WO 2006/077563 PCT/EE2006/000002
-1-
"A mobile network security system"
INTRODUCTION
Field of the Invention
The present invention relates to a security system for mobile networks and a method
of providing increased security in mobile networks.
Prior Art Discussion
As with electronic mail, unsolicited messages or spam messages are a problem in the
mobile network environment. The content of these messages is usually aimed to push
the recipient to make use of some charged services. Such messages are a source of
irritation to the user and are often misleading.
Like e-mail spam, spam messages are becoming an increasing source of nuisance to
mobile users. The content of these messages is usually aimed to push the recipient to
make use of some charged services, such as calling a specific charged 0800 number.
This phenomenon is irritating to the recipient who does not fall into the trap, and is
also misleading as the end-user who did fall in the trap will eventually blame the
operator. By using faked source addresses in their messages, spamming parties keep
their identity hidden from operators.
The invention addresses the problem of unsolicited messages in mobile networks.
SUMMARY OF THE INVENTION
According to the invention, there is provided a security system for a mobile network
having a gateway for receiving messages from outside the network and a network
element storing mobile terminal location information, wherein the security system:
monitors in real time messages entering the network through the gateway, and

WO 2006/077563 PCT/IE2006/000002
-2-
decides according to said monitoring if messages are likely to be unsolicited.
The invention also provides a method implemented by a security system for
monitoring messages in a mobile network having a gateway for receiving messages
from outside the network and a network element storing mobile terminal location
information, the method comprising the steps of the security system:
monitoring in real time messages entering the network through the gateway,
and
deciding according to said monitoring if messages are likely to be unsolicited.
In one embodiment, the system blocks messages which are likely to be unsolicited.
In another embodiment, the system also monitors data for a look-up request for a
message, and decides according to said look-up request data and monitoring
messages.
In another embodiment, the system monitors a source address of a look-up request and
a source address of a corresponding message, and decides that the message is likely to
be unsolicited if its source address is different from that of the corresponding look-up
request.
In a further embodiment, the system further comprises a data store and a timer, the
system stores look-up requests received from the gateway in the data store, and
decides that a message is likely to be unsolicited if a corresponding look-up request
has not been received within a pre-set time period.
In one embodiment, the system stores the look-up requests for only a pre-set time
duration, and determines if a request has been received within said pre-set time period
if it is stored in the data store when the data store is searched upon receipt of a
message.

WO 2006/077563 PCT/IE2006/000002
-3-
In another embodiment, the system determines that a look-up request corresponds
with a message if they have the same source address.
In another embodiment, the system activates the timer upon receipt of said request.
In another embodiment, the timer is configured to run from the time of receipt To to a
preset time limit T preset_end.
In a further embodiment, the system facilitates setting the timer time limit T preset_end
for a category of look-up request.
DETAILED DESCRIPTION OF THE INVENTION
Brief Description of the Drawings
The invention will be more clearly understood from the following description of some
embodiments thereof, given by way of example only with reference to the
accompanying drawings in which: -
Fig. 1 is a block diagram illustrating the components of a system of the
invention;
Fig. 2 is flow diagram illustrating the flow of data through the system of Fig.
1; and
Figs. 3 to 6 are message transfer diagrams illustrating operation of the system
in more detail.
Description of the Embodiments
Referring to Fig. 1 a mobile network 1 comprises a security system 2 connected to a
mobile network international gateway 3. The mobile network 1 comprises a HLR
(Home Location Register) 10 and a plurality of user mobile devices 12. The locations

WO 2006/077563 PCT/IE2006/000002
-4-
of devices 12 serviced by an operator are maintained in the HLR 10. For every Mobile
Terminated service that is requested from the network, a look up or Send Routing
Information (SRI) request to the HLR 10 is required to obtain location information in
order to successfully deliver the service, for example a subsequent message.
The security system 2 has a processor 4 programmed to monitor incoming SRI
requests Rl, R2...Rn and incoming messages Ml, M2...Mn. The routing
configuration within the mobile network 1 is such that all potentially suspicious
messages are routed through the security system 2 where they can be analyzed.
Incoming SRI requests include source information. Incoming messages Ml, M2... Mn
are each associated with a prior SRI request. The security system 2 also comprises a
local data store 5 and a timer clock 6. Received SRI requests are monitored, associated
source information is copied to the local data store 5 and an associated counter of the
timer clock 6 is started.
Some features typical of unsolicited messages or spam are as follows:
The HLR is queried by SRI request once per MSISDN, independent of
possible immediate subsequent MT-services, to find out where an end user
mobile terminal Ml typically resides.
The location information retrieved from the HLR query, in response to a look
up request/SRI request, is then used in the time period T thereafter to submit
unsolicited messages destined for the end-user.
Traffic enters a network via the international gateway and directly targets the
recipient mobile terminal Ml without passing through any local service center
(and hence bypasses local network filters).
A faked source address is used in the messages themselves (to prevent tracing
the message back to the originating party).
As a result of the faked source address in the message, the acknowledgement
related to the message will never reach the true originator. In contrast with
regular trustworthy MT services, the outcome of the individual message
deliveries is irrelevant to the originator as long as a significant percentage of
deliveries is successful. The latter criterion is expected to be satisfied due to

