REPORT
Topic: TOPIC 14
LIST OF FIGURES
LIST OF TABLES
Table 1: Organized analysis of the State of the Art for 5G Security
CHAPTER I: OVERVIEW OF 5G
Figure 1: Formation and development of 5G network
With superior data transmission speeds, 5G networks will allow IoT systems to continuously
monitor device health and performance. In the smart factory model (Smart Factory), rapid
monitoring and feedback help the factory limit defective products and increase productivity.
Figure 3: Challenges related to information security
Vulnerable user privacy and safety: the popularity of 5G, together with the IoT trend, means that
internet-connected devices and micro-transceiver stations are deployed everywhere. An attacker
can therefore collect and track the exact location of a user, making it easier to capture the user's
behavior and access history. Another problem is that network service providers will have deeper,
broader access to the large amounts of data sent by users' multiple devices. As a result, the user's
private information may be revealed or used for purposes such as advertising and data brokerage.
In an interconnected world of things, any threat in the network will have a major impact on the
entire network. Therefore, the higher the dependence on 5G networks, the greater the risk, which
can even cause disaster on a national or international scale. For example, a malfunction in a
remote-control link can cost the life of a patient undergoing surgery; self-driving cars can cause
accidents if the connection is lost; smart cities, intelligent transportation systems and factory
automation can stop working during a power or internet outage; and leaking classified information
puts national security in a critical situation.
CHAPTER II: 5G NETWORK SECURITY SOLUTION – DATA ENCRYPTION
The two most common encryption methods are symmetric and asymmetric encryption. The names
refer to whether or not the same key is used for encryption and decryption:
Symmetric encryption keys: This is also known as private-key (or secret-key) encryption. The key
used to encode is the same as the one used to decode, making it best suited to individual users and
closed systems. When two parties communicate, the key must first be sent to the receiver, which
increases the risk of compromise if it is intercepted by a third party, such as a hacker. This method
is faster than the asymmetric method.
Asymmetric encryption keys: This type uses two different keys, a public key and a private key,
that are linked together mathematically. The keys are essentially large numbers that have
been paired with each other but are not identical, hence the term asymmetric. The private
key is kept secret by the owner, and the public key is either shared amongst authorized
recipients or made available to the public at large.
Data encrypted with the recipient's public key can only be decrypted with the corresponding
private key.
Encryption algorithms are used to turn data into ciphertext. An algorithm uses the encryption key
to alter the data in a predictable way so that, even though the encrypted data will appear random,
it can be turned back into plaintext by using the decryption key.
There are several different types of encryption algorithms designed to suit different purposes. New
algorithms are developed when older ones become insecure. Some of the best-known encryption
algorithms include:
o DES encryption
DES stands for Data Encryption Standard. This is a now-outdated symmetric encryption algorithm
that is not considered suitable for today's uses (its 56-bit key can be brute-forced). Other
encryption algorithms have therefore succeeded DES.
o 3DES encryption
3DES stands for Triple Data Encryption Standard. This is a symmetric key algorithm, and the word
"triple" is used because data is passed through the original DES algorithm three times during the
encryption process. Triple DES is being slowly phased out but still serves as a dependable
hardware encryption solution for financial services and other industries.
o AES encryption
AES stands for Advanced Encryption Standard and was developed to replace the original DES
algorithm. Some of the more common applications of the AES algorithm include messaging apps
such as Signal or WhatsApp and the file archiver program WinZip.
o RSA encryption
RSA was the first asymmetric encryption algorithm widely available to the public. RSA is popular
because of its long key length and is therefore widely used for secure data transmission. RSA stands
for Rivest, Shamir, and Adleman, the surnames of the mathematicians who first described this
algorithm. RSA is considered an asymmetric algorithm because it uses a pair of keys.
o Twofish encryption
Used in both hardware and software, Twofish is regarded as one of the fastest of its kind. Twofish
is not patented, making it freely available to anyone who wants to use it. As a result, you will find it
bundled in encryption programs such as PhotoEncrypt, GPG, and the popular open-source
software TrueCrypt.
o RC4 encryption
Used in WEP and WPA, which are encryption protocols commonly used in wireless routers. RC4
itself is now considered insecure and should not be chosen for new designs.
Asymmetric encryption examples include RSA and DSA. Symmetric encryption examples include
RC4 and DES. Alongside encryption algorithms, there is also what is known as the Common
Criteria (CC):
This is not an encryption standard, but a set of international guidelines for verifying that a
product's security claims stand up to scrutiny.
CC guidelines were created to provide vendor-neutral, third-party oversight of security
products.
Products under review are submitted voluntarily by vendors, and either the whole product or
individual functionalities are examined.
When a product is evaluated, its features are tested according to a defined set of standards
for its product type.
Initially, encryption was outside the scope of the Common Criteria, but it is increasingly being
included within its security standards.
Hackers don't just steal information; they can also alter data to commit fraud. While it is
possible for skilled hackers to alter encrypted data, recipients of the data will be able to detect
the corruption, allowing for a quick response.
o Encryption helps organizations adhere to regulations
Many industries – for example, financial services or healthcare providers – have strict
regulations about how consumer data is used and stored. Encryption helps organizations meet
those standards and ensure compliance.
- Elliptic Curve Cryptography (ECC): ECC is a public-key cryptography method that uses
elliptic curves to generate the public and private keys. It is used in 5G networks for key
exchange and authentication.
- Public Key Infrastructure (PKI): PKI is a system that uses public key cryptography to verify
the authenticity of digital certificates. In 5G networks, PKI is used to establish trust between
devices and networks.
- Transport Layer Security (TLS): TLS is a protocol that provides secure communication over a
network. It is used in 5G networks to secure the communication between devices and servers.
- Symmetric Key Encryption: Symmetric key encryption uses the same key for both
encryption and decryption of data. In 5G networks, the most commonly used symmetric
key encryption algorithm is the Advanced Encryption Standard (AES) with a 256-bit key
length.
- Asymmetric Key Encryption: Asymmetric key encryption uses a pair of keys, a public key
for encryption and a private key for decryption. In 5G networks, the most commonly used
asymmetric key encryption algorithm is Elliptic Curve Cryptography (ECC).
- Key Agreement: Key agreement protocols are used to establish a shared secret key between
two parties. In 5G networks, the most commonly used key agreement protocol is the
Diffie-Hellman (DH) key exchange algorithm.
- Hashing: Hashing is a technique used to verify the integrity of data. In 5G networks, the
most commonly used hashing algorithm is the Secure Hash Algorithm (SHA).
- Message Authentication Codes (MACs): MACs are used to verify the authenticity of a
message. In 5G networks, the most commonly used MAC algorithm is HMAC-SHA256.
- Digital Signatures: Digital signatures are used to verify the authenticity of a message or
document. In 5G networks, the most commonly used digital signature algorithm is the
Elliptic Curve Digital Signature Algorithm (ECDSA).
CHAPTER III: 5G AUTHENTICATION
3.1 Introduction
Authentication and key management are fundamental to the security of cellular networks because
they provide mutual authentication between users and the network and derive cryptographic keys
to protect both signaling and user plane data. Each generation of cellular networks always defines
at least one authentication method. For example, 4G defines 4G EPS-AKA, and 5G defines three
authentication methods—5G-AKA, EAP-AKA’, and EAP-TLS.
Service-based architecture (SBA) has been proposed for the 5G core network. Accordingly, new
entities and new service requests have also been defined in 5G. Some of the new entities relevant
to 5G authentication are listed below.
The Security Anchor Function (SEAF) is in a serving network and is a “middleman” during
the authentication process between a UE and its home network. It can reject an
authentication from the UE, but it relies on the UE’s home network to accept the
authentication.
The Authentication Server Function (AUSF) is in a home network and performs
authentication with a UE. It makes the decision on UE authentication, but it relies on
backend service for computing the authentication data and keying materials when 5G-AKA
or EAP-AKA’ is used.
Unified data management (UDM) is an entity that hosts functions related to data
management, such as the Authentication Credential Repository and Processing Function
(ARPF), which selects an authentication method based on subscriber identity and
configured policy and computes the authentication data and keying materials for the AUSF
if needed.
The Subscription Identifier De-concealing Function (SIDF) decrypts a Subscription
Concealed Identifier (SUCI) to obtain its long-term identity, namely the Subscription
Permanent Identifier (SUPI), e.g., the IMSI. In 5G, a subscriber's long-term identity is
always transmitted over the radio interfaces in an encrypted form. More specifically,
public-key encryption is used to protect the SUPI, and only the SIDF has access to the
private key associated with the public key distributed to UEs for encrypting their SUPIs.
When EAP (Extensible Authentication Protocol) is used (e.g., EAP-AKA’ or EAP-TLS), EAP
authentication is between the UE (an EAP peer) and the AUSF (an EAP server) through the SEAF
(functioning as an EAP pass-through authenticator).
When authentication is over untrusted, non-3GPP access networks, a new entity, namely the
Non-3GPP Interworking Function (N3IWF), is required to function as a VPN server to allow the
UE to access the 5G core over untrusted, non-3GPP networks through IPsec (IP Security) tunnels.
Several security contexts can be established with one authentication execution, allowing the UE
to move from a 3GPP access network to a non-3GPP network without having to be reauthenticated.
3.1.2 5G-AKA
5G defines new authentication-related services. For example, the AUSF provides authentication
service through Nausf_UEAuthentication, and UDM provides its authentication service through
Nudm_UEAuthentication. For simplicity, generic messages such as Authentication Request and
Authentication Response are used in Figure 4 without referring to the actual authentication service
names. Further, an authentication vector includes a set of data, but only a subset is shown in Figure
4.
In 5G-AKA, the SEAF may start the authentication procedure after receiving any signaling
message from the UE. Note that the UE should send the SEAF a temporary identifier (a 5G-GUTI)
or an encrypted permanent identifier (a SUCI) if a 5G-GUTI has not been allocated by the serving
network for the UE. The SUCI is the encrypted form of the SUPI using the public key of the home
network. Thus, a UE’s permanent identifier, e.g., the IMSI, is never sent in clear text over the radio
networks in 5G. This feature is considered a major security improvement over prior generations
such as 4G.
The SEAF starts authentication by sending an authentication request to the AUSF, which first
verifies that the serving network requesting the authentication service is authorized. Upon success,
the AUSF sends an authentication request to UDM/ARPF. If a SUCI is provided by the AUSF,
then the SIDF will be invoked to decrypt the SUCI to obtain the SUPI, which is further used to
select the authentication method configured for the subscriber. In this case, 5G-AKA is selected
and executed.
UDM/ARPF starts 5G-AKA by sending the authentication response to the AUSF with an
authentication vector consisting of an AUTH token, an XRES token, the key KAUSF, and the
SUPI if applicable (e.g., when a SUCI is included in the corresponding authentication request),
among other data.
The AUSF computes a hash of the expected response token (HXRES), stores the KAUSF, and
sends the authentication response to the SEAF, along with the AUTH token and the HXRES. Note
that the SUPI is not sent to the SEAF in this authentication response. It is only sent to the SEAF
after UE authentication succeeds.
The SEAF stores the HXRES and sends the AUTH token in an authentication request to the UE.
The UE validates the AUTH token by using the secret key it shares with the home network. If
validation succeeds, the UE considers the network to be authenticated. The UE continues the
authentication by computing and sending the SEAF a RES token, which is validated by the SEAF.
Upon success, the RES token is further sent by the SEAF to the AUSF for validation. Note that
the AUSF, which is in a home network, makes the final decision on authentication. If the RES
token from the UE is valid, the AUSF computes an anchor key (KSEAF) and sends it to the SEAF,
along with the SUPI if applicable. The AUSF also informs UDM/ARPF of the authentication
results so they can log the events, e.g., for the purpose of auditing.
Upon receiving the KSEAF, the SEAF derives the AMF key (KAMF) (and then deletes the
KSEAF immediately) and sends the KAMF to the co-located Access and Mobility Management
Function (AMF). The AMF will then derive from the KAMF (a) the confidentiality and integrity
keys needed to protect signaling messages between the UE and the AMF and (b) another key,
KgNB, which is sent to the Next Generation NodeB (gNB) base station for deriving the keys used
to protect subsequent communication between the UE and the gNB. Note that the UE has the long-
term key, which is the root of the key derivation hierarchy. Thus, the UE can derive all of the above
keys, resulting in a shared set of keys between the UE and the network.
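The following Python is an added example, not code from the original report or from 3GPP: it walks the 5G-AKA exchange described above with a constructed subscriber key and serving network name, showing the SEAF checking only the hash HXRES* while the AUSF makes the final decision and releases KSEAF, after which both sides hold the same KAMF. The USIM algorithm is a constructed stand-in (not MILENAGE), AUTN is reduced to its MAC, and the KDF input layout and FC values (0x6A, 0x6B, 0x6C, 0x6D) are assumptions taken from my reading of TS 33.501 Annex A, so treat them as illustrative rather than normative.

```python
import hashlib
import hmac
import os

# Constructed sample values (not real subscriber data).
SUPI = b"imsi-999990000000001"
K = bytes.fromhex("000102030405060708090a0b0c0d0e0f")  # long-term key shared by UE and UDM/ARPF
SERVING_NETWORK = b"5G:mnc099.mcc999.3gppnetwork.org"   # assumed serving network name
ABBA = b"\x00\x00"


def kdf(key: bytes, fc: int, *params: bytes) -> bytes:
    """TS 33.220-style KDF: HMAC-SHA256(key, FC || P0 || len(P0) || P1 || len(P1) ...)."""
    s = bytes([fc])
    for p in params:
        s += p + len(p).to_bytes(2, "big")
    return hmac.new(key, s, hashlib.sha256).digest()


def usim_algorithms(k: bytes, rand: bytes) -> dict:
    """Constructed stand-in for the USIM algorithm set (MILENAGE in real networks):
    derive MAC, RES, CK and IK from K and RAND. Not MILENAGE, only its shape."""
    tag = lambda label: hmac.new(k, label + rand, hashlib.sha256).digest()
    return {"mac": tag(b"MAC")[:8], "res": tag(b"RES")[:8],
            "ck": tag(b"CK")[:16], "ik": tag(b"IK")[:16]}


def derive_keys(ck: bytes, ik: bytes, rand: bytes, res: bytes, sn: bytes) -> dict:
    """Derivations that the UE and the home network both perform.
    FC values assumed: 0x6B RES*/XRES*, 0x6A KAUSF, 0x6C KSEAF, 0x6D KAMF."""
    res_star = kdf(ck + ik, 0x6B, sn, rand, res)[16:]   # keep 128 least-significant bits
    k_ausf = kdf(ck + ik, 0x6A, sn, b"\x00" * 6)        # SQN xor AK simplified to zeros
    k_seaf = kdf(k_ausf, 0x6C, sn)
    k_amf = kdf(k_seaf, 0x6D, SUPI, ABBA)
    return {"res_star": res_star, "k_ausf": k_ausf, "k_seaf": k_seaf, "k_amf": k_amf}


def hxres_star(rand: bytes, res_star: bytes) -> bytes:
    """HXRES* = 128 least-significant bits of SHA-256(RAND || RES*) (TS 33.501 A.5)."""
    return hashlib.sha256(rand + res_star).digest()[16:]


def run_5g_aka(tamper_res: bool = False) -> dict:
    """Walk the flow: UDM/ARPF -> AUSF -> SEAF -> UE -> SEAF -> AUSF -> SEAF."""
    # UDM/ARPF: build the authentication vector (AUTN reduced to the MAC).
    rand = os.urandom(16)
    hn = usim_algorithms(K, rand)
    hn_keys = derive_keys(hn["ck"], hn["ik"], rand, hn["res"], SERVING_NETWORK)
    autn, xres_star, k_ausf = hn["mac"], hn_keys["res_star"], hn_keys["k_ausf"]

    # AUSF: store KAUSF; forward AUTN and HXRES* (but not the SUPI) to the SEAF.
    seaf_hxres = hxres_star(rand, xres_star)

    # UE: validate AUTN with its own K, then compute RES* and its key hierarchy.
    ue = usim_algorithms(K, rand)
    if not hmac.compare_digest(ue["mac"], autn):
        return {"outcome": "ue_rejected_network"}
    ue_keys = derive_keys(ue["ck"], ue["ik"], rand, ue["res"], SERVING_NETWORK)
    res_star = ue_keys["res_star"]
    if tamper_res:
        res_star = bytes(b ^ 0xFF for b in res_star)  # constructed: corrupted response

    # SEAF: compare the hash of the received RES* with the stored HXRES*.
    if not hmac.compare_digest(hxres_star(rand, res_star), seaf_hxres):
        return {"outcome": "seaf_rejected_ue"}

    # AUSF: final decision on RES*, then derive KSEAF and release it with the SUPI.
    if not hmac.compare_digest(res_star, xres_star):
        return {"outcome": "ausf_rejected_ue"}
    k_seaf = kdf(k_ausf, 0x6C, SERVING_NETWORK)

    # SEAF: derive KAMF, discard KSEAF, hand KAMF to the co-located AMF.
    k_amf = kdf(k_seaf, 0x6D, SUPI, ABBA)
    del k_seaf
    return {"outcome": "success", "supi": SUPI,
            "network_k_amf": k_amf, "ue_k_amf": ue_keys["k_amf"]}


if __name__ == "__main__":
    result = run_5g_aka()
    print(result["outcome"], "keys match:", result["network_k_amf"] == result["ue_k_amf"])
    print("tampered RES*:", run_5g_aka(tamper_res=True)["outcome"])
```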
5G-AKA differs from 4G EPS-AKA in primarily the following areas:
Entities involved in the authentication are different because of the new service-based
architecture in 5G. Particularly, the SIDF is new; it does not exist in 4G.
The UE always uses the public key of the home network to encrypt the UE permanent
identity before it is sent to a 5G network. In 4G, the UE always sends its permanent
identifier in clear text to the network, allowing it to be stolen by either a malicious network
(e.g., a faked base station) or a passive adversary over the radio links (if communication
over radio links is not protected).
The home network (e.g., the AUSF) makes the final decision on UE authentication in 5G.
In addition, results of UE authentication are also sent to UDM to be logged. In 4G, a home
network is consulted during authentication only to generate authentication vectors; it does
not make decisions on the authentication results.
Key hierarchy is longer in 5G than in 4G because 5G introduces two intermediate keys,
KAUSF and KAMF (see Figure 5). Note: KSEAF is the anchor key in 5G, equivalent to
KASME in 4G.
3.1.3 EAP-AKA’
EAP-AKA’ [1] is another authentication method supported in 5G. It is also a challenge-and-
response protocol based on a cryptographic key shared between a UE and its home network. It
accomplishes the same level of security properties as 5G-AKA, e.g., mutual authentication
between the UE and the network. Because it is based on EAP [2], its message flows differ from
those of 5G-AKA. Note that EAP messages are encapsulated in NAS messages between the UE
and the SEAF and in 5G service messages between the SEAF and the AUSF. Other differences
between 5G-AKA and EAP-AKA’ are as follows.
The role of the SEAF in authentication differs slightly. In EAP-AKA’, EAP message
exchanges are between the UE and the AUSF through the SEAF, which transparently
forwards the EAP messages without being involved in any authentication decision. In 5G-
AKA, the SEAF also verifies the authentication response from the UE and may take action
if the verification fails, although such action has not yet been defined in 3GPP TS 33.501 [4].
Key derivation differs slightly. In 5G-AKA, the KAUSF is computed by UDM/ARPF and
sent to the AUSF. In EAP-AKA’, the AUSF derives the KAUSF itself in part based on the
keying materials received from UDM/ARPF. More specifically, the AUSF derives an
Extended Master Session Key (EMSK) based on the keying materials received from UDM
according to EAP and then uses the first 256 bits of the EMSK as the KAUSF.
3.1.4 EAP-TLS
EAP-TLS[3] is defined in 5G for subscriber authentication in limited use cases such as private
networks and IoT environments. When selected as the authentication method by UDM/ARPF,
EAP-TLS is performed between the UE and the AUSF through the SEAF, which functions as a
transparent EAP authenticator by forwarding EAP-TLS messages back and forth between the UE
and the AUSF. To accomplish mutual authentication, both the UE and the AUSF can verify each
other’s certificate or a pre-shared key (PSK) if it has been established in a prior Transport Layer
Security (TLS) handshaking or out of band. At the end of EAP-TLS, an EMSK is derived, and the
first 256 bits of the EMSK is used as the KAUSF. As in 5G-AKA and EAP-AKA’, the KAUSF is
used to derive the KSEAF, which is further used to derive other keying materials (see Figure 5)
needed to protect communication between the UE and the network.
EAP-TLS fundamentally differs from 5G-AKA and EAP-AKA’ in how trust is established
between a UE and the network, i.e., it uses a different trust model. In EAP-TLS, mutual
authentication between a UE and a 5G network is obtained primarily from the mutual trust of
their public key certificates; TLS with a PSK is possible but is rarely used
except for session resumption. In AKA-based methods, such trust is based solely on a symmetric
key shared between a UE and the network.
Such a fundamental difference is significant in that EAP-TLS removes the need to store a large
number of long-term keys in the home network (e.g., in UDM), thus reducing operational risks in
the life cycle of symmetric key management. On the other hand, EAP-TLS introduces new
overhead in certificate management, such as certificate issuance and revocation.
CHAPTER IV: MONITORING AND PREVENTING CYBER ATTACKS IN 5G
4.1 Monitoring
4.1.1 General Introduction
- Network monitoring is an important network management tool for mobile networks. Its
significance has increased with the continuous growth of network traffic and the adoption of
virtualization. A monitoring system collects network statistics, access traffic, application and user
profiles, as well as flow patterns at different time intervals and levels of detail to evaluate the
network status for various management tasks such as application identification, anomaly detection,
network investigation, load balancing, traffic engineering, SLA enforcement, QoS/QoE, and
network maintenance. Therefore, a network monitoring system must be capable of monitoring the
network and traffic flows at different levels of detail and of obtaining measurable data at the
required aggregation level, time interval, bandwidth utilization, and accuracy.
- Traditionally, network monitoring systems are deployed at specific locations within a mobile
network to monitor data at network borders or at ingress/egress points.
- Similarly, many security monitoring systems are currently based on interfaces and physical
systems. However, as mobile networks evolve and network management and security become
more complex, the monitoring systems used today will not be able to support flexible changing
structures and increasingly new technologies such as cloud networks and virtual environments.
These challenges become more severe for wireless networks because radio channels are
susceptible to interference and access networks are vulnerable to interruption on important links,
MAC abuse, and flooding attacks [4].
- One of the important transitions in 5G networks is the use of two new concepts: Network
Function Virtualization (NFV) and Software-Defined Networking (SDN) [5-6]. SDN separates
network control from data forwarding devices and allows programming capability by providing a
programmable interface to the network devices. The control plane is centralized in high-end
servers with the ability to program multiple network devices at runtime. The SDN control plane
has better global visibility and control over packets traversing the network. Since the network is
controlled from centralized controllers and the network components have programmable
interfaces, network monitoring can reach a higher level of efficiency at lower cost and complexity.
NFV is an ETSI standardized architecture for separating network functions from hardware. NFV
means that network functions will run as a service on commercial off-the-shelf hardware.
- On the one hand, the limitations of the previous monitoring system for secure wireless networks
can be overcome by introducing a new monitoring architecture based on SDN and NFV. On the
other hand, the use of SDN and NFV presents new challenges for monitoring and detecting
network failures. This chapter investigates the challenges posed by SDN and NFV in 5G networks
and how 5G operators need to address them by using effective network monitoring solutions.
Additionally, I emphasize the new opportunities that will help achieve efficient SDN- and
NFV-based 5G network monitoring.
4.1.2 Existing monitoring techniques
There are various network monitoring techniques with different levels of capability that exist
in today's network management space [5]. First, there are the router-based monitoring protocols
that allow the collection of information provided by network elements (NEs):
Simple Network Management Protocol (SNMP): for managing NEs and higher-level
information regarding resource usage (e.g., monitoring router and switch bandwidth
usage, device information such as memory usage, CPU load, etc.);
Remote Monitoring (RMON): for exchanging network monitoring data;
NetFlow or sFlow: for collecting information on IP network flows and bandwidth
utilization.
These protocols are mostly dedicated to performance analysis and network management, but some
of them, NetFlow for instance, are also used to detect certain security issues. Current networks also
use packet sniffing, Deep Packet Inspection (DPI), Deep Flow Inspection (DFI), virus scanners,
malware detection, and other techniques to analyze network packet headers, complete packets, or
packet payloads.
These are used by NIDS (Network Intrusion Detection System), IDPS (Intrusion Detection and
Prevention System), firewalls, antivirus scanning devices, content filtering devices, and when
combined with various methods (e.g., statistics, machine learning, behavior analysis, and pattern
matching), to detect security violations (i.e., passive security devices) or to prevent/block detected
security issues (i.e., active security devices).
Network monitoring solutions come in various variations, depending on what they measure and
how they collect data:
a) Active Probing: is an approach that focuses on data collection services based on aggregate
measurements, namely ICMP Echo requests, HTTP GET requests, or specially crafted
packets. Typically, these measurements attempt to analyze network attributes that cannot
be captured from purely passive measurements and are considered the only way to measure
service availability.
b) Device polling: an approach that focuses on the device as the center, querying devices
usually using SNMP (Simple Network Management Protocol), collecting information
about interface status, traffic flow, device load, CPU, etc.
c) Flow Collection: a solution for collecting traffic information from network devices such as
routers/switches. Here, access traffic can be aggregated into flows using, for example,
Cisco Netflow, and stored on disk for analysis later. Flow data is easier to analyze and
process than packet data, but provides less detailed information.
d) Packet analysis: typically involves using a SPAN port from a switch or network tap and
extracting information from individual packets, including payload information through
DPI (Deep Packet Inspection).
e) Log analysis: is a solution for collecting data generated by systems, usually in the form of
log files (e.g. system logs), and presenting a query interface to correlate events across
different types of systems, such as routers, web servers, load balancers.
Combining the aforementioned sources of information produces what is known as
Security Information and Event Management (SIEM) technology. SIEM provides both Security
Information Management (SIM) and Security Event Management (SEM). The SIEM technology
aggregates event data generated by security devices, network infrastructure, systems, and
applications. The primary data source is log data, but SIEM technology can also process other
types of data such as NetFlow and Deep Packet Inspection (DPI). Event data is correlated with
contextual information about users, assets, threats, and vulnerabilities. The data is normalized so
that events, data, and contextual information from different sources can be correlated and analyzed
for specific purposes such as monitoring network security events, user activity monitoring, and
compliance reporting. This technology provides real-time security monitoring capabilities,
historical/trend analysis, and other support for incident investigation (e.g., forensics) and
compliance reporting.
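As an added example (not part of the original report), the following Python models the SIEM normalization and correlation described above over a few constructed NetFlow-style records and N3IWF syslog lines: two different sources are mapped onto one event schema and then correlated per source address, so that a SYN-flooding pattern toward one host and a burst of IKE authentication failures from the same address surface as a single, higher-severity alert. Hostnames, log formats, addresses and thresholds are assumptions.

```python
import csv
import io
import re
from collections import defaultdict
from datetime import datetime

# Constructed NetFlow-style export (not real traffic): one source sends six
# single-packet SYN-only flows in four seconds; another has ordinary sessions.
FLOW_CSV = """ts,src,dst,dport,proto,packets,bytes,tcp_flags
2024-05-01T10:00:01,198.51.100.7,192.0.2.10,443,tcp,1,60,S
2024-05-01T10:00:02,198.51.100.7,192.0.2.10,443,tcp,1,60,S
2024-05-01T10:00:02,198.51.100.7,192.0.2.10,443,tcp,1,60,S
2024-05-01T10:00:03,198.51.100.7,192.0.2.10,443,tcp,1,60,S
2024-05-01T10:00:04,198.51.100.7,192.0.2.10,443,tcp,1,60,S
2024-05-01T10:00:05,198.51.100.7,192.0.2.10,443,tcp,1,60,S
2024-05-01T10:00:07,203.0.113.5,192.0.2.10,443,tcp,42,31880,SPA
2024-05-01T10:00:09,203.0.113.5,192.0.2.11,443,tcp,18,9020,SPA
"""

# Constructed syslog lines from an N3IWF (the VPN gateway for non-3GPP access).
SYSLOG = """2024-05-01T10:00:03 n3iwf-1 ike: IKE_AUTH failed from 198.51.100.7
2024-05-01T10:00:04 n3iwf-1 ike: IKE_AUTH failed from 198.51.100.7
2024-05-01T10:00:06 n3iwf-1 ike: IKE_AUTH failed from 198.51.100.7
2024-05-01T10:00:08 n3iwf-1 ike: IKE_AUTH established from 203.0.113.5
"""

SYSLOG_RE = re.compile(r"^(?P<ts>\S+) (?P<host>\S+) (?P<proc>[\w-]+): (?P<msg>.*)$")
IP_RE = re.compile(r"\bfrom (\d{1,3}(?:\.\d{1,3}){3})\b")


def normalize_flows(text: str) -> list:
    """Map NetFlow-style rows onto the common event schema (ts, source, src, dst, kind)."""
    events = []
    for row in csv.DictReader(io.StringIO(text)):
        syn_only = row["tcp_flags"] == "S" and int(row["packets"]) == 1
        events.append({"ts": datetime.fromisoformat(row["ts"]), "source": "netflow",
                       "src": row["src"], "dst": row["dst"],
                       "kind": "syn_only" if syn_only else "flow"})
    return events


def normalize_syslog(text: str) -> list:
    """Map syslog lines onto the same schema; the peer address is pulled from the message."""
    events = []
    for line in text.strip().splitlines():
        m = SYSLOG_RE.match(line)
        if not m:
            continue  # unparseable line: skipped here, would be counted in a real SIEM
        ip = IP_RE.search(m["msg"])
        kind = "auth_failure" if "failed" in m["msg"] else "log"
        events.append({"ts": datetime.fromisoformat(m["ts"]), "source": "syslog",
                       "src": ip.group(1) if ip else None, "dst": m["host"], "kind": kind})
    return events


def within_window(times: list, window_s: int) -> bool:
    """True when all timestamps fall inside a span of window_s seconds."""
    times = sorted(times)
    return bool(times) and (times[-1] - times[0]).total_seconds() <= window_s


def correlate(events: list, window_s: int = 60, syn_threshold: int = 5,
              fail_threshold: int = 3) -> list:
    """Group normalized events by source address and raise one alert per address
    that trips a flooding rule, an authentication-failure rule, or both."""
    by_src = defaultdict(list)
    for e in events:
        if e["src"]:
            by_src[e["src"]].append(e)
    alerts = []
    for src, evs in by_src.items():
        syn = [e["ts"] for e in evs if e["kind"] == "syn_only"]
        fails = [e["ts"] for e in evs if e["kind"] == "auth_failure"]
        signals = []
        if len(syn) >= syn_threshold and within_window(syn, window_s):
            signals.append("syn_flood")
        if len(fails) >= fail_threshold and within_window(fails, window_s):
            signals.append("auth_failures")
        if signals:
            alerts.append({"src": src, "signals": signals,
                           "severity": "high" if len(signals) == 2 else "medium",
                           "targets": sorted({e["dst"] for e in evs})})
    return alerts


def run() -> list:
    """Correlate the two constructed sources and return the resulting alerts."""
    return correlate(normalize_flows(FLOW_CSV) + normalize_syslog(SYSLOG))


if __name__ == "__main__":
    for alert in run():
        print(alert)
```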
Future 5G networks will support a tremendous number of devices with various capabilities and
levels of intelligence (e.g., mobile phones, tablets, IoT devices, tactile internet, and autonomous vehicles).
This requires automated management and security services to ensure security and integrity. This
will also lead to high processing and signaling costs and therefore require new cost-effective
adaptive security strategies. For this reason, there needs to be a clear view of what is happening in
the network, what devices are being used, and how they are being used. Monitoring is the tool to
understand network traffic and how services and applications are being used; allowing for
improvement and automated security assurance.
Existing security solutions (e.g., SIEM, IDS, IPS, firewall) need to be adjusted and controlled
accurately because they are mainly designed for physical systems and boundaries and do not allow
for detailed analysis tailored to the needs of SDN and NFV-based 5G network management. The
lack of display and control capabilities over internal virtual networks created along with the
heterogeneity of devices used make many security applications ineffective.
On one hand, the impact of virtualization on these technologies needs to be assessed. For
example, security applications need to be able to monitor virtual connections. Virtualization can
help isolate systems, but it can also be used to introduce malicious techniques exploiting software
vulnerabilities or introduce stealthy intrusions that are difficult to detect. For instance,
virtualization creates boundaries that can be breached by exploiting vulnerabilities and bugs in the
virtualization code (e.g., hypervisors); and the entire system becomes a file that can be easily stolen
or replaced.
On the other hand, security technologies need to cope with a constantly changing landscape and
the trade-off between monitoring costs and related risks. In this regard, virtualization, as well as
SDN, create conditions for changes that make security applications need to keep up with these
dynamic features.
SIEM-type solutions are necessary to achieve situational and security awareness.
If an incident occurs, the system should be able to identify the source, recover, and protect against
future incidents. It is important to verify that everything leaving the system is recorded. Network
managers have centralized control over the network and need to properly record and process all
changes. Log analysis and event correlation in SDN will quickly become a "big data" issue. There
is also a need for tools that can address all legal requirements and compliance.
With SDN, it is possible to create network monitoring applications that collect information and
make decisions based on a comprehensive view of the entire network. This allows event correlation
to be centralized on the network controller and enables new ways to minimize network errors.
Inhomogeneity: analyzing control traffic flows and user plane across different network
domains and the new interface between SDMN and existing networks, and identifying
related flows in different network domains.
Dynamism: changes in virtualized networks and applications become easier and more
frequent.
Threats can be grouped according to the location of the target being exploited in the 5G system.
Based on this criterion, threats can be classified as follows:
Core Network Threats: These threats are related to the components of the Core Network,
including SDN, NFV, Slicing, and MANO. Most belong to the categories of "Unauthorized
Operation/Abuse" (NAA) and "Eavesdropping/Interception/Impersonation" (EIH);
General Threats: These are threats that commonly affect any IT/Telecom system or
network. General threats are important to address as they help identify and shape specific
threats for 5G. For example, many specific threats to 5G may lead to network service
disruption, commonly defined as Denial of Service (DoS) threats;
Physical Infrastructure Threats: These are threats related to the basic IT infrastructure
supporting the network. Most belong to the categories of "Physical Attacks" (PA),
"Damage or Loss of Equipment" (DAM), "Equipment Failure or Malfunction" (FM),
"Power Outages" (OUT), and "Disasters" (DIS);
Access Network Threats: These threats are related to 5G Radio Access Technology (RAT),
Radio Access Network (RAN), and non-3GPP access technologies. They include threats
related to wireless transmission and wireless media. Most threats fall into the HIJ category;
Multi-Edge Computing Threats: These threats are related to components at the edge of the
network. Most belong to the categories of NAA and HIJ;
Virtualization Threats: These threats are related to virtualizing IT infrastructure, networks,
and basic functions;
SDN Threats: These are threats related to SDN functions present throughout the entire 5G
infrastructure, including both optical and IP transport networks.
Table 1: Organized analysis of the State of the Art for 5G Security
5G networks and beyond plan to support three specific use cases: enhanced mobile
broadband (eMBB), massive machine-type communications (mMTC), and ultra-reliable and low-
latency communications (URLLC). By introducing breakthrough concepts such as SDN and NFV
into the telecommunications network, 5G promises to integrate information and communication
technology into the general infrastructure by connecting mobile and fixed access networks [10].
Below, I summarize three main axes for optimizing security monitoring in such 5G networks:
addressing it will eliminate some alerts. Combining detection with root cause analysis in
an SDN/NFV environment remains a significant challenge.
I outline three main trends that will help optimize security monitoring:
One of the main objectives of 5G technology based on the SDN/NFV model is to provide
services that guarantee a certain level of quality (including reliability, availability, performance,
security, privacy, etc.). Poor performance or a lack of resilience in these services has been
identified as a major obstacle to the deployment of 5G networks. These guarantees are generally
recorded in the Service Level Agreement (SLA) signed between the customer and the service
provider, or between different parties and tenants. SLAs are formal contracts that record the
features of the services provided and the associated quality expectations, called Service Level
Objectives (SLOs). Furthermore, they explicitly set out the responsibilities, obligations, service
costs, and penalties in case of violation of the agreement.
A security SLA is a subset of the global SLA that addresses security commitments and
compliance for both parties, including, in the case of 5G networks [18], aspects related to both
infrastructure and provided services (e.g., infrastructure security, resilience control, data
protection).
These SLAs are usually written in natural language (often using strict legal terms). Despite
strong concern for security and current standardization efforts, security-oriented SLAs (SSLAs)
are still a long way from being applied in practice. A shared format for security SLAs covers the
representation of security attributes and of their assurance. Creating a machine-readable format
for security SLAs (e.g. the SPECS XML SLA Framework) is a challenging task that could be very
useful in the development and deployment stages to ensure that deployed 5G services comply
with the designated security requirements. Such security-oriented SLAs could also serve as input
for adaptive security monitoring solutions that automatically assess the security of deployed 5G
services and detect potential violations at runtime.
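As an added example that is not part of the original report and does not use the SPECS XML schema, the following Python sketch shows how a machine-readable security SLA could be fed to a monitoring component and checked against runtime measurements to flag SLO violations. The SLA layout, slice name, metric names and thresholds are all constructed for illustration.

```python
"""Evaluate a machine-readable security SLA against runtime measurements.

Constructed example: the SLA layout below is a simplified stand-in, not the
SPECS XML SLA format or any 3GPP / 5G PPP specification.
"""
import operator
from dataclasses import dataclass
from typing import Optional

# Constructed security SLA for one 5G network slice: each SLO names a
# measurable security attribute, a comparison, and the committed threshold.
SECURITY_SLA = {
    "slice": "urllc-factory-01",  # hypothetical slice identifier
    "slos": [
        {"metric": "tls_min_version",  "op": ">=", "target": 1.2},
        {"metric": "patch_latency_h",  "op": "<=", "target": 72},
        {"metric": "ids_coverage_pct", "op": ">=", "target": 99.0},
        {"metric": "unauth_api_calls", "op": "==", "target": 0},
        {"metric": "availability_pct", "op": ">=", "target": 99.99},
    ],
}

OPS = {">=": operator.ge, "<=": operator.le, "==": operator.eq,
       ">": operator.gt, "<": operator.lt}


@dataclass(frozen=True)
class Violation:
    metric: str
    target: float
    observed: Optional[float]  # None: metric absent from the monitoring feed


def evaluate_sla(sla: dict, measurements: dict) -> list:
    """Return every SLO that the measurements fail to satisfy.

    A metric missing from the monitoring feed is reported as a violation too:
    a commitment that cannot be verified must not silently count as met.
    """
    violations = []
    for slo in sla["slos"]:
        observed = measurements.get(slo["metric"])
        compare = OPS[slo["op"]]
        if observed is None or not compare(observed, slo["target"]):
            violations.append(Violation(slo["metric"], slo["target"], observed))
    return violations


# Constructed runtime measurements as a monitoring pipeline might emit them.
RUNTIME_SAMPLE = {
    "tls_min_version": 1.2,
    "patch_latency_h": 96,      # too slow: violates the 72 h SLO
    "ids_coverage_pct": 99.5,
    "unauth_api_calls": 3,      # violates the zero-tolerance SLO
    # availability_pct deliberately absent -> reported as unverifiable
}

if __name__ == "__main__":
    for v in evaluate_sla(SECURITY_SLA, RUNTIME_SAMPLE):
        print(f"SLO violated: {v.metric} target {v.target}, observed {v.observed}")
```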
Automating the management of security SLAs can increase business opportunities for 5G
service providers and operators while effectively managing their customers' expectations. Service
providers and operators are constantly compared and evaluated against the competing organizations
their customers work with. One way to stand out from other organizations is to provide excellent
customer service backed by robust SSLAs that can be easily verified. Additionally, if they are
machine-readable, they allow clear and measurable criteria to be specified for accurate verification
and improve responsiveness to potential security incidents.
REFERENCES CHAPTER
[1] Internet Engineering Task Force, “Improved Extensible Authentication Protocol Method for
3rd Generation Authentication and Key Agreement (EAP-AKA'),” RFC 5448, May 2009.
[2] Internet Engineering Task Force, “Extensible Authentication Protocol (EAP),” RFC 3748,
June 2004.
[3] Internet Engineering Task Force, “The EAP-TLS Authentication Protocol,” RFC 5216,
March 2008.
[4] D. V. Bernardo and B. B. Chua, “Introduction and analysis of SDN and NFV security
architecture (SN-SECA),” in 2015 IEEE 29th International Conference on Advanced Information
Networking and Applications, pp. 796-801, IEEE, March 2015.
[5] S. Lal, T. Taleb, and A. Dutta, “NFV: Security threats and best practices,” IEEE
Communications Magazine, vol. 55, no. 8, pp. 211-217, 2017.
[6] Z. Hu, M. Wang, X. Yan, Y. Yin, and Z. Luo, “A comprehensive security architecture for
SDN,” in 2015 18th International Conference on Intelligence in Next Generation Networks,
pp. 30-37, IEEE, February 2015.
[7] ETSI, “ETSI GS MEC 002 V2.1.1 (2018-10): Multi-access Edge Computing (MEC); Phase 2:
Use Cases and Requirements,” ETSI, 2018.
[8] S. Spinoso, M. Virgilio, et al., “Formal Verification of Virtual Network Function Graphs in an
SP-DevOps Context,” ESOCC 2015, Lecture Notes in Computer Science, vol. 9306, Springer,
Cham, 2015.
[9] M. Flittner, J. M. Scheuermann, and R. Bauer, “ChainGuard: Controller-independent
Verification of Service Function Chaining in Cloud Computing,” in Proc. of the Conference on
NFV and SDN (NFV-SDN), Nov. 2017.
[10] 5G PPP SN Working Group, “Vision on Software Networks and 5G,” 2017.
[11] F. Paolucci, F. Civerchia, A. Sgambelluri, A. Giorgetti, F. Cugini, and P. Castoldi, “P4 Edge
Node Enabling Stateful Traffic Engineering And Cyber Security,” J. Opt. Commun. Netw.,
vol. 11, no. 1, pp. A84-A95, 2019.
[12] 5G PPP Security Work Group, “5G PPP Phase 1 Security Landscape,” 2017.
[13] D. Fraunholz, S. Duque Antón, C. Lipps, D. Reti, D. Krohmer, F. Pohl, M. Tammen, and
H. D. Schotten, “Demystifying Deception Technology: A Survey,” CoRR abs/1804.06196, 2018.
[14] S. O. Hunter, B. Irwin, and E. Stalmans, “Real-time distributed malicious traffic monitoring
for honeypots and network telescopes,” ISSA 2013, pp. 1-9.
[15] E. Nunes, A. Diab, A. T. Gunn, E. Marin, V. Mishra, V. Paliath, J. Robertson, J. Shakarian,
A. Thart, and P. Shakarian, “Darknet and deepnet mining for proactive cybersecurity threat
intelligence,” ISI 2016, pp. 7-12.
[16] T. D. Wagner, K. Mahbub, E. Palomar, and A. E. Abdallah, “Cyber threat intelligence
sharing: Survey and research directions,” Comput. Secur., vol. 87, 2019.
[17] M. Cinque, D. Cotroneo, and A. Pecchia, “Challenges and Directions in Security Information
and Event Management (SIEM),” ISSRE Workshops 2018, pp. 95-99.
[18] E. Kapassa, M. Touloupou, and D. Kyriazis, “SLAs in 5G: A Complete Framework
Facilitating VNF- and NS-Tailored SLAs Management,” 32nd IEEE International Conference on
Advanced Information Networking and Applications Workshops (AINA), Krakow, Poland, 2018.
[19] F. Martinelli, O. Osliak, and A. Saracino, “Towards General Scheme for Data Sharing
Agreements Empowering Privacy-Preserving Data Analysis of Structured CTI,”
CyberICPS/SECPRE@ESORICS 2018, pp. 192-212.