WO2010105099A2 - Systems, methods, and computer readable media for detecting and mitigating address spoofing in messaging service transactions - Google Patents

Systems, methods, and computer readable media for detecting and mitigating address spoofing in messaging service transactions Download PDF

Info

Publication number
WO2010105099A2
WO2010105099A2 PCT/US2010/027043 US2010027043W WO2010105099A2 WO 2010105099 A2 WO2010105099 A2 WO 2010105099A2 US 2010027043 W US2010027043 W US 2010027043W WO 2010105099 A2 WO2010105099 A2 WO 2010105099A2
Authority
WO
WIPO (PCT)
Prior art keywords
message
messaging service
smsc
mobility management
identifier
Prior art date
Application number
PCT/US2010/027043
Other languages
French (fr)
Other versions
WO2010105099A3 (en
Inventor
Eloy Johan Lambertus Nooren
Original Assignee
Tekelec
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Tekelec filed Critical Tekelec
Publication of WO2010105099A2 publication Critical patent/WO2010105099A2/en
Publication of WO2010105099A3 publication Critical patent/WO2010105099A3/en

Links

Classifications

    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04WWIRELESS COMMUNICATION NETWORKS
    • H04W12/00Security arrangements; Authentication; Protecting privacy or anonymity
    • H04W12/12Detection or prevention of fraud
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/14Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1441Countermeasures against malicious traffic
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04WWIRELESS COMMUNICATION NETWORKS
    • H04W12/00Security arrangements; Authentication; Protecting privacy or anonymity
    • H04W12/12Detection or prevention of fraud
    • H04W12/128Anti-malware arrangements, e.g. protection against SMS fraud or mobile malware
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04WWIRELESS COMMUNICATION NETWORKS
    • H04W88/00Devices specially adapted for wireless communication networks, e.g. terminals, base stations or access point devices
    • H04W88/18Service support devices; Network management devices
    • H04W88/184Messaging devices, e.g. message centre

