Mobiflow is a novel Security Audit Trail for holding mobile devices accountable during the link and session setup protocols as they interact with the base station and an interval statistics generated for tracking large-scale patterns of abuse against the base station. And its from this input stream we are currently developing new 5G-IDS xApps for live malicious SDR detection.
You can't defend what you can't see
To design and develop security services atop O-RAN, one must first address the visibility problem. More concretely, the security services (e.g., intrusion detection and anomaly detection xApps) at the control plane must be able to access desired data telemetry that monitors the data plane.
The existing reference E2 Service Models (E2SMs) in the O-RAN specification, namely Key Performance Measurement (KPM), RAN Control (RC), and Network Interface (NI), are insufficient to support sophisticated security services for two main reasons. First, these E2SMs are simply not designed to drive security analytics. The existing E2SMs collect coarse-grained telemetry from the network which is insufficient to conduct fine-grained security analysis
MobiFlow-enabled security Services
(1) Intrusion Detection System: 5G-Spector is a stateful rule-based expert system developed as an xApp that focuses on the detection of L3 exploits by analyzing the security-relevant state transitions of 5G’s Layer-3 RRC and NAS protocols. We will also extend MobiFlow to extract additional RAN features for other protocols
and new attacks.
(2) Anomaly Detection System: MobiFlow can be generalized to identify anomalous behavioral patterns, temporal triggers, or degenerate performance statistics among devices and base stations, such as for detecting network misconfigurations, fault patterns, or diagnosing unknown rogue UE patterns. In the past, such anomaly detection systems were built within the (smartphone) UEs or the networks. Embedding MobiFlow in the CU/DU offers a novel direction for such an application.
(3) Machine Learning System for Security: MobiFlow can drive machine learning (ML) models and techniques, such as deep learning frameworks. By collecting abundant datasets (e.g., from real-world testbeds) on MobiFlow, various ML models can be trained for novel security tasks, such as malicious UE classifica- tion and abnormal traffic pattern detection. In this regard, we have the expertise in using Variational Autoencoders (VAEs) to model the actions of the P4/SDN for anomaly detection in 5G mobile core from our prior work in traditional SDNs, and for microservice security analysis.
Where to learn more
Haohuang Wen, Phillip Porras, Vinod Yegneswaran, and Zhiqiang Lin, "A fine-grained telemetry stream for security services in 5G open radio access networks," in Proceedings of the 1st International Workshop on Emerging Topics in Wireless (EmergingWireless '22) [paper link]
What is 5G-Spector: An Overview of a security-focused O-RAN compliant CU/DU services module that implements a new security audit service called MobiFlow