FI118709B - Method for monitoring the function of a radio network terminal, an intelligent card for the terminal and an intrusion blocking system - Google Patents

Description

118709

Method for monitoring radio network terminal equipment, smart card for terminal equipment and intrusion prevention system

FIELD OF THE INVENTION The invention relates generally to telecommunication security and in particular to mobile network security, smart cards and intrusion prevention systems.

Background Art 10 Different types of security mechanisms have been developed for telecommunications. One such security mechanism is VPN or Virtual Private Network. VPN is a solution implemented with software, hardware, or a combination of these, enabling secure connections over insecure networks such as the Internet.

Another known security mechanism is a firewall. Firewalls are systems, either software or hardware, that protect an intranet against attacks from outside the intranet. An intranet is, for example, a corporate LAN. A prerequisite for firewall operation is that all network traffic between an internal and external network, such as the Internet, passes through it 20 and that only acceptable network traffic is allowed through the firewall. I do.

• · * * · | · * Antivirus is a protection mechanism against viruses and other malicious software. Anti-virus software scans the contents and features of data and program files to detect malware. The network-level virus IXl 25 anti-virus scan examines network traffic, especially e-mails and their attachments. "*: * Files. Contaminated attachments are removed to prevent damage to the user's: ***: computer.

· · ·

The invention relates in particular to a protection mechanism which:. is called IDS (Intrusion Detection System). The purpose of IDS, or intrusion • · "1/30 detection system is to detect possible intrusions **: * 'attempts at a telecommunications network and act according to predefined instructions. If an intrusion is detected quickly enough, an attacker can:] *]: recognizes and removes instantly from the network The principle is that the earlier an ··· attack is detected, the less damage it will cause • A functioning intrusion detection system can also act as a deterrent, so IDS resembles a firewall. - 2 118709 This information can be used to develop better intrusion prevention techniques.

Intrusion detection is based on the assumption that an intruder's procedure is somehow different from normal. The IDS includes a database storing at least one routine of a normal user and / or a procedure performed by intruders. The actions initiated by the system user are compared with the actions stored in the database and the comparison determines whether the user is an intruder or a normal user.

10 IDS implementations can be classified into the following groups: machine-level intrusion detection systems, referred to as HIDS; network-level detection systems using the acronym NIDS; and IDSs that detect unusual events.

The operation of HIDS implementations focuses on a "machine" or, more specifically, a computer with a specific operating system, which requires the installation of an application, or "agent", on the computer.

N IDS implementations monitor network traffic, so they can also be called network listening programs. NIDS intercepts 20 messages from network traffic and compares the intercepted messages with traces / patterns that occur with known attack techniques. NIDS is usually implemented as a device, * ;; ** that is connected to a monitored network.

• · "; ** [IDSs that detect unusual events are still very theoretical so far. They can, for example, collect data about the times when each user logs into the system, and gives an alert if the user logs on to the system. IDS rigid systems and their algorithms are discussed, for example, in Balajinath B, Raghavan SV ;:. "Intrusion detection through learning behavior model", Computer Com- ** ··! 30 munications, Vol 24, No. 12, July 15, 2001, pages 1202-1212, and in Bou- • * * * kerche A, Annoni Notare M S M; Behavioral Based Intrusion Detection in • · ·: V Mobile Phone Systems, Journal of Parallel and Distributed Computing, Vol O 62, No. 9, 2002, pages 1476-1490.

. ···. IPS stands for Intrusion Prevention System. "[· 35" Intrusion Prevention System ". Intrusion prevention can be understood as comprehensive security, • including, in principle, every possible means of preventing intrusions. In most cases, however, an intrusion prevention system is understood to be an advanced version of the IDS (Intrusion Detection System) described above. Typically, IDS only warns of an intrusion attempt. Instead, IPS is more active as it also prevents an intruder from gaining access and possibly eliminates malicious software used by the intruder.

Anti-virus has recently begun to pay attention to the security features of mobile terminals. The terminals have evolved so that in addition to making calls, they can be used in many types of communication. Modern mobile stations or similar terminals are small computers that can run programs. Most of these programs are so called. firmware installed by the terminal manufacturer on its terminal equipment. However, some of the programs are games or other programs that the user has later installed on their terminal. In the past, when mobile phones could only send and receive text messages, security was easier to secure than today. From a data processing point of view, text messages are data files. While data files are by no means harmless, program files are far more dangerous than data files. A particular risk may be the downloading of games which appear to be malicious software from the Internet to terminals.

Malware may be harmful to the user of the terminal and / or the network operator. Malicious software may send messages or call pu '; **! sounds without the user's knowledge. Messages sent and calls made may incur financial costs to the user. The operator of the network is responsible for: 25 the availability of the network and the services used over the network.

Service denial-of-service attacks that have become familiar from the Internet are in principle also possible in mobile networks.

F-Secure is a company providing a service to improve the security of modern terminal equipment. In this service, you install * · · ·. · * · On the terminal. The 30 antivirus software is updated with SMS (Short Message * '· [Service). The service is intended for terminals with Symbia operating system supported by major: V mobile manufacturers. Terminal antivirus software enhances the security of their mobile users,, ···. whose terminals have that software installed. However, there may be a large number of users in the network of the network operator 35, whose terminals lack antivirus software, * 4,111,709, whereby viruses infiltrate the network via these unprotected terminals.

A disadvantage of the prior art is that in all or almost all public telecommunications networks, the control of the use and security of the terminal equipment 5 is the responsibility of the users of the terminal equipment. Users are unwilling or unable to provide security applications for their terminals. Another disadvantage is that network operators lack effective intrusion prevention systems. For this reason, network operators cannot significantly improve the security of their telecommunication networks, even though they would like to.