WO 2006/077563 PCT/IE2006/000002
-5-
the prior SRI request revealing the typical locations of the target mobile
stations Ml, M2,.. .Mn.
The system 1 and method of the invention operate to prevent messages with the above
noted features from passing through. The method of operation involves monitoring
SRI requests and incoming messages. As noted above the location information
retrieved from the HLR query, in response to a look-up request/SRI request, is then
used in the time period T thereafter to submit unsolicited messages destined for the
end-user. The clock timer 6 is thus preset to run from the time of receipt of a SRI
request T0 to a preset time limit T preset_end. The timer value may be implemented on
the basis of parameters, such as the location of the source of the SRI.
Referring to Fig. 2, the method performed by the security system 4 includes the
following steps:
1. When a SRI request enters the network 1 through the international gateway 3:
the request is passed on,
a timer is started in the clock 6,
relevant source information is copied to the local data store 5, including
the originating address and the terminating mobile station address
(MSISDN),
if the timer expires without a subsequent message then the associated
source information of the SRI request is removed from the local store
or kept internally for tracing purposes.
2. A message entering the network is monitored and analyzed and action
performed depending on the outcome of the analysis.
If no prior SRI request was observed within the time limits set by the
timer, then the message is not passed on and an acknowledgement is
generated. Since the source address in the message itself is likely to be
faked, the acknowledgement is expected not to reach back to the true
originator and hence the choice between a positive or negative
acknowledgement is an implementation-dependent choice of the

WO 2006/077563 PCT/IE2006/000002
-6-
operator. The system associates a message with a look-up request on
the basis of the termination mobile station identification (MSISDN).
If a prior SRI request was observed within the above time limit it is
subjected to a further test in which the source information of the
message is compared to the source information of the earlier location
request.
If the two source addresses are not identical then the message is not
passed on. Again, according to operator-chosen settings a positive or
negative acknowledgement may be sent back. The source address of the
prior SRI request can be marked as suspicious and kept for further
investigation as it is the true source of these unsolicited messages.
If the two source addresses match, the message is passed on for
delivery and the timer is restarted.
Figs. 3-6 illustrate the dynamics of operation of the system in more detail. The "@"-
component refers to an external entity/message source, the "G"-component is the
gateway through which the message/SRI enters the local network, the "F'-component
is the system of the invention, the "H"-component is the local HLR which contains the
locations of all mobile devices in the network, and finally the mobile pictogram refers
to the mobile devices themselves.
The (internal) architecture of the security system includes a proxy which is able to
look into the relevant details of a passing message/SRI request and a data store for
keeping relevant data related to (recent) SRI requests so that these details can be
compared to those of subsequent messages.
In case an SRI enters, at least the following information is stored: source address of
the originator of the SRI, identification of the mobile for which the query is intended,
and the current time. As soon as a message itself is received then the recipient address
of that message is used to perform a lookup in the store. In case one (or more)
registration of a prior SRI is found then the source address of that SRI is compared to
that of the message itself. If no prior SRI is found (Fig 6), if no matching source
address is found (Fig 5) or if the time between the SRI and the message itself is larger

WO 2006/077563 PCT/IE2006/000002
-7-
than some configurable value (Fig 4) then the message is not let through. Else, the
message is delivered normally (Fig 3).
The system of the invention enables real time monitoring and control of unsolicited
messages arriving in a mobile network. This method prevents mobile users from
receiving untraceable messages with fake source addresses from an international
source by monitoring and controlling international traffic as described above.
The method of the invention serves to prevent unsolicited messages from passing
through mobile networks. It has the advantage that traceability is guaranteed and that
end users are not bothered by these messages.
The invention is not limited to the embodiments described but may be varied in
construction and detail.

