
5G Core PFCP Intrusion Detection Dataset

Abstract

The rapid evolution of 5G environments introduces several benefits, such as faster data transfer speeds, lower latency and energy efficiency. However, it also brings critical cybersecurity issues, such as a more complex and larger attack surface, privacy concerns and the security of the 5G core network functions. It is therefore evident that intrusion detection mechanisms empowered with Artificial Intelligence (AI) models play a crucial role. In this paper, we introduce a labelled security dataset called the 5GC PFCP Intrusion Detection Dataset. This dataset includes a set of network flow statistics that can be used by AI detection models to recognise cyberattacks against the Packet Forwarding Control Protocol (PFCP). PFCP is used for the N4 interface between the Session Management Function (SMF) and the User Plane Function (UPF) in the 5G core. In particular, four PFCP attacks are investigated in this paper, including the relevant network traffic data in terms of pcap files and the Transmission Control Protocol (TCP)/Internet Protocol (IP) and application-layer statistics. This dataset is already publicly available in IEEE Dataport and Zenodo.
George Amponis†‡, Panagiotis Radoglou-Grammatikis†§, George Nakas, Sotirios Goudos, Vasileios Argyriou, Thomas Lagkas and Panagiotis Sarigiannidis§
Index Terms—5G, Artificial Intelligence, Cybersecurity, Intrusion Detection, PFCP
I. INTRODUCTION
In today’s communication landscape, there is a growing demand for secure and reliable connections with high-speed, high-throughput capabilities between the User Equipment (UE) and the Data Network (DN). The 5G core architecture, which follows the 3rd Generation Partnership Project (3GPP) network specifications, offers faster connectivity, lower latency, higher bit rates, and improved network reliability. This technology is crucial to support critical applications such as the Internet of Things (IoT) and industrial use cases targeting pivotal infrastructures [1], [2]. However, several components and interfaces of the Next-Generation Radio Access Network (NG-RAN) and the 5G core itself are vulnerable to attacks, which can potentially disrupt end-to-end communication services.

This project has received funding from the European Union’s Horizon 2020 research and innovation programme under grant agreement 952672 (SANCUS).
G. Amponis, P. Radoglou-Grammatikis and G. Nakas are with K3Y Ltd. Sofia 1612, Bulgaria - E-Mail: {gamponis, pradoglou, gnakas}@k3y.bg
G. Amponis and T. Lagkas are with the Department of Computer Science, International Hellenic University, Kavala Campus, 65404, Greece - E-Mail: {geaboni, tlagkas}@cs.ihu.gr
§P. Radoglou Grammatikis and P. Sarigiannidis are with the Department of Electrical and Computer Engineering, University of Western Macedonia, Kozani 50100, Greece - E-Mail: {pradoglou, psarigiannidis}@uowm.gr
Sotirios Goudos is with the Department of Physics, Aristotle University of Thessaloniki, Thessaloniki, 54124, Greece - E-Mail: {sgoudo}@physics.auth.gr
V. Argyriou is with the Department of Networks and Digital Media, Kingston University London, Penrhyn Road, Kingston upon Thames, Surrey KT1 2EE, UK - E-Mail: vasileios.argyriou@kingston.ac.uk

While a particular emphasis has been given to the security
of NG-RAN, there are not many studies investigating the
security issues of the 5G core. In this paper, we focus on
the security issues of the Packet Forwarding Control Protocol
(PFCP), which is utilised in the N4 interface between
the Session Management Function (SMF) and the User Plane
Function (UPF) in the 5G core. In particular, based on the
PFCP attacks investigated in our previous work in [3], in
this paper, we introduce a labelled intrusion detection dataset,
called 5GC PFCP Intrusion Detection Dataset, which was
generated in the context of the H2020 SANCUS project,
a collaborative research initiative funded by the European
Union (EU) to enhance the security of 5G networks. This
security dataset can fully support the development of Artificial
Intelligence (AI)-powered Intrusion Detection and Prevention
Systems (IDPS) against these attacks.
The proposed dataset is available in IEEE Dataport and
Zenodo and can support the development of IDPS that adopt
Machine Learning (ML) and Deep Learning (DL) methods.
We construct this dataset by following the methodological
framework of A. Gharib et al. [4]. Therefore, our dataset is
characterised by eleven main attributes: (a) Complete Network
Configuration, (b) Complete Traffic, (c) Labelled Dataset, (d)
Complete Interaction, (e) Complete Capture, (f) Available
Protocols, (g) Attack Diversity, (h) Heterogeneity, (i) Feature
Set and (j) Metadata. Therefore, the contributions of this paper
are summarised as follows:
• 5G Core Testbed and PFCP Attacks: A virtualised 5G environment was implemented in order to investigate PFCP attacks against the 5G core. Four PFCP-related attacks are examined, targeting the communication between SMF and UPF.
• 5GC PFCP Intrusion Detection Dataset: Based on the previous PFCP attacks, a new labelled security dataset is implemented and shared publicly in order to support the development of AI solutions for intrusion detection. This dataset is available in IEEE Dataport¹ and Zenodo².
Based on the previous remarks, the rest of this paper is organised as follows. Section II discusses the 5G testbed and the relevant attacks used to compose the 5GC PFCP Intrusion Detection Dataset. Section III provides the structure of the dataset. Section IV summarises the features and the balanced files that can be utilised by ML and DL methods. Finally, Section V gives the concluding remarks of the paper.

¹ https://ieee-dataport.org/documents/5gc-pfcp-intrusion-detection-dataset-0
² https://zenodo.org/record/7888347#.ZFejbNJBxhE

This is a preprint version of the paper entitled "5G Core PFCP Intrusion Detection Dataset". The paper was presented in the context of 2023 12th International Conference on Modern Circuits and Systems Technologies (MOCAST). The original paper is available in IEEE Xplore: https://ieeexplore.ieee.org/document/10176693
Citation: G. Amponis, P. Radoglou-Grammatikis, G. Nakas, S. Goudos, V. Argyriou, T. Lagkas, and P. Sarigiannidis, "5G core PFCP Intrusion Detection Dataset", 2023 12th International Conference on Modern Circuits and Systems Technologies (MOCAST), Athens, Greece, 2023, pp. 1-4, doi: 10.1109/MOCAST57943.2023.10176693.

II. 5G TESTBED AND PFCP ATTACKS
As depicted in Fig. 1, an experimental 5G testbed was used to develop the 5GC PFCP Intrusion Detection Dataset, including the following 5G network functions: Network Slice Selection Function (NSSF), the Network Exposure Function (NEF), the Network Repository Function (NRF), the Policy Control Function (PCF), the User Data Management (UDM), the Access and Mobility Management Function (AF), the Authentication Server Function (AUSF), the Access Management Function (AMF), SMF and UPF. Moreover, a virtualised UE, a virtualised gNodeB (gNb) and an attacker instance impersonating a maliciously instantiated SMF were used to generate the dataset. This testbed was implemented, utilising Open5GS as the cellular core [5], and UERANSIM as NG-RAN. Thus, the following PFCP attacks were emulated in a coordinated manner in order to construct the dataset.
PFCP Session Establishment DoS Attack: The aim of this
attack is to exhaust the resources of the UPF by inundating
it with genuine Session Establishment Requests and Heartbeat
Requests. This could potentially hinder the 5G core’s ability to
create new Protocol Data Unit (PDU) sessions between clients
and DN. The attack is executed on the N4 interface and could
affect the intermediate interfaces as well. To evade detection,
a unique Session ID (SEID) is generated for every session
establishment request.
PFCP Session Deletion DoS Attack: The goal of this attack
is to disconnect a specific UE from the DN. The script focuses
on PDU sessions between clients and DN in such a way that
only the DN is disconnected, while the UE remains connected
to the NG-RAN or the Core network. The attack is executed
on the N4 interface, and its impact is noticeable on the N6
interface. The only way to restore the connection of an affected
UE is to re-initiate the session, either by restarting the session
or entering the coverage area of another gNb. In such cases,
a new SEID is assigned to the UE’s PDU session, rendering
the attack ineffective.
PFCP Session Modification Flood attack (DROP Apply
Action Field Flags): The objective of this attack is to invalidate
packet handling rules for a specific session, leading
to the disassociation of a targeted UE from the DN. When
successful, the Forwarding Action Rule (FAR) rules that
contain the base station’s Tunnel Endpoint Identifier (TEID)
and IP address are removed from the UPF. This action cuts off
the General Packet Radio Service (GPRS) Tunneling Protocol
(GTP) tunnel for the subscriber’s downlink data, depriving
them of internet connectivity. However, the GPRS Tunneling
Protocol - User Plane (GTP-U) tunnel can be restored by
transmitting the necessary data to the UPF. Similar to other
PFCP-based attacks, this script focuses on the PDU sessions
between the clients and the DN in such a way that only the
DN is disconnected, and the UE remains connected to the 5G
RAN or the Core network. The attack is executed on the N4
interface and may affect the N6 interface.
PFCP Session Modification Flood attack (DUPL Apply
Action Field Flag): The aim of this attack is to utilise the
DUPL flag in the Apply Action field to compel the UPF
to replicate rules for the session, generating multiple paths
for the same data from a single source. This can result in
undefined behaviour in the N6 interface and/or cause traffic
to be duplicated during transmission to the DN. Additionally,
this attack may be part of a larger scheme to carry out a
Distributed Denial of Service (DDoS) attack against hosts
within the DN, while also overwhelming the UPF’s resources
to forward outgoing packets to external hosts outside the 5G
core. By amplifying the number of transmitted packets per
active user, a malicious entity can create an almost passive
attack vector that can be effortlessly scaled to impact the traffic
of numerous subscribers, exponentially draining the packet
handling resources of the UPF.
The attacks were performed in the following order: First, on
Wednesday, October 5, 2022, the PFCP Session Establishment
DoS Attack was performed for four hours. Continuing, on
Thursday, October 13, 2022, the PFCP Session Deletion DoS
Attack was performed for four hours. Then, on Tuesday,
November 01, 2022, the PFCP Session Modification DoS
Attack with the DROP flag was performed for four hours.
Finally, on Tuesday, November 22, 2022, the PFCP Session
Modification DoS Attack with a DUPL flag in the Apply
Action Field Flag was performed for four hours.
III. DATASET STRUCTURE
The previous PFCP attacks were carried out using security tools, such as scapy, pcap-splitter, editcap and CICFlowMeter. Each attack is provided by a 7z/zip file that contains the network traffic and flow statistics for each entity involved. Specifically, each 7z/zip file includes (a) pcap files for each entity, (b) Transmission Control Protocol (TCP)/Internet Protocol (IP) network flow statistics in a Comma-Separated Values (CSV) format, and (c) PFCP flow statistics for each entity, utilising different timeout values (such as 15, 20, 60, 120, and 240 seconds). The TCP/IP network flow statistics were generated using CICFlowMeter, while the PFCP flow statistics were produced using a Custom PFCP Flow Generator.
Based on the aforementioned remarks, the dataset consists of the following 7z/zip files:
• Balanced_PFCP_APP_Layer.7z/zip: It includes the balanced CSV files from CICFlowMeter that may be used to train ML and DL algorithms. Each folder includes a different subfolder for the corresponding flow timeout values used by the Custom PFCP Flow Generator.
• Balanced_TCP-IP_Layer.7z/zip: It includes the balanced CSV files from the Custom PFCP Flow Generator that may be used to train ML and DL algorithms. Each folder includes a different sub-folder for the corresponding flow timeout values used by CICFlowMeter.
• PFCP Session Deletion DoS Attack.7z/zip: It includes the pcap files and CSV files related to the PFCP Session Deletion Denial of Service (DoS) Attack.
• PFCP Session Establishment DoS Attack.7z/zip: It includes the pcap files and CSV files related to the PFCP Session Establishment Flood DoS Attack.
• PFCP Session Modification DoS Attack.7z/zip: It includes the pcap files and CSV files related to the PFCP Session Modification DoS Attack.

[Figure 1. 5G Testbed used to generate 5GC PFCP Intrusion Detection Dataset. The diagram shows the RAN, the 5G Core network functions (NSSF, NEF, NRF, PCF, UDM, AF, AUSF, AMF, SMF, UPF), the DN and the PDU session, with the reference points N1: UE - AMF, N2: gNB - AMF, N3: gNB - UPF, N4: SMF - UPF, N5: PCF - AF, N6: UPF - DN, N7: SMF - PCF, N8: AMF - UDM, N9: UPF - UPF, N10: SMF - UDM, N11: AMF - SMF, N12: AUSF - AMF, N13: AUSF - UDM, N14: AMF - AMF, N15: AMF - PCF, N22: AMF - NSSF.]

IV. FEATURES AND BALANCED FILES

Table I
APPLICATION LAYER PFCP FLOW STATISTICS FEATURES
Feature | Description
flow ID | Flow identifier
source IP | Source IP address
destination IP | Destination IP address
source port | Source port number
destination port | Destination port number
protocol | Network layer protocol
duration | Length of time flow was active
fwd packets | Number of forward packets
bwd packets | Number of backward packets
PFCPHeartbeatRequest counter | Number of PFCP Heartbeat Request messages
PFCPHeartbeatResponse counter | Number of PFCP Heartbeat Response messages
PFCPPFDManagementRequest counter | Number of PFCP PFD Management Request messages
PFCPPFDManagementResponse counter | Number of PFCP PFD Management Response messages
PFCPAssociationSetupRequest counter | Number of PFCP Association Setup Request messages
PFCPAssociationSetupResponse counter | Number of PFCP Association Setup Response messages
PFCPAssociationUpdateRequest counter | Number of PFCP Association Update Request messages
PFCPAssociationUpdateResponse counter | Number of PFCP Association Update Response messages
PFCPAssociationReleaseRequest counter | Number of PFCP Association Release Request messages
PFCPAssociationReleaseResponse counter | Number of PFCP Association Release Response messages
PFCPVersionNotSupportedResponse counter | Number of PFCP Version Not Supported Response messages
PFCPNodeReportRequest counter | Number of PFCP Node Report Request messages
PFCPNodeReportResponse counter | Number of PFCP Node Report Response messages
PFCPSessionSetDeletionRequest counter | Number of PFCP Session Set Deletion Request messages
PFCPSessionSetDeletionResponse counter | Number of PFCP Session Set Deletion Response messages
PFCPSessionEstablishmentRequest counter | Number of PFCP Session Establishment Request messages
PFCPSessionEstablishmentResponse counter | Number of PFCP Session Establishment Response messages
PFCPSessionModificationRequest counter | Number of PFCP Session Modification Request messages
PFCPSessionModificationResponse counter | Number of PFCP Session Modification Response messages
PFCPSessionDeletionRequest counter | Number of PFCP Session Deletion Request messages
PFCPSessionDeletionResponse counter | Number of PFCP Session Deletion Response messages
PFCPSessionReportRequest counter | Number of PFCP Session Report Request messages
PFCPSessionReportResponse counter | Number of PFCP Session Report Response messages
Downlink counter | Number of downlink packets
Uplink counter | Number of uplink packets
Bidirectional traffic counter | Number of bidirectional traffic packets
Label | Flow label (e.g. benign or malicious)
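
How the per-flow PFCP message counters of Table I can be derived from captured N4 traffic, as an added example that is not the paper's Custom PFCP Flow Generator: it parses the PFCP header, groups packets into bidirectional flows and closes a flow once the flow timeout has elapsed since its first packet. The output column names, the timeout rule, the helper names and the sample packets are assumptions constructed for illustration; the message type codes are those of 3GPP TS 29.244, and the Downlink, Uplink and Bidirectional traffic counters are not computed.

```python
import struct
from collections import Counter

# PFCP message type codes (3GPP TS 29.244) mapped to the Table I counter names.
MSG_TYPES = {
    1: "PFCPHeartbeatRequest", 2: "PFCPHeartbeatResponse",
    3: "PFCPPFDManagementRequest", 4: "PFCPPFDManagementResponse",
    5: "PFCPAssociationSetupRequest", 6: "PFCPAssociationSetupResponse",
    7: "PFCPAssociationUpdateRequest", 8: "PFCPAssociationUpdateResponse",
    9: "PFCPAssociationReleaseRequest", 10: "PFCPAssociationReleaseResponse",
    11: "PFCPVersionNotSupportedResponse",
    12: "PFCPNodeReportRequest", 13: "PFCPNodeReportResponse",
    14: "PFCPSessionSetDeletionRequest", 15: "PFCPSessionSetDeletionResponse",
    50: "PFCPSessionEstablishmentRequest", 51: "PFCPSessionEstablishmentResponse",
    52: "PFCPSessionModificationRequest", 53: "PFCPSessionModificationResponse",
    54: "PFCPSessionDeletionRequest", 55: "PFCPSessionDeletionResponse",
    56: "PFCPSessionReportRequest", 57: "PFCPSessionReportResponse",
}


def parse_pfcp_header(payload):
    """Return message type, SEID (or None) and sequence number of a UDP payload."""
    if len(payload) < 8:
        raise ValueError("truncated PFCP header")
    flags, msg_type, length = struct.unpack_from("!BBH", payload)
    if flags >> 5 != 1:
        raise ValueError("unsupported PFCP version")
    has_seid = bool(flags & 0x01)  # S flag: an 8-byte SEID follows the length
    # The length field counts everything after the first four octets.
    if length < (12 if has_seid else 4) or len(payload) < 4 + length:
        raise ValueError("length field inconsistent with payload")
    seid = struct.unpack_from("!Q", payload, 4)[0] if has_seid else None
    off = 12 if has_seid else 4
    return {"type": msg_type, "seid": seid,
            "seq": int.from_bytes(payload[off:off + 3], "big")}


def _row(flow):
    """Turn an internal flow record into a row with Table I style columns."""
    (sip, sport), (dip, dport) = flow["src"], flow["dst"]
    row = {"flow ID": f"{sip}-{dip}-{sport}-{dport}-17", "source IP": sip,
           "destination IP": dip, "source port": sport, "destination port": dport,
           "protocol": 17, "duration": flow["last"] - flow["start"],
           "fwd packets": flow["fwd"], "bwd packets": flow["bwd"]}
    for code, name in MSG_TYPES.items():
        row[f"{name} counter"] = flow["types"][code]
    return row


def pfcp_flows(packets, timeout):
    """Aggregate time-ordered (ts, src_ip, src_port, dst_ip, dst_port, payload)
    tuples into flow rows; `timeout` is in seconds (assumed rule: measured from
    the first packet of the flow)."""
    active, rows = {}, []
    for ts, sip, sport, dip, dport, payload in packets:
        try:
            hdr = parse_pfcp_header(payload)
        except ValueError:
            continue  # not PFCP or malformed: left out of the statistics
        key = tuple(sorted([(sip, sport), (dip, dport)]))  # direction-agnostic
        flow = active.get(key)
        if flow is not None and ts - flow["start"] > timeout:
            rows.append(_row(active.pop(key)))
            flow = None
        if flow is None:
            # Forward direction is that of the first packet of the flow.
            flow = active[key] = {"src": (sip, sport), "dst": (dip, dport),
                                  "start": ts, "last": ts, "fwd": 0, "bwd": 0,
                                  "types": Counter()}
        flow["last"] = ts
        flow["fwd" if (sip, sport) == flow["src"] else "bwd"] += 1
        flow["types"][hdr["type"]] += 1
    rows.extend(_row(f) for f in active.values())
    return rows


def sample_msg(msg_type, seq, seid=None):
    """Build a body-less PFCP message for the constructed sample below."""
    rest = (b"" if seid is None else struct.pack("!Q", seid)) \
        + seq.to_bytes(3, "big") + b"\x00"
    flags = (1 << 5) | (0 if seid is None else 1)
    return struct.pack("!BBH", flags, msg_type, len(rest)) + rest


SMF, UPF = ("10.0.0.1", 8805), ("10.0.0.2", 8805)  # constructed addresses
# Constructed sample capture: (timestamp, sender, receiver, UDP payload).
SAMPLE = [(ts, *a, *b, p) for ts, a, b, p in [
    (0.0, SMF, UPF, sample_msg(1, 1)), (0.1, UPF, SMF, sample_msg(2, 1)),
    (1.0, SMF, UPF, sample_msg(50, 2, seid=0)),
    (1.2, UPF, SMF, sample_msg(51, 2, seid=0x10)),
    (5.0, SMF, UPF, sample_msg(52, 3, seid=0x20)),
    (5.1, UPF, SMF, sample_msg(53, 3, seid=0x10)),
    (6.0, SMF, UPF, b"\x00\x01"),  # malformed payload, skipped
    (20.0, SMF, UPF, sample_msg(1, 4)), (20.1, UPF, SMF, sample_msg(2, 4)),
]]

if __name__ == "__main__":
    for t in (15, 60):
        for r in pfcp_flows(SAMPLE, t):
            print(t, r["flow ID"], r["duration"], r["fwd packets"], r["bwd packets"])
```

With the constructed capture, a 15 s timeout splits the SMF-UPF exchange into two flows while a 60 s timeout keeps it as one, which is why the dataset ships a separate CSV per timeout value.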
Two balanced versions of the dataset have been created for the TCP/IP flow statistics generated by CICFlowMeter (Table II) and the PFCP flow statistics produced by the Custom PFCP Flow Generator (Table I). Each version is balanced. Therefore, they contain an equal number of samples for each of the classes. The five classes and their labels are available in Table III. The two balanced versions are summarised by the files Balanced_PFCP_APP_Layer.7z/zip and Balanced_TCP-IP_Layer.7z/zip. The first file contains the PFCP flow statistics, while the second file includes the TCP/IP flow statistics. Each file also contains a set of subfolders for each flow timeout value. In particular, five values were used: 15s, 20s, 60s, 120s, and 240s. In addition, there are two sub-subfolders, namely Training and Testing. Each of these sub-subfolders contains a .csv file, named Training_X.csv or Testing_X.csv respectively, where X is the flow timeout value. The split ratio is 70% - 30% for the training and testing processes, respectively. In addition, the splitting is stratified, meaning that the same percentage of samples of each class is present in each training and testing dataset. The number of flows for each flow timeout value for Balanced_TCP-IP_Layer.7z/zip is presented in Table IV, while the number of flows for each flow timeout value for Balanced_PFCP_APP_Layer.7z/zip is provided in Table V.
V. CONCLUSIONS
The communication points in the 5G core can lead to
various security weaknesses that are investigated by both
academia and industry. In this paper, we present the 5GC
PFCP Intrusion Detection Dataset, which was generated in the
context of the H2020 SANCUS project. This security dataset
is publicly available in IEEE Dataport and Zenodo and can be
utilised for the development of AI-powered intrusion detection
and prevention mechanisms. It includes the network traffic data
(i.e., pcap files) and labelled TCP/IP and PFCP flow statistics
related to four PFCP cyberattacks, namely (a) PFCP Session
Establishment DoS Attack, (b) PFCP Session Deletion DoS
Attack, (c) PFCP Session Modification Flood attack (DROP
Apply Action Field Flags) and (d) PFCP Session Modification
Flood attack (DUPL Apply Action Field Flag).
Table II
TCP/IP NETWORK FLOW STATISTICS - FEATURES
Feature | Description
Flow ID | ID of the flow
Src IP | Source IP address
Src Port | Source TCP/UDP port
Dst IP | Destination IP address
Dst Port | Destination TCP/UDP port
Protocol | Protocol related to the flow
Timestamp | Flow timestamp
Flow Duration | Duration of the flow in Microseconds
Tot Fwd Pkts | Total packets in forward direction
Tot Bwd Pkts | Total packets in backward direction
TotLen Fwd Pkts | Total size of packets in forward direction
TotLen Bwd Pkts | Total size of packets in backward direction
Fwd Pkt Len Max | Maximum size of packet in forward direction
Fwd Pkt Len Min | Minimum size of packet in forward direction
Fwd Pkt Len Mean | Mean size of packet in forward direction
Fwd Pkt Len Std | Standard deviation size of packet in forward direction
Bwd Pkt Len Max | Maximum size of packet in backward direction
Bwd Pkt Len Min | Minimum size of packet in backward direction
Bwd Pkt Len Mean | Mean size of packet in backward direction
Bwd Pkt Len Std | Standard deviation size of packet in backward direction
Flow Byts/s | Number of flow bytes per second
Flow Pkts/s | Number of flow packets per second
Flow IAT Mean | Mean time between two packets sent in the flow
Flow IAT Std | Standard deviation time between two packets sent in the flow
Flow IAT Max | Maximum time between two packets sent in the flow
Flow IAT Min | Minimum time between two packets sent in the flow
Fwd IAT Tot | Total time between two packets sent in the forward direction
Fwd IAT Mean | Mean time between two packets sent in the forward direction
Fwd IAT Std | Standard deviation time between two packets sent in the forward direction
Fwd IAT Max | Maximum time between two packets sent in the forward direction
Fwd IAT Min | Minimum time between two packets sent in the forward direction
Bwd IAT Tot | Total time between two packets sent in the backward direction
Bwd IAT Mean | Mean time between two packets sent in the backward direction
Bwd IAT Std | Standard deviation time between two packets sent in the backward direction
Bwd IAT Max | Maximum time between two packets sent in the backward direction
Bwd IAT Min | Minimum time between two packets sent in the backward direction
Fwd PSH Flags | Number of Forward PSH flags
Bwd PSH Flags | Number of Backward PSH flags
Fwd URG Flags | Number of Forward URG flags
Bwd URG Flags | Number of Backward URG flags
Fwd Header Len | Length of Forward header
Bwd Header Len | Length of Backward header
Fwd Pkts/s | Number of Forward packets per second
Bwd Pkts/s | Number of Backward packets per second
Pkt Len Min | Minimum packet length
Pkt Len Max | Maximum packet length
Pkt Len Mean | Mean packet length
Pkt Len Std | Standard deviation of packet length
Pkt Len Var | Variance of packet length
FIN Flag Cnt | Number of FIN flags
SYN Flag Cnt | Number of SYN flags
RST Flag Cnt | Number of RST flags
PSH Flag Cnt | Number of PSH flags
ACK Flag Cnt | Number of ACK flags
URG Flag Cnt | Number of URG flags
CWE Flag Count | Number of CWE flags
ECE Flag Cnt | Number of ECE flags
Down/Up Ratio | Down/Up ratio
Pkt Size Avg | Average packet size
Fwd Seg Size Avg | Average Forward segment size
Bwd Seg Size Avg | Average Backward segment size
Fwd Byts/b Avg | Average Forward bytes per bit
Fwd Pkts/b Avg | Average Forward packets per bit
Fwd Blk Rate Avg | Average Forward block rate
Bwd Byts/b Avg | Average Backward bytes per bit
Bwd Pkts/b Avg | Average Backward packets per bit
Bwd Blk Rate Avg | Average Backward block rate
Subflow Fwd Pkts | Number of Forward subflow packets
Subflow Fwd Byts | Number of Forward subflow bytes
Subflow Bwd Pkts | Number of Backward subflow packets
Subflow Bwd Byts | Number of Backward subflow bytes
Init Fwd Win Byts | Initial Forward window bytes
Init Bwd Win Byts | Initial Backward window bytes
Fwd Act Data Pkts | Number of Forward active data packets
Fwd Seg Size Min | Minimum Forward segment size
Active Mean | Mean active time
Active Std | Standard deviation of active time
Active Max | Maximum active time
Active Min | Minimum active time
Idle Mean | Mean idle time
Idle Std | Standard deviation of idle time
Idle Max | Maximum idle time
Idle Min | Minimum idle time
Label | Label

Table III
CLASSES OF THE 5GC PFCP INTRUSION DETECTION DATASET
Class | Label
Normal flow | Normal
PFCP Session Establishment Flood attack flow | Mal Estab
PFCP Session Deletion Flood attack flow | Mal Del
PFCP Session Modification Flood attack (DROP Apply Action Field Flags) flow | Mal Mod
PFCP Session Modification Flood attack (DUPL Apply Action Field Flag) flow | Mal Mod2

Table IV
NUMBER OF THE TCP/IP FLOWS (GENERATED BY CICFLOWMETER) FOR THE DIFFERENT FLOW TIMEOUT VALUES IN THE BALANCED FILES
Training
Timeout | Normal | Mal Estab | Mal Del | Mal Mod | Mal Mod2
15s | 1439 | 1440 | 1440 | 1440 | 1440
20s | 1439 | 1440 | 1440 | 1440 | 1440
60s | 485 | 485 | 485 | 485 | 485
120s | 260 | 261 | 260 | 260 | 261
240s | 133 | 134 | 133 | 134 | 134
Testing
Timeout | Normal | Mal Estab | Mal Del | Mal Mod | Mal Mod2
15s | 618 | 617 | 617 | 617 | 617
20s | 618 | 617 | 617 | 617 | 617
60s | 208 | 208 | 208 | 208 | 208
120s | 112 | 111 | 112 | 112 | 111
240s | 58 | 57 | 58 | 57 | 57

Table V
NUMBER OF THE PFCP FLOWS (GENERATED BY CUSTOM PFCP FLOW GENERATOR) FOR THE DIFFERENT FLOW TIMEOUT VALUES IN THE BALANCED FILES
Training
Timeout | Normal | Mal Estab | Mal Del | Mal Mod | Mal Mod2
15s | 1103 | 1104 | 1104 | 1104 | 1104
20s | 666 | 667 | 666 | 666 | 667
60s | 222 | 223 | 222 | 223 | 223
120s | 110 | 111 | 110 | 111 | 111
240s | 68 | 69 | 68 | 69 | 69
Testing
Timeout | Normal | Mal Estab | Mal Del | Mal Mod | Mal Mod2
15s | 474 | 473 | 473 | 473 | 473
20s | 286 | 285 | 286 | 286 | 285
60s | 96 | 95 | 96 | 95 | 95
120s | 48 | 47 | 48 | 47 | 47
240s | 30 | 29 | 30 | 29 | 29

REFERENCES
[1] P. Radoglou-Grammatikis, P. Sarigiannidis, C. Dalamagkas, Y. Spyridis, T. Lagkas, G. Efstathopoulos, A. Sesis, I. L. Pavon, R. T. Burgos, R. Diaz, A. Sarigiannidis, D. Papamartzivanos, S. A. Menesidou, G. Ledakis, A. Pasias, T. Kotsiopoulos, A. Drosou, O. Mavropoulos, A. C. Subirachs, P. P. Sola, J. L. Domínguez-García, M. Escalante, M. M. Alberto, B. Caracuel, F. Ramos, V. Gkioulos, S. Katsikas, H. C. Bolstad, D.-E. Archer, N. Paunovic, R. Gallart, T. Rokkas, and A. Arce, “SDN-Based Resilient Smart Grid: The SDN-microSENSE Architecture,” Digital, vol. 1, no. 4, pp. 173–187, 2021. [Online]. Available: https://www.mdpi.com/2673-6470/1/4/13
[2] G. Amponis, P. Radoglou-Grammatikis, T. Lagkas, S. Ouzounidis, M. Zevgara, I. Moscholios, S. Goudos, and P. Sarigiannidis, “Towards securing next-generation networks: Attacking 5g core/ran testbed,” in 2022 Panhellenic Conference on Electronics & Telecommunications (PACET), 2022, pp. 1–4.
[3] G. Amponis, P. Radoglou-Grammatikis, T. Lagkas, W. Mallouli, A. Cavalli, D. Klonidis, E. Markakis, and P. Sarigiannidis, “Threatening the 5g core via pfcp dos attacks: the case of blocking uav communications,” EURASIP Journal on Wireless Communications and Networking, vol. 2022, no. 1, p. 124, Dec 2022. [Online]. Available: https://doi.org/10.1186/s13638-022-02204-5
[4] A. Gharib, I. Sharafaldin, A. H. Lashkari, and A. A. Ghorbani, “An evaluation framework for intrusion detection dataset,” in 2016 International Conference on Information Science and Security (ICISS). IEEE, 2016, pp. 1–6.
[5] P. Kiri Taksande, P. Jha, A. Karandikar, and P. Chaporkar, “Open5G: A Software-Defined Networking Protocol for 5G Multi-RAT Wireless Networks,” in 2020 IEEE Wireless Communications and Networking Conference Workshops (WCNCW), 2020, pp. 1–6.
... This setup improves network efficiency by decreasing latency and increasing bandwidth consumption, thus improving the performance of 5G services closer to end users. Therefore, the PFCP connection is established between the UPF on the edge server and the SMF on the central cloud to provide efficient session management and data forwarding in the 5G network architecture [117]. This connection allows the UPF to communicate with the SMF, exchanging control messages and session-related information that is required for dynamic session creation, modification, and release. ...
Article
Full-text available
In various industries, including Agriculture, the application of the Fifth Generation (5G) of wireless technology has led to significant advancement. One of the most intriguing aspects of 5G technology is the potential to reduce latency for Internet of Things (IoT) applications, especially for latency-sensitive smart farming applications such as fire detection. The data generated by IoT devices such as sensors, cameras, and actuators in intelligent farming applications are growing exponentially. Traditional methods of processing and storing IoT data usually include cloud data centres, which are often far from data sources, resulting in multiple network hops that increase latency. To this end, the existing network infrastructures struggle to cope with increasing traffic and meet the stringent low-latency requirements of various real-time environmental monitoring IoT applications. To solve this problem, Edge Computing (EC) emerged as a solution. Edge technology allows the deployment of 5G Core (5GC) network functions close to the data-generating IoT sensors. This method allows data processing to be performed near the sensor, thereby reducing latency. As a result, this paper proposed an efficient architecture to minimise latency in 5G networks by moving the User Plane Function (UPF) node to the edge of the network closer to users using the Control and User Plane Separation (CUPS) strategy. Furthermore, this paper further proposed Software-Defined Networking (SDN) based backhaul. This backhaul was configured to use the Open Network Operating System (ONOS) controller, which has been customised with a distributed core to improve throughput, latency, and scalability. Using SDN in the 5G backhaul network allows operators to create dynamic, scalable, and efficient networks capable of serving a diverse variety of services and applications with varying performance needs. 
The results of the experiment conducted on the Third Generation Partnership Project (3GPP) compliant 5G testbed demonstrated that the proposed architecture reduced the average Round Time Trip (RTT) by 60.7% while improving the throughput by approximately 40.48%. This significant reduction in latency and improvement in throughput paves the way for the implementation of real-world 5G applications, particularly in latency-sensitive sectors like smart agriculture. Agricultural operations will benefit from faster data processing and communication, enabling real-time monitoring, and precision irrigation, ultimately leading to increased efficiency.
... Further analysis of the LSTM model could also consider a variety of different PFCP attack scenarios. In the work of [20], [21] PFCP attack simulation is discussed which can be used to generate the input data for evaluating the model detection capability beyond the session modification attack presented in this paper. ...
Article
Fifth-generation telecommunication networks (5G) will offer a range of new services and support an array of new use cases beyond traditional mobile networking. This is achieved in part by a renovated core network architecture that adopts a suite of new technologies. As new service capabilities emerge so do the security threats that pose a significant risk to consumer electronic devices that use 5G services. Among these are signaling attacks which can potentially disrupt services and expose private user data. In this article a Machine Learning (ML) model is proposed as a potential solution for detecting malicious signaling flows by way of anomaly detection in signaling traffic. A Long Short Term Memory (LSTM) network is utilized to predict traffic patterns and detect anomalous signaling associated with the Packet Forward Control Protocol (PFCP) attack. The model is trained using a dataset of benign service interactions and tested on a dataset containing simulated PFCP signaling attacks. Based on this approach the LSTM model can identify anomalous packets with 95% accuracy for the given PFCP attack scenario
... For the evaluation of 5G-FUZZ, the 5GC Intrusion Detection Dataset [7] is used, while also a set of The Total Variation Distance (TVD) metric (Equation 4) computes the similarity of a real data and a synthetic data column in terms of the column shapes. ...
Conference Paper
Full-text available
The evolution of fifth-generation (5G) networks represents a significant technological leap towards a seamless and advanced user experience, allowing hyperconnected use cases with faster data transfer, lower latency and better connectivity for a wide range of mobile devices. In particular, a key element of 5G is the 5G Core (5GC) which follows a service-based architecture, enabling network slicing and improved Quality of Service (QoS). However, despite the benefits of 5GC, it also creates important security and privacy concerns. First, 5GC can combine heterogeneous technologies that can increase the growing attack surface. On the other hand, 5G handles a vast amount of sensitive data that may reflect an attractive goal for potential cyberattackers. Based on the previous remarks, in this paper, we introduce 5G-Fuzz. 5G-Fuzz is a smart fuzzer which takes full advantage of historical data in order to fuzz and target the Packet Forwarding Control Protocol (PFCP) communications between the Session Management Function (SMF) and User Plane Function (UPF). For this purpose, two PFCP attacks are used. In contrast to conventional fuzzers, 5G-Fuzz adopts two Generative Adversarial Networks (GANs) in order to identify and generate the appropriate values of Session Endpoint Identifier (SEID) and sequence number (seq) utilised in the PFCP sessions, thus accelerating the PFCP attacks. Finally, 5G-Fuzz composes and replays the malicious PFCP packets against UPF.
Conference Paper
The progression of fifth-generation (5G) networks provides multiple advantages, such as faster speed, reduced latency and increased capacity. Towards these advancements, it is clear that 5G Core (5GC) represents the heart of a 5G network, providing a variety of new network services such as Ultra-reliable low-latency communication (URLLC) and Massive machine-type communication (mMTC). However, despite the various benefits, 5GC is prone to several cyberthreats that can result in catastrophic effects. In this paper, an Intrusion Detection System (IDS) for 5GC is introduced. The proposed IDS called 5GCIDS adopts Artificial Intelligence (AI) methods in order to detect potential cyberattacks against Packet Forwarding Control Protocol (PFCP), which is utilised for the N4 interface between Session Management Function (SMF) and User Plane Function (UPF). For the detection process, both Transmission Control Protocol (TCP)/Internet Protocol (IP) flow statistics and application-layer PFCP flow statistics are used. In the second case, we provide a bidirectional flow statistics generator called PFCPFlowMeter. Finally, the detection outcomes are explained as local and global explanations with the TreeSHAP method. The evaluation results demonstrate the efficiency of the proposed IDS.
Article
TCP (Transmission Control Protocol) is a reliable connection-oriented end-to-end protocol. It contains within itself mechanisms for ensuring reliability by requiring the receiver to acknowledge the segments that it receives. The network is not perfect and a small percentage of packets are lost en route, either due to network error or due to the fact that there is congestion in the network and the routers are dropping packets. TCP ensures reliability by starting a timer whenever it sends a segment. If it does not receive an acknowledgement from the receiver within the ‘time-out’ interval then it retransmits the segment. In this paper a review of various TCP is carried out. There are a number of TCP variants for application in the management of network efficiency in terms of network congestion and transmission efficiency. These variants include: TCP Tahoe, TCP Reno, TCP New Reno, TCP Vegas, TCP SACK, TCP FACK, TCP Asym, TCP RBP, Full TCP and TCP CUBIC. Therefore, the main objective of this paper is to study the TCP types on the network performance variances. All have different features and advantages but with maximal throughput as main objective, which are termed as the clones of TCP, have been incorporated into TCP/IP protocol for handling congestion efficiently in different network scenarios.
Article
To ensure Energy Efficiency (EE) and better Quality of service (QoS), it is necessary to analyze the energy saving possibilities for low resource utilization in the current networks caused by rigorous QoS requirements and implementing EE approach in the planned model for performance improvement. Distributed Denial of Service (DDoS) attacks aim to exhaust the network’s processing and communication capacity by saturating it with packets and generating malicious traffic. There are numerous advantages that make Digital Twin (DT) and Intrusion Detection technique (ID) an effective remedy for a range of (fifth generation) 5G problems. A DDoS attack must be immediately detected and stopped before a legitimate user can access the target of the attacker for the 5G network to provide an efficient energy service. Although they clearly show promise in assisting with the creation and implementation of the challenging 5G environment, Digital Twins is still a relatively new technology for 5G networks but will increase EE. In this research, a thorough examination of the materials was carried out to identify the most cutting-edge DT and ID methods. The purpose of this study was to comprehend the problems with Energy Efficiency, the need for DT, and the methods for dealing with large-scale attack by DDoS on Energy Efficient networks. Only 94 of the 1555 articles produced by the procedure were determined to be relevant using inclusion and exclusion criteria. The outcome demonstrates that in 5G networks, DT, and its fundamental approaches, like QoS and DDoS attack mitigation, can be used to regulate the network’s Energy Efficiency. Numerous practical applications focusing on 5G Systems use their own principles. The effectiveness of these strategies was evaluated using several assessment criteria, including DT, Intrusion Detection, QoS, Energy Efficiency, and 5G Systems. 
Each study issue is thoroughly explained, along with typical methods, advantages, disadvantages, and performance metrics. Energy economy, network reliability, privacy, and cost reduction are all considerably increased by the implementation of intrusion detection technology in 5G systems. The decision is supported by the technology’s demonstrated efficacy, scalability, real-time detection capacities, low error level, and personalized learning attributes, all of which contribute to the long-term viability of 5G networks as an entire system.
Article
The modern communications landscape requires reliable, high-speed, high-throughput and secure links and sessions between user equipment instances and the data network. The 5G core implements the newly defined 3GPP network architecture enabling faster connectivity, low latency, higher bit rates and network reliability. The full potential of this set of networks will support a set of critical Internet of things (IoT) and industrial use cases. Nevertheless, several components and interfaces of the next-generation radio access network (NG-RAN) have proven to be vulnerable to attacks that can potentially obstruct the network’s capability to provide reliable end-to-end communication services. Various inherent security flaws and protocol-specific weaknesses have also been identified within the 5G core itself. However, little to no research has gone into testing and exposing said core-related weaknesses, contrary to those concerning the NG-RAN. In this paper, we investigate, describe, develop, implement and finally test a set of attacks on the Packet Forwarding Control Protocol (PFCP) inside the 5G core. We find that, by transmitting unauthorised session control packets, we were able to disrupt established 5G tunnels without disrupting subscribers’ connectivity to the NG-RAN, thus hindering the detection of said attacks. We evaluate the identified PFCP attacks in a drone-based scenario involving 5G tunnelling between two swarms.
Conference Paper
As the networking and communications landscape moves towards 5G and an increasing number of users are already accessing the Internet over 5G systems at an increasing pace, security issues rise and the corresponding vulnerabilities are in need of being addressed. The work presented in this paper constitutes an attempt at addressing the issue of training defenders capable of tackling cyberattacks and detection systems capable of timely notifying of security events. The key contribution of this paper is the proposal of a fully containerized testbed, incorporating a 5G cellular core, a radio access network (RAN), a set of potentially vulnerable hosts, and the appropriate entry points as interfaces. Attackers and defenders alike, can perform attacks or implement defensive measures correspondingly, without needing to exit the established sandbox. The developed testbed and emulation framework is envisaged to pave the path towards facilitating the generation of realistic datasets containing malicious traffic captured over 5G tunnels for enhancing the security of next generation networks.
Article
The technological leap of smart technologies and the Internet of Things has advanced the conventional model of the electrical power and energy systems into a new digital era, widely known as the Smart Grid. The advent of Smart Grids provides multiple benefits, such as self-monitoring, self-healing and pervasive control. However, it also raises crucial cybersecurity and privacy concerns that can lead to devastating consequences, including cascading effects with other critical infrastructures or even fatal accidents. This paper introduces a novel architecture, which will increase the Smart Grid resiliency, taking full advantage of the Software-Defined Networking (SDN) technology. The proposed architecture called SDN-microSENSE architecture consists of three main tiers: (a) Risk assessment, (b) intrusion detection and correlation and (c) self-healing. The first tier is responsible for evaluating dynamically the risk level of each Smart Grid asset. The second tier undertakes to detect and correlate security events and, finally, the last tier mitigates the potential threats, ensuring in parallel the normal operation of the Smart Grid. It is noteworthy that all tiers of the SDN-microSENSE architecture interact with the SDN controller either for detecting or mitigating intrusions.