10

BRIEF SUMMARY OF THE INVENTION

The invention relates to intrusion prevention systems, but it also exhibits features of firewalls and virus protection.

The invention advantageously utilizes a smart card of a terminal device such as a pre-15 SIM card. The smart card includes a processor and protected memory so it can store and run applications. Due to the protected memory, it is almost impossible to interfere with smart card applications.

The invention includes a method for monitoring the operation of a radio network terminal, an intrusion prevention system for a smart card terminal and radio networks.

The method is for monitoring the operation of a terminal, wherein the terminal comprises a processor, memory, display, user interface, smart card and a communication part capable of communicating at least with a radio network *. Initially, a given trigger (s) triggers: 25 applications placed on the terminal. Then, the application performs at least one test, which * looks for a character (s) for malfunctioning of the terminal. Test si -: * [*: Contains at least one of the following logical comparisons: - Comparison of data streams transmitted through different interfaces of the processor, where the processor has a smartcard interface, · · ». 30, the display, the user interface and the communication part, - a comparison of the data stream transmitted through at least one interface of the processor with the status information associated with the communication part, the status information being stored in memory.

. ***. If the test performed produces a result indicating a malfunction of the communication part, then a predetermined set of actions is performed, which includes at least one action.

5, 118709

An application performing the above method steps is located entirely on the smart card or in the memory of the terminal or in part on the smart card and partly in the memory of the terminal.

The smart card according to the invention is a smart card adapted to carry out the method steps.

The intrusion prevention system for radio networks comprises at least one server and smart card terminals operating in the radio network. The intrusion prevention system, by means of a terminal smart card, performs at least one terminal operation test, which produces the test result. The system then records the test result in the report, delivers the report to the server over the network, and judges from the report whether the terminal in question has been intruded on the network.

BRIEF DESCRIPTION OF THE DRAWINGS In the following, the invention will be described in more detail with reference to the following schematic diagrams, of which Figure 1 illustrates terminal components and terminal processor interfaces, Figure 2 illustrates key steps in the method, Figure 3 shows bus, buffer, and variable reading, ... Figure 5 shows a comparison of the data stream transmitted through at least one interface of the processor and the status of the communication section: Figure 6 shows a comparison of the data received through the user interface. a comparison of the operation of the user inputs and the communication section, Figure 7 shows a comparison of the information content of the display and the operation of the communication section, Figure 8 shows an intrusion prevention system according to the invention, ··· ·. * · *. Figure 9 shows the connections of the IPS server to databases and to registries and systems supporting the intrusion prevention system.

«« T • P «·

DETAILED DESCRIPTION OF THE INVENTION: ***; The purpose of this method is to prevent malicious software from working. The method searches for a sign of the presence of malware on the terminal by means of a test. For example, the test might check the following two things. 1) Has a user of λ 118709 6 pressed a specific key on the terminal to make a call? 2) Does the terminal dial a number? If a terminal dials a number even though the user has not pressed said key, the terminal will operate in a conflicting manner. The test reveals this contradiction, which is 5 signs of malware. The test described above is only one of the possible tests that can be performed by the method.

The following is an imaginary example of a terminal configuration.

FIG. 1 shows parts of the terminal and interfaces of the processor 10 of the terminal. The terminal 101 includes at least the following components: a communication section 102, a processor 103, a memory 104, a smart card 105, a display 106, and a user interface 107. The communication section 102 includes at least a radio section 108 through which the terminal 101 may communicate with the cellular network or other radio network. The radio part may be, for example, a radio part of the GSM (Global System for 15 Mobile Communication) standard or a part of the 3G network defined by the 3GPP (3rd Generation Partnership Project). The terminal may also include multiple radio components for different network standards. The communications portion may further include other portions such as WLAN portion 109 for communicating with a WLAN (Wireless Local Area Network) 20, Bluetooth using Bluetooth technology, portion 110, and Firewire portion 111, i.e., IEEE 1394 or later " Instead of the Bluetooth part 110, the communication part 102 may include, for example, an infrared communication part and / or ** [The Firewire part 111 may include, for example: 25 USB technology ( Universal Serial Bus), which may include other components in addition to or instead of the above:) *]: such as a modem, ISDN card or adapter (Integrated Services Digital

Network) or an ADLS card or adapter (Asymmetric Digital Subscriber •; ·: Line). The central processing unit (CPU) 103 and the memory 104 are. ***. 30 necessary for the operation of the terminal 101. The type of memory is not relevant to the invention. In addition to the memory that is • permanently attached to the terminal, the terminal may include a slot for inserting a ··· memory card. It is advantageous for the invention that the smart card 105 contains a filter. ***. a continuous memory 112 and a processor or CPU 113, whereby it is capable of executing ..II: 35 programs independently of the processor 102 and the memory 104 of the terminal 101.

• ·

The protected memory 112 allows the network operator to block access to the smart card 105 by third parties. Generally, only the network operator can write to or read the protected memory or execute programs in the protected memory. The display 106 is comprised of a plurality of components, of which the graphics card is the most interesting 114, because it conveys information on the display.

The user interface 107 refers to the means by which the user of the terminal 101 can provide inputs. Keyboard 115 is one such device. In addition to the keyboard 115, the user interface may include a joystick 116. The touch sensitive surface 117 makes it possible to implement all or part of the keyboard. It is also possible to implement the touch-sensitive surface so that it can receive inputs from a stylus. Of the parts 102-107 of the terminal 101, the processor 103 is functionally very central as it has interfaces 118-122 with all other parts 102 and 104-107.

The method steps are performed in the terminal, more specifically in the smart card and / or processor of the terminal. Using a smart card is recommended, 15 but the method works without a smart card if necessary. In an intrusion prevention system, each smart card installed in the terminal is a network-backed "bridgehead", which allows the network operator to effectively control the data entering the network and prevent network abuse.

