Mitigating Denial of Service Signaling Threats in 5G Mobile Networks
←
→
Page content transcription
If your browser does not render page correctly, please read the page content below
(IJACSA) International Journal of Advanced Computer Science and Applications,
Vol. 12, No. 2, 2021
Mitigating Denial of Service Signaling Threats in
5G Mobile Networks
Raja Ettiane1 , Rachid EL Kouch2
National Institute of Posts and
Telecommunication
Abstract—With the advent of 5th generation (5G) technology, joined to the tremendous number of connected devices will
the mobile paradigm witnesses a tremendous evolution involving entail a number of security flaws, including the problem of
the development of a plethora of new applications and services. Denial of Service (DoS) attacks against the next generation
This enormous technological growth is accompanied with an of radio access network (NG-RAN) signaling control plane,
huge signaling overhead among 5G network elements, especially named signaling threats. The DoS signaling threats were first
with emergence of massive devices connectivity. This heavy
emerged in 3G system [4], [5], [6], [7], involving the signaling
signaling load will certainly be associated with an important
security threats landscape, including denial of service (DoS) attack that exploits the Radio Access Bearer (RAB) allocation/
attacks against the 5G control plane. In this paper, we analyse release procedures to overload 3G entities, specifically the
the performance of a defense mechanism based randomization Radio Network Controller (RNC) entity. By using the well
technique designed to mitigate the impact of DoS signaling attack known network parameter, named inactivity timer T5Ginac ,
in 5G system. Based on massive machine-type communications this attack could be also carried out against the 5G system
(mMTC) traffic pattern, the simulation results show that the to overload the signaling control plane, which can disturb the
proposed randomization mechanism decreases significantly the network functionality giving rise to a productivity loss for
signaling data volume raised from the new 5G Radio Resource network operator.
Control (RRC) model under normal and malicious operating
conditions, which up to 70% while avoiding the unnecessary Several research works have tackled the problem of sig-
resource consumption. naling threats in 3G/4G mobile networks and have proposed
Keywords—5G New Radio (NR) network; Radio Resource detection and defense mechanisms to mitigate the impact of
Control (RRC) state model; Denial of Service (DoS); signaling such attacks [4], [8], [10], but little research efforts have
threats; randomization been dedicated to signaling-based threats in 5G context. A
survey of the 5G security architecture related to the primary
protocols of the control plane signalling was presented in [11],
I. I NTRODUCTION [12]. In [13], the authors have proposed a defence mechanism
to protect the paging protocols against security and privacy
The emergence of the 5G standard was accompanied attacks [14]. The proposed solution aims at securing the 4G/5G
with a phenomenal rise in traffic volumes emanating from devices from unauthorized/fake paging messages by introduc-
various new services and applications. To meet these new ing a new identifier, named P-TMSI, randomizing the paging
challenges, 5G technology has introduced three new classes occasions, and conceiving a symmetric-key based broadcast
of services, namely, the enhanced mobile broadband (eMBB), authentication framework. In [15], the issue of DoS signaling
massive machine-type communications (mMTC) and ultra- attacks in different mobile network generations was outlined,
reliable low latency communications (URLLC) [1]. While including the post-5G technologies. This work provided also
the eMBB services will ensure an enhanced throughput, the some security solutions to protect the 5G system against these
mMTC services will handle massive number of connected threats, involving securing the data information exchange over
devices with stringent energy efficiency and battery autonomy the radio link and make the access more difficult for malicious
constraints, and the URLLC use case will provide low latency parties.
and high reliability services [2]. These new 5G challenging
requirements will certainly increase the complexity of the Unfortunately, these few research works are still not
management procedures designed to handle the rising demand enough to address the damaging 5G signaling threats, involv-
of mobile subscribers. ing the DoS signaling attack tackled in this work. Hence, this
paper extends our defense mechanism proposed in [10], as a
To reduce network signaling complexity and unnecessary preventive solution to defend against DoS signaling attack in
control transmissions, ongoing research works are progressing 3G network, to meet also the problem of signaling threat in 5G
in many fronts with the aim of optimizing the signaling load system. Based on mMTC traffic model, the proposed mitiga-
for a robust and ultra-lean 5G designs. Indeed, a novel radio tion mechanism based randomization technique has shown also
resource control (RRC) inactive state RRCIN ACT IV E have promising results in decreasing the signaling load generated
been introduced for Next Generation of Radio Access Network by the 5G infrastructure under signaling DoS attack while
(NG-RAN) [3] to enhance the energy efficiency, reduce the preventing the unnecessary use of the network resources.