Definitions

  • the subject matter described herein relates to methods and systems for detecting fraudulent activity within a telecommunications network. More particularly, the subject matter described herein relates to systems, methods, and computer readable media for detecting and mitigating address spoofing in messaging service transactions.
  • a telecommunications network may support one or more messaging services.
  • One example messaging service is the short message service, or
  • SMS allows the communication of short text messages between mobile communications devices, such as mobile phones, personal digital assistants, and the like.
  • mobile communications devices such as mobile phones, personal digital assistants, and the like.
  • mobile phone is hereinafter used to generically refer to any type of mobile communications device, although the subject matter described herein is not so limited.
  • the delivery of an SMS message is a two-step process. First, if the receiver is a mobile subscriber, the receiver's current location - more specifically, the identity of the mobile switching center (MSC) that is currently serving the receiver's mobile phone, referred to as the serving MSC - must be determined. Second, the MT/SM message is forwarded to the serving MSC, which will transmit the MT/SM message to the receiver's mobile phone.
  • MSC mobile switching center
  • FIG. 1A is a block diagram illustrating processing of an MT/SM message in a conventional signaling system #7 (SS7) based telecommunications network according to the steps described above.
  • Telecommunications network 100 includes a short messaging service center (SMSC) node 102 for processing SMS messages, such as MT/SM message 104, which was sent from a mobile subscriber, sender 106, and intended for another mobile subscriber, receiver 108.
  • SMSC 102 sends a send routing information for short message (SRI_SM) message 110 to the home location register (HLR) 112 which maintains the current location of receiver 108.
  • HLR 112 sends a response message, such as SRI_SM_ACK message 114, to SMSC 102.
  • SRI_SM short message
  • SRI_SM_ACK message 114 includes information identifying subscriber 108, such as the (IMSI) for subscriber 108.
  • the information identifying subscriber 108 is subscriber 108's IMSI number, represented in Figure 1 as "IMSI#”.
  • SRI_SM_ACK message 114 also includes information identifying the MSC currently serving receiver 108.
  • MSC 116 is currently serving receiver 108, and MSC 116 is identified by its network address, represented in Figure 1 as "ADDR1 ". SMSC 102 then issues a MT_FORWARD_SM message 118 to MSC 116, which delivers what is essentially the original MT/SM message 104' to receiver 108.
  • SMSC 102 is an entity in the originating network and HLR 112 and MSC 116 are entities in a terminating network that is different from the originating network.
  • SRI_SM message 110 contains the address of SMSC 102 at two layers of the signaling message protocol, and thus within two separate sets of message parameters or fields: the signaling connection control part (SCCP) layer and the mobile application part (MAP) layer.
  • SCCP signaling connection control part
  • MAP mobile application part
  • MSC 116 may, upon receiving MT_FORWARD_SM message 118, determine that the message originated from a different network and, in response to that determination, extract the SMSC address from MT_FORWARD_SM message 118.
  • the terminating network may then identify the network to which SMSC 102 belongs and charge a termination fee 120 to the identified originating network.
  • unscrupulous originating network operators may "spoof (falsify) the contents of the SMS message so that the SMS message appears to have come from a third telecommunications network rather than from the actual originating network.
  • Figure 1 B is a block diagram illustrating MT/SM spoofing in the conventional telecommunications network of Figure 1 A. Elements of Figure 1 B are essentially identical to their like-numbered counterparts in Figure 1A, and therefore their descriptions will not be repeated here.
  • Figure 1 B also includes a third network, "NW3", which contains its own SMSC 122.
  • terminating network NW2 receives from originating network NW1 an SMS message, such as MT_FORWARD_SM message 118', with a spoofed origination address (“ADDR3”) that falsely indicates that the SMS message came from SMSC 122.
  • SMS message such as MT_FORWARD_SM message 118'
  • ADDR3 spoofed origination address
  • the terminating network then incorrectly charges termination fee 120' to the third telecommunications network NW3 rather than to the actual originating network NW1.
  • an unscrupulous network operator e.g., the operator of NW1
  • NW1 may fraudulently avoid termination fees that would otherwise be imposed upon it by the terminating network NW2.
  • Spam SMS messages are particularly grievous since the subscriber is often charged a fee for every SMS message received, which results in a subscriber not only receiving unwanted and often offensive SMS messages, but the subscriber having to pay for these unwanted SMS messages.
  • Some subscribers may have plans that have a finite number of SMS messages that may be sent or received within a billing period, where the subscriber is charged a steep fee for every additional message sent or received during that billing period.
  • the charge levied upon the subscriber due to the additional SMS messages may be many times more than the cost of the original subscription.
  • Network operators may then face the prospect of absorbing the cost themselves or risk losing subscribers.
  • the network operator would desire to detect and discard spoofed MT/SM messages.
  • a messaging service firewall separate from a short message service center (SMSC) and implemented on a platform including at least one processor receives a mobility management reply message that is sent by a mobile location register element in response to an associated mobility management query, the mobility management query and the mobility management reply message being associated with a mobility management transaction, the mobility management reply message including a message service recipient identifier and a serving switch identifier.
  • the messaging service firewall allocates a global title address (GTA) from a pool of global title addresses within a range of global title addresses assigned to the firewall, and stores a correlation between the allocated GTA and an originating SMSC identifier.
  • GTA global title address
  • the messaging service firewall replaces the serving switch identifier in the mobility management reply message with the allocated GTA and routes the modified mobility management reply message.
  • the messaging service firewall then receives a message service message associated with the mobility management transaction, the messaging service message being addressed to the allocated GTA, and determines the originating SMSC identifier to which the allocated GTA is correlated.
  • the messaging service firewall compares SMSC identifier information extracted from the messaging service message with the originating SMSC identifier to which the allocated GTA is correlated to determine if the messaging service message contains spoofed address information. In response to determining that the messaging service message contains spoofed address information, the messaging service firewall discards the messaging service message.
  • the subject matter described herein includes a method for detecting and mitigating address spoofing in a messaging service transaction.
  • a messaging service firewall separate from a short message service center (SMSC) and implemented on a platform including at least one processor receives a mobility management query message associated with a message delivery transaction that is sent by an originating SMSC element, where the mobility management query message includes a message service recipient identifier and a first originating SMSC identifier.
  • the messaging service firewall generates a mobility management reply message in response to the query message, the reply message including a least a portion of the first originating SMSC identifier in one or more parameters of the reply message that trigger the originating SMSC to echo the parameters in a subsequent message associated with the message delivery transaction.
  • the messaging service firewall receives a messaging service message associated with the message delivery transaction, where the messaging service message includes the echoed parameters, and extracts the echoed parameters from the messaging service message.
  • the messaging service firewall compares SMSC identifier information extracted from the messaging service message with SMSC identifier information contained in the routing label of the received messaging service message to determine if the messaging service message contains spoofed address information. In response to determining that the messaging service message contains spoofed address information, the messaging service firewall discards the messaging service message.
  • the subject matter described herein includes a system for detecting and mitigating address spoofing in messaging service transactions.
  • the system includes a messaging service firewall separate from a short message service center (SMSC) and implemented on a platform including at least one processor.
  • SMSC short message service center
  • the messaging service firewall includes a network interface for sending and receiving signaling messages and a spoofing detection module for: receiving, from the network interface, a mobility management reply message that is sent by a mobile location register element in response to an associated mobility management query, where the mobility management reply message includes a message service recipient identifier and a serving switch identifier; allocating a global title address (GTA) from a pool of global title addresses within a range of global title addresses assigned to the firewall; generating and storing a correlation record that associates the GTA with an originating SMSC identifier; replacing the serving switch identifier in the reply message with the firewall GTA; and routing the modified reply message.
  • GTA global title address
  • the spoofing detection module is also for: receiving, from the network interface, a message service message including the allocated GTA and using the allocated GTA to locate the correlation record; comparing SMSC identifier information extracted from the messaging service message with SMSC identifier information contained in the correlation record to determine if the messaging service message contains spoofed address information; and, in response to determining that the messaging service message contains spoofed address information, discarding the messaging service message.
  • the subject matter described herein includes a system for detecting and mitigating address spoofing in messaging service transactions.
  • the system includes a messaging service firewall separate from a short message service center (SMSC) and implemented on a platform including at least one processor.
  • SMSC short message service center
  • the messaging service firewall includes a network interface for sending and receiving signaling messages and a spoofing detection module for receiving, from the network interface, a mobility management query message associated with a message delivery transaction that is sent by an originating SMSC element, where the mobility management query message includes a message service recipient identifier and a first originating SMSC identifier, and generating a mobility management reply message, in response to the query message, that includes a least a portion of the first originating SMSC identifier in one or more parameters of the reply message that trigger the originating SMSC to echo the parameters in a subsequent message associated with the message delivery transaction.
  • the spoofing detection module is also for receiving, from the network interface, a messaging service message associated with the message delivery transaction, where the messaging service message includes the echoed parameters; extracting the echoed parameters in the messaging service message; comparing SMSC identifier information extracted from the messaging service message with SMSC identifier information contained in the routing label of the received messaging service message to determine if the messaging service message contains spoofed address information; and, in response to determining that the messaging service message contains spoofed address information, discarding the messaging service message.
  • the subject matter described herein for detecting and mitigating address spoofing in messaging service transactions may be implemented in hardware, software, firmware, or any combination thereof.
  • the terms “function” or “module” as used herein refer to hardware, software, and/or firmware for implementing the feature being described.
  • the subject matter described herein may be implemented using a non-transitory computer readable medium having stored thereon computer executable instructions that when executed by the processor of a computer control the computer to perform steps.
  • Exemplary computer readable media suitable for implementing the subject matter described herein include non-transitory computer-readable media, such as disk memory devices, chip memory devices, programmable logic devices, and application specific integrated circuits.
  • a computer readable medium that implements the subject matter described herein may be located on a single device or computing platform or may be distributed across multiple devices or computing platforms.
  • FIGS. 1A and 1 B are block diagrams illustrating processing of an
  • Figure 1A illustrates normal (non-fraudulent) MT/SM processing, while Figure 1B illustrates MT/SM address spoofing;
  • Figure 2 is a block diagram illustrating an exemplary system for detecting and mitigating address spoofing in messaging service transactions according to an embodiment of the subject matter described herein;
  • Figures 3A, 3B, and 3C are signaling message flow diagrams illustrating messages communicated within a system during an exemplary process for detecting and mitigating address spoofing in messaging service transactions according to an embodiment of the subject matter described herein;
  • Figures 4A and 4B are signaling message flow diagrams illustrating messages communicated within a system during an exemplary process for detecting and mitigating address spoofing in messaging service transactions according to another embodiment of the subject matter described herein; and Figure 5 is a block diagram illustrating a method for encrypting the data necessary for detecting and mitigating address spoofing in messaging service transactions according to an embodiment of the subject matter described herein.
  • systems, methods, and computer readable media are provided for detecting and mitigating address spoofing in messaging service transactions.
  • FIG. 2 is a block diagram illustrating an exemplary system for detecting and mitigating address spoofing in messaging service transactions according to an embodiment of the subject matter described herein.
  • System 200 includes one more firewall nodes 202 for detecting and mitigating address spoofing.
  • system 200 includes four firewall nodes 202, labeled "FWLT 1 "FWL2", “FWL3”, and "FWL4", respectively.
  • Firewall nodes 202 intercept and process SMS-related messages that may be sent by a short message service center (SMSC) 204.
  • SMSSC short message service center
  • Example messages that may be intercepted include: send routing information for short message (SRI_SM) messages that are sent by SMSC 204 to a home location register (HLR) 206; mobile-terminated forward short message (MT_F_SM) messages that are sent by SMSC 204 to a serving mobile switching center (SRVMSC) 208; and other types of SMS messages.
  • SRI_SM short message
  • HLR home location register
  • MT_F_SM mobile-terminated forward short message
  • SRVMSC serving mobile switching center
  • a signaling message routing node such as signal transfer point (STP) 210, may distribute incoming SMS- related messages to firewall nodes 202.
  • STP 210 may assign incoming SMS-related messages to firewall nodes 202 based on the identity of the intended receiver, generically referred to as the "called party" or CDPA.
  • the called party may be identified using a global title address (GTA).
  • GTA global title address
  • STP 210 may make use of a table, database, or other appropriate construct, such as global title translation (GTT) table 212, that maps a range of called party addresses to particular firewall nodes 202.
  • GTT table 212 maps called parties to firewall nodes 202 according to the called party's GTA.
  • GTT table 212 SMS-related messages that involve called parties with a GTA that matches the pattern "+316261 * " are assigned or forwarded to FWL1 for processing, SMS- related messages that involve called parties with a GTA that matches the pattern "+316262*" are assigned or forwarded to FWL2 for processing, and so on.
  • Each of firewall nodes 202 may access HLR 206 and each may communicate with STP 210, SRVMSC 208, or other telecommunication network nodes.
  • system 200 in Figure 2 includes two separate telecommunications networks: a first network (NW1), which contains SMSC 204; and a second network (NW2), which contains every other element illustrated in Figure 2.
  • NW1 may also be referred to as the originating network
  • NW2 may also be referred to as the terminating network.
  • network identifiers e.g., network addresses
  • SMSC 204 has a network address of "AAA”; of the firewall nodes 202, FWL1 has a network address of "BBB”; HLR 206 has a network address of "CCC”; and SRVMSC 208 has a network address of "DDD”.
  • MS 214 is being served by SRVMSC 208.
  • MS 214 is identified by both a mobile subscriber integrated services digital network (MSISDN) number, "EEE”, and an international mobile subscriber identity (IMSI) number, "FFF”.
  • MSISDN mobile subscriber integrated services digital network
  • EAE mobile subscriber integrated services digital network
  • IMSI international mobile subscriber identity
  • STP 210 has a network address of "GGG”.
  • each firewall node 202 includes a network interface (NWIF) 216 for sending and receiving signaling messages, and a spoofing detection module (SDM) 218.
  • NWIF network interface
  • SDM spoofing detection module
  • spoofing detection module 218 is for: receiving, from the network interface, a mobility management query message associated with a message delivery transaction that is sent by an originating SMSC element, where the mobility management query message includes a message service recipient identifier and a first originating SMSC identifier; generating a mobility management reply message, in response to the query message, that includes a least a portion of the first originating SMSC identifier in one or more parameters of the reply message that trigger the originating SMSC to echo the parameters in a subsequent message associated with the message delivery transaction; receiving, from the network interface, a messaging service message associated with the message delivery transaction, where the messaging service message includes the echoed parameters; extracting the echoed parameters in the messaging service message; comparing SMSC identifier information extracted from the messaging service message with SMSC identifier information contained in the routing label of the received messaging service message to determine if the messaging service message contains spoofed address information; and, in response to determining that the messaging service message contains spoofed address information, discarding the messaging
  • spoofing detection module 218 is for: receiving, from the network interface, a mobility management query message associated with a message delivery transaction that is sent by an originating SMSC element, where the mobility management query message includes a message service recipient identifier and a first originating SMSC identifier; generating a mobility management reply message, in response to the query message, that includes a least a portion of the first originating SMSC identifier in one or more parameters of the reply message that trigger the originating SMSC to echo the parameters in a subsequent message associated with the message delivery transaction; receiving, from the network interface, a messaging service message associated with the message delivery transaction, where the messaging service message includes the echoed parameters; extracting the echoed parameters in the messaging service message; comparing SMSC identifier information extracted from the messaging service message with SMSC identifier information contained in the routing label of the received messaging service message to determine if the messaging service message contains spoofed address information; and, in response to determining that the messaging service message contains spoofed address information, discarding the
  • Figures 3A, 3B, and 3C are signaling message flow diagrams illustrating messages communicated within exemplary system 200 during a process for detecting and mitigating address spoofing in messaging service transactions according to an embodiment of the subject matter described herein.
  • Figures 3A, 3B 1 and 3C show messages communicated between SMSC 204, STP 210, FWL1 202, HLR 206, and SRVMSC 208. These nodes are identical to their like-numbered counterparts illustrated in Figure 2, and therefore their descriptions will not be repeated here.
  • SMSC 204 may send a mobility management request message 300 requesting routing information for a called party mobile subscriber, who is identified by a called party address (CDPA).
  • SMSC 204 sends a send routing information for short message (SRI_SM) message to determine the routing information for mobile subscriber MS 214, whose MSISDN number is "EEE”.
  • SRI_SM short message
  • mobility management request message 300 may include information indicating the source of the message.
  • mobility management request message 300 includes a field or parameter called "SRC", which stores the address of SMSC 204, which has a network address of "AAA”.
  • SRC a field or parameter called "SRC”
  • mobility management request message 300 is received or intercepted by a routing node, STP 210.
  • STP 210 selects one of firewall nodes 202 based on the called party address contained within mobility management request message
  • STP 210 selects FWL1 , whose network address is "BBB", and forwards the SRI_SM message to FWL1 , shown in Figure 3A as message 304.
  • system 200 may have only one firewall node 202, in which case mobility management request message 300 may be routed to that firewall node either with or without the need for STP 210.
  • network NVV2 may not include an STP.
  • firewall node FWL1 202 terminates SRI_SM message 304 and generates a new SRI_SM message 308, which sends to HLR 206.
  • HLR 206 sends a reply message, SRI_SM_ACK 310, containing the IMSI number ("FFF") for MS 214 and an identity of the serving MSC ("DDD").
  • IMSI and serving MSC parameters are displayed in all figures using the format "IMSI@servingMSC".
  • FWL1 202 may modify the original mobility management request message 300 in such as manner as to guarantee that the response from HLR 206 returns through FWL1 202.
  • FWL1 202 may update the source information in the routing label so that it appears to HLR 206 that the mobility management request message originated from FWL1 202.
  • firewall node FWL1 202 has at its disposal a pool of addresses or other form of identity by which it may be identified.
  • FWL1 202 has a collection of global title addresses (GTAs), shown as values "GTAO" through "GTA9".
  • GTAs global title addresses
  • GTAO global title addresses
  • GTA7 an available GTA to be used for a message delivery transaction, of which mobility management request message 300 is only the first part.
  • FWL1 202 stores a correlation between the selected or allocated GTA and information identifying an originating SMSC.
  • FWL1 202 may store correlation information in the form of a correlation record in a table, database, or other form of data storage and retrieval.
  • FWL1 202 may use the selected GTA as a key and store the address of the originating SMSC 204 and the identity of the MSC currently serving the mobile subscriber.
  • FWL1 202 may use the key "GTA7" to store the value "AAA" in a record field labeled "SRC” and to store the value "DDD" in a record field labeled "SRVMSC".
  • firewall nodes 202 may allocate each of its available GTAs to only one correlation record at a time; allocated GTAs are then unavailable to be allocated again until the allocated GTA is deallocated or released back into the pool.
  • a GTA may be deallocated or released as a result of various trigger conditions, such as the completion (or abandonment) of the mobility management transaction to which the GTA is associated, explicit instruction from the network operator or provisioning system, node, module, or service reset, etc.
  • FWL1 202 terminates SRI_SM_ACK message 314 that it receives from HLR 206 and generates a new SRI_SM_ACK message 318, which it forwards to SMSC 204.
  • Generated SRI_SM_ACK message 318 contains the IMSI for MS 214, i.e., "FFF", but instead of the address of SRVMSC 208, FWL1 202 replaces the actual value "DDD" with the address of the selected GTA, e.g., "GTA7". In this manner, FWL1 202 can guarantee that, as will be shown below, other messages involved in the message delivery transaction will also be routed through FWL1 202.
  • Figure 3B illustrates detection of a spoofed MT/SM message
  • 3C illustrates processing of a legitimate (i.e., non-spoofed) MT/SM message.
  • SMSC 204 in response to receiving SRI_SM_ACK message 318 from FWL1 202, SMSC 204 now has enough information to deliver the MT/SM message.
  • SMSC 204 may issue a mobile-terminated forward short message (MT_F_SM) message 320 to what SMSC 204 has been told is the MSC that is currently serving MS 214.
  • MT_F_SM message 320 is addressed to FWL1 202.
  • SMSC 204 attempts to spoof the source address of the MT_F_SM message in order to avoid a termination fee from NW2.
  • MT_F_SM message 320 includes false information, shown as "FAKE_ADDR" in Figure 3B, in the SRC field of MT_F_SM message 320.
  • MT_F_SM message 320 is received by FWL1 202.
  • FWL1 FWL1
  • FWL1 202 extracts the key, which FWL1 202 will use to look up the correlation information, from received MT_F_SM message 320.
  • the key is "GTA7" and the value of the correlation data is the address of the source of mobility management request message 300, or "AAA”.
  • FWL1 202 may then simply compare the purported source of MT_F_SM message 320 ("FAKE_ADDR") with the source of the associated mobility management request message 300 ("AAA”), and determine that MTJF_SM message 320 has a spoofed address. As shown in block 324 of Figure 3B, FWL1 202 may then discard the MT_F_SM message or otherwise prohibit it from being forwarded to SRVMSC 208.
  • FIG 3C illustrates processing of a legitimate (i.e., non-spoofed) MT/SM message.
  • SMSC 204 in response to receiving SRI_SM_ACK message 318 from FWL1 202, SMSC 204 now has enough information to deliver the MT/SM message.
  • SMSC 204 may issue a mobile-terminated forward short message (MT_F_SM) message 328 to what SMSC 204 has been told is the MSC that is currently serving MS 214.
  • MT_F_SM message 328 is addressed to FWL1 202.
  • MT_F_SM message 328 is a legitimate MT/SM message that contains the true identity of the source SMSC 204: the "SRC" field contains the address of SMSC 204, which is "AAA".
  • MT_F_SM message 328 is received by FWL1 202.
  • FWL1 202 extracts the key, which FWL1 202 will use to look up the correlation information, from received MT_F_SM message 328.
  • the key is "GTA7" and the correlation data associated with that key is the address of the source of mobility management request message 300 ("AAA"), and the identity of the MSC currently serving MS 214 ("DDD").
  • FWL1 202 may then simply compare the purported source of MT_F_SM message 328 ("AAA") with the source of the associated mobility management request message 300 ("AAA”), and determine that MT_F_SM message 328 is legitimate. FWL1 202 may then forward the legitimate message 334 to currently serving MSC 208.
  • Figures 4A and 4B are signaling message flow diagrams illustrating messages communicated within exemplary system 200 during a process for detecting and mitigating address spoofing in messaging service transactions according to another embodiment of the subject matter described herein.
  • Figures 4A and 4B show messages communicated between SMSC 204, STP 210, FWL1 202, HLR 206, and SRVMSC 208. These nodes are identical to their like-numbered counterparts illustrated in Figure 2, and therefore their descriptions will not be repeated here.
  • MT/SM spoofing detection and mitigation is accomplished without the need to store correlation data.
  • a firewall node responds to a mobility management query, such as an SRI_SM or similar, with what is herein referred to as a "synthetic" response.
  • a synthetic response is a mobility management query response, such as an SRI SM ACK or similar, that appears to be a real response but which does not contain real data.
  • the synthetic response is constructed in such as way as to guarantee that any subsequent mobility management message that is associated with the first mobility management request will: a) be directed to the same firewall that created and issued the synthetic response, and b) include information that identifies the original mobility management request.
  • the firewall node stores the correlation data in the synthetic response itself, and presumes that when a subsequent mobility management message, such as a mobility service request, arrives, the subsequent mobility management message will contain the correlation data that the firewall node needs to perform spoofing detection and mitigation. This process will now be described in detail using Figures 4A and 4B.
  • an SMSC may send a mobility management request message requesting routing information for a called party mobile subscriber, such as MS 214, identified by MSISDN number ("EEE").
  • SMSC 204 sends SRI_SM message 400, the message requesting routing information for mobile subscriber MS 214, whose MSISDN number is "EEE”.
  • SRI_SM message 400 is received and routed by STP 210, which directs SRI_SM message 400 to firewall node, FVVL 202.
  • FWL 202 does not forward the SRI_SM message to an HLR, but instead generates a synthetic response message, SRI_SM_ACK message 404.
  • a real SRI_SM_ACK message would return the IMSI number of the mobile subscriber called party, and an identifier of the MSC currently serving the mobile subscriber called party.
  • a real SRI_SM_ACK message would return an IMSI value of "FFF" and a serving MSC identifier of "DDD".
  • FWL 202 creates a synthetic SRI_SM_ACK message 404 that stores the MSISDN number from SRI_SM message 400 in the IMSI field and stores the address of the source of SRI_SM message 400 in the serving MSC field.
  • FWL 202 cannot completely replace the contents of the serving MSC identifier (e.g., address "DDD") with the address of the source of SRI_SM message 400 (e.g., address "AAA”), because the serving MSC identifier is subsequently used by SMSC 204 as the destination for the message service request.
  • address AAA the address of the source of SRI_SM message 400
  • synthetic SRI_SM_ACK message 404 included address AAA in the serving MSC field, a subsequent MT_F_SM message would be delivered back to SMSC 204.
  • the serving MSC address is an MSISDN number, of the format shown below:
  • CC country code
  • NDC network destination code
  • SN subscriber number.
  • the CC and NDC fields must contain values that are correct for FWL 202, so that the subsequent messaging service message is directed to the correct country and network to which FWL 202 belongs. This leaves only the SN field, which FWL 202 uses to store the address "AAA". In one embodiment, only a portion of address AAA is stored in the SN portion of the serving MSC field; as will be seen below, this is enough information to detect spoofing. In another embodiment, also described below, the various pieces of information needed for correlation and spoofing detection may be combined, encrypted, and/or compressed to fit into the available spaces of the IMSI and serving MSC fields within synthetic SRI_SM_ACK message 404.
  • FWL 202 issues synthetic SRI_SM_ACK message 404 with the IMSI field containing value "EEE” (the MSISDN number for MS 214) and the serving MSC field containing a first portion that identifies the network to which FWL 202 belongs (shown as “NW2" in Figure 4A) and a second portion that identifies the source of SRI SM message 400 (shown as "AAA” in Figure 4A).
  • EEE the MSISDN number for MS 214
  • NW2 the MSISDN number for MS 214
  • AAA the source of SRI SM message 400
  • SMSC 204 receives synthetic SRI_SM_ACK message 404 and uses the IMSI@servingMSC information to issue a message service request message to what it believes to the serving MSC.
  • SMSC 204 issues MT_F_SM message 408 to the address "NW2+AAA".
  • address "NW2+AAA” is not a real address; but the "NW2" portion of the address is enough for SMSC 204 to know that MT_F_SM message 408 must be routed first to STP 210, which receives MT_F_SM message 408.
  • STP 210 uses MAP filtering to determine that MT_F_SM message 408 is a mobility management service message, and therefore forwards the message to FWL 202.
  • the forwarded MT_F_SM message 412 is thus guaranteed to go to the same firewall node that received and processed the original mobility management query message (e.g., SRI_SM message 400) that is associated with the subsequent mobility management service message (e.g., MT_F_SM message 404.)
  • SRI_SM message 400 the original mobility management query message
  • MT_F_SM message 404 the subsequent mobility management service message
  • FWL 202 would determine that MT_F_SM message 412 was spoofed, and would have discarded MT_F_SM message 412, and the process would have ended there. Since, in the embodiment illustrated in Figure 4B, MT_F_SM message 412 is authentic, FWL 202 now performs all of the necessary steps for SMS message delivery. First, FWL 202 queries HLR 206 for the location of MS 214 (SRI_SM message 418) and gets a response (SRI_SM_ACK message 420).
  • Second FWL 202 modifies MT_F_SM message 412 to include the authentic IMSI number and serving MSC identifier (e.g., FFF@DDD) and forwards the modified MT_F_SM message 424 to the correct serving MSC, SRVMSC 208.
  • the serving MSC may then issue a termination fee 426 to the originating SMSC 204. It may be desirable to obscure the fact that the SRI_SM_ACK message that FWL 202 sends to SMSC 204 is synthetic.
  • the correlation data that FWL 202 stores in the IMSI and serving MSC fields of synthetic SRI_SM_ACK message 404 may be encrypted. This is illustrated in Figure 5.
  • Figure 5 is a block diagram illustrating a method for encrypting the data necessary for detecting and mitigating address spoofing in messaging service transactions according to an embodiment of the subject matter described herein.
  • Figure 5 illustrates in more detail selected parameters of SRI_SM message 400, synthetic SRI_SM_ACK message 404, MT_F_SM message 412, and SRI SM message 418, from Figures 4A and 4B.
  • FWL 202 receives SRI_SM message 400, which includes two parameters: the SCCP SMSC (SRC) parameter 500, which is in MSISDN format, and the called party (CDPA) parameter 502, also in MSISDN format.
  • SRC SCCP SMSC
  • CDPA called party
  • FWL 202 uses the country code (CC) and network destination code (NDC) fields of SRC parameter 500 and all of the fields of CDPA parameter 502 as input into an encryption algorithm 504.
  • Encryption algorithm 504 may also require an encryption key 506 as input.
  • the output of encryption algorithm 504 is used to generate synthetic SRI_SM_ACK message 404, which has two parameters: the IMSI number (IMSI) parameter 508 and the serving MSC (SRVMSC) parameter 510.
  • IMSI parameter 508 is in the IMSI format, which includes the following fields:
  • SRVMSC parameter 510 is in the MSISDN format.
  • the output of encryption algorithm 504 includes data that will be placed into the MSIN field of IMSI parameter 508 and the SN field of SRVMSC parameter 510.
  • the CC and NDC fields of SRVMSC parameter 510 must contain CC and NDC values that will cause the subsequent MTJF_SM message 412 to be routed to the network to which FWL 202 belongs, so that FWL 202 will receive subsequent MT_F_SM message 412.
  • the CC and NCD fields of CDPA parameter 502 may be compressed or replaced with an alias 512 to save space.
  • Figure 5 also illustrates in detail the parameters within MT_F_SM message 412, which also includes an IMSI parameter 514 and a SRVMSC parameter 516.
  • IMSI parameter 514 should be the same as IMSI parameter 508 and the contents of SRVMSC parameter 516 should be the same as SRVMSC parameter 510.
  • FWL 202 will extract information from the MSIN field of IMSI parameter 514 and the SN field of SRVMSC parameter 516, and use them as input into a decryption algorithm 518.
  • Decryption algorithm 518 may also use a decryption key 520, which may be the same key or a different key from encryption key 506, depending on whether the encryption algorithm is symmetric or asymmetric, respectively.
  • the output of decryption algorithm 518 includes data that will be placed into the CC, NDC, and SN fields of SCCP SMSC (SCR) parameter 522 and into the CC and NDC fields of SRVMSC parameter 524 of SRI_SM message 418.
  • the output of decryption algorithm 518 may include an alias 526 which must be decompressed or mapped to a set of data for the CC and NDC fields of IMSI parameter 522.
  • the correlation data stored by FWL 202 in various fields within SRI_SM_ACK message 404 will return to FWL 202 via the equivalent fields of MT_F_SM message 412. From the recovered correlation data, FWL 202 has enough information to reconstruct its own SRI_SM message 418, which it will send to HLR 206.
  • FWL 202 can compare the SCCP SMSC parameter
  • the entity that sends the original SRI_SM message may be different from the entity that sends the subsequent MT_F_SM message.
  • the same entity may send both messages but that entity may be a cluster of nodes, or a single node that uses multiple addresses.
  • SCCP SMSC parameter 522 may not be exactly the same as source address of MT_F_SM message 412.
  • the purpose of spoofing is usually to redirect a termination fee from the originating network to a third network, comparing only the CC and NDC fields of the two addresses is enough to determine whether or not MT_F_SM message
  • encryption algorithm 504 and decryption algorithm 518 may use fields or portions of fields other than those illustrated in Figure 5. Also, other means of obscuring the fact that
  • SRI_SM_ACK message 404 is synthetic or obscuring the data contained within
  • SRI SM ACK message 404 is contemplated, including compression of data, mapping of data, etc. It will be understood that various details of the subject matter described herein may be changed without departing from the scope of the subject matter described herein. For example, the methods and systems described herein are not limited to SMS messages, but may apply to other messaging services, such as multimedia messaging services (MMS), may also apply to other mobility management related services, and may also apply to other telecommunication services that first locate a called party and then send data to that called party.
  • MMS multimedia messaging services

