summaryrefslogtreecommitdiffstats
path: root/Tex/Presentation/presentation.tex
blob: 63fc0f0f69e0f558b8c42c4fb1970b40fe084ae4 (plain) (blame)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
\documentclass{beamer}

\usepackage{xspace}
\usepackage{default}
\usepackage{pgfplots}
\usepackage{tabularx}
\usepackage{listings}
\usepackage{booktabs}
\usepackage{etex}
\usepackage{courier}


\lstset{language=Python,
        basicstyle=\footnotesize\ttfamily, % Standardschrift
        breaklines=true,                   % Zeilen werden Umgebrochen
}


\title[IMSI Catcher Detection]{IMSI Catcher Detection System using the OsmocomBB Framework}
\author[Thomas Mayer]{Thomas Mayer\\[3mm]\footnotesize {Advisors: Prof.\ Dr.\ Gerhard Schneider}\\\footnotesize{\hspace{-5mm}Dennis Wehrle}\\\footnotesize{\hspace{-6mm}Konrad Meier}}
\institute[Uni Freiburg]{Albert-Ludwigs-Universit\"at Freiburg \\ Technische Fakult\"at \\ Institut f\"ur Informatik \\ Lehrstuhl f\"ur Kommunikationssysteme}
\date{19.\,03.\,2012}

\mode<presentation>{
  \useoutertheme[width=0pt]{zusatz}
  \usetheme{Frankfurt}
	\setbeamertemplate{section in toc shaded}[default][40]
	\setbeamertemplate{subsection in toc shaded}[default][40]
}

\newcommand{\tocsection}[1]{
  \section{#1}
  \begin{frame}{Content}
    \tableofcontents[sectionstyle=show/shaded,subsectionstyle=show/show/hide]
  \end{frame}
 }

\begin{document}

\begin{frame}[empty]{}
\maketitle
\end{frame}

\begin{frame}{Content}
\tableofcontents[sectionstyle=show/show,subsectionstyle=show/show/hide]
\end{frame}

\tocsection{Background}
\subsection{IMSI Catcher}
\begin{frame}{Mode of Operation}
\begin{center}
	\includegraphics[width=.9\textwidth]{IMSICatcher}
\end{center}
\end{frame}

\begin{frame}{Threats}
\begin{block}{Technical Possibilities}
\begin{itemize}
	\item Tapping and recording of phone calls
	\item Localisation of subscribers
	\item Suppression of communication
\end{itemize}
\end{block}
Other concerns:
\begin{itemize}
	\item Cannot target individuals
	\item No emergency calls possible
	\item Procedural law situation
	\item Hard to prove operation in retrospect
\end{itemize}
... risk intensified by homebrew IMSI catcher projects!
\end{frame}

\subsection{IMSI Catcher Detection}
\begin{frame}{Detection}
Main Question: How to detect such a device?
\begin{itemize}
	\item<1-> Actively connect to the catcher
	\begin{itemize}
		\item<1-> Localisation possible once connected
	\end{itemize}
	\item<1-> \color<2>{red}Passively gather information
\end{itemize}
\vspace{.8cm}
\visible<2>{Procedure: Information that is publicly available
\begin{itemize}
	\item Broadcast Control Channel
	\begin{itemize}
		\item System Information Messages 1-4
		\item SI 1 and 2 of special interest
	\end{itemize}
	\item Parameters that can be measured
\end{itemize}
}
\end{frame}

\begin{frame}{Parameters}
Parameters measured:
\begin{itemize}
	\item Signal Strength
\end{itemize}
\vspace{.3cm}
Parameters harvested from SI:
\begin{itemize}
	\item ARFCN
	\item Country and Provider Codes
	\item Cell ID and Location Area Code
	\item Neighbouring Cell List
	\item Base Station Identification (not yet used)
\end{itemize}
\begin{alertblock}<2>{Main Problem}
Parameters that can be set, can be forged!
\end{alertblock}
\end{frame}