latency and optimize the signaling load through optimizing the
idle-to-connected state transition. Even if the new 5G RRC The rest of the paper begins with a background section
model was developed to meet the huge signaling overhead giving an overview of the new 5G RRC state model, and
handled by the cellular paradigm, the short inactivity timers highlighting some security flaws of this novel RRC three-
www.ijacsa.thesai.org 88 | P a g e(IJACSA) International Journal of Advanced Computer Science and Applications,
Vol. 12, No. 2, 2021
state model. The section three analyses the 5G DoS signaling
attack detection mechanism based randomization technique. Establish connec!on
This section presents first an overview on related works, then,
it outlines the traffic model used for the performance evaluation RRC
IDLE
of the detection framework, which is introduced at a later stage. Connected
Release connec!on
Still in the same section, the simulation results are carried
out to evaluate the effectiveness of the randomization based Suspend
detection solution in defending against DoS signaling attack Release connec!on
in 5G mobile network. Finally, the section four concludes the connec!on Resume
paper. RRC connec!on
Connected
Inac!ve
II. BACKGROUND
In cellular systems, wireless communications between the Fig. 1. 5G RRC State Machine Model.
devices and the network are carried out using the RRC protocol
that is responsible for allocating and releasing the necessary
radio resources. The signaling load produced by these resource
of the inactivity timer to trigger frequent resource allocation
allocation and release procedures will increase tremendously,
and release procedures, thus causing a peak of signaling load
specifically with the great variety of applications based on
that can not be properly sustained by the mobile infrastruc-
burst traffic (e.g., mMTC use case), which could disturb the
ture. Adversely, the second attack scenario aims to consume
proper functioning of the mobile networks infrastructures.
abusively the NG-RAN radio resources by maintaining a set
As depicted in Fig. 1, in 5G system, a new RRC state,
of compromised devices in the RRCCON N ECT ED state for
named RRCIN ACT IV E , is introduced to meet the challenge
a considerable period of time leading to a network resource
of signaling overhead, battery life and latency. This novel
starvation. There are other security risks threatening the NG-
RRCIN ACT IV E state is designed to reduce the latency by
RAN infrastructure, involving, the integration with the existing
minimizing the signaling exchange triggered by the transition
vulnerable systems, namely, Internet and 4G network, the
to RRC connected state RRCCON N ECT ED among the 5G
immaturity of the 5G production process and maintenance
infrastructure, which would be relevant for many smartphone
procedures, and the overgrowth of the 5G components. These
applications that transmit small data on a frequent basis. This
security flaws could amplify the risk of breaking down the
new state will also allow devices to conserve their batteries life
confidentiality, integrity, and availability of network elements,
by reducing the signaling load generated by the idle-connected
and giving rise to more attack vectors against 5G system.
states transitions. Indeed, in the RRCIN ACT IV E state, the
Therefore, developing a robust a defense system that can
device stores the RRC context (Access Stratum (AS) context)
protect the 5G system against such security threats, will be
and maintains the core network (CN) connection established,
a serious challenge for mobile service providers.
