
Computer Communications 172 (2021) 226–237


Security policies definition and enforcement utilizing policy control function framework in 5G

German Peinado Gomez a, Jordi Mongay Batalla b,∗, Yoan Miche c, Silke Holtmanns c, Constandinos X. Mavromoustakis d, George Mastorakis e, Noman Haider f

a Nokia, Warsaw, Poland
b Warsaw University of Technology, Warsaw, Poland
c Nokia Bell Labs, Espoo, Finland
d University of Nicosia, Nicosia, Cyprus
e Hellenic Mediterranean University, Crete, Greece
f Victoria University, Sydney, Australia

ARTICLE INFO

Keywords: 5G; Security; Security enforcement; Quality of Service; Policy control; 3GPP; Service Based Architecture; Security policies; Security analytics; Security assurance; Slicing

ABSTRACT

This research analyses new approaches to security enforcement in the fifth generation (5G) architecture from an end to end perspective. With the aim of finding a suitable and effective unified schema across the different network domains, it shows that the policy control framework may become the cornerstone for the definition and enforcement of security policies in new 5G networks. The 5G core network architecture reference model is defined as a Service Based Architecture (SBA). The Policy Control Function (PCF) is a Network Function (NF) that constitutes, within the SBA architecture, a unique framework for defining any type of policies in the network and delivering those to other control plane NFs. In previous generations the policy control approach has been restricted to Quality of Service (QoS) and charging aspects. In contrast, the 5G system is now based on a unified policy control scheme that allows building consistent policies covering the entire network. By utilizing the unified 5G policy framework we have found an effective security enforcement schema, flexible enough to create new security policies and agile enough to react to the constantly changing environment, across the end to end architecture. Within this schema we have defined mechanisms to apply the QoS principles to security use cases. We have also set up the user plane security enforcement within the session management and established security policies. Finally, we have made proposals to extend the network analytics to security analytics. Our overall vision is to consider security as a quality element of the network.

1. Introduction

There is a vast consensus in the industry about the need to build Fifth Generation (5G) networks that are inherently secure in the widest sense [1]. That includes (among others) considerations on privacy, data confidentiality and overall protection of the network against any kind of cyberattack that can compromise the availability and integrity of its infrastructure, applications and services [2]. Not only industry actors, represented among others by network operators, vendors and infrastructure providers, but also governments and authorities like the European Commission are key stakeholders in the deployment of trusted 5G networks, working nowadays to formalize 5G security regulations based on the analysis of different risk scenarios [3]. Network security is the context of this paper, which focuses on the definition and enforcement of security policies in the entire network, the so-called 5G System (5GS) in the 3rd Generation Partnership Project (3GPP) standards. There are several key standardization bodies and industry forums which are contributing significantly to developing the 5G architecture, and specifically its security aspects, such as ITU, ETSI, IETF, NGMN, 5G-PPP, NIST, GSMA, etc. Some of those focus on specific infrastructure, such as critical infrastructure, and others develop security standards for specific use cases (e.g. mission critical) [4]. The standardization group that defines end-to-end security aspects in the 5G network as a whole is the SA3 working group of 3GPP.

The 5GS is defined by 3GPP in TS 23.501 [5] as a system consisting of the 5G Access Network (AN), the 5G core network and the User Equipment (UE). The system's architecture is defined as service-based and comprises multiple Network Functions (NFs), which will be described in the article as needed, mainly from a security angle. Within this architecture, the interaction between NFs and NF services may be represented by point-to-point reference points between any two network functions (e.g., reference point N7 between the Policy Control Function and the Session Management Function), providing Service

∗ Corresponding author.
E-mail address: jordi.mongay.batalla@pw.edu.pl (J. Mongay Batalla).

https://doi.org/10.1016/j.comcom.2021.03.024
Received 10 October 2020; Received in revised form 2 March 2021; Accepted 25 March 2021
Available online 29 March 2021
0140-3664/© 2021 The Author(s). Published by Elsevier B.V. This is an open access article under the CC BY-NC-ND license
(http://creativecommons.org/licenses/by-nc-nd/4.0/).

Based Interfaces (SBI). SBI represents how a set of services is provided/exposed by a given NF. The security features and the security mechanisms for this 5G system, as well as the security procedures performed within the network, are specified in the security architecture standardized by 3GPP in TS 33.501 [6]. In addition to these normative standards, there have been other relevant academic research works, like the 5G-ENSURE project under 5G-PPP (5G Infrastructure Public Private Partnership), that have contributed to the 5G security architecture, providing a set of security design principles and a set of security functions and mechanisms to implement the security controls needed to achieve stated security objectives [7].

Within the Service Based Architecture (SBA) context [8], the Policy Control Function (PCF) specified in TS 23.503 [9] is a Network Function that constitutes a single and unified framework for defining any type of policies, e.g. for Data Network (DN) access in the network, and delivering those to other control plane NFs, e.g., the Access and Mobility Management Function (AMF) and the Session Management Function (SMF), as relevant per each function [2]. In contrast to the approach followed in previous mobile generations, i.e. the LTE Policy and Charging Rules Function, where policy control was only bound to QoS and charging aspects [10], the 5GS is based on a unified policy control scheme that allows building consistent policies covering the entire network. At the time of writing (September 2020) Release 16 of the 5G 3GPP specification has been recently published. Even though the policy control framework has been extended in terms of flexibility, adding new use cases such as the SMF selection management related policies, the QoS control policy requirements and enforcement remain the same as in the previous Release 15.

The 5GS architecture has lately been enhanced to support network data analytics services via a new entity named NWDAF (Network Data Analytics Function) [11]. It focuses on load level information, service experience, network performance and abnormal behaviour. The PCF could subscribe to notifications of network analytics related to this kind of information and use it for the calculation and update of the policies, but this is currently not standardized.

Interestingly, there are no clear and established links between the new unified policy control framework, the 5G security architecture, and the new enhanced data analytics entity. The outcomes of this research shall help to tie together those three areas. The main objective has been to find an effective security enforcement schema, flexible enough to create new security policies and dynamic enough to react to the constantly changing security environment, across the end to end 5G architecture, thus avoiding proprietary solutions in the industry. We believe that in 3GPP the security enforcement across the entire 5G system shall be discussed at the level of the Technical Specification Group Service and System Aspects (TSG-SA). TSG-SA is responsible for the overall architecture and service capabilities of systems based on 3GPP specifications and, as such, has a responsibility for cross-TSG co-ordination. In this case mainly Working Group 2 (Architecture), Working Group 3 (Security) and Working Group 5 (Telecom Management) would be impacted.

In the current 5GS architecture the use cases around user plane security enforcement are oriented and limited to security policies towards the NG-RAN (NG Radio Access Network), based on the integrity and/or confidentiality protection activation in the air interface between the UE and the Base Station. Those security policies can be either part of the subscriber information stored in the Unified Data Repository (UDR) and fetched by the Unified Data Management (UDM) function or, alternatively, configured locally in the SMF. As currently the User Plane (UP) security policies are globally based, control by local policies in the SMF may seem a priori sufficient. But will this approach be enough to address new Service Level Agreements with ever growing security clauses? Will it be sufficient to cover upcoming subscription plans related to new security services and functionalities required by customers and tenants (e.g. verticals operating a critical infrastructure), who demand different and customized levels of security?

We believe that features like integrity protection of the UP shall be selectively activated, for instance per slice. In general, network slices serving different types of services may indeed have different security requirements and adopt distinct security protocols and mechanisms. Thus, it is a key point to provide different levels of security protection for differentiated network slices [12]. The security algorithms used for encryption of the data could as well be selectively chosen (e.g. 128 bit key length vs. 256) based on the customer profile. E.g. the requirements from a critical infrastructure in terms of security will differ from a standard enhanced Mobile Broadband slice dedicated to IoT, as proposed in [13]. Our thesis is that security may be part of the user profile stored in the UDR, and the PCF shall retrieve those new attributes to apply the corresponding policies, in this case in the AMF/SMF.

The article challenges the current standardized security enforcement mechanisms and proposes a new dynamic approach driven by the policy control framework. Thanks to the policy control framework, QoS policies can be enforced in an end to end mode in the 5G network. Considering security as a quality element of the network, i.e. applying the QoS principles to security, the target shall be to achieve an effective definition and enforcement of security policies across the 5G end to end architecture, leveraging the unified policy control framework and taking advantage as well of the new data analytics function as a knowledge base of the network and/or UE.

Obviously in the telco network we still have dedicated security functions such as firewalls, Intrusion Detection Systems (IDS), Distributed Denial of Service (DDoS) protection systems, etc., that will be managed by vendor specific management tools. Those security functions are mainly intended to protect the network as a whole, or certain parts of it based on their positioning in the network (and limited to that), not taking into consideration the individual UE. Not only the capability of detecting a security issue per UE (e.g. individual misbehaving UEs), but also the means to apply a countermeasure per UE, is currently a challenge for existing security mechanisms. Our proposal complements those mechanisms and enriches the security posture from an end to end network perspective, with all network functions of the 5GS in Radio, Transport and Core becoming de facto active security enforcers controlled by a central element, the PCF. It provides as well the fine granularity needed to consider security policies per UE, which shall become progressively relevant as new 5G use cases like Ultra Reliable Low Latency Control and massive Machine Type Communications are deployed [14]. Those use cases will require maximum reliability and real time response to potential security incidents in particular UEs (e.g. a high precision robot in a hospital, or IoT devices that are part of a critical infrastructure [15]).

It is important that security is integrated and added by design into the native environment instead of being retrofitted later into the networks and/or devices [16]. Thus, with our new approach we shall be able to dynamically set up security policies in the network functions across the entire 5GS, nailing down to the UE level. Those have been the main reasons for choosing the QoS/Policy Control framework as a reference in this environment.

Finally, we have investigated the potential use of the new network analytics function for security assurance purposes. No doubt the security assurance of the network will require sophisticated and security specific monitoring tools, such as Security Incident and Event Management (SIEM) systems. Nevertheless, our research shows that we can also obtain relevant information from the network behaviour to build security insights. An incident detected by NWDAF or SIEM may trigger a policy change in the network, managed by the PCF, e.g. moving a user from a security compromised slice to a quarantine slice.

The following diagram zooms in on the policy control function and its interconnection with the NFs proposed for security enforcement and assurance. It will be detailed further along the next sections (see Fig. 1).

The remainder of this paper is organized in the following fashion: Section 2 goes through several key aspects of security enforcement in the network. It follows the principles of end to end QoS by describing the challenges that the actual 5GS architecture faces in this field. Section 3 presents our proposals to deal with those challenges, utilizing the existing 5GS SBA based architecture and relevant NFs


Fig. 1. PCF schema for security.
Source: Adapted from [9].

(e.g. PCF) with a security approach on top of the existing 3GPP security architecture (TS 33.501). Here we introduce the use of new security attributes and flows to solve the flexibility and dynamicity of security enforcement, which is being required by the different 5G industry actors and stakeholders. Section 4 introduces the proposed future work, focused on implementation opportunities of the paper in areas like security analytics with machine learning, roaming scenarios and/or IoT use cases. Finally, Section 5 concisely includes the main conclusions of the paper.

2. Challenges to apply end to end security enforcement in 5G

With the aim of structuring the proposals to enable end to end security enforcement in the 5G architecture, the security challenges addressed by this proposal have been grouped under the following four domains:

- Applying QoS principles for security enforcement
- Session management and user plane
- Policy control
- Network analytics

2.1. Challenges to apply QoS principles to security enforcement

When applying the basic QoS enforcement principles to security enforcement as per business demands (e.g. generated in vertical markets), one of the main difficulties is being able to measure the security characteristics in a similar way as QoS is quantified in the network. A QoS profile is well defined as the set of QoS parameters applied to a QoS flow (the QoS flow is the finest granularity of QoS differentiation in a Packet Data Unit (PDU) session). Such parameterization is quantitative, i.e. it can be measured with numerical values. For example, the 5G QoS Identifier is a parameter represented by a scalar used as a reference to 5G QoS characteristics like scheduling, weights, admission thresholds, etc. There are even pre-configured standardized values. But how should a security profile be built in the 5G architecture, and how could a quantitative security parameterization in terms of integrity protection, confidentiality protection, access control or malware detection, among others, be established? Our proposition to solve this issue is presented in Section 3.1.

2.2. Challenges at session management level to enforce security controls

Upon reception of a UE request for a new PDU session the SMF manages the entire lifecycle of the session. Today the PDU request does not include any security parameter or attribute as in the case of QoS (e.g. number of supported packet filters for a signalled QoS rule), thus a priori it is not possible for a UE to request specific 5G UP security services, i.e. 'secure' PDUs. Mission critical governmental applications may require special security provisions in the PDU session between the UE and a Data Network, like strong ciphering algorithms or longer encryption keys in certain service flows supported by certain Data Radio Bearers (DRB).

The SMF determines at PDU session establishment the UP security enforcement information for the user plane of a PDU session based on subscriber information from the UDM, the UP security policy locally configured per DNN and/or slice in the SMF and/or the maximum supported data rate per UE for integrity protection per DRB. The local security configuration in the SMF has been considered sufficient for globally applicable and static policies. The question is whether such a static approach will still be valid for upcoming use cases, where subscription plans can be related with security added value services and corresponding tenants (e.g. the owner of a critical infrastructure) requiring different levels of security (e.g. per slice) and the ability to react to security incidents. Those use cases will require scalability, flexibility and dynamicity in the policy management and configuration beyond the local approach of today. Furthermore, the security enforcement information just indicates whether UP integrity and confidentiality protection need to be applied in the NG-RAN network area, and only for the 3GPP type of access. The extension of the UP security enforcement from the NG-RAN to the transport and core network areas up to the target DN is today a challenge, i.e. the end to end security enforcement approach across the entire connectivity provided by the PDU session.

The following Fig. 2 represents the current UP security enforcement and the current caveats:

Reference point  Short description
N2   Reference point between 5G-RAN and AMF based on Next Generation Application Part
N3   Reference point between 5G-RAN and UPF based on GTPv1-U (GPRS Tunnelling Protocol User Plane)
N4   Reference point between SMF and UPF to manage data sessions at the user plane. N4 is based on PFCP (Packet Forwarding Control Protocol)
N6   Reference point between UPF and packet data networks. It can, e.g., transport IP and Ethernet packets
N9   Reference point between two UPFs to transmit user plane data. It is based on GTPv1-U
N11  Reference point between AMF and SMF

Once the PDU session is established, the current characterization of the session (i.e. PDU session information) is limited to a few information elements mainly related to QoS (e.g. QoS Flow Identifier, Reflective QoS Indicator), and there are no security attributes triggering mitigation actions in case of a security incident at PDU level. For example, applications dealing with secret classified data may require special security provisions in the Packet Data Unit (PDU) session between the UE and a Data Network, like strong ciphering algorithms or longer encryption keys in certain service flows supported by certain Data Radio Bearers (DRB). In Section 3.2 we will develop a framework to provide security attributes for incidents at the PDU level.
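The SMF decision just described (subscribed UP security policy from the UDM, local per DNN/slice configuration, and the UE's maximum data rate for integrity protection) can be made concrete with a small Python model. This is an added illustration, not code from the paper or from any 3GPP implementation: the precedence of UDM data over local SMF configuration, the downgrade of a PREFERRED integrity setting when the UE cannot sustain the rate, and the DNN and slice names are all assumptions of the example. Note what the inputs do not contain: no tenant or incident specific security attribute, which is exactly the gap the section points out.

```python
"""SMF determination of the UP security enforcement information.

Added illustration; not code from the paper or from any 3GPP implementation.
It takes the three inputs the paper lists for the SMF at PDU session
establishment: the subscribed UP security policy from UDM, the UP security
policy configured locally per DNN and/or slice in the SMF, and the UE's
maximum supported data rate for integrity protection. That UDM data takes
precedence over local SMF configuration, and that a PREFERRED integrity
setting is dropped when the UE cannot sustain the rate, are assumptions of
this example; the DNN and slice names are constructed.
"""
from dataclasses import dataclass
from enum import Enum
from typing import Optional


class Protection(str, Enum):
    REQUIRED = "REQUIRED"
    PREFERRED = "PREFERRED"
    NOT_NEEDED = "NOT_NEEDED"


@dataclass(frozen=True)
class UpSecurityPolicy:
    integrity: Protection
    confidentiality: Protection


# Constructed local SMF configuration keyed by (DNN, slice).
LOCAL_POLICIES = {
    ("internet", "eMBB"): UpSecurityPolicy(Protection.NOT_NEEDED, Protection.REQUIRED),
    ("critical-infra", "URLLC"): UpSecurityPolicy(Protection.REQUIRED, Protection.REQUIRED),
}
DEFAULT_POLICY = UpSecurityPolicy(Protection.PREFERRED, Protection.PREFERRED)


@dataclass(frozen=True)
class PduSessionRequest:
    supi: str
    dnn: str
    snssai: str
    # Highest rate (kbit/s) the UE can integrity-protect; None means full rate.
    ue_max_integrity_rate_kbps: Optional[int]
    # Rate (kbit/s) the session is expected to carry, e.g. its Session-AMBR.
    session_ambr_kbps: int


def determine_up_security(req: PduSessionRequest,
                          udm_policy: Optional[UpSecurityPolicy]) -> dict:
    """Return the UP security enforcement information for one PDU session.

    1. A subscribed policy from UDM, when present, wins over local config.
    2. Otherwise the SMF uses its per (DNN, slice) configuration or a default.
    3. If the UE cannot integrity-protect at the session rate, PREFERRED
       integrity becomes NOT_NEEDED; REQUIRED integrity is flagged as a
       conflict so the SMF can reject or re-plan the session.
    """
    policy = udm_policy or LOCAL_POLICIES.get((req.dnn, req.snssai), DEFAULT_POLICY)
    source = "UDM" if udm_policy else "SMF-local"
    integrity = policy.integrity
    rate_ok = (req.ue_max_integrity_rate_kbps is None
               or req.ue_max_integrity_rate_kbps >= req.session_ambr_kbps)
    rate_conflict = False
    if not rate_ok:
        if integrity is Protection.PREFERRED:
            integrity = Protection.NOT_NEEDED
        elif integrity is Protection.REQUIRED:
            rate_conflict = True
    return {
        "integrity": integrity.value,
        "confidentiality": policy.confidentiality.value,
        "source": source,
        "integrity_rate_conflict": rate_conflict,
    }
```

The `integrity_rate_conflict` flag is where a static configuration shows its limits: a critical infrastructure slice that demands integrity protection cannot be served by a UE limited to a low integrity rate, and nothing in this flow lets a tenant or a security incident change the decision after establishment.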


Fig. 2. UP security enforcement.

2.3. Challenges to define security policies under policy control framework

While it may seem laborious to define security policies per subscription, it is not different from doing this for QoS. It can be expected that both security and QoS policies are not really individual, but the same policies will be applied to large groups of subscriptions, e.g. per slice.

According to [9] the Policy and Charging Control rule (PCC rule) comprises the information that is required to enable the user plane detection, the policy control and proper charging for a service data flow. Two different types of PCC rules exist: dynamic rules and predefined rules. The dynamic PCC rules are provisioned by the PCF to the SMF, while the predefined PCC rules are configured in the SMF. When a dynamic PCC rule and a predefined PCC rule have the same precedence, the dynamic PCC rule takes precedence. The targets of the policies are:

• PDU sessions
• Service Data Flows (SDF): sets of PDUs (within a PDU session) identified by traffic filters

Whether PCF control is applied to a PDU session is defined by SMF policies based on the DNN and/or slice. If there is no PCF control, then local policy-based rules are set up in the SMF.

The PCC rule definition includes the service data flow detection mechanism (i.e. filters, application template), charging related Information Elements (IE) and policy control related IEs (e.g. gating, QoS, bit rates, etc.). A service data flow filter contains information for matching user plane packets for IP PDU traffic or Ethernet PDU traffic. The service data flow template information within an activated PCC rule is applied by the SMF to instruct the UPF to identify the packets belonging to a particular service data flow.

A key challenge is the proper definition of security information elements as part of the PCC rule. Currently the PCC rules as defined in [9] do not explicitly include such parameters, neither as part of the service data flow detection, to be able to identify security events, nor as part of the policy control actions.

Moreover, the SMF sends the PCF information on the status of the PDU session (e.g. access type, roaming, IP address, etc.), thus the PCF can dynamically react based on certain triggers to change the policies accordingly. The definition of security triggers is crucial, as it affects not only the security status of the network, but the overall QoS and SLA of the network (e.g. DDoS attack). The challenge is to create those security triggers (e.g. recently discovered security vulnerabilities, frauds, attacks, access violations, etc.), as part of the detection filters configured in the UPF or other specific security probes, with the strategic aim of including security assurance aspects in the overall service assurance of the network.

The question is now: how to make security part of the PCC decision making process of the PCF? We provide a proposal in Section 3.3.

2.4. Challenges to introduce security use cases under network analytics

NGMN in [17] indicated that the 5G system should be able to access, monitor and process various pieces of information in order to optimize its operation, and in particular the service and application characteristics, so that operator policy/control can be enforced in a timely manner to optimize traffic flows. Although it also mentions the need of enhancing the user and service experience via data analytics, it does not explicitly associate data analytics with security. It rather refers to security as one of the key connection attributes to be managed and controlled in a programmable and switchable manner depending on the use cases and policies defined by the operator.

The Network Data Analytics Function (NWDAF) appears in Release 15 as part of the SBA architecture [11], and in Release 16 it has been extended to non-slice-specific analytics, with a few security related use cases around DoS detection. There can be multiple NWDAFs specialized in different types of analytics, identified by the Analytics ID Information Element (IE). This IE is used to identify the type of supported analytics that the NWDAF can generate. The NWDAF interacts with different entities for different purposes, such as data collection based on subscription to events provided by different network functions, retrieval of information from data repositories and NFs, and on demand provision of analytics to different kinds of consumers. Currently the data collection feature permits the NWDAF to retrieve data mainly from control plane sources for slices or groups of UEs, but it is not yet specified how to collect user plane security related data from the UPF, which is indeed currently limited to traffic volumes and data rates. Just measurements and trace data are collected by Operation, Administration and Management systems, which can be shared with the NWDAF via Management Service. For security analytics purposes, information about malware, botnets, protocol anomalies, etc., collected from user plane traffic analysis via for example security probes (e.g. IDS embedded in the UPF) or malware sandboxes as proposed by [18], would be very useful to enhance the network analytics with new security use cases.

The analytics information provides a valuable knowledge basis around the load level of a network slice, service experience, network performance, mobility, QoS, UE behaviour, etc. Within the scope of this article three basic questions are posed: how relevant security information can be derived from that analytics knowledge basis, what specific new security parameters could be monitored and further analyzed in the NWDAF, and how the PCF can make use of such information to set up and enforce security policies in the end to end 5G architecture.

3. Proposed approach to security enforcement in 5G

The concept of considering security as a dimension of QoS in networks has been commonly accepted for many years by the telecommunications industry. However, from the enforcement perspective the implementation of security policies and QoS parameters in the network has differed widely in mobile networks so far. This is because, until the


arrival of 5G, security has been regarded as an add-on only, whereas QoS represents the key measurement parameter of the network. In 5G security must be considered as part of the overall architecture and built into it from the start.

In 5G the PCF provides a single framework for defining any type of policies in the network and for delivering related policy rules to the other control plane network functions as relevant per each function. With the perspective of the near future, when subscription plans demanded by the tenants will require the inclusion of security clauses, i.e. security as an essential part of the SLAs as occurs today with QoS, we propose new approaches to security enforcement taking advantage of the unified policy control paradigm in 5G.

The following sections address the main challenges presented in Section 2, establishing the pillars of a new security enforcement schema in the entire 5G architecture.

3.1. Application of QoS policies to security use cases

Each PDU session is associated with a per-session Aggregate Maximum Bit Rate (AMBR). The Session-AMBR limits the aggregate bit rate that can be expected to be provided across all Non-Guaranteed Bit Rate (Non-GBR) QoS flows for a specific PDU session. At UE level, each UE is associated with a per-UE AMBR. The UE-AMBR limits the aggregate bit rate expected to be provided across all Non-GBR QoS flows of a UE. Our proposal is that those QoS policies could be applied restrictively and dynamically from the PCF into the network at the reception of security events or incidents, which may be created in the NWDAF or in another security analytics platform looking at the user plane (e.g. SIEM tools placed in the management plane, IDS systems embedded in the UPF, etc.). Based on a pre-defined security indicator, different policies can be enforced from the PCF, working de facto as an efficient mitigation mechanism in the network:

• Set up a new Session-AMBR;
• Set up a new UE-AMBR. It would be a kind of quarantine for the UE (example: the UE is an active bot of a DDoS attack);
• Set up a new PDU session with more restrictive security controls in the QoS profile.

The PCF shall then be the policy decision point, while other NFs/parts of the network are the enforcement points. There should be as well an interface to the management plane for policy administration and support of the decision, e.g. to a central security management system.

In general, QoS profiles can be dynamically established by the SMF in the 5G access network. In particular, specific QoS rules can be enforced to the UE through Session Management (SM) signalling over the N1 interface (N1 is the reference point between UE and AMF to exchange Non-Access Stratum messages) from the SMF (via AMF), or directly on the UPF over N4 (N4 is the reference point between SMF and UPF to manage data sessions at the user plane; N4 is based on the Packet Forwarding Control Protocol, PFCP). The SMF indeed manages QoS flows with rules, associating traffic filters with QoS policies coming from the PCF. The traffic filter set is configured in the UPF and can serve to easily manage security services. For example:

• Security association identified by a particular Security Parameter Index for a particular group of UEs or slice with special security requirements (e.g. crypto-algorithm, key lengths, etc.);
• Detection and dynamic QoS rules like traffic gating can be easily applied.

The following diagram depicts the concept of applying security rules as part of the QoS policies in the network (see Fig. 3):

Fig. 3. Applying QoS rules for security.

Reference point  Short description
N1   Reference point between UE and AMF to exchange NAS (Non-Access Stratum) messages
N2   Reference point between 5G-RAN and AMF based on Next Generation Application Part
N4   Reference point between SMF and UPF to manage data sessions at the user plane. N4 is based on PFCP (Packet Forwarding Control Protocol)
N7   Reference point between SMF and PCF
N11  Reference point between AMF and SMF
N23  Reference point between PCF and NWDAF

One example of a security call flow implemented by this concept is shown in Fig. 4.

1.a. NWDAF to PCF: The PCF is subscribed to NWDAF notifications. Due to a security incident in the network (e.g. a Denial of Service attack) we found a situation of user data congestion, which is communicated in a message to the PCF via the N23 interface (N23 is the reference point between PCF and NWDAF).

1.b. Security Management to PCF: A security management system has been integrated with the PCF via a REST API. A security event is reported to the PCF.

1.c. PCF to UDR (optional): The PCF requests a set of data from the UDR via N36 (N36 is the reference point between PCF and UDR). In this use case it could be the identifier of a security policy that is part of the subscription's set of policies, to be applied in case of a security incident.

2. PCF to SMF: After the policy decision is taken, the PCF has determined that the SMF needs updated policy information to mitigate the security issue, and issues an Npcf_SMPolicyControl_UpdateNotify request via N7 with updated policy information about the PDU session, in this case setting up a new Session-AMBR.

3. SMF to PCF: The SMF acknowledges the PCF request.
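The decision steps above (1.a to 3), together with the PCC rule model of Section 2.3 (dynamic versus predefined rules, precedence, service data flow filters), can be exercised end to end in a compact Python model. This is an added illustration and not code from the paper or from any 3GPP implementation: the event indicators, the AMBR values, the layout of the Npcf_SMPolicyControl_UpdateNotify content and the `security` information element carried inside the PCC rule (the paper proposes such an IE; TS 23.503 does not define it) are all constructed for the example, and treating a lower precedence value as evaluated first is an assumption. The example also shows the precedence tie-break the paper reports: a dynamic rule pushed by the PCF displaces a predefined SMF rule of equal precedence, which is what lets a security-driven gate close a flow that a standing QoS rule would otherwise admit.

```python
"""PCF security decision delivered to the SMF as dynamic PCC rules.

Added illustration; not code from the paper or from any 3GPP implementation.
It combines the PCC rule model (dynamic vs. predefined rules, precedence,
service data flow filters) with the call flow in which a security event from
NWDAF or a security management system leads the PCF to send an
Npcf_SMPolicyControl_UpdateNotify to the SMF. The message layout, the
`security` information element inside the PCC rule, the event indicators and
the AMBR values are constructed for this example; treating a lower precedence
value as evaluated first is an assumption.
"""
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
from typing import Dict, List, Optional


@dataclass(frozen=True)
class SdfFilter:
    """Service data flow filter for IP PDU traffic (subset of the 5-tuple)."""
    direction: str                     # "UPLINK" or "DOWNLINK"
    proto: Optional[str] = None        # e.g. "TCP", "UDP"; None matches any
    remote_net: str = "0.0.0.0/0"      # remote address prefix
    remote_port: Optional[int] = None  # None matches any port

    def matches(self, pkt: dict) -> bool:
        return (pkt["direction"] == self.direction
                and (self.proto is None or pkt["proto"] == self.proto)
                and ip_address(pkt["remote_ip"]) in ip_network(self.remote_net)
                and (self.remote_port is None or pkt["remote_port"] == self.remote_port))


@dataclass
class PccRule:
    rule_id: str
    kind: str                   # "dynamic" (provisioned by PCF) or "predefined" (configured in SMF)
    precedence: int             # lower value is evaluated first (assumption)
    filters: List[SdfFilter]    # service data flow template
    gate: str = "OPEN"          # policy control IE: gating ("OPEN"/"CLOSED")
    # Hypothetical security IE proposed by the paper; not part of TS 23.503 today.
    security: Dict[str, str] = field(default_factory=dict)


@dataclass
class PduSession:
    supi: str
    session_ambr_kbps: int
    rules: List[PccRule]


def select_rule(session: PduSession, pkt: dict) -> Optional[PccRule]:
    """SDF detection as applied by SMF/UPF: the matching rule with the best
    precedence wins; on equal precedence the dynamic rule beats the
    predefined one, as the paper reports from TS 23.503."""
    cands = [r for r in session.rules if any(f.matches(pkt) for f in r.filters)]
    cands.sort(key=lambda r: (r.precedence, 0 if r.kind == "dynamic" else 1))
    return cands[0] if cands else None


# Constructed mapping from security indicator to the mitigations listed in Section 3.1.
MITIGATION = {
    "USER_DATA_CONGESTION": {"session_ambr_kbps": 1000},        # NWDAF notification
    "DDOS_BOT": {"session_ambr_kbps": 64, "ue_ambr_kbps": 64},  # SIEM event: quarantine the UE
}


def pcf_decide(event: dict, session: PduSession) -> Optional[dict]:
    """PCF as policy decision point: return the Npcf_SMPolicyControl_UpdateNotify
    content (as Python objects), or None when the indicator is not recognised."""
    action = MITIGATION.get(event["indicator"])
    if action is None:
        return None
    notify = {"supi": session.supi, "sessionRules": dict(action), "pccRules": []}
    if "remote_ip" in event:  # gate only the offending flow, not the whole session
        notify["pccRules"].append(PccRule(
            rule_id=f"sec-{event['indicator'].lower()}", kind="dynamic", precedence=10,
            filters=[SdfFilter("UPLINK", remote_net=f"{event['remote_ip']}/32")],
            gate="CLOSED", security={"trigger": event["indicator"], "source": event["source"]}))
    return notify


def smf_apply(session: PduSession, notify: dict) -> dict:
    """SMF as enforcement point: install the update and derive what is pushed
    to the UPF over N4 (QoS Enforcement Rule with the new Session-AMBR plus
    the detection rules with their gate status)."""
    if "session_ambr_kbps" in notify["sessionRules"]:
        session.session_ambr_kbps = notify["sessionRules"]["session_ambr_kbps"]
    new_ids = {r.rule_id for r in notify["pccRules"]}
    session.rules = [r for r in session.rules if r.rule_id not in new_ids]
    session.rules.extend(notify["pccRules"])
    return {"qer": {"session_ambr_kbps": session.session_ambr_kbps},
            "pdrs": [(r.rule_id, r.gate) for r in session.rules]}


def handle_packet(session: PduSession, pkt: dict) -> str:
    """UPF view: which rule a packet hits and whether it may pass."""
    rule = select_rule(session, pkt)
    return f"{rule.rule_id}:{rule.gate}" if rule else "no-match:DROP"
```

The `security` field is the part that the current PCC rule lacks: without it the SMF and UPF cannot tell a security-driven gate or rate limit from an ordinary QoS rule, so neither service assurance nor a later audit can attribute the restriction to the incident that caused it.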


Fig. 4. Applying QoS policies to security.

4.a. SMF to UPF: QoS enforcement based on the QoS Enforcement Rule sent by the SMF is a function offered by the UPF. This includes rate enforcement of the Session-AMBR (received from the PCF in the SMF in step 2) via N4.

4.b. SMF to UE: Exchange N1 SM signalling (via AMF) with the UE to provide the UE with QoS rule(s), e.g. set up a new UE-AMBR limiting the aggregate bit rate that can be expected to be provided across all Non-GBR QoS flows of all PDU sessions of a UE.

4.c. SMF to 5G AN: Exchange N2 (N2 is the reference point between 5G-RAN and AMF based on Next Generation Application Part) SM signalling (via AMF) to set QoS parameters in the 5G Access Network, e.g. reservation of resources for a specific type of traffic.

3.2. User plane security enforcement and assurance

Our approach for the enforcement of security policies on the UP traffic is materialized under the policy control umbrella. Acting directly on the AMF and on the SMF control network functions, the PCF shall reach the UE, the Radio Access Network (RAN) and the UPF to apply those policies directly on the UP.

3.2.1. Security policies enforcement via AMF

There are two types of policies for access and mobility managed and enforced by the AMF, dictated by the PCF and stored in the UDR, that

◦ Priorities of access types (e.g. LTE such as in [19] or 5G) the user may use. The proper definition of those priorities can prevent bidding down attacks forcing the UEs to connect to more vulnerable networks like 2G, which are much more prone to be compromised than 4G or 5G. An attacker could attempt a bidding down attack by making the UE and the network entities respectively believe that the other side does not support a security feature, even when both sides in fact support that security feature. The Anti-Bidding down Between Architectures parameter was already specified in Release 15 in [6], but currently it is not yet really effective, because it is meant to protect against bidding down from future, enhanced security features down to the current security features.

• Policies transferred from the PCF to the UE via the AMF:

◦ User Equipment Route Selection Policy to determine how to route egress traffic (PDU selection policies). A new PDU session could be triggered in case of a security incident (e.g. malware detection in the UE), i.e. a kind of 'quarantine' PDU with special policies across the data path, or even a PDU terminated in a secure DN with special security services (e.g. a scrubbing centre).

The concept of Local Area Data Network (LADN) in 5G, used for
can support security use cases without major changes in the policies Multi-access Edge Computing in 5G, supports the implementation of
definition: the measures described above [20]. LADN enforces restrictions on PDU
sessions available/authorized only in a set of locations known as LADN
• Policies transferred from PCF to AMF: service areas. The LADN service area is configured in the AMF on a
per DNN basis, and the AMF provides the UE with information on the
◦ Service area restrictions: ‘Tracking Area’ (TA) is a logi- LADN service area.
cal concept of an area where a user can move around
without updating the mobility management node. The net- 3.2.2. Security policies enforcement via SMF
work allocates a list with one or more TAs to the user. SMF is responsible for the signalling required to control a PDU ses-
The service area restrictions policy consists of either an sion (via N4 signalling), and to set the user plane handling within this
allowed area, or a non-allowed area. Our proposal is to PDU session (selection of the User Plane Functions (UPF) supporting the
establish different security levels per service area using PDU session). Therefore, SMF controls the functions supported by UPF,
certain thresholds to determine whether the user is entitled including Security related functionalities like firewalling, throttling,
to move or not to a higher security service area. Example: (D)DoS protection, GPRS Tunnelling Protocol (GTP) inspection (new
sensitive geographical areas hosting critical infrastructure Inter PLMN UP Security in Release 16), etc. Besides that, it controls
may restrict the access to users generating a Subscription the policy enforcement, i.e. the interaction with the PCF to get the
Concealed Identifier (SUCI) using ‘null schema’ (i.e. non policy rules and apply them into the UPF directly or into other parts of
protected subscriber permanent identifier) in order to pre- the network like NG-RAN via the AMF. Thus, our proposal is that the
vent for example the impact of rogue base stations or security controls embedded in UPF can be managed by security policies
tracking/eavesdropping type of attacks, or on the other in PCF.
side allowing the access only to those users supporting UP Furthermore, this new concept shall enable user plane security
integrity protection in the air interface. enforcement policies (confidentiality and integrity protection) in the

air interface (i.e. between UE and 5G-AN) to be managed in the PCF (instead of being locally configured in the SMF as today), which shall retrieve them from UDR, as storage of policy profiles with predefined security policies. Therefore, those policies shall be part of the dynamic PCC Rules dedicated to user plane security, and potentially extended to other domains and UP interfaces like N6 (reference point between UPF and packet data networks based on, e.g., IP or Ethernet transport), N3 (reference point between 5G-RAN and UPF based on GPRS Tunnelling Protocol User Plane, GTPv1-U) and N9 (reference point between two UPFs to transmit user plane data, also based on GTPv1-U).

Fig. 5. PDU establishment with security policies in PCF.

3.2.3. UP security enforcement use cases

Same as SGi-LAN for LTE, the N6-LAN concept for 5G shall allow PCF to configure UPF for security service function chaining towards data networks.

TS 33.501 states that the transport of user data over N3 shall be integrity, confidentiality and replay-protected. The required mechanism is IPSec ESP and IKEv2 certificate-based authentication. However, the use of cryptographic solutions to protect N3 is an operator’s decision. These types of solutions in the near future could be selectively deployed based on the security level offered to a group of users, slices and/or tenants, depending on the requirements and criticality of the service or infrastructure. For example, private networks serving critical infrastructure (e.g. utilities), or vehicular ad hoc networks (VANETs) [21], will certainly require full protection of the communications between radio stations and core, even in addition to the security mechanisms applied at application level. The proposal here is to include the cryptographic solution activation in N3 as part of the PCC rule to be enforced on the gNB (via AMF) and the Security Gateway part of the UPF system (via SMF). The enforcement shall create a new IPSec tunnel or allocate the PDU to an existing IPSec tunnel.

The same concept is applicable to the security mechanisms applied to N9 for certain use cases such as the interconnection with another operator. In this context GTP inspection or IPSec [22] are already standardized, but not the enforcement via PCF as part of a ‘Security’ SLA.

Moreover, with relevant data consumed from new Analytics functions like NWDAF, or databases like the Unstructured Data Storage Function storing session data, or security events received from UPF or other specific security analytics platforms (which can correlate events from multiple sources), PCF can react to changes in the established Security Service Level Agreements by querying UDR, applying new security policies, enforcing the establishment of new more secure PDUs, i.e. mitigating the security issue which triggered the action.

For example, upon detection of a fake base station in a certain area of the network, or simply looking at a certain critical area from the point of view of security (e.g. airports, critical infrastructure sites, etc.), the PCF shall enforce integrity protection for the relevant UEs/group of UEs attached to the base stations in this network geographical area. Other constraints can also build valid use cases (e.g. UEs attached to a critical slice). The policy of the UEs shall be updated from ‘Not Needed’ to ‘Preferred’ or ‘Required’. Within the overall flow process of the PDU establishment, in bold we introduce the calls to be executed to provide the described dynamic enforcement of security policies from the PCF, see Fig. 5.

3.2.4. Security assurance

Once the PDU session has been established with security attributes (e.g. ciphering of a particular service flow, integrity protection, access control policies, etc.), allowing the security enforcement in an extended sense in the network, there are two key aspects still worth considering, i.e. the security data collection and closed loop automation. To introduce them an analogy with the Charging function (CHF) is used (see Fig. 6).

Usage data collection may be used for charging purposes, gathering statistics and monitoring the overall network usage and UE behaviour. The CHF informs the PCF when the user has crossed some thresholds (e.g. spending limits), and consequently the PCF considers this info to apply dynamically related policies to the user session, e.g. restriction of the QoS for a given PDU session, redirection to an operator Web Page (captive portal), etc. The proposal here consists of enriching the data collection with security relevant data from the embedded security features in the UPF. The SMF would be responsible to collect such enriched data from the UPF and to transfer it to a central security management system, where this data is stored, contextualized and correlated with security information collected from various security dedicated platforms in the network, e.g. firewall logs, security telemetry, IDS logs, etc.

That security management system shall be responsible for creating security incidents, and trigger actions on the PCF and/or SMF, e.g. informing the PCF that certain Security SLAs have been crossed, redirecting

the user traffic to for example a scrubbing centre or dedicated security DNs, etc.

Reference point    Short description
N4                 Reference point between SMF and UPF to manage data sessions at the user plane. N4 is based on PFCP (Packet Forwarding Control Protocol)
N7                 Reference point between SMF and PCF

In 5G the UPF assumes the role of the Traffic Detection Function in the 4G Evolved Packet Core, i.e. packet inspection (e.g. application detection based on service data flow), thus it can enforce the PCF policies. Indeed, the technology implementing UPFs integrates more and more security functionalities like firewall or Carrier Grade Network Address Translation.

5G Core allows the PCF to coordinate between connectivity related policies sent to the UE and policies sent to the network, that could be deployed in UPF for the user plane, e.g. a security policy in an L7 firewall embedded in UPF for a certain service towards a particular user. The following two use cases illustrate this concept:

• According to [9] one of the functionalities supported by the PCF for the SMF selection management for a PDU session is to provide a policy to the AMF to contact PCF for performing DNN replacement of specific DNNs. A trigger for such a replacement action could be a compromised DNN due to a security incident, reported to PCF via NWDAF due to an overload of a particular DN or Slice (e.g. DDoS attack).
• When SMF receives the PCC Rule, the SMF can take the actions to reconfigure the UP of the PDU. One of those actions can be to update the UPF with new steering rules, for example to forward certain suspicious traffic to local data centres (e.g. Mobile Edge Computing (MEC)) with the aim of containing a potential security breach in a small controlled area of the network. The concept of MEC is to facilitate the deployment of UPFs at the edge of the network, closer to the UE for key and sometimes critical applications (e.g. Ultra Reliable Low Latency use cases, caching, stadiums, etc.). As a response to an incident the Application Function (AF) can make a request to 5G Core (i.e. PCF or via Network Exposure Function (NEF)) to steer the traffic of a group of UEs, or even a complete slice, to a UPF located in the edge, where security functions such as DDoS protection, scrubbing centres, IDS/IPS, etc., can be deployed as containment mechanisms.

AFs interact with the 3GPP core network to provide services such as application influence on traffic routing, access to NEF and interaction with the policy framework (through reference point N5), i.e. they request dynamic policies. AFs are today identified as MEC orchestration applications, or IP Multimedia System (IMS). The proposal here is to extend the scope of AFs to security applications:

• Influence on traffic routing as a mitigation security mechanism. Example: BGP injection and changes of routes in case of a detected attack (e.g. DDoS)
• Access to 5G core network via NEF. Example: 3rd party security companies offering threat intelligence feeds
• Interaction with the policy framework. Example: policy changes due to unpredicted security events or feeding with new SDF filter rules due to new threat signatures.

Fig. 6. Security data collection and closed loops.

3.3. Establishing security policies as part of PCC rules

PCC Rules connect the SDF templates (either a list of service data flow filters or an application identifier that references the corresponding application detection filter) with the possible actions on the traffic, i.e. the policy enforcement. Taking the current actions proposed by 3GPP as a basis, focused on pure QoS actions, we propose to extend and apply those actions for security purposes as summarized in Table 1.

In [9] the table 6.3.1 lists the information contained in a PCC rule, including the information name, the description and whether PCF may modify this information in a dynamic PCC rule which is active in the SMF. The latter is key for security assurance purposes.

Table 2 shows an extract from the referred table 6.3.1 in [9], where the relevant information elements used for our security purposes have been selected and commented. The grey shadow in Table 2 and consecutive tables shows added elements in comparison to the standard. At the end a new category named ‘Security’ has been introduced with two information elements referring to the security policies existing today in the user plane, but currently managed locally in the SMF and limited to the access network. Our contribution is to make them part of the PCC rule structure.

Looking at the PDU level, PCF can control as well different parameters of a PDU session and among them the conditions upon which the SMF shall fetch new policies for the PDU session (policy control request triggers). Those conditions are important to define security enforcement use cases, i.e. if the condition is a security trigger (e.g. incident, overload, exceeding thresholds, etc.), then PCC security rules are to be communicated from the PCF to the SMF and be enforced in UPF and/or 5G access network. The purpose of the PDU session related policy information is to provide policy and charging control related information that is applicable to a single monitoring key or the whole PDU session respectively. The PCF may provide PDU session related policy information to the SMF together with PCC rules or separately.
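As an added illustration (not code from the paper or from 3GPP), the following Python sketch models the flow of Fig. 4 together with the PCC rule extension of Section 3.3: a security event reported to the PCF (step 1.b) becomes an updated PDU session policy (step 2), and the SMF derives the N4 actions for the UPF and the N2 user plane security settings for the 5G-AN (steps 4.a to 4.c). The dataclass fields, SDF filter syntax, event types, DNAI names and SUPI are constructed assumptions, not the TS 29.512 data model.

```python
from copy import deepcopy
from dataclasses import dataclass, field
from typing import Optional

# UP security policy values of TS 33.501 (Section 3.2.3: 'Not Needed' -> 'Preferred'/'Required')
UP_LEVELS = ("Not Needed", "Preferred", "Required")


@dataclass
class PccRule:
    """One PCC rule: an SDF template plus the actions of Table 1 and the added
    'Security' elements of Table 2. Field names and filter syntax are constructed."""
    rule_id: str
    precedence: int                     # lower value is evaluated first when SDF filters overlap
    sdf_filters: list                   # service data flow filter strings (constructed syntax)
    gate_status: str = "ENABLED"        # PCC-QoS gating control -> PCC-Security personal firewall
    dnai: Optional[str] = None          # steer matching traffic to this Data Network Access Identifier
    up_integrity: str = "Not Needed"    # added 'Security' category: UP integrity protection policy
    up_confidentiality: str = "Not Needed"


@dataclass
class PduSessionPolicy:
    supi: str
    session_ambr_kbps: int              # Session AMBR, the parameter updated in step 2 of the flow
    rules: dict = field(default_factory=dict)


def raise_level(current: str, target: str) -> str:
    """Only ever strengthen a UP security policy, never weaken it."""
    return target if UP_LEVELS.index(target) > UP_LEVELS.index(current) else current


def pcf_decide(policy: PduSessionPolicy, event: dict) -> PduSessionPolicy:
    """PCF policy decision (step 2): map a security event reported by the security
    management system (step 1.b) to an updated PDU session policy. The returned
    object is what the PCF would push in Npcf_SMPolicyControl_UpdateNotify."""
    new = deepcopy(policy)
    kind = event.get("type")
    if kind == "fake_base_station":
        # Section 3.2.3: UEs attached in the affected area go from 'Not Needed' to 'Required'
        for rule in new.rules.values():
            rule.up_integrity = raise_level(rule.up_integrity, "Required")
    elif kind == "ddos_suspected":
        # Table 1: throttle via a new Session AMBR and steer the flows to a scrubbing DNAI
        new.session_ambr_kbps = max(policy.session_ambr_kbps // 10, 64)
        for rule in new.rules.values():
            rule.dnai = event["scrubbing_dnai"]
    elif kind == "malware_detected":
        # Section 3.2.1 'quarantine' PDU: gate the existing flows and add a top-precedence
        # rule that sends everything to a DN hosting security services (e.g. scrubbing centre)
        for rule in new.rules.values():
            rule.gate_status = "DISABLED"
        new.rules["quarantine"] = PccRule(
            rule_id="quarantine", precedence=0, sdf_filters=["permit out ip from any to any"],
            dnai=event["quarantine_dnai"], up_integrity="Required", up_confidentiality="Required")
    # any other event type leaves the policy unchanged
    return new


def smf_apply(policy: PduSessionPolicy) -> dict:
    """SMF enforcement (steps 4.a-4.c): derive the N4 actions for the UPF and the
    N2 user plane security settings for the 5G-AN from the PCF decision."""
    n4 = [{"action": "session_ambr", "kbps": policy.session_ambr_kbps}]
    n2 = []
    for rule in sorted(policy.rules.values(), key=lambda r: r.precedence):
        n4.append({"action": "forward", "rule": rule.rule_id, "filters": rule.sdf_filters,
                   "gate": rule.gate_status, "dnai": rule.dnai})
        if "Required" in (rule.up_integrity, rule.up_confidentiality):
            n2.append({"rule": rule.rule_id, "integrity": rule.up_integrity,
                       "confidentiality": rule.up_confidentiality})
    return {"n4": n4, "n2": n2}


def sample_policy() -> PduSessionPolicy:
    """Constructed baseline PDU session (test-PLMN SUPI) with two ordinary PCC rules."""
    return PduSessionPolicy(
        supi="imsi-001010000000001", session_ambr_kbps=100_000,
        rules={"web": PccRule("web", 10, ["permit out tcp from any to any 443"]),
               "iot": PccRule("iot", 20, ["permit out udp from any to 10.1.0.0/16 5683"])})


if __name__ == "__main__":
    # constructed security event, as reported to the PCF in step 1.b
    event = {"type": "ddos_suspected", "scrubbing_dnai": "mec-scrub-1"}
    print(smf_apply(pcf_decide(sample_policy(), event)))
```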

Table 1
PCC rules - Security.

PCC–QoS | PCC–Security
Gating control (discarding traffic upon PCF control) | Personal firewall with policies managed upon PCF control
Discard traffic not matching the SDF template of any active PCC rule | Personal firewall (last rule: ‘drop any—any’)
Monitoring the amount of traffic | DDoS detection
Steering the traffic towards service functions at N6 on the DN, or to different N6 interfaces of the same DN (identified as Data Network Access Identifier (DNAI)) | Security functions such as firewalls, Application Layer Gateways, malware protection, content filtering, Network Address Translation, etc., shall be managed by Software Defined Networks (SDN) in a service chaining architecture. Those functions can be activated through a pre-defined subscription plan, or as a reactive action when facing a security incident, or as prevention/mitigation of (D)DoS attacks.
Towards 5G-AN: to apply relevant user plane security (integrity protection) | Extended to other network segments like N2 and N3 with technologies like IPSec or DTLS

In [9] the Table 6.4-1 includes the PDU session related policy information. Table 3 is an extract of it, that focuses on the usage monitoring control related information, where two new monitoring keys have been proposed for (D)DoS attack detection.

Finally, the PCF shall instruct as well the SMF on which applications to detect. Upon receiving the report from SMF, the PCF may make policy decisions and send updated or new PCC rules to the SMF. The same process shall be applied to security, provided that specific security analytics in the network are able to define an attack (e.g. communication between the bot and command and control centre), or characterize security incident profiles (e.g. intent of breaking an access control firewall rule by using in the communication ports that are not valid for a specified protocol), thus the security signature can be created, as any other application signature, and the corresponding PCC rule shall be applied.

3.4. Security analytics implemented in NWDAF

The NWDAF provides information that can contribute significantly to the PCC decision making process performed by PCF. Nevertheless, analytics information is currently limited to the slice specific network status, for example load level information. I.e., it is not required to be aware of subscribers using the slice, but it works at network slice level. Our proposal is to extend the load level information adding security contextual information (e.g. events, attacks, vulnerabilities, etc.). It would require the feed of the security functions implemented separately or as part of the standardized network functions, such as UPF with embedded firewall capabilities, into NWDAF or an intermediate dedicated security analytics platform.

The standard TS 23.288 [11] opens the possibility to different types of NWDAFs, specialized in different types of analytics, identified by the analytics ID information element.

The PCF can consume this information via the N23 interface. Some of that information can already provide very useful information for the security analysis and further enforcement as described in the previous sections. Table 7.1-2 of [11] shows the analytics information provided by the NWDAF service. We have added a column to this table with the security information that potentially could be extracted towards other security analytics functions for further analysis or directly to the PCF framework for application of specific security PCC rules (see Table 4).

Particularly interesting for security analytics is the abnormal behaviour related network data analytics captured by NWDAF. The PCF may subscribe to notifications of network analytics related to ‘abnormal behaviour’ using the Nnwdaf_AnalyticsSubscription_Subscribe service operation, with the aim of anticipating and detecting a security issue, triggering a new security policy or updating an existing one for the particular UE or group of UEs. This data includes the Analytics ID (‘abnormal behaviour’), the target of analytics reporting ‘SUPI’, ‘Internal Group Id’ and the analytics filter including the list of Exception IDs and per each Exception ID a possible threshold. The current list of Exception IDs is specified in [11], e.g. ‘unexpected UE location’, ‘suspicion of DDoS attack’, ‘wrong destination address’, etc. The table 6.7.5.3-3 of the standard provides examples of policies and actions to mitigate the risks, e.g. ‘extension of Service Area restriction’, ‘release the PDU session’, ‘updates the packet filter/QoS’, etc.

As described in Section 2.4 of the present document, the challenge is that at user plane level the communication description per application is limited to the traffic volume and data rates of this communication, which is relevant for security incidents related to volumetric types of attacks (e.g. flooding, overload, DoS, etc.). Changes or anomalies in the statistics or predictions, for example the periodicity of the UE communications, duration of the communications or certain traffic characterization (e.g. unusual ports, suspicious DNN, other useful information, etc.), volumes Upload/Download (average and variance) may indicate a security event or incident. At user plane level, the new proposal consists in that, on top of volumes, changes and anomalies, the NWDAF could directly collect real Security events (facts) from the UPF, thanks to user plane security inspection functionalities attached to or embedded in it. This security information may be consumed by active NFs like PCF to update dynamically the PCC rules for a particular UE or group of UEs, change a PDU or even take actions at slice level if required.

4. Future work

Three areas for further research are proposed in the context of implementation of the security enforcement tenets presented in the paper:

- specific security analytics supported by machine learning algorithms
- roaming scenarios, including local break out
- applicability to IoT use cases

The practical implementation of the new network security principles discussed in the paper in areas like the measurement of the security levels, the definition of security profiles per group of users or slices, as well as advanced security analytics with the correlation of multiple factors and parameters in the network, are certainly areas of future research being supported by technologies like Artificial Intelligence (AI)/Machine Learning (ML) [23,24]. The deployed security analytics solutions will need to cope with continuously evolving attacks, new protocols frequently encrypted and a quite complex and distributed environment. Thus, ML can support in getting insights over encrypted traffic (e.g. SBI interfaces), detecting anomalies, even mimicking attacks. In a similar line of reasoning 5G Americas in [25] concludes that for the level of complexity introduced by 5G, preconfigured security mechanisms may need to be supplemented with dynamic security measures where the defence mechanisms are instantiated and deployed by AI-based systems as responses to sophisticated attacks. It goes

Table 2
PCC rule: Security aspects and new security information elements.

further and states that, when detection is ‘embedded’ into switches and routers, the network nodes themselves become 5G security sensors, enhancing the effectiveness of overall defences. In comparison, our research moves forward on this approach, reaching not only the switches and routers of the network, but also the radio and core, providing not only the detection capabilities but a coordinated security enforcement framework.

For further study we propose as well to address the security enforcement in local breakout roaming scenarios. Certainly, there shall be a consistency in UE level security policies when the user moves from one operator network to another, but it is also highly possible that security services are not updated frequently on a per UE basis. Hence operators need to share upfront security policies and some level of subscriber service information [26]. Currently the security policies established between peers are configured statically and locally based on contractual SLAs, whereas the new 5G services shall create a very dynamic and unpredictable environment, that requires a new security framework.

Finally, even though the proposed security enforcement schema is in principle agnostic to the type of UE attached to the network, the applicability to IoT should be considered for further studies. As pointed

Table 3
PDU Session related ‘Security’ policy information.

Table 4
Security insights on the analytics information provided by NWDAF.

out by Shancang Li et al. in [27], many resource constrained IoT devices are deployed, in which privacy and security have emerged as difficult challenges because the devices have not been designed to have effective security features. To cope with those challenges a wide range of technologies are being developed, mainly focused on alleviating the burden of security mechanisms implemented in the device, such as lightweight encryption and new protocols. Those technologies shall be standardized and accordingly supported in the Core network, where those new required security controls and policies can be enforced in an end-to-end approach, as proposed in this paper. Indeed, the new Release 17 of the 5G 3GPP standard is primarily about expanding the ecosystem that can take advantage of 5G, by adding features to provide the full range of functionality required by new industry segments like Industrial IoT.

5. Conclusion

The 5G services are much more flexible than in previous generations. Much of this is due to the new QoS model of the 5G system architecture. Such flexibility shall be a key requirement for security as

well, considering security as a crucial factor in the quality of the entire network. To support each use case in an optimal way, security concepts will also need to be more flexible. For example, security mechanisms used for ultra-low latency, mission-critical applications may not be suitable in massive Internet of Things (IoT) deployments where mobile devices are inexpensive sensors that have a very limited energy budget and transmit data only occasionally.

Deep diving in the domain of the 5G network architecture, one of the issues is the security enforcement from an end to end perspective, i.e. in the new 5G radio access network, transport and core, especially in the dynamics of new services and technologies in 5G as described above. Our main target has been to find an effective security enforcement schema flexible to create new security policies, and agile to react to the constantly changing environment, across the end to end architecture, with the vision of considering security as a quality element of the network. When researching on the overall 5G network architecture and the policy control framework, we found the use of the latter rational not only for QoS, but also for security. Using the unified policy control framework of 5G our contribution consisted in: (1) The definition of mechanisms to apply the QoS principles to security use cases, (2) the establishment of user plane security enforcement flows within the session management, (3) the definition of new Security policies as part of the PCC Rules and (4) proposals to extend the Network Analytics to Security Analytics.

Declaration of competing interest

The authors declare that they have no known competing financial interests or personal relationships that could have appeared to influence the work reported in this paper.

Acknowledgements

This work was funded by the POB Research Centre for Artificial Intelligence and Robotics of Warsaw University of Technology, Poland within the Excellence Initiative Program—Research University (ID-UB).

References

[1] L.U. Khan, I. Yaqoob, M. Imran, Z. Han, C.S. Hong, 6G wireless systems: A vision, architectural elements, and future directions, IEEE Access 8 (2020) 147029–147044.
[2] Devaki Chandramouli, Rainer Liebhart, Juho Pirskanen (Eds.), 5G for the Connected World, first ed., Wiley, 2019.
[3] J. Mongay Batalla, E. Andrukiewicz, G. Peinado Gomez, P. Sapiecha, C.X. Mavromoustakis, G. Mastorakis, J. Zurek, M. Imran, Security risk assessment for 5G networks - national perspective, IEEE Wirel. Commun. (2020) http://dx.doi.org/10.1109/MWC.001.1900524.
[4] Di Yin Yang, Xia Song, Xiaoming Dong, Gunasekaran Manogaran, George Mastorakis, Constandinos X. Mavromoustakis, Jordi Mongay Batalla, Security situation assessment for massive MIMO systems for 5G communications, Future Gener. Comput. Syst. (2019) http://dx.doi.org/10.1016/j.future.2019.03.036.
[5] 3GPP TS 23.501: Technical Specification System Architecture for the 5G System; Stage 2.
[6] 3GPP TS 33.501: Technical Specification Security architecture and procedures for 5G system (Release 16).
[7] G. Arfaoui, P. Bisson, R. Blom, R. Borgaonkar, H. Englund, E. Félix, F. Klaedtke, P.K. Nakarmi, M. Näslund, P. O’Hanlon, J. Papay, J. Suomalainen, M. Surridge, J.P. Wary, A. Zahariev, A security architecture for 5G networks, IEEE Access 6 (22) (2018) 466–479.
[8] J. Mongay Batalla, G. Mastorakis, C.X. Mavromoustakis, C. Dobre, N. Chilamkurti, S. Schaeckeler, Network Services Chaining in 5G vision (guest editorial), IEEE Commun. Mag. (2017) http://dx.doi.org/10.1109/MCOM.2017.8114559.
[9] 3GPP TS 23.503: Technical Specification Policy and Charging Control Framework for the 5G System; Stage 2.
[10] Mojtaba Houshmand, Policy and Charging Rules Function (PCRF) in LTE EPC Core Network Technology, 2016, available at https://www.netmanias.com/en/post/techdocs/10997/lte-pcrf/policy-and-charging-rules-function-pcrf-in-lte-epc-core-network-technology.
[11] 3GPP TS 23.288: Technical Specification Architecture enhancements for 5G System to support network data analytics services (Release 16).
[12] J. Cao, et al., A survey on security aspects for 3GPP 5G networks, IEEE Commun. Surv. Tutor. 22 (1) (2020) 170–195.
[13] Igor Bisio, Chiara Garibotto, Fabio Lavagetto, Andrea Sciarrone, Performance evaluation of application layer joint coding solutions for video transmissions between mobile devices over the internet of things, Comput. Commun. 118 (C) (2018) 50–59.
[14] S.A.A. Shah, E. Ahmed, M. Imran, S. Zeadally, 5G for vehicular communications, IEEE Commun. Mag. 56 (1) (2018) 111–117.
[15] Z. Belghazi, N. Benamar, A. Addaim, C.A. Kerrache, Secure WiFi-direct using key exchange for IoT device-to-device communications in a smart environment, Future Internet 11 (12) (2019) 251.
[16] 5G Explained, in: Jyrki T.J. Pentinnen (Ed.), Security and Deployment of Advanced Mobile Communications, Wiley, 2019.
[17] NGMN Alliance, NGMN 5G white paper, Next Generation Mobile Networks, White paper, 2015, available at https://www.ngmn.org/5g-whitel-paper/5g-white-paper.html.
[18] Ayrat Khalimov, Sofiane Benahmed, Rasheed Hussain, S.M. Ahsan Kazmi, Alma Oracevic, Fatima Hussain, Farhan Ahmad, Chaker Abdelaziz Kerrache, Container-based sandboxes for malware analysis: A compromise worth considering, in: Proceedings of the 12th IEEE/ACM International Conference on Utility and Cloud Computing (UCC ’19), Association for Computing Machinery, New York, NY, USA, 2019, pp. 219–227, http://dx.doi.org/10.1145/3344341.3368810.
[19] G. Araniti, I. Bisio, M. De Sanctis, F. Rinaldi, A. Sciarrone, Joint coding and multicast subgrouping over satellite-eMBMS networks, IEEE J. Sel. Areas Commun. 36 (5) (2018) 1004–1016.
[20] W. Rafique, L. Qi, I. Yaqoob, M. Imran, R. u. Rasool, W. Dou, Complementing IoT services through software defined networking and edge computing: A comprehensive survey, IEEE Commun. Surv. Tutor. 22 (3) (2020) 1761–1804.
[21] R. Hussain, et al., Secure and privacy-aware incentives-based witness service in social internet of vehicles clouds, IEEE Internet Things J. 5 (4) (2018) 2441–2448, http://dx.doi.org/10.1109/JIOT.2018.2847249.
[22] 3GPP TS 33.210: Technical Specification Network Domain Security (NDS); IP network layer security.
[23] Antonio Pastor (Telefonica I+D), Applying AI to Protect 5G Control Traffic, ETSI Security week 2019, available at: https://docbox.etsi.org/Workshop/2019/201906_ETSISECURITYWEEK/1906_AI_SECURITY/S02_AI_ATTACK_DEFENSE/AI_PROTECT_5G_CONTRL_TRAFFIC_TELEFONICA.pdf.
[24] George Mastorakis, Constandinos X. Mavromoustakis, Jordi Mongay Batalla, Evangelos Pallis, Convergence of Artificial Intelligence and the Internet of Things, Springer Eds., ISBN: 978-3-030-44906-3, 2020.
[25] 5G Americas, The evolution of 5G in security, 2019, available at https://www.5gamericas.org/wp-content/uploads/2019/08/5G-Security-White-Paper_8.15.pdf.
[26] Ijaz Ahmad, Shahriar Shahabuddin, Tanesh Kumar, Jude Okwuibe, Andrei Gurtov, Mika Ylianttila, Security for 5G and beyond, IEEE Commun. Surv. Tutor. (2019) http://dx.doi.org/10.1109/COMST.2019.2916180.
[27] S. Li, H. Song, M. Iqbal, Privacy and security for resource-constrained IoT devices and networks: Research challenges and opportunities, Sensors 19 (8) (2019) 1935.