臺灣博碩士論文加值系統

本論文對4G/5G的通話系統安全進行研究，且針對常見的來電顯示偽裝進行檢測機制的開發，該通話系統與傳統基於電路交換技術的系統不同，是由IP多媒體子系統(IMS，IP Multimedia Subsystem)所支援，基於對談發起協定(SIP，Session InitiationProtocol)建立通話，SIP的訊息可以使得終端應用程式了解更多通話對方的電信網路、手機型號和通話狀態資訊，本團隊利用機器學習分析來電的通話資訊和來電顯示號碼的通話資訊是否一致，作為檢測機制的依據，進而開發一套來電偽裝偵測技術，只需將檢測應用程式安裝於手機上，不需對4G/5G核心網作修改，即可運作。該技術在手機還未響鈴時，即開始進行偵測，爭取在響鈴前完成偵測，避免干擾使用者，在某些狀況下，有可能必須等到響鈴或是接電話後才能分辨。此檢測技術的優點在於使用者可以在自己的手機上獨立完成偵測，已在國內兩大電信商和美國一大電信商驗證其有效性。

The 4G/5G call system is being deployed worldwide and will become the mainstream system that supports cellular call services. In this thesis, we conduct a security study of the 4G/5G callsystem, especially focusing on the development of the call ID spoofing detection manner. This call system is supported based on the IP Multimedia Subsystem (IMS) instead of the traditional circuit-switched telecom telephony. Its call services operate based on the Session Initiation Protocol (SIP), which contains the information of IMS system, end devices, and call status. We have developed a technique of call ID spoofing detection which just needs to install anapplication on smartphones without any support from 4G/5G core networks. It starts to dodetection before the phone’s ringtone so that it can minimize the disturbance on the user from the ID-spoofing calls. In some cases, the detection can only be done after the phone rings orthe call is accepted. The merit of this technique is that the user can finish the detection usingonly his/her smartphone; we have validate its effectiveness with two Taiwan carriers and one U.S. carrier, which allow the callee to probe the caller’s information using the incoming callID while receiving a call. The callee can validate that the call ID belongs to the actual callerby checking whether the actual caller’s information is consistent with the probed caller’s. Thisdetection application can operate at run time and detect the call ID spoofing before the calleestarts to talk.

Abstract. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . i
摘要. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . ii
Acknowledgement. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . iii
Table of Contents. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . iv
List of Figures. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . vi
List of Tables. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . vii
1Introduction. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1
2Background. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2
2.1 Phone call in LTE. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2
2.1.1 Attack Surface. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3
2.1.2 Attack Model. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3
3Overview. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4
4Related Work. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6
4.1 Endpoint-only. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6
4.2 Network-assisted. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6
5Feasibility Test on Remote UE State Detection. . . . . . . . . . . . . . . . . . . . 8
5.1 Making a Call Probe from Callee. . . . . . . . . . . . . . . . . . . . . . . . . 8
5.2 Call Status Inference on Call-ID Owner. . . . . . . . . . . . . . . . . . . . . 10
5.3 Call Status Inference on Caller. . . . . . . . . . . . . . . . . . . . . . . . . . 14
6Design. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 19
6.1 Challenges. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 19
6.1.1 C1: Brute Force on Features Takes Too Much Times to Converge. . . 19
6.1.2 C2: Adversary Might Disturb The Probing. . . . . . . . . . . . . . . 20
6.2 Relative Component. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 23
6.3 Procedure. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 25
7Conclusion. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 26
References. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 27

[1]“New data shows ftc received 2.2 million fraud reports from consumers in 2020,” FederalTrade Commission, Tech. Rep., Apr. 2021.
[2]“Truecaller insights 2021 u.s. spam & scam report,” Truecaller, Tech. Rep., Jun. 2021.
[3]Truecaller, (2021). [Online]. Available:https://www.truecaller.com
[4]Whoscall, (2021). [Online]. Available:https://whoscall.com
[5]SpoofCard, (2021). [Online]. Available:https://www.spoofcard.com
[6]Fake Caller ID, (2021). [Online]. Available:https://fakecallerid.io
[7]SpoofTel, (2021). [Online]. Available:https://www.spooftel.com
[8]H. Mustafa, W. Xu, A. R. Sadeghi, and S. Schulz, “You Can Call but You Can’t Hide:Detecting Caller ID Spoofing Attacks,” inProc. IEEE/IFIP International Conference onDependable Systems and Networks (DSN), Atlanta, GA, USA, Jun. 2014.
[9]H. Mustafa, W. Xu, A.-R. Sadeghi, and S. Schulz, “End-to-End Detection of Caller IDSpoofing Attacks,” vol. 15, no. 3, pp. 423–436, Jun. 2018.
[10]H. Deng, W. Wang, and C. Peng, “CEIVE: Combating Caller ID Spoofing on 4G MobilePhones Via Callee-Only Inference and Verification,” inProc. International Conference onMobile Computing and Networking (MobiCOM), New York, NY, USA, Oct. 2018.
[11]J. Li, F. Faria, J. Chen, and D. Liang, “A mechanism to authenticate caller id,” inProc.World Conference on Information Systems and Technologies (WorldCIST), Porto SantoIsland, Madeira, Portugal, Apr. 2017.
[12]S. T. Chow, V. Choyi, and D. Vinokurov, “Caller name authentication to prevent calleridentity spoofing,” U.S. Patent 9241013, Jan. 19, 2016.
[13]Y. Cai, “Validating caller ID information to protect against caller ID spoofing,” U.S. Patent8254541, Aug. 28, 2012.
[14]S. A. Danis, “Systems and methods for caller ID authentication, spoof detection and listbased call handling,” U.S. Patent 9060057, Jun. 16, 2015.
[15]H. Tu, A. Doupe, Z. Zhao, and G.-J. Ahn, “Toward Standardization of Authenticated CallerID Transmission,”IEEE Communications Standards Magazine, vol. 1, no. 3, pp. 30–36,Oct. 2017.
[16]J. Song, H. Kim, and A. Gkelias, “iVisher: Real-Time Detection of Caller ID Spoofing,”ETRI Journal, vol. 36, no. 5, pp. 865–875, Oct. 2014.
[17]B. K. Sekwon Kim and H. Kim, “Abnormal VoLTE call setup between UEs,” inProc. ofInternationalConferenceonSecurityandManagement(SAM), Las Vegas, USA, Jul. 2015.
[18]A. Sheoran, S. Fahmy, C. Peng, and N. Modi, “Nascent: Tackling Caller-ID Spoofing in4G Networks via Efficient Network-Assisted Validation,” inProc. IEEE Conference onComputer Communications (INFOCOM), Paris, France, Apr. 2019.
[19]“Combating Spoofed Robocalls with Caller ID Authentication,” Federal CommunicationsCommission, Tech. Rep., Apr. 2021.
[20]Y.-H. Lu, C.-Y. Li, Y.-Y. Li, S. H.-Y. Hsiao, T. Xie, G.-H. Tu, and W.-X. Chen, “Ghost callsfrom operational 4g call systems: Ims vulnerability, call dos attack, and countermeasure,”inProceedings of the 26th Annual International Conference on Mobile Computing andNetworking, ser. MobiCom ’20, London, United Kingdom, 2020.28