
US-20260129615-A1 - SYSTEM AND METHOD FOR DETECTING LOCATION ANOMALIES OF MOBILE DEVICES


Abstract

Aspects of the subject disclosure may include, for example, a device, having a processing system including a processor; and a memory that stores executable instructions that, when executed by the processing system, facilitate performance of operations of: generating a hash table of keys from identifiers for mobile devices in a communications network; filtering records of signaling events received from the communications network; sorting the records of signaling events to generate a time sequence of records for each key; determining a trajectory for each key in the time sequence of records; and generating an alert responsive to discovering a location anomaly in the trajectory. Other embodiments are disclosed.

Inventors

  • Yaron Koral
  • Ashima Mangla
  • Feng Wang

Assignees

  • AT&T INTELLECTUAL PROPERTY I, L.P.

Dates

  • Publication Date: 20260507
  • Application Date: 20260106

Claims (20)

  1. A device, comprising: a processing system including a processor; and a memory that stores executable instructions that, when executed by the processing system, facilitate performance of operations, the operations comprising: filtering and sorting records of signaling events received from a communications network to generate a time sequence of the records for each key of a hash table of keys from International Mobile Equipment Identifiers (IMEIs) for mobile devices; determining a trajectory for each key in the time sequence of the records; calculating a speed of a mobile device from the trajectory, wherein the mobile device is associated with a respective key; and generating an alert responsive to discovering a location anomaly in the trajectory, wherein the alert is based on the speed exceeding a threshold.
  2. The device of claim 1, wherein the trajectory is determined from real time difference measurements.
  3. The device of claim 2, wherein a distance between two adjacent points in the trajectory are determined using a haversine formula.
  4. The device of claim 1, wherein a first number of IMEIs exceeds ten million.
  5. The device of claim 4, wherein a second number of the records exceeds 100 million and wherein the operations are performed in about two hours.
  6. The device of claim 5, wherein the signaling events comprise a handover event, a tracking area update, a service request, or a combination thereof.
  7. The device of claim 6, wherein the operations further comprise eliminating false positives from the alert.
  8. The device of claim 7, wherein eliminating the false positives comprises checking that a first distance between a mobile device and a cell tower identified in the signaling events is below a first threshold.
  9. The device of claim 8, wherein eliminating the false positives comprises checking that a second distance between two adjacent points in the trajectory is above a second threshold.
  10. The device of claim 9, wherein the first threshold and the second threshold are determined by machine learning.
  11. The device of claim 10, wherein the processing system comprises a plurality of processors operating in a distributed computing environment.
  12. A non-transitory machine-readable medium, comprising executable instructions that, when executed by a processing system including a processor, facilitate performance of operations, the operations comprising: generating a time sequence of records associated with each key of a hash table of keys from International Mobile Equipment Identifiers (IMEIs) for mobile device from records of signaling events in a communications network; determining a trajectory for each key in the time sequence of the records; calculating a speed of a mobile device associated with a respective key; and generating an alert responsive to discovering a location anomaly, wherein the alert is based on the speed exceeding a threshold.
  13. The non-transitory machine-readable medium of claim 12, wherein the operations further comprise determining points in the trajectory from real time difference measurements, wherein a distance between two adjacent points in the trajectory are determined using a haversine formula.
  14. The non-transitory machine-readable medium of claim 12, wherein a first number of IMEIs exceeds ten million.
  15. The non-transitory machine-readable medium of claim 12, wherein a second number of the records exceeds 100 million and wherein the operations are performed in about two hours.
  16. The non-transitory machine-readable medium of claim 12, wherein signaling events associated with the records comprise a handover event, a tracking area update, a service request, or a combination thereof.
  17. The non-transitory machine-readable medium of claim 16, wherein the operations further comprise eliminating false positives from the alert, wherein eliminating the false positives comprise checking that a first distance between the mobile device and a cell tower identified in the signaling events is below a first threshold and checking that a second distance between two adjacent points in the trajectory is above a second threshold, wherein the first threshold and the second threshold are determined by machine learning.
  18. The non-transitory machine-readable medium of claim 17, wherein the processing system comprises a plurality of processors operating in a distributed computing environment.
  19. A method, comprising: generating, by a processing system comprising a processor, a time sequence of records associated with each key of a hash table of keys from International Mobile Equipment Identifiers (IMEIs) for mobile devices from records of signaling events in a communications network; determining, by the processing system, a trajectory for a mobile device associated with each key in the time sequence of the records; calculating, by the processing system, a speed of the mobile device based on the trajectory; and generating, by the processing system, an alert responsive to discovering a location anomaly in the trajectory, wherein the alert is based on the speed exceeding a threshold.
  20. The method of claim 19, wherein the signaling events associated with the records comprise a handover event, a tracking area update, a service request, or a combination thereof.
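
The detection pipeline of claims 1, 3, 6, 8 and 9, as an added Python example (not code from the patent or its assignee). It assumes each record already carries an estimated device position and the serving tower's position; the field names, the event label `detach`, the three threshold values and the `IMEI-*` placeholders are constructed for illustration.

```python
import math
from collections import defaultdict

EVENTS = {"handover", "tracking_area_update", "service_request"}  # claim 6
# Assumed values: the claims fix no numbers and say the distance thresholds are learned.
MAX_KMH, MAX_TOWER_KM, MIN_JUMP_KM = 300.0, 10.0, 50.0

def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance in km between two lat/lon points (claim 3)."""
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dlam = math.radians(lon2 - lon1)
    a = math.sin((p2 - p1) / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dlam / 2) ** 2
    return 2 * 6371.0 * math.asin(math.sqrt(a))

def tower_km(r):
    return haversine_km(r["lat"], r["lon"], r["tower_lat"], r["tower_lon"])

def detect_anomalies(records):
    by_imei = defaultdict(list)                  # hash table keyed by IMEI
    for r in records:
        if r["event"] in EVENTS:                 # filter signaling events
            by_imei[r["imei"]].append(r)
    alerts = []
    for imei, recs in by_imei.items():
        recs.sort(key=lambda r: r["ts"])         # time sequence per key
        for prev, cur in zip(recs, recs[1:]):    # adjacent trajectory points
            hours = (cur["ts"] - prev["ts"]) / 3600.0
            if hours <= 0:
                continue                         # same timestamp: speed undefined
            km = haversine_km(prev["lat"], prev["lon"], cur["lat"], cur["lon"])
            if km / hours <= MAX_KMH:
                continue
            # False-positive elimination (claims 8, 9): fixes near their tower, jump above noise.
            if max(tower_km(prev), tower_km(cur)) < MAX_TOWER_KM and km > MIN_JUMP_KM:
                alerts.append({"imei": imei, "ts": cur["ts"], "km": round(km, 1)})
    return alerts

# Constructed sample records (not real data); "IMEI-A" etc. are placeholders.
FIELDS = ("imei", "ts", "event", "lat", "lon", "tower_lat", "tower_lon")
SAMPLE = [dict(zip(FIELDS, row)) for row in [
    ("IMEI-A", 0, "handover", 40.71, -74.00, 40.72, -74.01),
    ("IMEI-A", 300, "detach", 34.05, -118.24, 34.06, -118.25),   # filtered out
    ("IMEI-A", 600, "service_request", 40.75, -73.98, 40.74, -73.99),
    ("IMEI-B", 600, "service_request", 34.05, -118.24, 34.06, -118.25),
    ("IMEI-B", 0, "tracking_area_update", 40.71, -74.00, 40.72, -74.01),
    ("IMEI-C", 0, "handover", 41.88, -87.63, 41.88, -87.64),
    ("IMEI-C", 5, "handover", 41.90, -87.63, 41.90, -87.64),     # 2 km jitter
]]
```

`detect_anomalies(SAMPLE)` flags only IMEI-B: IMEI-A's distant record is dropped by the event filter, and IMEI-C's over-threshold speed is suppressed because the 2 km hop is below the assumed minimum jump distance.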

Description

CROSS REFERENCE TO RELATED APPLICATIONS

This application is a continuation of U.S. patent application Ser. No. 18/193,759 filed on Mar. 31, 2023. All sections of the aforementioned application are incorporated by reference herein in their entirety.

FIELD OF THE DISCLOSURE

The subject disclosure relates to a system and method for detecting location anomalies of mobile devices.

BACKGROUND

As one of the most critical and widely used Internet of Things (IoT) devices, connected cars are a favorite target of adversarial attacks by attackers, such as hijacking attacks and spoofing attacks. Deploying logic countermeasures may not be possible over all mobile devices.

BRIEF DESCRIPTION OF THE DRAWINGS

Reference will now be made to the accompanying drawings, which are not necessarily drawn to scale, and wherein:

FIG. 1 is a block diagram illustrating an exemplary, non-limiting embodiment of a communications network in accordance with various aspects described herein.

FIG. 2A is a block diagram illustrating an example, non-limiting embodiment of a system for detecting location anomalies functioning within the communication network of FIG. 1 in accordance with various aspects described herein.

FIG. 2B is a block diagram illustrating an example, non-limiting embodiment of components of a system for detecting location anomalies in accordance with various aspects described herein.

FIG. 2C is a block diagram illustrating an example, non-limiting embodiment of trajectory reconstruction of a mobile device in accordance with various aspects described herein.

FIG. 2D is a block diagram illustrating an example, non-limiting embodiment of an idle state of a mobile device in accordance with various aspects described herein.

FIG. 2E is a block diagram illustrating an example, non-limiting embodiment of a mobile device creating a distant event in accordance with various aspects described herein.

FIG. 2F depicts an illustrative embodiment of a method in accordance with various aspects described herein.

FIG. 3 is a block diagram illustrating an example, non-limiting embodiment of a virtualized communication network in accordance with various aspects described herein.

FIG. 4 is a block diagram of an example, non-limiting embodiment of a computing environment in accordance with various aspects described herein.

FIG. 5 is a block diagram of an example, non-limiting embodiment of a mobile network platform in accordance with various aspects described herein.

FIG. 6 is a block diagram of an example, non-limiting embodiment of a communication device in accordance with various aspects described herein.

DETAILED DESCRIPTION

The subject disclosure describes, among other things, illustrative embodiments for a system and method for detecting location abnormalities of mobile devices. A wireless carrier may monitor Radio Access Network (RAN) events to identify location anomalies. A location anomaly usually indicates that an adversarial entity (attacker) located away from the mobile device hijacked the mobile device's network identifiers. Disclosed are a system and method that detects location anomalies from RAN-event-based location information. The main challenge is overcoming the vast amount of event data generated by tens of millions of cars (i.e., vehicles, connected cars or mobile devices, as interchangeably used herein) simultaneously and using an approximate location rather than an accurate location. Identifying these anomalies is a valuable asset for car vendors to secure their cars. Other embodiments are described in the subject disclosure.
One or more aspects of the subject disclosure include a device, having a processing system including a processor; and a memory that stores executable instructions that, when executed by the processing system, facilitate performance of operations of: generating a hash table of keys from International Mobile Equipment Identifiers (IMEIs) for mobile devices in a communications network; filtering records of signaling events received from the communications network; sorting the records of signaling events to generate a time sequence of records for each key; determining a trajectory for each key in the time sequence of records; and generating an alert responsive to discovering a location anomaly in the trajectory.

One or more aspects of the subject disclosure include a non-transitory machine-readable medium, including executable instructions that, when executed by a processing system including a processor, facilitate performance of operations of: generating a hash table of keys from International Mobile Equipment Identifiers (IMEIs) for mobile devices in a communications network; filtering records of signaling events received from the communications network; generating a time sequence of records associated with each key in the hash table; determining a trajectory for each key in the time sequence of records; and generating an alert responsive to discovering a location anomaly in the trajectory.

One or more asp