ITU-T X 1126-2017 Guidelines on mitigating the negative effects of infected terminals in mobile networks (Study Group 17).pdf

1、 I n t e r n a t i o n a l T e l e c o m m u n i c a t i o n U n i o n ITU-T X.1126 TELECOMMUNICATION STANDARDIZATION SECTOR OF ITU (03/2017) SERIES X: DATA NETWORKS, OPEN SYSTEM COMMUNICATIONS AND SECURITY Secure applications and services Mobile security Guidelines on mitigating the negative effect

2、s of infected terminals in mobile networks Recommendation ITU-T X.1126 ITU-T X-SERIES RECOMMENDATIONS DATA NETWORKS, OPEN SYSTEM COMMUNICATIONS AND SECURITY PUBLIC DATA NETWORKS X.1X.199 OPEN SYSTEMS INTERCONNECTION X.200X.299 INTERWORKING BETWEEN NETWORKS X.300X.399 MESSAGE HANDLING SYSTEMS X.400X.

3、499 DIRECTORY X.500X.599 OSI NETWORKING AND SYSTEM ASPECTS X.600X.699 OSI MANAGEMENT X.700X.799 SECURITY X.800X.849 OSI APPLICATIONS X.850X.899 OPEN DISTRIBUTED PROCESSING X.900X.999 INFORMATION AND NETWORK SECURITY General security aspects X.1000X.1029 Network security X.1030X.1049 Security managem

4、ent X.1050X.1069 Telebiometrics X.1080X.1099 SECURE APPLICATIONS AND SERVICES Multicast security X.1100X.1109 Home network security X.1110X.1119 Mobile security X.1120X.1139 Web security X.1140X.1149 Security protocols X.1150X.1159 Peer-to-peer security X.1160X.1169 Networked ID security X.1170X.117

5、9 IPTV security X.1180X.1199 CYBERSPACE SECURITY Cybersecurity X.1200X.1229 Countering spam X.1230X.1249 Identity management X.1250X.1279 SECURE APPLICATIONS AND SERVICES Emergency communications X.1300X.1309 Ubiquitous sensor network security X.1310X.1339 PKI related Recommendations X.1340X.1349 In

6、ternet of things (IoT) security X.1360X.1369 Intelligent transportation system (ITS) security X.1370X.1379 CYBERSECURITY INFORMATION EXCHANGE Overview of cybersecurity X.1500X.1519 Vulnerability/state exchange X.1520X.1539 Event/incident/heuristics exchange X.1540X.1549 Exchange of policies X.1550X.

7、1559 Heuristics and information request X.1560X.1569 Identification and discovery X.1570X.1579 Assured exchange X.1580X.1589 CLOUD COMPUTING SECURITY Overview of cloud computing security X.1600X.1601 Cloud computing security design X.1602X.1639 Cloud computing security best practices and guidelines

8、X.1640X.1659 Cloud computing security implementation X.1660X.1679 Other cloud computing security X.1680X.1699 For further details, please refer to the list of ITU-T Recommendations. Rec. ITU-T X.1126 (03/2017) i Recommendation ITU-T X.1126 Guidelines on mitigating the negative effects of infected te

9、rminals in mobile networks Summary Recommendation ITU-T X.1126 provides guidelines to mobile operators to restrain the infected terminals by utilizing technologies in the mobile network to protect both subscribers and mobile operators. This Recommendation describes the characteristics and effects of

10、 malicious software caused by unhealthy ecosystems in the mobile environment. Based on network-side technologies, this Recommendation focuses on mitigating the vicious effects caused by infected terminals. This Recommendation defines and organizes the mitigating measures and corresponding technologi

11、es. History Edition Recommendation Approval Study Group Unique ID* 1.0 ITU-T X.1126 2017-03-30 17 11.1002/1000/13194 Keywords Infection, malicious software, mobile network, terminal. * To access the Recommendation, type the URL http:/handle.itu.int/ in the address field of your web browser, followed

12、 by the Recommendations unique ID. For example, http:/handle.itu.int/11.1002/1000/11830-en. ii Rec. ITU-T X.1126 (03/2017) FOREWORD The International Telecommunication Union (ITU) is the United Nations specialized agency in the field of telecommunications, information and communication technologies

13、(ICTs). The ITU Telecommunication Standardization Sector (ITU-T) is a permanent organ of ITU. ITU-T is responsible for studying technical, operating and tariff questions and issuing Recommendations on them with a view to standardizing telecommunications on a worldwide basis. The World Telecommunicat

