Abstract
Software-Defined Mobile Network (SDMN) architecture integrates SDN (Software Defined Networks), Network Functions Virtualization (NFV) and cloud computing principles within the mobile networking environments to transform rigid and disparate legacy mobile networks into scalable and dynamic ecosystems. However, the SDMN architecture with the separation of the control and data planes can introduce new security challenges for mobile networks. It will significantly change the way security is managed and applied for mobile networks. This article discusses the security challenges, vulnerabilities and opportunities that need to be investigated and addressed for future SDMNs. It also highlights how common security threats in IP networks such as the Internet are now applicable in new open and IP-based SDMNs.
34 July/August 2016 Copublished by the IEEE Computer and Reliability Societies 1540-7993/16/$33.00 © 2016 IEEE
SECURITY SMORGASBORD
Opportunities and Challenges of Software-Defined Mobile Networks in Network Security
Madhusanka Liyanage | University of Oulu
Ahmed Bux Abro | VMware
Mika Ylianttila | University of Oulu
Andrei Gurtov | Linköping University and ITMO University
To transform rigid and disparate legacy mobile networks into scalable and dynamic ecosystems, software-defined mobile network (SDMN) architecture integrates software-defined networks, network functions virtualization, and cloud computing principles. However, because SDMN architecture separates control and data planes, it can introduce new security challenges.
Mobile network operators are facing challenges due to the rapid growth in data traffic, particularly from the high number of smartphones and sophisticated network services. Today's mobile networks support various network services, such as voice over IP, high-density video streaming, Internet TV, electronic payments, and mobile cloud services. Therefore, mobile operators now compete with a new class of competitors including over-the-top players, cloud operators, and established Internet service provider (ISP) giants. Thus, mobile operators must roll out new network services and applications rapidly to maintain a competitive edge. They also need to improve performance at a lower operational cost to provide high-quality services for attractive prices.1

However, legacy mobile networks often struggle with limitations such as stationary and expensive equipment, complex control protocols, and configuration interfaces (see Table 1), which hinder the development of telecommunications networks.1,2 In this context, software-defined network (SDN), network functions virtualization (NFV), and cloud computing principles are promising technologies that might address the limitations in legacy mobile networks. Software-defined mobile network (SDMN) architecture integrates these technologies in the mobile network environment.

SDN introduces the concept of decoupling the control plane (CP) from the data plane (DP) and allows control of the network via a centralized controller. SDN has three key attributes:1,2

• logically centralized intelligence—a controller with a global view that can manage the entire mobile network;
• programmability—the ability to use advanced software programming techniques to modify network behavior and functions; and
• abstraction—the ability to hide complex network infrastructure and protocols behind the network OS; business applications can abstract underlying network information with the help of SDN.
NFV enables decoupling of the network functions from proprietary hardware appliances, so they can run in software.3

Cloud computing concepts bring rich computational resources to the network operators. Cloud computing moves the computing power and data storage away from the mobile backhaul devices and into powerful and centralized computing platforms. These services can be accessed on demand.

With the separation of the control and data planes, the SDMN architecture can be leveraged to improve mobile network security and to help introduce new SDN-based security mechanisms to deal with traditional security challenges and threats. Moreover, open IP–based telecommunications networks are now vulnerable to security threats that are applicable to common IP networks, such as the Internet. This will significantly change the way security is managed and applied in future mobile networks' security mechanisms. In this article, we introduce the SDMN architecture, describe security mechanisms used in legacy mobile networks, and discuss the SDMN architecture's expected security advantages and threat vectors.
Software-Defined Mobile Networks
SDMN architecture consists of three layers: DP, CP, and application plane (AP).1,2,4 Figure 1 illustrates the SDMN architecture.

The DP consists of mobile network elements such as base stations, femtocell stations, gateways, routers, and switches;1 it's also called the infrastructure layer. The mobile backhaul network consists of DP switches and links between them. Base stations, femtocell stations, access points, and external gateways are connected to the border switches. DP switches route the backhaul traffic based on flow rules, which are installed by the network controller.
Table 1. Limitations in present mobile networks (limitation: impact).

Scalability: Existing static and overprovisioned mobile networks are inflexible and costly to scale to keep up with increasing traffic demands.

Complex network management: Most backhaul devices, such as eNodeBs (evolved NodeBs) and mobility management entities, lack common control interfaces. Therefore, significant expertise and platform resources are required to manage mobile networks.

Inflexibility: The standardization process for mobile networks is lengthy. It takes many months or years to introduce new services.

High cost: Mobile operators don't have the flexibility to "mix and match" capabilities from different vendor devices. This directly increases the network's capital expenditure. In addition, manual configuration and inflexibility increase the network's operating expenses.

Multioperator or multitechnology environment: Telecommunications networks contain diverse wireless technologies (for instance, Enhanced Data Rates for GSM [Global System for Mobile Communications] Evolution, Wideband Code Division Multiple Access, Long-Term Evolution, and Wi-Fi) and support many virtual private operators. It's challenging to manage the interoperability of multivendor physical devices that use different configurations with various policy and security requirements in a multioperator environment.

Complex and expensive network devices: Some mobile backhaul devices must handle extensive functionality. For instance, Packet Data Network Gateway is responsible for many important data plane functions such as traffic monitoring, billing, quality-of-service (QoS) management, access control, and parental controls. Thus, the devices are complex and expensive.

Increasing network congestion: Despite limited radio bandwidth, the demand for mobile data is increasing rapidly. Therefore, mobile network operators must use smaller cells to accommodate the traffic growth, which ultimately increases the number of base stations in the network. As a result, mobile backhaul networks will face congestion in a manner similar to datacenter networks.

Frequent mobility and roaming: Telecommunications networks support multiple access technologies (for example, 2G, 3G, 4G, and Wi-Fi). Mobile users often move across different access networks, increasing network management complexity. For instance, interpreting interdomain policies to guarantee consistent security and QoS dynamically and efficiently is challenging with various access technologies.
The CP contains a logically centralized controller,1 the brain that manages every function in the network. The network OS runs on top of the controller to support the control functions.2 The controller uses a control protocol, such as OpenFlow,1 to communicate with DP switches. In some deployment models, a part of CP software can reside on network routers or DP switches.

The AP consists of all the telecommunications network's control and business applications. In SDMN architecture, the traditional mobile network control entities, such as policy and charging rules function (PCRF), home subscriber server (HSS), mobility management entity (MME), and authentication authorization and accounting (AAA), will run as software applications at the application layer.2

Table 2 shows the SDMN architecture's expected benefits.
Figure 1. The software-defined mobile network (SDMN) architecture integrates software-defined networks (SDNs), network functions virtualization (NFV), and cloud computing principles. It consists of an application, control, and data plane. [Figure: application plane (policy and charging rules functions, home subscriber server, authentication authorization and accounting, mobility management entity, virtualized network elements and services); control plane (network OS and network controller, northbound interface, control protocol, for example, OpenFlow); data plane (radio, access, preaggregation, aggregation, and core networks; DP switches 1 to 10; eNodeBs, NodeBs, access points, and femtocells; Internet, content delivery network, IP TV, and voice over IP).]

Security Mechanisms in Mobile Networks

Here, we present the security mechanisms used in legacy mobile networks and describe their limitations.

Securing Only the Perimeter

Today's telecommunications networks heavily rely on perimeter security mechanisms.5,6 Mobile network edges interfacing to external networks are considered the most vulnerable points in the network and are protected by intrusion prevention systems (IPSs), firewalls, customer edge switching (CES), carrier-grade network address translators (NATs), and so on. These security mechanisms are implemented only at the perimeter of the mobile network, leaving the internal network wide open for security threats.5 Figure 2 illustrates the security mechanisms used in today's LTE networks.

Distributed and Uncoordinated Security Mechanisms

A diverse set of security mechanisms is deployed on different sections of the mobile network.6 For instance, LTE networks use radio network layer encryption for the radio access network, and Internet Protocol Security (IPsec) encryption for the backhaul network. These security mechanisms work autonomously with limited awareness of other network devices.

Telecommunications networks should also support backward compatibility for old access technologies. Today's telecommunications networks support a diverse set of wireless technologies, including general packet radio service (GPRS), Enhanced Data Rates for GSM (Global System for Mobile Communications) Evolution, wideband code division multiple access (WCDMA), LTE, and Wi-Fi. Each wireless technology uses independent security mechanisms and policies.6 Such distributed, independent, and uncoordinated security mechanisms increase the complexity and resource utilization of security management tasks and ultimately reduce overall network performance.6
Tightly Coupled to Physical Resources

Security policies and mechanisms in present-day mobile networks are tightly coupled to physical resources, such as switch ports and interfaces, rather than to network services and user applications.5 Such policies were sufficient for legacy telecommunications networks because they supported mainly voice and text message services. However, today's telecommunications networks offer advanced network services, such as mobile banking, e-health applications, mobile payments, email, and secure Web browsing. These modern services require higher levels of security protection at multiple levels. Therefore, isolated security mechanisms with ad hoc policies will be inefficient in future mobile networks.

Lack of Adaptation

Current mobile networks mostly use reactive security mechanisms and can't make real-time decisions rapidly and collaboratively. In other words, it's challenging to dynamically adjust the security policies quickly by monitoring and detecting abnormal behaviors or malicious events in a mobile network with thousands of backhaul nodes.6

Moreover, most security mechanisms are static or tightly coupled with devices. Such security policies can't be changed without resetting or replacing the whole device. However, mobile networks are very dynamic environments, and network parameters change rapidly. Future mobile networks will require dynamically adjustable security mechanisms without interrupting the ongoing services.

Lack of Interoperability

Present-day mobile networks use a diverse set of security mechanisms; each serves a dedicated security function such as NAT, IPS, firewall, IPsec tunneling, and deep packet inspection.5 These many security solutions are designed by different vendors; most are vendor proprietary solutions. Therefore, the "mixed and matched" use of different security solutions is extremely difficult or impossible in today's networks.

Overprovisioned Security Mechanisms

Security mechanisms in current telecommunications networks are designed to handle the heaviest traffic loads. Service disruptions are avoided by oversizing the network capacity and overpopulating the resources for security mechanisms. Therefore, most security resources are underutilized for a long period of time.5 Furthermore, mobile networks support backward compatibility and interoperability to maintain different generations of technologies, such as 2G, 3G, 4G, Wi-Fi, and WiMAX. Most telecommunications operators use independent and separate security mechanisms and policies for each technology.

Mobile networks can't optimize security resource utilization due to the absence of centralized intelligence, proper visibility, and coordination among security devices.6

Table 2. Key benefits of software-defined mobile networks (SDMNs) (benefit: description).

Logically centralized control: A centralized controller can make control decisions based on the global view of the network. These decisions are more accurate and efficient than existing autonomous system–based decisions.

Flexibility: SDMN architecture defines a common standard among the backhaul devices. Therefore, the controller can manage any SDN-enabled mobile network component from any vendor as long as there's a common standard platform, such as OpenFlow.

Automatic network management: Automatic network management allows the deployment of new network services and functions in a matter of hours instead of days. Also, it's possible to dynamically fine-tune the device configurations to achieve better resource utilization and security and lower congestion than static configurations. Furthermore, troubleshooting network configuration is very fast due to the controller's global view.

Virtualized abstraction: SDMN architecture hides the complexity of various access technologies and topologies. SDMN's network programmability and proposed flow model support granular policy control, flexible traffic aggregation, and partition.

Higher rate of innovation: The network programmability and common application programming interfaces accelerate business innovation in mobile networks. The operator has the flexibility to quickly innovate and test various novel controlling applications on top of the network OS. Deploying these novel software-based applications is faster than deploying today's hardware-based applications.

More granular network control: The flow-based control model in SDN architecture allows the application of granular flow control policies, such as session, user, device, and application levels. Moreover, the controller can dynamically change these control policies based on network behavior.

On-demand provision and online scaling up of resources: SDN concepts enable the adaptation of network virtualization. Virtualizing network devices offers the on-demand provisioning of resources when needed and scaling of resources to satisfy demand.

Low-cost backhaul devices: SDN architecture removes the control plane from backhaul devices, so they're needed only for very basic functions. Therefore, SDN switches don't require hardware with high processing power; the data plane can use low-cost switches with low processing.
Vulnerability to IP-Based Attacks

Recent IP-based mobile networks (for instance, LTE and LTE-Advanced) are vulnerable to security attacks such as distributed denial of service (DDoS), insider attacks, botnets, and other IP-based attacks.5,6

DDoS attacks are common in telecommunications networks. More than 90 percent of mobile operators experienced DDoS attacks in 2012.7 Unprotected and always-on devices, such as smartphones and tablets, are great platforms for attackers to launch DDoS. For instance, attackers can deploy a botnet on a smartphone to carry out DDoS attacks on a mobile network.

In the latest mobile networks, the IP-based backhaul networks are connected to other IP networks such as the Internet. Hence, mobile networks are exposed to millions of untrusted devices, particularly on the Internet. Attackers can utilize these unsecured public devices to jeopardize mobile networks by using a full range of IP- and Web-based attacks (see Table 3).5,6

In traditional 2G and 3G networks, user traffic isn't routed through telecommunications networks like in ISP, but rather is tunneled using the GPRS tunneling protocol. Thus, other users can't access the backhaul devices—for instance, they couldn't ping Serving GPRS Support Node from external networks.5 However, the conversion of telecommunications networks to an IP-based open architecture will increase the risks for IP-based security attacks. In this context, running traceroute—a network tool used to determine the traffic path for network packets from source to destination host addresses—from a mobile phone will show the IP addresses of all network backhaul devices.6
Figure 2. Security systems and services used in a typical LTE security architecture. Various systems are positioned to offer intra- and intersystem security and to protect user equipment, EUTRAN, and EPC. USIM is Universal Subscriber Identity Module, eNB is evolved NodeB, DPI is deep packet inspection, GW is gateway, IMS is IP multimedia subsystem, GTP is GPRS tunneling protocol, and SCTP is Stream Control Transmission Protocol. [Figure: user equipment (USIM, RNL encryption, AKA); E-UTRAN (eNBs linked by X2); evolved packet core (MME, S-GW, P-GW, PCRF, HSS) with IPsec and GTP tunnels over S1-U, S1-MME, S8, S11, S6a, Gx, Rx, and SGi; S1, S8, and SGi firewalls providing authentication, SCTP firewalling, DPI/IPS, NAT, CG-NAT, customer edge switching, and URL filtering; roaming network, Internet, and IMS.]
Insider attacks are also common in mobile networks. An operator's employee can make unauthorized changes, such as reducing buffer sizes, queue lengths, and timer values, to affect network performance. For instance, microcell base stations aren't physically secured in the same way as conventional base stations, and they're highly vulnerable to tampering.5 Such attacks are difficult to identify, even with audit trails.

Multiaccess and Multioperator Environment

Mobile networks maintain backward compatibility and interoperability to support different generations of technologies (for instance, 2G, 3G, 4G, and LTE-Advanced). Moreover, a telecommunications network's operational environment consists of different operators—capacity providers, virtual operators, and ISPs. This leads to complex security policy negotiation processes, privacy concerns, and potential policy conflicts. Therefore, enforcing security in today's telecommunications networks is a challenge. Most telecommunications operators use independent and separate security mechanisms and policies for each technology and operator.8 This increases both security mechanisms' resource utilization and mobility management costs.

Lack of Visibility and High Monitoring Overhead

Today's mobile networks lack end-to-end visibility due to closed network equipment and distributed security mechanisms. However, end-to-end monitoring is the only mechanism that can ensure mobile network availability. Therefore, operators must implement many network probes to monitor traffic in each sector, which leads to high monitoring overhead in terms of network bandwidth and operational cost. Still, 60 percent of telecommunications operators lack full visibility of their backhaul network traffic.9

Owing to these limitations, traditional security solutions are difficult to deploy, manage, program, and scale. Therefore, future mobile networks demand advanced, intelligent, and collaborative security systems to mitigate the above limitations.

Table 3. Attacks from the Internet and external networks (attack type: trigger and description; impact on mobile networks).

Distributed denial of service (DDoS): A set of attackers sends a large volume of fake traffic (for instance, malformed ping requests in ping-of-death attacks and TCP synchronous requests in TCP SYN denial-of-service attacks) to consume mobile network resources. Impact: The backhaul devices are unresponsive to legitimate traffic.

Replay: An attacker intercepts legitimate signaling traffic and overwhelms the network by retransmitting it continuously. Impact: The backhaul devices are unresponsive to legitimate signaling traffic.

IP port scans: An attacker performs port scans on mobile network elements to identify the active ports and exploits their vulnerabilities. Impact: Collected IP port scan information can be used to plan a sophisticated targeted network attack.

Overbilling and billing evasion: An attacker hijacks the IP address of a legitimate subscriber and uses it to download or send data at the expense of the legitimate subscriber. Impact: The operator loses revenue.

Domain Name Server (DNS) hijacking: DNS queries are redirected to a rogue DNS server. Impact: Service quality is reduced or the connection is terminated.

Expected Security Advantages of SDMNs

The adaptation of SDMN concepts offers new features such as centralized intelligence, network programmability, abstraction, NFV, common device standards, and flow-based traffic management, which will be particularly useful in implementing dynamic, flexible, and manageable security mechanisms in future telecommunications networks.1,8,10 Table 4 lists possible use cases of new SDMN features to overcome existing mobile network security challenges.

Here, we provide a high-level analysis of key SDMN features that can be used to apply security for future mobile networks.

Centralized Intelligence and Control Orchestration

The SDMN controller has centralized intelligence and can monitor security breaches over the entire network.10 The controller not only makes informed decisions but also optimizes resource utilization for security. Validating and synchronizing various security policies will be fast and efficient with centralized intelligence. The controller can remove overlapping rules and optimize the decision-making phase for operational efficiency.

Granular Policy Management

SDMN supports more granular policy management schemes than the existing mobile networks. The controller can enforce security policies based on application, service, user, flow, device, and other levels.10 Such fine-grained enforcement and security policies are necessary to provide carrier-grade services while supporting millions of dynamic users in a single mobile network.
Scalability and Flexibility

SDMN architecture supports virtualized security solutions and allows dynamic scaling of the security resources to match traffic load.3 It reduces the requirement to allocate physical resources to correspond with heavy traffic loads. Virtualized security solutions are cost efficient because optimizing the utilization of network resources is possible. Moreover, the security resources are available on demand, and security policies can extend across multiaccess and multioperator networks.8

Table 4. SDMN concepts that improve mobile network security (security issue: SDMN mitigation mechanism [relevant SDMN feature]).

Securing only the perimeter: Security mechanisms aren't coupled to a specific section of the network [abstraction]. Common security mechanisms can be applied to any section of the network [network functions virtualization (NFV) and common device standards].

Distributed and uncoordinated security mechanisms: Different security mechanisms have centralized security policy management and coordination [centralized intelligence]. Eliminate the vendor-specific security mechanisms [common device standards].

Tightly coupled to physical resources: Security mechanisms are independent of infrastructure [abstraction]. Security mechanisms are decoupled from infrastructure devices and implemented in cloud-based resources [NFV]. Security policies are applied at more granular levels such as user, application, or session [flow-based traffic management].

Lack of adaptation: Various security mechanisms have centralized monitoring and dynamic policy application [centralized intelligence]. Software applications allow rapid and efficient change of the security mechanisms [network programmability].

Lack of interoperability: Eliminate the vendor-specific security mechanisms [common device standards]. All security mechanisms are managed by the centralized controller [centralized intelligence].

Overprovisioned security mechanisms: Dynamically adjust the security mechanisms to satisfy varying traffic demands [centralized intelligence]. Security mechanisms use and share cloud-based resources [NFV]. Common security mechanisms are implemented over multiple access technologies [NFV, centralized control]. Security mechanisms are modified quickly according to traffic demands [network programmability].

Vulnerability to various attacks: Real-time monitoring identifies and drops malicious traffic as early as possible [centralized intelligence and control]. Fast deployment of new security mechanisms prevents new attacks [network programmability]. Efficient forensics with holistic network informatics prevent future attacks [enhanced visibility].

Multiaccess and multioperator environment: Common security mechanisms are implemented over multiple access technologies and operators [NFV and centralized control]. Complex network access technologies and protocols to security applications are hidden [abstraction].

Lack of visibility and monitoring overhead: The entire network is monitored in real time [centralized intelligence and control]. Network-monitoring resources are scaled to match traffic demand without changing the physical infrastructure [NFV]. Common monitoring tools can be used to monitor every section of the network [common device standards].
Abstraction

SDMN abstracts the security away from physical constructs such as stateful port firewalls, wire sniffers, and multiaccess technologies.8,10 Thus, it's possible to implement common security mechanisms that can be deployed repeatedly without concern for underlying physical infrastructure capabilities and access technologies.

Dynamic Attack Mitigation

Network security personnel can leverage a centralized controller to monitor network activity and use it to detect anomalous behavior and mitigate it with higher accuracy. For instance, malicious traffic generated by an attack can be dropped as early as possible (for instance, the wireless edge for mobile-based DDoS attacks) rather than allowing it to reach the core network switches.11 Moreover, holistic network informatics are useful and efficient for forensics.

Flow Paradigm

The SDMN controller can monitor the entire network and isolate flows—labeling certain flows as suspicious and restricting backhaul devices from processing packets from these flows.10 In this context, flow-based policy enforcement can be more effective than existing packet-based analysis and improves the efficiency of security mechanisms.

Dynamic and Flexible Adjustment

SDMN enables on-demand dynamic and flexible security policy adjustment by using network programmability. Security administrators can dynamically adjust security mechanisms to protect the network and optimize resource utilization. More important, these policies aren't tied to the physical configuration or the user's access technology.8,10 Thus, they can be reprogrammed and upgraded without changing or resetting the physical hardware.

Real-Time Monitoring and Decision Making

SDMNs' centralized architecture offers networkwide real-time security monitoring. The controller can facilitate dynamic security policy alteration, real-time security service insertion, and accurate network forensics measures.10

The controller can also help with informed decision making by blending historical and real-time network status and performance data. For instance, it can be used to assign resource limits for malicious network segments as a proactive security mechanism against denial-of-service (DoS) attacks.11
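As an added illustration that is not code from the article, the following constructed Python simulation puts together the two controller behaviors described in "Dynamic Attack Mitigation" and "Flow Paradigm" (label a flow suspicious and drop it at the wireless-edge switch instead of letting it reach the core) and in this section (blend a historical baseline with real-time rates to assign a resource limit to a segment under a distributed DoS). The switch names, thresholds, and traffic samples are assumptions made for the example.

```python
"""Flow-based mitigation at the wireless edge: a constructed simulation.

DP switches report per-flow packet rates to a logically centralized
controller, which (1) labels a flow suspicious and installs a drop rule at
the ingress edge switch so the traffic never reaches the core, and (2) blends
a historical per-segment baseline with the live rate to assign a rate limit
(meter) to a segment whose surge is spread over many small flows.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set

# Constructed topology (hypothetical names): each radio segment is attached
# to one edge DP switch; core switches are never used as enforcement points.
EDGE_SWITCH_OF_SEGMENT = {"cell-A": "dp-switch-1", "cell-B": "dp-switch-2"}
CORE_SWITCHES = {"dp-switch-9", "dp-switch-10"}


@dataclass(frozen=True)
class FlowKey:
    src_ip: str
    dst_ip: str
    proto: str  # e.g. "tcp-syn", "udp", "icmp"


@dataclass
class FlowRule:
    switch: str
    match: Optional[FlowKey]  # None means a segment-wide meter on the edge
    action: str               # "drop" or "meter"
    rate_limit_pps: Optional[int] = None


@dataclass
class Controller:
    drop_threshold_pps: int = 5_000  # a single flow at or above this is dropped
    baseline_factor: float = 3.0     # a segment may grow to N x its baseline
    ewma_alpha: float = 0.2          # weight of the newest interval in the baseline
    baseline_pps: Dict[str, float] = field(default_factory=dict)
    installed: List[FlowRule] = field(default_factory=list)
    suspicious: Set[FlowKey] = field(default_factory=set)

    def ingest(self, segment: str, samples: Dict[FlowKey, int]) -> List[FlowRule]:
        """Process one interval of per-flow rates (packets/s) seen on a segment.

        Returns the rules installed in this interval; every rule is also kept
        in self.installed for later forensics.
        """
        edge = EDGE_SWITCH_OF_SEGMENT[segment]
        assert edge not in CORE_SWITCHES, "enforce at the edge, not the core"
        new_rules: List[FlowRule] = []

        # Per-flow decision: a flow above the hard threshold is dropped at the
        # ingress switch; once labelled, it stays suspicious.
        for key, pps in samples.items():
            if pps >= self.drop_threshold_pps and key not in self.suspicious:
                self.suspicious.add(key)
                new_rules.append(FlowRule(edge, key, "drop"))

        # Segment decision on what remains after drops: a surge made of many
        # flows that each stay below the per-flow limit gets a meter whose
        # limit is derived from the historical baseline.
        remaining = sum(p for k, p in samples.items() if k not in self.suspicious)
        base = self.baseline_pps.get(segment)
        forwarded = remaining
        if base is not None and remaining > self.baseline_factor * base:
            limit = int(self.baseline_factor * base)
            forwarded = min(remaining, limit)
            if not any(r.switch == edge and r.action == "meter" for r in self.installed):
                new_rules.append(FlowRule(edge, None, "meter", limit))

        # The historical view is updated only with traffic actually forwarded,
        # so dropped or metered attack traffic cannot poison the baseline.
        if base is None:
            self.baseline_pps[segment] = float(forwarded)
        else:
            self.baseline_pps[segment] = (1 - self.ewma_alpha) * base + self.ewma_alpha * forwarded
        self.installed.extend(new_rules)
        return new_rules


def run_scenario() -> Controller:
    """Constructed traffic on cell-A: two quiet intervals, then a SYN flood
    from one handset, then a surge from ten handsets each below the limit."""
    ctrl = Controller()
    server = "198.51.100.7"
    quiet = {FlowKey("10.0.0.12", server, "tcp"): 400,
             FlowKey("10.0.0.13", "203.0.113.5", "udp"): 600}  # 1,000 pps baseline
    for _ in range(2):
        ctrl.ingest("cell-A", quiet)
    flood = {FlowKey("10.0.0.11", server, "tcp-syn"): 20_000, **quiet}
    ctrl.ingest("cell-A", flood)  # one flow far above the limit: drop rule
    swarm = {FlowKey(f"10.0.0.{n}", server, "tcp-syn"): 900 for n in range(20, 30)}
    ctrl.ingest("cell-A", swarm)  # 9,000 pps spread over ten flows: meter
    return ctrl


if __name__ == "__main__":
    for rule in run_scenario().installed:
        print(rule)
```

The meter is applied only to traffic that is not already dropped, so a single identifiable attacker does not cause benign users of the same cell to be rate limited.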
Virtualized Middleboxes
e operator has the exibility to simplify the DP
devices by integrating their functionality in the SDMN
network controller.3 erefore, traditional middleboxes
such as CES, NAT, and rewalls can be implemented in
virtualized resources. is reduces the complexity and
cost of security devices.
Economically Viable
SDMN architecture significantly reduces the resources required for security by optimizing resources and implementing middleboxes in virtual environments. It eliminates the need for complex and expensive security devices in the network and decreases capital expenditure network costs.3 In addition, adoption of the SDMN concepts offers flexible management, dynamic countermeasures, and automatic configuration, reducing operating expenses.10 Moreover, these security mechanisms can be automatically executed, significantly reducing human errors.
Threat Vectors for SDMN Architecture
Despite the expected advantages, adopting SDMN concepts also brings many security disadvantages. The proposed open network architecture of SDMN minimizes the technological gap between the common IP networks and telecommunications networks. As a result, SDMNs would become vulnerable to most attacks in general SDN networks.

Here, we present the main potential threat vectors for SDMNs and possible security threats for each vector.2,8,12 We also highlight the common SDN security threats in SDMNs.
Attacks on the AP
Controlling legacy mobile networks is a complex task because it involves a diverse set of network components with different functions and control protocols. The knowledge of these devices was limited only to mobile network engineers because most of these carrier-grade control protocols weren’t used in any other networks. Thus, manipulating such protocols is difficult without expert knowledge.5 However, SDMN allows third-party software applications, which run on the AP, to control and manage the mobile network.8
Manipulating a software application is comparatively easier than manipulating traditional control protocols. For instance, a back door to a software application can be used to gain unauthorized access to HSS and steal user parameters, such as billing and account information, cryptographic primitives, authentication keys, and last known locations.12 Moreover, most applications developed in-house lack digitally signed code and carry different vulnerabilities, such as buffer overflow and null pointer issues. Such applications cause major threats to the smooth operation of mobile networks.12
Authentication of software applications at the AP is also important. Malicious software applications can act as mobile control entities such as HSS to provide fake user profiles, MME to activate unauthorized bearers, or Packet Data Network Gateways to disrupt mobility events.8

Moreover, many secure communication channels (for instance, SDMN control channels) rely on encryption to protect the transmitted data’s integrity and confidentiality. Attackers can use malicious software to compromise encryption algorithms; for instance, the Heartbleed bug manipulates the OpenSSL cryptography library.13
Attacks on the CP
Legacy mobile networks were designed in a distributed fashion with a set of complex devices and protocols. In this context, adversaries had to plan attacks so as to manipulate a diverse set of independent network components and protocols. However, an attacker’s job has become easier in SDMNs because control resides in a central location. The network controller is an SDMN’s single point of failure and most DoS attackers’ default target.9,12 The controller has multiple vulnerable points, such as AP entities, application programmable interfaces, its own OS, and software vulnerabilities.9,12

The SDMN controller is also vulnerable to attacks from the application layer via a northbound interface. Application-layer software is authorized to install control programs, feed updates, and other operator policies to the controller. Thus, an attacker can use application-layer software to reprogram the controller’s functions.12

Moreover, the SDMN controller itself is a software program that runs on top of an OS. Such OS platforms might have their own vulnerabilities and loopholes that can be used to attack the SDMN CP. For instance, the underlying OS platform might use insecure protocols such as HTTP or telnet, or might not be fully updated with security patches.9,12

SDMN consists of thousands of DP switches spread across a large geographic area. Each DP switch needs frequent communication with the controller. Therefore, SDMNs use multiple controllers (distributed controllers) to cope with delay or latency constraints. In such a multiple-controller environment, interfederated conflicts can occur owing to inconsistency in the controller configurations, reducing network resistance.14
Attacks on the DP
SDMNs are now vulnerable to flow-poisoning attacks, which are similar to route-poisoning attacks in IP networks. In a flow-poisoning attack, adversaries inject invalid traffic flows to saturate the controller resources.12 SDMN DP switches don’t use strong mutual authentication at the DP. Therefore, a malicious device can impersonate a legitimate DP switch and send forged or faked traffic flows to other DP switches. In such a way, an attacker can exhaust ternary content-addressable memory of switches and controller resources.12

It’s difficult to identify and separate genuine flow rules from false rules for data path elements owing to the lack of intelligence at DP switches.8,9,12 SDMN has less diversity among the DP switches than prior mobile networks. Thus, attacks on DP switches can propagate quickly.11

In a multicontroller scenario, several controllers are used to update the flow tables in DP switches. However, these controllers might have different security levels. Therefore, attackers will target less secure controllers to jeopardize flow tables in DP switches.12
Attacks on the Communication Channels
SDMN architecture uses two communication channels—control and data. The control channel transports control and signaling data between the DP switches and the controller. The data channel transports customer data between DP switches.
Attacks on the control channel. Current control protocols, such as OpenFlow, rely on higher-layer secure communication mechanisms such as Transport Layer Security (TLS)/SSL-based communication.7,12 However, such control channels aren’t secure enough to provide the required level of robustness and security for the SDMN control channel. They’re vulnerable to classic IP-based attacks, such as IP spoofing and reset attacks, owing to the lack of lower-layer encryption mechanisms.10 Table 5 explains the impact of known TLS/SSL attacks on the SDMN control channel.
The SDMN control channel requires a strong authentication mechanism to prevent unauthorized access to the controller. However, the existing TLS/SSL-based authentication system doesn’t fully meet the security requirements and was found to be vulnerable to multiple attacks.7 Furthermore, the controller is the default target for many DoS attackers. However, today’s SDMN control channels lack proper DoS attack prevention mechanisms.9
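The TLS weaknesses listed in Table 5 (RC4 biases, the CBC-based BEAST and Lucky 13 attacks, CRIME against compression, the POODLE downgrade to SSL 3.0) and the missing strong authentication noted above all correspond to settings of the TLS endpoint. The following added example, written for this page and not taken from the article or from any controller implementation, uses Python's standard ssl module to build a controller-side listener context that removes those exposures (TLS 1.2 or later, AEAD-only cipher suites, compression off, client certificates required so the switches are authenticated too) and an audit function that reports which of the Table 5 classes a given context is still open to. Certificate and key loading is left out so it runs offline; the weak context built for comparison is constructed, not a real deployment.

```python
import ssl


def hardened_controller_context():
    """Server-side context for the controller's OpenFlow listener: TLS 1.2 or
    later, certificates required from the switches as well, AEAD-only cipher
    suites, TLS compression off. Certificate and key files are deliberately not
    loaded so the example runs offline; a deployment adds load_cert_chain() and
    load_verify_locations() with the operator's own PKI."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2     # SSL 3.0 / TLS 1.0 never negotiable (POODLE, BEAST)
    ctx.verify_mode = ssl.CERT_REQUIRED              # mutual authentication: switch must present a certificate
    ctx.options |= ssl.OP_NO_COMPRESSION             # CRIME
    ctx.set_ciphers("ECDHE+AESGCM:ECDHE+CHACHA20")  # no RC4 and no CBC suites (RC4 biases, Lucky 13)
    return ctx


def audit_context(ctx):
    """Return the Table 5 exposure classes a context still has, as short labels.
    An empty list means every check passed."""
    findings = []
    if ctx.verify_mode != ssl.CERT_REQUIRED:
        findings.append("no-mutual-authentication")
    if ctx.minimum_version < ssl.TLSVersion.TLSv1_2:
        findings.append("legacy-protocol-versions-allowed")
    if not ctx.options & ssl.OP_NO_COMPRESSION:
        findings.append("tls-compression-enabled")
    # get_ciphers() describes every enabled suite; 'aead' is False for RC4 and CBC suites.
    non_aead = sorted(c["name"] for c in ctx.get_ciphers() if not c["aead"])
    if non_aead:
        findings.append("non-aead-ciphers:" + ",".join(non_aead))
    return findings


def legacy_context():
    """Constructed weak configuration for comparison: server authentication
    only, one CBC suite still enabled, TLS compression left on."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.options = ctx.options & ~ssl.OP_NO_COMPRESSION
    ctx.set_ciphers("ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES256-GCM-SHA384")
    return ctx


if __name__ == "__main__":
    print("hardened:", audit_context(hardened_controller_context()) or "no findings")
    print("legacy:  ", audit_context(legacy_context()))
```

The audit reads the context's own state rather than a configuration file, so the same function can be pointed at the context a controller actually uses before it starts listening; the TCP SYN and TCP reset rows of Table 5 are not TLS settings and need transport-level protection that this check does not cover.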
Attacks on the data channel. DP traffic is unencrypted in SDMNs. Thus, the data channel is vulnerable to attacks such as eavesdropping, DoS, reset, and man-in-the-middle attacks. During an eavesdropping attack, the attacker can use the SDN scanner mechanism to collect flow information by observing traffic patterns.11 Later, this information can be used to perform DoS and reset attacks. Because today’s SDMN DP doesn’t use integrity protection mechanisms, a man-in-the-middle attacker can alter or destroy data without being noticed by the network operator. This might result in excessive flow entries stored in DP switches or excessive flow requests forwarded to the controller, decreasing the communication sessions’ quality of service.7
NFV-Specific Vulnerabilities
NFV principles propose decoupling network functions from proprietary hardware appliances and running them as software applications in a cloud environment. The implementation of mobile network functions (for instance, MME, HSS, PCRF, AAA) in the cloud introduces vulnerabilities inherent in cloud computing.15

A major security challenge is ensuring trust among new elements such as virtual machines, virtual switches, hypervisors, controllers, and management modules.10 For instance, network functions now have the potential to run on any server anywhere in the world. Therefore, network operators need trust mechanisms to ensure that the code is indeed correct. The introduction of new elements such as hypervisors creates new attack surfaces on mobile networks.15

Usually, mobile network functions are inherently isolated and protected owing to vendor-specific hardware. However, NFV reduces the isolation of network functions by running them in a common cloud platform. This will impose a new security management challenge on mobile networks. Moreover, mobile operators might not have their own hardware resources to run network functions. In a common cloud platform, server errors such as crashes, hangs, and loops might affect the server’s availability to run the operator’s virtualized network function.15

It’s practically impossible to define security zones or perimeters in the way they are managed in current mobile networks.3 Virtual machines that run virtualized network functions are dispersed across racks and datacenters and can migrate to other servers for optimization or maintenance purposes. Therefore, the physical perimeters of network functions become blurred and fluid.
Moreover, dierent vendors might provide cloud
hardware, cloud resource control solutions, hyper-
visors, and virtualized network functions, increasing
Table 5. Known attacks on an OpenFlow control channel.
Attack type Trigger and description Impact on SDMN control channel
TCP SYN DDoS A set of attackers sends a succession of TCP SYN
requests to end nodes to consume enough server
resources to make the end nodes unresponsive to
legitimate trac.
Controller or OpenFlow switches
unresponsive to legitimate trac
TCP reset An attacker sends a sequence of TCP reset requests to
end nodes to prematurely reset the communication
session.
Unexpected termination and service quality
reduction of control channel communication
RC4 biases in Transport Layer
Security (TLS)
An attacker can recover the full plaintext when it’s
encrypted repeatedly in the same or several dierent
sessions.
Extraction of information to perform future
attacks and reveal the identity of backhaul
devices
Browser exploit against TLS/SSL An attacker mounts an adaptive chosen plaintext attack
with predictable initialization vectors using cipher block
chaining.
Extraction of information to perform future
attacks and reveal the identity of backhaul
devices
Compression Ratio Infoleak Made
Easy
An attacker discovers session tokens and other secret
information to perform session hijacking on an
authenticated communication session.
Exhausting controller resources by adding
or modifying fake flow requests, including
fake flow rules to exhaust ternary content-
addressable memory of OpenFlow switches,
and jeopardizing the data plane by
destroying the in-flight flow rules
LUCKY 13 An attacker performs a man-in-the-middle attack
to recover plaintext from a cipher block chaining–
encrypted TLS session.
Extracting information to perform future
attacks and reveal the identity of backhaul
devices
POODLE An attacker forces users to change TLS sessions to SSL
3.0 sessions and uses a design flaw in SSL 3.0 that allows
the padding data at the end of a block cipher to be
changed so that the encryption cipher becomes less
secure each time it’s passed.
Disrupting the communication between the
controller and data plane switches
q
q
M
M
q
q
M
M
q
M
THEWORLD’S NEWSSTAND
®
Previous Page |Contents |Zoom in |Zoom out |Front Cover |Search Issue |Next Page
IEEE
PRIVACY
&
SECURITY
q
q
M
M
q
q
M
M
q
M
THEWORLD’S NEWSSTAND
®
Previous Page |Contents |Zoom in |Zoom out |Front Cover |Search Issue |Next Page
IEEE
PRIVACY
&
SECURITY
44 IEEE Securi ty & Privacy July/August 2016
SECURITY SMORGASBORD
the risk of security threats due to mismatched security
policies, assumptions, and expectations.3
Adopting SDMN concepts brings both security advantages and disadvantages. Addressing these security challenges is required before utilizing SDMN in future telecommunications networks. Imminent research directions include using SDMN attributes to not only solve known security issues in legacy telecommunications networks but also design secure mechanisms for future mobile networks. It’s also critical to identify tools that can be used to overcome SDMN-specific security challenges.
References
1. M. Liyanage, A. Gurtov, and M. Ylianttila, Software Defined Mobile Networks (SDMN): Beyond LTE Network Architecture, John Wiley & Sons, 2015.
2. C. Kolias et al., OpenFlow-Enabled Mobile and Wireless Networks, white paper, Open Networking Foundation, 30 Sept. 2013.
3. H. Hawilo et al., “NFV: State of the Art, Challenges and Implementation in Next Generation Mobile Networks (vEPC),” IEEE Network, vol. 28, no. 6, 2014, pp. 18–26.
4. J. Costa-Requena et al., “SDN and NFV Integration in Generalized Mobile Network Architecture,” European Conf. Networks and Communications (EuCNC 15), 2015, pp. 1–6.
5. J. Cao et al., “A Survey on Security Aspects for LTE and LTE-A Networks,” IEEE Communications Surveys & Tutorials, vol. 16, no. 1, 2014, pp. 283–302.
6. A.N. Bikos and N. Sklavos, “LTE/SAE Security Issues on 4G Wireless Networks,” IEEE Security & Privacy, vol. 11, no. 2, 2013, pp. 55–62.
7. M. Liyanage, M. Ylianttila, and A. Gurtov, “Securing the Control Channel of Software-Defined Mobile Networks,” World of Wireless, Mobile and Multimedia Networks (WoWMoM 14), 2014, pp. 1–6.
8. A.Y. Ding et al., “Software Defined Networking for Security Enhancement in Wireless Mobile Networks,” Computer Networks, vol. 66, 2014, pp. 94–101.
9. M. Liyanage et al., “Security for Future Software Defined Mobile Networks,” 9th Int’l Conf. Next Generation Mobile Applications Services and Technologies (NGMAST 15), 2015, pp. 1–9.
10. M. McBride et al., SDN Security Considerations in the Data Center, white paper, Open Networking Foundation, 8 Oct. 2013.
11. S. Shin and G. Gu, “Attacking Software-Defined Networks: A First Feasibility Study,” Proc. 2nd ACM SIGCOMM Workshop on Hot Topics in Software Defined Networking (HotSDN 13), 2013, pp. 165–166.
12. S. Scott-Hayward, G. O’Callaghan, and S. Sezer, “SDN Security: A Survey,” IEEE SDN for Future Networks and Services (SDN4FNS 13), 2013, pp. 1–7.
13. Z. Durumeric et al., “The Matter of Heartbleed,” ACM Internet Measurement Conf. (IMC 14), 2014, pp. 475–488.
14. E. Al-Shaer and S. Al-Haj, “FlowChecker: Configuration Analysis and Verification of Federated OpenFlow Infrastructure,” 3rd ACM Workshop Assurable and Usable Security Configuration (SafeConfig 10), 2010, pp. 37–44.
15. M. Tsugawa, A. Matsunaga, and J.A. Fortes, “Cloud Computing Security: What Changes with Software-Defined Networking?,” Secure Cloud Computing, Springer, 2014, pp. 77–93.
Madhusanka Liyanage is a project manager at the Centre for Wireless Communications, University of Oulu. His research interests include software-defined network (SDN), mobile network, and virtual network security. Liyanage received an MEng in telecommunications engineering from the Asian Institute of Technology, Thailand. Contact him at madhusanka@ee.oulu.fi.

Ahmed Bux Abro is a solutions architect at VMware and a technologist, strategist, and contributor for multiple technology fronts. His research interests include SDN, cloud, and 5G security. Abro received an MS in computer science from the University of Sindh. Contact him at aabro@vmware.com.

Mika Ylianttila is a professor at the Centre for Wireless Communications, University of Oulu. His research interests include networking, decentralized (peer-to-peer) systems, mobility management, and content distribution. Ylianttila received a Dr. Tech in telecommunications from University of Oulu. Contact him at mika.ylianttila@oulu.fi.

Andrei Gurtov is an associate professor at Linköping University and an adjunct professor at Aalto University, University of Helsinki, and University of Oulu. He also works in ITMO University’s SCA Research Lab. His research interests include Internet protocols, peer-to-peer communication, industrial Internet, and wireless and sensor network security. Gurtov received a PhD in computer science from the University of Helsinki. Contact him at gurtov@acm.org.
Selected CS articles and columns are also available for ee
at hp://ComputingNow.computer.org.
q
q
M
M
q
q
M
M
q
M
THEWORLD’S NEWSSTAND
®
Previous Page |Contents |Zoom in |Zoom out |Front Cover |Search Issue |Next Page
IEEE
PRIVACY
&
SECURITY
q
q
M
M
q
q
M
M
q
M
THEWORLD’S NEWSSTAND
®
Previous Page |Contents |Zoom in |Zoom out |Front Cover |Search Issue |Next Page
IEEE
PRIVACY
&
SECURITY
______
_________
_____________
______________
__________
... These attacks have morphed into Software Defined Networks (SDN), Network Function Virtualization (NFV) and cloud computing in the 5G. Insecure SDN features include OpenFlow, centralized network administration (prone to DoS attacks), core and backhaul, edge device vulnerabilities, and open APIs [6], [7]. Research communities are starting to focus on security vulnerabilities in B5G communication using advanced networking, AI/ML, and linked intelligence technologies that power the B5G vision. ...
... Studies including [13], [21]- [26], elaborate on the importance of AI and its trends in B5G, and the challenges it brings to future communication technologies. Previous surveys such as [6], [27]- [31] highlight the dynamics of security aspects in a range of B5G enabling technologies such as IoT, RAN and edge computing, while [8], [29], [32], [33] focus entirely on the security threats and potential defenses that would improve the trust in AI/ML methods used in B5G. ...
Preprint
Full-text available
With the advent of 5G commercialization, the need for more reliable, faster, and intelligent telecommunication systems are envisaged for the next generation beyond 5G (B5G) radio access technologies. Artificial Intelligence (AI) and Machine Learning (ML) are not just immensely popular in the service layer applications but also have been proposed as essential enablers in many aspects of B5G networks, from IoT devices and edge computing to cloud-based infrastructures. However, most of the existing surveys in B5G security focus on the performance of AI/ML models and their accuracy, but they often overlook the accountability and trustworthiness of the models' decisions. Explainable AI (XAI) methods are promising techniques that would allow system developers to identify the internal workings of AI/ML black-box models. The goal of using XAI in the security domain of B5G is to allow the decision-making processes of the security of systems to be transparent and comprehensible to stakeholders making the systems accountable for automated actions. In every facet of the forthcoming B5G era, including B5G technologies such as RAN, zero-touch network management, E2E slicing, this survey emphasizes the role of XAI in them and the use cases that the general users would ultimately enjoy. Furthermore, we presented the lessons learned from recent efforts and future research directions on top of the currently conducted projects involving XAI.
... e question of how to increase network throughput, decrease network delay, and implement flexible scheduling to solve the traffic optimization problem of the data center network has become urgent due to the increase in traffic volume, the number of application deployments, and the increased requirements for service quality. OpenFlow, an SDN technology that has recently emerged, has created a new opportunity to address this issue [6]. A new network architecture called SDN divides network control and forwarding tasks. ...
Article
Full-text available
This paper constructs a SDN network traffic prediction model based on speech recognition and applies it to the educational information optimization platform. By analyzing the influencing factors of SDN network equipment, communication links, and network traffic, this paper constructs the initial index set of SDN network traffic situation. In the data plane of SDN, the queue management algorithm is used to control the flow. On this basis, an IRS mechanism is proposed based on the advantages of SDN centralized control and the difference of transmission performance requirements between large and small streams. For the transmission of large traffic, IRS adopts greedy routing and multipath routing based on the remaining bandwidth to make the traffic evenly distributed in the network, and IRS adds the scheduling strategy based on IP addressing to avoid packet disorder. Simulation results show that the effectiveness of this algorithm can reach 95.67% at the highest, and the MSE convergence is 0.0021 at the lowest. At the same time, this method completes the quantitative evaluation of SDN network traffic situation, effectively solves the problem that SDN traffic situation labels cannot be determined, and opens a new vision of global state observation for SDN network management. This research can provide some technical support for the educational information optimization platform.
... Security concerns linked to 5G communication issuesBotnetA botnet is a form of malware capable of exploiting a series of computers connected to the internet.Denial-of-service Attack DDoS attacks can be carried out using a botnet to monitor many infected UEs in the type of Signals Propagation and HSS overload.TLS/SSL Attacks Attack assaults are vulnerable to SDN-based TLS or SSL contact.Overview of 5G & Beyond SecurityOne of the most important 5G traffic speeds is URLLC (Ultra-Reliable Low Latency Communication)[87]. ...
Article
Full-text available
Network security is a crucial concern when it comes to computation, concerns like threats can have high consequences, and critical information will be shared with unauthorized persons. This paper presents a detailed survey on Fifth Generation (5G) and security aspect. This is more predictable since the core technology; the synonymous approach is possible with Fifth Generation (5G) and Beyond Technologies though with limited access. Many incidents have shown that the possibility of a hacked wireless network, not just impacts privacy and security worries, but also hinders the diverse dynamics of the ecosystem. Security attacks have grown in frequency and severity throughout the near past, making detection mechanisms harder.
... The security protocol in the application layer, such as Secure Sockets Layer (SSL) or Transport Layer Security (TLS), is used to secure the communication channel in the SDN-based 5G core network. The network has known TCP/IP security threats such as TCP sequence number attack, TCP session hijacking, SYN flooding, IP spoofing, eavesdropping attacks, TCP reset attacks [51]. Consequently, the use of an IP security mechanism that combines with a multilayer security mechanism is necessary. ...
Article
Full-text available
In recent years, 5G networks and services become progressively popular among telecommunication providers. Simultaneously, the growth in the usage and deployment of smartphone platforms and mobile applications have been seen as phenomenal. Therefore, this paper discusses the current state of the art of 5G technology in the merger of unconditional security requirements referred to as Quantum Cryptography. The various domain of Quantum Cryptography is illustrated including the protocols available, their functionality and previous implementation in real networks. This paper further identifies research gaps covering critical aspects of how Quantum Cryptography can be realized and effectively utilized in 5G networks. These include improving the current technique in Quantum Cryptography through efficient key distribution and message sharing between users in 5G networks.
Chapter
Sixth‐generation (6G) is envisaged to rely on the advancements of Artificial Intelligence and data analytics to provide personalized and fully automated seamless communication services. However, this may lead to several security and privacy issues and concerns. This chapter discusses the security threat landscape of future 6G networks. In the fifth‐generation (5G) architecture, security and privacy threats are caused at access, backhaul, and core networks. Cyberware and critical infrastructure threats, network functions virtualization and software‐defined networking‐related threats, and cloud computing‐related threats are the most common security issues in 5G. The chapter discusses the security considerations, 6G security vision, and the potential security Key Performance Indicators. It describes the security landscape for the envisioned 6G architecture which is classified into four key areas such as functional architecture, edge intelligence and cloudification, specialized subnetworks, and network management and orchestration.
Article
Full-text available
Today’s advancements in wireless communication technologies have resulted in a tremendous volume of data being generated. Most of our information is part of a widespread network that connects various devices across the globe. The capabilities of electronic devices are also increasing day by day, which leads to more generation and sharing of information. Similarly, as mobile network topologies become more diverse and complicated, the incidence of security breaches has increased. It has hampered the uptake of smart mobile apps and services, which has been accentuated by the large variety of platforms that provide data, storage, computation, and application services to end-users. It becomes necessary in such scenarios to protect data and check its use and misuse. According to the research, an artificial intelligence-based security model should assure the secrecy, integrity, and authenticity of the system, its equipment, and the protocols that control the network, independent of its generation, in order to deal with such a complicated network. The open difficulties that mobile networks still face, such as unauthorised network scanning, fraud links, and so on, have been thoroughly examined. Numerous ML and DL techniques that can be utilised to create a secure environment, as well as various cyber security threats, are discussed. We address the necessity to develop new approaches to provide high security of electronic data in mobile networks because the possibilities for increasing mobile network security are inexhaustible.
Book
Full-text available
This book describes the concept of a Software Defined Mobile Network (SDMN), which will impact the network architecture of current LTE (3GPP) networks. SDN will also open up new opportunities for traffic, resource and mobility management, as well as impose new challenges on network security. Therefore, the book addresses the main affected areas such as traffic, resource and mobility management, virtualized traffics transportation, network management, network security and techno economic concepts. Moreover, a complete introduction to SDN and SDMN concepts. Furthermore, the reader will be introduced to cutting-edge knowledge in areas such as network virtualization, as well as SDN concepts relevant to next generation mobile networks. Finally, by the end of the book the reader will be familiar with the feasibility and opportunities of SDMN concepts, and will be able to evaluate the limits of performance and scalability of these new technologies while applying them to mobile broadb and networks.
Article
Full-text available
The main drivers for the mobile core network evolution is to serve the future challenges and set the way to 5G networks with need for high capacity and low latency. Different technologies such as Network Functions Virtualization (NFV) and Software Defined Networking (SDN) are being considered to address the future needs of 5G networks. However, future applications such as Internet of Things (IoT), video services and others still unveiled will have different requirements, which emphasize the need for the dynamic scalability of the network functionality. The means for efficient network resource operability seems to be even more important than the future network element costs. This paper provides the analysis of different technologies such as SDN and NFV that offer different architectural options to address the needs of 5G networks. The options under consideration in this paper may differ mainly in the extent of what SDN principles are applied to mobile specific functions or to transport network functions only.
Conference Paper
Full-text available
The Heartbleed vulnerability took the Internet by surprise in April 2014. The vulnerability, one of the most consequential since the advent of the commercial Internet, allowed attackers to remotely read protected memory from an estimated 24--55% of popular HTTPS sites. In this work, we perform a comprehensive, measurement-based analysis of the vulnerability's impact, including (1) tracking the vulnerable population, (2) monitoring patching behavior over time, (3) assessing the impact on the HTTPS certificate ecosystem, and (4) exposing real attacks that attempted to exploit the bug. Furthermore, we conduct a large-scale vulnerability notification experiment involving 150,000 hosts and observe a nearly 50% increase in patching by notified hosts. Drawing upon these analyses, we discuss what went well and what went poorly, in an effort to understand how the technical community can respond more effectively to such events in the future.
Conference Paper
Full-text available
5G constitutes the next revolution in mobile communications. It is expected to deliver ultra-fast, ultra-reliable network access supporting a massive increase of data traffic and connected nodes. Different technologies are emerging to address the requirements of future mobile networks, such as Software Defined Networking (SDN), Network Function Virtualization (NFV) and cloud computing concepts. In this paper, we introduce the security challenges these new technologies are facing, inherent to the new telecommunication paradigm. We also present a multitier approach to secure Software Defined Mobile Network (SDMN) by tackling security at different levels to protect the network itself and its users. First, we secure the communication channels between network elements by leveraging Host Identity Protocol (HIP) and IPSec tunnelling. Then, we restrict the unwanted access to the mobile backhaul network with policy based communications. It also protects the backhaul devices from source address spoofing and Denial of Service (DoS) attacks. Finally, we leverage Software Defined Monitoring (SDM) and data collection to detect, prevent and react to security threats.
Conference Paper
Full-text available
The main drivers for the mobile core network evolution is to serve the future challenges and set the way to 5G networks with need for high capacity and low latency. Different technologies such as Network Functions Virtualization (NFV) and Software Defined Networking (SDN) are being considered to address the future needs of 5G networks. However, future applications such as Internet of Things (IoT), video services and others still unveiled will have different requirements, which emphasize the need for the dynamic scalability of the network functionality. The means for efficient network resource operability seems to be even more important than the future network element costs. This paper provides the analysis of different technologies such as SDN and NFV that offer different architectural options to address the needs of 5G networks. The options under consideration in this paper may differ mainly in the extent of what SDN principles are applied to mobile specific functions or to transport network functions only.
Book
This book describes the concept of a Software Defined Mobile Network (SDMN), which will impact the network architecture of current LTE (3GPP) networks. SDN will also open up new opportunities for traffic, resource and mobility management, as well as impose new challenges on network security. Therefore, the book addresses the main affected areas such as traffic, resource and mobility management, virtualized traffic transportation, network management, network security and techno-economic concepts. Moreover, it provides a complete introduction to SDN and SDMN concepts. Furthermore, the reader will be introduced to cutting-edge knowledge in areas such as network virtualization, as well as SDN concepts relevant to next generation mobile networks. Finally, by the end of the book the reader will be familiar with the feasibility and opportunities of SDMN concepts, and will be able to evaluate the limits of performance and scalability of these new technologies while applying them to mobile broadband networks.
Article
As mobile network users look forward to the connectivity speeds of 5G networks, service providers are facing challenges in complying with connectivity demands without substantial financial investments. Network Function Virtualization (NFV) is introduced as a new methodology that offers a way out of this bottleneck. NFV is poised to change the core structure of telecommunications infrastructure to be more cost-efficient. In this paper, we introduce a Network Function Virtualization framework, and discuss the challenges and requirements of its use in mobile networks. In particular, an NFV framework in the virtual environment is proposed. Moreover, in order to reduce signaling traffic and achieve better performance, this paper proposes a criterion to bundle multiple functions of virtualized evolved packet-core in a single physical device or a group of adjacent devices. The analysis shows that the proposed grouping can reduce the network control traffic by 70 percent.
Chapter
Broadly construed, Software-Defined Networking (SDN) refers to the use of a standards-based open architecture and its supporting open source and open interfaces technologies to enable the deployment, management, and operation of networks. While traditional network management relies on vendor-specific hardware, protocols, and software, SDN systems are architected to have well-defined control and data planes offering flexible management interfaces. The enhanced control enabled by SDN opens opportunities for better cloud security engineering. At the same time, new vulnerabilities are potentially exposed as new technologies are introduced. This chapter discusses how SDN impacts cloud security, and potential risks that need to be addressed when SDN is deployed within and across clouds.
Article
In recent years we have seen a fast change in the networking industry, led by the Software Defined Networking (SDN) paradigm that separates the control plane from the data plane to enable programmability and centralized control of the network infrastructure. The SDN design not only simplifies network management but also accelerates the speed of innovation in deploying advanced network applications. Meanwhile, the landscape of the wireless and mobile industry is changing dramatically as well. Given the advance of wireless technologies such as 4G and WiFi offering pervasive Internet access, the traffic growth from smartphone-like devices has placed an increasing strain on the mobile network infrastructure and eroded profits. Since demand is increasing together with the growth of mobile users, the incumbent legacy infrastructure is already calling for an upgrade to overcome its existing limitations in terms of network management and security. In this paper, we advocate that the way forward is to integrate SDN and fully utilize its features to solve the problem. As the security issue has raised serious concern in the networking community recently, we focus on the security aspect and investigate how to enhance security with SDN for wireless mobile networks.