• sh7786

Standard Anomaly Management? Not for Mobile Networks!

Mobile network operators (MNOs) are undergoing a massive transition from traditional voice and SMS service providers to purveyors of high speed, multi service platforms that users have quickly grown accustomed to. This transition greatly advances the industry, but also radically increases network complexity, making mobile networks significantly harder to secure and monitor.

The challenge with mobile networks

Mobile networks are very complex and dense environments to manage and secure. A mobile network is a decentralized environment with a high degree of built-in mobility (inherent to the constant movement of people and traffic).

There's also a sizable level of redundancy within network infrastructure, to help ensure availability. Clearly this kind of an environment necessitates automated network management, but to deploy standard solutions is not so simple.

Two-pronged solution

In these types of complex network environments, anomaly detection and management is an excellent means to secure networks, but it requires a multi-layered approach.

So what is anomaly detection? In data mining and machine learning, anomaly detection algorithms identify items, events or observations which do not conform to expected patterns or other items in a dataset. This methodology is often utilized in cyber security practices to detect early stage network breaches. It's common that we see anomaly detection focus on unusual traffic patterns or messages.

Now in the case of the current generation of mobile networks, we have service-oriented networks, with a significant shift towards an IT-based architecture. These are complex and dynamic environments, whose management requires deep expertise of legitimate network behavior, in order to reach the fine granularity needed to detect and analyze anomalies. This can be achieved via:

1. Introduction of a pre-defined network reference model, so that the anomaly detection system can learn specific networks' legitimate behavior (i.e. explicit detection of known threats), and

2. Implicit detection; which can either detect anomalies which contradict a supervised learning-based reference model OR detect anomalies which contradict the seen normal behavior.

It's key that anomaly detection for mobile networks utilizes both network specific knowledge and independent observation.

Unique challenges in action

An environment which assumes faults and failures needs to be able to adeptly handle them (i.e. fault tolerance). If a link in the network fails all together, and you don't know which links are eligible to replace it because you're not looking at the traffic migration patterns - you can falsely detect an anomaly. The anomaly management system needs to be able to take all of these factors into account.

How? By detecting anomalies which contradict a supervised learning based reference model, and by detecting anomalies which contradict the seen normal behavior. The two must go hand in hand.

Assumed malfunctions

There are a few ways that mobile networks can upset or trick anomaly detection systems, creating false positives. A mobile network environment uses standard protocols, which are generic and allow for a wide variety of options. As many fields in messages are optional, one could treat a new use of an optional field as an anomaly and send an alert.

For example, if an optional field in a message is suddenly being used, but all network elements have started using this field, then it's more likely to be a network upgrade than an attack.

If the anomaly management system doesn't take these protocol issues into account, then there would be a consistent flow of false "anomalies" detected in the system all the time. The system would not be trustworthy and it would be a waste of time and personnel. So it’s key that anomaly management systems take these constraints into account.

Mobile networks require proactive anomaly detection

Here's the takeaway. For complex networks that require constant monitoring to abate cyber incidents, anomaly management is a fundamental tool. But in the telecom field it's important that anomaly detection combine network specific knowledge and expertise to detect misuse of the network as well as the ability to draw independent conclusions from the observed traffic.

To learn more about anomaly management for mobile networks, contact us now at info@imvisiontech.com!