
HANOI UNIVERSITY OF SCIENCE AND TECHNOLOGY

SCHOOL OF ELECTRICAL AND ELECTRONIC ENGINEERING

REPORT
Topic: TOPIC 14

Supervisor: Dr. Nguyễn Tiến Hòa


Students: Hoàng Thị Thanh Hương - 20221096P
Nguyễn Văn Hà - 20221087P
Nguyễn Anh Quân - 20221107P
Hồ Minh Tường - 20221125P
Class: Electronics and Telecommunications Engineering – Cohort 67

Hanoi, April 2023




TABLE OF CONTENTS

CHAPTER I: OVERVIEW OF 5G
1.1 What is a 5G network?
1.1.2 Brief about the formation and development of 5G network
1.1.3 How does a wireless 5G network work?
1.1.4 Applications that use 5G
1.1.5 Challenges related to information security
CHAPTER II: 5G NETWORK SECURITY SOLUTION – DATA ENCRYPTION
2.1 What is encryption?
2.1.1 How does encryption work?
2.1.2 What are the most common techniques of encryption?
2.1.3 Examples of encryption algorithms
2.1.4 Six core benefits of encryption
2.2 Data Encryption in 5G
2.2.1 Types of encryption used in 5G networks
2.2.2 Encryption techniques used in 5G networks
CHAPTER III: 5G AUTHENTICATION
3.1 Introduction
3.1.1 5G Authentication Framework
3.1.2 5G-AKA
3.1.3 EAP-AKA’
3.1.4 EAP-TLS
CHAPTER IV: MONITORING AND PREVENTING CYBER ATTACKS IN 5G
4.1 Monitoring
4.1.1 General Introduction
4.1.2 Existing monitoring techniques
4.1.3 Using monitoring in 5G
4.2 Risk prevention
4.2.1 Classifying Threats
4.2.2 Current solutions
4.3 Advanced network security techniques
4.3.1 Security monitoring optimization
4.3.2 Sharing data on network security risk analysis
4.3.3 Security and Service Level Agreement (SLA)
REFERENCES

LIST OF FIGURES

Figure 1: Formation and development of 5G network
Figure 2: Applications using 5G
Figure 3: Challenges related to information security
Figure 4: 5G Authentication Framework
Figure 5: 5G-AKA Authentication Procedure

LIST OF TABLES

Table 1: Organized analysis of the State of the Art for 5G Security

CHAPTER I: OVERVIEW OF 5G

1.1 What is a 5G network?


Before we explain how 5G networks work, you should have a clear understanding of what a 5G
network is.
Simply put, 5G is the 5th generation of mobile broadband, with better connectivity than 4G. With
5G networks, you get exponentially faster download and upload speeds. Latency, the time it takes
for devices to communicate with the wireless network, is also significantly reduced.
5G networks are inherently more efficient, handling more connections and faster speeds per user.
5G networks are also designed to operate on more radio frequency (RF) bands, opening up new
possibilities in the ultra-high mmWave (millimeter wave) spectrum for carriers to expand their
network services. However, because 5G is a completely new technology and operates on new
frequencies and systems, 4G phones are not compatible with the new 5G networks.

1.1.2 Brief about the formation and development of 5G network


- 5G networks began to be seriously deployed in 2019, but the foundation for the generation after
4G was laid many years earlier. The architecture of the 5G standard was introduced in 2016, at
which point every company and individual involved, on both the network side and the consumer
side, could start producing 5G standards-compliant devices.
- It is clear that 5G networks have not yet come to dominate the entire market, and do not even
represent the majority of mobile traffic. But looking back at the history of the 4G rollout, we can
see how long it will take. 4G (LTE) was first commercially deployed in 2009 and did not become
operational in the United States until late 2010. It was not until 2013 that 4G became truly popular
in many countries and became dominant compared to the old 3G networks.
- On a similar timeline, it may not be until late 2022 or even 2023 that 5G networks become the
"dominant" network in most countries around the world. The reasons are similar to those for 4G:
5G networks face technical hurdles, operating on new spectrum with new technologies required
on both networks and devices, although this also offers a significant increase in speed compared
to the previous generation network.

Figure 1: Formation and development of 5G network

1.1.3 How does a wireless 5G network work?


- Wireless networks consist of “cells” divided into zones that send data over radio waves.
- 4G (LTE) technology, which relies on large, high-power cell towers for signal transmission,
provides the foundation for 5G.
- 5G signals are transmitted through a large number of small cell stations located in places such
as lampposts or rooftops.
- 5G networks use many small cells for the millimeter wave spectrum, relying on the band between
30GHz and 300GHz for high speed.

1.1.4 Applications that use 5G


5G is not only used in mobile networks. Another application that is very popular today and will
thrive in the future, IoT, also uses 5G. Common IoT applications using 5G:
Self-driving cars:
Self-driving cars are a technology that has not fully developed yet. Self-driving cars don't just
rely on cameras and sensors; they also need to be able to communicate with each other and with
the infrastructure to decide how to handle situations.

Thanks to the 5G network, doctors can operate with robotic arms. When latency is no longer a
barrier, the surgeon's operation will be more accurate even from thousands of kilometers away. In
addition, with the 5G network, doctors can examine patients remotely and monitor the patient's
health in real time.
Promoting production in Industry 4.0
In smart factories, robots are taking on a lot of work instead of humans. However, these industrial
robots can take on larger roles, completing more complex tasks, when using 5G networks.
Specifically, the robots can easily adapt to changes without sacrificing productivity by quickly
exchanging data with other devices as well as interactively receiving commands directly from the
operator.

With superior data transmission speeds, 5G networks will allow IoT systems to continuously
monitor device health and performance. In the smart factory model (Smart Factory), quick
monitoring and feedback helps the factory to limit defective products and increase productivity.

Figure 2: Applications using 5G


There are also a number of other outstanding applications, such as virtual reality games,
high-speed web browsing and online conferences.

1.1.5 Challenges related to information security


5G technology has many outstanding advantages compared to previous generations of
technology, helping to save energy and providing better internet experiences. However, like other
new technology platforms, it also carries many potential security risks. According to Kaspersky's
5G network technology predictions, the overwhelming increase in the number of devices and
software and in their data transmission speed will lead to many threats. Potential 5G network
security risks that attackers can take advantage of include: stealing or illegally accessing data;
taking control of critical services; sabotaging the infrastructure; interrupting connections; and
affecting information security and economic and political security.

Figure 3: Challenges related to information security

Security vulnerabilities of telecommunications services and infrastructure: as 5G technology
develops, it leads to an increase in new hardware and software devices as well as new models and
ways of administration. This opens security holes that attackers can use to attack and destroy
network infrastructure, cause disruption and reduce transmission quality, with a great influence on
the economic security and defense of not only one country but also the entire international region.
Attackers can take advantage of security holes to spread malicious code to destroy the system or
to carry out DDoS attacks.

Vulnerable user privacy and safety: the popularity of 5G along with the IoT trend means that
internet-connected devices and micro-transceiver stations are deployed everywhere. Thus, an
attacker can collect and track the exact location of the user, making it easier to capture the user's
behavior and access history. Another problem is that network service providers will have deeper,
broader access to the large amounts of data sent in by users' multiple devices. This makes it
possible to reveal the user's private information or use it for purposes such as advertising or
brokerage.

In an interconnected world of things, any threat in the network will have a major impact on the
entire network. Therefore, the higher the dependence on 5G networks, the greater the risk, which
can even cause disaster on a national or international scale. For example, a malfunction in the
remote control can take the life of a patient undergoing surgery; self-driving cars can cause
accidents if the connection is lost; smart cities, intelligent transportation systems and factory
automation can stop working when there is a power or internet outage; and leaking classified
information puts national security in a critical situation.

CHAPTER II: 5G NETWORK SECURITY SOLUTION – DATA ENCRYPTION

2.1 What is encryption?


Encryption in cyber security is the conversion of data from a readable format into an encoded
format. Encrypted data can only be read or processed after it's been decrypted. Encryption is the
basic building block of data security. It is the simplest and most important way to ensure a
computer system's information can't be stolen and read by someone who wants to use it for
malicious purposes. Data security encryption is widely used by individual users and large
corporations to protect user information sent between a browser and a server. That information
could include everything from payment data to personal information. Data encryption software,
also known as an encryption algorithm or cipher, is used to develop an encryption scheme that
theoretically can only be broken with large amounts of computing power.
Data encryption is a way of translating data from plaintext (unencrypted) to ciphertext
(encrypted). Users can access encrypted data with an encryption key and decrypted data with a
decryption key.

2.1.1 How does encryption work?


When information or data is shared over the internet, it goes through a series of network devices
worldwide, which form part of the public internet. As data travels through the public internet, there
is a chance it could be compromised or stolen by hackers. To prevent this, users can install specific
software or hardware to ensure the secure transfer of data or information. These processes are
known as encryption in network security.
Encryption involves converting human-readable plaintext into incomprehensible text, which is
known as ciphertext. Essentially, this means taking readable data and changing it so that it appears
random. Encryption involves using a cryptographic key, a set of mathematical values both the
sender and recipient agree on. The recipient uses the key to decrypt the data, turning it back into
readable plaintext.
The more complex the cryptographic key, the more secure the encryption – because third parties
are less likely to decrypt it via brute force attacks (i.e. trying random numbers until the correct
combination is guessed).
Encryption is also used to protect passwords. Password encryption methods scramble your
password, so it's unreadable by hackers.

2.1.2 What are the most common techniques of encryption?

The two most common encryption methods are symmetric and asymmetric encryption. The names
refer to whether or not the same key is used for encryption and decryption:

- Symmetric encryption keys: This is also known as private key encryption. The key used to
encode is the same as the one used to decode, making it best for individual users and closed
systems. Otherwise, the key must be sent to the receiver. This increases the risk of
compromise if it's intercepted by a third party, such as a hacker. This method is faster than
the asymmetric method.
- Asymmetric encryption keys: This type uses two different keys, public and private,
that are linked together mathematically. The keys are essentially large numbers that have
been paired with each other but aren't identical, hence the term asymmetric. The private
key is kept secret by the owner, and the public key is either shared amongst authorized
recipients or made available to the public at large.
Data encrypted with the recipient’s public key can only be decrypted with the corresponding
private key.

2.1.3 Examples of encryption algorithms

Encryption algorithms are used to turn data into ciphertext. An algorithm uses the encryption key
to alter the data in a predictable way so that, even though the encrypted data will appear random,
it can be turned back into plaintext by using the decryption key.

There are several different types of encryption algorithms designed to suit different purposes. New
algorithms are developed when older ones become insecure. Some of the best-known encryption
algorithms include:

o DES encryption

DES stands for Data Encryption Standard. This is a now-outdated symmetric encryption algorithm
not considered suitable for today's uses. Therefore, other encryption algorithms have succeeded
DES.

o 3DES encryption

3DES stands for Triple Data Encryption Standard. This is a symmetric key algorithm, and the word
“triple” is used because data is passed through the original DES algorithm three times during the
encryption process. Triple DES is being slowly phased out but still manages to make a dependable
hardware encryption solution for financial services and other industries.

o AES encryption

AES stands for Advanced Encryption Standard and was developed to update the original DES
algorithm. Some of the more common applications of AES algorithm include messaging apps such
as Signal or WhatsApp and the file archiver program WinZip.

o RSA encryption

RSA was the first asymmetric encryption algorithm widely available to the public. RSA is popular
due to its key length and therefore widely used for secure data transmission. RSA stands for Rivest,
Shamir, and Adleman – the surnames of the mathematicians who first described this algorithm.
RSA is considered an asymmetric algorithm due to its use of a pair of keys.

o Twofish encryption

Used in both hardware and software, Twofish is regarded as one of the fastest of its kind. Twofish
is not patented, making it freely available to anyone who wants to use it. As a result, you’ll find it
bundled in encryption programs such as PhotoEncrypt, GPG, and the popular open-source
software TrueCrypt.

o RC4 encryption

Used in WEP and WPA, which are encryption protocols commonly used in wireless routers.

Asymmetric encryption examples include RSA and DSA. Symmetric encryption examples include
RC4 and DES. As well as encryption algorithms, there is also what is known as Common Criteria
(CC):

- This is not an encryption standard, but a set of international guidelines for verifying that
product security claims stand up to scrutiny.
- CC guidelines were created to provide vendor-neutral, third-party oversight of security
products.
- Products under review are submitted voluntarily by vendors, and whole or individual
functionalities are examined.
- When a product is evaluated, its features are tested according to a defined set of standards
by product type.
- Initially, encryption was outside the scope of Common Criteria but is increasingly being
included within its security standards.

2.1.4 Six core benefits of encryption


o Encryption helps maintain data integrity

Hackers don't just steal information; they can also alter data to commit fraud. While it is
possible for skilled hackers to alter encrypted data, recipients of the data will be able to detect
the corruption – allowing for a quick response.

o Encryption helps organizations adhere to regulations

Many industries – for example, financial services or healthcare providers – have strict
regulations about how consumer data is used and stored. Encryption helps organizations meet
those standards and ensure compliance.

o Encryption protects data across devices


Most of us use multiple devices in our day-to-day lives, and transferring data from device to
device can carry risks. Encryption technology helps protect data across devices, even during
transfer. Additional security measures like advanced authentication help to deter unauthorized
users.

o Encryption helps when moving data to cloud storage


More and more users and organizations are storing their data in the cloud, which means cloud
security is essential. Encrypted storage helps to maintain the privacy of that data. Users should
ensure that data is encrypted in-flight, while in use, and at rest in storage.

o Encryption helps organizations secure offices


Many organizations have remote offices, especially post-pandemic. This can pose
cybersecurity risks as data is being accessed from several different locations – encryption helps
guard against theft or accidental loss of data.

o Data encryption protects intellectual property


Digital rights management systems encrypt data at rest — in this case, intellectual property
such as songs or software—to prevent reverse engineering and unauthorized use or
reproduction of copyrighted material.

2.2 Data Encryption in 5G


Data encryption is an important aspect of security in 5G networks. 5G networks use advanced
encryption methods to protect data transmissions between devices and networks. The most
common encryption method used in 5G networks is the Advanced Encryption Standard (AES)
with a 256-bit key length. This encryption method is considered to be highly secure and is used in
many other applications that require strong encryption. In addition to AES, 5G networks also use
other encryption methods such as Elliptic Curve Cryptography (ECC) for key exchange and
authentication, and Transport Layer Security (TLS) for secure communication between devices
and servers. To ensure the security of data in 5G networks, it is important to use strong encryption
algorithms, implement secure key exchange protocols, and enforce strict access control policies.
Additionally, regular security audits and vulnerability assessments can help identify and address
potential security threats in the network.
2.2.1 Types of encryption used in 5G networks
- Advanced Encryption Standard (AES): AES is a widely-used encryption standard that uses a
symmetric encryption algorithm with a key length of 128, 192, or 256 bits. In 5G networks,
AES with a 256-bit key length is the most commonly used encryption type.

- Elliptic Curve Cryptography (ECC): ECC is a public-key cryptography method that uses
elliptic curves to generate the public and private keys. It is used in 5G networks for key
exchange and authentication.

- Public Key Infrastructure (PKI): PKI is a system that uses public key cryptography to verify
the authenticity of digital certificates. In 5G networks, PKI is used to establish trust between
devices and networks.

- Transport Layer Security (TLS): TLS is a protocol that provides secure communication over a
network. It is used in 5G networks to secure the communication between devices and servers.

- Post-Quantum Cryptography (PQC): PQC is a cryptographic method that is designed to be
resistant to attacks from quantum computers. As quantum computing becomes more advanced,
PQC is expected to become more widely used in 5G networks.

Overall, 5G networks use a combination of symmetric and asymmetric encryption methods to
provide strong security for data transmissions.

2.2.2 Encryption techniques used in 5G networks


There are several encryption techniques used in 5G networks to protect data transmissions
between devices and networks. These techniques include:

- Symmetric Key Encryption: Symmetric key encryption uses the same key for both
encryption and decryption of data. In 5G networks, the most commonly used symmetric
key encryption algorithm is the Advanced Encryption Standard (AES) with a 256-bit key
length.

- Asymmetric Key Encryption: Asymmetric key encryption uses a pair of keys, a public key
for encryption and a private key for decryption. In 5G networks, the most commonly used
asymmetric key encryption algorithm is Elliptic Curve Cryptography (ECC).
- Key Agreement: Key agreement protocols are used to establish a shared secret key between
two parties. In 5G networks, the most commonly used key agreement protocol is the Diffie-
Hellman (DH) key exchange algorithm.

- Hashing: Hashing is a technique used to verify the integrity of data. In 5G networks, the
most commonly used hashing algorithm is the Secure Hash Algorithm (SHA).

- Message Authentication Codes (MACs): MACs are used to verify the authenticity of a
message. In 5G networks, the most commonly used MAC algorithm is the HMAC-
SHA256.

- Digital Signatures: Digital signatures are used to verify the authenticity of a message or
document. In 5G networks, the most commonly used digital signature algorithm is the
Elliptic Curve Digital Signature Algorithm (ECDSA).

Overall, 5G networks use a combination of symmetric and asymmetric encryption
techniques, key agreement protocols, hashing, MACs, and digital signatures to provide
strong security for data transmissions. These techniques are designed to prevent
unauthorized access, interception, and tampering of data in the network.

CHAPTER III: 5G AUTHENTICATION

3.1 Introduction
Authentication and key management are fundamental to the security of cellular networks because
they provide mutual authentication between users and the network and derive cryptographic keys
to protect both signaling and user plane data. Each generation of cellular networks always defines
at least one authentication method. For example, 4G defines 4G EPS-AKA, and 5G defines three
authentication methods—5G-AKA, EAP-AKA’, and EAP-TLS.
Service-based architecture (SBA) has been proposed for the 5G core network. Accordingly, new
entities and new service requests have also been defined in 5G. Some of the new entities relevant
to 5G authentication are listed below.

- The Security Anchor Function (SEAF) is in a serving network and is a “middleman” during
the authentication process between a UE and its home network. It can reject an
authentication from the UE, but it relies on the UE’s home network to accept the
authentication.
- The Authentication Server Function (AUSF) is in a home network and performs
authentication with a UE. It makes the decision on UE authentication, but it relies on
backend service for computing the authentication data and keying materials when 5G-AKA
or EAP-AKA’ is used.
- Unified data management (UDM) is an entity that hosts functions related to data
management, such as the Authentication Credential Repository and Processing Function
(ARPF), which selects an authentication method based on subscriber identity and
configured policy and computes the authentication data and keying materials for the AUSF
if needed.
- The Subscription Identifier De-concealing Function (SIDF) decrypts a Subscription
Concealed Identifier (SUCI) to obtain its long-term identity, namely the Subscription
Permanent Identifier (SUPI), e.g., the IMSI. In 5G, a subscriber long-term identity is
always transmitted over the radio interfaces in an encrypted form. More specifically, a
public key-based encryption is used to protect the SUPI. Therefore, only the SIDF has
access to the private key associated with a public key distributed to UEs for encrypting
their SUPIs.
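
The SUPI concealment described in the last item, as an added example that is not part of the original report: the UE encrypts the subscriber part of its identity under the home network's public key with a fresh ephemeral key, and only the SIDF's private key recovers it. Assumptions: textbook Diffie-Hellman modulo 2**255 - 19 and an HMAC-SHA-256 keystream stand in for the elliptic-curve scheme a real network uses, and the `conceal`/`deconceal` names, the dictionary layout, the two-digit MNC and the test IMSI are constructed for illustration.

```python
import hashlib
import hmac
import secrets

P = 2**255 - 19   # prime modulus of the demo group (assumption, not a 3GPP parameter)
G = 2             # demo generator (assumption)


def keypair():
    """Return (private, public) for the demo Diffie-Hellman group."""
    priv = secrets.randbelow(P - 3) + 2
    return priv, pow(G, priv, P)


def _derive_keys(shared, eph_pub):
    """Split a hash of the shared secret into an encryption key and a MAC key."""
    okm = hashlib.sha512(shared.to_bytes(32, "big") + eph_pub.to_bytes(32, "big")).digest()
    return okm[:32], okm[32:]


def _xor_stream(enc_key, data):
    """Stand-in cipher: XOR with one HMAC-SHA-256 block (enough for an MSIN)."""
    stream = hmac.new(enc_key, b"suci-stream", hashlib.sha256).digest()
    if len(data) > len(stream):
        raise ValueError("identifier too long for this demo cipher")
    return bytes(a ^ b for a, b in zip(data, stream))


def conceal(supi, hn_pub):
    """UE side: turn a SUPI (IMSI digits) into a SUCI using the home network public key."""
    mcc, mnc, msin = supi[:3], supi[3:5], supi[5:]        # assumes a two-digit MNC
    eph_priv, eph_pub = keypair()                         # fresh key for every SUCI
    enc_key, mac_key = _derive_keys(pow(hn_pub, eph_priv, P), eph_pub)
    ct = _xor_stream(enc_key, msin.encode())
    tag = hmac.new(mac_key, ct, hashlib.sha256).digest()[:8]
    # The home network identifier stays readable so the request can be routed.
    return {"mcc": mcc, "mnc": mnc, "eph_pub": eph_pub, "ct": ct, "tag": tag}


def deconceal(suci, hn_priv):
    """SIDF side: recover the SUPI; only the holder of hn_priv can do this."""
    if not 1 < suci["eph_pub"] < P - 1:
        raise ValueError("invalid ephemeral public key")
    enc_key, mac_key = _derive_keys(pow(suci["eph_pub"], hn_priv, P), suci["eph_pub"])
    expected = hmac.new(mac_key, suci["ct"], hashlib.sha256).digest()[:8]
    if not hmac.compare_digest(expected, suci["tag"]):
        raise ValueError("SUCI failed integrity check")
    return suci["mcc"] + suci["mnc"] + _xor_stream(enc_key, suci["ct"]).decode()


if __name__ == "__main__":
    sidf_priv, hn_pub = keypair()          # hn_pub is what gets provisioned to UEs
    supi = "001010123456789"               # constructed test IMSI
    first, second = conceal(supi, hn_pub), conceal(supi, hn_pub)
    print("same SUPI, different SUCIs:", first["ct"] != second["ct"])
    print("SIDF recovers:", deconceal(first, sidf_priv))
```

Because each SUCI uses a new ephemeral key, two registrations by the same subscriber cannot be linked by an observer on the radio interface.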

3.1.1 5G Authentication Framework


A unified authentication framework has been defined to make 5G authentication both open (e.g.,
with the support of EAP) and access-network agnostic (e.g., supporting both 3GPP access
networks and non-3GPP access networks such as Wi-Fi and cable networks) (see Figure 4).

When EAP (Extensible Authentication Protocol) is used (e.g., EAP-AKA’ or EAP-TLS), EAP
authentication is between the UE (an EAP peer) and the AUSF (an EAP server) through the SEAF
(functioning as an EAP pass-through authenticator).
When authentication is over untrusted, non-3GPP access networks, a new entity, namely the
Non-3GPP Interworking Function (N3IWF), is required to function as a VPN server to allow the
UE to access the 5G core over untrusted, non-3GPP networks through IPsec (IP Security) tunnels.
Several security contexts can be established with one authentication execution, allowing the UE
to move from a 3GPP access network to a non-3GPP network without having to be reauthenticated.

Figure 4: 5G Authentication Framework

3.1.2 5G-AKA
5G defines new authentication-related services. For example, the AUSF provides authentication
service through Nausf_UEAuthentication, and UDM provides its authentication service through
Nudm_UEAuthentication. For simplicity, generic messages such as Authentication Request and
Authentication Response are used in Figure 5 without referring to the actual authentication service
names. Further, an authentication vector includes a set of data, but only a subset is shown in
Figure 5.
In 5G-AKA, the SEAF may start the authentication procedure after receiving any signaling
message from the UE. Note that the UE should send the SEAF a temporary identifier (a 5G-GUTI)
or an encrypted permanent identifier (a SUCI) if a 5G-GUTI has not been allocated by the serving
network for the UE. The SUCI is the encrypted form of the SUPI using the public key of the home
network. Thus, a UE’s permanent identifier, e.g., the IMSI, is never sent in clear text over the radio
networks in 5G. This feature is considered a major security improvement over prior generations
such as 4G.
The SEAF starts authentication by sending an authentication request to the AUSF, which first
verifies that the serving network requesting the authentication service is authorized. Upon success,
the AUSF sends an authentication request to UDM/ARPF. If a SUCI is provided by the AUSF,
then the SIDF will be invoked to decrypt the SUCI to obtain the SUPI, which is further used to
select the authentication method configured for the subscriber. In this case, 5G-AKA is selected
and executed.
UDM/ARPF starts 5G-AKA by sending the authentication response to the AUSF with an
authentication vector consisting of an AUTH token, an XRES token, the key KAUSF, and the
SUPI if applicable (e.g., when a SUCI is included in the corresponding authentication request),
among other data.
The AUSF computes a hash of the expected response token (HXRES), stores the KAUSF, and
sends the authentication response to the SEAF, along with the AUTH token and the HXRES. Note
that the SUPI is not sent to the SEAF in this authentication response. It is only sent to the SEAF
after UE authentication succeeds.

Figure 5: 5G-AKA Authentication Procedure

The SEAF stores the HXRES and sends the AUTH token in an authentication request to the UE.
The UE validates the AUTH token by using the secret key it shares with the home network. If
validation succeeds, the UE considers the network to be authenticated. The UE continues the
authentication by computing and sending the SEAF a RES token, which is validated by the SEAF.
Upon success, the RES token is further sent by the SEAF to the AUSF for validation. Note that
the AUSF, which is in a home network, makes the final decision on authentication. If the RES
token from the UE is valid, the AUSF computes an anchor key (KSEAF) and sends it to the SEAF,
along with the SUPI if applicable. The AUSF also informs UDM/ARPF of the authentication
results so they can log the events, e.g., for the purpose of auditing.
Upon receiving the KSEAF, the SEAF derives the AMF key (KAMF) (and then deletes the
KSEAF immediately) and sends the KAMF to the co-located Access and Mobility Management
Function (AMF). The AMF will then derive from the KAMF (a) the confidentiality and integrity
keys needed to protect signaling messages between the UE and the AMF and (b) another key,
KgNB, which is sent to the Next Generation NodeB (gNB) base station for deriving the keys used
to protect subsequent communication between the UE and the gNB. Note that the UE has the
long-term key, which is the root of the key derivation hierarchy. Thus, the UE can derive all of the
above keys, resulting in a shared set of keys between the UE and the network.
5G-AKA differs from 4G EPS-AKA in primarily the following areas:
 Entities involved in the authentication are different because of the new service-based
architecture in 5G. Particularly, the SIDF is new; it does not exist in 4G.
 The UE always uses the public key of the home network to encrypt the UE permanent
identity before it is sent to a 5G network. In 4G, the UE always sends its permanent
identifier in clear text to the network, allowing it to be stolen by either a malicious network
(e.g., a faked base station) or a passive adversary over the radio links (if communication
over radio links is not protected).
 The home network (e.g., the AUSF) makes the final decision on UE authentication in 5G.
In addition, results of UE authentication are also sent to UDM to be logged. In 4G, a home
network is consulted during authentication only to generate authentication vectors; it does
not make decisions on the authentication results.
 Key hierarchy is longer in 5G than in 4G because 5G introduces two intermediate keys,
KAUSF and KAMF (see Figure 5). Note: KSEAF is the anchor key in 5G, equivalent to
KASME in 4G.
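
The exchange and key hierarchy described above, as an added Python sketch that is not part of the original report. It assumes HMAC-SHA-256 with constructed labels in place of the input strings the 3GPP specification defines, a simplified AUTH token (a MAC over the challenge only), and constructed SUPI and serving-network values.

```python
import hashlib
import hmac
import os

# Constructed sample values (test PLMN 001/01); not taken from the report.
SUPI = b"imsi-001010000000001"
SNN = b"5G:mnc001.mcc001.3gppnetwork.org"    # serving network name


def kdf(key: bytes, label: str, *params: bytes) -> bytes:
    """HMAC-SHA-256 over a label and length-prefixed parameters.
    Labels and encoding are constructed for this sketch."""
    data = label.encode()
    for p in params:
        data += len(p).to_bytes(2, "big") + p
    return hmac.new(key, data, hashlib.sha256).digest()


def hxres_of(rand: bytes, res: bytes) -> bytes:
    """Hash of the response: lets the SEAF check RES without holding XRES."""
    return hashlib.sha256(rand + res).digest()[:16]


def home_make_vector(k: bytes) -> dict:
    """Home network: build one authentication vector from the long-term key."""
    rand = os.urandom(16)
    xres = kdf(k, "RES", rand, SNN)[:16]
    return {
        "rand": rand,
        "auth": kdf(k, "AUTH", rand)[:16],   # simplified token proving knowledge of K
        "xres": xres,                         # kept by the AUSF
        "hxres": hxres_of(rand, xres),        # handed to the SEAF
        "kausf": kdf(k, "KAUSF", rand, SNN),
    }


def key_hierarchy(kausf: bytes) -> dict:
    """KAUSF -> KSEAF -> KAMF -> signaling keys and KgNB."""
    kseaf = kdf(kausf, "KSEAF", SNN)          # anchor key, computed by the AUSF
    kamf = kdf(kseaf, "KAMF", SUPI)           # derived by the SEAF
    del kseaf                                 # mirrors the SEAF discarding KSEAF (drops the local name)
    return {
        "kamf": kamf,
        "nas_confidentiality": kdf(kamf, "NAS-ENC"),
        "nas_integrity": kdf(kamf, "NAS-INT"),
        "kgnb": kdf(kamf, "KGNB"),
    }


def run_5g_aka(home_k: bytes, ue_k: bytes, tamper_res=False, seaf_skips_check=False) -> dict:
    av = home_make_vector(home_k)

    # UE: validate the AUTH token with its own copy of the shared key.
    if not hmac.compare_digest(kdf(ue_k, "AUTH", av["rand"])[:16], av["auth"]):
        return {"result": "ue_rejects_network"}
    res = kdf(ue_k, "RES", av["rand"], SNN)[:16]
    if tamper_res:                            # simulate a wrong response reaching the SEAF
        res = bytes([res[0] ^ 0x01]) + res[1:]

    # SEAF (serving network): compare the hashed response with the stored HXRES.
    seaf_ok = hmac.compare_digest(hxres_of(av["rand"], res), av["hxres"])
    if not seaf_skips_check and not seaf_ok:
        return {"result": "seaf_rejects_ue"}

    # AUSF (home network): final decision, made against XRES itself.
    if not hmac.compare_digest(res, av["xres"]):
        return {"result": "ausf_rejects_ue"}

    return {
        "result": "authenticated",
        "network": key_hierarchy(av["kausf"]),
        # The UE starts from the long-term key and reaches the same keys.
        "ue": key_hierarchy(kdf(ue_k, "KAUSF", av["rand"], SNN)),
    }


if __name__ == "__main__":
    k = os.urandom(32)
    print(run_5g_aka(k, k)["result"])
    print(run_5g_aka(k, os.urandom(32))["result"])
    print(run_5g_aka(k, k, tamper_res=True, seaf_skips_check=True)["result"])
```

The `seaf_skips_check` case shows why the home network's final decision matters: a serving network that forwards an invalid RES still cannot obtain an anchor key.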

3.1.3 EAP-AKA’
EAP-AKA’ [1] is another authentication method supported in 5G. It is also a challenge-and-
response protocol based on a cryptographic key shared between a UE and its home network. It
accomplishes the same level of security properties as 5G-AKA, e.g., mutual authentication
between the UE and the network. Because it is based on EAP [2], its message flows differ from
those of 5G-AKA. Note that EAP messages are encapsulated in NAS messages between the UE
and the SEAF and in 5G service messages between the SEAF and the AUSF. Other differences
between 5G-AKA and EAP-AKA’ are as follows.
 The role of the SEAF in authentication differs slightly. In EAP-AKA’, EAP message
exchanges are between the UE and the AUSF through the SEAF, which transparently
forwards the EAP messages without being involved in any authentication decision. In 5G-
AKA, the SEAF also verifies the authentication response from the UE and may take action
if the verification fails, albeit such action has not yet been defined in 3GPP TS 33.501[4].
 Key derivation differs slightly. In 5G-AKA, the KAUSF is computed by UDM/ARPF and
sent to the AUSF. In EAP-AKA’, the AUSF derives the KAUSF itself in part based on the
keying materials received from UDM/ARPF. More specifically, the AUSF derives an
Extended Master Session Key (EMSK) based on the keying materials received from UDM
according to EAP and then uses the first 256 bits of the EMSK as the KAUSF.

3.1.4 EAP-TLS
EAP-TLS[3] is defined in 5G for subscriber authentication in limited use cases such as private
networks and IoT environments. When selected as the authentication method by UDM/ARPF,
EAP-TLS is performed between the UE and the AUSF through the SEAF, which functions as a
transparent EAP authenticator by forwarding EAP-TLS messages back and forth between the UE
and the AUSF. To accomplish mutual authentication, both the UE and the AUSF can verify each
other’s certificate or a pre-shared key (PSK) if it has been established in a prior Transport Layer
Security (TLS) handshaking or out of band. At the end of EAP-TLS, an EMSK is derived, and the
first 256 bits of the EMSK are used as the KAUSF. As in 5G-AKA and EAP-AKA’, the KAUSF is
used to derive the KSEAF, which is further used to derive other keying materials (see Figure 5)
needed to protect communication between the UE and the network.
EAP-TLS fundamentally differs from 5G-AKA and EAP-AKA’ in its trust establishment
between a UE and the network, i.e., it uses a different trust model. In EAP-TLS, mutual
authentication between a UE and a 5G network is obtained primarily based on the mutual trust of
their public key certificates, acknowledging that TLS with a PSK is possible but is rarely used
except for session resumption. In AKA-based methods, such trust is based solely on a symmetric
key shared between a UE and the network.
Such a fundamental difference is significant in that EAP-TLS removes the need to store a large
number of long-term keys in the home network (e.g., in UDM), thus reducing operational risks in
the life cycle of symmetric key management. On the other hand, EAP-TLS introduces new
overhead in certificate management, such as certificate issuance and revocation.

CHAPTER IV: MONITORING AND PREVENTING CYBER ATTACKS IN 5G

4.1 Monitoring
4.1.1 General Introduction
- Network monitoring is an important network management tool for mobile networks. Its
significance has increased with the continuous growth of network traffic and the adoption of
virtualization. A monitoring system collects network statistics, access traffic, application and user
profiles, as well as flow patterns at different time intervals and levels of detail to evaluate the
network status for various management tasks such as application identification, anomaly detection,
network investigation, load balancing, traffic engineering, SLA enforcement, QoS/QoE, and
network maintenance. Therefore, a network monitoring system must be capable of monitoring the
network and traffic flows at different levels of detail and to obtain measurable data such as
aggregation level, time interval, bandwidth utilization, and accuracy.
- Traditionally, network monitoring systems are deployed at specific locations within a mobile
network to monitor data at network borders or at ingress/egress points.
- Similarly, many security monitoring systems are currently based on interfaces and physical
systems. However, as mobile networks evolve and network management and security become
more complex, the monitoring systems used today will not be able to support flexible changing
structures and increasingly new technologies such as cloud networks and virtual environments.
These challenges become more severe for wireless networks because radio channels are
susceptible to interference and access networks are vulnerable to interruption on important links,
MAC abuse, and flooding attacks [4].
- One of the important transitions in 5G networks is the use of two new concepts: Network
Function Virtualization (NFV) and Software-Defined Networking (SDN) [5-6]. SDN separates
network control from data forwarding devices and allows programming capability by providing a
programmable interface to the network devices. The control plane is centralized in high-end
servers with the ability to program multiple network devices at runtime. The SDN control plane
has better global visibility and control over packets traversing the network. Since the network is
controlled from centralized controllers and the network components have programmable
interfaces, network monitoring is elevated to a higher level of efficiency, cost, and complexity.
NFV is an ETSI standardized architecture for separating network functions from hardware. NFV
means that network functions will run as a service on commercial off-the-shelf hardware.
- On the one hand, the limitations of the previous monitoring system for secure wireless networks
can be overcome by introducing a new monitoring architecture based on SDN and NFV. On the
other hand, the use of SDN and NFV presents new challenges for monitoring and detecting
network failures. This chapter investigates the challenges posed by SDN and NFV in 5G networks
and how 5G operators need to address them by using effective network monitoring solutions.
Additionally, I emphasize the new opportunities that will help achieve efficient SDN and NFV-
based 5G network monitoring.

4.1.2 Existing monitoring techniques
There are various network monitoring techniques with different levels of capabilities that exist
in today's network management space [5]. First, there is the routing-based monitoring protocol that
allows for the collection of information provided by network elements (NEs):
 Simple Network Management Protocol (SNMP): for managing NEs and higher-level
information regarding resource usage (e.g., monitoring router and switch bandwidth
usage, device information such as memory usage, CPU load, etc.);
 Remote Monitoring (RMON): for exchanging network monitoring data;
 Netflow or sFlow: for collecting information on IP network flows and bandwidth
utilization.
These protocols are mostly dedicated to performance analysis and network management, but some of
them, such as NetFlow, are also used for detecting some security issues. Current networks are also using
packet sniffing, Deep Packet Inspection (DPI), Deep Flow Inspection (DFI), virus scanners,
malware detection, and other techniques to analyze network packet headers, complete packets, or
packet payloads.
These techniques are used by NIDS (Network Intrusion Detection System), IDPS (Intrusion Detection
and Prevention System), firewalls, antivirus scanning devices, and content filtering devices.
Combined with various methods (e.g., statistics, machine learning, behavior analysis, and pattern
matching), they detect security violations (i.e., passive security devices) or prevent/block detected
security issues (i.e., active security devices).
Network monitoring solutions come in several variants, depending on what they measure and
how they collect data:

a) Active Probing: is an approach that focuses on data collection services based on aggregate
measurements, namely ICMP Echo requests, HTTP GET requests, or specially crafted
packets. Typically, these measurements attempt to analyze network attributes that cannot
be captured from purely passive measurements and are considered the only way to measure
service availability.
b) Device polling: an approach that focuses on the device as the center, querying devices
usually using SNMP (Simple Network Management Protocol), collecting information
about interface status, traffic flow, device load, CPU, etc.
c) Flow Collection: a solution for collecting traffic information from network devices such as
routers/switches. Here, access traffic can be aggregated into flows using, for example,
Cisco Netflow, and stored on disk for analysis later. Flow data is easier to analyze and
process than packet data, but provides less detailed information.
d) Packet analysis: typically involves using a SPAN port from a switch or network tap and
extracting information from individual packets, including payload information through
DPI (Deep Packet Inspection).
e) Log analysis: is a solution for collecting data generated by systems, usually in the form of
log files (e.g. system logs), and presenting a query interface to correlate events across
different types of systems, such as routers, web servers, load balancers.

Combining the aforementioned sources of information, I have developed what is known as
Security Information and Event Management (SIEM) technology. SIEM provides both Security
Information Management (SIM) and Security Event Management (SEM). The SIEM technology
aggregates event data generated by security devices, network infrastructure, systems, and
applications. The primary data source is log data, but SIEM technology can also process other
types of data such as NetFlow and Deep Packet Inspection (DPI). Event data is correlated with
contextual information about users, assets, threats, and vulnerabilities. The data is normalized so
that events, data, and contextual information from different sources can be correlated and analyzed
for specific purposes such as monitoring network security events, user activity monitoring, and
compliance reporting. This technology provides real-time security monitoring capabilities,
historical/trend analysis, and other support for incident investigation (e.g., forensics) and
compliance reporting.
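
The normalization and correlation steps described above, as an added Python example that is not part of the original report. The log lines, flow records, asset table, thresholds and rule name are all constructed for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# All data below is constructed for the example.
ASSETS = {
    "amf-vm1": {"ip": "10.0.0.5", "role": "AMF", "criticality": "high"},
    "web-vm2": {"ip": "10.0.0.9", "role": "portal", "criticality": "low"},
}
SYSLOG = """\
2023-04-10T08:00:01Z amf-vm1 sshd[411]: Failed password for root from 198.51.100.7 port 50122 ssh2
2023-04-10T08:00:20Z amf-vm1 sshd[411]: Failed password for invalid user admin from 198.51.100.7 port 50130 ssh2
2023-04-10T08:00:41Z amf-vm1 sshd[411]: Failed password for root from 198.51.100.7 port 50144 ssh2
2023-04-10T08:03:00Z web-vm2 sshd[97]: Failed password for deploy from 203.0.113.9 port 40100 ssh2
2023-04-10T08:04:10Z amf-vm1 CRON[500]: (root) CMD (run-parts /etc/cron.hourly)
""".splitlines()
FLOWS = """\
ts,src,dst,dport,bytes
2023-04-10T08:01:30Z,198.51.100.7,10.0.0.5,22,48000
2023-04-10T08:03:30Z,203.0.113.9,10.0.0.9,22,52000
2023-04-10T08:05:00Z,192.0.2.44,10.0.0.5,22,91000
""".splitlines()

SSH_FAIL = re.compile(
    r"^(\S+) (\S+) sshd\[\d+\]: Failed password for (?:invalid user )?(\S+) from (\S+) port"
)


def parse_time(text):
    return datetime.strptime(text, "%Y-%m-%dT%H:%M:%SZ")


def normalise_syslog(lines):
    """Log source -> common event schema (non-matching lines are ignored)."""
    for line in lines:
        m = SSH_FAIL.match(line)
        if m:
            when, host, user, src = m.groups()
            yield {"time": parse_time(when), "kind": "auth_failure",
                   "src": src, "asset": host, "user": user}


def normalise_flows(lines):
    """Flow export -> same schema, with the destination IP resolved to an asset."""
    ip_to_asset = {a["ip"]: name for name, a in ASSETS.items()}
    for line in lines[1:]:                      # skip the CSV header
        when, src, dst, dport, nbytes = line.split(",")
        yield {"time": parse_time(when), "kind": "flow", "src": src,
               "asset": ip_to_asset.get(dst), "dport": int(dport), "bytes": int(nbytes)}


def correlate(events, min_failures=3, burst=timedelta(seconds=120),
              follow=timedelta(seconds=300), min_bytes=10_000):
    """Alert when a burst of failed logins is followed by a sizeable SSH flow
    from the same source to the same asset; severity comes from asset context."""
    failures = defaultdict(list)
    alerts = []
    for e in sorted(events, key=lambda ev: ev["time"]):
        key = (e["src"], e["asset"])
        if e["kind"] == "auth_failure":
            failures[key].append(e["time"])
        elif e["asset"] and e["dport"] == 22 and e["bytes"] >= min_bytes:
            recent = [t for t in failures[key] if e["time"] - follow <= t <= e["time"]]
            if len(recent) >= min_failures and recent[-1] - recent[-min_failures] <= burst:
                ctx = ASSETS[e["asset"]]
                alerts.append({"rule": "ssh_session_after_failures", "src": e["src"],
                               "asset": e["asset"], "role": ctx["role"],
                               "severity": ctx["criticality"], "failures": len(recent),
                               "time": e["time"]})
    return alerts


def detect():
    events = list(normalise_syslog(SYSLOG)) + list(normalise_flows(FLOWS))
    return correlate(events)


if __name__ == "__main__":
    for alert in detect():
        print(alert)
```

Neither source alone raises the alert: the log shows only failed logins and the flow record shows only an SSH session, and the single failure against `web-vm2` and the unrelated session from `192.0.2.44` stay below the rule.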

4.1.3 Using monitoring in 5G


The network performance and security monitoring can be considered as additional entities.
Monitoring can provide the necessary knowledge to evaluate and thus ensure both network
QoS/QoE (Quality of Service/Quality of Experience) and security. Network monitoring is essential
to verify and authenticate SLA, manage performance (QoS) and user experience (QoE),
troubleshoot, evaluate optimization, and resource utilization. Detecting and preventing security
breaches will improve performance, for example, it can prevent Denial of Service (DoS) attacks.
In the context of 5G, monitoring mechanisms need to be reconsidered to meet the requirements
posed by virtualization and benefit from the flexibility provided by SDN and NFV to achieve the
best balance between cost, reliability, and quality.

Future 5G networks will support a tremendous amount of devices with various capabilities and
intelligences (e.g., mobile phones, tablets, IoT devices, tactile internet, and autonomous vehicles).
This requires automated management and security services to ensure security and integrity. This
will also lead to high processing and signaling costs and therefore require new cost-effective
adaptive security strategies. For this reason, there needs to be a clear view of what is happening in
the network, what devices are being used, and how they are being used. Monitoring is the tool to
understand network traffic and how services and applications are being used; allowing for
improvement and automated security assurance.

Existing security solutions (e.g., SIEM, IDS, IPS, firewall) need to be adjusted and controlled
accurately because they are mainly designed for physical systems and boundaries and do not allow
for detailed analysis tailored to the needs of SDN and NFV-based 5G network management. The
lack of display and control capabilities over internal virtual networks created along with the
heterogeneity of devices used make many security applications ineffective.

On one hand, the impact of virtualization on these technologies needs to be assessed. For
example, security applications need to be able to monitor virtual connections. Virtualization can
help isolate systems, but it can also be used to introduce malicious techniques exploiting software
vulnerabilities or introduce stealthy intrusions that are difficult to detect. For instance,
virtualization creates boundaries that can be breached by exploiting vulnerabilities and bugs in the
virtualization code (e.g., hypervisors); and the entire system becomes a file that can be easily stolen
or replaced.

On the other hand, security technologies need to cope with a constantly changing landscape and
the trade-off between monitoring costs and related risks. In this regard, virtualization, as well as
SDN, create conditions for changes that make security applications need to keep up with these
dynamic features.

The SIEM-type solutions are necessary to achieve awareness of status and security.
If an incident occurs, the system should be able to identify the source, recover, and protect against
future incidents. It is important to verify that everything leaving the system is recorded. Network
managers have centralized control over the network and need to properly record and process all
changes. Log analysis and event correlation in SDN will quickly become a "big data" issue. There
is also a need for tools that can address all legal requirements and compliance.

With SDN, it is possible to create network monitoring applications that collect information and
make decisions based on a comprehensive view of the entire network. This allows event correlation
to be centralized on the network controller and enables new ways to minimize network errors.

To design an effective monitoring system in a 5G network, improvements are needed in the
following main areas [5]:

 Information extraction: Understanding how to handle virtualization to collect information
about flow traffic, profiles, and attributes through extracted protocol metadata,
measurement, data mining, and machine learning techniques;
 Scalability and Performance issues: The design of the monitoring architecture and the
placement of observation points need to be performed in a way that ensures scalability, and
different monitoring use cases need to be studied to achieve the best balance between
performance, cost, and completeness of results. Furthermore, packet pre-processing
technologies and hardware acceleration need to be integrated and controlled by
applications and functions to obtain high optimization solutions.
 Inhomogeneity: analyzing control traffic flows and user plane across different network
domains and the new interface between SDMN and existing networks, and identifying
related flows in different network domains.
 Dynamism: changes in virtualized networks and applications become easier and more
frequent.

The monitoring solutions need to be adaptive to these changes.

4.2 Risk prevention


4.2.1 Classifying Threats
The following list presents a general classification of threats targeting 5G systems. This list is
based on ENISA's classification of threats to 5G networks [7]:

 Eavesdropping/Interception/Hijacking (EIH): This type of threat is defined as "actions
aimed at listening, disrupting or taking control of third-party communication information
without consent";
 Damage (DAM): This type of threat is defined as intentional actions aimed at causing
"destruction, damage or deformation to assets or humans and resulting in malfunction or
decreased utility";
 Disaster (DIS): This type of threat is defined as "a sudden accident or natural disaster
causing significant damage or loss of life";
 Physical Attack (PA): This type of threat is defined as "actions aimed at destroying,
damaging, altering, disabling, stealing or unauthorized access to physical assets such as
infrastructure, hardware or connections";
 Power Outage (OUT): This type of threat is defined as "an unexpected disruption of service
or reduced quality below the required level";
 Failure or Malfunction (FM): This type of threat is defined as "insufficient partial or entire
operation of an asset (hardware or software)";
 Illicit Activity/Abuse (NAA): This type of threat is defined as "purposeful actions against
ICT systems, infrastructure and networks through malicious acts with the purpose of
stealing, altering or destroying a specific target";
 Unintentional Damage (UD): This type of threat is defined as unintentional actions that
cause "destruction, damage or deformation to assets or humans and resulting in
malfunction or decreased utility";
 Legal (LEG): This type of threat is defined as "third-party legal actions (under contract or
other forms) aimed at preventing actions or compensating for damages based on current
laws".

Threats can also be grouped according to the location of the target being
exploited in the 5G system. Based on these criteria, threats can be classified
as follows:

 Core Network Threats: These threats are related to the components of the Core Network,
including SDN, NFV, Slicing, and MANO. Most belong to the categories of "Unauthorized
Operation/Abuse" (NAA) and "Eavesdropping/Interception/Impersonation" (EIH);
 General Threats: These are threats that commonly affect any IT/Telecom system or
network. General threats are important to address as they help identify and shape specific
threats for 5G. For example, many specific threats to 5G may lead to network service
disruption, commonly defined as Denial of Service (DoS) threats;
 Physical Infrastructure Threats: These are threats related to the basic IT infrastructure
supporting the network. Most belong to the categories of "Physical Attacks" (PA),
"Damage or Loss of Equipment" (DAM), "Equipment Failure or Malfunction" (FM),
"Power Outages" (OUT), and "Disasters" (DIS);
 Access Network Threats: These threats are related to 5G Radio Access Technology (RAT),
Radio Access Network (RAN), and non-3GPP access technologies. They include threats
related to wireless transmission and wireless media. Most threats fall into the HIJ category;
 Multi-Edge Computing Threats: These threats are related to components at the edge of the
network. Most belong to the categories of NAA and HIJ;
 Virtualization Threats: These threats are related to virtualizing IT infrastructure, networks,
and basic functions;
 SDN Threats: These are threats related to SDN functions present throughout the entire 5G
infrastructure, including both optical and IP transport networks.

4.2.2 Current solutions


In this section, I present the state of the art of current security solutions in 5G, most of which can
be applied to future networks that are software-defined, cognitive, and service-based. The
solutions/plans are organized into three groups, specifically Infrastructure/Platform,
Management/Automation, and Service/Vertical level. The description of the State of the Art
(SotA) is optimized for the INSPIRE-5Gplus scope for the sake of brevity. In other words, the
SotA description is not mutually exclusive or comprehensive. Furthermore, to provide a highly
detailed description of the relevant tasks and solutions, I summarize my approach to handling the
multidimensional security of 5G in Table 3.

Table 1: Organized analysis of the State of the Art for 5G Security

4.3 Advanced network security techniques


4.3.1 Security monitoring optimization

The 5G network and beyond have plans to support three specific use cases: high-speed mobile
broadband (eMBB), massive machine-type communications (mMTC), and ultra-reliable and low-
latency communications (URLLC). By introducing breakthrough concepts such as SDN and NFV
to the telecommunications network, it promises to integrate information and communication
technology into the general infrastructure by connecting mobile and fixed access networks [10].
I summarize into three main axes below to optimize security monitoring in such 5G networks:

 Resource utilization optimization: 5G will significantly increase the number of devices
connected to the internet, generating a massive amount of data. Ensuring clear security
monitoring requires significant resources. Therefore, the number of screens and their
resource utilization must be strictly reduced. This can be considered a prerequisite for other
optimizations.
 Deployment and distribution optimization: New technologies, such as SDN/NFV and
anything in the form of a service, enable significant time and cost reduction in security
deployment and distribution (SaaS). When security-related risks or errors are identified,
new releases can be quickly tested and implemented through a fully automated continuous
integration/continuous deployment (CI/CD) process. SaaS optimization also depends on
awareness of location, content adjustment, and caching.
 Incident resolution optimization: Traditional security incident alerts are prioritized by
severity levels such as critical, high, medium, and low. However, this does not determine
what should be resolved first. Identifying the root cause of the incident is essential, as
addressing it will eliminate some alerts. Combining detection with root cause analysis in
an SDN/NFV environment remains a significant challenge.
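
The ordering problem raised under incident resolution optimization, as an added Python example that is not part of the original report. The resource names, the dependency map and the alerts are constructed, and the example assumes that an alert on a resource explains alerts on everything that runs on top of it.

```python
SEVERITY = {"low": 1, "medium": 2, "high": 3, "critical": 4}

# Constructed NFV inventory: resource -> the resource it runs on.
DEPENDS_ON = {
    "vnf-amf": "vm-11", "vnf-smf": "vm-12", "vnf-upf": "vm-13",
    "vm-11": "host-a", "vm-12": "host-a", "vm-13": "host-b",
    "host-a": "switch-1", "host-b": "switch-1",
}

# Constructed alerts, at most one per resource.
ALERTS = [
    {"id": "A1", "resource": "vnf-amf", "severity": "critical", "msg": "registration failures"},
    {"id": "A2", "resource": "vnf-smf", "severity": "critical", "msg": "session setup timeouts"},
    {"id": "A3", "resource": "host-a", "severity": "medium", "msg": "hypervisor integrity check failed"},
    {"id": "A4", "resource": "vnf-upf", "severity": "high", "msg": "unexpected peer on user plane"},
    {"id": "A5", "resource": "vm-12", "severity": "low", "msg": "guest clock drift"},
]


def ancestors(resource, depends_on):
    """Yield everything the resource runs on, bottom-up; stops on a dependency loop."""
    seen = {resource}
    while resource in depends_on:
        resource = depends_on[resource]
        if resource in seen:          # malformed inventory
            return
        seen.add(resource)
        yield resource


def severity_order(alerts):
    """Traditional triage: highest severity first."""
    return [a["id"] for a in sorted(alerts, key=lambda a: -SEVERITY[a["severity"]])]


def group_by_root_cause(alerts, depends_on):
    """Attach each alert to the top-most alerting resource beneath it, then rank
    root causes by how many other alerts they explain (severity breaks ties)."""
    by_resource = {a["resource"]: a for a in alerts}
    groups = {}
    for alert in alerts:
        root = alert
        for parent in ancestors(alert["resource"], depends_on):
            if parent in by_resource:
                root = by_resource[parent]   # keep climbing: the top-most one wins
        group = groups.setdefault(root["id"], {"root": root, "symptoms": []})
        if root is not alert:
            group["symptoms"].append(alert["id"])
    return sorted(groups.values(),
                  key=lambda g: (-len(g["symptoms"]), -SEVERITY[g["root"]["severity"]]))


if __name__ == "__main__":
    print("by severity:", severity_order(ALERTS))
    for g in group_by_root_cause(ALERTS, DEPENDS_ON):
        print(g["root"]["id"], g["root"]["msg"], "explains", g["symptoms"])
```

Severity alone puts the two critical VNF alerts first, while the grouping puts the medium-severity alert on `host-a` first because resolving it accounts for three of the five alerts.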
I outline three main trends that will help optimize security monitoring:

 Network programmability: Network devices such as routers or switches can be
programmed to meet reactive requirements and security monitoring. They can be used to
detect anomalies early as well as to classify and optimize network traffic [11];
 AI-based security: Analysis for advanced security operations using ML/AI to develop
intelligent security capabilities that can accurately detect threats. Fast big data technologies
can help monitor real-time security by collecting and analyzing vast amounts of
information [12];
 Zero-trust model: The concept of multilayer allows different network layers to share the
same infrastructure, including non-homogeneous devices from untrusted suppliers. A UE
may even belong to different slices depending on the application running on it. Security
monitoring in such a network must follow zero trust: everything inside or outside the network
perimeter must be verified. The zero-trust model, with the principle of "never trust, always
verify," addresses all threats, not just easily expressed ones.

4.3.2 Sharing data on network security risk analysis


ENISA has recommended creating 5G Cyber Threat Intelligence (CTI) and fostering
collaboration among relevant parties as a basis for future knowledge gathering and dissemination
in the field of 5G threat analysis [8]. Softwarization, programmability, AI, large-scale IoT, etc.
all introduce new vulnerabilities, which become even more critical with the expected increase in
bandwidth and the emergence of new critical applications. Sharing CTI is necessary, as well as
improving the use of automated CTI, to prevent and effectively respond to these new threats. These
topics have not been studied in the context of 5G until recently.
To collect CTI, various methods and techniques can be employed, including honeypots and
deception technology [13]; darknet or network telescope [14]; social engineering and darknet
exploitation [15]; intelligence sharing [16] and SIEMs (security information and event
management systems) [17] [19]. These different techniques need to be reconsidered and adjusted
to capture CTI when considering the requirements and architecture of 5G networks and other
networks.
To share CTI, the most common form is the STIX standard (promoted by [9] to describe
ENISA threat intelligence) and the TAXII protocol.

4.3.3 Security and Service Level Agreement (SLA)
One of the main objectives of 5G technology based on the SDN/NFV model is to provide
services that guarantee a certain level of quality (including reliability, availability, performance,
security, privacy, etc.). Poor performance or lack of resilience in these services has been identified
as major obstacles to the deployment of 5G networks. These guarantees are generally reflected in
the Service Level Agreement (SLA) signed by the customer and the service provider or between
different parties and lessees. SLAs are formal contracts that record the features of the services
provided and the relevant quality expectations, called Service Level Objectives (SLOs).
Furthermore, they clearly consider the responsibility, obligation, service cost, and penalties in case
of agreement violation.
A security SLA is a subset of the global SLA that addresses security commitments and
compliance for both parties, including, in the case of 5G networks [18], aspects related to both
infrastructure and provided services (e.g., infrastructure security, resilience control, data
protection).
These SLAs are usually written in natural language (often using strict legal terms). Despite
strong concern for security and current standardization efforts, security-oriented SLAs (SSLA) are
still a long way from being applied. The format shared for security SLAs includes representing
security attributes and ensuring security. Creating a machine-readable format for security SLAs
(e.g. SPECS XML SLA Framework) is a challenging task that could be very useful in
development and deployment stages to ensure that deployed 5G services comply with designated
security requirements. Such security-oriented SLAs could also serve as input for adaptive security
monitoring solutions and automatically assess the security of deployed 5G services and detect any
potential violations during runtime.
The automation feature in managing security SLAs can increase business opportunities for 5G
service providers and operators while effectively managing their customers' expectations. Service
providers and operators are constantly compared and evaluated against competing organizations
that their customers work with. One way to stand out from all other organizations is to provide
excellent customer service supported by robust SSLAs that can be easily verified. Additionally, if
machine-readable, they will allow for clear and measurable principles to be specified for accurate
verification and improve responsiveness to potential security incidents.
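
A machine-readable security SLA checked against monitoring data at runtime, as an added Python example that is not part of the original report. The JSON layout, metric names, targets and penalties are constructed for illustration and do not follow the SPECS format.

```python
import json
import operator

OPS = {">=": operator.ge, "<=": operator.le, "==": operator.eq}

# Constructed security SLA: each SLO is a metric, a comparison and a target.
SSLA_JSON = """
{
  "service": "slice-embb-01",
  "slos": [
    {"id": "slo-encrypt", "metric": "user_plane_encrypted_ratio",
     "op": ">=", "target": 1.0, "penalty_pct": 10},
    {"id": "slo-detect", "metric": "incident_detection_minutes",
     "op": "<=", "target": 15, "penalty_pct": 5},
    {"id": "slo-patch", "metric": "critical_patch_hours",
     "op": "<=", "target": 72, "penalty_pct": 5}
  ]
}
"""

# Constructed monitoring samples: (timestamp, metric, value).
MEASUREMENTS = [
    ("2023-04-10T08:00:00Z", "user_plane_encrypted_ratio", 1.0),
    ("2023-04-10T09:00:00Z", "user_plane_encrypted_ratio", 0.97),
    ("2023-04-10T10:00:00Z", "user_plane_encrypted_ratio", 0.99),
    ("2023-04-10T08:30:00Z", "incident_detection_minutes", 12),
    ("2023-04-10T10:30:00Z", "incident_detection_minutes", 9),
    # no sample at all for critical_patch_hours
]


def load_ssla(text):
    """Parse the SLA and reject SLOs that cannot be evaluated mechanically."""
    ssla = json.loads(text)
    for slo in ssla["slos"]:
        missing = {"id", "metric", "op", "target", "penalty_pct"} - slo.keys()
        if missing:
            raise ValueError(f"SLO is missing fields: {sorted(missing)}")
        if slo["op"] not in OPS:
            raise ValueError(f"{slo['id']}: unsupported operator {slo['op']!r}")
    return ssla


def evaluate(ssla, measurements):
    """Return one verdict per SLO: met, violated, or not_measured."""
    by_metric = {}
    for when, metric, value in measurements:
        by_metric.setdefault(metric, []).append((when, value))
    report = []
    for slo in ssla["slos"]:
        samples = by_metric.get(slo["metric"], [])
        breaches = [(w, v) for w, v in samples if not OPS[slo["op"]](v, slo["target"])]
        if not samples:
            status = "not_measured"      # absence of data is not evidence of compliance
        elif breaches:
            status = "violated"
        else:
            status = "met"
        report.append({
            "slo": slo["id"],
            "status": status,
            "breaches": len(breaches),
            "first_breach": min(breaches)[0] if breaches else None,
            "penalty_pct": slo["penalty_pct"] if breaches else 0,
        })
    return report


def total_penalty(report):
    """Sum of penalties for violated SLOs, capped at 100 percent."""
    return min(100, sum(r["penalty_pct"] for r in report))


if __name__ == "__main__":
    result = evaluate(load_ssla(SSLA_JSON), MEASUREMENTS)
    for row in result:
        print(row)
    print("penalty:", total_penalty(result), "%")
```

Reporting `not_measured` separately keeps an SLO that no monitor covers from being counted as met.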

REFERENCES CHAPTER

[1] Internet Engineering Task Force, “Improved Extensible Authentication Protocol Method for
3rd Generation Authentication and Key Agreement (EAP-AKA'),” Request for Comments (RFC)
5448 (May 2009).
[2] Internet Engineering Task Force, “Extensible Authentication Protocol (EAP),” Request for
Comments (RFC) 3748 (June 2004).
[3] Internet Engineering Task Force, “The EAP-TLS Authentication Protocol,” Request for
Comments (RFC) 5216 (March 2008).
[4] Bernardo, D. V., & Chua, B. B. (2015, March). Introduction and analysis of SDN and
NFV security architecture (SN-SECA). In 2015 IEEE 29th international conference on
advanced information networking and applications (pp. 796-801). IEEE.
[5] Lal, S., Taleb, T., & Dutta, A. (2017). NFV: Security threats and best practices. IEEE
Communications Magazine, 55(8), 211-217.
[6] Hu, Z., Wang, M., Yan, X., Yin, Y., & Luo, Z. (2015, February). A comprehensive
security architecture for SDN. In 2015 18th International Conference on Intelligence in
Next Generation Networks (pp. 30-37). IEEE.
[7] ETSI GS MEC, ETSI GS MEC 002 V2.1.1 (2018-10); Multi-access Edge Computing
(MEC); Phase 2: Use Cases and Requirements. ETSI, 2018.
[8] S. Spinoso, M. Virgilio, et al. Formal Verification of Virtual Network Function
Graphs in an SP-DevOps Context. ESOCC 2015. Lecture Notes in Computer Science,
vol. 9306, 2015. Springer, Cham.
[9] M. Flittner, J. M. Scheuermann, R. Bauer. ChainGuard: Controller-independent
Verification of Service Function Chaining in Cloud Computing. In Proc. of the
Conference on NFV and SDN (NFV-SDN), Nov. 2017.
[10] 5G PPP SN Working Group, “Vision on Software Networks and 5G,” 2017.
[11] F. Paolucci, F. Civerchia, A. Sgambelluri, A. Giorgetti, F. Cugini, and P. Castoldi,
“P4 Edge Node Enabling Stateful Traffic Engineering And Cyber Security,” J. Opt.
Commun. Netw., vol. 11, no. 1, pp. A84–A95, 2019.
[12] 5G PPP Security Work Group, “5G PPP Phase 1 Security Landscape,” 2017.
[13] Daniel Fraunholz, Simon Duque Antón, Christoph Lipps, Daniel Reti, Daniel
Krohmer, Frederic Pohl, Matthias Tammen, Hans Dieter Schotten: Demystifying
Deception Technology: A Survey. CoRR abs/1804.06196 (2018)
[14] Samuel Oswald Hunter, Barry Irwin, Etienne Stalmans: Real-time distributed
malicious traffic monitoring for honeypots and network telescopes. ISSA 2013: 1-9
[15] Eric Nunes, Ahmad Diab, Andrew T. Gunn, Ericsson Marin, Vineet Mishra, Vivin
Paliath, John Robertson, Jana Shakarian, Amanda Thart, Paulo Shakarian: Darknet and
deepnet mining for proactive cybersecurity threat intelligence. ISI 2016: 7-12
[16] Thomas D. Wagner, Khaled Mahbub, Esther Palomar, Ali E. Abdallah: Cyber threat
intelligence sharing: Survey and research directions. Comput. Secur. 87 (2019)
[17] Marcello Cinque, Domenico Cotroneo, Antonio Pecchia: Challenges and Directions
in Security Information and Event Management (SIEM). ISSRE Workshops 2018: 95-99
[18] E. Kapassa, M. Touloupou, D. Kyriazis, “SLAs in 5G: A Complete Framework
Facilitating VNF- and NS- Tailored SLAs Management”, 32nd IEEE International
Conference on Advanced Information Networking and Applications Workshops
(AINA), Krakow, Poland, 2018.
[19] Fabio Martinelli, Oleksii Osliak, Andrea Saracino: Towards General Scheme for
Data Sharing Agreements Empowering Privacy-Preserving Data Analysis of Structured
CTI. CyberICPS/SECPRE@ESORICS 2018: 192-212
