\listoffigures
-\listoftables
\tableofcontents
\clearpage{\thispagestyle{scrplain}\cleardoublepage}
\pagenumbering{arabic}
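Review bot: The blank page before the dedication is forced with `\newpage` / `\phantom{a}` / `\newpage`, which typesets a dummy glyph only to push a page out. Nothing in the hunk sets that page's style, so it will probably still carry a roman page number. The usual way to state the intent is `\newpage\null\thispagestyle{empty}\newpage`, which fits the `\clearpage{\thispagestyle{scrplain}\cleardoublepage}` already used a few lines further down. The hunk also drops `\input{../Content/Disclaimer}` along with its banner comment, and the commit message does not say whether the disclaimer moved elsewhere or was removed on purpose. If the removal is intended, a one-line `%` comment at that spot would record it for the next editor.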
@@ -179,7 +171,8 @@
\nocite{*}
%*******************************************************************************************************
\bibliography{../Content/Bibliography}
-
+\listoffigures
+\listoftables
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
% Appendix %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
diff --git a/Tex/Master/Master.toc b/Tex/Master/Master.toc
index ad7d0af..6375272 100644
--- a/Tex/Master/Master.toc
+++ b/Tex/Master/Master.toc
@@ -43,55 +43,56 @@
\contentsline {subsection}{\numberline {3.1.2}Motorola C123}{37}
\contentsline {subsection}{\numberline {3.1.3}OsmocomBB and ICDS}{38}
\contentsline {section}{\numberline {3.2}Procedure}{39}
-\contentsline {subsection}{\numberline {3.2.1}Information Gathering}{40}
+\contentsline {subsection}{\numberline {3.2.1}Information Gathering}{39}
\contentsline {subsection}{\numberline {3.2.2}Information Evaluation}{43}
\contentsline {subsubsection}{Configuration Rules}{44}
\contentsline {subsubsection}{Context Rules}{45}
\contentsline {paragraph}{Neighbourhood Structure}{46}
-\contentsline {subsubsection}{Database Rules}{48}
-\contentsline {subsubsection}{Scan Rules}{49}
-\contentsline {subsubsection}{Remaining Issues and Paging}{50}
-\contentsline {subsection}{\numberline {3.2.3}Base Station Evaluation}{51}
-\contentsline {section}{\numberline {3.3}Implementation}{51}
+\contentsline {subsubsection}{Database Rules}{49}
+\contentsline {subsubsection}{Scan Rules}{50}
+\contentsline {subsubsection}{Remaining Issues and Paging}{51}
+\contentsline {subsection}{\numberline {3.2.3}Base Station Evaluation}{52}
+\contentsline {section}{\numberline {3.3}Implementation}{52}
\contentsline {subsection}{\numberline {3.3.1}Architecture}{52}
-\contentsline {subsection}{\numberline {3.3.2}Configuration}{53}
-\contentsline {subsection}{\numberline {3.3.3}Graphical User Interface}{54}
-\contentsline {subsection}{\numberline {3.3.4}Usage}{57}
-\contentsline {paragraph}{Conducting sweep scans:}{57}
-\contentsline {paragraph}{Using and obtaining Cell ID Information:}{59}
-\contentsline {paragraph}{Building or using a Local Area Database:}{59}
+\contentsline {subsection}{\numberline {3.3.2}Configuration}{54}
+\contentsline {subsection}{\numberline {3.3.3}Graphical User Interface}{55}
+\contentsline {subsection}{\numberline {3.3.4}Usage}{58}
+\contentsline {paragraph}{Conducting sweep scans:}{58}
+\contentsline {paragraph}{Using and obtaining Cell ID Information:}{58}
+\contentsline {paragraph}{Building or using a Local Area Database:}{60}
\contentsline {paragraph}{Conducting a PCH Scan:}{60}
-\contentsline {paragraph}{Utilising User Mode:}{60}
-\contentsline {section}{\numberline {3.4}Related Projects}{61}
+\contentsline {paragraph}{Utilising User Mode:}{61}
+\contentsline {section}{\numberline {3.4}Related Projects}{62}
\contentsline {chapter}{\numberline {4}Evaluation}{63}
\contentsline {section}{\numberline {4.1}Performance Evaluation}{63}
\contentsline {subsection}{\numberline {4.1.1}Scan Duration}{64}
\contentsline {subsection}{\numberline {4.1.2}Cell ID Databases}{65}
-\contentsline {subsection}{\numberline {4.1.3}PCH Scans}{65}
-\contentsline {section}{\numberline {4.2}IMSI Catcher Detection}{66}
-\contentsline {subsection}{\numberline {4.2.1}Open Source IMSI Catcher}{66}
-\contentsline {subsubsection}{Modifications to the ICDS Configuration}{68}
-\contentsline {subsection}{\numberline {4.2.2}Rule Evaluation}{68}
-\contentsline {subsection}{\numberline {4.2.3}Long-Term Test}{70}
-\contentsline {subsection}{\numberline {4.2.4}Attack Scenarios}{70}
-\contentsline {subsubsection}{IMSI Catcher as a new Cell}{72}
-\contentsline {subsubsection}{IMSI Catcher replacing an old Cell}{72}
-\contentsline {chapter}{\numberline {5}Conclusion}{73}
-\contentsline {section}{\numberline {5.1}Summary}{73}
-\contentsline {section}{\numberline {5.2}Future Work}{75}
-\contentsline {chapter}{Bibliography}{77}
-\contentsline {chapter}{\numberline {A}GSM}{81}
-\contentsline {section}{\numberline {A.1}Interfaces}{81}
-\contentsline {section}{\numberline {A.2}Channel Combinations}{82}
-\contentsline {chapter}{\numberline {B}OsmocomBB}{83}
-\contentsline {section}{\numberline {B.1}Installation}{83}
-\contentsline {section}{\numberline {B.2}Usage}{84}
-\contentsline {section}{\numberline {B.3}Serial Cable Schematics}{85}
-\contentsline {chapter}{\numberline {C}IMSI Catcher Detection System}{87}
-\contentsline {section}{\numberline {C.1}Extextions}{87}
-\contentsline {section}{\numberline {C.2}Example Configuration}{89}
-\contentsline {chapter}{\numberline {D}System Information}{93}
-\contentsline {chapter}{\numberline {E}Evaluation Data}{99}
-\contentsline {section}{\numberline {E.1}Rx and LAC Change Test}{99}
-\contentsline {section}{\numberline {E.2}Long Term Test}{99}
-\contentsline {chapter}{Acronyms}{101}
+\contentsline {subsection}{\numberline {4.1.3}PCH Scans}{66}
+\contentsline {section}{\numberline {4.2}IMSI Catcher Detection}{67}
+\contentsline {subsection}{\numberline {4.2.1}Open Source IMSI Catcher}{67}
+\contentsline {subsubsection}{Modifications to the ICDS Configuration}{69}
+\contentsline {subsection}{\numberline {4.2.2}Configuration and Context Rules Evaluation}{69}
+\contentsline {subsection}{\numberline {4.2.3}Scan Rules Evaluation}{71}
+\contentsline {subsection}{\numberline {4.2.4}Database Rules Evaluation}{71}
+\contentsline {subsection}{\numberline {4.2.5}Realistic Scenarios}{72}
+\contentsline {subsubsection}{IMSI Catcher as a new Cell}{74}
+\contentsline {subsubsection}{IMSI Catcher replacing an old Cell}{74}
+\contentsline {chapter}{\numberline {5}Conclusion}{75}
+\contentsline {section}{\numberline {5.1}Summary}{75}
+\contentsline {section}{\numberline {5.2}Future Work}{77}
+\contentsline {chapter}{Bibliography}{79}
+\contentsline {chapter}{\numberline {A}GSM}{87}
+\contentsline {section}{\numberline {A.1}Interfaces}{87}
+\contentsline {section}{\numberline {A.2}Channel Combinations}{88}
+\contentsline {chapter}{\numberline {B}OsmocomBB}{89}
+\contentsline {section}{\numberline {B.1}Installation}{89}
+\contentsline {section}{\numberline {B.2}Usage}{90}
+\contentsline {section}{\numberline {B.3}Serial Cable Schematics}{91}
+\contentsline {chapter}{\numberline {C}IMSI Catcher Detection System}{93}
+\contentsline {section}{\numberline {C.1}Extextions}{93}
+\contentsline {section}{\numberline {C.2}Example Configuration}{95}
+\contentsline {chapter}{\numberline {D}System Information}{99}
+\contentsline {chapter}{\numberline {E}Evaluation Data}{105}
+\contentsline {section}{\numberline {E.1}Rx and LAC Change Test}{105}
+\contentsline {section}{\numberline {E.2}Database Rules Test}{105}
+\contentsline {chapter}{Acronyms}{107}
diff --git a/Tex/Master/Titlepage.tex b/Tex/Master/Titlepage.tex
index a6a57a0..bb04ad8 100644
--- a/Tex/Master/Titlepage.tex
+++ b/Tex/Master/Titlepage.tex
@@ -15,14 +15,15 @@
% Title
\rule{0.7\linewidth}{0.5mm} \\[0.7cm]
- \textsc{\huge \bfseries Imsi Catcher Detection}\\[0.4cm]
+ \textsc{\huge \bfseries Imsi Catcher Detection System}\\[0.4cm]
\rule{0.7\linewidth}{0.5mm} \\[1.5cm]
% Author and supervisor
\begin{minipage}{0.4\textwidth}
\begin{flushleft} \large
\emph{Author:}\\
- Thomas Mayer
+ Thomas Mayer\\
+ tom.f.mayer@gmail.com
\end{flushleft}
\end{minipage}
\begin{minipage}{0.4\textwidth}