WO 2006/077563 PCT/EE2006/000002
-8-
Claims
1. A security system for a mobile network (1) having a gateway (3) for receiving
messages from outside the network and a network element (10) storing mobile
terminal location information, wherein the security system (2):
monitors in real time messages entering the network through the gateway (3),
and
decides according to said monitoring if messages are likely to be unsolicited.
2. A system as claimed in claim 1, wherein the system blocks messages which
are likely to be unsolicited.
3. A system as claimed in claims 1 or 2, wherein the system also monitors data
for a look-up request for a message, and decides according to said look-up
request data and monitoring messages.
4. A system as claimed in claim 3, wherein the system monitors a source address
of a look-up request and a source address of a corresponding message, and
decides that the message is likely to be unsolicited if its source address is
different from that of the corresponding look-up request.
5. A system as claimed in claims 3 or 4, wherein the system further comprises a
data store and a timer, the system stores look-up requests received from the
gateway in the data store, and decides that a message is likely to be unsolicited
if a corresponding look-up request has not been received within a pre-set time
period.
6. A system as claimed in claim 5, wherein the system stores the look-up requests
for only a pre-set time duration, and determines if a request has been received
within said pre-set time period if it is stored in the data store when the data
store is searched upon receipt of a message.

WO 2006/077563 PCT/IE2006/000002
-9-
7. A system as claimed in claims 5 or 6, wherein the system determines that a
look-up request corresponds with a message if they have the same source
address.
8. A system as claimed in any of claims 5 to 7 wherein the system activates the
timer (6) upon receipt of said request.
9. A system as claimed in claim 8, wherein the timer is configured to run from
the time of receipt To to a preset time limit Tpreset_end.
10. A system as claimed in of claims 5 to 9, wherein the system facilitates setting
the timer time limit T preset_end for a category of look-up request.
11. A method implemented by a security system for monitoring messages in a
mobile network (1) having a gateway (3) for receiving messages from outside
the network and a network element (10) storing mobile terminal location
information, the method comprising the steps of the security system (2):
monitoring in real time messages entering the network through the gateway
(3), and
deciding according to said monitoring if messages are likely to be unsolicited.
12. A method as claimed in claim 11, wherein the system blocks messages which
are likely to be unsolicited.
13. A method as claimed in claims 11 or 12, wherein the system also monitors
data for a look-up request for a message, and decides according to said look-up
request data and monitoring messages.
14. A method as claimed in claim 13, wherein the system monitors a source
address of a look-up request and a source address of a corresponding message,

WO 2006/077563 PCT/EE2006/000002
-10-
and decides that the message is likely to be unsolicited if its source address is
different from that of the corresponding look-up request.
15. A method as claimed in claims 13 or 14, wherein, the system stores look-up
requests received from the gateway in the data store, and decides that a
message is likely to be unsolicited if a corresponding look-up request has not
been received within a pre-set time period.
16. A method as claimed in claim 15, wherein the system stores the look-up
requests for only a pre-set time duration, and determines if a request has been
received within said pre-set time period if it is stored in the data store when the
data store is searched upon receipt of a message.
17. A method as claimed in claims 15 or 16, wherein the system determines that a
look-up request corresponds with a message if they have the same source
address.
18. A method as claimed in any of claims 15 to 17 wherein the system activates a
timer (6) upon receipt of said request.
19. A method as claimed in claim 18, wherein the timer is configured to run from
the time of receipt T0 to a preset time limit Tpreset_end,
20. A method as claimed in any of claims 15 to 19, wherein the system facilitates
setting the timer time limit T preset_end for a category of look-up request.
21. A computer readable medium comprising software code for performing a
method of any of claims 11 to 20 when executing on a digital data processor.

A security system for a mobile network (1) has a gateway (3) for receiving messages from outside the network and
a HLR (10) storing mobile terminal location information. The security system monitors in real time messages entering the network
through the gateway (3), and decides according to said monitoring if messages are likely to be unsolicited. The system may block
messages which are likely to be unsolicited. The system monitors a source address of a look-up request and a source address of
a corresponding message, and decides that the message is likely to be unsolicited if its source address is different from that of the
corresponding look-up request. The system further comprises a data store (5) and a timer (6), and stores look- up requests received
from the gateway in the data store, and decides that a message is likely to be unsolicited if a corresponding look-up request has not
been received within a pre-set time period.