Researchers have identified a wide range of 5G protocol-level exploits that can be mounted by sophisticated adversaries using low-cost SDRs. These attacks can impose a spectrum of impacts on devices and base stations, including serious privacy violations, confidentiality and integrity attacks, denials of service, device geo-tracking, and an emerging class of novel traffic insertion exploits. Unfortunately, to date, there are no existing services within current mobile infrastructures that will identify the breadth of these attacks at runtime.
An O-RAN Runtime IDS for Malicious SDR Detection
We are developing a new data-plane security service for 5G SD-RANs that will enable control plane (xApp) security services to counter the breadth of known SDR-based adversarial models. The project will introduce an E2 service module (E2SM), called SECSM, into various open source 5G SD-RAN reference implementations. SECSM will produce a new E2T event stream called MobiFlow, capturing the necessary user equipment to gNodeB (UE-to-gNB) connection state. We will also introduce a new 5G-IDS xApp called MobiExpert that uses MobiFlow to detect malicious UEs and SDR-based exploits.
SECSM: The SECSM is a new O-RAN compliant service model that integrates into the SD-RAN Control Unit, where it extracts the key security-relevant RRC/NAS state transitions and base-station statistics. Think of the SECSM as a security-focused audit stream generator: it tracks mobile device link and session setups, and it provides interval statistics useful for detecting flooding, error bursts, and other traffic patterns from within the base station. We refer to the telemetry format produced by the SECSM as MobiFlow.
MobiFlow: MobiFlow is a novel security audit trail for holding mobile devices accountable during the link and session setup protocols as they interact with the base station, together with interval statistics generated for tracking large-scale patterns of abuse against the base station. It is from this input stream that we are currently developing new 5G-IDS xApps for live malicious SDR detection.
SECSM and MobiFlow can drive a lot more analytics than signature engines. Our intention is to expand their features and use cases to drive security-focused machine learning algorithms after our base signature engine is complete.
MobiExpert xApp: We are developing a high-performance expert system that will operate as an xApp inside the SD-RAN control plane. The expert system is based on PBEST, which was employed back in 1988 to create the very first stateful signature engine, MIDAS (the Multics Intrusion Detection and Alert System), and it has been used continually since as a powerful engine for stateful signature analysis.
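The following added example, which is not code from the project, shows the kind of stateful check that link-setup audit records and interval statistics make possible: it tracks each UE's outstanding setup request and flags intervals in which too many setups never complete. The record fields, thresholds and sample stream are assumptions made for illustration and do not reflect the actual MobiFlow schema or MobiExpert rules.

```python
from collections import Counter

SETUP_TIMEOUT_S = 0.5   # assumed: max time from setup request to completion
WINDOW_S = 1.0          # assumed: length of one statistics interval
MAX_INCOMPLETE = 3      # assumed: incomplete setups tolerated per interval

# Constructed sample stream. Field names are hypothetical, not the MobiFlow schema.
SAMPLE = (
    [{"ts": 0.10, "ue": 1, "msg": "RRCSetupRequest"},
     {"ts": 0.15, "ue": 1, "msg": "RRCSetupComplete"},
     {"ts": 1.20, "ue": 2, "msg": "RRCSetupRequest"},
     {"ts": 1.26, "ue": 2, "msg": "RRCSetupComplete"}]
    # Five UEs request a link within one interval and never complete setup.
    + [{"ts": 2.0 + 0.1 * i, "ue": 10 + i, "msg": "RRCSetupRequest"} for i in range(5)]
    + [{"ts": 5.00, "ue": 3, "msg": "RRCSetupRequest"},
       {"ts": 5.04, "ue": 3, "msg": "RRCSetupComplete"}]
)

def incomplete_setups(records, timeout=SETUP_TIMEOUT_S):
    """Return request times of link setups not completed within `timeout`."""
    records = sorted(records, key=lambda r: r["ts"])
    open_req, stale = {}, []          # per-UE state: time of outstanding request
    for rec in records:
        ue, ts, msg = rec["ue"], rec["ts"], rec["msg"]
        if msg == "RRCSetupRequest":
            if ue in open_req:        # previous request was never completed
                stale.append(open_req[ue])
            open_req[ue] = ts
        elif msg == "RRCSetupComplete" and ue in open_req:
            start = open_req.pop(ue)
            if ts - start > timeout:  # completed, but too late
                stale.append(start)
    # Requests still open at the end of the trace count once they exceed the timeout.
    end = records[-1]["ts"] if records else 0.0
    stale += [s for s in open_req.values() if end - s > timeout]
    return sorted(stale)

def flood_alerts(records, window=WINDOW_S, limit=MAX_INCOMPLETE):
    """Return [(interval_start, count)] where incomplete setups exceed `limit`."""
    per_interval = Counter(int(ts // window) for ts in incomplete_setups(records))
    return [(i * window, n) for i, n in sorted(per_interval.items()) if n > limit]

if __name__ == "__main__":
    for start, n in flood_alerts(SAMPLE):
        print(f"ALERT interval starting {start:.1f}s: {n} incomplete setups")
```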
5G Layer-3 Threat Coverage
The base set of 5G exploit methods detectable using SECSM, MobiFlow, and the PBEST 5G-IDS xApp.
Where to learn more
Haohuang Wen, Phillip Porras, Vinod Yegneswaran, Ashish Gehani, and Zhiqiang Lin, "5G-Spector: An O-RAN Compliant Layer-3 Cellular Attack Detection Service". In the Network and Distributed System Security Symposium (NDSS) 2024.
What is 5G-Spector: An overview of a security-focused, O-RAN compliant CU/DU services module that implements a new security audit service called MobiFlow.
5G-Spector demo: A live demonstration of 5G-Spector deployed on an experimental testbed, showing the real-time detection of two live RF attacks.
https://github.com/OSUSecLab/5G-Spector (Coming soon)