and any detected traffic activity will trigger the transition to
RRCCON N ECT ED state through a resume procedure using
only three signaling messages instead of seven messages used III. 5G D O S S IGNALING D ETECTION M ECHANISM BASED
in the switching process from the idle state (RRCIDLE ) to R ANDOMIZATION T ECHNIQUE
the connected state in 4G system [16]. The transitions be- In this paper, we will evaluate the proposed detection mech-
tween RRCCON N ECT ED and RRCIN ACT IV E states occur anism based randomization approach regarding the DoS signal-
transparently to the CN. indeed, the CN network may carry ing attack exploiting the new 5G RRC three-state machine by
any downlink traffic to the RAN entity so that the state analyzing the decreased signaling overhead ratio DSOR and
transition from RRCIN ACT IV E to RRCCON N ECT ED does the network resource occupation time ratio ROTR related to
not involve any CN signaling exchange. As illustrated in Fig. NG-RAN RRC handling process regarding different statistical
1, the new 5G RRC state model involves three states, namely, distributions, namely, Gaussian, Log-normal and Exponential
RRCIDLE , RRCCON N ECT ED and RRCIN ACT IV E . In this distributions. To carry out the performance evaluation of the
RRC three-state model, the transition from RRCIDLE to proposed detection framework within 5G system, we will
RRCCON N ECT ED will primarily occur during the first UE use the mMTC massive sensors traffic pattern [18] as 5G
attaches to the network or as a fallback to a new RRC con- networks are expected to handle an significant amount of
nection. Hence, this transition will hardly arise when compared mMTC communications.
to the transition from RRCIN ACT IV E to RRCCON N ECT ED ,
and with the shorter inactivity timeouts managing this later A. Related Works
transition [17], the signaling load remains important even if
the number of exchanged signaling messages related to the To consolidate the security perimeter against signaling at-
5G RRC three-state transitions is reduced by introducing the tacks in mobile networks, several protection mechanisms have
RRCIN ACT IV E state, specifically when the 5G NG-RAN been proposed in the literature review, specifically, for 3G and
network is under a DoS signaling attack. indeed, a malicious 4G networks. Among these defense solutions, a randomization
exploiting of this inactivity timeout will give arise to two method applied to some configuration parameters, like the
DoS attack scenarios. The first scenario is similar to the channel inactivity timeout, has been proposed in [8], [9], [10],
signaling attack tackled in [20], which aims at affecting and to increase the difficulty of hacking the value of such extremely
compromising an important number of MTC devices, and vital network settings. According to [8], the randomization
forcing them to send periodic burst packets after the expiration technique attributes the same random inactivity timeout to
www.ijacsa.thesai.org 89 | P a g e(IJACSA) International Journal of Advanced Computer Science and Applications,
Vol. 12, No. 2, 2021
all UEs handled by the same 3G Radio Network Controller For the exponential case, we use a modified exponential
(RNC) regardless of the traffic volume handled by these distribution (weighted by a factor w), the λ are computed as:
UEs. The randomization approach proposed in [8] presented
1
q
some drawbacks related to a rise in resource consumption T5Gi nac 2
=T5Gi nac ×w; w= TR
(1)
due to system configuration that becomes dynamic and no λ
longer optimal, leading to an unbalanced resource consumption
among different traffic patterns. Hence, [10] has proposed
an enhanced randomization based detection framework to For the log-normal distribution, the µ and the σ are
cope with the DoS signaling attacks in 3G system while computed as follows:
optimizing the resulting resource consumption as well. Indeed,
this improved randomization technique deployed an additional 2
concept of classifying the devices according to the traffic µ=log( √ T5Gi nac 2 )
TR +T5Gi nac
volume periodically received by the 3G control plane over the q (2)
σ= log( TR 2 + 1)
corresponding measurement reports. In 5G context, the ran- T5G naci
domization approach has been used to defend against paging
message hijacking attack [13]. Indeed, this solution aims at
randomizing the paging occasion, which consists on changing
the paging occasion after every paging cycle regardless of Where:
whether the 5G device received any paging message in that
paging cycle. Such an approach, however, depletes rapidly the
available P-TMSI values, and requires that the device and the
TR =a ∗ T5Gi nac (3)
base-station should be accurately synchronized.
The weighted parameter a is set so that the available inactivity
B. Traffic Modeling: mMTC use Case timers remain in the interval [1s 10s] defined for 5G standard.
mMTC communications connect a plenty of devices con-
strained by cost and energy considerations. mMTC can be D. Analysis and Results
used for monitoring and area-covering measurements through To evaluate the performance of the proposed detection
sensor and actuator deployments. This 5G traffic use case is mechanism, we will analyze two metrics, namely, the DSOR
usually modeled using the 3GPP bursty traffic FTP model related to the promotion state transition to RRCCON N ECT ED ,
3 [18], which is based on Bursty traffic with a fixed-size and the ROTR which refers to the ration of time period that
packet following a Poisson arrival process with rate λ, packet device remains inactive in RRCCON N ECT ED state in normal
inter-arrival time fD,mM T C (t) and packet size fY,mM T C (t). case (T5Ginac is static) regarding the resource occupation time
According to [18], the number of mMTC devices is about related to randomized T5Ginac .