FIGURE 2 illustrates the main steps of the method. The radio terminal 20 includes at least a processor, memory, display, user interface, intelligent. . ·. card and telecommunication part. The terminal processor has interfaces with the smart card, • · · memory, display, user interface and communication part. At first, start-up *; **! An application is placed on the 201 terminals. The application performs at least one test of * · · / / 202. The test looks for a character (s) of malfunctioning of a terminal: · **: 25 doing at least one of the following comparisons: (a) comparing data streams transmitted through different processor interfaces, where the processor has an interface with smart card, memory, display, user interface and communications; b) comparing at least one processor interface: the data stream transmitted through and the status information associated with the communication part. The content and data type of the status information may vary. The status information may be »··, for example, a boolean value indicating whether the communication part of the terminal is active or not. The communication part status information is typically that of the terminal: ···: stored in the operating system memory. Based on Figure 1, it is stated · · *: that the first data stream to be considered can be selected from five interfaces ·· ♦ 35 118-122, followed by the second data stream to be selected from four (remaining interface) data streams. , which indicates the invalid operation of the terminal 203, the application executes a predefined set of actions 204. This set of actions may include at least one of the following actions: Test Reporting over the Radio Network, Blocking Communication Section 5, Interrupting Program Unauthorized Use of Communication Section Thus, the test is performed by an application hosted on the terminal device, and one of the following triggers may trigger the application: terminal activation, timer trip, communication between the terminal and the radio network for example, a user input received through a user interface 10, a program being downloaded to memory, or an alarm received via a radio network.

For the method, it is necessary that the data stream of at least one interface of the processor be readable. In addition to the data stream (s), the status information of the communication part of the terminal can be read.

FIG. 3 shows a bus, buffer, and variable reading. The figure includes a smart card 301 and its parts: protected memory 302 and a processor 303. The figure further includes a processor 304 and a bus 305 connecting the processor to the smart card and a memory 306. The memory 306 includes a variable 307 and a buffer 308 receiving three messages 309. labeled ai-20 only memory-processor interface 310, other interfaces shown in Figure 1. One option from which the method executing application can read data streams of one or more processor interfaces is the · · * "· * bus 305 to which the smart card The bus 305 is connected, for example, the bus 305 is a bus conforming to the standards GSM 11.11, GSM 11.14, ISO 7810 and / or ISO 7814, whereby the smart card or the application embedded in the smart card receives via bus 305, for example, whether the communication part of the terminal is in use or free? The hosted application receives information via the bus, for example, whether the terminal display is enabled or idle? Typically, bus 305 only connects. ···. 30 smart cards and processors. However, the invention is not limited to such a bus implementation, but the bus could also connect the smart card to other parts of the terminal: V, such as the display and the user interface. Thus, the smart card is able to read data from the bus between the smart card and the terminal operating system. ···. communication. This communication may be in accordance with a standard such as GSM 11.11, GSM 11.14, ISO 7810 or ISO 7814. Additionally, or • · alternatively, the smart card can read messages from the bus that have not been sent to the smart card. In this case, it can be said that the smart card captures messages from the bus or that the smart card records the bus data stream. Through the bus, the smart card can read the contents of memory 306. Another option from which an application executing the method steps can read data streams of one or more interfaces of the processor is buffer 5 or a set of buffers. The application then reads the data stream (s) from at least one buffer 308 processed by the terminal operating system and stored in memory 306. Typically, the operating system has one buffer for each of its interfaces. The application needs to know where the memory 306 will be, and the operating system will retain the buffer 308. Similarly, the application must know the data type 309 of the information items / messages 309 of the buffer 10308. The application can read the buffer via bus 305. The status information of the communication part of the terminal is necessary information for certain tests. The application obtains this information from a set of variables containing at least one variable maintained by the operating system. The application can read the communication section status information via bus 305 from variable 307. 15 If any of the above GSM or ISO standards is available, the application can read the communication section status information from the received message in which the terminal operating system has inserted a value for variable 307. The implementation of the application will be facilitated if it is sufficient for the application to master one standard and obtain, through the standard messaging 20, all the information it needs to perform the test (s). One. however, mastering the standard may not be enough. For some tests · · *; "* information may be required which is not available through any standard.

♦ I

'; *) The user must know certain details of the terminal operating system.

:. '* i Such details include, in particular, the location of variables and buffers in memory and their data types. Symbia is an operating system developed by Nokia and some other mobile manufacturers. Symbia is used in many different types of:: *** brands and types of terminals. Microsoft has also developed a widely used operating system for mobile devices. Generally speaking, it can be said that the implementation of the application is one of the following: the application is deployed. ···. 30, the application is completely stored on the memory 306, [·] the application is partially located on the smart card 301 and partly on the memory 306. In this case, the application V is meant by its program code and / or memory areas.

* · ·

If the application program code is at least partially placed ♦. ***. device memory, it may be integrated as part of the terminal operating system. Again, the application operates in accordance with the method steps shown in Figure 2.

10 118709

The application may have been placed on the terminal / smart card already after the terminal / smart card has been manufactured. However, it is possible that at least part of the application will be transferred to the terminal / smart card only later. This transfer is most convenient to accomplish via a radio network.