Abstract

Systems, methods, and computer readable media for detecting and mitigating address spoofing in messaging service transactions are disclosed. According to one aspect, the subject matter described herein includes a method for detecting and mitigating address spoofing in a messaging service transaction. A messaging service firewall separate from a short message service center (SMSC) and implemented on a platform including at least one processor receives a mobility management reply message that is sent by a mobile location register element in response to an associated mobility management query, the mobility management query and the mobility management reply message being associated with a mobility management transaction, the mobility management reply message including a message service recipient identifier and a serving switch identifier. The messaging service firewall allocates a global title address (GTA) from a pool of global title addresses within a range of global title addresses assigned to the firewall, and stores a correlation between the allocated GTA and an originating SMSC identifier. The messaging service firewall replaces the serving switch identifier in the mobility management reply message with the allocated GTA and routes the modified mobility management reply message. The messaging service firewall then receives a message service message associated with the mobility management transaction, the messaging service message being addressed to the allocated GTA, and determines the originating SMSC identifier to which the allocated GTA is correlated. The messaging service firewall compares SMSC identifier information extracted from the messaging service message with the originating SMSC identifier to which the allocated GTA is correlated to determine if the messaging service message contains spoofed address information. In response to determining that the messaging service message contains spoofed address information, the messaging service firewall discards the messaging service message.

