Work item: Q.DMSA
Subject/title: Principles for detection and mitigation of signalling attacks in telecommunication networks
Status: Under study [Issued from previous study period]
Approval process: AAP
Type of work item: Recommendation
Version: New
Equivalent number: -
Timing: 2025-12 (Medium priority)
Liaison: SG17
Supporting members: Vaulto (Israel), China Telecom
Summary:
Signalling protocols play a cornerstone role in providing different ICT services, from simple audio/video sessions to the complex digital financial services widely used across the globe. These protocols and telecommunication networks were designed without consideration for security and privacy. This enables attacks on ICT infrastructure, including attacks that exploit the signalling protocols used for different ICT services.
Other domains which use the Internet employ sophisticated, stateful methods to detect cyber-attacks, such as Application Layer Firewalls (ALF) and Machine Learning (ML) based threat detection, to protect their assets. Existing ICT infrastructure does not use such methods and relies on stateless inspection of each signalling message.
ITU-T Q.3057, Q.3062 and Q.3063 have defined the addition of a trust layer to signalling; however, attacks can stem from a trusted peer, thus additional layers of protection are required to detect and mitigate complex signalling attacks.
The boundary of the telco’s security domain is the recommended reference point for detecting and mitigating complex signalling attacks, which can span several protocols and stem from a source which is either trusted or one to which trust cannot be applied due to local or regional regulations.
This recommendation specifies principles for detecting complex signalling attacks to enhance signalling security in telecommunication networks, enabling telecom operators to defend against classical signalling attacks (single request attacks), stateful attacks (which involve more than one request) and complex attacks which span several signalling protocols across multiple generations of telecom networks. Implementation of the principles detailed in this recommendation at the operator’s network perimeter will enable signalling attack detection and mitigation.
The comprehensive detection and mitigation framework presented in this recommendation provides a layered defense strategy against a wide spectrum of telecom signalling threats. By combining signalling message authentication, stringent configuration practices, real-time heuristic analysis, anomaly detection, and cross-protocol consistency checks, operators can create a resilient signalling network environment.
This multi-layered approach ensures that even if one defense mechanism is bypassed, others are in place to identify, flag, and neutralize malicious activity. As telecom networks evolve, continuous adaptation of these methods—aligned with emerging networks and threat landscapes—will be essential to maintaining the integrity, confidentiality, and availability of signalling systems.
Embracing these detection and mitigation strategies is not only a technical imperative but also a critical component of overall network security governance, ensuring that telecom operators remain one step ahead of threat actors in a dynamic threat environment.
Comment: -
Reference(s):
Historic references:
Contact(s):
ITU-T A.5 justification(s):
First registration in the WP: 2023-10-25 13:03:26
Last update: 2025-04-01 17:00:13