The following four figures illustrate how the method step 202, i.e. the test, of Figure 2 is performed. The performance depends firstly on whether the information needed for the test is read from the bus, buffer or variable? The different reading methods were explained above in Figure 3. Secondly, the execution of method step 202 depends on which of the comparisons a) or 10 b) mentioned in Figure 2? FIGURE 4 illustrates a comparison of da streams transmitted through different processor interfaces. When the test performed by the application includes comparison a), the method performs the following sub-steps: reading 401 data streams of different processor interfaces, comparing 402 data streams, and 403 indicating an inoperative result of the communication portion 403 when the data contents of the read data streams differ. For example, the application provides an invalid activity result when the terminal user has selected a person's "X" phone number from a list of names on the smart card, but the telecommunication portion of the terminal establishes a connection to a non-personal 'X' phone number. In this case, a different telephone number is transmitted over the interface between the terminal processor and the user interface than the telephone number transmitted over the interface between the processor and the communication part.

* · * ···] When an application reads data streams from said interfaces, it detects that the phone numbers are different.

In addition or alternatively, process step 202 may be performed as shown in the following figure.

FIG. 5 shows a comparison of the status information of the data stream transmitted through at least one interface of the processor and the communication part. When the application test includes comparison b), the method performs "* · '30 the following sub-steps: reading data stream of at least one interface of processor 501, reading status information of communication section 502, comparing data stream (s) of read data: the data contents of the telecommunication part status information ··· with each other and the data contents 504 giving the result 505 indicating the invalid activity of the telecommunication ·· * part Figures 6 and 7 explain what !!!: 35 means that the data content is inconsistent .

• · 11 118709

Further or alternatively, process step 202 may be performed as shown in the following figure.

FIG. 6 illustrates a comparison of the user inputs received through the user interface and the operation of the telecommunication part, i.e., the performance of the comparison b).

5 The performance of the sub-steps of the method is described from the perspective of the application. The application recognizes 601 a set of commands that is provided through the user interface of the master device and includes at least one command. Many mobile models have a special key that is pressed to establish a voice connection. For example, the key may have a green symbol representing the telephone headset. Thus, during sub-step 601 execution, the application may detect whether or not a key with a green telephone headset has been pressed. If, on the other hand, the command set consists of multiple commands, one may think that several messages / signals related to particular keystrokes must be recognized from the data stream. The application then checks 602, is the command set tar-15 intended to activate the communication part of the terminal? In the absence of a command set among these normal command sets activating the communication part of the terminal, the application next checks 603, is the communication part activated? If the user component command set does not activate the communications component, it is likely that a communications component has been activated by some malware. 20 When a telecommunication part is activated, it is currently active or activated,. if activation is not prevented. The communication part may be thought to be active, for example, when a call is in progress. The communication part becomes * ··· * active when a voice connection is to be established from the terminal or when a text message is to be transmitted from the terminal. The application may execute • ·; 25 guarantees sub-step 603, for example, by reading the value of a given boolean variable.

*: * When the telecommunication part is activated, the application will provide 604 indiscriminate results. If the command set via the user interface is included in the command set activating the communication part of the terminal 602:. the application checks 605 whether the operation of the communication part conforms to any of the communication] ··· '30 activating command set? If the operation of the communications section • · * "differs from the operation of the commands activating the communication section, the application ·· ·: V will output 606 another type of invalid activity result. For example, ··· when the terminal sends an extra SMS to its SMS in addition, the user wants to send.

• · 12 118709

Further or alternatively, process step 202 may be performed as shown in the following figure.

FIG. 7 shows a comparison of the information content of the display and the operation of the communication part, i.e., the performance of the comparison b). The information content 5 is made up of various symbols, of which symbols related specifically to telecommunications are of interest to the method. For example, the text "Calling" displayed on the terminal screen is such a symbol, as well as a figure representing a telephone handset. The following describes the sub-steps of the method from an application point of view. The application recognizes the symbol set 701 In the absence of the above symbol, the application checks 703 whether the communication part is activated? The communication part is considered to be activated when it is currently active or if it is not blocked 15 If the communication part is activated, there is reason to suspect that has been executed by a malicious program, in which case the application returns a result indicating improper operation of the terminal 704. If, instead, a symbol indicating the activity of the communication part appears on the display 702, the application checks 705 for the operation of the telecommunication section corresponds to the activity to which the symbol of the telecommunication section ak-20 is logically connected? For example, the "Calling" symbol is logically associated with the terminal being called. This symbol is not associated with, for example, sending a text message. If the operation of the communication component • · * ”·] differs from the symbolic function, the application provides 706 other V * indicative result.

T: 25 The smart card according to the invention is adapted to carry out the steps of the method described above. The smart card is intended for a terminal operating in a telecommunications network. The telecommunications network may be, for example, a radio network, a mobile network or a fixed network. The smart card is assumed to be located:; *. a terminal comprising a processor, memory, display, user interface, smart card, and communication part. The terminal may be, for example, a mobile station or a · computer whose communications component connects the terminal to the Internet.

: V The smart card 301 shown in Figure 3 is adapted to perform a test on the ··· device for a sign of malfunctioning of the terminal. ·· *. using at least one of the following comparisons: a) comparing data streams transmitted through different processor interfaces. !!!: 35, wherein the processor has an interface with a smart card, memory, display, user interface and communication part 13 118709; or b) at least one processor data stream; comparing the status information related to the communication part, the status information being stored in the memory. When the test is performed, the resultant smart card 301 indicative of a communication unit malfunctioning is adapted to perform a predetermined set of operations including at least one operation.

Figure 4-7 illustrates in more detail the operations that the smart card 301 is adapted to perform.

A smart card is best suited for mobile devices because they typically have a specific key that is used to make a call. Likewise, sending text messages 10 and MMS (Multimedia Messaging Service) messages is executed after a certain or certain key commands. For this reason, it is relatively easy to test the smart card to see if the communication part is malfunctioning.