Description

DESCRIPTION
SYSTEMS, METHODS, AND COMPUTER READABLE MEDIA FOR DETECTING AND MITIGATING ADDRESS SPOOFING IN MESSAGING
SERVICE TRANSACTIONS
PRIORITY CLAIM
This application claims the benefit of U.S. Provisional Patent Application Serial No. 61/159,323, filed March 11 , 2009; the disclosure of which is incorporated herein by reference in its entirety.
TECHNICAL FIELD
The subject matter described herein relates to methods and systems for detecting fraudulent activity within a telecommunications network. More particularly, the subject matter described herein relates to systems, methods, and computer readable media for detecting and mitigating address spoofing in messaging service transactions.
BACKGROUND
A telecommunications network may support one or more messaging services. One example messaging service is the short message service, or
SMS. SMS allows the communication of short text messages between mobile communications devices, such as mobile phones, personal digital assistants, and the like. For brevity, the term "mobile phone" is hereinafter used to generically refer to any type of mobile communications device, although the subject matter described herein is not so limited.
The delivery of an SMS message is a two-step process. First, if the receiver is a mobile subscriber, the receiver's current location - more specifically, the identity of the mobile switching center (MSC) that is currently serving the receiver's mobile phone, referred to as the serving MSC - must be determined. Second, the MT/SM message is forwarded to the serving MSC, which will transmit the MT/SM message to the receiver's mobile phone.
Figure 1A is a block diagram illustrating processing of an MT/SM message in a conventional signaling system #7 (SS7) based telecommunications network according to the steps described above. Telecommunications network 100 includes a short messaging service center (SMSC) node 102 for processing SMS messages, such as MT/SM message 104, which was sent from a mobile subscriber, sender 106, and intended for another mobile subscriber, receiver 108. To determine the current location of receiver 108, SMSC 102 sends a send routing information for short message (SRI_SM) message 110 to the home location register (HLR) 112 which maintains the current location of receiver 108. HLR 112 sends a response message, such as SRI_SM_ACK message 114, to SMSC 102. SRI_SM_ACK message 114 includes information identifying subscriber 108, such as the (IMSI) for subscriber 108. In the conventional system illustrated in Figure 1 , the information identifying subscriber 108 is subscriber 108's IMSI number, represented in Figure 1 as "IMSI#". SRI_SM_ACK message 114 also includes information identifying the MSC currently serving receiver 108. In the conventional system illustrated in Figure 1A, MSC 116 is currently serving receiver 108, and MSC 116 is identified by its network address, represented in Figure 1 as "ADDR1 ". SMSC 102 then issues a MT_FORWARD_SM message 118 to MSC 116, which delivers what is essentially the original MT/SM message 104' to receiver 108.
In the scenario where sender 106 is in a first mobile telecommunications network and receiver 108 is in a second mobile telecommunications network, the SMS message is communicated from the first network, hereinafter referred to as the originating network, to the second network, hereinafter referred to as the terminating network. In the conventional network illustrated in Figure 1A, SMSC 102 is an entity in the originating network and HLR 112 and MSC 116 are entities in a terminating network that is different from the originating network.
It is not uncommon for a terminating network to charge a termination fee for receiving and processing SMS messages that originate from other networks. The terminating network may determine the identity of the originating network - and thus determine whom to charge - by looking at the source address fields within either SRI_SM message 110 or MT_FORWARD_SM message 118. Moreover, both SRI_SM message 110 and MTJFC>RWARD_SM message 118 contain the address of SMSC 102 at two layers of the signaling message protocol, and thus within two separate sets of message parameters or fields: the signaling connection control part (SCCP) layer and the mobile application part (MAP) layer. Table 1, below, lists the parameter names for the two messages and the two layers.
Figure imgf000005_0001
In the conventional telecommunication network illustrated in Figure 1A1 MSC 116 may, upon receiving MT_FORWARD_SM message 118, determine that the message originated from a different network and, in response to that determination, extract the SMSC address from MT_FORWARD_SM message 118. The terminating network may then identify the network to which SMSC 102 belongs and charge a termination fee 120 to the identified originating network. To avoid being charged a termination fee for SMS messages sent to the terminating network, unscrupulous originating network operators may "spoof (falsify) the contents of the SMS message so that the SMS message appears to have come from a third telecommunications network rather than from the actual originating network. Figure 1 B is a block diagram illustrating MT/SM spoofing in the conventional telecommunications network of Figure 1 A. Elements of Figure 1 B are essentially identical to their like-numbered counterparts in Figure 1A, and therefore their descriptions will not be repeated here. In addition to the originating and terminating networks of Figure 1A, now labeled as "NW1" and "NW2", respectively, Figure 1 B also includes a third network, "NW3", which contains its own SMSC 122. In the scenario illustrated in Figure 1 B, terminating network NW2 receives from originating network NW1 an SMS message, such as MT_FORWARD_SM message 118', with a spoofed origination address ("ADDR3") that falsely indicates that the SMS message came from SMSC 122. The terminating network then incorrectly charges termination fee 120' to the third telecommunications network NW3 rather than to the actual originating network NW1. In this manner, an unscrupulous network operator (e.g., the operator of NW1) may fraudulently avoid termination fees that would otherwise be imposed upon it by the terminating network NW2.
This is a particularly pernicious problem in light of unwanted solicitations, colloquially called "spam", which flood the world's email systems daily with millions or billions of unwanted messages. The entities that generate these unwanted communications have recently started sending spam via SMS. Spam SMS messages are particularly grievous since the subscriber is often charged a fee for every SMS message received, which results in a subscriber not only receiving unwanted and often offensive SMS messages, but the subscriber having to pay for these unwanted SMS messages. Some subscribers may have plans that have a finite number of SMS messages that may be sent or received within a billing period, where the subscriber is charged a steep fee for every additional message sent or received during that billing period. In a worst case scenario, the charge levied upon the subscriber due to the additional SMS messages may be many times more than the cost of the original subscription. Network operators may then face the prospect of absorbing the cost themselves or risk losing subscribers. In this scenario particularly, the network operator would desire to detect and discard spoofed MT/SM messages.
Accordingly, in light of the potential for fraudulent spoofing of SMS addresses, there exists a need for systems, methods, and computer readable media for detecting and mitigating address spoofing in messaging service transactions.
SUMMARY
According to one aspect, the subject matter described herein includes a method for detecting and mitigating address spoofing in a messaging service transaction. A messaging service firewall separate from a short message service center (SMSC) and implemented on a platform including at least one processor receives a mobility management reply message that is sent by a mobile location register element in response to an associated mobility management query, the mobility management query and the mobility management reply message being associated with a mobility management transaction, the mobility management reply message including a message service recipient identifier and a serving switch identifier. The messaging service firewall allocates a global title address (GTA) from a pool of global title addresses within a range of global title addresses assigned to the firewall, and stores a correlation between the allocated GTA and an originating SMSC identifier. The messaging service firewall replaces the serving switch identifier in the mobility management reply message with the allocated GTA and routes the modified mobility management reply message. The messaging service firewall then receives a message service message associated with the mobility management transaction, the messaging service message being addressed to the allocated GTA, and determines the originating SMSC identifier to which the allocated GTA is correlated. The messaging service firewall compares SMSC identifier information extracted from the messaging service message with the originating SMSC identifier to which the allocated GTA is correlated to determine if the messaging service message contains spoofed address information. In response to determining that the messaging service message contains spoofed address information, the messaging service firewall discards the messaging service message.
According to another aspect, the subject matter described herein includes a method for detecting and mitigating address spoofing in a messaging service transaction. A messaging service firewall separate from a short message service center (SMSC) and implemented on a platform including at least one processor receives a mobility management query message associated with a message delivery transaction that is sent by an originating SMSC element, where the mobility management query message includes a message service recipient identifier and a first originating SMSC identifier. The messaging service firewall generates a mobility management reply message in response to the query message, the reply message including a least a portion of the first originating SMSC identifier in one or more parameters of the reply message that trigger the originating SMSC to echo the parameters in a subsequent message associated with the message delivery transaction. The messaging service firewall receives a messaging service message associated with the message delivery transaction, where the messaging service message includes the echoed parameters, and extracts the echoed parameters from the messaging service message. The messaging service firewall compares SMSC identifier information extracted from the messaging service message with SMSC identifier information contained in the routing label of the received messaging service message to determine if the messaging service message contains spoofed address information. In response to determining that the messaging service message contains spoofed address information, the messaging service firewall discards the messaging service message.
According to yet another aspect, the subject matter described herein includes a system for detecting and mitigating address spoofing in messaging service transactions. The system includes a messaging service firewall separate from a short message service center (SMSC) and implemented on a platform including at least one processor. The messaging service firewall includes a network interface for sending and receiving signaling messages and a spoofing detection module for: receiving, from the network interface, a mobility management reply message that is sent by a mobile location register element in response to an associated mobility management query, where the mobility management reply message includes a message service recipient identifier and a serving switch identifier; allocating a global title address (GTA) from a pool of global title addresses within a range of global title addresses assigned to the firewall; generating and storing a correlation record that associates the GTA with an originating SMSC identifier; replacing the serving switch identifier in the reply message with the firewall GTA; and routing the modified reply message. The spoofing detection module is also for: receiving, from the network interface, a message service message including the allocated GTA and using the allocated GTA to locate the correlation record; comparing SMSC identifier information extracted from the messaging service message with SMSC identifier information contained in the correlation record to determine if the messaging service message contains spoofed address information; and, in response to determining that the messaging service message contains spoofed address information, discarding the messaging service message.
According to yet another aspect, the subject matter described herein includes a system for detecting and mitigating address spoofing in messaging service transactions. The system includes a messaging service firewall separate from a short message service center (SMSC) and implemented on a platform including at least one processor. The messaging service firewall includes a network interface for sending and receiving signaling messages and a spoofing detection module for receiving, from the network interface, a mobility management query message associated with a message delivery transaction that is sent by an originating SMSC element, where the mobility management query message includes a message service recipient identifier and a first originating SMSC identifier, and generating a mobility management reply message, in response to the query message, that includes a least a portion of the first originating SMSC identifier in one or more parameters of the reply message that trigger the originating SMSC to echo the parameters in a subsequent message associated with the message delivery transaction. The spoofing detection module is also for receiving, from the network interface, a messaging service message associated with the message delivery transaction, where the messaging service message includes the echoed parameters; extracting the echoed parameters in the messaging service message; comparing SMSC identifier information extracted from the messaging service message with SMSC identifier information contained in the routing label of the received messaging service message to determine if the messaging service message contains spoofed address information; and, in response to determining that the messaging service message contains spoofed address information, discarding the messaging service message.
The subject matter described herein for detecting and mitigating address spoofing in messaging service transactions may be implemented in hardware, software, firmware, or any combination thereof. As such, the terms "function" or "module" as used herein refer to hardware, software, and/or firmware for implementing the feature being described. In one exemplary implementation, the subject matter described herein may be implemented using a non-transitory computer readable medium having stored thereon computer executable instructions that when executed by the processor of a computer control the computer to perform steps. Exemplary computer readable media suitable for implementing the subject matter described herein include non-transitory computer-readable media, such as disk memory devices, chip memory devices, programmable logic devices, and application specific integrated circuits. In addition, a computer readable medium that implements the subject matter described herein may be located on a single device or computing platform or may be distributed across multiple devices or computing platforms.
BRIEF DESCRIPTION OF THE DRAWINGS
Preferred embodiments of the subject matter described herein will now be explained with reference to the accompanying drawings, wherein like reference numerals represent like parts, of which: Figures 1A and 1 B are block diagrams illustrating processing of an
MT/SM message in a conventional signaling system #7 (SS7) based telecommunications network. Figure 1A illustrates normal (non-fraudulent) MT/SM processing, while Figure 1B illustrates MT/SM address spoofing;
Figure 2 is a block diagram illustrating an exemplary system for detecting and mitigating address spoofing in messaging service transactions according to an embodiment of the subject matter described herein;
Figures 3A, 3B, and 3C are signaling message flow diagrams illustrating messages communicated within a system during an exemplary process for detecting and mitigating address spoofing in messaging service transactions according to an embodiment of the subject matter described herein;
Figures 4A and 4B are signaling message flow diagrams illustrating messages communicated within a system during an exemplary process for detecting and mitigating address spoofing in messaging service transactions according to another embodiment of the subject matter described herein; and Figure 5 is a block diagram illustrating a method for encrypting the data necessary for detecting and mitigating address spoofing in messaging service transactions according to an embodiment of the subject matter described herein. DETAILED DESCRIPTION
In accordance with the subject matter disclosed herein, systems, methods, and computer readable media are provided for detecting and mitigating address spoofing in messaging service transactions.
Reference will now be made in detail to exemplary embodiments of the present invention, examples of which are illustrated in the accompanying drawings. Wherever possible, the same reference numbers will be used throughout the drawings to refer to the same or like parts. Figure 2 is a block diagram illustrating an exemplary system for detecting and mitigating address spoofing in messaging service transactions according to an embodiment of the subject matter described herein. System 200 includes one more firewall nodes 202 for detecting and mitigating address spoofing. In the embodiment illustrated in Figure 2, system 200 includes four firewall nodes 202, labeled "FWLT1 "FWL2", "FWL3", and "FWL4", respectively. Firewall nodes 202 intercept and process SMS-related messages that may be sent by a short message service center (SMSC) 204. Example messages that may be intercepted include: send routing information for short message (SRI_SM) messages that are sent by SMSC 204 to a home location register (HLR) 206; mobile-terminated forward short message (MT_F_SM) messages that are sent by SMSC 204 to a serving mobile switching center (SRVMSC) 208; and other types of SMS messages.
In the embodiment illustrated in Figure 2, a signaling message routing node, such as signal transfer point (STP) 210, may distribute incoming SMS- related messages to firewall nodes 202. In one embodiment, STP 210 may assign incoming SMS-related messages to firewall nodes 202 based on the identity of the intended receiver, generically referred to as the "called party" or CDPA. The called party may be identified using a global title address (GTA). In one embodiment, STP 210 may make use of a table, database, or other appropriate construct, such as global title translation (GTT) table 212, that maps a range of called party addresses to particular firewall nodes 202. In the embodiment illustrated in Figure 2, GTT table 212 maps called parties to firewall nodes 202 according to the called party's GTA. In GTT table 212, SMS-related messages that involve called parties with a GTA that matches the pattern "+316261*" are assigned or forwarded to FWL1 for processing, SMS- related messages that involve called parties with a GTA that matches the pattern "+316262*" are assigned or forwarded to FWL2 for processing, and so on. Each of firewall nodes 202 may access HLR 206 and each may communicate with STP 210, SRVMSC 208, or other telecommunication network nodes.
For the purposes of illustration only and without limitation, system 200 in Figure 2 includes two separate telecommunications networks: a first network (NW1), which contains SMSC 204; and a second network (NW2), which contains every other element illustrated in Figure 2. In the examples of MT/SM spoofing detection and mitigation below, NW1 may also be referred to as the originating network and NW2 may also be referred to as the terminating network. For ease of illustration and without limitation, some of the nodes within system 200 will be given network identifiers, e.g., network addresses, in simplified form. For example, in the embodiment illustrated in Figure 2, SMSC 204 has a network address of "AAA"; of the firewall nodes 202, FWL1 has a network address of "BBB"; HLR 206 has a network address of "CCC"; and SRVMSC 208 has a network address of "DDD". In the embodiment illustrated in Figure 2, a mobile subscriber (MS) 214 is being served by SRVMSC 208. MS 214 is identified by both a mobile subscriber integrated services digital network (MSISDN) number, "EEE", and an international mobile subscriber identity (IMSI) number, "FFF". STP 210 has a network address of "GGG". The operation of system 200 will now be described. In the embodiment, illustrated in Figure 2, each firewall node 202 includes a network interface (NWIF) 216 for sending and receiving signaling messages, and a spoofing detection module (SDM) 218.
In one embodiment, spoofing detection module 218 is for: receiving, from the network interface, a mobility management query message associated with a message delivery transaction that is sent by an originating SMSC element, where the mobility management query message includes a message service recipient identifier and a first originating SMSC identifier; generating a mobility management reply message, in response to the query message, that includes a least a portion of the first originating SMSC identifier in one or more parameters of the reply message that trigger the originating SMSC to echo the parameters in a subsequent message associated with the message delivery transaction; receiving, from the network interface, a messaging service message associated with the message delivery transaction, where the messaging service message includes the echoed parameters; extracting the echoed parameters in the messaging service message; comparing SMSC identifier information extracted from the messaging service message with SMSC identifier information contained in the routing label of the received messaging service message to determine if the messaging service message contains spoofed address information; and, in response to determining that the messaging service message contains spoofed address information, discarding the messaging service message.