\tocsection{Current State}
\subsection{Architecture}
\begin{frame}{Overview}
\begin{center}
	\includegraphics[width=\textwidth]{Architecture}
\end{center}

\end{frame}

\begin{frame}{Components}
Model/View/Controller oriented design with plug-in rules and evaluators
\begin{itemize}
	\item Data Model:
	\begin{itemize}
		\item Constantly updated by the OsmocomBB Framework
	\end{itemize}
	\item Rules:
	\begin{itemize}
		\item Mapping: $\text{DataModel}~\rightarrow~\{\text{Ok}\vert\text{Warning}\vert\text{Critical}\}$
		\item Different kinds of rules
		\item Constant re-evaluation
	\end{itemize}
	\item Evaluators:
	\begin{itemize}
		\item Gathers and aggregates rule results for a base station
		\item Conservative Evaluator
	\end{itemize}
\end{itemize}
\end{frame}

\subsection{Rules}
\begin{frame}{Rules}{Parameter Mapping and Context Rules}
Parameter Mappings:
\begin{itemize}
	\item Simple implication rules
	\item Mapping of parameter to range
	\item Integrity checks on single base stations
\end{itemize}
Context Rules:
\begin{itemize}
	\item Compare parameters with surrounding base stations
	\item See how well a base station fits in its neighbourhood
\end{itemize}
\begin{exampleblock}{Examples}
\begin{itemize}
	\item Check whether the ARCFN is in the registered range of the respective provider
	\item Check whether LAC is consistent with neighbouring LACs
\end{itemize}
\end{exampleblock}
\end{frame}

\begin{frame}{Rules}{Neighbourhood Rules}
Analyse the structure of the neighbourhood graph:
\begin{center}
\includegraphics[width=.9\textwidth]{Neighbours}
\end{center}
\end{frame}

\tocsection{To Do}
\subsection{Rules}
\begin{frame}{Rules}{Databases}
\begin{alertblock}{Problem}
Forged parameters!
\end{alertblock}
Possible solution:
\begin{itemize}
	\item Cell ID Databases:
	\begin{itemize}
		\item Many official and open databases (Nokia/OpenCellID)
		\item Used for localisation, but can also be used vice versa!
	\end{itemize}
	\item Local Area Database:
	\begin{itemize}
		\item Learn surroundings
		\item 'Trustworthiness Score'
		\item Can use signal strength
	\end{itemize}
\end{itemize}
\end{frame}

\subsection{Evaluators}
\begin{frame}{Evaluators}{Bayes Filter}
\begin{block}{Bayesian Filtering}
A statistical algorithm that can be used to predict the class of an object given certain evaluations and base probabilities.
Uses Bayes theorem:
\[P(A\vert B)= \frac{P(B\vert A) \cdot P(A)}{P(B)}\]
\end{block}

\begin{exampleblock}{Bayes for a single Rule}
\[P(\text{B1 is catchter}\vert \text{R1 yields warning})\] 
\[=\frac{P(\text{R1 yields warning}\vert \text{B1 is catchter}) \cdot P(\text{B1 is catchter})}{P(\text{R1 yields warning})}\]
\end{exampleblock}
\end{frame}

\begin{frame}{Evaluators}{Bayes Filter (contd.)}
Bayes Theorem is recursive:
\begin{itemize}
	\item Evaluate P(B1 is catcher$\vert$R1 yields warning, R2 yields ok, $\ldots$)
	\item Further refinement possible:
	\begin{itemize}
		\item Refine base probabilities (enlarge database)
		\item Finer grained rule results than only three classes
		\item $\ldots$
	\end{itemize}
\end{itemize}
\end{frame}

\tocsection{Demo}
\subsection{Demo}
\begin{frame}{Demo}
\begin{center}
	\huge{Demo}
\end{center}
\end{frame}

\begin{frame}{The End}
\begin{center}
	\huge{Thank you for your attention! Questions?}
\end{center}
\end{frame} 

\end{document}