For computers, testing according to Figure 6 is more difficult because they generally do not have any particular key that activates the communication component. For computers, testing according to Figure 7 is also difficult because of the variety of communication software and the graphical user interfaces containing a plurality of different symbols, the representation of which represents the activity of the communication component. Testing the functionality of the telecommunication part is easier and more reliable if the user is expected to confirm his willingness each time with a particular set of commands. uses the communication part. For example, a command set may consist of • • · · * ;; · * three consecutive presses of the Ctrl key. The smart card 301 then reads 501 the data stream of the computer interface, i.e. the keyboard and the processor interface. In addition, the smart card reads the communication information of the 502 computer's communication part, such as • J S 25 modem. The smart card then compares the data content of the 503 data stream and status information *: ·. If the data contents are conflicting 504, that is, the data stream does not contain «« * «three consecutive presses of the Ctrl key, and yet ··· the modem is in use, the smart card will provide 505 inappropriate activity. result.

As shown in Figure 2, the smart card 301 is capable of performing tests *: * containing a) or b). There are many different types of such tests. Intellig- M · • *.! the card may further be adapted to perform other types of tests. For this' · [[: for this reason, the smart card is adapted to receive at least one communication test. · ». via a secure connection to the network.

FIG. 8 illustrates an intrusion prevention system according to the invention. Said system comprises at least one server 801 as well as radio terminals operating on radio 808807 network 802 with smart card terminals 803 and 804. The system is adapted to perform at least one terminal operation test which produces a test result. The system is further adapted to record test result 805 in terminal 803, to deliver report 805 over radio network 802 to server 801, and to determine on the basis of the report transmitted to server whether the 803 test in the system 803 may be performed. Thus, the system may be configured to perform a test on the terminal 803 for a sign of malfunctioning of the terminal using at least one of the comparisons a) or b) described in connection with FIG. Further, or alternatively, the system is adapted to perform, on the terminal 803, a test representative of another type, in which the terminal is searched for signs of malfunction by comparing the contents of the terminal's memory with the content considered to be valid. For example, the second type of test is as follows. The terminal 803 generates a file list of the programs contained in the terminal memory. Then, each file listing program is searched for in a list that contains certain programs included in the original software of the terminal. If the program you are looking for is missing from the list, then the test will give about 20 tons of activity indicating results. In addition or alternatively, the system is. adapted to perform, on the terminal 803, a test representative of the third type, • »« ** !; ' which looks for signs of invalid activity on a terminal by: ···: comparing the contents of the terminal's memory with what is considered to be inappropriate.

* ·

Typically, a third type of test is a viral test, where a terminal /: 25,803 memory is scanned for signs of virus / malware. In addition, or as a replacement, the system is adapted to perform a fourth type of terminal operation: ***: a representative test, the test result of which contains information about the operation of the terminal. Because viruses / malware often have a specific file name:. ·. mi, it may be useful for the fourth type test to take a file add-on ♦ · · [··. * 30 snapshot of the terminal programs and submit the file listing to T 801. The more advanced fourth type test gathers for example: V the following log information: a ) the terminal program that opened the communication: [[[: connection, b) the time when the communication was opened and c) the time when. ···, the communication ended. In this case, the log information is a test result, which is reported by a test of type 4 · · t "\ 35 in its report to server 801.

· · · · · · · · · · · · · · · · · · · · · · · · · · · · · · · · · · · · · · · · · · · · · · · · · · · · · The test to be performed may be a test according to the method described in Figures 2 and 4-7. Alternatively, the test may be a second, third, or fourth type of test mentioned above. There are several ways to implement the information content of the report 805. For example, the test may produce the following test result: "Terminal Operation is Normal." In addition to the test result, the report typically includes an identifier of the test that gave the test result, indicating which test was performed on the terminal. The report may contain many messages. In particular, a test result from a fourth type of test may contain a large amount of data, making the report more than one message. In practice, it makes sense to code the test results so that, for example, " matches a short code / string. The server 801 then judges based on the code di / string whether the terminal 803 has penetrated the radio network 802.

It can be assumed that the newly completed terminal includes some tests to investigate the operation of the terminal. Because a number of new malware may have been created after the completion of the terminal 20, tests installed on the terminal may not detect new malware. In this case, new malware may cause damage to the terminal and / or radio *: ··; online. As with fixed networks, it is also important for radio networks to develop terminal tests. When tests: 25 have been developed or completely new tests have been created, these tests must be delivered to the terminals. Therefore, an intrusion prevention system has been adapted to provide the test (s) from the server 801 to the terminal 803. The test delivered from the server may be the first and / or the only test of the terminal 803, or that test may replace an earlier test, or that test may »» · ·. * ·· 30 complement previous test (s) Terminals have make and model specific *** differences, so a specific malware may only cause damage to a specific brand and / or model terminal. Therefore, the intrusion prevention system may provide at least partially different tests for different terminals. 803 and 804. A test for a terminal 803 (or 804) Preferably, the ti is provided over a well-protected telecommunications connection. Good transmission protection means that the test cannot be destroyed or changed when it is sent from server 1β 1 1 8709 801 to terminal 803. Good transmission protection also means that the user of terminal 803 can be assured that the test has been sent from server 801. To ensure transmission protection, utilizes, for example, methods called PKI (Public Key Infrastructure) or 'Secure 5 SMS for SIM Application' (3GPP, TS 23.048). In addition to good transmission protection, it is important that the test delivered to the terminal 803 cannot be unduly removed or changed. The test should therefore have good operational protection. The smart card of the terminal 803 provides good operational protection. Due to the good operational protection, the smart card of the terminal 803 can be considered as a reliable bridge end station 10 for intrusion prevention system, which prevents intrusion attempts on the radio network 801. More specifically, the test blocking at least 15 of the programs, pausing or deleting the program that used the radio section improperly. The set of measures may have been included in the same program code package as the test. Thus, the terminal 803 receives from the server the program code executing the set of actions while receiving the test provided by the server 801. It is also possible that the server 801 provides the executable program code separately. broadcast to the terminal. If any firmware on the terminal 801 or;!, * Other program contains a security hole or otherwise malfunctions, that program may be replaced by a bugfix version.