In an alternative embodiment, spoofing detection module 218 is for: receiving, from the network interface, a mobility management query message associated with a message delivery transaction that is sent by an originating SMSC element, where the mobility management query message includes a message service recipient identifier and a first originating SMSC identifier; generating a mobility management reply message, in response to the query message, that includes a least a portion of the first originating SMSC identifier in one or more parameters of the reply message that trigger the originating SMSC to echo the parameters in a subsequent message associated with the message delivery transaction; receiving, from the network interface, a messaging service message associated with the message delivery transaction, where the messaging service message includes the echoed parameters; extracting the echoed parameters in the messaging service message; comparing SMSC identifier information extracted from the messaging service message with SMSC identifier information contained in the routing label of the received messaging service message to determine if the messaging service message contains spoofed address information; and, in response to determining that the messaging service message contains spoofed address information, discarding the messaging service message. Figures 3A, 3B, and 3C are signaling message flow diagrams illustrating messages communicated within exemplary system 200 during a process for detecting and mitigating address spoofing in messaging service transactions according to an embodiment of the subject matter described herein. Figures 3A, 3B1 and 3C show messages communicated between SMSC 204, STP 210, FWL1 202, HLR 206, and SRVMSC 208. These nodes are identical to their like-numbered counterparts illustrated in Figure 2, and therefore their descriptions will not be repeated here.
Referring now to Figure 3A, in one embodiment, SMSC 204 may send a mobility management request message 300 requesting routing information for a called party mobile subscriber, who is identified by a called party address (CDPA). In the embodiment illustrated in Figure 3A, SMSC 204 sends a send routing information for short message (SRI_SM) message to determine the routing information for mobile subscriber MS 214, whose MSISDN number is "EEE".
In one embodiment, mobility management request message 300 may include information indicating the source of the message. In the embodiment illustrated in Figure 3A, mobility management request message 300 includes a field or parameter called "SRC", which stores the address of SMSC 204, which has a network address of "AAA". In one embodiment, mobility management request message 300 is received or intercepted by a routing node, STP 210.
At block 302, STP 210 selects one of firewall nodes 202 based on the called party address contained within mobility management request message
300. In the embodiment illustrated in Figure 3A, STP 210 selects FWL1 , whose network address is "BBB", and forwards the SRI_SM message to FWL1 , shown in Figure 3A as message 304. In alternative embodiments, system 200 may have only one firewall node 202, in which case mobility management request message 300 may be routed to that firewall node either with or without the need for STP 210. In one embodiment, network NVV2 may not include an STP.
Forwarding an unmodified SRI_SM message from FWL1 202 to HRL 206 does not guarantee that the response to the SRI_SM message, such as an SRI_SM_ACK message, will return through FWL1 202. Thus, in one embodiment, at block 306, firewall node FWL1 202 terminates SRI_SM message 304 and generates a new SRI_SM message 308, which sends to HLR 206. HLR 206 sends a reply message, SRI_SM_ACK 310, containing the IMSI number ("FFF") for MS 214 and an identity of the serving MSC ("DDD"). For brevity, the IMSI and serving MSC parameters are displayed in all figures using the format "IMSI@servingMSC". Alternatively, FWL1 202 may modify the original mobility management request message 300 in such as manner as to guarantee that the response from HLR 206 returns through FWL1 202. For example, FWL1 202 may update the source information in the routing label so that it appears to HLR 206 that the mobility management request message originated from FWL1 202.
In one embodiment, firewall node FWL1 202 has at its disposal a pool of addresses or other form of identity by which it may be identified. In the embodiment illustrated in Figure 3A, FWL1 202 has a collection of global title addresses (GTAs), shown as values "GTAO" through "GTA9". At block 312, FWL1 202, selects an available GTA (e.g., "GTA7") to be used for a message delivery transaction, of which mobility management request message 300 is only the first part.
At block 314, FWL1 202 stores a correlation between the selected or allocated GTA and information identifying an originating SMSC. In one embodiment, FWL1 202 may store correlation information in the form of a correlation record in a table, database, or other form of data storage and retrieval. In the embodiment illustrated in Figure 3A, FWL1 202 may use the selected GTA as a key and store the address of the originating SMSC 204 and the identity of the MSC currently serving the mobile subscriber. For example, FWL1 202 may use the key "GTA7" to store the value "AAA" in a record field labeled "SRC" and to store the value "DDD" in a record field labeled "SRVMSC". In one embodiment, firewall nodes 202 may allocate each of its available GTAs to only one correlation record at a time; allocated GTAs are then unavailable to be allocated again until the allocated GTA is deallocated or released back into the pool. A GTA may be deallocated or released as a result of various trigger conditions, such as the completion (or abandonment) of the mobility management transaction to which the GTA is associated, explicit instruction from the network operator or provisioning system, node, module, or service reset, etc.
At block 316, FWL1 202 terminates SRI_SM_ACK message 314 that it receives from HLR 206 and generates a new SRI_SM_ACK message 318, which it forwards to SMSC 204. Generated SRI_SM_ACK message 318 contains the IMSI for MS 214, i.e., "FFF", but instead of the address of SRVMSC 208, FWL1 202 replaces the actual value "DDD" with the address of the selected GTA, e.g., "GTA7". In this manner, FWL1 202 can guarantee that, as will be shown below, other messages involved in the message delivery transaction will also be routed through FWL1 202. By guaranteeing that all messages involved in the message delivery transaction are seen by the same node (e.g., FWL1 202), this ensures the opportunity to compare the address of the originating SMSC (e.g., SMSC 204) as reported in the mobility management query message with the address of the originating SMSC as reported in any subsequent message service message that is part of the same mobility management transaction. If the addresses are not the same, this is a very likely indication of spoofing. The process continues in Figures 3B and 3C.
Figure 3B illustrates detection of a spoofed MT/SM message, and Figure
3C illustrates processing of a legitimate (i.e., non-spoofed) MT/SM message. Starting with Figure 3B, in response to receiving SRI_SM_ACK message 318 from FWL1 202, SMSC 204 now has enough information to deliver the MT/SM message. Thus, SMSC 204 may issue a mobile-terminated forward short message (MT_F_SM) message 320 to what SMSC 204 has been told is the MSC that is currently serving MS 214. Actually, MT_F_SM message 320 is addressed to FWL1 202. In the embodiment illustrated in Figure 3B, SMSC 204 attempts to spoof the source address of the MT_F_SM message in order to avoid a termination fee from NW2. Thus, MT_F_SM message 320 includes false information, shown as "FAKE_ADDR" in Figure 3B, in the SRC field of MT_F_SM message 320. MT_F_SM message 320 is received by FWL1 202. At block 322, FWL1
202 extracts the key, which FWL1 202 will use to look up the correlation information, from received MT_F_SM message 320. In the embodiment illustrated in Figure 3B, the key is "GTA7" and the value of the correlation data is the address of the source of mobility management request message 300, or "AAA". FWL1 202 may then simply compare the purported source of MT_F_SM message 320 ("FAKE_ADDR") with the source of the associated mobility management request message 300 ("AAA"), and determine that MTJF_SM message 320 has a spoofed address. As shown in block 324 of Figure 3B, FWL1 202 may then discard the MT_F_SM message or otherwise prohibit it from being forwarded to SRVMSC 208.
Figure 3C illustrates processing of a legitimate (i.e., non-spoofed) MT/SM message. In Figure 3C, in response to receiving SRI_SM_ACK message 318 from FWL1 202, SMSC 204 now has enough information to deliver the MT/SM message. Thus, SMSC 204 may issue a mobile-terminated forward short message (MT_F_SM) message 328 to what SMSC 204 has been told is the MSC that is currently serving MS 214. Actually, MT_F_SM message 328 is addressed to FWL1 202. In the embodiment illustrated in Figure 3C, MT_F_SM message 328 is a legitimate MT/SM message that contains the true identity of the source SMSC 204: the "SRC" field contains the address of SMSC 204, which is "AAA".
MT_F_SM message 328 is received by FWL1 202. At block 330, FWL1 202 extracts the key, which FWL1 202 will use to look up the correlation information, from received MT_F_SM message 328. In the embodiment illustrated in Figure 3C, the key is "GTA7" and the correlation data associated with that key is the address of the source of mobility management request message 300 ("AAA"), and the identity of the MSC currently serving MS 214 ("DDD"). FWL1 202 may then simply compare the purported source of MT_F_SM message 328 ("AAA") with the source of the associated mobility management request message 300 ("AAA"), and determine that MT_F_SM message 328 is legitimate. FWL1 202 may then forward the legitimate message 334 to currently serving MSC 208.
Figures 4A and 4B are signaling message flow diagrams illustrating messages communicated within exemplary system 200 during a process for detecting and mitigating address spoofing in messaging service transactions according to another embodiment of the subject matter described herein. Figures 4A and 4B show messages communicated between SMSC 204, STP 210, FWL1 202, HLR 206, and SRVMSC 208. These nodes are identical to their like-numbered counterparts illustrated in Figure 2, and therefore their descriptions will not be repeated here.
In the embodiment illustrated in Figures 4A and 4B, MT/SM spoofing detection and mitigation is accomplished without the need to store correlation data. Instead, a firewall node responds to a mobility management query, such as an SRI_SM or similar, with what is herein referred to as a "synthetic" response. A synthetic response is a mobility management query response, such as an SRI SM ACK or similar, that appears to be a real response but which does not contain real data. Instead, the synthetic response is constructed in such as way as to guarantee that any subsequent mobility management message that is associated with the first mobility management request will: a) be directed to the same firewall that created and issued the synthetic response, and b) include information that identifies the original mobility management request.
In other words, rather than storing correlation data within the firewall node, the firewall node stores the correlation data in the synthetic response itself, and presumes that when a subsequent mobility management message, such as a mobility service request, arrives, the subsequent mobility management message will contain the correlation data that the firewall node needs to perform spoofing detection and mitigation. This process will now be described in detail using Figures 4A and 4B.
In one embodiment, an SMSC may send a mobility management request message requesting routing information for a called party mobile subscriber, such as MS 214, identified by MSISDN number ("EEE"). In the embodiment illustrated in Figure 4A, SMSC 204 sends SRI_SM message 400, the message requesting routing information for mobile subscriber MS 214, whose MSISDN number is "EEE". SRI_SM message 400 is received and routed by STP 210, which directs SRI_SM message 400 to firewall node, FVVL 202.
At block 402 in Figure 4A, FWL 202 does not forward the SRI_SM message to an HLR, but instead generates a synthetic response message, SRI_SM_ACK message 404. A real SRI_SM_ACK message would return the IMSI number of the mobile subscriber called party, and an identifier of the MSC currently serving the mobile subscriber called party. In the embodiment illustrated in Figure 4A, for example, a real SRI_SM_ACK message would return an IMSI value of "FFF" and a serving MSC identifier of "DDD". Instead, FWL 202 creates a synthetic SRI_SM_ACK message 404 that stores the MSISDN number from SRI_SM message 400 in the IMSI field and stores the address of the source of SRI_SM message 400 in the serving MSC field.
However, FWL 202 cannot completely replace the contents of the serving MSC identifier (e.g., address "DDD") with the address of the source of SRI_SM message 400 (e.g., address "AAA"), because the serving MSC identifier is subsequently used by SMSC 204 as the destination for the message service request. If synthetic SRI_SM_ACK message 404 included address AAA in the serving MSC field, a subsequent MT_F_SM message would be delivered back to SMSC 204. To overcome this problem, only a portion of the serving MSC address field in synthetic SRI_SM_ACK message 404 contains the address of the source of the SRI_SM message 400. In one embodiment, the serving MSC address is an MSISDN number, of the format shown below:
CC : NDC : SN where CC = country code, NDC = network destination code, and SN = subscriber number. The CC and NDC fields must contain values that are correct for FWL 202, so that the subsequent messaging service message is directed to the correct country and network to which FWL 202 belongs. This leaves only the SN field, which FWL 202 uses to store the address "AAA". In one embodiment, only a portion of address AAA is stored in the SN portion of the serving MSC field; as will be seen below, this is enough information to detect spoofing. In another embodiment, also described below, the various pieces of information needed for correlation and spoofing detection may be combined, encrypted, and/or compressed to fit into the available spaces of the IMSI and serving MSC fields within synthetic SRI_SM_ACK message 404.
Referring again to Figure 4A, block 402, FWL 202 issues synthetic SRI_SM_ACK message 404 with the IMSI field containing value "EEE" (the MSISDN number for MS 214) and the serving MSC field containing a first portion that identifies the network to which FWL 202 belongs (shown as "NW2" in Figure 4A) and a second portion that identifies the source of SRI SM message 400 (shown as "AAA" in Figure 4A). This information is represented as "EEE@NW2+AAA" in Figure 4A. At block 406, SMSC 204 receives synthetic SRI_SM_ACK message 404 and uses the IMSI@servingMSC information to issue a message service request message to what it believes to the serving MSC. In the embodiment illustrated in Figure 4A, SMSC 204 issues MT_F_SM message 408 to the address "NW2+AAA". However, as described above, address "NW2+AAA" is not a real address; but the "NW2" portion of the address is enough for SMSC 204 to know that MT_F_SM message 408 must be routed first to STP 210, which receives MT_F_SM message 408.
At block 410, STP 210 uses MAP filtering to determine that MT_F_SM message 408 is a mobility management service message, and therefore forwards the message to FWL 202. The forwarded MT_F_SM message 412 is thus guaranteed to go to the same firewall node that received and processed the original mobility management query message (e.g., SRI_SM message 400) that is associated with the subsequent mobility management service message (e.g., MT_F_SM message 404.) The process continues in Figure 4B. Upon receipt of forwarded
MT_F_SM message 412, FWL 202 determines the source of MT_F_SM message 412 with the information, stored in the serving MSC field, that identifies the source of SRI_SM message 400, as shown in block 414. In the embodiment illustrated in Figure 3B, FWL 202 determines that MT_F_SM message 412 came from SMSC 204 (identified by address "AAA") and that the source of SRI_SM message 400 was also SMSC 204, because the serving MSC field of MT_F_SM message 412 also contains the value "AAA". At block 416, FWL 202 compares the two values, determines that they match (AAA == AAA), and thus determines that MT_F_SM message 412 is not spoofed. Had the two values not matched, FWL 202 would determine that MT_F_SM message 412 was spoofed, and would have discarded MT_F_SM message 412, and the process would have ended there. Since, in the embodiment illustrated in Figure 4B, MT_F_SM message 412 is authentic, FWL 202 now performs all of the necessary steps for SMS message delivery. First, FWL 202 queries HLR 206 for the location of MS 214 (SRI_SM message 418) and gets a response (SRI_SM_ACK message 420). Second FWL 202 modifies MT_F_SM message 412 to include the authentic IMSI number and serving MSC identifier (e.g., FFF@DDD) and forwards the modified MT_F_SM message 424 to the correct serving MSC, SRVMSC 208. The serving MSC may then issue a termination fee 426 to the originating SMSC 204. It may be desirable to obscure the fact that the SRI_SM_ACK message that FWL 202 sends to SMSC 204 is synthetic. Thus, in one embodiment, the correlation data that FWL 202 stores in the IMSI and serving MSC fields of synthetic SRI_SM_ACK message 404 may be encrypted. This is illustrated in Figure 5. Figure 5 is a block diagram illustrating a method for encrypting the data necessary for detecting and mitigating address spoofing in messaging service transactions according to an embodiment of the subject matter described herein. Figure 5 illustrates in more detail selected parameters of SRI_SM message 400, synthetic SRI_SM_ACK message 404, MT_F_SM message 412, and SRI SM message 418, from Figures 4A and 4B.
In one embodiment, FWL 202 receives SRI_SM message 400, which includes two parameters: the SCCP SMSC (SRC) parameter 500, which is in MSISDN format, and the called party (CDPA) parameter 502, also in MSISDN format. FWL 202 uses the country code (CC) and network destination code (NDC) fields of SRC parameter 500 and all of the fields of CDPA parameter 502 as input into an encryption algorithm 504. Encryption algorithm 504 may also require an encryption key 506 as input. The output of encryption algorithm 504 is used to generate synthetic SRI_SM_ACK message 404, which has two parameters: the IMSI number (IMSI) parameter 508 and the serving MSC (SRVMSC) parameter 510. IMSI parameter 508 is in the IMSI format, which includes the following fields:
MCC : MNC : MSIN where MCC = mobile country code, MNC = mobile network code, and MSIN = mobile subscriber identity number. SRVMSC parameter 510 is in the MSISDN format.
In the embodiment illustrated in Figure 5, the output of encryption algorithm 504 includes data that will be placed into the MSIN field of IMSI parameter 508 and the SN field of SRVMSC parameter 510. As described above, the CC and NDC fields of SRVMSC parameter 510 must contain CC and NDC values that will cause the subsequent MTJF_SM message 412 to be routed to the network to which FWL 202 belongs, so that FWL 202 will receive subsequent MT_F_SM message 412. In one embodiment, the CC and NCD fields of CDPA parameter 502 may be compressed or replaced with an alias 512 to save space.
Figure 5 also illustrates in detail the parameters within MT_F_SM message 412, which also includes an IMSI parameter 514 and a SRVMSC parameter 516. If MT_F_SM message 412 is related to SRI_SM_ACK message 404, the contents of IMSI parameter 514 should be the same as IMSI parameter 508 and the contents of SRVMSC parameter 516 should be the same as SRVMSC parameter 510. In response to receiving MT_F_SM message 412, FWL 202 will extract information from the MSIN field of IMSI parameter 514 and the SN field of SRVMSC parameter 516, and use them as input into a decryption algorithm 518. Decryption algorithm 518 may also use a decryption key 520, which may be the same key or a different key from encryption key 506, depending on whether the encryption algorithm is symmetric or asymmetric, respectively.
In the embodiment illustrated in Figure 5, the output of decryption algorithm 518 includes data that will be placed into the CC, NDC, and SN fields of SCCP SMSC (SCR) parameter 522 and into the CC and NDC fields of SRVMSC parameter 524 of SRI_SM message 418. In one embodiment, the output of decryption algorithm 518 may include an alias 526 which must be decompressed or mapped to a set of data for the CC and NDC fields of IMSI parameter 522. In this manner, the correlation data stored by FWL 202 in various fields within SRI_SM_ACK message 404 will return to FWL 202 via the equivalent fields of MT_F_SM message 412. From the recovered correlation data, FWL 202 has enough information to reconstruct its own SRI_SM message 418, which it will send to HLR 206.
To detect spoofing, FWL 202 can compare the SCCP SMSC parameter
522, which stores information indicating the source of original SRI_SM message 400, with the contents of the SCCP SMSC parameter for MT_F_SM message 412 (not shown in Figure 5). If the two values are the same,
MT_F_SM message 412 is legitimate.
In some systems, however, the entity that sends the original SRI_SM message may be different from the entity that sends the subsequent MT_F_SM message. Alternatively, the same entity may send both messages but that entity may be a cluster of nodes, or a single node that uses multiple addresses.
In these scenarios, the contents of SCCP SMSC parameter 522 may not be exactly the same as source address of MT_F_SM message 412. However, since the purpose of spoofing is usually to redirect a termination fee from the originating network to a third network, comparing only the CC and NDC fields of the two addresses is enough to determine whether or not MT_F_SM message
412 is spoofed.
The embodiment illustrated in Figure 5 is for illustration purposes and is not intended to be limiting. For example, encryption algorithm 504 and decryption algorithm 518 may use fields or portions of fields other than those illustrated in Figure 5. Also, other means of obscuring the fact that
SRI_SM_ACK message 404 is synthetic or obscuring the data contained within
SRI SM ACK message 404 is contemplated, including compression of data, mapping of data, etc. It will be understood that various details of the subject matter described herein may be changed without departing from the scope of the subject matter described herein. For example, the methods and systems described herein are not limited to SMS messages, but may apply to other messaging services, such as multimedia messaging services (MMS), may also apply to other mobility management related services, and may also apply to other telecommunication services that first locate a called party and then send data to that called party.
Furthermore, the foregoing description is for the purpose of illustration only, and not for the purpose of limitation.

