Signalling System Number 7 (SS7) is used between mobile networks to enable various functions including: supporting voice interconnection; roaming mobility management; and internetwork Short Message Service (SMS). SS7 was developed before the Internet age, where large, normally state-owned organisations, ran telephone networks. Little time was spent protecting the protocols from abuse as it was thought that the barriers to entry were sufficiently high to protect networks. Mobile networks typically use SS7 to pass information about roaming customers, ensuring that such customers can register on networks and receive their calls or text messages.
With the introduction of Internet Protocol (IP) as an alternative transport layer, SS7 is now much more available to those who would want to abuse it. Examples of this abuse that impact customers and the network include:                HLR lookup—for example see http://gateway.txtnation.com/solutions/networklookup/numberqueries/numberlookup?ads=google&ppc=globalhlr;        location tracking—for example see http://www.washingtonpost.com/business/technololy/for-sale-systemsthat-can-secretly-track-where-cellphone-users-go-around-theglobe/2014/08/24/f0700e8a-f003-11e3-bf76-447a5df6411f_story.html;        Anti-Steering of Roaming (A-SoR), which tries to overcome a network operator's ability to direct their roaming customers to a preferred network operator, increasing costs for customers and has been banned by GSMA (see http://pctelecoms.blogspot.co.uk/2010/04/anti-sor-activities-banned-bygsms-barg.html); and        badly (or maliciously) designed Machine-to-Machine (M2M) systems—these solutions have sent SS7 traffic into networks, but with no associated financial payment.        
One problem with detecting fraudulent use of SS7 based application protocols is that only a small number of abusive signalling messages are needed and these are easily hidden within the mass of legitimate traffic. Referring first to FIG. 1, there is schematically shown how malicious traffic, in this case anti-SoR signalling, may be hidden within roaming signalling. Roaming partner networks (Network A to network F) are shown to be constructed from many diverse network elements. These may be elements that are one or more of: well defined by standards (for instance HLR, SMSC, VLR); legitimate customised nodes; and illegitimate nodes (for example A-SoR).
As the signalling traffic from all roaming partners to a target home network tends to be sent over a common transit network, identifying the true origin of signalling traffic is difficult, leading to the opportunity for a malicious attacker to spoof the identity of a legitimate partner in their signalling traffic either for commercial gain, or to attack the target network.
Malicious traffic can be generated from legitimate networks with a valid roaming agreement. In this case, an A-SoR entity in such a malicious network (Network A) may generate signalling to try to cause a roaming UE in the targeted network to roam on a network preferred by Network A. Moreover, malicious traffic can be generated from nodes within that network that also generate legitimate traffic.
It is not straightforward to identify suspicious network elements so that automatic or manual controls can be put in place to protect networks. This difficulty is equally applicable to all SS7 network operators. Various anti-fraud techniques are already implemented within GSM networks, but these tend to be targeted at specific threats (such as Anti-Steering of Roaming, HLR lookup). For example: http://www.cellusys.com/roaming-solutions/; http://www.cellusys.com/roaming-solutions/anti-steering-detectionprevention/; a product sold by Gemalto N.V., under the Trade Marked name LinqUs Roaming Director. SS7 firewall capabilities are known, but typically these do not provide much more protection than that provided by Access Control Lists (ACLs) based on the lower layer SS7 protocol nodal addresses.
Thus, multiple techniques may be needed to combat different threats, adding to cost and complexity. It is also expected that new threats will arrive and predicting those threats adds a further dimension to the already significant challenges that telecommunications network operators face.