Applying AI to Protect 5G Control Traffic
ETSI Security Week 2019, Antonio Pastor
Telefonica I+D | 19.06.2019
AI as a valuable resource for cybersecurity... and when to use it
Machine learning can be applied in situations where it is very challenging (= impossible) to define rules by hand:
• Identify an attack from normal traffic (network attacks)
• Identify illegal actions from odd users (fraud)
• Discern well elaborated spear phishing from business email (spam)
• Decide whether a non-classified binary signature is benign or part of malware (malware)
Machine learning examples for cybersecurity
• Supervised learning: the correct classes of the training data are known (labels)
  § E.g. Classification: the new data is classified into known categories according to certain features. Examples: malware traffic identification, attack type classification
  § E.g. Regression: the knowledge from existing data is utilized to have an idea of the new data. Examples: fraud, predicting attacks
• Unsupervised learning: the correct classes of the training data are not known (no labels). Goal: discover structure in the data
  § E.g. Clustering: classification but without information about the classes. Examples: anomaly detection (forensic analysis, behavior analytics, etc.)
  § E.g. Association rule learning: learn events that appear together. Examples: alert correlation, IDS
• Generative models: simulate the actual data (not the decisions). Examples: testing an application for injection vulnerabilities, mutation of binaries
• Reinforcement learning: allows learning a behavior based on feedback from the environment
Image: http://www.lherranz.org/2018/08/07/imagetranslation/
AI applied to network traffic... a familiar environment
• What we found in our networks:
  § Endpoint security is not always available (e.g. IoT, closed proprietary systems, unmaintained servers)
  § Zero-day attacks, including variations of already known ones
  § Network services are also targets (DNS, VoIP, radio core, …)
• What we expect from AI:
  § A solution that can evolve with attacks
  § Solve problems beyond human capabilities
• What we use:
  § Network traffic information and related data
Lack of visibility in all layers
But network protocols have evolved... and the future is encrypted, from layer 2 to 7: GPON, 3/4/5G radio, MACsec, IPsec, DTLS, TLS 1.3, ESNI, QUIC, SSH, PGP, JWT, DoH / DoT.
The evildoers know it:
• TLS is easier than ever (e.g. Let's Encrypt)
• Malware spreading (droppers, exploits, C&C, cryptomining)
• Application layer attacks over HTTPS (XSS, CSRF, …)
• DoT (DNS over TLS): domain blocking (e.g. IWF), DGA, DoS
Sources: Fortinet quarterly threat landscape report Q3 2018; Google transparency report (HTTPS); telemetry.mozilla.org via f5.com
5G is coming
Non Stand Alone focuses on radio evolution; security will be incremental. Stand Alone will change the 5G Core, especially the signalling plane; security is highly impacted.
• Non Stand Alone:
  § EPC based, EPS AKA
  § eNB <-> gNB security
  § Backhaul encryption (IPsec)
• Stand Alone:
  § New 5G Core based on 5G-AKA
  § NFV/SDN adoption
  § Network slicing
  § New SBA architecture
  § Interoperation 4G <-> 5G
  § Backhaul & IPX encryption (IPsec/TLS)
AI can help
5G Service Based Architecture (Internal): from point-to-point interfaces to the SBI
The signalling stacks evolve from SIGTRAN, to DIAMETER, to HTTP/2 over TLS:
• SIGTRAN: MAP/CAP/WIN over TCAP over SCCP over M3UA over SCTP/IP over Ethernet
• DIAMETER (S6a, S6d, S13, Gy, Rx, Gx, S9): DIAMETER over SCTP/IP over Ethernet
• 5G SBI (N interfaces): JSON/HTTP/2 over TLS over TCP/IP over Ethernet
The diagram contrasts the three stacks along two axes: visibility and complexity.
5G Service Based Architecture (Roaming)
Diagram: visited network (AMF, AUSF, vSEPP) and home network (hSEPP, AUSF, AMF) connected through the IPX network (IPX1, IPX2). N32-c: HTTP/2 + TLS. N32-f: HTTP/2 + JWE over the JSON payload, with JWS1 and JWS2 added by IPX1 and IPX2.
• SBA traffic will be encrypted at different levels (TLS or JWE) by the SEPP in roaming scenarios (alone or combined)
• SEPP highly exposed, no more walled garden; a SEPP can be a VNF and attacks affect the NFVI
• The IPX network provider has limited security visibility
Diagram axes: visibility, complexity.
Current security technologies
• Tailored to legacy protocols & architecture: firewalls and ACLs; IPX-specific application gateways; EPC node security applications (SS7 screening, DIAMETER filtering, etc.)
• Assume traffic visibility: network monitoring (SIEMs); DPIs and probes (no encryption)
Image CC BY: https://wellcomecollection.org/works/xzb5zfc6
New security risks in 5G... and opportunities for AI
• Legacy core will be expanded, not replaced (mix of protocols)
• Core network functions (NFs) exposed over distributed NFVI/cloud
• Secure multiple micro-services per slice and multiple slices
• Attacks from Application Functions (AF) and exposed SBI interfaces
• Roaming attacks over HTTPS
Diagram: hSEPP reached through IPX by multiple vSEPPs, and attacks from an AF.
Reference: https://arxiv.org/ftp/arxiv/papers/1703/1703.04676.pdf
Leverage AI to protect 5G Core
SPIDER: a cyberSecurity Platform for vIrtualiseD 5G cybEr Range services
The vision of SPIDER is to deliver a next-generation cyber range platform for the telecom domain and 5G, offering cybersecurity emulation, training and investment decision support. It deploys ad-hoc emulation scenarios for current and realistic SBA services.
5G control plane use case: based on cybersecurity tools and machine learning, SPIDER will be evaluated in testing novel technologies to protect the 5G core from different attacks.
SPIDER is part of the Horizon 2020 research and innovation programme.
Telefonica Mouseworld*... the dataset laboratory for AI
• Objective: capacity to generate synthetic traffic and label it. Build an environment that allows evaluating Machine Learning (ML) concepts in a controlled way, using configurable mixes of synthetic and real traffic
• Functionality: scenario definition and creation based on NFV/SDN. Generation of different traffic classes, e.g.:
  § Web services based on TLS
  § Malware
  § Cyberattack tools
• Traffic capture
  § Pcap, Netflow, Tstat
• Experiment monitoring, dataset labelling and storage, testing ML models using DeepAugur smart traffic analysers (STA)☨
Diagram (Mouseworld architecture): a launcher drives a traffic generators module (client synthetic traffic: cloud, video, browser; a client attacker; a honeynet) against a network infrastructure of VNFs (internal servers: web server, video stream, cloud file provider), observed by a probe VNF on a monitoring interface. A dataset collectors module and a label module (labelling VNF) produce a labelled dataset for supervised ML training and classification and a dataset of anomalies for unsupervised ML training, consumed by a train & validate module; an OSS monitoring dashboard oversees the experiments.
* https://doi.org/10.1145/3230833.3233283
☨ https://www.eitdigital.eu/fileadmin/files/2018/factsheets/digital-infrastructure/Deep-Augur_FactSheet_.pdf
Research activities envisioned for 5G control traffic
Diagram: Mouseworld logical network experiments, orchestrated with MANO + SDN. Each scenario combines xNFs in consumer or producer NF roles, attack VNFs, client and server VNFs, a probe VNF feeding the ML dataset collection, the OSS, and separate management and signalling networks.
Scenarios:
• 5GC internal SBA-type traffic characterization, e.g. NRF ⟷ AMF, AMF ⟷ AUSF, AF ⟷ NEF
• Cyberattacks over the SBI
• Roaming attacks (SEPP VNF, IPX, attack VNFs and HTTPS noise traffic)
AI use cases:
• Insights over encrypted SBI traffic: classify signalling traffic and types of messages
• Performance impacts on slices by monitoring the physical network traffic
• Identify attacks by detecting signalling traffic anomalies
• Detect attacks on underlying application servers
• Use AI to mimic the attacker: fuzzing attacks, Generative Adversarial Networks (GAN)
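As an added example (not from the talk, nor from the Mouseworld or SPIDER projects) tying the Mouseworld labelled dataset to the "insights over encrypted SBI traffic" use case: a nearest-centroid classifier over TLS record metadata of constructed NRF ⟷ AMF and AMF ⟷ AUSF flows, which also reports flows far from every learned class as anomalies. Flow sizes, labels and the distance threshold are assumptions.

```python
"""Added example (not from the talk): classify encrypted SBI flows
(HTTP/2 over TLS between NFs) from metadata alone, and flag flows far
from every learned class. Flows, sizes and labels are constructed."""
from math import sqrt
from statistics import mean, pstdev

# A flow is a list of (direction, tls_record_bytes); "c2s" is consumer
# NF -> producer NF, "s2c" the reply. The labels play the role of the
# Mouseworld labelled dataset. All values are constructed.
LABELLED_FLOWS = [
    # NRF<->AMF discovery: one small request, one larger JSON answer
    ("NRF-AMF", [("c2s", 310), ("s2c", 1420)]),
    ("NRF-AMF", [("c2s", 325), ("s2c", 1380)]),
    ("NRF-AMF", [("c2s", 298), ("s2c", 1505)]),
    # AMF<->AUSF authentication: two round trips (challenge, confirm)
    ("AMF-AUSF", [("c2s", 540), ("s2c", 760), ("c2s", 410), ("s2c", 290)]),
    ("AMF-AUSF", [("c2s", 555), ("s2c", 745), ("c2s", 402), ("s2c", 301)]),
    ("AMF-AUSF", [("c2s", 530), ("s2c", 780), ("c2s", 420), ("s2c", 285)]),
]

def extract_features(flow):
    """Metadata that survives TLS: record count, bytes per direction,
    mean record size and the share of bytes sent by the consumer."""
    c2s = sum(n for d, n in flow if d == "c2s")
    s2c = sum(n for d, n in flow if d == "s2c")
    total = c2s + s2c
    return [len(flow), c2s, s2c, total / len(flow), c2s / total]

def train_centroids(labelled):
    """Per-class centroid plus a per-feature scale (std, floored at 5%
    of the mean so a constant feature does not blow up distances)."""
    model = {}
    for label in sorted({lab for lab, _ in labelled}):
        rows = [extract_features(f) for lab, f in labelled if lab == label]
        cols = list(zip(*rows))
        model[label] = ([mean(c) for c in cols],
                        [max(pstdev(c), 0.05 * abs(mean(c)), 1e-6) for c in cols])
    return model

def classify(model, flow, threshold=4.0):
    """Nearest centroid in scaled distance; a flow farther than
    `threshold` from every class is reported as an anomaly."""
    x = extract_features(flow)
    best, best_d = None, float("inf")
    for label, (centroid, scale) in model.items():
        d = sqrt(sum(((a - b) / s) ** 2 for a, b, s in zip(x, centroid, scale)))
        if d < best_d:
            best, best_d = label, d
    return ("anomaly" if best_d > threshold else best, round(best_d, 2))

if __name__ == "__main__":
    m = train_centroids(LABELLED_FLOWS)
    print(classify(m, [("c2s", 305), ("s2c", 1450)]))               # NRF-AMF
    print(classify(m, [("c2s", 300)] * 10 + [("s2c", 150)] * 10))   # anomaly
```

In a real deployment the feature vectors would come from the probe VNF (pcap, Netflow or Tstat records) and the labels from the Mouseworld scenario that generated each flow.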