Claims

CLAIMS What is claimed is:
1. A method for detecting and mitigating address spoofing in a messaging service transaction, the method comprising: at a messaging service firewall separate from a short message service center (SMSC) and implemented on a platform including at least one processor: receiving a mobility management reply message that is sent by a mobile location register element in response to an associated mobility management query, the mobility management query and the mobility management reply message being associated with a mobility management transaction, the mobility management reply message including a message service recipient identifier and a serving switch identifier; allocating a global title address (GTA) from a pool of global title addresses within a range of global title addresses assigned to the firewall; storing a correlation between the allocated GTA and an originating SMSC identifier; replacing the serving switch identifier in the mobility management reply message with the allocated GTA; routing the modified mobility management reply message; receiving a message service message associated with the mobility management transaction, the messaging service message being addressed to the allocated GTA; determining the originating SMSC identifier to which the allocated GTA is correlated; comparing SMSC identifier information extracted from the messaging service message with the originating SMSC identifier to which the allocated GTA is correlated to determine if the messaging service message contains spoofed address information; and in response to determining that the messaging service message contains spoofed address information, discarding the messaging service message.
2. The method of claim 1 comprising generating a message detail record based on the attempted delivery of the message service message.
3. A method for detecting and mitigating address spoofing in a messaging service transaction, the method comprising: at a messaging service firewall separate from a short message service center (SMSC) and implemented on a platform including at least one processor: receiving a mobility management query message associated with a message delivery transaction that is sent by an originating SMSC element, where the mobility management query message includes a message service recipient identifier and a first originating SMSC identifier; generating a mobility management reply message in response to the query message, the reply message including a least a portion of the first originating SMSC identifier in one or more parameters of the reply message that trigger the originating SMSC to echo the parameters in a subsequent message associated with the message delivery transaction; receiving a messaging service message associated with the message delivery transaction, where the messaging service message includes the echoed parameters; extracting the echoed parameters from the messaging service message; comparing SMSC identifier information extracted from the messaging service message with SMSC identifier information contained in the routing label of the received messaging service message to determine if the messaging service message contains spoofed address information; and in response to determining that the messaging service message contains spoofed address information, discarding the messaging service message.
4. The method of claim 3 comprising generating a message detail record based on the attempted delivery of the message service message.
5. The method of claim 3 wherein receiving the messaging service message associated with the message delivery transaction comprises receiving the messaging service message from a signaling message routing node that uses mobile application part (MAP) screening to route received messaging service messages.
6. A system for detecting and mitigating address spoofing in messaging service transactions, the system comprising: a messaging service firewall separate from a short message service center (SMSC) and implemented on a platform including at least one processor, the messaging service firewall including: a network interface for sending and receiving signaling messages; and a spoofing detection module for: receiving, from the network interface, a mobility management reply message that is sent by a mobile location register element in response to an associated mobility management query, where the mobility management reply message includes a message service recipient identifier and a serving switch identifier; allocating a global title address (GTA) from a pool of global title addresses within a range of global title addresses assigned to the firewall; generating and storing a correlation record that associates the GTA with an originating SMSC identifier; replacing the serving switch identifier in the reply message with the firewall GTA; routing the modified reply message; receiving, from the network interface, a message service message including the allocated GTA and using the allocated GTA to locate the correlation record; comparing SMSC identifier information extracted from the messaging service message with SMSC identifier information contained in the correlation record to determine if the messaging service message contains spoofed address information; and in response to determining that the messaging service message contains spoofed address information, discarding the messaging service message.
7. The system of claim 6 wherein the messaging service firewall generates a message detail record based on the attempted delivery of the message service message.
8. A system for detecting and mitigating address spoofing in messaging service transactions, the system comprising: a messaging service firewall separate from a short message service center (SMSC) and implemented on a platform including at least one processor, the messaging service firewall including: a network interface for sending and receiving signaling messages; and a spoofing detection module for: receiving, from the network interface, a mobility management query message associated with a message delivery transaction that is sent by an originating SMSC element, where the mobility management query message includes a message service recipient identifier and a first originating SMSC identifier; generating a mobility management reply message, in response to the query message, that includes a least a portion of the first originating SMSC identifier in one or more parameters of the reply message that trigger the originating SMSC to echo the parameters in a subsequent message associated with the message delivery transaction; receiving, from the network interface, a messaging service message associated with the message delivery transaction, where the messaging service message includes the echoed parameters; extracting the echoed parameters in the messaging service message; comparing SMSC identifier information extracted from the messaging service message with SMSC identifier information contained in the routing label of the received messaging service message to determine if the messaging service message contains spoofed address information; and in response to determining that the messaging service message contains spoofed address information, discarding the messaging service message.
9. The system of claim 8 wherein the messaging service firewall generates a message detail record based on the attempted delivery of the message service message.
10. The system of claim 8 comprising a signaling message routing node that uses mobile application part (MAP) screening to route messaging service messages to the messaging service firewall.
11. A non-transitory computer readable medium having stored thereon executable instructions that when executed by the processor of a computer control the computer to perform steps comprising: at a messaging service firewall separate from a short message service center (SMSC) and implemented on a platform including at least one processor: receiving a mobility management reply message that is sent by a mobile location register element in response to an associated mobility management query, where the mobility management reply message includes a message service recipient identifier and a serving switch identifier; allocating a global title address (GTA) from a pool of global title addresses within a range of global title addresses assigned to the firewall; generating and storing a correlation record that associates the GTA with an originating SMSC identifier; replacing the serving switch identifier in the reply message with the firewall GTA; routing the modified reply message; receiving the message service message including the allocated GTA and using the allocated GTA to locate the correlation record; comparing SMSC identifier information extracted from the messaging service message with SMSC identifier information contained in the correlation record to determine if the messaging service message contains spoofed address information; and in response to determining that the messaging service message contains spoofed address information, discarding the messaging service message.
12. A non-transitory computer readable medium having stored thereon executable instructions that when executed by the processor of a computer control the computer to perform steps comprising: at a messaging service firewall separate from a short message service center (SMSC) and implemented on a platform including at least one processor: receiving a mobility management query message associated with a message delivery transaction that is sent by an originating SMSC element, where the mobility management query message includes a message service recipient identifier and a first originating SMSC identifier; generating a mobility management reply message, in response to the query message, that includes a least a portion of the first originating SMSC identifier in one or more parameters of the reply message that trigger the originating SMSC to echo the parameters in a subsequent message associated with the message delivery transaction; receiving a messaging service message associated with the message delivery transaction, where the messaging service message includes the echoed parameters; extracting the echoed parameters in the messaging service message; comparing SMSC identifier information extracted from the messaging service message with SMSC identifier information contained in the routing label of the received messaging service message to determine if the messaging service message contains spoofed address information; and in response to determining that the messaging service message contains spoofed address information, discarding the messaging service message.
PCT/US2010/027043 2009-03-11 2010-03-11 Systems, methods, and computer readable media for detecting and mitigating address spoofing in messaging service transactions WO2010105099A2 (en)

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
US15932309P 2009-03-11 2009-03-11
US61/159,323 2009-03-11

Publications (2)

Publication Number Publication Date
WO2010105099A2 true WO2010105099A2 (en) 2010-09-16
WO2010105099A3 WO2010105099A3 (en) 2011-01-13

Family

ID=42729117

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/US2010/027043 WO2010105099A2 (en) 2009-03-11 2010-03-11 Systems, methods, and computer readable media for detecting and mitigating address spoofing in messaging service transactions

Country Status (2)

Country Link
US (2) US20100235911A1 (en)
WO (1) WO2010105099A2 (en)

