Skip to content

An O-RAN compliant runtime intrusion detection system (xApp) for layer-3 (L3) celluar attack detection

License

Notifications You must be signed in to change notification settings

5GSEC/5G-Spector

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

32 Commits
 
 
 
 
 
 
 
 

Repository files navigation

5G-Spector

DOI

5G-Spector is the first Open Radio Access Network (O-RAN) compliant layer-3 cellular attack detection service. It is based on the revolutionary O-RAN architecture that brings unprecedented programmability that enables stakeholders (e.g., network operators) and researchers to build innovative software-defined services on cellular networks. 5G-Spector is featured in project SE-RAN and an academic publication in the Network and Distributed System Security Symposium 2024 (NDSS 2024). The full paper is available here.

5G-Spector has passed the NDSS'24 artifact evaluation and is awarded all badges (available, functional, and reproduced).

Quick Start

5G-Spector is based on open-sourced 5G and OpenRAN software implementations, in particular the OpenAirInterface (OAI) project. First, you could instantiate and run an OAI-based 5G SA network (with RF simulation or SDRs) from scratch by folllowing our guides: Deploy (O‐RAN Compliant) 5G Network based on OAI. This guide uses an extended version of OAI implemented by us, which supports the communication of O-RAN nRT-RICs and the 5G-Spector components. After you have deployed a 5G network, you may choose from the following to deploy the nRT-RIC and deploy 5G-Spector:

Option 1: O-RAN SC RIC. Please check out this guide! (Recommended)

Option 2: ONOS RIC within the SD-RAN project. Please check out this guide! (NOT Recommended since the ONOS SD-RAN RIC's support is no longer being maintained)

Reproducible Artifact

We have provided a VM-based artifact to run and test 5G-Spector in a simulated LTE network with detailed instructions: 5G‐Spector Artifact in a Simulated LTE Network. It is based on an OAI LTE network and the ONOS SD-RAN RIC.

Architecture

The below image shows the architecture of 5G-Spector's deployment. From a high level, it can be divided into the data plane and control plane based on the SDN concept.

alt text

Data plane

Data Plane involves the user equipment (UE) and Radio Access Network (RAN), and the core network (LTE EPC / 5GC). As shown in the figure, the RAN data plane can be further broken down into different components:

  • Radio Unit (RU) is the typical radio hardware deployed in the front-haul network to handle layer-1 (L1) physical radio signals from surrounding user equipment. It is replaced by either a commodity SDR (e.g., USRP B210) or the OpenAirInterface (OAI) RF emulator (no actual SDR hardware required).
  • Distributed Unit (DU) and Central Unit (CU) are logical components that can be hosted at the edge to handle L2 and L3 functions of the cellular protocol. We use the state-of-the-art open-sourced implementation, OpenAirInterface, as the CU and DU. We further augment the CU and DU with SecSM Agent support that allows them to communicate with the control plane and MobieXpert xApp to report security telemetry, i.e., MobiFlow, to drive security analysis on the control plane.
  • User Equipment (UE) broadly refers to a cellular mobile device subscribed to the operational network. We also use OAI as the UE implementation which supports L1 emulation capability (i.e., no actual hardware required). Alternatively, OAI UE can also run on an SDR over RF. You can also use LTE / 5G compatible COTS smartphones as the UE.
  • Core Network is not shown in the image, and it handles network registration for the UEs. In this demonstration, we use either the OAI 5GC or the ONF's Open Mobile Evolved Core (OMEC) for LTE.

Control Plane

The control layer logic of O-RAN is disaggregated from the data plane based on the SDN principles. It involves the Near-Real-Time RAN Intelligent Controller (nRT-RIC) serves as a proxy for control services and connects to the RAN nodes (i.e., CUs and DUs) via the standard E2 interface. Based on the nRT-RIC's services, xApps can be programmed as “plug-n-play” software on the control plane. We use ONF's ONOS RIC of its Software-Defined RAN (SD-RAN) project as our nRT-RIC.

5G-Spector's analysis capability is powered by the novel security telemetry stream MobiFlow extracted by the MobiFlow Auditor xApp from the RAN data plane. MobiFlow supports sophisticated threat analysis such as the signature-based L3 attack detection within the MobieXpert xApp.

Source Code Dependencies

5G-Spector is dependent on the following source code repositories:

Security-Enhanced OAI RAN

Security-enhanced OAI RAN implementation with RIC agent support to generate MobiFlow telemetry. It is currently dedicated to the ONOS RIC on SD-RAN. We plan to extend its support to other platforms and vendors such as the Flexible RAN Intelligent Controller (FlexRIC). It is licensed under OAI Public License V1.1.

MobiFlow Auditor xApp

The MobiFlow Auditor xApp is an O-RAN compliant xApp aiming to support fine-grained and security-aware statistics monitoring over the RAN data plane, which does not exist in the default O-RAN standard and service models. We abstract such telemetry streams as MobiFlow, a novel security audit trail for holding mobile devices accountable during the link and session setup protocols as they interact with the base station, and interval statistics generated for tracking large-scale patterns of abuse against the base station.

MobieXpert xApp

The MobieXpert xApp functions as an L3 exploit detection engine that allows efficient programming of cellular attack signatures. MobieXpert’s design is based on the Production-Based Expert System Toolset (P-BEST) language, which has been widely used for decades in stateful intrusion detection. With MobieXpert, network operators can program stateful production-based IDS rules for detecting a wide range of cellular L3 attacks.

Video Demonstration

We have provided a pre-recorded video showing 5G-Spector's capability of detecting two over-the-air attacks targeting a real cellular network and devices.

Learn More

Project SE-RAN

Please visit our project website: 5gsec.com. 5G-Spector is featured in the Security-Enhanced RAN (SE-RAN) project sponsored by the NSF's 5G convergence accelerator program.

NDSS'24 Publication

If you have used 5G-Spector to develop a research work or product, please cite our paper:

@inproceedings{5G-Spector:NDSS24,
  title     = {5G-Spector: An O-RAN Compliant Layer-3 Cellular Attack Detection Service},
  author    = {Wen, Haohuang and Porras, Phillip and Yegneswaran, Vinod and Gehani, Ashish and Lin, Zhiqiang},
  booktitle = {Proceedings of the 31st Annual Network and Distributed System Security Symposium (NDSS'24)},
  address   = {San Diego, CA},
  month     = {February},
  year      = 2024
}