Therefore, it is important that the intrusion prevention system continuously maintains the security of the terminals of the radio network 802. For this reason, the system is adapted to provide a program code packet from the server 801 via the radio network 802 to the terminal 803, the packet server 801, via radio network 802, at least partially different program code packets 806 and 807 for different radio network terminals 803 and 804, wherein program code packet 806 or 807 t contains [at least one of the following program codes: executing a particular test: code V, executing a particular set of operations code, or code that fixes a particular malicious terminal program, which is any program that runs on a terminal. *. * · \

35 As with the method of the invention and the smart card, · · In the case of an intrusion prevention system, one of the following exciters may trigger a test run on the terminal 803: starting the terminal, triggering the timer, establishing a communication between the terminal and downloading a program into the terminal's memory or an alarm received via a radio-5 network. The excitation received over the radio network is from server 801.

Intrusion Prevention System Server 801 may be referred to as an IPS server. Tests to test the operation of the terminal may have been stored in the memory of the IPS server. Preferably, the tests are arranged in a database 10 to enable the management of the tests. Access to the database requires a user interface to add tests to the database and possibly modify or delete tests. In addition, the user interface controls which tests are delivered to which terminal. The simplest version of the IPS server contains only a test database and a connection to the radio network. In order to ensure reliable and efficient operation of the IPS server, it preferably includes other connections as well.

FIG. 9 illustrates the connections of the IPS server to databases and registers and systems supporting the IPS system. For example, the IPS server 901 may be the server 801 shown in Figure 8. The radio network and terminals are omitted from Figure 9. However, it can be assumed that the IPS server 901 reads, ... tests from the test database 902, transmits the read tests over the radio network to the • · · III devices and receives reports from the terminals. IPS server 901 stores *; · *! These reports can be found in the Report Database 903. Reports can be used to draw • ♦ · * · ”conclusions about the operation of the radio network and terminals, and to obtain p! 25 cartridges for designing new tests. Reports sent by the terminals can be used to produce various types of status reports. Status alerts can be generated at regular intervals or when a certain threshold value (s) is reached. Some status reports are for operator's own use only. The status message can be sent, for example, to • · · ·. · * ·. 30 radios to the O&M center. It is also possible that some status reports are company-specific so that the status? - "· * web information relates to the terminals used by the particular company. In addition, or alternatively, appropriate content information may be sent to a security monitoring organization such as '' GERT Coordination Center" 35 (CERT / CC). One of the registers used in the Intrusion Prevention System is the Equipment Identity Register (EIR) 904. This equipment register 904 contains 18 1 1 8709 information about the vulnerability of the terminals, and different terminal brands and models have their own weaknesses, and EIF allows the exchange of information between different operators. operator) to identify a vulnerability in a terminal, Elisa may report it to the EIF, which will be communicated to other op-5 operators who are examining the content of the EIF. to update the EIR content as new viruses are discovered. Of the operator's own systems, billing system 905 in particular is a useful source of information for the intrusion prevention system. The billing system contains information describing calls and messages 10 such as the caller's number, the recipient's number and the cost of the call or message. The billing system 905 may be configured to send a message to the IPS server 901 when a certain amount of billing is reached. The message includes, for example, the billing amount and telephone number, and whether the said telephone number is a caller or recipient's telephone number. Since the billing system 905 assists the IPS server 901, it is conceivable that the intrusion prevention system also comprises a billing system. Thus, the billing amount is one example of a threshold at which the IPS server generates a status report. In addition to transmitting status information, the IPS server may take steps to protect the operation of the radio-20 network. In this case, one or more terminals may be. ... sets the blocking service on via the Home Location Register (HLR) «» · 906. In particular, the following blocking services are useful for the intrusion prevention system: blocking calls to a specific number, blocking the reception of messages and / or sending messages where the messages are SMS. or MMS (Multimedia ... T Messaging Service).

ί .., * ί An intrusion prevention system is configured to receive by the server 901 information affecting the operation of the system from at least one of the following:: * · exhaustive data sources: report sent by terminal 805, report database ··· ·. · * ·. 30,903, where the reports transmitted by the terminals are stored, a radio network counting / counting system 905, a radio network subscriber register 906, an EIR (Equipment Identity *): 904. In addition, the system is adapted to perform a) operations; determined by the data received; and / or (b) the operations determined by the data generated by the combining of received data; ··· 35; and / or (c) the operations performed by the received data or the data generated by the combination 19 1 1 8709 reach a predetermined threshold or thresholds. Here are some typical system actions.

The intrusion prevention system, if necessary, is adapted to store the report provided by the terminal by the IPS server 901 in the report-5 database 903 and to generate at least one status report based on the contents of the report database 903 on the IPS server. Further, the system may be configured to receive, on the IPS server, a message sent by billing system 905 in response to a predetermined billing amount being exceeded for at least one set of telephone numbers, and then generating at least one status message based on the content of said message. . For example, a set of numbers may include telephone numbers with a particular prefix. Further, the system may be configured to read from the IPS server 901 the terminal vulnerability information from the EIR 904 and apply to the terminal a set of actions based on these vulnerability information. In this case, for example, the IPS server starts a test on the terminal or delivers a new test to the terminal. Further, the system may be adapted to enable at least one blocking service by the IPS server through the radio network subscriber directory. The blocking service is one example of the fact that instead of or in addition to monitoring by means of tests, an IPS server 20 may trigger a set of actions that restrict the operation of one or more terminals. Typically, a set of actions restricts • »i! ** access from the terminal to the radio network.