Cited By (20)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US8326265B2 (en) 2008-10-17 2012-12-04 Tekelec Netherlands Group, B.V. Methods, systems, and computer readable media for detection of an unauthorized service message in a network
US8909266B2 (en) 2009-03-11 2014-12-09 Tekelec Netherlands Group, B.V. Methods, systems, and computer readable media for short message service (SMS) forwarding
US8908864B2 (en) 2009-03-11 2014-12-09 Tekelec Netherlands Group, B.V. Systems, methods, and computer readable media for detecting and mitigating address spoofing in messaging service transactions
US10616200B2 (en) 2017-08-01 2020-04-07 Oracle International Corporation Methods, systems, and computer readable media for mobility management entity (MME) authentication for outbound roaming subscribers using diameter edge agent (DEA)
US10834045B2 (en) 2018-08-09 2020-11-10 Oracle International Corporation Methods, systems, and computer readable media for conducting a time distance security countermeasure for outbound roaming subscribers using diameter edge agent
US10931668B2 (en) 2018-06-29 2021-02-23 Oracle International Corporation Methods, systems, and computer readable media for network node validation
US10952063B2 (en) 2019-04-09 2021-03-16 Oracle International Corporation Methods, systems, and computer readable media for dynamically learning and using foreign telecommunications network mobility management node information for security screening
US11411925B2 (en) 2019-12-31 2022-08-09 Oracle International Corporation Methods, systems, and computer readable media for implementing indirect general packet radio service (GPRS) tunneling protocol (GTP) firewall filtering using diameter agent and signal transfer point (STP)
US11516671B2 (en) 2021-02-25 2022-11-29 Oracle International Corporation Methods, systems, and computer readable media for mitigating location tracking and denial of service (DoS) attacks that utilize access and mobility management function (AMF) location service
US11528251B2 (en) 2020-11-06 2022-12-13 Oracle International Corporation Methods, systems, and computer readable media for ingress message rate limiting
US11553342B2 (en) 2020-07-14 2023-01-10 Oracle International Corporation Methods, systems, and computer readable media for mitigating 5G roaming security attacks using security edge protection proxy (SEPP)
US11622255B2 (en) 2020-10-21 2023-04-04 Oracle International Corporation Methods, systems, and computer readable media for validating a session management function (SMF) registration request
US11689912B2 (en) 2021-05-12 2023-06-27 Oracle International Corporation Methods, systems, and computer readable media for conducting a velocity check for outbound subscribers roaming to neighboring countries
US11700510B2 (en) 2021-02-12 2023-07-11 Oracle International Corporation Methods, systems, and computer readable media for short message delivery status report validation
US11751056B2 (en) 2020-08-31 2023-09-05 Oracle International Corporation Methods, systems, and computer readable media for 5G user equipment (UE) historical mobility tracking and security screening using mobility patterns
US11770694B2 (en) 2020-11-16 2023-09-26 Oracle International Corporation Methods, systems, and computer readable media for validating location update messages
US11812271B2 (en) 2020-12-17 2023-11-07 Oracle International Corporation Methods, systems, and computer readable media for mitigating 5G roaming attacks for internet of things (IoT) devices based on expected user equipment (UE) behavior patterns
US11818570B2 (en) 2020-12-15 2023-11-14 Oracle International Corporation Methods, systems, and computer readable media for message validation in fifth generation (5G) communications networks
US11825310B2 (en) 2020-09-25 2023-11-21 Oracle International Corporation Methods, systems, and computer readable media for mitigating 5G roaming spoofing attacks
US11832172B2 (en) 2020-09-25 2023-11-28 Oracle International Corporation Methods, systems, and computer readable media for mitigating spoofing attacks on security edge protection proxy (SEPP) inter-public land mobile network (inter-PLMN) forwarding interface

Families Citing this family (12)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US8307039B2 (en) * 2007-10-24 2012-11-06 Research In Motion Limited Method for disambiguating email recipient fields in an electronic device
US9338618B2 (en) * 2012-02-23 2016-05-10 Markport Limited Home routing system and method for mobile networks
US9667730B2 (en) * 2013-03-14 2017-05-30 Comcast Cable Communications, Llc Systems and methods for abandonment detection and mitigation
EP3000212B1 (en) * 2013-05-23 2020-05-06 Markport Limited Sms fraud detection
DE102014117713B4 (en) 2014-12-02 2016-12-01 GSMK Gesellschaft für sichere mobile Kommunikation mbH Method and device for securing a signaling system No. 7 interface
GB2534864A (en) * 2015-01-30 2016-08-10 Dialogue Malta Ltd Identification of sources of media traffic through a network
US9565528B2 (en) * 2015-04-08 2017-02-07 Verizon Patent And Licensing Inc. Providing a message based on translating a beacon identifier to a virtual beacon identifier
CN108243420A (en) * 2016-12-26 2018-07-03 中国移动通信集团公司 A kind of processing method and processing device of fraud text message number
CN109996191A (en) * 2017-12-29 2019-07-09 中兴通讯股份有限公司 Multimedia message verification method, server, mobile terminal and computer readable storage medium
CN108810833B (en) * 2018-05-18 2021-11-02 努比亚技术有限公司 Mobile phone number binding information management method and device and computer readable storage medium
US11115383B2 (en) * 2018-05-24 2021-09-07 Texas Instruments Incorporated System on chip firewall memory architecture
WO2023069302A1 (en) * 2021-10-18 2023-04-27 AB Handshake Corporation Method and system for detecting sms parameters manipulation

Citations (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20070011261A1 (en) * 2004-12-03 2007-01-11 Madams Peter H C Apparatus for executing an application function using a mail link and methods therefor
WO2007084503A2 (en) * 2006-01-17 2007-07-26 Cibernet Corporation Use of service identifiers to authenticate the originator of an electronic message
US20080026778A1 (en) * 2006-07-25 2008-01-31 Yigang Cai Message spoofing detection via validation of originating switch

Family Cites Families (119)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
GB0328606D0 (en) 2003-11-21 2004-01-14 Intellprop Ltd Telecommunications services apparatus and method
US6047327A (en) 1996-02-16 2000-04-04 Intel Corporation System for distributing electronic information to a targeted group of users
US5684951A (en) 1996-03-20 1997-11-04 Synopsys, Inc. Method and system for user authorization over a multi-user computer system
US5768509A (en) 1996-04-08 1998-06-16 Adc Newnet, Inc. Short message server without local customer database
US9418381B2 (en) 2000-04-14 2016-08-16 Citigroup Credit Services, Inc. (USA) Method and system for notifying customers of transaction opportunities
SE508514C2 (en) * 1997-02-14 1998-10-12 Ericsson Telefon Ab L M Method and apparatus for transmitting short messages in a telecommunication system comprising a mobile communication system
FI106603B (en) 1998-03-26 2001-02-28 Nokia Networks Oy Sending multicast services to the target area
US6308075B1 (en) * 1998-05-04 2001-10-23 Adc Telecommunications, Inc. Method and apparatus for routing short messages
US6597688B2 (en) 1998-06-12 2003-07-22 J2 Global Communications, Inc. Scalable architecture for transmission of messages over a network
KR100325961B1 (en) 1999-07-16 2002-03-07 Method and system for providing customized information during call setup process in telecommunication systems
EP1230815B1 (en) * 1999-11-17 2005-10-19 Swisscom Mobile AG Method and system for preparing and transmitting sms messages in a mobile radio network
US20020010745A1 (en) 1999-12-09 2002-01-24 Eric Schneider Method, product, and apparatus for delivering a message
FI110975B (en) * 1999-12-22 2003-04-30 Nokia Corp Prevention of fraud in telecommunication systems
US7136634B1 (en) 1999-12-22 2006-11-14 Nokia Corporation System and method for displaying information included in predetermined messages automatically
US6564055B1 (en) 2000-01-21 2003-05-13 Telecommunication Systems, Inc. Intelligent roaming database (IRDB) updating
AU2001234620A1 (en) 2000-01-28 2001-08-07 Ibeam Broadcasting Corporation Method and apparatus for client-side authentication and stream selection in a content distribution system
EP2160039B1 (en) * 2000-03-07 2012-06-06 Tekelec Screening of mobile application part (map) messages
US20040221011A1 (en) 2000-04-10 2004-11-04 Steven Smith High volume electronic mail processing systems and methods having remote transmission capability
US6577723B1 (en) 2000-07-13 2003-06-10 At&T Wireless Service, Inc. Application of TCAP criteria in SCCP routing
US7394818B1 (en) 2000-09-22 2008-07-01 Qwest Communications International Inc. Extended multi-line hunt group communication
FI114000B (en) 2000-11-08 2004-07-15 Mikko Kalervo Vaeaenaenen Electronic short message and marketing procedure and corresponding devices
US7155001B2 (en) 2001-10-24 2006-12-26 Sbc Properties, L.P. System and method for restricting and monitoring telephone calls
EP1213931A3 (en) * 2000-12-05 2003-03-19 Siemens Aktiengesellschaft Method for sending and receiving Short Messages in a mobile radio network
US7177917B2 (en) 2000-12-27 2007-02-13 Softwired Ag Scaleable message system
FI112153B (en) 2000-12-28 2003-10-31 Nokia Corp Management of messages in a communication system
US7072976B2 (en) 2001-01-04 2006-07-04 Sun Microsystems, Inc. Scalable routing scheme for a multi-path interconnection fabric
US6947738B2 (en) 2001-01-18 2005-09-20 Telefonaktiebolaget Lm Ericsson (Publ) Multimedia messaging service routing system and method
US7343317B2 (en) 2001-01-18 2008-03-11 Nokia Corporation Real-time wireless e-coupon (promotion) definition based on available segment
FI115744B (en) 2001-02-08 2005-06-30 Nokia Corp communication Service
KR20020071296A (en) 2001-03-06 2002-09-12 삼성전자 주식회사 Method for forwarding short message in mobile telecommunication system
WO2002076077A1 (en) 2001-03-16 2002-09-26 Leap Wireless International, Inc. Method and system for distributing content over a wireless communications system
US7533409B2 (en) 2001-03-22 2009-05-12 Corente, Inc. Methods and systems for firewalling virtual private networks
SE0101087D0 (en) 2001-03-26 2001-03-26 Obnex Technologies Hb System for distribution of position-dependent information
US20020147928A1 (en) 2001-04-10 2002-10-10 Motorola, Inc. Method of information dissemination in a network of end terminals
GB0109525D0 (en) 2001-04-18 2001-06-06 Telsis Holdings Ltd Managing text message traffic in mobile telephone networks
US20020187794A1 (en) 2001-05-04 2002-12-12 Comverse Network Systems, Ltd. SMS automatic reply and automatic handling
TW511365B (en) 2001-05-15 2002-11-21 Corbett Wall Method allowing individual user to record song and forward to others for listening by connecting to a service provider with telecommunication device signal
GB2393886B (en) 2001-06-22 2005-05-11 Emblaze Systems Ltd MMS system and method with protocol conversion suitable for mobile/portable handset display
KR20030000491A (en) 2001-06-25 2003-01-06 에스케이 텔레콤주식회사 Method for forwarding a short message
US7389118B2 (en) 2001-06-29 2008-06-17 Nokia Corporation System and method for person-to-person messaging with a value-added service
WO2003024136A1 (en) 2001-09-12 2003-03-20 Aircross Co., Ltd. Push advertisement in mobile communications network and mobile terminal suitable for the same
US20030069991A1 (en) 2001-10-09 2003-04-10 Brescia Paul T. Location-based address provision
US6996579B2 (en) 2001-11-02 2006-02-07 At&T Corp. E-coupon service for location-aware mobile commerce which determines whether to supply requested e-coupons based on the number of requests received in a processing cycle, and a threshold number of requests required to make expected returns from redeemed coupons greater than advertising fees
US7116972B1 (en) 2001-11-16 2006-10-03 Sprint Spectrum L.P. Method and system for control over call handling
US7072667B2 (en) 2001-12-31 2006-07-04 Nokia Corporation Location information service for a cellular telecommunications network
US7644436B2 (en) * 2002-01-24 2010-01-05 Arxceo Corporation Intelligent firewall
ITPI20020025A1 (en) 2002-04-18 2003-10-20 Pietro Baracco METHOD TO MODIFY THE TEXT OF A MESSAGE SENT BETWEEN TWO TELEPHONE TERMINALS
WO2004010257A2 (en) 2002-07-19 2004-01-29 M-Qube, Inc. System and method to initiate a mobile data communication utilizing a trigger system
US20040019695A1 (en) 2002-07-25 2004-01-29 International Business Machines Corporation Messaging system and method using alternative message delivery paths
FR2844948B1 (en) 2002-09-23 2005-01-07 Eastman Kodak Co METHOD FOR ARCHIVING MULTIMEDIA MESSAGES
US20040203581A1 (en) 2002-10-07 2004-10-14 Msafe Ltd. Method system and device for monitoring data pushed to a wireless communication device
US20050021666A1 (en) 2002-10-08 2005-01-27 Dinnage David M. System and method for interactive communication between matched users
KR100511300B1 (en) 2002-12-31 2005-08-31 엘지전자 주식회사 Method for enhanced short message service
DE10303958B4 (en) 2003-01-31 2005-03-03 Siemens Ag Method and system for inserting a multimedia message multiple element into a multimedia message
US7248857B1 (en) 2004-02-27 2007-07-24 Cingular Wireless Ii, Llc System and method for enhanced message notification
DE602004010098T3 (en) 2003-05-06 2014-09-04 Apple Inc. METHOD FOR MODIFYING A MESSAGE STORAGE AND TRANSMISSION NETWORK SYSTEM AND DATA ANSWERING SYSTEM
CA2528452C (en) 2003-05-08 2017-04-18 Ari Kahn Call management protocol for insufficient credit
WO2004102345A2 (en) 2003-05-09 2004-11-25 Tekelec Methods and systems for providing short message gateway functionality in a telecommunications network
US7299050B2 (en) 2003-05-12 2007-11-20 Tekelec Methods and systems for generating, distributing, and screening commercial content
EP1705885B1 (en) 2003-05-15 2013-02-13 Huawei Technologies Co., Ltd. A system and method for providing rbt in communication network
CA2526415C (en) 2003-05-16 2014-09-16 Gerald Hewes Mobile messaging short code translation and routing system and method
US20040243719A1 (en) 2003-05-28 2004-12-02 Milt Roselinsky System and method for routing messages over disparate networks
US7660898B2 (en) 2003-07-29 2010-02-09 At&T Intellectual Property I, L.P. Presence enhanced telephony service architecture
US20080125117A1 (en) * 2004-02-18 2008-05-29 John Yue Jun Jiang Method and system for providing roaming services to outbound roamers using home network Gateway Location Register
WO2005048019A2 (en) 2003-09-04 2005-05-26 Emc Corporation Data message mirroring and redirection
US7447219B2 (en) 2003-09-29 2008-11-04 Redknee Inc. System and method for implementing a universal messaging gateway (UMG)
CN1625146A (en) 2003-12-02 2005-06-08 华为技术有限公司 Method and system for realizing sharing intelligent route
US20050130685A1 (en) 2003-12-12 2005-06-16 Mark Jenkin Method and apparatus for inserting information into an unused portion of a text message
US8112103B2 (en) 2004-01-16 2012-02-07 Kuang-Chao Eric Yeh Methods and systems for mobile device messaging
US7269431B1 (en) 2004-01-16 2007-09-11 Cingular Wireless Ii, Llc System for forwarding SMS messages to other devices
GB0406119D0 (en) * 2004-03-18 2004-04-21 Telsis Holdings Ltd Telecommunications services apparatus and method
KR100600335B1 (en) 2004-03-22 2006-07-14 주식회사 팬택앤큐리텔 Data provision method with short message service
EP1730975A1 (en) 2004-03-29 2006-12-13 Intellprop Limited Telecommunications services apparatus and method for modifying the routing of mobile terminated short messages (sms)
US7961663B2 (en) 2004-04-05 2011-06-14 Daniel J. LIN Peer-to-peer mobile instant messaging method and device
WO2005101863A2 (en) 2004-04-12 2005-10-27 Bayne Anthony J System and method for the distribution of advertising and associated coupons via mobile media platforms
EP1736016B1 (en) 2004-04-14 2015-06-24 MBalance Research B.V. Method for preventing the delivery of short message service message spam
US7403537B2 (en) * 2004-04-14 2008-07-22 Tekelec Methods and systems for mobile application part (MAP) screening in transit networks
US7120455B1 (en) 2004-05-20 2006-10-10 Cellco Partnership Method and system for mobile instant messaging using multiple interfaces
US7155243B2 (en) 2004-06-15 2006-12-26 Tekelec Methods, systems, and computer program products for content-based screening of messaging service messages
US20060028429A1 (en) * 2004-08-09 2006-02-09 International Business Machines Corporation Controlling devices' behaviors via changes in their relative locations and positions
CN101053264B (en) 2004-08-14 2011-03-23 基鲁萨有限公司 Methods for identifying messages and communicating with users of a multimodal message service
US20060047572A1 (en) 2004-08-26 2006-03-02 Jeffery Moore Text and multimedia messaging-based layered service and contact method, auction method and method of conducting business
IES20040693A2 (en) * 2004-10-14 2006-04-19 Anam Mobile Ltd A messaging system and method
ATE415790T1 (en) 2004-10-27 2008-12-15 Intellprop Ltd DEVICE AND METHOD FOR TELECOMMUNICATION SERVICES
GB0425905D0 (en) 2004-11-25 2004-12-29 Intellprop Ltd Telecommunications services apparatus and method
CN101112075A (en) 2004-12-06 2008-01-23 罗姆韦尔有限公司 Scalable message forwarding
US7454164B2 (en) 2004-12-28 2008-11-18 Lucent Technologies Inc. Providing a multimedia message with a multimedia messaging service message in a mobile environment
US7941165B2 (en) 2005-03-02 2011-05-10 Cisco Technology, Inc. System and method for providing a proxy in a short message service (SMS) environment
US20060211406A1 (en) * 2005-03-17 2006-09-21 Nokia Corporation Providing security for network subscribers
US20060218613A1 (en) 2005-03-22 2006-09-28 Bushnell William J System and method for acquiring on-line content via wireless communication device
US8014762B2 (en) 2005-03-31 2011-09-06 Qualcomm Incorporated Time and location-based non-intrusive advertisements and informational messages
US7209759B1 (en) 2005-06-23 2007-04-24 Cisco Technology, Inc. Method and system for customizing distributed short message routing
US8099114B2 (en) 2005-07-28 2012-01-17 At&T Mobility Ii Llc Personal short codes for SMS
EP1935204A4 (en) 2005-09-23 2013-04-03 Grape Technology Group Inc Enhanced directory assistance system and method including location and search functions
US8677020B2 (en) 2005-10-17 2014-03-18 Amobee Inc. Device, system and method of wireless delivery of targeted advertisements
US20080051066A1 (en) 2005-12-05 2008-02-28 Fonemine, Inc. Digital personal assistant and automated response system
IL173011A (en) 2006-01-08 2012-01-31 Picscout Ltd Image insertion for cellular text messaging
US20070206747A1 (en) 2006-03-01 2007-09-06 Carol Gruchala System and method for performing call screening
US7817987B2 (en) 2006-03-07 2010-10-19 Motorola, Inc. Apparatus and method for handling messaging service message adaptation
US7912908B2 (en) 2006-03-27 2011-03-22 Alcatel-Lucent Usa Inc. Electronic message forwarding control
US7747264B2 (en) 2006-05-18 2010-06-29 Myriad Group Ag Method and apparatus for delivering advertisements to mobile users
US8170584B2 (en) 2006-06-06 2012-05-01 Yahoo! Inc. Providing an actionable event in an intercepted text message for a mobile device based on customized user information
US9219952B2 (en) 2006-06-09 2015-12-22 Starscriber Corporation Voiding calls to signal supplementary services
KR20080006225A (en) 2006-07-11 2008-01-16 에스케이 텔레콤주식회사 Service system and method of instant transmission premium sms
US7606202B2 (en) 2006-07-28 2009-10-20 Tekelec Methods, systems, and computer program products for offloading call control services from a first network of a first type to a second network of a second type
US8204057B2 (en) 2006-10-26 2012-06-19 Tekelec Global, Inc. Methods, systems, and computer program products for providing an enriched messaging service in a communications network
US8199892B2 (en) 2006-10-26 2012-06-12 Tekelec Methods, systems, and computer program products for providing a call attempt triggered messaging service in a communications network
US20080113677A1 (en) 2006-11-11 2008-05-15 Rajeev Kumar Madnawat Mobile to mobile service invocation framework using text messsaging
KR100850734B1 (en) 2006-12-13 2008-08-06 삼성전자주식회사 Method For Transmitting Message Of Portable Terminal
US20080161028A1 (en) 2007-01-03 2008-07-03 Tekelec Methods, systems and computer program products for a redundant, geographically diverse, and independently scalable message service (MS) content store
US7941129B2 (en) 2007-01-11 2011-05-10 At&T Mobility Ii Llc Multi-way messaging with forwarding
US20080207181A1 (en) 2007-02-28 2008-08-28 Roamware Method and system for applying value added services on messages sent to a subscriber without affecting the subscriber's mobile communication
KR20080111175A (en) 2007-03-30 2008-12-23 (주)옴니텔 System and method for advertisement using free sms
US7930208B2 (en) 2007-03-30 2011-04-19 Wmode Incorporated Method and system for delivery of advertising content in short message service (SMS) messages
US20080287150A1 (en) 2007-04-16 2008-11-20 John Yue Jun Jiang Method and system for inserting advertisment content into a text message
US8326265B2 (en) * 2008-10-17 2012-12-04 Tekelec Netherlands Group, B.V. Methods, systems, and computer readable media for detection of an unauthorized service message in a network
US20100210292A1 (en) 2009-02-16 2010-08-19 Eloy Johan Lambertus Nooren Extending a text message with content
US20100233992A1 (en) 2009-03-11 2010-09-16 Eloy Johan Lambertus Nooren Methods, systems, and computer readable media for short message service (sms) forwarding
US20100235911A1 (en) 2009-03-11 2010-09-16 Eloy Johan Lambertus Nooren Systems, methods, and computer readable media for detecting and mitigating address spoofing in messaging service transactions

