How subscriber awareness augments mobile network security

Sebastian Müller portrait

By Sebastian Müller
Published on: 06.01.2022

In 2016, just under half of humanity owned a smartphone. That number has now risen to 80 %. Along with such a great expansion in mass connectivity comes great responsibility for mobile networks, the ether through which thousands of gigabytes of data navigate every day. Keeping these data safe and the networks secure has therefore become a key priority for mobile operators, especially as they continue grappling with new threats and vulnerabilities. According to a recent report1, 97 % of organizations in 2020 faced at least one mobile threat that used multiple attack vectors and at least 40 % of the world’s mobile devices are inherently vulnerable to cyberattacks.

Over the past years, network security functions such as next-gen firewalls or security information and event management (SIEM) solutions have played a critical role in identifying and managing network threats for mobile networks. These functions are often paired with monitoring and deep packet inspection (DPI) capabilities, such as those provided by R&S®PACE 2, for timely detection of traffic and applications that are suspicious and anomalous.

While application awareness greatly facilitates the implementation of various security policies for mobile networks, the use of load balancing, a mechanism by which traffic is allocated to a network subsystem, often leaves network security functions with huge visibility gaps, as a subscriber session is typically split into separate streams that are routed to different devices. How does this impact network security?

Myriad mobile networks, myriad dangers

Mobile networks are susceptible to attacks of various forms. Malware attacks, for example, easily take place when users unwittingly click on something that triggers a drive-by download which then installs malware such as viruses or spyware on a system. Spyware can garner information about a user’s internet usage, passwords and contacts and pass this to a third party. Viruses can actively harm a device and mine information. These attacks can be sourced from seemingly innocuous or legitimate links or applications.

Mobile networks are also vulnerable to distributed-denial-of-service (DDoS) attacks in which a perpetrator tries to take down a website or web application by overwhelming it with traffic from multiple locations. Mobile devices and networks can get entangled in DDoS attacks in two ways: either by being used as part of the botnet that renders another web node unavailable or as part of the web service or process itself that is targeted by a botnet.

Mobile networks can also be subject to fraud of various kinds. They can be abused by an imposter taking over a legitimate account, either by phishing, card fraud, call center fraud or through simply stealing devices. Compromised accounts can be used for various nefarious purposes. This can be the illegal usage of network capacity as in the case of unauthorized peer-to-peer applications and illegal tethering. Fraud can also be used to break into operators’ subscriber databases, leading to mass data or identity theft.

These threats become even more pronounced with 5G.

5G’s service classes, namely enhanced mobile broadband (eMBB) and massive machine type communications (mMTC), will see the number of endpoints growing exponentially. These endpoints will increase the attack surface of the network, making it increasingly difficult for operators to secure these devices against tampering, hijacking and being manipulated as gateways for accessing valuable network resources and for launching attacks on the network.

Complete visibility for intelligent load balancing

For handling each of the threats discussed above, full visibility into a subscriber session is critical. Conventional load balancing, however, impairs this visibility by presenting only part of the malicious or anomalous traffic to the onward processing tool. Such tools gain full visibility only upon the completion of postprocessing reconciliations and aggregations. By then, however, attacks would have already penetrated the targeted applications and network resources and caused major damage.

To address this, operators are moving to intelligent load balancing. The GTP subscriber resolution module by Rohde & Schwarz (R&S®GSRM) makes this possible. R&S®GSRM is an OEM software module that builds on the extensive and deep expertise of Rohde & Schwarz in mobile network intelligence. It uses the correlation of GTP control and user traffic to identify subscribers in real time, allowing all packets from a single subscriber session to be processed in the same sequence, delivering complete visibility into every session.

R&S®GSRM can be embedded directly in a security tool or deployed in network packet brokers to deliver intelligent load balancing for various security subsystems in the mobile core. With subscriber awareness, a network packet broker can filter, aggregate and forward all packets from a single session to the same network security tool, increasing its visibility into sessions that are potentially malicious.

Subscriber-aware threat management

Subscriber awareness greatly improves the capacity and capabilities of security functions in the mobile core. Intrusion prevention systems, which monitor, report and block malicious activity in a network, can easily single out traffic that does not conform to normal patterns, for example, continuous sessions connecting to a sensitive application such as a banking site. Data overages can be discerned, indicating that a phone has been hijacked or a device stolen. Similarly, web filtering subsystems can also be improved, as attempts to access blocked or blacklisted applications can be identified instantaneously. Unusually large file transfers can be detected early before confidential and critical data is siphoned off enterprises and public agencies. The same would also apply to DDoS attacks, which become visible when a large number of successive requests is registered from the same subscriber. In all these use cases, network security solutions leverage complete visibility provided by R&S®GSRM which allows for packets from a single subscriber session to be processed together without any loss of information.

R&S®GSRM provides subscriber awareness, helping to analyze attacks and network anomalies on a granular level so that risks inherent across different applications, users and geographies can be identified and used to design responsive policies for network security. This granular analysis enables security tools and operators to manage security incidents in the future. Data benchmarks based on historical usage patterns at the subscriber, subscriber group and application level are readily available through aggregation and filtering enabled by subscriber resolution that is provided by R&S®GSRM.

In the context of 5G, the need for higher bandwidth and speeds across applications that are data-intensive and that connect to multiple end nodes simultaneously poses new challenges for operators. They have to ensure that a sudden shift in traffic patterns is not caused by the activities of threat actors. With session aggregation, such patterns become easy to decipher as the session information is complete and can be compared to past consumption patterns in real time. This helps to detect network abuses such as fraud or SIM cloning and the hijacking of end nodes aimed at stealing network resources and destabilizing the network.

R&S®GSRM in combination with R&S®PACE 2 makes it possible for application and subscriber awareness to work hand in hand, delivering enhanced network intelligence to manage and improve mobile network security. R&S®GSRM uses a lightweight, fast-performing software module that can be deployed in the mobile core to restore complete visibility into user sessions for meaningful and effective management of subscriber traffic where traffic brokering is used. Network security vendors in particular benefit from subscriber-aware traffic filtering and aggregation enabled by an engine that is built specifically for this task, giving them the power to keep networks safe and going at all times.


1 Mobile Security Report 2021 by Check Point

Sebastian Müller portrait

Sebastian Müller

Contact me on LinkedIn

Sebastian is a passionate DPI thought leader guiding a cross-functional team to build the networks of the future with leading traffic analytics capabilities. He has over ten years of dedicated experience in the telecom and cybersecurity domain, providing him with deep understanding of market requirements and customer needs. When he’s not at work, you can either find him on his road bike or hiking in the mountains.


Related material

ipoque blog - discover the latest news and trends in IP network analytics

Sign up for our newsletter

Stay informed about the latest news and insights from ipoque