25000 per cell, in this paper, we will simulate the traffic pattern
related to NmMTC connected devices. Using the traffic model SL(N ) − SL(R)
parameters described in Table I, we will first simulate the DSOR = (4)
mMTC signaling load generated by the new 5G RRC state SL(N )
handling under a different DoS signaling attack scenarios in
accordance with various T5Ginac , namely, 1 s, 2 s and 3 s. TRO (N ) − TRO (R)
ROTR = (5)
Then, we will evaluate the DSOR and ROTR metrics to TRO (N )
demonstrates the effectiveness of the proposed defense solution
in mitigating the DoS signaling attack in 5G system. Where:
SL: Signaling Load (in number of signaling messages)
TABLE I. M MTC SIMULATION PARAMETERS
TRO : Resource Consumption Time
NmMTC Ts Tinac fY,mM T C (t) fD,mM T C (t)
R: Randomization
1000 7200 s 1 s, 2 s, and 3 s 125 B 1s N : Normal case
By periodically launching a DoS signaling attack using
C. Detection Framework different numbers of compromised mMTC devices (10%, 25%
For the mMTC traffic model, we have a well known and 50% of the total number of simulated devices NmMTC ) ev-
behaviour of devices, which transmit the same amount of ery T5Ginac (attack period), we will first evaluate the generated
data fY,mM T C during a defined transmission time period signaling load when no defense mechanism is implemented for
fD,mM T C , so the data traffic classification is meaningless in different inactivity timeouts, namely, 1s, 2s and 3s. From the
this case. To this end, we will use the randomisation techniques simulation results depicted in Fig.2, Fig. 3 and Fig. 4, we
as follows: can infer that the mMTC traffic pattern gives rise to a larger
signaling load for the smaller inactivity timers even in case
For the Gaussian distributions, µ is set to T5Ginac , and σ when no DoS signaling attack is initiated. The high amount of
=TR . signaling traffic for the small value of inactivity timer (T5Ginac
=1s) can be justified by the fact that the mMTC traffic pattern
www.ijacsa.thesai.org 90 | P a g e(IJACSA) International Journal of Advanced Computer Science and Applications,
Vol. 12, No. 2, 2021
4
x 10
is a Poisson distribution with a mean inter arrival rate λmM T C 6.5
about one packet per second, thus, a higher T5Ginac (superior
to 1s) means less state transitions between RRCIN ACT IV E
and RRCCON N ECT ED states and then less signaling load. 6
No a!ack
10% of compromised devices
5
x 10 25% of compromised devices
Number of signaling messages
5.2 50% of compromised devices
5.5
5
4.8 No a!ack
Number of signalng messages
10% of compromised devices 5
25% of compromised devices
4.6
50% of compromised devices
4.4
4.5
4.2
4
4
20 40 60 80 100 120
3.8 Time (min)
3.6 Fig. 4. New 5G RRC Model Signaling Overhead under a DoS Signaling
Attack for T5Ginac = 3s.
3.4
20 40 60 80 100 120
Time (min)
0.75
Fig. 2. New 5G RRC Model Signaling Overhead under a DoS Signaling
Attack for T5Ginac = 1s.
0.7
DSO using randomiza!on techniques (in %)
5 0.65
x 10
1.8
0.6 Normal distribu!o n
Lognormal distribu!o n
1.7 Exponen!al distribu!o n
No a!ack 0.55
10% of compromised devices
25% of compromised devices
50% of compromised devices
1.6
Number of signaling messages
0.5
0.45
1.5
0.4
20 40 60 80 100 120
1.4 Time (min)
Fig. 5. Decreased Signaling Overhead using Randomization Techniques for
1.3 50% of Compromised mMTC Devices: T5Ginac = 1s.
