Computer Communications
journal homepage: www.elsevier.com/locate/comcom
1. Introduction

There is a vast consensus in the industry about the need to build Fifth Generation (5G) networks that are inherently secure in the widest sense [1]. That includes (among others) considerations on privacy, data confidentiality and overall protection of the network against any kind of cyberattack that can compromise the availability and integrity of its infrastructure, applications and services [2]. Not only industry actors, represented among others by network operators, vendors and infrastructure providers, but also governments and authorities like the European Commission are key stakeholders in the deployment of trusted 5G networks, working nowadays to formalize 5G security regulations based on the analysis of different risk scenarios [3]. Network security is the context of this paper, which focuses on the definition and enforcement of security policies in the entire network, the so-called 5G System (5GS) in the 3rd Generation Partnership Project (3GPP) standards. There are several key standardization bodies and industry forums which are contributing significantly to the development of the 5G architecture, and specifically its security aspects, such as ITU, ETSI, IETF, NGMN, 5G-PPP, NIST, GSMA, etc. Some of those focus on specific infrastructure such as critical infrastructure, and others develop security standards for specific use cases (e.g. mission critical) [4]. The standardization group that defines end-to-end security aspects of the 5G network as a whole is the SA3 working group of 3GPP.

The 5GS is defined by 3GPP in TS 23.501 [5] as a system consisting of the 5G Access Network (AN), the 5G core network and the User Equipment (UE). The system's architecture is defined as service-based and comprises multiple Network Functions (NFs), which will be described in the article as needed, mainly from a security angle. Within this architecture, the interaction between NFs and NF services may be represented by point-to-point reference points between any two network functions (e.g., reference point N7 between the Policy Control Function and the Session Management Function), providing Service
∗ Corresponding author.
E-mail address: jordi.mongay.batalla@pw.edu.pl (J. Mongay Batalla).
https://doi.org/10.1016/j.comcom.2021.03.024
Received 10 October 2020; Received in revised form 2 March 2021; Accepted 25 March 2021
Available online 29 March 2021
0140-3664/© 2021 The Author(s). Published by Elsevier B.V. This is an open access article under the CC BY-NC-ND license
(http://creativecommons.org/licenses/by-nc-nd/4.0/).
G. Peinado Gomez, J. Mongay Batalla, Y. Miche et al. Computer Communications 172 (2021) 226–237
Based Interfaces (SBI). SBI represents how a set of services is provided/exposed by a given NF. The security features and security mechanisms for this 5G system, as well as the security procedures performed within the network, are specified in the security architecture standardized by 3GPP in TS 33.501 [6]. In addition to these normative standards, there have been other relevant academic research works like the 5G-ENSURE project under 5G-PPP (5G Infrastructure Public Private Partnership) that have contributed to the 5G security architecture, providing a set of security design principles and a set of security functions and mechanisms to implement the security controls needed to achieve the stated security objectives [7].

Within the Service Based Architecture (SBA) context [8], the Policy Control Function (PCF) specified in TS 23.503 [9] is a Network Function that constitutes a single and unified framework for defining any type of policy, e.g. for Data Network (DN) access in the network, and for delivering those policies to other control plane NFs, e.g., the Access and Mobility Management Function (AMF) and the Session Management Function (SMF), as relevant for each function [2]. In contrast to the approach followed in previous mobile generations, in the LTE Policy and Charging Rules Function, where policy control was only bound to QoS and charging aspects [10], the 5GS is based on a unified policy control scheme that allows consistent policies to be built covering the entire network. At the time of writing (September 2020) Release 16 of the 5G 3GPP specification has been recently published. Even though the policy control framework has been extended in terms of flexibility, adding new use cases such as the SMF selection management related policies, the QoS control policy requirements and enforcement remain the same as in the previous Release 15.

The 5GS architecture has lately been enhanced to support network data analytics services via a new entity named NWDAF (Network Data Analytics Function) [11]. It focuses on load level information, service experience, network performance and abnormal behaviour. The PCF could subscribe to notifications of network analytics related to this kind of information and use it for the calculation and update of the policies, but this is currently not standardized.

Interestingly, there are no clear and established links between the new unified policy control framework, the 5G security architecture, and the new enhanced data analytics entity. The outcomes of this research shall help to tie together those three areas. The main objective has been to find an effective security enforcement schema flexible enough to create new security policies, and dynamic enough to react to the constantly changing security environment, across the end to end 5G architecture, thus avoiding proprietary solutions in the industry. We believe that in 3GPP the security enforcement across the entire 5G system shall be discussed at the level of the Technical Specification Group-Service and System Aspects (TSG-SA). TSG-SA is responsible for the overall architecture and service capabilities of systems based on 3GPP specifications and, as such, has a responsibility for cross-TSG co-ordination. In this case mainly Working Group 2 (Architecture), Working Group 3 (Security) and Working Group 5 (Telecom Management) would be impacted.

In the current 5GS architecture the use cases around user plane security enforcement are oriented and limited to security policies towards the NG-RAN (NG Radio Access Network), based on the activation of integrity and/or confidentiality protection in the air interface between the UE and the Base Station. Those security policies can be either part of the subscriber information stored in the Unified Data Repository (UDR) and fetched by the Unified Data Management (UDM) function or, alternatively, configured locally in the SMF. As currently the User Plane (UP) security policies are globally based, control by local policies in the SMF may seem a priori sufficient. But will this approach be enough to address new Service Level Agreements, with ever growing security clauses? Will it be sufficient to cover upcoming subscription plans related to new security services and functionalities required by customers and tenants (e.g. verticals operating a critical infrastructure), who demand different and customized levels of security?

We believe that features like integrity protection of the UP shall be selectively activated, for instance per slice. In general, network slices serving different types of services may indeed have different security requirements and adopt distinct security protocols and mechanisms. Thus, it is a key point to provide different levels of security protection for differentiated network slices [12]. The security algorithms used for encryption of the data could also be selectively chosen (e.g. 128 bit vs 256 bit key length) based on the customer profile. E.g. the security requirements of a critical infrastructure will differ from those of a standard enhanced Mobile Broadband slice dedicated to IoT, as proposed in [13]. Our thesis is that security may be part of the user profile stored in UDR, and PCF shall retrieve those new attributes to apply the corresponding policies, in this case in AMF/SMF.

The article challenges the current standardized security enforcement mechanisms and proposes a new dynamic approach driven by the policy control framework. Thanks to the policy control framework, QoS policies can be enforced in an end to end mode in the 5G network. Considering security as a quality element of the network, i.e. applying the QoS principles to security, the target shall be to achieve an effective definition and enforcement of security policies across the 5G end to end architecture, leveraging the unified policy control framework and taking advantage as well of the new data analytics function as knowledge base of the network and/or UE.

Obviously in the telco network we still have dedicated security functions such as firewalls, Intrusion Detection Systems (IDS), Distributed Denial of Service (DDoS) protection systems, etc., that will be managed by vendor specific management tools. Those security functions are mainly intended to protect the network as a whole, or certain parts of it based on their position in the network (and limited to that), not taking into consideration the individual UE. Not only the capability to detect a security issue per UE (e.g. individual misbehaving UEs), but also the means to apply a countermeasure per UE is currently a challenge for existing security mechanisms. Our proposal complements those mechanisms and enriches the security posture from an end to end network perspective, with all network functions of the 5GS in Radio, Transport and Core becoming de facto active security enforcers controlled by a central element, the PCF. It provides as well the fine granularity needed to consider security policies per UE, which shall become progressively relevant as new 5G use cases like Ultra Reliable Low Latency Control and massive Machine Type Communications are deployed [14]. Those use cases will require maximum reliability and real time response to potential security incidents in particular UEs (e.g. a high precision robot in a hospital, or IoT devices that are part of a critical infrastructure [15]).

It is important that security is integrated and added by design into the native environment instead of being retrofitted later into the networks and/or devices [16]. Thus, with our new approach we shall be able to dynamically set up security policies in the network functions across the entire 5GS, down to the UE level. Those have been the main reasons for choosing the QoS/Policy Control framework as a reference in this environment.

Finally, we have investigated the potential use of the new network analytics function for security assurance purposes. No doubt the security assurance of the network will require sophisticated and security specific monitoring tools, such as Security Incident and Event Management (SIEM) systems. Nevertheless, our research shows that we can also obtain relevant information from the network behaviour to build security insights. An incident detected by NWDAF or SIEM may trigger a policy change in the network, managed by PCF, e.g. moving a user from a security compromised slice to a quarantine slice.

The following diagram zooms in on the policy control function and its interconnection with the NFs proposed for security enforcement and assurance. It will be detailed further along the next sections (see Fig. 1).

The remainder of this paper is organized in the following fashion: Section 2 goes through several key aspects of security enforcement in the network. It follows the principles of end to end QoS by describing the challenges that the actual 5GS architecture faces in this field. Section 3 presents our proposals to deal with those challenges, utilizing the existing 5GS SBA based architecture and relevant NFs
2.3. Challenges to define security policies under policy control framework

2.4. Challenges to introduce security use cases under network analytics
another security analytics platform looking at the user plane (e.g. SIEM tools placed in the management plane, IDS systems embedded in UPF, etc.). Based on a pre-defined security indicator, different policies can be enforced from the PCF, working de facto as an efficient mitigation mechanism in the network:

• Set up a new session AMBR;
• Set up a new UE AMBR. It would be a kind of quarantine for the UE (example: the UE is an active bot of a DDoS attack);
• Set up a new PDU session with more restrictive security controls in the QoS profile.

The PCF shall then be the policy decision point, while other NFs/parts of the network are the enforcement points. There should also be an interface to the management plane for policy administration and support of the decision, e.g. to a central security management system.

In general, QoS profiles can be dynamically established by the SMF in the 5G access network. In particular, specific QoS rules can be enforced on the UE through Session Management (SM) signalling over the N1 interface (N1 is the reference point between UE and AMF to exchange Non-Access Stratum messages) from the SMF (via AMF), or directly on the UPF over N4 (N4 is the reference point between SMF and UPF to manage data sessions at the user plane; N4 is based on the Packet Forwarding Control Protocol, PFCP). The SMF indeed manages QoS flows with rules, associating traffic filters with QoS policies coming from the PCF. The traffic filter set is configured in the UPF and can serve to easily manage security services. For example:

• A security association identified by a particular Security Parameter Index for a particular group of UEs or slice with special security requirements (e.g. crypto-algorithm, key lengths, etc.);
• Detection and dynamic QoS rules like traffic gating can be easily applied.

The following diagram depicts the concept of applying security rules as part of the QoS policies in the network (see Fig. 3):

| Reference point | Short description |
|---|---|
| N1 | Reference point between UE and AMF to exchange NAS (Non-Access Stratum) messages |
| N2 | Reference point between 5G-RAN and AMF based on Next Generation Application Part |
| N4 | Reference point between SMF and UPF to manage data sessions at the user plane. N4 is based on PFCP (Packet Forwarding Control Protocol) |
| N7 | Reference point between SMF and PCF |
| N11 | Reference point between AMF and SMF |
| N23 | Reference point between PCF and NWDAF |

One example of a security call flow implemented by this concept is shown in Fig. 4.

1.a. NWDAF to PCF: PCF is subscribed to NWDAF notifications. Due to a security incident in the network (e.g. a Denial of Service attack) we find a situation of user data congestion, which is communicated in a message to PCF via the N23 interface (N23 is the reference point between PCF and NWDAF).
1.b. Security Management to PCF: A security management system has been integrated with PCF via a REST API. A security event is reported to PCF.
1.c. PCF to UDR (optional): PCF requests a set of data from UDR via N36 (N36 is the reference point between PCF and UDR). In this use case it could be the identifier of a security policy that is part of the subscription's set of policies, to be applied in case of a security incident.
2. PCF to SMF: After the policy decision is taken, the PCF has determined that the SMF needs updated policy information to mitigate the security issue, and issues an Npcf_SMPolicyControl_UpdateNotify request via N7 with updated policy information about the PDU session, in this case setting up a new Session AMBR.
3. SMF to PCF: The SMF acknowledges the PCF request.
4.a. SMF to UPF: QoS enforcement based on the QoS Enforcement Rule sent by the SMF is a function offered by the UPF. This includes rate enforcement of the session AMBR (received from PCF in SMF in step 2) via N4.
4.b. SMF to UE: Exchange N1 SM signalling (via AMF) with the UE to provide the UE with QoS rule(s), e.g. set up a new UE-AMBR limiting the aggregate bit rate that can be expected to be provided across all Non-GBR QoS flows of all PDU sessions of a UE.
4.c. SMF to 5G AN: Exchange N2 SM signalling (via AMF; N2 is the reference point between 5G-RAN and AMF based on Next Generation Application Part) to set QoS parameters in the 5G Access Network, e.g. reservation of resources for a specific type of traffic.

3.2. User plane security enforcement and assurance

Our approach for the enforcement of security policies on the UP traffic is materialized under the policy control umbrella. Acting directly on the AMF and on the SMF control network functions, the PCF shall reach the UE, the Radio Access Network (RAN) and the UPF to apply those policies directly on the UP.

3.2.1. Security policies enforcement via AMF

There are two types of policies for access and mobility managed and enforced by the AMF, dictated by PCF and stored in UDR, that can support security use cases without major changes in the policy definition:

• Policies transferred from PCF to AMF:

◦ Service area restrictions: 'Tracking Area' (TA) is a logical concept of an area where a user can move around without updating the mobility management node. The network allocates a list with one or more TAs to the user. The service area restrictions policy consists of either an allowed area or a non-allowed area. Our proposal is to establish different security levels per service area, using certain thresholds to determine whether the user is entitled to move or not to a higher security service area. Example: sensitive geographical areas hosting critical infrastructure may restrict the access of users generating a Subscription Concealed Identifier (SUCI) with the 'null scheme' (i.e. a non protected subscriber permanent identifier), in order to prevent for example the impact of rogue base stations or tracking/eavesdropping types of attack, or, on the other side, allow access only to those users supporting UP integrity protection in the air interface.

◦ Priorities of access types (e.g. LTE such as in [19] or 5G) the user may use. The proper definition of those priorities can prevent bidding down attacks forcing the UEs to connect to more vulnerable networks like 2G, much more prone to be compromised than 4G or 5G. An attacker could attempt a bidding down attack by making the UE and the network entities respectively believe that the other side does not support a security feature, even when both sides in fact support that security feature. The Anti-Bidding down Between Architectures parameter was already specified in Release 15 in [6], but currently it is not yet really effective, because it is meant to protect against bidding down from future, enhanced security features down to the current security features.

• Policies transferred from PCF to the UE via AMF:

◦ User Equipment Route Selection Policy to determine how to route egress traffic (PDU selection policies). A new PDU session could be triggered in case of a security incident (e.g. malware detection in the UE), i.e. a kind of 'quarantine' PDU with special policies across the data path, or even a PDU terminated in a secure DN with special security services (e.g. scrubbing centre).

The concept of Local Area Data Network (LADN) in 5G, used for Multi-access Edge Computing in 5G, supports the implementation of the measures described above [20]. LADN enforces restrictions on PDU sessions so that they are available/authorized only in a set of locations known as LADN service areas. The LADN service area is configured in the AMF on a per DNN basis, and the AMF provides the UE with information on the LADN service area.

3.2.2. Security policies enforcement via SMF

SMF is responsible for the signalling required to control a PDU session (via N4 signalling), and to set the user plane handling within this PDU session (selection of the User Plane Functions (UPF) supporting the PDU session). Therefore, SMF controls the functions supported by UPF, including security related functionalities like firewalling, throttling, (D)DoS protection, GPRS Tunnelling Protocol (GTP) inspection (new Inter PLMN UP Security in Release 16), etc. Besides that, it controls the policy enforcement, i.e. the interaction with the PCF to get the policy rules and apply them in the UPF directly or in other parts of the network like NG-RAN via the AMF. Thus, our proposal is that the security controls embedded in UPF can be managed by security policies in PCF.

Furthermore, this new concept shall enable user plane security enforcement policies (confidentiality and integrity protection) in the
air interface (i.e. between UE and 5G-AN) to be managed in the PCF (instead of being locally configured in the SMF as today), which shall retrieve them from UDR, as storage of policy profiles with predefined security policies. Therefore, those policies shall be part of the dynamic PCC Rules dedicated to user plane security, and potentially extended to other domains and UP interfaces like N6 (reference point between UPF and packet data networks based on, e.g., IP or Ethernet transport), N3 (reference point between 5G-RAN and UPF based on GPRS Tunnelling Protocol User Plane, GTPv1-U) and N9 (reference point between two UPFs to transmit user plane data; it is also based on GTPv1-U).

3.2.3. UP security enforcement use cases

Same as SGi-LAN for LTE, the N6-LAN concept for 5G shall allow PCF to configure UPF for security service function chaining towards data networks.

TS 33.501 states that the transport of user data over N3 shall be integrity, confidentiality and replay-protected. The required mechanism is IPsec ESP with IKEv2 certificate-based authentication. However, the use of cryptographic solutions to protect N3 is an operator's decision. These types of solutions in the near future could be selectively deployed based on the security level offered to a group of users, slices and/or tenants, depending on the requirements and criticality of the service or infrastructure. For example, private networks serving critical infrastructure (e.g. utilities), or vehicular ad hoc networks (VANETs) [21], will certainly require full protection of the communications between radio stations and core, even in addition to the security mechanisms applied at application level. The proposal here is to include the activation of the cryptographic solution in N3 as part of the PCC rule to be enforced on the gNB (via AMF) and on the Security Gateway part of the UPF system (via SMF). The enforcement shall create a new IPsec tunnel or allocate the PDU to an existing IPsec tunnel.

The same concept is applicable to the security mechanisms applied to N9 for certain use cases such as the interconnection with another operator. In this context GTP inspection or IPsec [22] are already standardized, but not the enforcement via PCF as part of a 'Security' SLA.

Moreover, with relevant data consumed from new analytics functions like NWDAF, or databases like the Unstructured Data Storage Function storing session data, or security events received from UPF or other specific security analytics platforms (which can correlate events from multiple sources), PCF can react to changes in the established Security Service Level Agreements by querying UDR, applying new security policies and enforcing the establishment of new, more secure PDUs, i.e. mitigating the security issue which triggered the action.

For example, upon detection of a fake base station in a certain network area, or simply looking at a certain critical area from the point of view of security (e.g. airports, critical infrastructure sites, etc.), the PCF shall enforce integrity protection for the relevant UEs/group of UEs attached to the base stations in this network geographical area. Other constraints can also build valid use cases (e.g. UEs attached to a critical slice). The policy of the UEs shall be updated from 'Not Needed' to 'Preferred' or 'Required'. Within the overall flow process of the PDU establishment we introduce, in bold, the calls to be executed to provide the described dynamic enforcement of security policies from the PCF, see Fig. 5.

3.2.4. Security assurance

Once the PDU session has been established with security attributes (e.g. ciphering of a particular service flow, integrity protection, access control policies, etc.), allowing security enforcement in an extended sense in the network, there are two key aspects still worth considering, i.e. the security data collection and closed loop automation. To introduce them an analogy with the Charging Function (CHF) is used (see Fig. 6).

Usage data collection may be used for charging purposes, gathering statistics and monitoring the overall network usage and UE behaviour. The CHF informs the PCF when the user has crossed some thresholds (e.g. spending limits), and consequently the PCF considers this information to dynamically apply related policies to the user session, e.g. restriction of the QoS for a given PDU session, redirection to an operator web page (captive portal), etc. The proposal here consists of enriching the data collection with security relevant data from the embedded security features in the UPF. The SMF would be responsible for collecting such enriched data from the UPF and transferring it to a central security management system, where this data is stored, contextualized and correlated with security information collected from various security dedicated platforms in the network, e.g. firewall logs, security telemetry, IDS logs, etc.

That security management system shall be responsible for creating security incidents and triggering actions on the PCF and/or SMF, e.g. informing the PCF that certain Security SLAs have been crossed, redirect
the user traffic to for example a scrubbing centre or dedicated security DNs, etc.

| Reference point | Short description |
|---|---|
| N4 | Reference point between SMF and UPF to manage data sessions at the user plane. N4 is based on PFCP (Packet Forwarding Control Protocol) |
| N7 | Reference point between SMF and PCF |

In 5G the UPF assumes the role of the Traffic Detection Function in the 4G Evolved Packet Core, i.e. packet inspection (e.g. application detection based on service data flow), thus it can enforce the PCF policies. Indeed, the technology implementing UPFs integrates more and more security functionalities like firewall or Carrier Grade Network Address Translation.

5G Core allows the PCF to coordinate between connectivity related policies sent to the UE and policies sent to the network, that could be deployed in the UPF for the user plane, e.g. a security policy in an L7 firewall embedded in the UPF for a certain service towards a particular user. The following two use cases illustrate this concept:

• According to [9] one of the functionalities supported by the PCF for the SMF selection management for a PDU session is to provide a policy to the AMF to contact PCF for performing DNN replacement of specific DNNs. A trigger for such a replacement action could be a DNN compromised due to a security incident, reported to PCF via NWDAF due to an overload of a particular DN or slice (e.g. DDoS attack).
• When SMF receives the PCC Rule, the SMF can take the actions to reconfigure the UP of the PDU. One of those actions can be to update the UPF with new steering rules, for example to forward certain suspicious traffic to local data centres (e.g. Mobile Edge Computing (MEC)) with the aim of containing a potential security breach in a small controlled area of the network. The concept of MEC is to facilitate the deployment of UPFs at the edge of the network, closer to the UE for key and sometimes critical applications (e.g. Ultra Reliable Low Latency use cases, caching, stadiums, etc.). As a response to an incident the Application Function (AF) can make a request to the 5G Core (i.e. PCF, or via the Network Exposure Function (NEF)) to steer the traffic of a group of UEs, or even a complete slice, to a UPF located in the edge, where security functions such as DDoS protection, scrubbing centres, IDS/IPS, etc., can be deployed as containment mechanisms.

AFs interact with the 3GPP core network to provide services such as application influence on traffic routing, access to NEF and interaction with the policy framework (through reference point N5), i.e. they request dynamic policies. AFs are today identified as MEC orchestration applications, or IP Multimedia System (IMS). The proposal here is to extend the scope of AFs to security applications:

PCC Rules connect the SDF templates (either a list of service data flow filters or an application identifier that references the corresponding application detection filter) with the possible actions on the traffic, i.e. the policy enforcement. Taking the current actions proposed by 3GPP as a basis, focused on pure QoS actions, we propose to extend and apply those actions for security purposes as summarized in Table 1.

In [9] the table 6.3.1 lists the information contained in a PCC rule, including the information name, the description and whether PCF may modify this information in a dynamic PCC rule which is active in the SMF. The latter is key for security assurance purposes.

Table 2 shows an extract from the referred table 6.3.1 in [9], where the relevant information elements used for our security purposes have been selected and commented. The grey shadow in Table 2 and consecutive tables shows added elements in comparison to the standard. At the end a new category named 'Security' has been introduced with two information elements referring to the security policies existing today in the user plane, but currently managed locally in the SMF and limited to the access network. Our contribution is to make them part of the PCC rule structure:

Looking at the PDU level, PCF can control as well different parameters of a PDU session and among them the conditions upon which the SMF shall fetch new policies for the PDU session (policy control request triggers). Those conditions are important to define security enforcement use cases. I.e. if the condition is a security trigger (e.g. incident, overload, exceeding thresholds, etc.), then PCC security rules are to be communicated from the PCF to the SMF and enforced in the UPF and/or 5G access network. The purpose of the PDU session related policy information is to provide policy and charging control related information that is applicable to a single monitoring key or the whole PDU session respectively. The PCF may provide PDU session related policy information to the SMF together with PCC rules or separately.
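To make the link between SDF templates and the proposed security actions concrete, the following Python model is an added example, not code from the paper or from any 3GPP implementation. It evaluates PCC rules in precedence order as an SMF/UPF would, with the actions of the paper's security mapping: gating under PCF control (gate closed discards matching traffic), steering matching traffic to a DNAI, and the personal-firewall default that discards traffic matching no active rule. Flow descriptions use a simplified form of the IPFilterRule syntax carried in PCC rules ("permit <dir> <proto> from <src> [port] to <dst> [port]"); the rule identifiers, the DNAI value, the monitoring key name and the sample packets are all constructed for the example.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class FlowFilter:
    """One packet filter of an SDF template (simplified IPFilterRule)."""
    direction: str          # "in" = uplink (UE -> DN), "out" = downlink (DN -> UE)
    proto: str              # "ip" matches any transport protocol
    src: str                # "any" or an address / CIDR prefix
    sport: Optional[int]
    dst: str
    dport: Optional[int]

    @classmethod
    def parse(cls, text: str) -> "FlowFilter":
        # e.g. "permit in tcp from any to 203.0.113.0/24 443"
        tok = text.split()
        if tok[0] != "permit" or tok[3] != "from" or "to" not in tok:
            raise ValueError(f"unsupported flow description: {text}")
        to = tok.index("to")
        src, *sp = tok[4:to]
        dst, *dp = tok[to + 1:]
        return cls(tok[1], tok[2], src, int(sp[0]) if sp else None,
                   dst, int(dp[0]) if dp else None)

    @staticmethod
    def _addr_ok(spec: str, addr: str) -> bool:
        return spec == "any" or ip_address(addr) in ip_network(spec, strict=False)

    def matches(self, pkt: dict) -> bool:
        return (pkt["dir"] == self.direction
                and self.proto in ("ip", pkt["proto"])
                and self._addr_ok(self.src, pkt["src"])
                and self._addr_ok(self.dst, pkt["dst"])
                and (self.sport is None or self.sport == pkt["sport"])
                and (self.dport is None or self.dport == pkt["dport"]))


@dataclass
class PccRule:
    rule_id: str
    precedence: int                   # lower value is evaluated first
    flows: List[FlowFilter]           # the SDF template
    gate_open: bool = True            # gating control: False discards matching traffic
    dnai: Optional[str] = None        # steer matching traffic to this DN access point
    monitoring_key: Optional[str] = None   # usage accounting key (constructed name)


def enforce(rules: List[PccRule], pkt: dict) -> Tuple[str, str]:
    """Return (rule id, action) for a classified packet; default is drop any-any."""
    for rule in sorted(rules, key=lambda r: r.precedence):
        if any(f.matches(pkt) for f in rule.flows):
            if not rule.gate_open:
                return rule.rule_id, "DROP"
            if rule.dnai:
                return rule.rule_id, f"STEER:{rule.dnai}"
            return rule.rule_id, "FORWARD"
    return "drop-any-any", "DROP"      # traffic matching no active PCC rule


def packet(direction, proto, src, sport, dst, dport) -> dict:
    """Constructed packet header summary as the UPF would classify it."""
    return {"dir": direction, "proto": proto, "src": src, "sport": sport,
            "dst": dst, "dport": dport}


def sample_rules() -> List[PccRule]:
    """Constructed rule set: a PCF-closed gate, an allowed web flow, a steered app."""
    return [
        PccRule("blocked-dn", 1, [FlowFilter.parse("permit in ip from any to 198.51.100.0/24")],
                gate_open=False),
        PccRule("web", 10, [FlowFilter.parse("permit in tcp from any to any 443"),
                            FlowFilter.parse("permit out tcp from any 443 to any")],
                monitoring_key="mk-web"),
        PccRule("edge-scrub", 20, [FlowFilter.parse("permit in tcp from any to 192.0.2.0/24 8080")],
                dnai="dnai-edge-scrub"),
    ]


def demo() -> List[Tuple[str, str]]:
    """Enforce the sample rules over constructed traffic of one UE (10.10.0.7)."""
    rules = sample_rules()
    traffic = [
        packet("in", "tcp", "10.10.0.7", 40001, "203.0.113.5", 443),    # allowed web
        packet("in", "tcp", "10.10.0.7", 40002, "198.51.100.9", 443),   # gate closed wins on precedence
        packet("in", "tcp", "10.10.0.7", 40003, "192.0.2.20", 8080),    # steered to edge DNAI
        packet("in", "udp", "10.10.0.7", 40004, "192.0.2.53", 53),      # no rule: drop any-any
        packet("out", "tcp", "203.0.113.5", 443, "10.10.0.7", 40001),   # downlink half of web
    ]
    return [enforce(rules, p) for p in traffic]


if __name__ == "__main__":
    for decision in demo():
        print(decision)
```

The second packet shows why precedence matters for security rules: the PCF-closed gate on the blocked prefix has a lower precedence value than the general web rule, so it is evaluated first and discards the traffic even though the web filter would also have matched.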
Table 1
PCC rules - Security.

PCC–QoS | PCC–Security
Gating control (discarding traffic upon PCF control) | Personal firewall with policies managed upon PCF control
Discard traffic not matching the SDF template of any active PCC rule | Personal firewall (last rule: ‘drop any—any’)
Monitoring the amount of traffic | DDoS detection
Steering the traffic towards service functions at N6 on the DN, or to different N6 interfaces of the same DN (identified by a Data Network Access Identifier (DNAI)) | Security functions such as firewalls, Application Layer Gateways, malware protection, content filtering, Network Address Translation, etc., shall be managed by Software Defined Networks (SDN) in a service chaining architecture. Those functions can be activated through a pre-defined subscription plan, as a reactive action when facing a security incident, or as prevention/mitigation of (D)DoS attacks.
Towards 5G-AN: to apply relevant user plane security (integrity protection) | Extended to other network segments like N2 and N3 with technologies like IPSec or DTLS
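Added example (not code from the paper or from 3GPP): a small Python model of the control loop described above and in Section 3.4, in which NWDAF-style analytics score a per-UE volumetric anomaly and pass a UPF firewall fact through as Exception IDs, and a PCF turns the exceptions that reach its subscribed thresholds into security PCC rules expressed with the PCC–Security actions of Table 1. The thresholds, the z-score scoring, the DNAI name and the rule strings are constructed assumptions; the Exception IDs and mitigation actions are the ones the paper quotes from TS 23.288.

```python
from dataclasses import dataclass
from statistics import mean, pstdev

# Exception IDs quoted by the paper from TS 23.288; the thresholds are constructed
# values the PCF attaches per Exception ID in Nnwdaf_AnalyticsSubscription_Subscribe.
SUBSCRIPTION_THRESHOLDS = {
    "suspicion of DDoS attack": 3.0,   # z-score of latest upload vs. the UE's history
    "wrong destination address": 1.0,  # packets the UPF firewall rejected
}

@dataclass
class ExceptionReport:
    exception_id: str
    level: float

@dataclass
class SecurityPccRule:
    target: str   # SUPI or Internal Group Id from the notification
    action: str   # enforcement in the paper's PCC-Security vocabulary (Table 1)
    detail: str

def nwdaf_abnormal_behaviour(upload_history, latest_upload, rejected_packets):
    """Constructed NWDAF analytics: z-score of the latest upload volume against the
    UE's own history, plus the UPF firewall 'fact' passed through as an exception."""
    mu = mean(upload_history)
    sigma = pstdev(upload_history) or 1.0   # flat history: avoid division by zero
    reports = [ExceptionReport("suspicion of DDoS attack", (latest_upload - mu) / sigma)]
    if rejected_packets:
        reports.append(ExceptionReport("wrong destination address", float(rejected_packets)))
    return reports

def pcf_security_decision(target, reports):
    """Constructed PCF logic: each subscribed Exception ID at or above its threshold
    becomes security PCC rules that the SMF would enforce in the UPF."""
    rules = []
    for r in reports:
        threshold = SUBSCRIPTION_THRESHOLDS.get(r.exception_id)
        if threshold is None or r.level < threshold:
            continue   # not subscribed, or below threshold: no security trigger
        if r.exception_id == "suspicion of DDoS attack":
            # steer the UE's traffic to security functions at N6 (DNAI); escalate to
            # gating ('release the PDU session') when the anomaly is clearly severe
            rules.append(SecurityPccRule(target, "traffic steering", "DNAI=ddos-scrubbing (constructed)"))
            if r.level >= 2 * threshold:
                rules.append(SecurityPccRule(target, "gating control", "release the PDU session"))
        elif r.exception_id == "wrong destination address":
            # tighten the SDF template; the personal firewall's last rule stays drop any-any
            rules.append(SecurityPccRule(target, "update packet filter/QoS", "discard traffic not matching SDF template"))
    return rules

if __name__ == "__main__":
    history = [12.0, 11.5, 13.0, 12.2, 11.8, 12.5]   # constructed upload MB per interval
    for rule in pcf_security_decision("SUPI-example", nwdaf_abnormal_behaviour(history, 40.0, 2)):
        print(rule)
```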
In [9], Table 6.4-1 includes the PDU session related policy information. Table 3 is an extract of it that focuses on the usage monitoring control related information, where two new monitoring keys have been proposed for (D)DoS attack detection.

Table 3
PDU Session related ’Security’ policy information.

Finally, the PCF shall also instruct the SMF on which applications to detect. Upon receiving the report from the SMF, the PCF may make policy decisions and send updated or new PCC rules to the SMF. The same process shall be applied to security, provided that specific security analytics in the network are able to define an attack (e.g. communication between a bot and its command and control centre) or to characterize security incident profiles (e.g. an attempt to break an access control firewall rule by using ports in the communication that are not valid for the specified protocol), so that the security signature can be created, as any other application signature, and the corresponding PCC rule applied.

Table 2
PCC rule: Security aspects and new security information elements.

3.4. Security analytics implemented in NWDAF

The NWDAF provides information that can contribute significantly to the PCC decision making process performed by the PCF. Nevertheless, analytics information is currently limited to the slice-specific network status, for example load level information; i.e., the NWDAF is not required to be aware of the subscribers using the slice but works at network slice level. Our proposal is to extend the load level information by adding security contextual information (e.g. events, attacks, vulnerabilities, etc.). This would require feeding the output of the security functions, implemented separately or as part of the standardized network functions (such as a UPF with embedded firewall capabilities), into the NWDAF or into an intermediate dedicated security analytics platform.

The standard TS 23.288 [11] opens the possibility of different types of NWDAFs, specialized in different types of analytics and identified by the analytics ID information element.

The PCF can consume this information via the N23 interface. Some of that information can already provide very useful input for the security analysis and further enforcement described in the previous sections. Table 7.1-2 of [11] shows the analytics information provided by the NWDAF service. We have added a column to this table with the security information that could potentially be extracted, either towards other security analytics functions for further analysis or directly to the PCF framework for the application of specific security PCC rules (see Table 4).

Table 4
Security insights on the analytics information provided by NWDAF.

Particularly interesting for security analytics are the abnormal behaviour related network data analytics captured by the NWDAF. The PCF may subscribe to notifications of network analytics related to ‘abnormal behaviour’ using the Nnwdaf_AnalyticsSubscription_Subscribe service operation, with the aim of anticipating and detecting a security issue, triggering a new security policy or updating an existing one for the particular UE or group of UEs. This data includes the Analytics ID (‘abnormal behaviour’), the target of analytics reporting (‘SUPI’, ‘Internal Group Id’) and the analytics filter, including the list of Exception IDs and, per Exception ID, a possible threshold. The current list of Exception IDs is specified in [11], e.g. ‘unexpected UE location’, ‘suspicion of DDoS attack’, ‘wrong destination address’, etc. Table 6.7.5.3-3 of the standard provides examples of policies and actions to mitigate the risks, e.g. ‘extension of Service Area restriction’, ‘release the PDU session’, ‘updates the packet filter/QoS’, etc.

As described in Section 2.4 of the present document, the challenge is that at user plane level the communication description per application is limited to the traffic volume and data rates of that communication, which is relevant for security incidents of the volumetric type (e.g. flooding, overload, DoS, etc.). Changes or anomalies in the statistics or predictions, for example in the periodicity of the UE communications, the duration of the communications, certain traffic characteristics (e.g. unusual ports, suspicious DNN, other useful information, etc.) or the upload/download volumes (average and variance), may indicate a security event or incident. At user plane level, the new proposal is that, on top of volumes, changes and anomalies, the NWDAF could directly collect real security events (facts) from the UPF, thanks to user plane security inspection functionalities attached to or embedded in it. This security information may be consumed by active NFs like the PCF to dynamically update the PCC rules for a particular UE or group of UEs, change a PDU session or even take actions at slice level if required.

4. Future work

Three areas for further research are proposed in the context of the implementation of the security enforcement tenets presented in the paper:

- specific security analytics supported by machine learning algorithms
- roaming scenarios, including local breakout
- applicability to IoT use cases

The practical implementation of the new network security principles discussed in the paper, in areas like the measurement of security levels, the definition of security profiles per group of users or slices, as well as advanced security analytics with the correlation of multiple factors and parameters in the network, are certainly areas of future research supported by technologies like Artificial Intelligence (AI)/Machine Learning (ML) [23,24]. The deployed security analytics solutions will need to cope with continuously evolving attacks, new and frequently encrypted protocols, and a quite complex and distributed environment. Thus, ML can support getting insights over encrypted traffic (e.g. on SBI interfaces), detecting anomalies and even mimicking attacks.

In a similar line of reasoning, 5G Americas in [25] concludes that, for the level of complexity introduced by 5G, preconfigured security mechanisms may need to be supplemented with dynamic security measures where the defence mechanisms are instantiated and deployed by AI-based systems as responses to sophisticated attacks. It goes further and states that, when detection is ‘embedded’ into switches and routers, the network nodes themselves become 5G security sensors, enhancing the effectiveness of the overall defences. In comparison, our research moves forward on this approach, reaching not only the switches and routers of the network but also the radio and core, and providing not only the detection capabilities but a coordinated security enforcement framework.

For further study we propose as well to address security enforcement in local breakout roaming scenarios. Certainly, there shall be consistency in UE level security policies when the user moves from one operator network to another, but it is also highly possible that security services are not updated frequently on a per-UE basis. Hence operators need to share upfront security policies and some level of subscriber service information [26]. Currently the security policies established between peers are configured statically and locally based on contractual SLAs, whereas the new 5G services shall create a very dynamic and unpredictable environment that requires a new security framework.

Finally, even though the proposed security enforcement schema is in principle agnostic to the type of UE attached to the network, the applicability to IoT should be considered for further studies. As pointed out by Shancang Li et al. in [27], many resource constrained IoT devices are deployed in which privacy and security have emerged as difficult challenges because the devices have not been designed to have effective security features. To cope with those challenges a wide range of technologies are being developed, mainly focused on alleviating the burden of the security mechanisms implemented in the device, such as lightweight encryption and new protocols. Those technologies shall be standardized and accordingly supported in the core network, where those new required security controls and policies can be enforced in an end-to-end approach, as proposed in this paper. Indeed, the new Release 17 of the 5G 3GPP standard is primarily about expanding the ecosystem that can take advantage of 5G, by adding features to provide the full range of functionality required by new industry segments like Industrial IoT.

5. Conclusion

The 5G services are much more flexible than in previous generations. Much of this is due to the new QoS model of the 5G system architecture. Such flexibility shall be a key requirement for security as
well, considering security as a crucial factor in the quality of the entire network. To support each use case in an optimal way, security concepts will also need to be more flexible. For example, security mechanisms used for ultra-low latency, mission-critical applications may not be suitable in massive Internet of Things (IoT) deployments where mobile devices are inexpensive sensors that have a very limited energy budget and transmit data only occasionally.

Deep diving into the domain of the 5G network architecture, one of the issues is security enforcement from an end-to-end perspective, i.e. in the new 5G radio access network, transport and core, especially in the dynamics of the new services and technologies in 5G described above. Our main target has been to find an effective security enforcement schema, flexible enough to create new security policies and agile enough to react to the constantly changing environment across the end-to-end architecture, with the vision of considering security as a quality element of the network. When researching the overall 5G network architecture and the policy control framework, we found the use of the latter rational not only for QoS but also for security. Using the unified policy control framework of 5G, our contribution consisted in: (1) the definition of mechanisms to apply the QoS principles to security use cases, (2) the establishment of user plane security enforcement flows within the session management, (3) the definition of new security policies as part of the PCC rules and (4) proposals to extend the network analytics to security analytics.

Declaration of competing interest

The authors declare that they have no known competing financial interests or personal relationships that could have appeared to influence the work reported in this paper.

Acknowledgements

This work was funded by the POB Research Centre for Artificial Intelligence and Robotics of Warsaw University of Technology, Poland within the Excellence Initiative Program—Research University (ID-UB).

References

[1] L.U. Khan, I. Yaqoob, M. Imran, Z. Han, C.S. Hong, 6G wireless systems: A vision, architectural elements, and future directions, IEEE Access 8 (2020) 147029–147044.
[2] Devaki Chandramouli, Rainer Liebhart, Juho Pirskanen (Eds.), 5G for the Connected World, first ed., Wiley, 2019.
[3] J. Mongay Batalla, E. Andrukiewicz, G. Peinado Gomez, P. Sapiecha, C.X. Mavromoustakis, G. Mastorakis, J. Zurek, M. Imran, Security risk assessment for 5G networks - national perspective, IEEE Wirel. Commun. (2020) http://dx.doi.org/10.1109/MWC.001.1900524.
[4] Di Yin Yang, Xia Song, Xiaoming Dong, Gunasekaran Manogaran, George Mastorakis, Constandinos X. Mavromoustakis, Jordi Mongay Batalla, Security situation assessment for massive MIMO systems for 5G communications, Future Gener. Comput. Syst. (2019) http://dx.doi.org/10.1016/j.future.2019.03.036.
[5] 3GPP TS 23.501: Technical Specification System Architecture for the 5G System; Stage 2.
[6] 3GPP TS 33.501: Technical Specification Security architecture and procedures for 5G system (Release 16).
[7] G. Arfaoui, P. Bisson, R. Blom, R. Borgaonkar, H. Englund, E. Félix, F. Klaedtke, P.K. Nakarmi, M. Näslund, P. O’Hanlon, J. Papay, J. Suomalainen, M. Surridge, J.P. Wary, A. Zahariev, A security architecture for 5G networks, IEEE Access 6 (22) (2018) 466–479.
[8] J. Mongay Batalla, G. Mastorakis, C.X. Mavromoustakis, C. Dobre, N. Chilamkurti, S. Schaeckeler, Network Services Chaining in 5G vision (guest editorial), IEEE Commun. Mag. (2017) http://dx.doi.org/10.1109/MCOM.2017.8114559.
[9] 3GPP TS 23.503: Technical Specification Policy and Charging Control Framework for the 5G System; Stage 2.
[10] Mojtaba Houshmand, Policy and Charging Rules Function (PCRF) in LTE EPC Core Network Technology, 2016, available at https://www.netmanias.com/en/post/techdocs/10997/lte-pcrf/policy-and-charging-rules-function-pcrf-in-lte-epc-core-network-technology.
[11] 3GPP TS 23.288: Technical Specification Architecture enhancements for 5G System to support network data analytics services (Release 16).
[12] J. Cao, et al., A survey on security aspects for 3GPP 5G networks, IEEE Commun. Surv. Tutor. 22 (1) (2020) 170–195.
[13] Igor Bisio, Chiara Garibotto, Fabio Lavagetto, Andrea Sciarrone, Performance evaluation of application layer joint coding solutions for video transmissions between mobile devices over the internet of things, Comput. Commun. 118 (C) (2018) 50–59.
[14] S.A.A. Shah, E. Ahmed, M. Imran, S. Zeadally, 5G for vehicular communications, IEEE Commun. Mag. 56 (1) (2018) 111–117.
[15] Z. Belghazi, N. Benamar, A. Addaim, C.A. Kerrache, Secure WiFi-direct using key exchange for IoT device-to-device communications in a smart environment, Future Internet 11 (12) (2019) 251.
[16] Jyrki T.J. Penttinen, 5G Explained: Security and Deployment of Advanced Mobile Communications, Wiley, 2019.
[17] NGMN Alliance, NGMN 5G white paper, Next Generation Mobile Networks, White paper, 2015, available at https://www.ngmn.org/5g-whitel-paper/5g-white-paper.html.
[18] Ayrat Khalimov, Sofiane Benahmed, Rasheed Hussain, S.M. Ahsan Kazmi, Alma Oracevic, Fatima Hussain, Farhan Ahmad, Chaker Abdelaziz Kerrache, Container-based sandboxes for malware analysis: A compromise worth considering, in: Proceedings of the 12th IEEE/ACM International Conference on Utility and Cloud Computing (UCC ’19), Association for Computing Machinery, New York, NY, USA, 2019, pp. 219–227, http://dx.doi.org/10.1145/3344341.3368810.
[19] G. Araniti, I. Bisio, M. De Sanctis, F. Rinaldi, A. Sciarrone, Joint coding and multicast subgrouping over satellite-eMBMS networks, IEEE J. Sel. Areas Commun. 36 (5) (2018) 1004–1016.
[20] W. Rafique, L. Qi, I. Yaqoob, M. Imran, R. u. Rasool, W. Dou, Complementing IoT services through software defined networking and edge computing: A comprehensive survey, IEEE Commun. Surv. Tutor. 22 (3) (2020) 1761–1804.
[21] R. Hussain, et al., Secure and privacy-aware incentives-based witness service in social internet of vehicles clouds, IEEE Internet Things J. 5 (4) (2018) 2441–2448, http://dx.doi.org/10.1109/JIOT.2018.2847249.
[22] 3GPP TS 33.210: Technical Specification Network Domain Security (NDS); IP network layer security.
[23] Antonio Pastor (Telefonica I+D), Applying AI to Protect 5G Control Traffic, ETSI Security Week 2019, available at https://docbox.etsi.org/Workshop/2019/201906_ETSISECURITYWEEK/1906_AI_SECURITY/S02_AI_ATTACK_DEFENSE/AI_PROTECT_5G_CONTRL_TRAFFIC_TELEFONICA.pdf.
[24] George Mastorakis, Constandinos X. Mavromoustakis, Jordi Mongay Batalla, Evangelos Pallis (Eds.), Convergence of Artificial Intelligence and the Internet of Things, Springer, 2020, ISBN: 978-3-030-44906-3.
[25] 5G Americas, The evolution of 5G in security, 2019, available at https://www.5gamericas.org/wp-content/uploads/2019/08/5G-Security-White-Paper_8.15.pdf.
[26] Ijaz Ahmad, Shahriar Shahabuddin, Tanesh Kumar, Jude Okwuibe, Andrei Gurtov, Mika Ylianttila, Security for 5G and beyond, IEEE Commun. Surv. Tutor. (2019) http://dx.doi.org/10.1109/COMST.2019.2916180.
[27] S. Li, H. Song, M. Iqbal, Privacy and security for resource-constrained IoT devices and networks: Research challenges and opportunities, Sensors 19 (8) (2019) 1935.