14、ion Standardization Assembly (WTSA), which meets every four years, establishes the topics for study by the ITU-T study groups which, in turn, produce Recommendations on these topics. The approval of ITU-T Recommendations is covered by the procedure laid down in WTSA Resolution 1. In some areas of in

15、formation technology which fall within ITU-Ts purview, the necessary standards are prepared on a collaborative basis with ISO and IEC. NOTE In this Recommendation, the expression “Administration“ is used for conciseness to indicate both a telecommunication administration and a recognized operating a

16、gency. Compliance with this Recommendation is voluntary. However, the Recommendation may contain certain mandatory provisions (to ensure, e.g., interoperability or applicability) and compliance with the Recommendation is achieved when all of these mandatory provisions are met. The words “shall“ or s

17、ome other obligatory language such as “must“ and the negative equivalents are used to express requirements. The use of such words does not suggest that compliance with the Recommendation is required of any party. INTELLECTUAL PROPERTY RIGHTSITU draws attention to the possibility that the practice or

18、 implementation of this Recommendation may involve the use of a claimed Intellectual Property Right. ITU takes no position concerning the evidence, validity or applicability of claimed Intellectual Property Rights, whether asserted by ITU members or others outside of the Recommendation development p

19、rocess. As of the date of approval of this Recommendation, ITU had not received notice of intellectual property, protected by patents, which may be required to implement this Recommendation. However, implementers are cautioned that this may not represent the latest information and are therefore stro

20、ngly urged to consult the TSB patent database at http:/www.itu.int/ITU-T/ipr/. ITU 2017 All rights reserved. No part of this publication may be reproduced, by any means whatsoever, without the prior written permission of ITU. Rec. ITU-T X.1126 (03/2017) iii Table of Contents Page 1 Scope . 1 2 Refer

21、ences . 1 3 Definitions 1 3.1 Terms defined elsewhere 1 3.2 Terms defined in this Recommendation . 1 4 Abbreviations and acronyms 1 5 Conventions 2 6 Framework and processes . 2 7 Discovery 3 7.1 Collection of applications and attack reports . 4 7.2 Analysis of infected terminals and known malicious

22、 software 4 7.3 Analysis of new malicious software . 4 8 Governing . 6 8.1 Governing measures . 7 8.2 Prevention . 7 8.3 Restriction . 8 9 Information sharing 8 Bibliography. 9 iv Rec. ITU-T X.1126 (03/2017) Introduction The rapid expansion and development of operating systems for mobile devices has

23、 created a large and vibrant market for the mobile industry. Around this valuable market, many ecosystems have grown to in order to take advantage of its benefits. However, the powerful capabilities of current mobiles could also be abused by malicious software to hack the vulnerabilities of terminal

24、s, as well as networks and services, causing great damage. Note that a healthy ecosystem should be promoted over a “closed garden“ in legacy mobile systems, to secure the mobile market and protect the benefits of all relevant partners. Healthy ecosystems have been successful in some countries. Note

25、also that mobile market ecosystems are highly diversified in some countries, although some of them are irresponsible, unhealthy or even dangerous. The negative effects of irresponsible ecosystems could cause great damage to mobile subscribers and networks, in addition to malicious software. Sometime

26、s, even mobile subscribers and networks in a healthy ecosystem can be affected by infected terminals, as most mobile Internet services are currently global. The potential risks of malicious software spreading primarily in irresponsible ecosystems are listed as follows. For subscribers: privacy theft

27、, e.g., eavesdropping and location tracking; asset loss, e.g., system malfunction and data destruction; malicious transaction and consumption, e.g., sending expensive messages and dialling international call centres; malicious software propagation to attack other terminals; sending spam to annoy oth

28、er subscribers; fraud and blackmail. For operators, attacks on network entities, mobile services and other terminals, include: occupation of massive resources of networks or mobile services, resulting in their compromise and subscriber complaints about quality of service; hijacking service hosts and

29、 even network entities. Malicious software brings more damaging effects to the mobile Internet than to the traditional wired Internet for following reasons. The mobile Internet is an emerging market, with a relatively slow development of the corresponding security mechanisms. Mobile terminals are of

30、ten the carriers of private and confidential business deals, which are highly attractive targets to the hackers. Mobile networks have fewer resources, and a flood-style attack consumes them more easily and heavily. Many mobile terminals are strongly coupled with their networks. Malicious service and

31、 privacy theft could lead to operator revenue loss, subscriber complaints and legal issues. Open or cracked mobile operating systems provide breeding grounds that are out of operator control for malicious software. Mobile terminals often have numerous data exchange interfaces, e.g., universal serial