1.2
20 40 60 80 100 120
Time (min) context, specifically for the Exponential and Log-normal dis-
Fig. 3. New 5G RRC Model Signaling Overhead under a DoS Signaling tributions. Hence, the randomization approach remains very
Attack for T5Ginac = 2s. promising solution to be considered in mitigating the signaling
threats in new mobile network generations. First, this technique
offers a preventive framework that can avoid the occurrence
Regarding the two simulated metrics DSOR and ROTR , of such attacks or at least mitigate their impact. Secondly
the performance evaluation of the randomisation based detec- and from a hardware perspective, the proposed randomized
tion mechanism has shown promising results in mitigating the approach needs simply some low-complexity software updates
impact of DoS signaling attack against the novel 5G RRC in only some network entities.
three-state model. As illustrated in Fig. 5 and Fig. 6, the three
simulated distributions, namely Gaussian, Log-normal and ex-
ponential functions reduce considerably the signaling overhead IV. C ONCLUSION
and the unnecessary resource consumption, which reach 70%
In this paper, we have extended our detection mechanism
and 65%, respectively for the exponential distribution with
based randomization technique to defend against DoS signal-
T5Ginac = 1s and 50% of compromised mMTC devices. We
ing attack emerged in the new 5G RRC three-state model. The
have choose to evaluate our detection mechanism regarding
proposed solution has shown promising results in mitigating
the T5Ginac = 1s, due to the large volume of signaling
the impact of these signaling threats in 3G system, and we
load generated by using this smaller inactivity timer, which
have demonstrated through simulation based on mMTC traffic
constitute the most devastating attack scenario, specifically by
pattern, the effectiveness of our detection framework regarding
compromising 50% of total mMTC devices.
the 5G system as well. Indeed, for an inactivity timeout
As outlined in Table II, the randomization technique has equal to 1 s and 50% of compromised mMTC device, the
shown better results in 5G context when compared to 3G three simulated randomisation methods decrease significantly
www.ijacsa.thesai.org 91 | P a g e(IJACSA) International Journal of Advanced Computer Science and Applications,
Vol. 12, No. 2, 2021
0.7
[4] Lee, P. P., Bu, T., & Woo, T. (2007, May). On the detection of signaling
DoS attacks on 3G wireless networks. In IEEE INFOCOM 2007-26th
0.65 IEEE International Conference on Computer Communications (pp. 1289-
1297). IEEE.
ROR using randomiza!on techniques (in %)
0.6 [5] Kambourakis, G., Kolias, C., Gritzalis, S., & Hyuk-Park, J. (2009, June).
Signaling-oriented DoS attacks in UMTS networks. In International Con-
ference on Information Security and Assurance (pp. 280-289). Springer,
0.55
Berlin, Heidelberg.
[6] Pavloski, M. (2018, February). Signalling attacks in mobile telephony. In
0.5 Normal distribu!o n International ISCIS Security Workshop (pp. 130-141). Springer, Cham.
Lognormal distribu!o n
Exponen!al distribu!o n
[7] Abdelrahman, O. H., & Gelenbe, E. (2014, June). Signalling storms
0.45
in 3G mobile networks. In 2014 IEEE international conference on
communications (ICC) (pp. 1017-1022). IEEE.
[8] Wu, Z., Zhou, X., & Yang, F. (2010, September). Defending against
0.4
DoS attacks on 3G cellular networks via randomization method. In 2010
International Conference on Educational and Information Technology
0.35 (Vol. 1, pp. V1-504). IEEE.
20 40 60 80 100 120
Time (min) [9] Chandra, M., Kumar, N., Gupta, R., Kumar, S., Chaurasia, V. K., &
Srivastav, V. (2011, April). Protection from paging and signaling attack
Fig. 6. Resource Consumption Ratio using Randomization Techniques for in 3G CDMA networks. In 2011 International Conference on Emerging
50% of Compromised mMTC Devices: T5Ginac = 1s. Trends in Networks and Computer Communications (ETNCC) (pp. 406-
410). IEEE.