The report 805 of the terminal 803 may act as a wake-up call to the intrusion prevention system, i.e. the server 801 will trigger a set of actions: 25 upon receipt of the report with specific contents 805. If at least some of the connections shown in Figure 9 are available on the server 801 databases,: ***: registers and systems, the trigger may be another report sent by the terminal, Generally speaking, the trigger is the data or combination of data obtained from a single report, report database 903, EIF 904, calc. ·· * .30 of the interrogation system 905 and / or the HLR 906. As a result of the excitation, the server 801 initiates a predetermined set of actions, some of the actions in this sequence may be performed by the terminal (s) and some in the HLR, for example.

; · **. The following two examples deal with excitations and sets of actions.

* · 20 1 1 8 7 0 9

In the first example, the IPS server reads from the EIR that a certain type of mobile device has a program that is a security risk. The IPS server then supplies a program code packet containing the set of measures to eliminate that program to the mobile stations concerned. Later, when a patch is available for 5 programs, the IPS server will deliver a patch to those mobile stations.

In another example, the IPS server receives a message from the billing system that a very large number of calls have been made to a particular telephone number within a short period of time. The message sent by the billing system also includes information about the mobile stations from which the calls have been made. In this case, the IPS server starts a test on those mobile stations, which takes a file list of the programs contained in the mobile stations. Lists of files end up with reports in a report database where their contents are examined. The study reveals that one particular game program can be found in all file lists. Later, further investigation reveals that this game program is malicious.

In addition to the above examples, there are a number of other ways obvious to those skilled in the art to utilize the intrusion prevention system of the invention. Based on the teachings of this application, those skilled in the art will be able to create variations of the method, method, smart card and intrusion prevention system of the invention. Variations of these • 1 · li; however, they may be considered within the scope of the invention.

• · *; **. 1 The method and the smart card can in principle be utilized in any • • communication network. The intrusion prevention system is intended for a radio network, which may be, for example, a GSM network or a General Packet Radio Service (GPRS), a Universal Mobile Telecommunications System (UMTS) or a Wireless Local Area Network (WLAN).

• · · · · 1 · · · · · · · · · · · · · · · · · · · ···

Claims (40)