Patent Citations (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20070011261A1 (en) * 2004-12-03 2007-01-11 Madams Peter H C Apparatus for executing an application function using a mail link and methods therefor
WO2007084503A2 (en) * 2006-01-17 2007-07-26 Cibernet Corporation Use of service identifiers to authenticate the originator of an electronic message
US20080026778A1 (en) * 2006-07-25 2008-01-31 Yigang Cai Message spoofing detection via validation of originating switch

Cited By (20)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US8326265B2 (en) 2008-10-17 2012-12-04 Tekelec Netherlands Group, B.V. Methods, systems, and computer readable media for detection of an unauthorized service message in a network
US8909266B2 (en) 2009-03-11 2014-12-09 Tekelec Netherlands Group, B.V. Methods, systems, and computer readable media for short message service (SMS) forwarding
US8908864B2 (en) 2009-03-11 2014-12-09 Tekelec Netherlands Group, B.V. Systems, methods, and computer readable media for detecting and mitigating address spoofing in messaging service transactions
US10616200B2 (en) 2017-08-01 2020-04-07 Oracle International Corporation Methods, systems, and computer readable media for mobility management entity (MME) authentication for outbound roaming subscribers using diameter edge agent (DEA)
US10931668B2 (en) 2018-06-29 2021-02-23 Oracle International Corporation Methods, systems, and computer readable media for network node validation
US10834045B2 (en) 2018-08-09 2020-11-10 Oracle International Corporation Methods, systems, and computer readable media for conducting a time distance security countermeasure for outbound roaming subscribers using diameter edge agent
US10952063B2 (en) 2019-04-09 2021-03-16 Oracle International Corporation Methods, systems, and computer readable media for dynamically learning and using foreign telecommunications network mobility management node information for security screening
US11411925B2 (en) 2019-12-31 2022-08-09 Oracle International Corporation Methods, systems, and computer readable media for implementing indirect general packet radio service (GPRS) tunneling protocol (GTP) firewall filtering using diameter agent and signal transfer point (STP)
US11553342B2 (en) 2020-07-14 2023-01-10 Oracle International Corporation Methods, systems, and computer readable media for mitigating 5G roaming security attacks using security edge protection proxy (SEPP)
US11751056B2 (en) 2020-08-31 2023-09-05 Oracle International Corporation Methods, systems, and computer readable media for 5G user equipment (UE) historical mobility tracking and security screening using mobility patterns
US11825310B2 (en) 2020-09-25 2023-11-21 Oracle International Corporation Methods, systems, and computer readable media for mitigating 5G roaming spoofing attacks
US11832172B2 (en) 2020-09-25 2023-11-28 Oracle International Corporation Methods, systems, and computer readable media for mitigating spoofing attacks on security edge protection proxy (SEPP) inter-public land mobile network (inter-PLMN) forwarding interface
US11622255B2 (en) 2020-10-21 2023-04-04 Oracle International Corporation Methods, systems, and computer readable media for validating a session management function (SMF) registration request
US11528251B2 (en) 2020-11-06 2022-12-13 Oracle International Corporation Methods, systems, and computer readable media for ingress message rate limiting
US11770694B2 (en) 2020-11-16 2023-09-26 Oracle International Corporation Methods, systems, and computer readable media for validating location update messages
US11818570B2 (en) 2020-12-15 2023-11-14 Oracle International Corporation Methods, systems, and computer readable media for message validation in fifth generation (5G) communications networks
US11812271B2 (en) 2020-12-17 2023-11-07 Oracle International Corporation Methods, systems, and computer readable media for mitigating 5G roaming attacks for internet of things (IoT) devices based on expected user equipment (UE) behavior patterns
US11700510B2 (en) 2021-02-12 2023-07-11 Oracle International Corporation Methods, systems, and computer readable media for short message delivery status report validation
US11516671B2 (en) 2021-02-25 2022-11-29 Oracle International Corporation Methods, systems, and computer readable media for mitigating location tracking and denial of service (DoS) attacks that utilize access and mobility management function (AMF) location service
US11689912B2 (en) 2021-05-12 2023-06-27 Oracle International Corporation Methods, systems, and computer readable media for conducting a velocity check for outbound subscribers roaming to neighboring countries

Also Published As

Publication number Publication date
US20100235911A1 (en) 2010-09-16
US20130095793A1 (en) 2013-04-18
WO2010105099A3 (en) 2011-01-13
US8908864B2 (en) 2014-12-09

Similar Documents

Publication Publication Date Title
US8908864B2 (en) Systems, methods, and computer readable media for detecting and mitigating address spoofing in messaging service transactions
US11265695B2 (en) MMS termination on different networks
US8005493B2 (en) Messaging system and method
US7751836B2 (en) Methods, systems, and computer program products for short message service (SMS) spam filtering using e-mail spam filtering resources
US7797003B2 (en) Telecommunication services apparatus and methods for addressing the problem of mobile terminated message faking
JP4011125B2 (en) Roaming method and apparatus belonging to the method
US8199892B2 (en) Methods, systems, and computer program products for providing a call attempt triggered messaging service in a communications network
US20080207181A1 (en) Method and system for applying value added services on messages sent to a subscriber without affecting the subscriber's mobile communication
EP3000212B1 (en) Sms fraud detection
JP2006178999A (en) Storage of anti-spam black list
US10498678B2 (en) Method for user reporting of spam mobile messages and filter node
GB2431547A (en) Identifying communications between telecommunications networks
GB2379135A (en) Method and system for routing calls to a mobile telecommunications device
EP2725831B1 (en) Method for using a user equipment in a coverage area of a visited public land mobile network, public land mobile network and computer program product
US20100112993A1 (en) Method, device and system for message identification
EP2387259B1 (en) Method for routing a message
GB2435156A (en) Communication system for accessing more than one device at a single address
JP2009005339A (en) System and method for providing multimedia messaging service
US9338618B2 (en) Home routing system and method for mobile networks
IES84271Y1 (en) A messaging system and method
GB2397975A (en) Reducing costs due to ported mobile subscribers

Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application

Ref document number: 10751448

Country of ref document: EP

Kind code of ref document: A2

NENP Non-entry into the national phase

Ref country code: DE

122 Ep: pct application non-entry in european phase

Ref document number: 10751448

Country of ref document: EP

Kind code of ref document: A2