[10] Ettiane, R., Chaoub, A., & Elkouch, R. (2016, October). Enhanced
TABLE II. R ANDOMIZATION BASED D ETECTION F RAMEWORK : 5G VS 3G traffic classification design through a randomized approach for more
P ERFORMANCE C OMPARISON secure 3G mobile networks. In 2016 International Conference on Wire-
less Networks and Mobile Communications (WINCOM) (pp. 116-121).
Randomization ap-
IEEE.
3G system [10] 5G system
proach [11] Jover, R. P., & Marojevic, V. (2019). Security and protocol exploit
DSOR ROTR DSOR ROTR analysis of the 5G specifications. IEEE Access, (Vol.7, pp. 24956-24963).
(%) (%) (%) (%) [12] Khan, R., Kumar, P., Jayakody, D. N. K., & Liyanage, M. (2019). A
Gaussian Survey on Security and Privacy of 5G Technologies: Potential Solutions,
46.53 55.99 52 40
distribution Recent Advancements, and Future Directions. IEEE Communications
log-normal distribu- Surveys & Tutorials, 22,(Vol.1, pp. 196-248).
42.27 10.98 64 54
tion
[13] Singla, A., Hussain, S. R., Chowdhury, O., Bertino, E., & Li, N. (2020).
Exponential distri-
31.91 13.12 70 64 Protecting the 4G and 5G cellular paging protocols against security and
bution
privacy attacks. Proceedings on Privacy Enhancing Technologies, 2020,
(Vol.1, pp.126-142).
[14] Hussain, S. R., Echeverria, M., Chowdhury, O., Li, N., & Bertino, E.
the signaling load while avoiding the unnecessary network (2019, February). Privacy Attacks to the 4G and 5G Cellular Paging
resource use. For the exponential distribution, the decreased Protocols Using Side Channel Information. In NDSS (Vol. 19, pp. 24-
signaling load is up to 70%, and the resource consumption ratio 27).
is around 65%, which constitutes an significant enhancement [15] Ahmad, I., Shahabuddin, S., Kumar, T., Okwuibe, J., Gurtov, A., &
of network performances concerning the signaling overhead Ylianttila, M. (2019). Security for 5G and beyond. IEEE Communica-
tions Surveys & Tutorials, 21, (Vol.4, pp. 3682-3722)
and the resource starvation raised from the new 5G designs,
[16] SILVA, D.,MILDH, G., PAUL, S-B., MAGNUS, S.,& ALEXANDER,
specifically when the network is under a DoS signaling attack. V.(19 June 2019). Meeting 5G latency requirements WITH INACTIVE
Our future work revolves around deeper analysis of new STATE. ERICSSON TECHNOLOGY REVIEW.
emerging signaling threats in the next generation (NG) of [17] 4G-5G Interworking RAN-level and CN-level Interworking. White
mobile systems, and new proposals to build a robust detection Paper, June 2017
mechanisms to defend against the signaling attacks. [18] 5G PPP use cases and performance evaluation models. White
Paper, v1.0, 2016. [retrieved: 2017-07-28].[Online]. Available:
https://5g-ppp.eu/wp- content/uploads/2014/02/5G-PPP- use-cases-
R EFERENCES and-performance- evaluation-modeling v1.0.pdf
[1] ITU-R, “IMT vision-framework and overall objectives of the future [19] 3rd Generation Partnership Project; Technical Specification Group Ra-
development of IMT for 2020 and beyond,” Recommendation M.2083-0, dio Access Network; Study on Licensed-Assisted Access to Unlicensed
September 2015. Spectrum;(Release 13)
[2] 3GPP, “3GPP TSG RAN WG1 Meeting 87,” November 2016. [20] Ettiane, R., Chaoub, A., & Elkouch, R. (2018, May). Robust detection
[3] Da Silva, I. L., Mildh, G., Säily, M., & Hailu, S. (2016, May). A novel of signaling DDoS threats for more secure machine type communications
state model for 5G radio access networks. In 2016 IEEE International in next generation mobile networks. In 2018 19th IEEE Mediterranean
Conference on Communications Workshops (ICC) (pp. 632-637). IEEE. Electrotechnical Conference (MELECON) (pp. 62-67). IEEE.
www.ijacsa.thesai.org 92 | P a g eYou can also read
