Dandelion - Revealing malicious groups of interest in large mobile networks

Abstract

There are an enormous number of security anomalies that occur across the Internet on a daily basis. These anomalies are typically viewed as individual security events that are manually analyzed in order to detect an attack and take action. Important characteristics of an attack may go unnoticed due to limited manual resources. Mobile attacks introduce further complexity by typically traversing multiple types of networks making correlation and detection even more challenging. In this paper, we propose a system Dandelion, which aims to automatically correlate individual security anomalies together to reveal an entire mobile attack campaign. The system also identifies previously unknown malicious network entities that are highly correlated. Our prototype system correlates thousands of network anomalies across both the SMS and IP networks of a large US tier-1 mobile service provider, reducing them to approximately 20∼30 groups of interest a day. To demonstrate Dandelion’s value, we show how our system has provided the critical information necessary to human analysts in detecting and mitigating previously unknown mobile attacks.