
5G Network Security: Current Research Situation and Progress

Zhang Qianyun
Beihang University
6 November 2023
Contents
1. 5G Network Security Development Status
2. 5G Network Security Key Technologies
3. 5G Network Security Research Progress
4. 5G and Internet of Things Security
CHAPTER ONE: 5G Network Security Development Status
5G network background
With the development of IoT devices, 5G network services extend from the person-to-person communications of 1G-4G to the industrial Internet and smart cities.

Generation, year and multiple-access technology:
● 1G (1982): FDM, frequency division multiple access
● 2G (1992): TDMA/GMSK, time division multiple access
● 3G (2001): WCDMA/CDMA2000/TD-SCDMA
● 4G (2012): OFDM, orthogonal frequency division multiple access
● 5G (2020): CP-OFDM/DFT-s-OFDM

● 5G raises the user-experienced data rate 10x, spectral efficiency 3x and mobility 2x (supporting high-speed rail at 500 km/h)
● Air-interface latency is cut by 90%, to 1 ms; connection density rises 10x (1 million sensors per km²)
● Energy efficiency rises 100x, traffic density 100x and peak rate 30x (an HD film downloads in 3.6 s)
5G network background
Countries have been competing for the first-mover advantage in 5G. On 6 December 2018 the spectrum allocation for China's three major operators was finalized.

Timeline, 2016 to 2021 and beyond (figure):
● Chinese operators: 5G technology trials, pre-commercial deployment, then commercial launch
● AT&T and others (US), DoCoMo (Japan), KT (South Korea): 5G technology trials, alliance planning, then commercial launch

Chinese spectrum allocation:
● China Mobile: 2515-2675 MHz and 4800-4900 MHz (2.6 GHz / 4.9 GHz)
● China Telecom: 3400-3500 MHz, 100 MHz of 5G trial spectrum (3.4-3.5 GHz)
● China Unicom: 3500-3600 MHz, 100 MHz of 5G trial spectrum (3.5-3.6 GHz)
5G network background
The China IMT-2020 (5G) Promotion Group organizes China's 5G work. Its expert group and secretariat coordinate eleven working groups: 5G applications, C-V2X, spectrum, radio technology, network technology, 5G trials, ITU, 3GPP, IEEE, intellectual property and international cooperation.

China's 5G trial phases (2015-2020) and their targets:
Part 1, 5G technology R&D trials:
● Stage 1: key technology validation
● Stage 2: technical solution validation
● Stage 3: system networking validation
Part 2, 5G product R&D trials: city-scale networking
1. Develop specifications to guide 5G pre-commercial and commercial product development
2. Conduct single-system, single-terminal, networking and interoperability tests
3. Carry out convergence trials of typical 5G applications
4. Continue to support validation of the R16 international standard
5G network characteristics
● Support for diverse applications and services: scalability to meet extreme changes in demand
● Integration of diverse spectrum and deployments: the widest range of spectrum bands and types, and support for multiple topologies from macro cells to indoor hotspots
● Diverse and enhanced KPIs

Spectrum and services (figure): enhanced mobile broadband in the high band (above 24 GHz); mission-critical services and massive IoT in the mid band (1-6 GHz) and the low band (below 1 GHz).
5G uses and application scenarios
Plotted against number of connections and throughput (figure), 5G adds three usage scenarios beyond the 2G/3G/4G services such as social communication and cloud office:
● Enhanced mobile broadband (eMBB): network-layer data rates of 10-20 Gbps
● Ultra-reliable low-latency communication (uRLLC): latency down to 1 ms, reliability with a 10^-5 error rate
● Massive machine-type communication (mMTC): 10^6 connections per km²
Example applications: high-definition cities, logistics, emergency response, virtual reality, vehicle networking, true 3D.
5G key performance targets
● Guaranteed user data rate: ≥50 Mb/s
● User terminal capacity: ≥20 billion
● IoT terminal capacity: ≥1 trillion
● Overall service reliability: ≥99.999%
● Supported speed for ground transport: ≥500 km/h
● Outdoor terminal positioning accuracy: ≤1 m
5G network technology
● Core network: SDN and NFV (SDN/NFV controllers), network slicing, cloud computing, fog nodes
● Access network: polar codes, massive MIMO antenna technology, millimetre wave, fog/edge computing
● Cross-cutting: big data analytics and artificial intelligence
5G scenario example: the Internet of Vehicles
5G network technology
● Service internetization: API-based service architecture (SBA), internetized protocols
● Network virtualization: service slicing, SDN/NFV, amorphous cells, user-centric networks
● Forwarding plane, in a cloudified communication network (MEC/C-RAN): L3 connectionless IP routing and connection-oriented source routing (SR); L2 MAC-layer frame switching and Ethernet-based time-sensitive networking (TSN); L1.5 flexible Ethernet cross-connect (FlexE)
● Optical transport network: time-division multiplexed SDH (CPRI), statistical multiplexing, M-OTN/100GE/SPN
● Radio access network: massive antennas, ultra-dense networking, mixed macro/micro cells, uplink/downlink decoupling, V2V communication
● Terminals: smart mobile terminals, wearables, connected vehicles, robots, sensors
Compared with 4G, 5G combines advanced radio technology with a redesigned core network architecture, supporting more service scenarios, higher performance targets, and stronger and more flexible communication security capabilities.
5G network service scenarios and security requirements
Five security challenges: new service scenarios; new technologies and features; new business models; multiple access technologies and devices; enhanced privacy protection requirements.

1. Enhanced mobile broadband (eMBB): provides higher experienced data rates and larger bandwidth to support higher-resolution, more vivid multimedia content.
Security needs: higher security processing performance; secondary authentication by external networks; patching of known vulnerabilities.

2. Ultra-reliable low-latency communication (uRLLC): provides low-latency, high-reliability information exchange for highly real-time, precise and secure collaboration between interconnected entities.
Security needs: low-latency security algorithms and protocols; an edge computing security architecture; protection of privacy and critical data.

3. Massive machine-type communication (mMTC): provides signalling control optimized for high connection density, for efficient access and management of large numbers of low-cost, low-power IoT devices.
Security needs: lightweight security; group authentication; resistance to DDoS attacks.
5G network security objectives and capability requirements
Provide end-to-end security protection for vertical industries and security assurance for the network infrastructure:
● Multi-level slice security
● Diverse authentication management
● Unified authentication architecture
● On-demand privacy protection
● Service-oriented security protection
● Open security capabilities
These rest on 5G security technology research, 5G security standardization, and 5G security testing and validation.
Sources of threats to 5G network security
Threat sources by target: wireless/wired network, backbone network, communication services, business and operation support systems (BSS/OSS), dealers/distributors, end customers.

Hacker attacks
● Wireless/wired network: intercept network traffic; insert backdoors or vulnerabilities; exploit vulnerabilities in communication protocols; information theft; advanced persistent attacks
● Backbone network: intercept or redirect network traffic; information theft; hijack BGP routing
● Communication services: communication interception
● BSS/OSS: insert backdoors; hijack communications; reconnoitre financial data; leak sensitive information; steal trade secrets

State-sponsored attacks
● Wireless/wired network: identity theft; DDoS attacks; APT attacks
● Backbone network: damage network equipment; identity theft; DDoS attacks
● Communication services: unauthorized use of communication services for political or social motives
● Dealers/distributors: disrupt sales networks; fabricate news to damage sales networks
● End customers: reputational threats; social engineering and phishing; data theft

Cybercrime
● Wireless/wired network: exploit network equipment vulnerabilities; damage network equipment; intercept sensitive information
● Backbone network: hijack satellite-based network links; BGP hijacking
● Communication services: privacy violations; black-market sale of stolen mobile services
● BSS/OSS: sell forged accounts; share accounts; damage core applications; defraud billing systems
● Dealers/distributors: compromise broadcast keys; send ransomware and malware that block sales
● End customers: extortion and financial theft; compromise smart devices; exploit network equipment vulnerabilities

Insider attacks
● Wireless/wired network: directly hand over sensitive information (e.g. geolocation)
● Backbone network: directly hand over valuable infrastructure paths; inject malicious code
● Communication services: create forged accounts; content piracy; black-market sale of services
● BSS/OSS: fraud; sell employee discount coupons; sell financial data
● Dealers/distributors: fraud; sell trade secrets; resell unauthorized services
● End customers: data exfiltration
Security risks and challenges in 5G networks
A unified authentication framework is needed to support network access authentication across multiple application scenarios.

Amorphous cells
● 5G macro cells and micro cells are networked jointly with the control plane and user plane separated: the control plane sits in the macro cell and the user plane in the micro cell.
● 5G uplink and downlink are decoupled; at the cell edge a heterogeneous mode with 5G downlink and 4G uplink may be used.
● However, traditional 4G security mechanisms do not address the security threats of dense heterogeneous networking.

Unified authentication framework
● Sites from different network systems, access technologies and site types connect in parallel or simultaneously; for example, a DDoS attack can downgrade 5G to 4G/3G, making attacks easier to carry out.
● A unified authentication framework spanning the heterogeneous, multi-layer radio access network is needed to achieve flexible and efficient mutual authentication for different application scenarios.
Security risks and challenges in 5G networks
SDN security threats, by layer (figure: applications APP1-APP3, northbound interface, SDN controller, southbound interface, forwarding devices)
● Application layer: counterfeit controllers; information leakage
● Northbound interface: man-in-the-middle attacks; tampering with or eavesdropping on communication content
● Control layer (SDN controller, SDN-specific): DDoS/DoS attacks; penetration attacks; information leakage; flow table tampering; security policy bypass
● Southbound interface: man-in-the-middle attacks; tampering with or eavesdropping on communication content
● Data layer (forwarding devices, SDN-specific): transport protocol vulnerabilities; flow table tampering; flow table entry overflow; DDoS/DoS attacks; information leakage
Centralized SDN management concentrates the attack targets and lowers the difficulty of attack; the openness of the application layer makes vulnerabilities easier to expose.

NFV security threats
1. MANO threats: threats to MANO entities, including viruses, worms, DoS attacks, tampering with stored data and illegal access; threats to communication between MANO entities, and between MANO and traditional network management or VNFs, including tampering with or interception of communication content
2. VNF threats: tampered or forged VNF packages; illegal access to VNFs; leakage of sensitive data
3. Management threats: privilege abuse; theft of account credentials
4. NFV network threats: inter-VNF communication threats (tampering, interception, replay); NFV networking threats, including attacks on the NFV core area from external networks and spread of threats from low security levels to high security levels
5. NFVI threats: VM threats (VM abuse, VM escape, inter-VM sniffing, tampered or illegally accessed images); hypervisor threats (attacks through VMs, hypervisor exploitation); hardware threats (DDoS and viruses against servers, physical attacks)
NFV breaks down the traditional protection perimeter.
Security risks and challenges in 5G networks
5G opens management and orchestration (MANO) capabilities so that third parties can deploy, update and scale the network, which raises a series of security concerns.

Internet of Vehicles (IoV) security
● IoV includes vehicle-to-vehicle (V2V) communication as well as mobile edge communication.
● IoV requires air-interface latency below 1 ms, whereas traditional authentication and encryption procedures were not designed for ultra-reliable low-latency scenarios.
● Vehicles can also communicate with each other without going through the network, which requires mutual authentication directly between vehicles.

Internet of Things (IoT) security
● Typical IoT terminals have limited resources, operate in complex network environments with massive numbers of connections, and are vulnerable to attack.
● Every message from every device needs to be authenticated individually; if terminal signalling requests exceed the network's processing capacity, a signalling storm is triggered.
● mMTC requires a group authentication mechanism, lightweight security mechanisms and anti-DDoS mechanisms to prevent hijacking.
Security risks and challenges in 5G networks

Edge computing
● MEC devices deployed at the edge are more exposed to external attackers, and the risk from a compromised edge computing device extends into the network infrastructure.
● Data is distributed at the network edge, weakening control over data.
● Centralized supervision of content is broken up, making content regulation harder.

Network slicing
● Without proper isolation mechanisms, an attacker who has gained access to one slice can use it as a foothold to attack other target slices, so that the targeted slices can no longer provide normal service.
Security risks and challenges in 5G networks

Open network capabilities
● Private information moves from closed platforms to open platforms, increasing the risk of data leakage and making supervision of shared data harder.
● If trust breaks down during open authorization, a malicious third party can use the acquired network control capabilities to attack the network; API attacks, DDoS attacks and worm malware attacks become larger in scale and more frequent.

Smart terminal security
● General requirements: confidentiality protection of user and signalling data, secure storage and handling of subscription credentials, user privacy protection, etc.
● Special requirements: uRLLC terminals need high-security, high-reliability mechanisms; mMTC terminals need lightweight security algorithms and protocols; some special industries need dedicated security chips, customized operating systems and specific application stores.
CHAPTER TWO: 5G Network Security Key Technologies

5G network access security
Figure: user equipment (multimedia/video, IoT, IoV) connects through the access network (base stations, WiFi, fixed networks) to the core network (AUSF, AMF, SMF, UPF, NEF, NRF, PCF, UDM, AF) and on to the external data network (DN). Primary authentication terminates in the core network; secondary authentication terminates in the external DN.

● Authentication protocol: EAP-AKA' provides mutual authentication under a unified framework and supports non-3GPP access; 5G-AKA strengthens home network control.
● Secondary authentication: authentication service provided by a third party.
● Authentication extensions: group authentication for IoT; fast peer-to-peer authentication for vehicle networks.
● Cryptographic algorithms: mainstream encryption and integrity algorithms such as AES, SNOW 3G and ZUC.
● Privacy protection: an operator-provisioned public key is added to the USIM; on first attachment the permanent identifier (the IMSI, called SUPI in 5G) is encrypted with this public key, closing the identity leakage problem at initial access.
● Signalling protection: encryption and integrity protection of air-interface and NAS-layer signalling.
● User plane protection: on-demand encryption and integrity protection of the user plane over the air interface and/or between the UE and the core network.
● Key management: a hierarchical key derivation scheme; changes to the authentication mechanism, the introduction of slicing and user plane integrity each require new keys.
5G network control plane, user plane and signalling encryption
5G cryptography supports hierarchical key derivation, dynamic authentication, the introduction of slicing, user plane integrity verification, etc. Key types:
● Confidentiality/integrity protection keys for the control plane
● Confidentiality/integrity protection keys for the user plane
● Keys protecting signalling and messaging on the radio side
● Keys supporting non-3GPP access
● Keys securing network slice communications
● Keys supporting LTE compatibility

5G network authentication protocol
● Identity management: flexible and diverse identity management covering the generation, issuance and revocation of identity credentials over their lifecycle.
● Authentication protocol: EAP-AKA' provides mutual authentication under a unified framework and supports non-3GPP access; 5G-AKA strengthens home network control, and secondary authentication lets a third party provide authentication services.
● Downgrade attacks: research on privacy protection mechanisms that prevent leakage of user privacy when a 5G connection is downgraded to LTE.
● Management mechanism: management based on asymmetric security credentials; the IoT key distribution process is delegated to authentication nodes at the network edge, which shields the centralized authentication centre from signalling surges.
● Authentication extensions: group authentication to support connection of massive numbers of IoT devices; fast V2V authentication for vehicle networks.
5G network smart mobile terminals
Starting from 3GPP's general requirements for terminal security, security technologies are researched for different kinds of application terminal.
3GPP general requirements for terminal security: confidentiality protection of user and signalling data; integrity protection of user and signalling data; secure storage and handling of subscription credentials; user privacy protection.
● eMBB terminals: trusted execution environment; operating system hardening; high-speed encryption/decryption; protection of user privacy information
● mMTC terminals: lightweight security algorithms and protocols; device identity protection; resistance to physical attacks; low-power, low-cost implementation
● uRLLC terminals: high-security, high-reliability mechanisms; security hardware supporting ultra-low latency; mutual authentication without network coverage; peripheral interface security
● High-security terminals: dedicated security chip; customized operating system; specific application store; mandatory remote management and control
5G network slicing and security management
Different services belong to different slices, and each slice applies its own security measures and algorithms, so that slices are securely isolated from one another.

Slicing architecture (figure, top to bottom):
● Applications and services for every need, reached through APP-driven APIs
● Virtual network platform: service-specific programmable slices, e.g. slice A for ultra-high-mobility services, slice B for ultra-low-latency high-reliability services and slice C for ultra-broadband services, each spanning UE, radio access network and mobile packet core
● Cloud platform, control plane: the slice controller handles network management and coordination (slice creation/termination/management, pairing of topologies, protocols and network functions)
● Physical/logical abstraction layer
● Physical facilities: UE and radio access technology, mobile fronthaul system, computing and storage resources (data centre), network resources, mobile backhaul system, transport network
5G network slicing operation support system
The orchestrator provides orchestration services for data centres, core networks, access networks, terminals and the IoT, and determines where security mechanisms and policies are deployed.
1. Resource management and virtual network lifecycle management: the slice lifecycle ends when the application ends.
2. Security situation management, monitoring and early warning: security probes of various types report security events through a standardized unified management and control interface for security equipment, and the reports are monitored with deep learning.
3. Intelligent generation and distribution of security policies: security policy adjustments are generated from the observed threats and pushed to each security device, building up a protection system.
CHAPTER THREE: 5G Network Security Research Progress
5G network security standards: international development status
Standards organization, working group, key research areas and main results:
● 3GPP, Service and System Aspects Security Group (SA3): security architecture, RAN security, authentication mechanisms, user privacy, network slicing. Results: TR 33.899, Study on the security aspects of the next generation system; TS 33.501, Security architecture and procedures for 5G System, V15.2.0 (2018-09).
● 5G PPP, Security WG: security architecture, user privacy, authentication mechanisms. Results: 5G PPP Security Landscape (white paper).
● NGMN, 5G Security Group (NGMN P1 WS1 5G Security Group): user privacy, network slicing, MEC security. Results: 5G security recommendations, Package 1: Access Network Improvement / Anti-DDoS Attacks; Package 2: Network Slicing; Package 3: MEC / Low Latency / User Experience.
● ETSI, TC CYBER and NFV SEC WG: security architecture, NFV security, MEC security, privacy. Results: ETSI GS NFV-SEC 010, issues and needs; ETSI GS NFV-SEC 013, security management and monitoring; ETSI GS NFV-SEC 006, security and regulation; ETSI GS MEC 009.
5G network security protection framework (compared with the 4G framework of 3GPP TS 33.401)
Relative to 4G, 5G adds security entities such as non-3GPP access, slice and virtual network element security, network open interface security, and security management.
5G network security standard: 3GPP TS 33.501 V15.2.0
The standard defines and describes in detail the access authentication and key generation procedures in 5G.

Security architecture comparison (figure): 4G security architecture, option 3 (3GPP TS 33.401 chapter 4), versus the NGC-based 5G security architecture option (3GPP TS 33.501 chapter 4).
Both figures show an application layer (IV) with user and provider applications, a home/serving layer with the USIM, HE and SN, and a transport layer with the ME and AN; in 5G the AN is either a 3GPP AN or a non-3GPP AN. The numbered security domains are (I) network access security, (II) network domain security, (III) user domain security and (IV) application domain security. There is only one difference: 5G standalone networking adds (V), service-based architecture domain security.
A security architecture consists of groups of security features that address specific threats and meet specific security objectives.
USIM: user SIM card; SN: serving network; ME: mobile equipment; HE: home environment; AN: access network
Security feature groups
Figure: the 5G core network. Control plane: NSSF (network slice selection), NRF (network repository), PCF (policy control), UDM (unified data management) and AF (application function) exposing Nnssf, Nnrf, Npcf, Nudm and Naf; AUSF (authentication), AMF (access and mobility management), SMF (session management) and NEF (network exposure) exposing Nausf, Namf, Nsmf and Nnef; the SEPP (security edge protection proxy) on the N32 interface towards other operators; applications and application platforms such as MEC behind the NEF; the non-3GPP interworking function for non-3GPP access. User plane: UPFs connected over N3 to the NG-RAN, N4 to the SMF and N6 to the data network; the UE reaches the AMF over N1 and the RAN over N2.
● To take advantage of virtualization, the control plane of the 5G core adopts a service-based architecture (SBA) in which each control plane network function (NF) exposes its capabilities as a service.
● System procedures are described as sequences of NF service invocations; all interactions between control plane NFs are abstracted (e.g. request-response, subscribe-notify).
● The security edge protection proxy protects interactions between public land mobile network (PLMN) operators.
Unified authentication
Unified authentication framework:
● Network credentials with UICC and non-UICC support
● The same authentication entities (AMF/AUSF/UDM) for both 3GPP and non-3GPP access
Support for third-party authentication:
● Secondary authentication
● Operation between the UE, SMF, UPF and third-party AAA authentication servers
Authentication protocols:
● 5G NR access: 5G-AKA or EAP-AKA'
● Non-3GPP access: EAP-AKA' or 5G-AKA
● Enterprise scenarios: EAP-TLS
Authentication protocol selection: the UDM selects the authentication protocol based on the user's subscription.
EAP framework for 5G (figure): the UE and the AUSF/UDM run AKA, certificate-based or other EAP methods over EAP, carried in NAS through the AMF.
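The 5G-AKA exchange summarized above, as an added example that is not part of the original slides: a Python simulation of the three parties. The home network (UDM/ARPF plus AUSF) generates the authentication vector and keeps XRES*, the serving network (SEAF) only receives HXRES* and can do a fast local check, and the final decision, i.e. whether KSEAF is released, stays with the home network. The long-term key K, the serving network name and the HMAC stand-in for the MILENAGE functions f1-f5 are constructed for the example; the KDF structure follows TS 33.220 Annex B, and the FC values 0x6A/0x6B/0x6C are reproduced from memory of TS 33.501 Annex A, so treat them as illustrative rather than conformance-accurate.

```python
import hashlib
import hmac
import os

# Serving network name used in the 5G key derivations (constructed example value).
SNN = b"5G:mnc001.mcc001.3gppnetwork.org"


def kdf(key: bytes, fc: int, *params: bytes) -> bytes:
    """Generic 3GPP KDF (TS 33.220 Annex B): HMAC-SHA-256 over FC || P0 || L0 || P1 || L1 ..."""
    s = bytes([fc])
    for p in params:
        s += p + len(p).to_bytes(2, "big")
    return hmac.new(key, s, hashlib.sha256).digest()


def toy_f(k: bytes, tag: bytes, rand: bytes, extra: bytes = b"") -> bytes:
    """Stand-in for MILENAGE f1..f5 (assumption: a real USIM/UDM runs MILENAGE or TUAK)."""
    return hmac.new(k, tag + rand + extra, hashlib.sha256).digest()


class HomeNetwork:
    """UDM/ARPF (authentication vector generation) plus AUSF (RES* confirmation)."""

    def __init__(self, k: bytes):
        self.k, self.sqn, self.pending = k, 1, {}

    def generate_av(self):
        rand = os.urandom(16)
        sqn = self.sqn.to_bytes(6, "big")
        self.sqn += 1
        amf = b"\x80\x00"                                      # separation bit set: 5G-capable AV
        mac = toy_f(self.k, b"f1", rand, sqn + amf)[:8]
        xres = toy_f(self.k, b"f2", rand)[:8]
        ck, ik = toy_f(self.k, b"f3", rand)[:16], toy_f(self.k, b"f4", rand)[:16]
        ak = toy_f(self.k, b"f5", rand)[:6]
        autn = bytes(a ^ b for a, b in zip(sqn, ak)) + amf + mac
        xres_star = kdf(ck + ik, 0x6B, SNN, rand, xres)[16:]   # 128 least significant bits
        k_ausf = kdf(ck + ik, 0x6A, SNN, autn[:6])             # P1 = SQN xor AK
        self.pending[rand] = (xres_star, k_ausf)               # AUSF keeps XRES* at home
        hxres_star = hashlib.sha256(rand + xres_star).digest()[16:]
        return rand, autn, hxres_star                          # SEAF only ever sees HXRES*

    def confirm(self, rand: bytes, res_star: bytes):
        xres_star, k_ausf = self.pending.pop(rand)
        if not hmac.compare_digest(res_star, xres_star):
            return None                                        # home network refuses: no KSEAF
        return kdf(k_ausf, 0x6C, SNN)                          # KSEAF released to the SEAF


class UE:
    def __init__(self, k: bytes):
        self.k, self.sqn_max, self.k_seaf = k, 0, None

    def respond(self, rand: bytes, autn: bytes) -> bytes:
        ak = toy_f(self.k, b"f5", rand)[:6]
        sqn = bytes(a ^ b for a, b in zip(autn[:6], ak))
        amf, mac = autn[6:8], autn[8:]
        if not hmac.compare_digest(mac, toy_f(self.k, b"f1", rand, sqn + amf)[:8]):
            raise ValueError("MAC failure")                    # network not authenticated
        if int.from_bytes(sqn, "big") <= self.sqn_max:
            raise ValueError("SYNC failure")                   # replayed authentication vector
        self.sqn_max = int.from_bytes(sqn, "big")
        res = toy_f(self.k, b"f2", rand)[:8]
        ck, ik = toy_f(self.k, b"f3", rand)[:16], toy_f(self.k, b"f4", rand)[:16]
        self.k_seaf = kdf(kdf(ck + ik, 0x6A, SNN, autn[:6]), 0x6C, SNN)
        return kdf(ck + ik, 0x6B, SNN, rand, res)[16:]         # RES*


def run_5g_aka(ue: UE, home: HomeNetwork):
    """SEAF side of the exchange: returns KSEAF on success, None if any check fails."""
    rand, autn, hxres_star = home.generate_av()
    try:
        res_star = ue.respond(rand, autn)                      # NAS Authentication Request/Response
    except ValueError:
        return None
    hres_star = hashlib.sha256(rand + res_star).digest()[16:]
    if not hmac.compare_digest(hres_star, hxres_star):        # fast check in the serving network
        return None
    return home.confirm(rand, res_star)                        # final decision stays at home


K = bytes(range(16))                                           # constructed long-term key

if __name__ == "__main__":
    ue, home = UE(K), HomeNetwork(K)
    print(run_5g_aka(ue, home) == ue.k_seaf)                   # True
```

The point to notice is what each party can and cannot do: the SEAF cannot forge a successful run because it never holds XRES*, and a UE provisioned with the wrong K fails the MAC check before any RES* leaves the device, so the serving network learns nothing usable from the failed attempt.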


Key hierarchy for the 5G network architecture
Figure: seed keys and temporary keys per domain. The UICC in the user equipment and the HSS/UDM in the core network hold the seed key; KAUSF, KSEAF and KAMF sit in the AMF/AUSF of the core network; KgNB and NH are passed to the access network, which derives the temporary keys KRRCint, KRRCenc, KUPint and KUPenc.
● Mobile networks use a one-way hierarchical key management architecture.
● The seed key is the highest key and generates its direct child key KAUSF.
● The seed key cannot be used to obtain KgNB directly; keys cannot be generated across network tiers.
● The arrows are one-way: a lower-level key cannot be used to obtain a higher-level key.
● The seed key is provisioned in the UICC and, on the network side, by the HSS/UDM administrator, and can be protected against unauthorized access by any other entity, including the network supplier.
● The access network only receives temporary keys from the core network and cannot derive the seed key from them.
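To make the one-way hierarchy concrete, an added example (not from the slides) that derives the chain KAUSF → KSEAF → KAMF → {NAS keys, KgNB} → {RRC and UP keys} with the TS 33.220 KDF. Each arrow is one HMAC-SHA-256, so a gNB holding KgNB can compute its RRC and UP keys but nothing above it, and re-deriving KgNB (a fresh uplink NAS COUNT) refreshes every access-stratum key without touching the NAS keys. The FC values, algorithm type distinguishers and algorithm identities are reproduced from memory of TS 33.501 Annex A, and the SUPI and serving network name are constructed; treat the constants as illustrative.

```python
import hashlib
import hmac


def kdf(key: bytes, fc: int, *params: bytes) -> bytes:
    """Generic 3GPP KDF (TS 33.220 Annex B): HMAC-SHA-256 over FC || P0 || L0 || P1 || L1 ..."""
    s = bytes([fc])
    for p in params:
        s += p + len(p).to_bytes(2, "big")
    return hmac.new(key, s, hashlib.sha256).digest()


# Algorithm type distinguishers and algorithm identities (from memory of TS 33.501 Annex A;
# assumption: treat as illustrative values).
N_NAS_ENC, N_NAS_INT, N_RRC_ENC, N_RRC_INT, N_UP_ENC, N_UP_INT = 1, 2, 3, 4, 5, 6
NEA2 = NIA2 = 2            # 128-bit AES-based ciphering / integrity algorithm identity
ACCESS_3GPP = b"\x01"      # access type distinguisher for 3GPP access


def alg_key(parent: bytes, alg_type: int, alg_id: int) -> bytes:
    """Algorithm-specific key (FC = 0x69): the 128 least significant bits of the KDF output."""
    return kdf(parent, 0x69, bytes([alg_type]), bytes([alg_id]))[16:]


def derive_core(k_seaf: bytes, supi: bytes, abba: bytes, ul_nas_count: int) -> dict:
    """Keys the core network (AMF) holds: KAMF, the NAS keys, and the KgNB it hands to the gNB."""
    k_amf = kdf(k_seaf, 0x6D, supi, abba)
    return {
        "KAMF": k_amf,
        "KNASenc": alg_key(k_amf, N_NAS_ENC, NEA2),
        "KNASint": alg_key(k_amf, N_NAS_INT, NIA2),
        "KgNB": kdf(k_amf, 0x6E, ul_nas_count.to_bytes(4, "big"), ACCESS_3GPP),
    }


def derive_gnb(k_gnb: bytes) -> dict:
    """Everything a gNB can derive from KgNB alone: the RRC and UP keys, nothing above them."""
    return {
        "KRRCenc": alg_key(k_gnb, N_RRC_ENC, NEA2),
        "KRRCint": alg_key(k_gnb, N_RRC_INT, NIA2),
        "KUPenc": alg_key(k_gnb, N_UP_ENC, NEA2),
        "KUPint": alg_key(k_gnb, N_UP_INT, NIA2),
    }


def full_hierarchy(k_ausf: bytes, snn: bytes, supi: bytes, ul_nas_count: int = 0) -> dict:
    """KAUSF -> KSEAF -> KAMF -> {NAS keys, KgNB} -> {RRC, UP keys}; every arrow is one HMAC."""
    k_seaf = kdf(k_ausf, 0x6C, snn)
    core = derive_core(k_seaf, supi, b"\x00\x00", ul_nas_count)   # ABBA = 0x0000 (constructed)
    return {"KSEAF": k_seaf, **core, **derive_gnb(core["KgNB"])}


# Constructed inputs for a stand-alone run.
K_AUSF = bytes(32)
SNN = b"5G:mnc001.mcc001.3gppnetwork.org"
SUPI = b"imsi-001010123456789"

if __name__ == "__main__":
    for name, key in full_hierarchy(K_AUSF, SNN, SUPI).items():
        print(f"{name:8s} {key.hex()}")
```

Because HMAC-SHA-256 is a one-way function of its key, the only way back up the chain is a brute-force search of the parent key space, which is what makes handing the gNB a 256-bit KgNB safe even though the gNB sits in a far less protected location than the AMF.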
Security enhancement: user plane integrity protection
In the lab, DNS spoofing can tamper with 4G user data (figure, UE, malicious relay, eNodeB, CN): 1. the UE asks for a valid server; 2. the relay tampers with the answer to point at a malicious server; 3. the malicious server; 4. the UE connects to the malicious server.
● The vulnerability stems from the lack of integrity protection for the LTE user plane.
● Exploitation is only possible under specific circumstances in lab conditions; commercial 4G networks still resist such attacks.
5G adds integrity protection to the user plane to prevent tampering (figure, UE, gNB, CN/5GC): NAS: confidentiality and integrity; RRC: confidentiality and integrity; UP: confidentiality and integrity.
Security enhancement: IMSI protection
New solutions for user identity protection:
● The public key stored in the universal integrated circuit card (UICC) encrypts the subscription permanent identifier (SUPI) over the air interface, yielding the subscription concealed identifier (SUCI).
● The 5G radio access network never obtains the permanent identifier of the user equipment.
4G: the IMSI is transmitted in plaintext. 5G: the SUPI is encrypted and concealed.
IMSI: International Mobile Subscriber Identity; SUCI: Subscription Concealed Identifier; SUPI: Subscription Permanent Identifier
IPsec/TLS secures communication between network elements (NEs) and between network functions (NFs)
Security between 3GPP network elements (figure: trusted domain, untrusted domain, trusted domain, IPsec across the untrusted hop):
● IPsec is used between 3GPP network elements.
● IPsec encryption and authentication ensure the confidentiality and integrity of transmitted data.
● IPsec authentication ensures the authenticity of the data source.
Security between 5GC network functions (figure: NEF, NRF, UDM, PCF, UDR, AMF, SMF, AUSF and NSSF on the 5GC control plane, with the service-based interface stack application / HTTP / TLS / TCP / IP / L2):
● HTTPS is used between 5GC functions.
● TLS provides encryption and integrity protection.
● Mutual (two-way) authentication via TLS prevents forged NFs from accessing the network.
End-to-end (E2E) security between PLMNs
● Security edge protection proxies (SEPPs) sit at the PLMN boundary and protect the control signalling exchanged between PLMNs, mitigating the risk of SS7-style attacks.
● SEPPs establish an end-to-end secure connection between PLMNs in one of two ways:
  - TLS (only where there is no IPX entity between the SEPPs)
  - the JOSE-based N32 application layer security protection mechanism
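An added example, not from the slides, of the idea behind the N32 application-layer option: the sending SEPP signs the message it hands to the IPX path, the receiving SEPP verifies it, and any modification by an intermediary is detected. The block uses a JWS compact serialization with HS256 over a shared key, which is an assumption made for illustration; the real N32-f protection (PRINS) encrypts protected information elements with JWE and uses JWS with per-IPX keys to authorize and sign IPX modifications, so this shows only the integrity half. The key and message contents are constructed.

```python
import base64
import hashlib
import hmac
import json


def b64u(data: bytes) -> str:
    """base64url without padding, as JOSE requires."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def b64u_dec(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def _canon(payload: dict) -> bytes:
    return json.dumps(payload, sort_keys=True, separators=(",", ":")).encode()


def jws_sign(key: bytes, payload: dict) -> str:
    """Sending SEPP: JWS compact serialization, HS256 (assumption: key agreed over N32-c)."""
    header = b64u(json.dumps({"alg": "HS256", "typ": "JOSE"}, separators=(",", ":")).encode())
    body = b64u(_canon(payload))
    sig = hmac.new(key, f"{header}.{body}".encode(), hashlib.sha256).digest()
    return f"{header}.{body}.{b64u(sig)}"


def jws_verify(key: bytes, token: str):
    """Receiving SEPP: returns the payload dict if the signature holds, otherwise None."""
    try:
        header, body, sig = token.split(".")
        if json.loads(b64u_dec(header)).get("alg") != "HS256":
            return None                       # reject algorithm substitution (e.g. "none")
        expected = hmac.new(key, f"{header}.{body}".encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, b64u_dec(sig)):
            return None
        return json.loads(b64u_dec(body))
    except (ValueError, UnicodeDecodeError):
        return None                           # malformed token


def ipx_tamper(token: str, field: str, value) -> str:
    """An intermediary rewriting one information element in transit; header and signature kept."""
    header, body, sig = token.split(".")
    payload = json.loads(b64u_dec(body))
    payload[field] = value
    return f"{header}.{b64u(_canon(payload))}.{sig}"


# Constructed N32 message and key for a stand-alone run.
N32_KEY = b"n32-c-negotiated-key"
MESSAGE = {"supi": "imsi-001010123456789",
           "servingNetworkName": "5G:mnc001.mcc001.3gppnetwork.org"}

if __name__ == "__main__":
    tok = jws_sign(N32_KEY, MESSAGE)
    print(jws_verify(N32_KEY, tok) == MESSAGE)                                   # True
    print(jws_verify(N32_KEY, ipx_tamper(tok, "supi", "imsi-001010000000000")))  # None
```

With pure TLS between SEPPs an IPX provider in the middle would have to terminate the connection and could rewrite anything; signing at the application layer is what lets the operator keep IPX services in the path while still detecting an altered SUPI or serving network name.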
After R16: optimization for vertical industries
Timeline (figure): 2018 to 2020, R16 and R17+.
Next security goals:
● Low-latency security mechanisms for URLLC: security mechanisms optimized for higher data rates; security functions optimized to reduce processing latency
● Lightweight security for mMTC: lightweight mechanisms matched to very low data-rate transmissions; minimal bit overhead for security
5G R16 overview
5G R16 keeps the earlier 5G security framework and makes corresponding improvements.
1. Evolution/improvement of the architecture
● R16 does not affect the 5G security architecture defined in R15.
● Convergence of wireline and wireless access is based on the NAS/AS security defined in R15.
● The basic framework defined in R15 has not changed; the architectural approach in R15 is the basis for ...
2. Empowering vertical industries
● The UE radio capability is sent only after AS security has been activated.
● AKMA has entered the normative phase: the 5G key structure is extended to the application boundary, and R16 only considers the non-roaming case.
● In addition to EAP-AKA', other types of protocol can be used in standalone private networks.
3. Security
● For redundant PDU sessions, URLLC strengthens the use of user-facing security policies; connectivity and security issues are under discussion.
● Small data transfer and CIoT: basic security procedures have been defined.
● The conclusion on UP IP (user plane integrity protection) is that the application of UP IP ...
● R16 defines the IAB node, which supports the UE's functionality; the F1 interface uses IPsec.
● Slice authentication for deployment options 2/4/5/7.
eV2X standardization process
Proposer: LG. Participants: LG, IDDC, Huawei, Ericsson, Nokia.
● Work already done in the standard:
✓ A separate TS has been established.
✓ It sets requirements for defending against linkability and traceability attacks at layer 2 and follows the LTE V2X solution.
● Research progress:
✓ Aspects to consider when switching between PC5 and Uu: security of multicast, security of broadcast, security of UE service authorization and deregistration, and handling of user plane security policies.
✓ The security of eV2X unicast messages on PC5 and solutions #3, #8, #19, #12 and #16 are the basis for the normative work above.
Integrated access and backhaul (IAB) standardization process
Proposer: Samsung. Participants: Huawei, Ericsson, Samsung, QC, Orange, AT&T.
● Progress on standardization:
✓ The UE function of the IAB node is referred to as the IAB-UE; it supports encryption, integrity protection and replay protection, as well as mutual authentication, for NAS and RRC signalling.
✓ The IAB integration process consists of three phases: IAB-UE setup; BH RLC channel setup and route update; IAB-DU setup.
✓ The IAB-UE function acts as a UE and reuses the UE procedures.
Ultra-reliable low-latency (URLLC) standardization process
Proposer: Huawei. Participants: Huawei, Ericsson, QC, Nokia.
● Standardization progress: 80%
✓ Redundant user plane paths based on dual connectivity:
  - The network (UDM and/or SMF) shall ensure the same UP security policy settings for both sessions.
  - The MN shall ensure that the first and the redundant PDU session have the same user plane security activation status.
  - Two alternatives: either the "Preferred" option is not allowed and the MN forwards the UP security policy to the SN; or the "Preferred" option is allowed, the MN decides on UP ciphering and integrity protection, and the MN then provides the resulting user plane security activation state to the SN.
✓ Redundant transport on the N3/N9 interfaces: NDS/IP multiplexing
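The dual-connectivity rules above, as an added example (not from the slides) in Python: the master node resolves the SMF's UP security policy into an activation state, the secondary node adopts that state rather than re-deciding "Preferred", and a final check confirms that both PDU sessions carry the same policy and the same activation state. The policy and state representations, the rule of switching a PREFERRED service off under high load, and the UE integrity data-rate flag are assumptions made for the example.

```python
REQUIRED, PREFERRED, NOT_NEEDED = "REQUIRED", "PREFERRED", "NOT NEEDED"
SERVICES = ("ciphering", "integrity")


def mn_decide(policy: dict, load_high: bool = False, ue_integrity_rate_ok: bool = True) -> dict:
    """Master node: resolves the SMF's UP security policy into the activation state of a session."""
    state = {}
    for svc in SERVICES:
        setting = policy[svc]
        if setting == REQUIRED:
            if svc == "integrity" and not ue_integrity_rate_ok:
                raise ValueError("cannot meet REQUIRED integrity: UE maximum integrity data rate too low")
            state[svc] = True
        elif setting == NOT_NEEDED:
            state[svc] = False
        elif setting == PREFERRED:
            state[svc] = not load_high          # local choice; assumption: switch off under high load
        else:
            raise ValueError(f"unknown UP security setting {setting!r}")
    return state


def sn_apply(policy: dict, mn_state: dict) -> dict:
    """Secondary node: takes the MN's activation state as given and never re-decides PREFERRED."""
    for svc in SERVICES:
        if policy[svc] == REQUIRED and not mn_state[svc]:
            raise ValueError(f"MN activation state violates REQUIRED {svc}")
        if policy[svc] == NOT_NEEDED and mn_state[svc]:
            raise ValueError(f"MN activation state violates NOT NEEDED {svc}")
    return dict(mn_state)


def redundant_sessions_consistent(policy_1: dict, policy_2: dict, state_1: dict, state_2: dict) -> list:
    """The two checks from the slide: same policy from UDM/SMF, same activation state on both paths."""
    problems = []
    if policy_1 != policy_2:
        problems.append("UP security policies of the two PDU sessions differ")
    if state_1 != state_2:
        problems.append("user plane security activation states differ")
    return problems


if __name__ == "__main__":
    policy = {"ciphering": REQUIRED, "integrity": PREFERRED}     # constructed SMF policy
    mn_state = mn_decide(policy)
    sn_state = sn_apply(policy, mn_state)
    print(redundant_sessions_consistent(policy, policy, mn_state, sn_state))   # []
```

Letting the SN decide PREFERRED on its own is exactly what the rules forbid: two nodes under different load would reach different answers, and the redundant path would then carry a weaker protection than the primary one while the session as a whole is assumed to be uniformly protected.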
Vertical LAN standardization process
Proposer: Nokia. Participants: Huawei, Ericsson, QC, Nokia, Orange.
● Summary of the report:
✓ Annex I of TS 33.501 applies to non-public networks (NPN).
✓ NPN here means standalone non-public networks (SNPN), which may use authentication methods other than AKA-based ones.
✓ When an EAP method other than EAP-AKA' is selected, the UE and the network use that EAP method's credentials in the authentication.
✓ Two new annexes, on 5G LAN and on TSN, were agreed.
AKMA standardization process
Proposer: CMCC (TS 33.535). Participants: CMCC, Huawei, Ericsson, QC, Nokia.
Figure: AKMA network model and key hierarchy.
● Progress on standardization:
✓ Requirements and functional descriptions added.
✓ AKMA network model and key hierarchy defined.
✓ Overall AKMA procedure introduced.
✓ Key lifetimes: the anchor key's lifetime is determined indirectly, the application key's directly.
✓ KAUSF is reused to generate the AKMA keys.
5G Release 17 security work planning
Security topics (figure: user plane, UPF, DN, TV):
● 5MBS: multicast/broadcast service security issues
● ProSe: D2D direct-connection communication security issues
● MEC: multi-access edge computing security issues
● User plane data integrity protection for deployment options 4/5/7

R17 security work in 3GPP SA3
● Unmanned aerial systems (UAS): Qualcomm leads the study; UAS security
● eNPN: Ericsson leads; authentication, UE admission, remote configuration
● eNA: China Mobile leads; detecting network attacks and abnormal events with NWDAF support
● User consent: Huawei leads; providing users with 3GPP security services while complying with user privacy norms
CHAPTER FOUR: 5G and Internet of Things Security
5G in IoT
Why IoT is growing
● Miniaturized and low-cost hardware devices
● Growing numbers of wireless networks, devices and nodes
● Enhanced cloud storage and processing capabilities
● An entrepreneurial culture that drives innovation
● Development of industrial IoT automation
● Society, economy, environment and lifestyle drive development
What is IoT
The Internet of Things (IoT) describes the network of physical objects ("things") that are embedded with sensors, software, and other technologies for the purpose of connecting and exchanging data with other devices and systems over the internet.

The Internet of Things is a network that connects any item to the Internet for information exchange and communication, using information collection devices such as RFID, sensors, infrared sensors, GPS and laser scanners, according to an agreed protocol, in order to achieve intelligent identification, positioning, tracking, monitoring and management.
Three-layer Framework for IoT
According to the process of sensing, transmission and processing of information by IoT, it is divided into three layers of structure, i.e. sensing layer, network layer and application layer.

Application layer: The application layer intelligently processes data and information from users to realize control of objects and complete information exchange between things and objects and people and objects.

Network layer: The network layer transmits the sensed object information reliably to the user through the existing communication and interconnection networks to realize the information transmission.

Sensing layer: The sensing layer uses sensing devices to achieve recognition of objects at any time and at any location to complete the collection of information.
Sensing Layer
The sensing layer allows for the collection of real-time data from a variety of sources, including temperature, humidity, motion, and light, among others.

⚫ RFID readers and tags
⚫ Environmental sensors
⚫ Infrared sensors
⚫ Wearable sensors
⚫ Smart meters
⚫ GPS receivers
Network Layer
The network layer in IoT refers to the communication infrastructure that enables the exchange of data between IoT devices and applications. The primary goal of the network layer is to provide connectivity between devices, and enable the devices to transmit and receive data reliably and securely.

⚫ Local Area Networks (LANs)
⚫ Wide Area Networks (WANs)
⚫ Cloud networks
⚫ Satellite networks
Application Layer
The application layer in IoT refers to the software and services that enable users to interact with IoT devices and analyze the data collected by these devices. The application layer provides the interface between the user and the IoT system, allowing users to monitor, control, and automate various aspects of their environment.

Device Management
This refers to the software and services used to manage IoT devices. It includes device provisioning, configuration, and monitoring. Device management software enables users to monitor the health of their devices, update firmware, and manage security settings.

Data Management and Analytics
This refers to the software and services used to collect, store, and analyze data from IoT devices. Data management and analytics software enable users to visualize and analyze data collected from IoT devices, identify patterns and trends, and make informed decisions based on this data.
IoT Security
The security of the Internet of Things (IoT)
is a complex and rapidly evolving topic. As IoT
devices and networks become more prevalent in
our daily lives, there is a growing concern about
the potential security risks they pose. Some of
the key challenges in securing IoT systems
include the large number of connected
devices, the wide range of technologies
involved, and the lack of standardization in
security practices.
The Scope of IoT Security
➢ Privacy extends from people to things:
◆ In the IoT environment, the privacy of people and things needs to be protected on
the same level. With the increasing automation capability and autonomous
intelligence of “things”, the issues of unauthorized identification, tracking
behavior, identity, and responsibility of things will become our key
considerations.
➢ Security of information carried by things:
◆ Information is distributed and overlaid on billions of “things” and is updated,
transferred and transformed in real time.
◆ We need to improve the security mechanisms such as confidentiality management
and access control of IoT information.
The Scope of IoT Security
➢ Information collection, transmission and security in sensing networks:
◆ The sensing nodes are multi-source heterogeneous, and they have simple functions
and small loads without being able to have complex security protection capabilities.
◆ Sensing networks are diverse, and there are no specific standards for data
transmission and messaging to provide a uniform security protection system.
➢ Transmission and information security of core network:
◆ The core network has relatively complete security protection, but the large number
of nodes in the IoT and the large amount of data sent can cause network congestion.
◆ The security architecture of existing communication networks is not applicable to
IoT. For the IoT, a security architecture suitable for sensing information transmission
and application should be established.
The Characteristics of IoT Security

Physical security: IoT devices may be physically vulnerable to attacks, such as tampering or theft.

Lifecycle management: IoT devices may have a long lifecycle and may be difficult to update or replace, making it challenging to maintain their security over time.

Heterogeneity: IoT systems consist of a variety of different devices and platforms that have different security requirements and capabilities.

Scalability: IoT systems are designed to be scalable, which means that security measures must be able to adapt and scale along with the system.

Connectivity: IoT devices are connected to the internet and other networks, making them vulnerable to cyber attacks.

Complexity: IoT systems are complex and often have multiple layers of hardware and software components, making it difficult to secure all aspects.

Data privacy: IoT devices collect and transmit sensitive data, such as personal and financial information, which must be protected from unauthorized access.
IoT Security Incidents

2010: The Stuxnet worm targeted industrial control systems and caused physical damage to nuclear centrifuges in Iran.

2015: Hackers demonstrated that they could take control of a Jeep Cherokee remotely through its internet-connected entertainment system.

2016: A malware named Mirai infected IoT devices to create a botnet and launch DDoS attacks, disrupting services for millions of users.

2017.5: WannaCry ransomware infected thousands of computers worldwide, including some IoT devices, encrypting their files and demanding ransom payments.

2017.9: A vulnerability in Bluetooth-enabled devices that could allow attackers to take control of them without any user interaction.

2020: Several U.S. government agencies were hacked via a software update from SolarWinds. Hackers can exploit a vulnerability in the software supply chain.

2021: Hackers were able to access over 150,000 Verkada security cameras and could view live video feeds.
Anatomy of an IoT Attack
IoT Attacks: Dolphin Attack
Threats at the Sensing Layer
The sensing layer consists of sensors that typically have limited processing power and storage capacity, which increases the risk of security problems and attacks.

Node capture: Node capture allows an attacker not only to obtain encryption keys and protocol state, but also to clone and redistribute malicious nodes across the network, potentially compromising the security of the entire network.

Denial of service (DoS) attacks: In this attack, a large number of requests are sent to an IoT device or network with the aim of overwhelming it and causing it to crash or stop responding.

Replay attacks: An attacker maliciously or fraudulently resends valid transmission data to disrupt the normal operation of an IoT device or to gain access to sensitive information.

Electromagnetic attacks: In this type of attack, attackers use electromagnetic waves to interfere with IoT devices or systems, causing malfunctions or other issues.
IoT Sensing Layer Security
⚫ Hardware security
➢ The hardware should have the security capability against hardware removal. The terminal should have the warning capability if it detects that it is being illegally removed. There should also be a connection timeout check mechanism and an automatic interface locking mechanism. Because of the large number of terminals, most of them are unattended, and the exposed hardware interfaces are easy for attackers to exploit directly.
➢ …
⚫ Access authentication security
➢ The terminal should have a two-way access authentication and identification mechanism for the console. The terminal should be able to identify the identity of the person giving the command (e.g., black and white list), and the access system should be able to terminate the current session with the perceptual layer access entity to be accessed when the identification response exceeds the specified time limit.
➢ …
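The replay threat listed above and the access-authentication requirements on this slide (identifying the command issuer against a black and white list, and terminating the session when the identification response exceeds the time limit) can be enforced in one terminal-side check. The Python below is an added example, not code from the slides: the frame format, the HMAC-based sender authentication, the per-sender sequence counter and the time limits are all assumptions.

```python
import hashlib
import hmac
from dataclasses import dataclass

@dataclass
class Frame:
    sender: str    # claimed identity of the party issuing the command
    seq: int       # per-sender counter; must strictly increase
    ts: float      # sender clock, seconds
    payload: bytes
    tag: bytes     # HMAC-SHA256 over the fields above (constructed frame format)

def _mac(key: bytes, sender: str, seq: int, ts: float, payload: bytes) -> bytes:
    msg = b"|".join([sender.encode(), str(seq).encode(), f"{ts:.3f}".encode(), payload])
    return hmac.new(key, msg, hashlib.sha256).digest()

def make_frame(key: bytes, sender: str, seq: int, ts: float, payload: bytes) -> Frame:
    # Console side: authenticate a command frame with the shared per-console key.
    return Frame(sender, seq, ts, payload, _mac(key, sender, seq, ts, payload))

class TerminalAccessGuard:
    """Terminal-side half of the two-way check: allow/deny list on the sender,
    authenticated frames, freshness and replay rejection, session time limit."""

    def __init__(self, keys: dict, allowlist, denylist=(), max_skew=5.0, response_limit=3.0):
        self.keys, self.allow, self.deny = keys, set(allowlist), set(denylist)
        self.max_skew, self.response_limit = max_skew, response_limit
        self.last_seq, self.session = {}, None  # highest accepted seq per sender; open session

    def verify_frame(self, f: Frame, now: float):
        if f.sender in self.deny or f.sender not in self.allow:
            return False, "sender not permitted"
        key = self.keys.get(f.sender)
        if key is None or not hmac.compare_digest(f.tag, _mac(key, f.sender, f.seq, f.ts, f.payload)):
            return False, "bad authentication tag"
        if abs(now - f.ts) > self.max_skew:           # outside the freshness window
            return False, "stale timestamp"
        if f.seq <= self.last_seq.get(f.sender, -1):  # a resent valid frame is a replay
            return False, "replayed frame"
        self.last_seq[f.sender] = f.seq
        return True, "ok"

    def identification_response(self, f: Frame, challenged_at: float, now: float):
        # Console's answer to the terminal's identification challenge issued at challenged_at.
        if now - challenged_at > self.response_limit:
            self.session = None
            return False, "identification response too late; session terminated"
        ok, why = self.verify_frame(f, now)
        self.session = f.sender if ok else None
        return ok, why
```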
Threats at the Network Layer
The network layer is responsible for the transmission of data from the sensing layer to the application layer, mainly for data routing and data analysis.

Man-in-the-middle (MITM) attacks: In this type of attack, the attacker intercepts the communication between two devices and can eavesdrop, modify, or inject malicious data into the conversation.

Eavesdropping attacks: This type of passive attack allows an intruder to eavesdrop on private communications over a communications link. The intruder can extract useful information.
IoT Network Layer Security
⚫ Secure routing
➢ Adding intrusion tolerance strategies to routing can improve the security of the IoT.
➢ Use the multi-path routing method to defend against selective forwarding attacks. Multipath routing allows nodes to dynamically select the next hop of a packet, which further reduces an intruder's ability to control the data flow.
➢ Add a security level strategy in routing design to resist wormhole attacks and trap attacks.
➢ …
⚫ High-speed transmission network security
➢ To ensure the security of the whole communication link from the terminal to the management platform, the IoT security gateway needs to provide a fully encrypted communication link from the terminal to the system's unified management platform by establishing a virtual private network for IoT.
➢ The IoT security gateway needs to implement behavior control after terminal access, so as to prevent counterfeit terminals, abnormal terminals and other devices from attacking the business platform after accessing the unified management platform of the system.
➢ …
Threats at the Application Layer
The application layer can calculate, process and mine knowledge from the data collected in the perception layer to achieve real-time control, precise management and scientific decision-making of the physical world.

Data Accessibility and Authentication: Each application may have many users, implying different permissions and access controls, and fake or illegal users can have a significant impact on the availability of the entire system.

Privacy Protection: As sensing nodes are mostly unattended, they collect a lot of private data from users in certain IoT applications, and this private data is vulnerable to leakage.
IoT Application Layer Security
⚫ Cloud security
➢ A cloud storage system has a stronger data security approach than traditional storage methods. Cloud storage data is distributed: only very small blocks of data are stored on each storage device, so stealing data from a particular device does not yield the complete video data.
➢ The clustered and distributed nature of the cloud storage system guarantees that no data will be lost due to instability of a device.
➢ …
⚫ Privacy protection
➢ Among the technical means, the security of personal information can be increased through authentication technology, authorization technology, etc., which also increases the difficulty for criminals to eavesdrop on information.
➢ Among the management means, the practice of managing network equipment data information should be adopted. Information protection codes should be added to the system program to improve the security index of the system.
➢ …