21 1 18709 A method for monitoring terminal operation, said terminal comprising a processor, memory, display, user interface, smart card and communication section capable of communicating at least with radio network 5, characterized by launching an application located on the terminal, performing an using at least one of the following comparisons: comparing data streams transmitted through different processor interfaces, wherein the processor has an interface with a smart card, memory, display, user interface and communication section, - comparing status information of at least one processor data stream and communication section, - being stored in memory and performing a predetermined set of operations including at least one operation when the test performed produces a communication part a result indicating invalid activity. Method according to claim 1, characterized in that:. . ·. that the set of actions includes at least one of the actions: test-related * * · reporting via the radio network, blocking the communication section, interrupting the program that used the communication section incorrectly, deleting the program «« * / ". ... T that any of the following triggers an application embedded in the smart card: ϊ,., Ϊ booting the terminal, triggering the timer, establishing communication between the terminal and the radio network, through the user interface: receiving user input, downloading the program to the radio or ·· * *. ** ·. 30 retrieved excitation • · • t * „·. 4. The method of claim 1, characterized in that, in the test, the data streams / data streams are read from the bus to which the smart card is connected.: ** ' The method of claim 1 ä, characterized in that, in the test run, the data streams / data streams are read from at least one buffer stored in memory processed by the terminal operating system. 118709 22 6. A method according to claim 1, characterized in that, during the test, the status information of the communication part is obtained from a set of variables contained in at least one variable maintained by the operating system and stored in the memory. A method according to claim 1, characterized in that the embodiment of the application is one of the following: the application is completely on the smart card, the application is completely on the memory, the application is partly on the smart card and partly on the memory. A method according to claim 1, characterized in that at least part of the application is transmitted over the radio network to the terminal. A method according to claim 1, characterized in that, when the test includes the first comparison method, the following sub-steps are performed: reading data streams of different processor interfaces, comparing data streams and, when the data contents of data streams differ from each other. The method of claim 1, characterized in that, when the test includes the second method of comparison, the following sub-steps are performed: • * · reading data stream of at least one interface of the processor, • · *; : compares the data contents of the read data stream (s) and the telecommunication data: 25 data statuses are compared with each other, and in the case of conflicting data, a result indicating the invalid operation of the telecommunication part is given. A method according to claim 1, characterized in that the user input and the communication part obtained through the user interface; Comparison of activities shall comprise the following sub - steps:. 30 recognizing a set of commands, / * including at least one command, via a master interface; V checks whether the command set is intended to activate the communication part of the terminal and, in the absence of the command set, the terminal communication. * * ·. of the command section activating the component, 35 checks whether the communication section is activated and, in a positive case, 118709 23 provides a result indicative of invalid activity. Method according to claim 11, characterized in that when the command set provided through the user interface is included among the activating command sets of the communication part of the terminal, 5 the operation of the communication part is in accordance with a command activating the communication part and a result indicating another type of invalid activity is provided. about how the command set works. 13. A method according to claim 1, characterized in that the test comprises the steps implemented by an application embedded in the smart card: detecting a set of symbols displayed on the master display including at least one symbol, checking whether the symbol set contains a symbol intended to represent communication activity; whether the telecommunication part is active and when the telecommunication part is active, a result indicating invalid activity is given. A method according to claim 13, characterized in that, when said symbol is on the screen, it is checked whether the operation of the communication part corresponds to a command set activating the communication part and] · provides a result indicating another type of invalid activity, when: 25 operation of the communication part differs from the operation of the activating command of the communication part,. * · *.: a \ ": 15. A smart card for a communication network terminal, the terminal comprising a processor, · ·. * · *. 30, • · * / [characterized in that the smart card is adapted to carry out a test on the terminal for a sign of malfunctioning of the terminal using at least one of the following comparisons:. ·· *. - da transmitted via different processor interfaces comparisons of streams 35 where the processor has an interface with a smart card, memory, display, user interface, and communications section, 24.181709 - comparing data stream and status information associated with at least one interface of the processor, the status information being stored memory. and, when the test is performed, the smart card of the result indicating the invalid operation of the communication part 5 is adapted to perform a predetermined set of actions including at least one operation. The smart card according to claim 15, characterized in that the set of actions includes at least one of the actions: reporting the test 10 over the communication network, blocking the use of the communication part, interrupting the program that used the communication part improperly, deleting the program. A smart card according to claim 15, characterized in that any of the following triggers triggers a test run: terminal 15, timer trip, communication between the terminal and the communication network, user input received through the user interface, program downloading or a signal received through the communication network. The smart card according to claim 15, characterized in that, in the test, the smart card is adapted to read data streams / data streams from the bus to which the smart card is connected. The smart card according to claim 15, characterized by: *: **! that in the test, the smart card is adapted to read data streams / data streams • · · / *: from at least one buffer stored in memory by the operating system of the terminal. A smart card according to claim 15, characterized in that the communication section status information is available from a set of variables contained in the at least one variable maintained by the operating system and stored in the memory. ··· ·; ***. The smart card according to claim 15, characterized in that the smart card is adapted to read data flows of different processor interfaces and compare data streams and data contents of data streams. The smart card according to claim 15, characterized in that: M 35, the smart card is adapted to read data streams of at least one interface of the processor, 118709 25 to read the status information of the communication part and compare the information content of the read data stream (s) and the communication part status information. The smart card according to claim 15, characterized in that the smart card is adapted to recognize a command set including the at least one command via a master interface, to check whether the command set is intended to activate the communication part of the terminal, and to verify whether the communication part is activated. The smart card according to claim 15, characterized in that the smart card is adapted to identify a symbol set including at least one symbol on the display of the main device, to check whether the symbol set contains a symbol intended to represent the communication part activity and to check whether the communication part is active. A smart card according to claim 15, characterized in that the communication network is one of the networks: a radio network, a mobile network, a fixed network. . ·. A smart card according to claim 15, characterized in that the smart card is adapted to receive at least one test via a secure connection to the communication network. / / 27. Intrusion prevention system for radio network, il ·: ·: ί 25 characterized in that said system comprises at least one φ. * Γ server and smart network terminals operating in the radio network, the system being adapted to be executed by the terminal device. at least one terminal operation! test that produces a test result, 30 record the test result in a report on the terminal and ··· „*. submit the report to the server over the radio network and determine, based on the report submitted to the server, whether * ···: from the terminal has penetrated the radio network. A system according to claim 27, characterized in that the system is adapted to perform a test by the terminal 118709 26 for a sign of malfunctioning of the terminal using at least one of the following comparisons: - mutual flow of data streams transmitted through different interfaces of the processor. comparing where the processor has an interface with a smart card, memory, display, user interface and a communication part, - comparing the data stream transmitted with at least one interface of the processor and the status information associated with the communication part, the status information being stored in memory. The system of claim 27, characterized in that the system is adapted to perform on the terminal a test of another type in which the terminal is searched for signs of malfunctioning by comparing the contents of the memory with the content considered to be valid. A system according to claim 27, characterized in that the system is adapted to perform a third type test on the terminal, whereby the terminal is searched for signs of malfunctioning by comparing the contents of the memory with the contents considered irrelevant. The system of claim 27, characterized in that the rigid system is adapted. perform a fourth type test on the terminal, the test result of which is to provide information about the operation of the terminal. A system according to claim 27, characterized in that the system is adapted to perform a predetermined set of operations on the terminal, including .. at least one of the operations: a radio network part of the terminal. ··· blocking access, at least in part, interrupting a program that used the radio section improperly, deleting the program. A system according to claim 27, characterized by: *** 30, wherein the system is adapted to ··· supply a program code packet from a server to a terminal, the program code packet containing at least a test code. A system according to claim 27, characterized in that the system is adapted to provide at least partially different program code packets from the server to different radio network terminals, wherein the program code packet contains at least one one of the following executable codes: executable code for a particular test, executable code for a specific set of actions, or code that corrects a particular malicious terminal program. System according to claim 27, characterized in that the system is adapted to: receive on the server information affecting the operation of the system from at least one of the following data sources: a report transmitted by the terminal, a report database storing the reports transmitted by the terminals, a radio network billing system; EIR (Equip-10 ment Identity Register). System according to claim 35, characterized in that the system is adapted to: perform operations which are at least partially determined by the information received. The system of claim 35, characterized in that the system is adapted to store a report provided by the terminal by the server in a report database and to generate at least one status report on the server based on the contents of the report database. . ·. A system according to claim 35, characterized in that the system is adapted to receive on the server the data sent by the billing system. a message sent in response to exceeding a predetermined billing amount J 25 for a set of numbers containing at least one telephone number, and providing the server with at least one status message based on the contents of said »t message. A system according to claim 35, characterized in that the system is fitted ··· *. ** ·. 30 retrieve from the server the terminal vulnerability information from the EIF and • «·: ti · * to target the terminal to the set of vulnerability information. A system according to claim 35, characterized in that the system is adapted to enable at least one blocking service on the terminal by the server through the radio network subscriber directory. 118709 28