32、 bus (USB), secure digital (SD) card slot, and Bluetooth, many of which operators cannot secure. In order to mitigate the damage from malicious software and to trace the sources of threats, it is vital to manage infected terminals on the network side, a responsibility and obligation of mobile operat

33、ors. Rec. ITU-T X.1126 (03/2017) 1 Recommendation ITU-T X.1126 Guidelines on mitigating the negative effects of infected terminals in mobile networks 1 Scope This Recommendation provides guidelines on mitigating the negative effects of infected terminals on the network side in mobile networks. This

34、Recommendation introduces a framework that organizes the guidelines according to processes. Furthermore, this Recommendation discusses the principles, policies and technologies in these processes. Conformance with this Recommendation is not to be taken as any proof of evidence for claiming complianc

35、e with any national or regional law, regulation or policy. The technical, organizational and procedural means described in this Recommendation do not in any way guarantee the constitution of any level of security that may be put upon certain correspondence by specific national or regional law, regul

36、ation or policy. 2 References None. 3 Definitions 3.1 Terms defined elsewhere This Recommendation uses the following terms defined elsewhere: 3.1.1 blacklist b-ITU-T X.1245: An identification list of persons or sources in communication services, where the identifications of the list are denied to ac

37、cess particular communication resources. 3.1.2 malware b-ITU-T X.1211: Malicious software designed specifically to damage or disrupt a system, attacking confidentiality, integrity and/or availability. NOTE Examples include: viruses, ransomware, spyware, adware and scareware. 3.1.3 mobile network b-I

38、TU-T X.1121: A network that provides wireless network access points to mobile terminals. 3.1.4 mobile terminal b-ITU-T X.1121: An entity that has wireless network access function and connects a mobile network for data communication with application servers or other mobile terminals. 3.1.5 spamming b

39、-ITU-T X.1244: A chain of activities carried out by spammers to send spam, such as collection of target lists, creation of spam, delivery of spam, etc. 3.2 Terms defined in this Recommendation This Recommendation defines the following term: 3.2.1 botnet: A group of compromised computer systems that

40、are infected with malicious software and connected in a coordinated fashion for malicious purposes without the owners knowledge, e.g., to transmit malicious software or spam, or to launch attacks. 4 Abbreviations and acronyms This Recommendation uses the following abbreviations and acronyms: App App

41、lication running on mobile terminals 2 Rec. ITU-T X.1126 (03/2017) API Application Programming Interface C samples of Apps from App stores or markets. 7.2 Analysis of infected terminals and known malicious software Some infected terminals can be identified from attack reports. Additional signature m

42、atching can assist in finding some new Apps that contain known malicious software. Analysis of infected terminals and known malicious software is used to locate malicious controllers hiding in the network. The Internet protocol (IP) addresses in the controlling packets of infected terminals require

43、analysis to identify IP sources that command infected terminals or collect the status of infected terminals. Dynamic analysis shall be adopted for known malicious software found in Apps to check whether there is any update by malicious controllers. 7.3 Analysis of new malicious software Based on the

44、 Apps obtained from App stores, new malicious software can be discovered by behaviour, static and dynamic analyses. 7.3.1 Malicious codes and executables analysis Static analysis: This approach is used to understand suspected malicious software at a syntactic level. For example, a mobile application

45、 can be disassembled by reverse-engineering techniques to get its manifest file (containing information about permissions that the application accesses) and source codes. By examining the manifest file and scanning the application programming interface (API) invoking characteristics, a number of mal

46、icious attempts can be recognized in terms of some typical detection policies: if any unnecessary and sensitive access privilege is permitted; if the network API is invoked to access malicious Internet sources; if the process API is invoked to terminate an application; if the process API is invoked

47、to export contact information to a specific location; Rec. ITU-T X.1126 (03/2017) 5 if the behaviour of the reading secure digital (SD) (memory) card or the subscriber identity module (SIM) card is abnormal; if there is an exchange of data with known malicious uniform resource locators (URLs); if th

48、ere is a service subscription short message service (SMS) not requested by the subscriber; If there are some instructions to control the mobile terminal remotely. Dynamic analysis: The approach runs and monitors suspicious mobile malicious software in a controlled (and even virtualized) environment

49、(such as sandboxes). The following are some typical detection policies. a) Botnet communication: i) Description: The bot has to report its existence to a command and control (C samples of Apps containing known malicious software; samples of new malicious software; list of malicious controllers. The above information is vital for operators to take appropriate measures in the processes described in clauses 8 and 9. 8 Governing In the governing process, discovery process ou