Security and Privacy in Next Generation Mobile Networks: LTE and …secowinetcourse.epfl.ch/previous/09/Bilogrevic.Igor/... · 2010-01-22 · architecture and security of LTE RAN/CN

Security and Privacy in Next Generation Mobile Networks: LTE and Femtocells

Igor Bilogrevic, supervised by Jean-Pierre Hubaux
Mini-project for the “Security and Cooperation in Wireless Networks” course

Laboratory for Computer Communications and Applications (LCA1)
EPFL, Lausanne, Switzerland

[email protected]
January 15, 2010

Abstract—Cellular mobile networks are used by more than 4 billion users worldwide. Yet, security and privacy issues in the next generation networks have not fully been addressed by the standardization bodies, as several of the upcoming features would inherit many of the current limitations. In this report, we focus on two aspects: privacy of the user’s identity/location and the security of femtocell networks. First, we show that GSM, UMTS and LTE are still inefficient in the first aspect because of the centrally managed identity assignment, and we suggest a simple scheme where, by combining central and distributed management, privacy can be preserved even in the presence of a capillary deployment of low-range femtocells. Second, by leveraging on the geographic operational requirements of femtocells, we model the dynamics among ISPs and mobile operators in a DDoS defense scenario that is effective against malicious attackers and transparent for legitimate users. We propose and numerically evaluate a novel game-theoretic scheme that, by considering parameters such as Internet traffic and femtocell subscriber shares, could help ISPs and mobile operators make strategic decisions.

Index Terms—Wireless Security, Privacy, Cellular Mobile Networks, LTE, Femtocells

I. INTRODUCTION

Cellular mobile networks are the most widely used and heavily deployed wireless communication networks in the world. According to the International Telecommunication Union (ITU) [1], by the end of year 2009 there will be 4.6 billion mobile cellular telephone subscribers, while the total amount of Internet users will exceed 1.6 billion. Even though 80% of the current mobile subscribers are still using the 2G legacy GSM technology [2], the more data-oriented counterparts, such as WCDMA and CDMA2000 3G networks, are emerging. By 2010, 3G handsets are expected to be used by 90% of subscribers in Europe, North America and Japan [3].

The use of mobile devices has rapidly changed since the advent of GSM. Started as a voice-only service, digital mobile networks have been upgraded in order to support data traffic as well. Modern feature phones and powerful smartphones are able to surf on the Internet, connect to e-banking services, provide services based on the subscriber’s location and much more. It is clear that the sensitivity and confidentiality of data transiting in mobile networks is of foremost importance both to businesses and private citizens.

Security and privacy in such networks encompass a broader set of elements. They concern the messages that are exchanged over the air, the traffic routed by a mobile operator on its own internal network and the inter-operator traffic. The main assumption underlying the security of the mobile networks cited so far is the high trust that each operator has in its own infrastructure and in the other operators with whom it has a roaming contract. The main reasons behind such a positive attitude are the following: (i) direct ownership and control of the network equipment, (ii) dedicated connections and protocols among network components and (iii) the highly hierarchical decision-making process for providing network resources to mobile devices. Clearly, in case of a substantial change in the network architecture, such as evolving to a flat all-IP network, the trust relationships would need to be revisited.

Long Term Evolution (LTE) is the mobile network technology for the next generation mobile communications, as defined by the 3rd Generation Partnership Project (3GPP) and standardized in December 2008 [4]. Among the key features that it provides, such as increased data-rates, lower latencies and better spectral efficiency, one of the most interesting is the radically novel all-IP core network architecture, known as Evolved Packet Core (EPC). This essential component of the Evolved Packet System (EPS, which includes the radio access, the core network and the handset) is of great importance for supporting the high-speed connections and ensuring smooth handovers among LTE and other technologies such as GSM and WCDMA. Moreover, LTE is expected to make extensive use of user-installed, very low-power and low-range base stations (femtocells), in order to achieve its goals of spectral efficiency and high speeds for a greater number of users.

As a consequence, the combination of LTE, all-IP network architecture and femtocells is stimulating the emergence of new security and privacy threats. For instance, it becomes easier for a malicious user to tamper with the femtocell, as it resides directly at the user’s premises, or to disrupt the legitimate communications both at the femtocell and at the core network level, due to the openness of the IP networks. Moreover, as LTE is an evolution of the existing 2G-3G standards and is backward-compatible with them, it also inherits different vulnerabilities at the protocol level. Specifically, the privacy of the user’s permanent identity and his/her geographic location is at risk both at the air interface (use of identifiers) and at the application layer (location based services).

In this report, we explore one privacy and one security threat related to the all-IP and femtocell network architectures. First of all, we show that the identity management in LTE does not provide sufficient location privacy on the air interface for the users, and we suggest a simple scheme to overcome the issue. Second, we analyze a scenario involving distributed denial of service (DDoS) attacks on the femtocell core network components, the femtocell gateways, and we present a novel game-theoretic model to represent the interactions and outcomes of a protection demand/offer scenario between a mobile operator and different ISPs. We analytically determine the conditions leading to the best response strategies and we numerically evaluate our scheme with two example games.

The rest of the report is structured as follows. In Section II we present the network architectures of LTE, UMTS and femtocells, as well as the main features that have an impact on security and privacy. In Section III we identify two important privacy and security challenges that are due to the LTE and the femtocell infrastructure: identity/location privacy and core network security. In Section IV we briefly introduce the related work and in Section V we start delineating our solution for the first challenge, by leveraging on research done in the mobile ad hoc networks (MANETs) field. In Section VI we develop a novel game-theoretic model for the analysis of the interactions between ISPs and mobile operators, in order to provide protection against DDoS attacks on the mobile core network. We conclude the report and provide ideas for future work in Section VII.

II. LTE AND UMTS NETWORK ARCHITECTURES

In this section, we delineate the differences in the network architectures between LTE and UMTS (radio access and core network) that are relevant to the security and privacy issues discussed in this report. Figure 1 shows a basic network architecture for UMTS (left) and LTE (right), with a clear separation between the core network (CN) components and the radio access network (RAN). More information about the architecture and security of LTE RAN/CN can be found in [5], [6], [7], whereas [8], [9] are related to UMTS.

A. Radio Access Network

The RAN is responsible for all the radio-interface-related features of the network, and it is the point of entry to the mobile network for any compatible wireless device. In addition to encapsulating and decapsulating data, it performs radio channel and power management controls, handover procedures and over-the-air encryption/integrity for data and signaling traffic to and from the wireless devices (User Equipment, UE). Due to the broadcast nature of the wireless medium, the air interface is the most vulnerable to eavesdropping and traffic injection, and thus several measures have been taken in order to mitigate those risks. Even though it might be non-trivial to break the algorithm and obtain the secret key, the user’s privacy is still at risk due to protocol flaws enabling a malicious user with a femtocell to track the whereabouts of a subscriber. We will discuss the issue in more detail in Section V.

In LTE and UMTS, all user and signaling traffic is encrypted and integrity protected against misuse by malicious entities on the air interface. The use of a shared secret key between the Universal Subscriber Identity Module (USIM) in the mobile device and the home network ensures that only authorized users and legitimate network operators can communicate and exchange information. There are, however, major differences in the way encryption and trust are managed in LTE and UMTS.

In UMTS, the air interface encryption is terminated at the RNC, while in LTE it is terminated in the eNodeB (similar to GSM). UMTS uses encryption/integrity key pairs that are independent of the network that is currently serving the UE. Moreover, these keys must not be changed during a handover, if the UE is still served by the same SGSN. In LTE, on the contrary, the keys are not transferred as such from the home network to the eNodeBs but they are derived layer by layer, depending on the particular serving network and the specific eNodeB that is used by the mobile device. As a consequence, LTE has been developed with limited trust in network components and external partners from the beginning.
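The contrast just described, as an added example that is not code from the paper or from 3GPP: UMTS hands the same CK/IK pair to whichever RNC serves the UE, while LTE binds each layer of the key hierarchy (KASME, KeNB, and the RRC/user-plane keys below it) to the serving network and the serving cell. The KDF here is an assumed stand-in (HMAC-SHA-256 over a label and context), not the 3GPP KDF of TS 33.401, and the handover derivation omits the NH/NCC chaining, so only the structure is faithful, not the key values.

```python
import hashlib
import hmac


def kdf(key: bytes, label: str, *context: bytes) -> bytes:
    """Stand-in key derivation (assumption: HMAC-SHA-256 over a label and
    length-prefixed context fields; the real 3GPP KDF differs in detail)."""
    mac = hmac.new(key, digestmod=hashlib.sha256)
    mac.update(label.encode())
    for field in context:
        mac.update(len(field).to_bytes(2, "big") + field)
    return mac.digest()


def umts_keys(k: bytes, rand: bytes) -> dict:
    """UMTS: CK/IK come out of AKA and carry no serving-network or RNC
    context, so the same pair is handed to whichever RNC serves the UE."""
    return {"CK": kdf(k, "f3", rand), "IK": kdf(k, "f4", rand)}


def enb_link_keys(k_enb: bytes) -> dict:
    """Keys the eNodeB actually holds for RRC and user-plane protection;
    they are derived from KeNB and never from KASME directly."""
    return {
        "K_RRCenc": kdf(k_enb, "RRC-enc"),
        "K_RRCint": kdf(k_enb, "RRC-int"),
        "K_UPenc": kdf(k_enb, "UP-enc"),
    }


def lte_keys(k: bytes, rand: bytes, serving_network: str, nas_count: int) -> dict:
    """LTE: KASME is bound to the serving network identity, KeNB to the NAS
    uplink count, and the eNodeB-side keys hang below KeNB. A key captured
    at one eNodeB therefore reveals nothing about KASME or about other
    serving networks."""
    ck = kdf(k, "f3", rand)
    ik = kdf(k, "f4", rand)
    k_asme = kdf(ck + ik, "KASME", serving_network.encode())
    k_enb = kdf(k_asme, "KeNB", nas_count.to_bytes(4, "big"))
    return {
        "KASME": k_asme,
        "KeNB": k_enb,
        "K_NASenc": kdf(k_asme, "NAS-enc"),
        "K_NASint": kdf(k_asme, "NAS-int"),
        **enb_link_keys(k_enb),
    }


def handover_keNB(k_enb: bytes, target_pci: int, target_earfcn: int) -> bytes:
    """Simplified horizontal handover derivation: the target cell identity
    (PCI, downlink EARFCN) is mixed in, so each eNodeB ends up with its own
    KeNB*. The real procedure can also chain through NH/NCC values supplied
    by the MME (vertical derivation); that part is omitted here."""
    return kdf(k_enb, "KeNB*", target_pci.to_bytes(2, "big"),
               target_earfcn.to_bytes(2, "big"))


if __name__ == "__main__":
    # Constructed subscriber key and AKA challenge, for illustration only.
    K, RAND = bytes(range(16)), bytes(range(16, 32))
    print("UMTS CK identical for any serving network:",
          umts_keys(K, RAND) == umts_keys(K, RAND))
    a = lte_keys(K, RAND, "SN-A", 0)
    b = lte_keys(K, RAND, "SN-B", 0)
    print("LTE KASME differs per serving network:", a["KASME"] != b["KASME"])
    after_ho = enb_link_keys(handover_keNB(a["KeNB"], 7, 1800))
    print("LTE RRC key differs after handover:",
          after_ho["K_RRCenc"] != a["K_RRCenc"])
```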

B. Femtocells

As defined by the Femto Forum [10], a non-profit membership organization supported by different standardization bodies and equipment manufacturers, femtocells are low-power wireless access points that operate in licensed spectrum to connect standard mobile devices to a mobile operator’s network using residential DSL or cable broadband connections. The main differences with respect to traditional base stations, such as (e)NodeBs, are the following. Femtocells are
• installed by users at their own premises, without the involvement of authorized operator’s technicians,
• user-friendly and low-cost devices,
• connected to the operator’s network through a public (insecure) connection, provided by a potentially different service provider.

From a mobile device’s perspective, being connected to a (e)NodeB or a femtocell is equivalent, because the protocols and security standards used at the air interface are exactly the same. From a malicious user’s point of view, on the contrary, it makes a substantial difference because for a malicious user it is much easier to tamper with a small and low-cost (£160 [11]) femtocell than it could be with a bigger device located on a rooftop. Moreover, as the traffic between the femtocell and core network goes through the Internet, new and previously unseen attacks become possible. We discuss the issue in Section III.

C. Core Network

(Figure 1: image not reproduced. Components shown: GPRS Network (UMTS) side with NodeB, Radio Network Controller (RNC), Serving GPRS Support Node (SGSN), Gateway GPRS Support Node (GGSN), Home Location Register and Visited Location Register; Evolved Packet System (LTE) side with eNodeB, Mobility Management Entity (MME), Serving Gateway (SGW), Packet Data Network Gateway and Home Subscriber Server; on both sides a Femtocell connected through the Internet to a Femto Gateway, and external networks. Legend: control + user data, user data, control signalling.)

Figure 1. Simplified UMTS and LTE network architectures.

The core network components of both UMTS and LTE, shown in Figure 1 (middle), are responsible for the storage of subscriber information, billing, mobility management, authentication/authorization and routing of user data to its destination. Without this infrastructure, the calls and data services cannot be successfully established. Usually, the core network is protected from external access by firewalls located at its edges, and both LTE and UMTS have security measures in place to thwart malicious attacks on core components. Inside the core network, encryption is not specified for UMTS and not mandatory for LTE, although the IP interfaces in LTE can be protected by using IPSec secure connections among the RAN and CN components. In practice, as LTE supports interconnections with non-3GPP networks such as WiMax and WiFi, IPSec tunnels are used inside the core network to protect the confidentiality of information. Integrity, on the contrary, is not protected for performance reasons [12].

Compared to UMTS, the CN of LTE has a “flatter” architecture, meaning that there are fewer relays between source and destination. As a consequence, the eNodeBs are now able to perform radio spectrum management and handover processing without involving upper layer devices, as opposed to UMTS. We can see this difference in Figure 1, as the links that are present among eNodeBs are absent among NodeBs.

III. SECURITY AND PRIVACY CHALLENGES

In the following sections, we develop two arguments relevant to security and privacy in mobile networks. First, we present the current mechanisms used to ensure the privacy of the user’s permanent identity on the air interface through temporary identifiers. We claim that by increasing the number of base stations in order to boost data-rates and signal quality, tracking and identifying users could become much easier and cheaper thanks to femtocells. Second, we develop a game-theoretic model to represent a possible security scenario for the upcoming deployment of femtocells and their core network components, the femtocell gateways. ISPs and mobile operators make decisions on the security demand/offer for the femtocell infrastructure by considering distributed denial of service (DDoS) attacks on femtocell gateways.

IV. RELATED WORK

There has been some recent work in the area of location and identity privacy protection in cellular networks. In [13], De Mulder et al. use real cellular location traces to de-anonymize subscribers, leveraging on first-order Markov chains to model and predict movements of users based on partially available previous location traces. Køien and Oleshchuk [14] develop a novel authentication protocol, PP3WAKA, for UMTS systems in a way to preserve the location privacy of the subscriber vis-à-vis the home network. By using a 3-way authentication scheme among UE, Serving Network and Home Network, their protocol derives medium and short term security associations while providing location privacy with respect to the home network.

However, as the two studies do not provide solutions to privacy issues on the radio interface, we explored the solutions that the research community developed for MANETs. Our intent is to leverage on the state of the art in the latter to suggest a cellular-network-friendly scheme for identity and location privacy.

On the security front, DDoS attacks are a well-known phenomenon for large companies hosting a multitude of web servers scattered around the globe, such as eBay, Amazon or Yahoo [15]. In order to deal with such attacks in a systematic way, Mirkovic [16] proposes a general classification of attacks and defense mechanisms, such that system developers and researchers can better observe and react to the inherently different attacks by exploiting their common traits. If the detection of ongoing DDoS attacks is best performed at the victim site, the suppression mechanisms are most effective near the source, as it is possible to filter the malicious traffic from the genuine connections and prevent the former from even reaching and saturating the final link with the target. This idea has been investigated in several studies ([17], [18], [19], [20]) suggesting that a distributed solution is better suited against large-scale DDoS attacks than one localized only at the final link with the target. The requirement is that different ISPs are able and willing to cooperate in order to provide protection, and the authors agree that a failure to reach an agreement could jeopardize the effectiveness of their solutions. Only in [20] is more than one ISP strictly required to implement the solution; otherwise even a single ISP would be able to ensure a partial level of protection.

One work that specifically aims at femtocells and mobile operators is [21], where femtocell gateways are the targets of DDoS attacks perpetrated with the intent to extort money from mobile operators. The authors manage to obtain real prices for such attacks but fail to illustrate any countermeasures that make use of the specific features of femtocell networks, such as the need for femtocells to be located in geographic regions where the mobile operator has the right to use the spectrum. Our DDoS defense scheme presents a model that leverages on incentives that cooperation among ISPs could bring both to them and to mobile operators.

V. IDENTITY AND LOCATION PRIVACY

UMTS and LTE standards mandate the use of temporary identifiers to address mobile devices on the air interface, whenever a service is requested. The issue of identity confidentiality protection was already raised in the early GSM networks and the solution that has been adopted ever since has been updated but never substantially revisited.

A (P)-TMSI, or (Packet-)Temporary Mobile Subscriber Identity, is the way mobile subscribers are identified over the air on packet/circuit-switched mobile networks in GSM and UMTS [22]. LTE uses a very similar concept called GUTI, the Globally Unique Temporary Identity [23]. These are attributed only after a successful authentication procedure, which takes place only when the network has the means to identify the home network of the mobile subscriber wishing to access the serving network. If the serving network has no valid credentials of the mobile user, it must establish the user identity and verify its rights before granting any service. This is done by asking the mobile subscriber for its permanent identity (or IMSI, the International Mobile Subscriber Identity), which is sent in cleartext by the mobile device. Once the serving network obtains the authentication information for the mobile subscriber, the mutual authentication procedure is executed and the subscriber is eventually given a TMSI (or GUTI) and allowed to use the network.

(Figure 2: image not reproduced; labels shown along the user’s path: Pseudo A, Pseudo B, Pseudo C, Pseudo D.)

Figure 2. Improved use of temporary identifiers in cellular mobile networks, based on base station beacon message density and low-range sensing of local devices. The blue discs represent real UMTS or GSM base station placements.

Even though subscribers are given temporary identities for using the network, the issues of identity privacy and location tracking are still open. TMSIs (or GUTIs) are usually unchanged in a given location (or tracking) area, which is composed of up to a hundred adjacent cells. Considering a real UMTS network base station deployment in the city of Geneva (Figure 2), it is likely that a mobile user would have the same temporary identity while moving from one place to the other as shown in the figure. Not only would it be possible for malicious users to track the movements of mobile subscribers, but low-cost femtocells would allow an unprecedented precision as well. One might think about the implications for curious employers that are eager to know whether an employee is going to a competitor, or for governmental agencies willing to track people without an authorization.

A solution that would help overcome the limits of the infrequent and static assignment of temporary identifiers in cellular networks would consist in adapting the assignment of the IDs to the current context. This would require the mobile phones to dynamically decide when to change identifier, based on their own observation of the surroundings, thus moving from a network-controlled to a user-triggered ID change. In the example of Figure 2, this could be represented by the assignment of different temporary IDs while the user is moving from west to east in the densely covered area of Geneva.

In this sense, there has been substantial work in MANETs regarding the use and change of temporary identifiers, or pseudonyms, to protect the location privacy of the mobile nodes. One concept that has been extensively studied is that of a mix zone [24], a region where mobile devices change pseudonyms and where their location cannot be monitored, such that the adversary is not able to link the previous with the new pseudonym for each node exiting the mix zone. A further optimization of the placement of such zones has been performed by Freudiger et al. [25], who maximized the effectiveness of mix zones by placing them in strategic places with “high node density and unpredictable mobility”.

When planning a cellular network, mobile operators have to decide where and how many base stations to install, in order to provide an optimal trade-off between service quality, availability and cost. A densely populated area, such as the center of Geneva, will have many more cells than a rural area with a lower population density. As each cell has a unique cell ID, a mobile device is able to assess whether the current location has a high cell density or not by reading the cell broadcast messages. Moreover, the majority of recent feature phones and smartphones is equipped with Bluetooth radio technology for low-range ad hoc connectivity. Combined with the cell ID broadcast messages, Bluetooth can be used to determine more precisely the number of neighboring devices and trigger the coordinated temporary ID (or pseudonym) change.

Although this would enhance subscriber privacy, it would do so with increased traffic on the mobile network. As currently each new pseudonym assignment requires, in normal operation, two message exchanges over the air [5], the extra traffic load grows linearly with the number of mobile devices in a given area. One way to overcome the issue would be to aggregate multiple pseudonym messages on the downlink (network → mobile device) and to broadcast only one such message, encrypting each pseudonym with the already established individual session keys.

The straightforward scheme to enhance identity and location privacy in cellular networks that we suggested uses both the existing infrastructure and the ad hoc connections (Bluetooth, WiFi) among devices. Although it would be possible to integrate this scheme in the existing smartphones with just a software update, the main challenge is to adapt the already established and costly infrastructure components. Further research is therefore envisaged in combined infrastructure/ad hoc identity management in cellular networks that would take advantage of the existing radio technologies.
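The two building blocks of the scheme sketched in this section, as an added example that is not code from the paper: a UE-side trigger that fires only where cell-ID density and the Bluetooth neighbour count are both high enough to mix with other devices, and the aggregated downlink broadcast that carries one fresh pseudonym per UE, each encrypted under that UE’s existing session key. The thresholds, the session keys and pseudonyms, and the cipher (an HMAC-SHA-256 keystream with a MAC, standing in for an LTE algorithm) are all assumptions; the per-UE slot label is derived from the session key so the broadcast does not index its entries by the old TMSI.

```python
import hashlib
import hmac
import os


def should_change_pseudonym(cell_ids_seen, bt_neighbours, min_cells=4, min_neighbours=3):
    """UE-side trigger: change only where coverage is dense (many distinct
    cell IDs heard in broadcast messages) and enough nearby devices exist
    to mix with. Threshold values are assumed, not from the paper."""
    return len(set(cell_ids_seen)) >= min_cells and bt_neighbours >= min_neighbours


def _keystream(key, nonce, length):
    # Stand-in stream cipher: HMAC-SHA-256 in counter mode.
    out, counter = b"", 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def _seal(key, nonce, plaintext):
    ct = bytes(a ^ b for a, b in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    tag = hmac.new(key, b"mac" + nonce + ct, hashlib.sha256).digest()[:8]
    return ct + tag


def _open(key, nonce, blob):
    ct, tag = blob[:-8], blob[-8:]
    expected = hmac.new(key, b"mac" + nonce + ct, hashlib.sha256).digest()[:8]
    if not hmac.compare_digest(tag, expected):
        return None  # forged or not addressed to this key
    return bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct))))


def _slot_label(key, nonce):
    # Per-UE label derived from the session key: an eavesdropper sees
    # opaque labels rather than a list of old TMSIs being renewed.
    return hmac.new(key, b"label" + nonce, hashlib.sha256).digest()[:4]


def build_broadcast(session_keys, new_pseudonyms, nonce=None):
    """Network side: one downlink message for every UE in the area.
    session_keys and new_pseudonyms map old TMSI -> bytes."""
    nonce = nonce or os.urandom(8)
    entries = {}
    for old_tmsi, key in session_keys.items():
        entries[_slot_label(key, nonce)] = _seal(key, nonce, new_pseudonyms[old_tmsi])
    return {"nonce": nonce, "entries": entries}


def recover_pseudonym(session_key, broadcast):
    """UE side: find its own slot and decrypt it; None if absent or forged."""
    nonce = broadcast["nonce"]
    blob = broadcast["entries"].get(_slot_label(session_key, nonce))
    return None if blob is None else _open(session_key, nonce, blob)


if __name__ == "__main__":
    # Constructed sample: dense downtown scan vs. a sparse suburban one.
    print(should_change_pseudonym([11, 12, 13, 14, 15], bt_neighbours=5))  # True
    print(should_change_pseudonym([11, 11, 12], bt_neighbours=5))          # False
    keys = {b"T1": b"k" * 16, b"T2": b"q" * 16}          # constructed session keys
    fresh = {b"T1": b"P1-new", b"T2": b"P2-new"}         # constructed pseudonyms
    bc = build_broadcast(keys, fresh)
    print(recover_pseudonym(keys[b"T1"], bc), recover_pseudonym(b"z" * 16, bc))
```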

VI. LOCATION-AWARE FEMTOCELL DDOS DEFENSE

One important security issue of current and next generation cellular networks will be related to the use of femtocells in order to provide better signal quality, service availability and data-rates to the subscribers. If, on one hand, this seems to be a very palatable solution for mobile operators as it avoids investments on the backbone connection, on the other hand the exposure to the public Internet has severe drawbacks. One of them is the public IP address that each femtocell gateway would be assigned, and to which tens of thousands of femtocells would connect. DoS attacks are usually carried out against a service running on a specific IP address in order to deny access to legitimate users and cause damage to the service owner. A distributed DoS (DDoS) attack has the same goal but it is usually much more difficult to prevent, as it exploits a great number of zombie computers to generate apparently legitimate connections to the given IP address. It is clear that if the gateways were to suffer intense DDoS attacks, customers would not be able to connect to them anymore and would not get the service they are paying for. Ultimately, they could also change their mobile operator.

(Figure 3: image not reproduced; labels shown: Femtocell GW, Attacker, ISP border router.)

Figure 3. DDoS attack scenario on a femtocell gateway operated by a Swiss mobile operator. The border routers, possibly owned by different ISPs, protect the gateway by either cooperating with each other or by allowing a single ISP i to install its own protection mechanisms at their sites.

In this section, we develop a game-theoretic model for the defense against DDoS attacks coming from outside of a given region/country. The idea is based on the fact that femtocells are allowed to operate only in specific regions/countries where the mobile operator has the license to operate in a given radio spectrum. As a consequence, any attempt to connect to a femtocell gateway from outside that region will not succeed in any case, thus there is no need to route the traffic to the gateway if it comes from outside the allowed region. This way, the mobile operator can continue to serve legitimate users without providing resources to foreign malicious attackers.

Our intent is not to provide a bullet-proof protection against any DDoS attack but rather to substantially limit the damage that could result from massive DDoS attacks coming from outside a specific region/country. Figure 3 shows a possible attack scenario on a Swiss femtocell gateway.

In the next subsections, we describe the system model and the corresponding game-theoretic analysis.

A. System Model

We assume that in a specific region/country R, there is a mobile operator facing the decision whether to protect its femtocell gateways against DDoS attacks (coming from outside of R) or not. This protection can be provided by the ISPs present in R, such that the defense is not concentrated at the final link with the femtocell gateway but rather at the edges of R. This would enable transparent access to the femtocell gateways from inside R and put the first line of defense against external DDoS attacks closer to their sources.
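The edge-of-region rule described above, as an added example that is not code from the paper: at an ISP border router, packets destined to the femtocell-gateway prefix are forwarded only when the source address maps to region R, while all other traffic passes untouched, so the filter stays transparent to everyone except gateway-bound traffic from outside R. The prefix-to-region table, the gateway prefix and the flows are constructed sample data (documentation address ranges), not real allocations, and zombies located inside R are deliberately not caught, exactly as the text's scope states.

```python
import ipaddress

# Constructed mapping of source prefixes to regions (stand-in for the
# ISP's own geolocation or allocation data). "XX" is any region outside R.
REGION_TABLE = {
    ipaddress.ip_network("198.51.100.0/24"): "CH",
    ipaddress.ip_network("192.0.2.0/24"): "XX",
}

# Constructed prefix on which the operator's femtocell gateways live.
FEMTO_GW_PREFIX = ipaddress.ip_network("203.0.113.0/24")


def region_of(src: str):
    """Longest-match lookup of the source address; None if unknown."""
    addr = ipaddress.ip_address(src)
    best = None
    for net, region in REGION_TABLE.items():
        if addr in net and (best is None or net.prefixlen > best[0]):
            best = (net.prefixlen, region)
    return None if best is None else best[1]


def border_decision(src: str, dst: str, allowed_region: str = "CH") -> str:
    """Per-packet decision at the border router: 'forward' or 'drop'.
    Only gateway-bound traffic is subject to the regional rule. Unknown
    origins are dropped for gateway traffic, since a femtocell that cannot
    be placed inside R is not allowed to operate there anyway."""
    if ipaddress.ip_address(dst) not in FEMTO_GW_PREFIX:
        return "forward"
    return "forward" if region_of(src) == allowed_region else "drop"


def apply_filter(flows, allowed_region: str = "CH") -> dict:
    """Run the rule over (src, dst) pairs and count what reaches the
    gateway link versus what is stopped at the edge of R."""
    stats = {"gw_forwarded": 0, "gw_dropped": 0, "other_forwarded": 0}
    for src, dst in flows:
        if ipaddress.ip_address(dst) not in FEMTO_GW_PREFIX:
            stats["other_forwarded"] += 1
        elif border_decision(src, dst, allowed_region) == "forward":
            stats["gw_forwarded"] += 1
        else:
            stats["gw_dropped"] += 1
    return stats


# Constructed sample traffic: two in-region subscribers reaching their
# gateway, three foreign zombies aimed at it, and two unrelated flows.
SAMPLE_FLOWS = [
    ("198.51.100.7", "203.0.113.10"),
    ("198.51.100.8", "203.0.113.10"),
    ("192.0.2.9", "203.0.113.10"),
    ("192.0.2.10", "203.0.113.10"),
    ("192.0.2.11", "203.0.113.11"),
    ("192.0.2.12", "10.0.0.5"),
    ("198.51.100.9", "10.0.0.5"),
]

if __name__ == "__main__":
    print(apply_filter(SAMPLE_FLOWS))
```

An ISP that cooperates with the others would apply the same rule at each border router; one that protects alone applies it only at its own edges, which is why the paper ties the cost to that ISP's traffic share.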

We assume that an ISP could either provide protection by cooperating with other ISPs, on its own or not protect at all. If an ISP cooperates with others in order to provide protection, then it can lower its costs by sharing them with the other parties. In this case, it also gets only a share of the benefits (provided by the mobile operator) to compensate for the extra costs of setting up the protection mechanisms. If an ISP protects the mobile operator on its own, it gets all the benefits but has a greater cost as well, depending on its current Internet traffic share. If an ISP does not provide protection, it does not get any benefits but, at the same time, it does not bear any additional cost.

B. Threat Model

We assume that a large number of zombie terminals are used in order to perpetrate DDoS attacks on the femtocell gateways. They have real IP addresses and can perform more sophisticated connection procedures than DoS attackers. This is motivated by the fact that they are able to handle simple preliminary challenge-response mechanisms and thus appear relatively similar to legitimate users.

C. Game Theoretic Analysis

We model the DDoS defense problem as a Stackelberg dynamic game of complete information. The leader (mobile operator) chooses its strategy first and then the followers (ISPs), knowing the strategy of the leader, select their own strategies in order to maximize their payoffs. Once the leader has chosen its strategy, the followers play the game in a simultaneous fashion, i.e. all ISPs select their strategies at the same time. Hereafter we detail the players, strategies and payoffs of the game. Figure 4 illustrates the game in its extensive form.

1) Players: The set of players is P = {Op, ISP_1, ..., ISP_n}, where
• Op is the mobile operator and leader of the game
• ISP_1, ..., ISP_n are the different ISPs (followers) that could provide protection to Op

2) Strategies: The set of strategies is S = {S_Op, S_ISP}, where
• S_Op = {Protected, Vulnerable} = {P, V} is the choice of the mobile operator to be either protected against DDoS attacks or to remain vulnerable
• S_ISP = {Alone, Cooperate, Nothing} = {A, C, N} are the possible choices for any ISP to either provide the protection alone, i.e. without any cooperation with other ISPs, to cooperate with other ISPs or not to provide any protection at all

Note that the mobile operator could also be an ISP.

3) Payoffs:

a) Mobile Operator: The mobile operator's payoffs u_Op are defined in the following way:

$$u_{Op} = \begin{cases} b_{prot} - c_{prot} & \text{if } s_{Op} = P \\ -c_{att} & \text{if } s_{Op} = V \end{cases} = \begin{cases} c_{att} \sum_{j\ \text{protecting}} (\alpha_j + \mu_j) - c_{att} \cdot \rho & \text{if } s_{Op} = P \\ -c_{att} & \text{if } s_{Op} = V \end{cases}$$

where
• c_att > 0 is the attack induced cost (could be a function of the annual revenue of the mobile operator)
• 0 ≤ α_j ≤ 1 is the overall Internet traffic share of ISP j for a given region/Country
• 0 ≤ µ_j ≤ 1 is the share of femtocell subscribers of the mobile operator Op connected to Internet via ISP j
• 0 ≤ ρ ≤ 1 is the percentage of risk for which the mobile operator wants to be assured by the ISP(s).

Table I
LIST OF SYMBOLS.

SYMBOL | DEFINITION
b_prot = c_att ∑_{j protecting} (α_j + µ_j) | Benefit for the mob. op. for being protected against DDoS attacks
b_tot = c_prot | Benefit for the ISP providing protection on its own
b_{j,coop} = α_j · b_tot | Benefit for ISP j providing protection when cooperating
c_att | Cost of the DDoS attack for the mob. op.
c_{j,al} = c_att (1 − α_j) f(µ_j) | Cost for ISP j providing protection on its own
c_{j,coop} = c_att (α_j − (1/P) ∑_{p≠j | s_p=C} α_p) | Cost for ISP j providing protection when cooperating
c_prot = ρ · c_att | Cost for the mob. op. for being protected against DDoS attacks
Op | Subscript used for the mob. op.
j | Subscript used for ISP j
α_j | % of Internet traffic routed by ISP j
µ_j | % of femtocell subscribers of the mob. op. connected to Internet through ISP j
f(µ_j) | Positive, convex and decreasing function
ρ | % of risk that the mob. op. wants to be assured

All relevant symbols are defined in Table I.

b) ISPs - Case A: For an ISP j, if $\alpha_j + \sum_{i \neq j \mid s_i = C} \alpha_i \geq \rho$, i.e. when the joint effort of the ISPs could cover the risk of the mobile operator, each ISP j has the following payoff function u_j:

$$u_j = b_j - c_j = \begin{cases} b_{tot} - c_{j,al} & \text{if } s_j = A \\ b_{j,coop} - c_{j,coop} & \text{if } s_j = C \\ 0 & \text{if } s_j = N \end{cases} = \begin{cases} c_{prot} - c_{att}(1 - \alpha_j) f(\mu_j) \\ \alpha_j \cdot b_{tot} - c_{att}\left(\alpha_j - \frac{1}{P} \sum_{i \neq j \mid s_i = C} \alpha_i\right) \\ 0 \end{cases} = \begin{cases} c_{att}\left(\rho - (1 - \alpha_j) f(\mu_j)\right) \\ c_{att}\left(\alpha_j(\rho - 1) + \frac{\sum_{i \neq j \mid s_i = C} \alpha_i}{P}\right) \\ 0 \end{cases}$$

where f(µ_j) is a positive, decreasing convex function and P is the number of cooperating ISPs, i.e. P = |{j | s_j = C}|.

c) ISPs - Case B: For an ISP j, if $\alpha_j + \sum_{i \neq j \mid s_i = C} \alpha_i < \rho$, i.e. when the joint effort of the ISPs cannot cover the risk of the mobile operator, then the payoff u_j of each ISP j is:

$$u_j = b_j - c_j = \begin{cases} b_{tot} - c_{j,al} & \text{if } s_j = A \\ b_{tot} - c_{j,al} - \varepsilon & \text{if } s_j = C \\ 0 & \text{if } s_j = N \end{cases} = \begin{cases} c_{att}\left(\rho - (1 - \alpha_j) e^{-\mu_j}\right) \\ c_{att}\left(\rho - (1 - \alpha_j) e^{-\mu_j}\right) - \varepsilon \\ 0 \end{cases}$$


Figure 4. Extensive form representation of the Stackelberg DDoS defense game. (Game tree: the Mobile Operator first chooses P or V; then ISP 1, ISP 2, ISP 3, ..., ISP n each choose among A, C and N.)

where ε > 0. This would de facto render the C strategy non-rational for any player, leaving them the choice only between A or N.

D. Best Response Strategies

Based on the payoffs, we present the best response strategies for the mobile operator Op and any ISP j, ∀j = 1 ... n.

1) Mobile Operator Op: The best response strategy for the mobile operator is:

$$br_{Op}(s_{-Op}) = \begin{cases} P & \text{if } \sum_{j\ \text{protecting}} (\alpha_j + \mu_j) > \rho - 1 \\ V & \text{otherwise} \end{cases} \quad (1)$$

That is, the mobile operator wants to be protected as soon as any of the ISPs offering protection has some traffic share, which is always the case.

2) ISPs - Case A: $\sum_{i \neq j \mid s_i = C} \alpha_i + \alpha_j \geq \rho$: We show a detailed derivation for the best response strategy of any ISP j for the Case A:

$$br_j(s_{-j}) = \begin{cases} A & \text{if } u_j(s_j = A) > u_j(s_j = C) \wedge u_j(s_j = A) > u_j(s_j = N) \rightarrow \text{(i)} \\ C & \text{if } u_j(s_j = C) > u_j(s_j = A) \wedge u_j(s_j = C) > u_j(s_j = N) \rightarrow \text{(ii)} \\ N & \text{otherwise} \end{cases}$$

We now compute the conditions on α_j for the two cases (i) and (ii).

(i) $u_j(s_j = A, s_{-j}) > u_j(s_j = C, s_{-j})$

$$\rho - (1 - \alpha_j) f(\mu_j) > \alpha_j(\rho - 1) + \frac{\sum_{i \neq j \mid s_i = C} \alpha_i}{P}$$

$$\alpha_j > \frac{\frac{\sum_{i \neq j \mid s_i = C} \alpha_i}{P} - \rho + f(\mu_j)}{1 - \rho + f(\mu_j)} = \tau_1$$

$u_j(s_j = A, s_{-j}) > u_j(s_j = N, s_{-j})$

$$\rho - (1 - \alpha_j) f(\mu_j) > 0$$

$$\alpha_j > \frac{f(\mu_j) - \rho}{f(\mu_j)} = 1 - \frac{\rho}{f(\mu_j)} = \tau_2$$

Summing up, we have that

$$br_j(s_{-j}) = A \quad \text{if } \alpha_j > \max(\tau_1, \tau_2)$$

(ii) $u_j(s_j = C, s_{-j}) > u_j(s_j = A, s_{-j})$

$$\alpha_j < \tau_1$$

$u_j(s_j = C, s_{-j}) > u_j(s_j = N, s_{-j})$

$$\alpha_j(\rho - 1) + \frac{\sum_{i \neq j \mid s_i = C} \alpha_i}{P} > 0$$

$$\alpha_j < \frac{\frac{\sum_{i \neq j \mid s_i = C} \alpha_i}{P}}{1 - \rho} = \tau_3$$

Summing up, we have that

$$br_j(s_{-j}) = C \quad \text{if } \alpha_j < \min(\tau_1, \tau_3)$$

a) Results - ISPs - Case A: The best response strategy for any ISP j, under Case A, is

$$br_j(s_{-j}) = \begin{cases} A & \text{if } \alpha_j > \max(\tau_1, \tau_2) \\ C & \text{if } \alpha_j < \min(\tau_1, \tau_3) \\ N & \text{otherwise} \end{cases} \quad (2)$$

3) ISPs - Case B: $\sum_{i \neq j \mid s_i = C} \alpha_i + \alpha_j < \rho$: We present here only the final results for the best response strategy of any ISP j under Case B. The detailed computations are analogous to Case A.

$$br_j(s_{-j}) = \begin{cases} A & \text{if } \alpha_j > \tau_2 \\ N & \text{otherwise} \end{cases} \quad (3)$$


Figure 5. Initial conditions for the two numerical examples of the DDoS defense game (bar charts of α and µ per ISP; the values below are those recovered from the figure data).

(a) Game 1 initial conditions, ρ = 0.5.

      ISP 1   ISP 2
α     0.4     0.2
µ     0.7     0.2

(b) Game 2 initial conditions, ρ = 0.9.

      ISP 1   ISP 2
α     0.7     0.2
µ     0.3     0.1

Given the best response strategies, we now propose two example games and compute the related Stackelberg Nash equilibria.

E. Numerical Evaluation

In order to gain better insight into the practical implications of the previous results, we show hereafter two example games between one mobile operator and two ISPs, with the input parameters as in Figure 5. Moreover, we assume that f(µ_j) = e^{−µ_j}, as it fulfills the requirements specified in Section VI-C3, ∀ 0 ≤ µ_j ≤ 1.

1) Game 1: The best response strategies for ISP 1 and ISP 2 are:

ISP1: br(N) = A, br(A) = A, br(C) = A
ISP2: br(N) = N, br(A) = N, br(C) = C

Therefore, the unique pure strategy Nash equilibrium is s* = (A, N), where ISP 1 provides protection to the mobile operator on its own and ISP 2 does not contribute. In this game, the risk factor is moderate (ρ = 0.5). We see that ISP 1 has a substantial traffic share and an even greater femtocell subscriber base while ISP 2, on the contrary, has relatively small traffic and femtocell subscriber shares. As the cost for providing protection for ISP 2 would not justify the investment, it would prefer not to invest at all and leave that to ISP 1.

2) Game 2: The best response strategies for ISP 1 and ISP 2 are:

ISP1: br(N) = A, br(A) = A, br(C) = A
ISP2: br(N) = A, br(A) = A, br(C) = N

The unique pure strategy Nash equilibrium is s* = (A, A), where both ISP 1 and ISP 2 want to provide protection on their own, without cooperating with the competing ISP. In this game, the risk factor is very high (ρ = 0.9) and ISP 1 has a very substantial traffic share but a relatively small femtocell subscriber base. ISP 2 has a relatively small traffic share and an even smaller femtocell subscriber base. Nevertheless, ISP 2 would prefer to compete with ISP 1 in order to be the exclusive partner of the mobile operator for its protection.

This could perhaps be explained by the fact that both ISPs have a relatively small femtocell subscriber base (compared to their traffic shares) and thus they would both try to increase their benefits by stipulating an exclusive agreement with the mobile operator, given that neither one of them already has a strong femtocell subscriber share. The main difference between the two ISPs would then be the amount of resources that they are willing and able to invest for the protection. The "small" ISP 2 might not have enough resources to ultimately get the deal with the mobile operator, who might choose ISP 1 instead. The greater traffic share of ISP 1 might convince the mobile operator that the deal with ISP 1 could have better guarantees and assurance for a lasting agreement, without any negative and sudden changes.

Even with this explanation, the issue of the choice between ISP 1 and ISP 2 still remains. One way to address this could be to take into account other parameters, such as the annual revenue of the ISPs and Service Level Agreements, in the payoff functions; otherwise, a more thorough formulation and the subsequent optimization of the payoff functions could lead to cooperation rather than competition.
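As an added worked example (not code from the report), the following Python script implements the ISP payoffs of Section VI-C3 and the best responses of Section VI-D with f(µ_j) = e^{−µ_j}, then enumerates the pure-strategy equilibria of the ISP subgame for the two games of Figure 5; it reproduces s* = (A, N) for Game 1 and s* = (A, A) for Game 2. Assumptions not stated in the report: c_att = 1, ε = 10^{−3}, P counts the deciding ISP itself, and ties are resolved to N as implied by the strict inequalities of (2).

```python
"""Stackelberg DDoS-defense game of Section VI, evaluated numerically.
Added example, not the report's code; f(mu) = exp(-mu) as in Section VI-E."""
import itertools
import math

EPS = 1e-3   # Case B penalty on cooperating; the report only requires eps > 0 (assumed)
TOL = 1e-9   # tolerance so that 0.7 + 0.2 >= 0.9 holds despite float rounding


def isp_payoff(j, profile, alpha, mu, rho, c_att=1.0):
    """u_j for ISP j under a strategy profile (tuple of 'A', 'C', 'N')."""
    coop_others = sum(alpha[i] for i, s in enumerate(profile) if i != j and s == 'C')
    case_a = alpha[j] + coop_others >= rho - TOL     # joint effort covers the risk rho
    u_alone = c_att * (rho - (1 - alpha[j]) * math.exp(-mu[j]))   # b_tot - c_{j,al}
    if profile[j] == 'N':
        return 0.0
    if profile[j] == 'A':
        return u_alone
    if case_a:                                        # b_{j,coop} - c_{j,coop}
        P = sum(1 for s in profile if s == 'C')       # cooperating ISPs, j included (assumed)
        return c_att * (alpha[j] * (rho - 1) + coop_others / P)
    return u_alone - EPS                              # Case B: C is dominated by A


def best_response(j, profile, alpha, mu, rho):
    """br_j(s_-j): the strictly best strategy, or 'N' when there is no strict winner."""
    payoffs = {}
    for s in ('A', 'C', 'N'):
        trial = list(profile)
        trial[j] = s
        payoffs[s] = isp_payoff(j, tuple(trial), alpha, mu, rho)
    top = max(payoffs.values())
    winners = [s for s, v in payoffs.items() if abs(v - top) < TOL]
    return winners[0] if len(winners) == 1 else 'N'


def operator_payoff(profile, alpha, mu, rho, protected=True, c_att=1.0):
    """u_Op: benefit from every protecting ISP minus c_prot when protected, else -c_att."""
    if not protected:
        return -c_att
    protecting = [j for j, s in enumerate(profile) if s != 'N']
    return c_att * sum(alpha[j] + mu[j] for j in protecting) - c_att * rho


def pure_nash_equilibria(alpha, mu, rho):
    """ISP profiles in which every ISP plays a best response to the others."""
    n = len(alpha)
    return [p for p in itertools.product('ACN', repeat=n)
            if all(best_response(j, p, alpha, mu, rho) == p[j] for j in range(n))]


GAMES = {  # initial conditions of Figure 5
    "Game 1": dict(alpha=[0.4, 0.2], mu=[0.7, 0.2], rho=0.5),
    "Game 2": dict(alpha=[0.7, 0.2], mu=[0.3, 0.1], rho=0.9),
}

if __name__ == "__main__":
    for name, g in GAMES.items():
        for eq in pure_nash_equilibria(**g):
            print(name, "equilibrium", eq, "u_Op(P) = %.3f" % operator_payoff(eq, **g))
```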

VII. CONCLUSION AND FUTURE WORK

LTE and femtocells are in their experimental and, respectively, first commercial phases. Combined together with an all-IP core architecture, they promise better service levels and data-rates than current 2G and 3G networks. In order to accommodate more users and to increase security, the standardization body (3GPP) has put more intelligence in the next generation base stations, enabling them to decide autonomously the radio channel characteristics (handover, power, channel assignment) for each user.

The security and privacy aspects are, nevertheless, addressed by the core network. Authorization, key and identity management in LTE are done by the mobility management entity (MME), in conjunction with the USIM card, where the long-term shared secret key is stored and used for the generation of different session keys specific to each serving network. The central role of the core network in the security features is beneficial on one hand, as it ensures that the trust relationship between subscriber and home network is safe, but on the other hand it impedes dynamic and mobile device controlled actions that could guarantee an even better privacy and security protection.

In this report, we have covered one privacy issue related to the identity management and one security aspect linked to the adoption of femtocell technology. We showed that by using femtocells, the temporary identity assignment might no longer be sufficient to fulfill its goals, as the capillary deployment of such low-cost and low-range equipment will make it much easier for malicious users to track the movements of subscribers with high precision. Ultimately, it would be easier to link the temporary to the permanent identity and thus to compromise the confidentiality guarantees that are specified in the standards. We showed that, by using peer-to-peer radio technologies that already exist on current handsets, the current state-of-the-art in MANET research could be applied to cellular networks, with a better over-the-air privacy for the end-user and without compromising the core network awareness.


The drawback is that the established standards would need to be revisited in light of the user-triggered ID change, and this could put a heavy demand on mobile operators worldwide, who might prefer not to invest in the update until their business begins to suffer, i.e. until their customers change operator.

Yet another problem that we highlighted with femtocells and the all-IP core network is the openness of the femtocell gateways to Internet-based DDoS attacks. By exploiting the location-specific features of femtocells, such as the location in which they are authorized to operate, we developed a model that could help to better understand the upcoming dynamics between ISPs and mobile operators. These entities might collaborate in order to ensure an efficient protection while, at the same time, enabling a transparent service for legitimate users. As it was a first attempt to strategically model interactions among mobile operators and ISPs in a specific Country, we acknowledge that our scheme still leaves some questions unanswered and would thus greatly benefit from further research.
