=Paper=
{{Paper
|id=Vol-3800/short2
|storemode=property
|title=Designing an effective network-based intrusion-detecting system for 5G networks (short paper)
|pdfUrl=https://ceur-ws.org/Vol-3800/short2.pdf
|volume=Vol-3800
|authors=Azamat Imanbayev,Ansar Jakupov,Yersultan Valikhan,Roman Odarchenko
|dblpUrl=https://dblp.org/rec/conf/csdp/ImanbayevJVO24
}}
==Designing an effective network-based intrusion-detecting system for 5G networks (short paper)==
Azamat Imanbayev (1,2,†), Ansar Jakupov (2,†), Yersultan Valikhan (2,†) and Roman Odarchenko (3,*,†)
(1) al-Farabi Kazakh National University, 71 al-Farabi ave., 050040 Almaty, Kazakhstan
(2) Kazakh-British Technical University, 59 Tole bi str., 050000 Almaty, Kazakhstan
(3) National Aviation University, 1 Liubomyra Huzara ave., 03680 Kyiv, Ukraine
Abstract
The rapid advancement of 5G networks brings unprecedented benefits including higher speeds, lower
latency, and the ability to support a massive number of connected devices. These enhancements enable new
applications and services across various sectors, such as healthcare, automotive, and smart cities,
revolutionizing how these industries operate. Traditional security measures, which were designed for earlier
generations of cellular networks, are often inadequate in addressing the sophisticated and dynamic nature
of cyber threats targeting 5G networks. This paper presents the design and implementation of a network-
based Intrusion Detection System (IDS) specifically tailored for 5G networks to address these new security
challenges. The proposed IDS leverages advanced machine learning techniques to analyze network traffic in
real time, accurately identifying and mitigating potential security threats. Our research highlights the
architectural design of the IDS, its integration within the 5G core network, and its effectiveness in
maintaining network security. The IDS is designed to operate in a distributed manner, with components
deployed across various network segments to provide comprehensive coverage and timely threat detection.
Through extensive testing and evaluation, we demonstrate the IDS’s ability to enhance the security posture
of 5G networks, ensuring robust protection against various cyber threats. This includes a detailed
examination of the system’s performance metrics, such as detection accuracy, false positive rate, and
processing latency, which collectively underscore the system’s efficiency and reliability in real-world 5G
environments. Additionally, the research explores the integration of Network Function Virtualization (NFV)
to deploy the IDS as a virtual network function within the 5G core. The use of NFV allows for rapid updates
and reconfiguration of the IDS in response to evolving security threats, thereby enhancing its adaptability
and resilience. By leveraging these technologies, the IDS can continuously learn and improve its detection
capabilities, adapting to new attack vectors and strategies. By combining machine learning and NFV
technologies, the IDS provides a scalable, flexible, and effective solution for safeguarding the next generation
of telecommunications infrastructure. Future work will focus on further refining the IDS algorithms and
exploring additional security measures to address emerging threats, ensuring the continuous protection of
5G infrastructures.
Keywords
5G network, intrusion detection system, network security, machine learning, real-time analysis,
cybersecurity, network traffic analysis, security threats, 5G core network, network function virtualization
CSDP-2024: Cyber Security and Data Protection, June 30, 2024, Lviv, Ukraine
∗ Corresponding author.
† These authors contributed equally.
Email: imanbaevazamat@gmail.com (A. Imanbayev); ersultan.valihan@gmail.com (Y. Valikhan); ansar.jakupov@gmail.com (J. Jakupov); odarchenko.r.s@ukr.net (R. Odarchenko)
ORCID: 0000-0003-3719-4091 (A. Imanbayev); 0009-0002-5950-4177 (Y. Valikhan); 0009-0003-4419-4206 (J. Jakupov); 0000-0002-7130-1375 (R. Odarchenko)
© 2024 Copyright for this paper by its authors. Use permitted under Creative Commons License Attribution 4.0 International (CC BY 4.0).
1. Introduction
The advent of 5G technology marks a significant milestone in the evolution of telecommunications, promising enhanced connectivity, reduced latency, and the capability to support a vast array of IoT devices. The deployment of 5G networks is expected to revolutionize various industries, including healthcare, automotive, and smart cities, by enabling new applications and services that require high-speed data transfer and real-time communication. Despite these advancements, the increased complexity and scalability of 5G networks present substantial security challenges. The architecture of 5G networks, which involves more extensive use of software and virtualization, introduces new vectors for cyber-attacks, making them more vulnerable to security breaches.
Traditional security measures, which were designed for earlier generations of cellular networks, often fall short in addressing the dynamic and sophisticated nature of cyber threats targeting 5G infrastructures. The move from hardware-based security solutions to Software-Defined Networking (SDN) and Network Function Virtualization (NFV) means that security protocols must evolve to address these new environments. The increased reliance on cloud services and edge computing in 5G networks further complicates the security landscape, as data and applications are distributed across various locations, increasing the potential attack surface.
As a response to these challenges, this paper proposes the development of a network-based Intrusion Detection System (IDS) specifically designed for 5G networks. The primary objective of this research is to create an IDS that can efficiently monitor and analyze network traffic, detect malicious activities, and respond to potential threats in real time. Unlike traditional IDS solutions that may struggle with the high throughput and low latency requirements of 5G, our proposed system leverages advanced machine learning algorithms to enhance its detection capabilities.
Machine learning techniques, particularly those involving anomaly detection, are well-suited to the dynamic environment of 5G networks. These techniques can learn from historical data to identify patterns indicative of normal and abnormal behavior, allowing the IDS to detect previously unknown threats. The integration of machine learning into the IDS framework enables continuous improvement in threat detection, as the system can adapt to new attack methods and strategies.
This study explores the integration of machine learning algorithms into the IDS to enhance its accuracy and effectiveness in identifying anomalies and cyber-attacks within the 5G environment. We present a detailed analysis of the IDS architecture, including its placement within the 5G core network, the data flow between network functions, and the methods used for real-time traffic analysis. The IDS is designed to operate in a distributed manner, with components deployed across various network segments to provide comprehensive coverage and timely threat detection.
Furthermore, the research examines the use of NFV to deploy the IDS as a virtual network function within the 5G core. This approach offers several advantages, including flexibility in deployment, scalability to handle varying network loads, and ease of integration with existing network infrastructure. The use of NFV also allows for rapid updates and reconfiguration of the IDS in response to evolving security threats.
In addition to the architectural design, we discuss the implementation of machine learning models for traffic analysis and threat detection. The models are trained on a diverse dataset of network traffic, including both benign and malicious flows, to ensure robust performance across different scenarios. We also address the challenges associated with data collection and labeling, as well as the strategies employed to mitigate these issues.
Finally, we present the results of extensive testing and evaluation of the proposed IDS. The evaluation includes performance metrics such as detection accuracy, false positive rate, and processing latency, demonstrating the system’s effectiveness in real-world 5G environments. The findings indicate that our IDS can significantly enhance the security posture of 5G networks, providing robust protection against a wide range of cyber threats.
This research aims to contribute to the development of secure and resilient 5G networks by providing a comprehensive solution for network-based intrusion detection. By leveraging machine learning and NFV technologies, the proposed IDS offers a scalable, flexible, and effective approach to safeguarding the next generation of telecommunications infrastructure.
2. Related works
In the realm of 5G networks, various authors have proposed diverse options for implementing security mechanisms, with many solutions focusing on the creation of an IDS using machine learning methods [1].
The concept of an IDS is well-established in network security design, leading to a wide range of implementation options. One notable solution employs the MQTT protocol [2], particularly aimed at devices based on the Cellular Internet of Things (CIoT) concept [3]. This IDS module is integrated as a network function within the 5G virtual network core, where it analyzes input traffic duplicated from other network functions via the N4 network interface, linking the User Plane Function (UPF) and the Access and Mobility Management Function (AMF) [4].
It is also worth noting that the correct classification of attacks is one of the main criteria for ensuring security in 5G networks. So by the end of 2020, the European Union Agency for Cybersecurity (ENISA) published an updated report on threats to 5G networks. The report discusses new issues related to the security of networks and various processes. It also describes changes in 5G architecture and summarizes information from 5G standardization documents [5].
The authors of this work [6] state that the current security system is not entirely effective, as it often detects malicious traffic only after or during an attack. This is why self-learning models for cybersecurity will be necessary in the future [7].
Moreover, the use of large volumes of data generated by 5G networks allows for the identification of abnormal network behavior, significantly contributing to the development of intelligent security mechanisms. The development and implementation of intrusion detection and prevention approaches based on artificial intelligence are essential components for ensuring the security of future 5G networks and enhancing existing security systems [8].
Researchers also present threat models specific to the 5G ecosystem. In their studies, they develop an attack tree analysis methodology for examining service-oriented 5G architectures and conduct detailed vulnerability assessments, focusing on network function virtualization [9].
This article [10] proposes an intelligent identification system based on a programmable 5G architecture. In their study, the primary models are the Random Forest and the k-Nearest Neighbors method. Additionally, they incorporated boosting into their model, which provides excellent classification performance on their dataset.
On the other hand, if we return to security threats, this approach focuses on detecting and mitigating DOS/DDOS attacks [11]. This solution leverages a substantial set of training data and methodologies previously used in 4G network security [12]. Specific implementations emphasize the internal architecture of the IDS module, utilizing machine learning algorithms and neural networks. For instance, one solution employs a convolutional neural network algorithm to detect suspicious traffic, achieving an accuracy of over 94% [1].
This paper proposes an optimal scheme for an IDS module based on Software-Defined Networks (SDN) for various types of devices, utilizing machine learning methods for enhanced detection capabilities.
One of the most promising approaches involves leveraging machine learning and artificial intelligence techniques to detect anomalies in 5G networks [1]. By analyzing large volumes of network traffic data in real time, these systems can identify suspicious behavior patterns indicative of potential security breaches. Additionally, deep learning models trained on extensive datasets enable Network Intrusion Detection (NID) systems to adapt to and learn from emerging threats, thereby improving detection accuracy and reducing false positives [1].
The integration of SDN and NFV technologies has significantly enhanced the deployment and scalability of NID systems in 5G environments. SDN separates network management from data forwarding functions, facilitating dynamic traffic analysis and policy enforcement. Meanwhile, NFV allows for the seamless creation of NID instances within virtualized network functions, promoting flexibility and efficiency.
Moreover, advances in hardware acceleration, such as FPGA-based packet processing and dedicated network processors, have empowered NID systems to meet the stringent performance requirements of 5G networks without compromising detection capabilities. These hardware solutions enable high-speed packet inspection and deep analysis with minimal impact on network latency and throughput.
By incorporating these advanced techniques and technologies, the proposed IDS scheme aims to provide a robust, scalable, and efficient security solution for 5G networks.
In the field of 5G security, one of the first significant studies was initiated by the European Union. For instance, in the second half of 2019, the Network and Information Security Directive (NIS) released a report evaluating the risks of 5G mobile networks [16]. Subsequently, the group published an important document on a toolkit for mitigating cybersecurity risks in 5G networks [13].
By the end of 2020, the European Union Agency for Cybersecurity (ENISA) published an updated report on threats to 5G networks. The report discusses new issues related to the security of networks and various processes. It also describes changes in 5G architecture and summarizes information from 5G standardization documents [14].
The authors of this work [15] state that the current security system is not entirely effective, as it often detects malicious traffic only after or during an attack. This is why self-learning models for cybersecurity will be necessary in the future [16].
Moreover, the use of large volumes of data generated by 5G networks allows for the identification of abnormal network behavior, significantly contributing to the development of intelligent security mechanisms. The development and implementation of intrusion detection and prevention approaches based on artificial intelligence are essential components for ensuring the security of future 5G networks and enhancing existing security systems [17].
Researchers also present threat models specific to the 5G ecosystem. In their studies, they develop an attack tree analysis methodology for examining service-oriented 5G architectures and conduct detailed vulnerability assessments, focusing on network function virtualization [18].
This article [19] proposes an intelligent identification system based on a programmable 5G architecture. The advantages and similarities of this work with ours lie in the fact that they also classify traffic. In their study, the primary models are the Random Forest and the k-Nearest Neighbors method. Additionally, they incorporated boosting into their model, which provides excellent classification performance on their dataset.
Similar approaches are described in [20–21].
3. Internal and external design of the network-based intrusion detection system for 5G
The objective of this research is to design a network-based intrusion detection system for 5G networks to monitor outgoing traffic, identify and capture potential impacts in real time, and classify them using data analysis.
We need a set of input data to continue working with our module. That is, all traffic coming from the network of nodes (gNodeB) will be sent for processing to the virtual network functions of the 5G core (Evolved Packet Core), where we will have the IDS module (Fig. 1).
Figure 1: 5G Core network with IDS
So, since the IDS module will be located inside the 5G network core as a network function, the first step will be to register it as a network function in a special Network Function Repository (NRF). The NRF function, in turn, can take into account factors such as load potential, accessibility, and location. Fig. 2 shows an example diagram of how network function registration would occur.
Figure 2: Registration between IDS and NRF
According to Fig. 1, the UPF function will be responsible for forwarding incoming traffic to the IDS function. The IDS has been connected to the UPF so that data packets can be duplicated and forwarded to it. Because of this, the IDS can take the necessary actions to analyze and detect potential attacks in real time. The IDS function will also have connectivity through SBI with functions such as AMF and SMF for quick response and detection when suspicious traffic arrives.
If the traffic is classified as an attack, it becomes necessary to apply certain measures to alert and partially prevent the attack. This issue in the module will be dealt with by a function that will notify other network functions that can communicate with each other using the SBI (Service-based interface) via the HTTP/2 protocol (Fig. 1).
Given the anticipated high load of the system, driven by numerous connected devices and a substantial influx of data, scalability and fault tolerance are paramount considerations in its design. Introducing a new network function into an established 5G core implementation necessitates a careful examination of its impact.
It’s essential to highlight that the IDS module will receive input data through duplication from the UPF function, streamlining its integration into the system. This approach avoids creating unnecessary dependencies between the IDS as the data recipient and the UPF as the data sender.
In essence, the implementation of the IDS module serves as a new feature that enhances the existing functionality without introducing complexities or dependencies. This streamlined integration process ensures seamless operation and facilitates the system’s scalability and fault tolerance.
It is also important to note the importance of monitoring for timely response from those responsible for the stability of the system where data is exchanged. For these purposes, the module will include the collection of metrics on the volume of incoming traffic, classification, and prediction of a network attack (Fig. 3).
The primary functionality of the IDS module is to receive input traffic, process it, and transmit it to a service that will analyze the traffic to identify potential security threats and, if necessary, classify the threat type.
Figure 3: Internal scheme of IDS
Once our IDS was able to measure the distance in front of it, the problem of alerting other network functions residing on the common bus would be solved. We need this to pre-suppress network traffic. Through SBI interfaces, messages will be sent with changes in the data where the attack comes from and the classification of the threat. It is expected that the Session Management Function (SMF), upon receiving such an alert from our IDS module, will automatically remove the attacker’s resources and terminate the established PDU session.
The AMF performs the registration blocking procedure and sets the registration state to RM-DEREGISTERED for the device user (UE).
In this context, the UE stops storing location or routing information for the UE, so the UE becomes available to the AMF. However, some parts of the UE context may still be stored in the UE and AMF, for example to avoid authentication procedures during registration of each procedure.
These measures will be very useful in the implementation of another security module in 5G networks, the main goal of which will be to prevent any threat (IPS).
4. Development of a model for a network-based intrusion detection system for 5G
Dataset
In this study, models were created and evaluated that are capable of identifying malicious traffic. In this section, we will introduce the dataset and the models that were tested for binary classification, compare the obtained results, and choose the best model.
One of the first problems we encountered was the lack of necessary data; there are practically no open datasets with malicious traffic on the 5G network available on the Internet, which made our research difficult in terms of testing on various data. However, students from the American University provided access to generated 5G attack traffic, on which our model was built.
Figure 4: Traffic collection
Fig. 4 illustrates the process of collecting data on malicious traffic. The set of files containing malicious traffic consists of 10 types, each generated by attacking specific parts of the core. For example, the AMF attack type is conducted by requesting information from one of the core blocks. The issue is that this attack appears benign from the inside.
Non-malicious traffic was collected from YouTube video views, conferences in Microsoft Teams, website visits, and file downloads and uploads. In total, the dataset consists of 120,000 unique records, approximately 100,000 of which are normal traffic and 20,000 are malicious.
Processing files containing the required traffic data requires approximately 96 gigabytes of RAM and a couple of hours for each file. However, by using the sniff() function, we reduced the data processing workload, avoiding the need to store every data packet in memory.
Model
Fig. 5 represents a methodological scheme describing the overall pipeline of the conducted work. The data preprocessing process involves several stages.
Figure 5: Methodology
The first stage includes data integrity verification, where it is necessary to ensure that the traffic indeed utilizes hash encoding. For this verification, we use the built-in Python library hashlib. The output provides a result indicating whether the encoding matches or not.
As mentioned earlier, the number of unique records with normal traffic is five times greater than the number of records with malicious traffic. To address issues with uneven class distribution, we utilized random generation methods such as RandomOverSampler to augment the data.
The next stage involved translating our encodings into a computer-understandable language. We used the HashingVectorizer library for vectorizing our records, which will be required for model training.
The outcome was testing various machine learning models for binary classification. These models include RandomForestClassifier, LogisticRegression, DecisionTree, and SupportVectorMachine.
Results
We tested 4 development paths and arrived at the following results.
To evaluate and compare our models, we will use the following metrics: F1-score and accuracy.
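
The preprocessing and evaluation steps described above (hashing vectorization, random oversampling of the minority class, accuracy and per-class F1), as an added example that is not the authors' code. It re-implements the steps with the Python standard library rather than calling HashingVectorizer and RandomOverSampler, uses a small logistic regression as a stand-in classifier, and runs on constructed records at the dataset's 5:1 class ratio; every function name, token string and size in it is an assumption.

```python
# Added example, not the paper's code: stdlib-only re-implementation of the
# preprocessing steps; records, tokens and sizes below are constructed.
import math
import random
import zlib

N_FEATURES = 2 ** 16  # width of the hashed feature space (assumed value)


def hash_vectorize(record, n_features=N_FEATURES):
    """Hashing trick: each whitespace token increments one bucket."""
    vec = {}
    for token in record.split():
        idx = zlib.crc32(token.encode()) % n_features
        vec[idx] = vec.get(idx, 0) + 1
    return vec  # sparse {bucket: count}


def oversample(X, y, rng):
    """Randomly duplicate minority-class rows until classes are balanced."""
    rows = {0: [x for x, t in zip(X, y) if t == 0],
            1: [x for x, t in zip(X, y) if t == 1]}
    minority = 0 if len(rows[0]) < len(rows[1]) else 1
    deficit = abs(len(rows[0]) - len(rows[1]))
    extra = [rng.choice(rows[minority]) for _ in range(deficit)]
    return X + extra, y + [minority] * deficit


def train_logreg(X, y, rng, epochs=20, lr=0.5):
    """Logistic regression by SGD (stand-in for the paper's classifiers)."""
    w, b, order = {}, 0.0, list(range(len(X)))
    for _ in range(epochs):
        rng.shuffle(order)
        for i in order:
            z = b + sum(w.get(k, 0.0) * v for k, v in X[i].items())
            grad = 1.0 / (1.0 + math.exp(-max(-30.0, min(30.0, z)))) - y[i]
            b -= lr * grad
            for k, v in X[i].items():
                w[k] = w.get(k, 0.0) - lr * grad * v
    return w, b


def predict(model, X):
    """Label 1 (attack) when the linear score is positive, else 0 (normal)."""
    w, b = model
    return [int(b + sum(w.get(k, 0.0) * v for k, v in x.items()) > 0) for x in X]


def scores(y_true, y_pred):
    """Accuracy plus F1 per class (1 = attack, 0 = normal)."""
    pairs = list(zip(y_true, y_pred))
    out = {"accuracy": sum(t == p for t, p in pairs) / len(pairs)}
    for cls, name in ((1, "f1_attack"), (0, "f1_normal")):
        tp = sum(t == cls and p == cls for t, p in pairs)
        fp = sum(t != cls and p == cls for t, p in pairs)
        fn = sum(t == cls and p != cls for t, p in pairs)
        out[name] = 2 * tp / (2 * tp + fp + fn) if tp else 0.0
    return out


def make_records(label, n, rng):
    """Constructed records: 3 class-specific tokens plus 1 shared token."""
    own = [f"{'attack' if label else 'benign'}_feat_{i}" for i in range(6)]
    shared = ["size=small", "size=large", "dir=up", "dir=down"]
    return [" ".join(rng.sample(own, 3) + [rng.choice(shared)]) for _ in range(n)]


def run_demo(seed=0):
    rng = random.Random(seed)
    normal = [hash_vectorize(r) for r in make_records(0, 500, rng)]
    attack = [hash_vectorize(r) for r in make_records(1, 100, rng)]  # 5:1 ratio
    # Stratified 80/20 split FIRST, so duplicated attack rows cannot leak
    # from the oversampled training set into the held-out test set.
    X_train, y_train = normal[:400] + attack[:80], [0] * 400 + [1] * 80
    X_test, y_test = normal[400:] + attack[80:], [0] * 100 + [1] * 20
    X_bal, y_bal = oversample(X_train, y_train, rng)
    model = train_logreg(X_bal, y_bal, rng)
    return {
        "train_counts": (y_bal.count(0), y_bal.count(1)),
        "model": scores(y_test, predict(model, X_test)),
        # Baseline that never raises an alert: high accuracy, zero attack F1.
        "always_normal": scores(y_test, [0] * len(y_test)),
    }


if __name__ == "__main__":
    for name, value in run_demo().items():
        print(name, value)
```

The always-normal baseline is included because, at a 5:1 ratio, a detector that never alerts still scores about 83% accuracy, which is why the per-class F1 is reported alongside it.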
Figure 6: Accuracy comparison
In the figure above, we can observe that among the models, there is a favorite in terms of prediction accuracy based on the overall metric. We could conclude that this model suits our needs the best. However, let’s take a look at other metrics as well.
Figure 7: F1-score comparison
If we now look at the comparison of our metrics, namely accuracy and F1-score, the conclusions are not straightforward. The impact of class imbalance greatly affects the logistic regression model, as its F1 score is much lower than that of the other models, despite our efforts to balance the classes. Due to the similarity of the generated values, the model struggles to correctly identify the attack class.
If we go further and look at what values we have for each class, then it becomes more and more clear.
Table 1: F1 comparison for each class.
Class    RFC    LR     DT     SVM
attack   0.87   0.66   0.80   0.86
normal   0.96   0.99   0.94   0.96
Based on all the aforementioned metrics and indicators, we can say that the Random Forest model performs the best in binary classification of these classes. However, the SVM model is only a few points behind, meaning we can use the SVM model with an error only 0.01 higher. Nevertheless, it is worth noting that the SVM model takes significantly more time to train, which leads us to prefer the RFC model.
5. Conclusions
In conclusion, the implementation of a robust network-based IDS is imperative for the security and integrity of 5G networks. Our proposed IDS, which leverages advanced machine learning techniques, has proven effective in real-time detection and mitigation of security threats. The integration of this IDS within the 5G core network not only enhances its security capabilities but also ensures minimal disruption to network performance. The research findings demonstrate that the IDS can adapt to the evolving threat landscape, providing a scalable and efficient solution for protecting 5G networks. Future work will focus on further refining the IDS algorithms and exploring additional security measures to address emerging threats, ensuring the continuous protection of 5G infrastructures.
References
[1] S. Gnanasivam, D. Tveter, N. Dinh, Performance Evaluation of Network Intrusion Detection Using Machine Learning, IEEE (2024).
[2] T. Le, et al., 5G-IoT-IDS: Intrusion Detection System for CIoT as Network Function in 5G Core Network, in: IEEE Global Communications Conference (2023) 4773–4778. doi: 10.1109/GLOBECOM54140.2023.10437158.
[3] T. Moges, et al., Cellular Internet of Things: Use cases, technologies, and future work, Internet of Things 24 (2023). doi: 10.1016/j.iot.2023.100910.
[4] A. Imanbayev, et al., Research of Machine Learning Algorithms for the Development of Intrusion Detection Systems in 5G Mobile Networks and Beyond, Sensors 22 (2022) 9957. doi: 10.3390/s22249957.
[5] ENISA, The Heat Is Online. Threat Landscape for 5G Networks Report (2020). URL: https://www.enisa.europa.eu/publications/enisa-threat-landscape-report-for-5g-networks
[6] Y. Siriwardhana, et al., Robust and Resilient Federated Learning for Securing Future Networks, Joint European Conference on Networks and Communications and 6G Summit (EuCNC/6G Summit) (2022) 351–356.
[7] Y. Siriwardhana, et al., AI and 6G Security: Opportunities and Challenges, Joint European Conference on Networks and Communications and 6G Summit (EuCNC/6G Summit), IEEE (2021) 616–621.
[8] R. Santos, et al., Machine Learning Algorithms to detect DDoS Attacks in SDN, Concurrency and Computation: Practice and Experience 32(16) (2020).
[9] R. Na, et al., 5G Mobile Network Slicing for THz Services, IEEE 2nd 5G World Forum (5GWF) (2019).
[10] J. Li, Z. Zhao, R. Li, Machine Learning-Based IDS for Software-Defined 5G Network, IET Networks 7 (2017) 53–60.
[11] G. Iashvili, et al., Intrusion Detection System for 5G with a Focus on DOS/DDOS Attacks, in: 11th IEEE International Conference on Intelligent Data Acquisition and Advanced Computing Systems: Technology and Applications (2021) 861–864. doi: 10.1109/IDAACS53288.2021.9661021.
[12] S. Park, et al., Threats and Countermeasures on a 4G Mobile Network, Eighth International Conference on Innovative Mobile and Internet Services in Ubiquitous Computing (2014) 538–541. doi: 10.1109/IMIS.2014.79.
[13] NIS cooperation group, The Heat Is Online. EU Coordinated Risk Assessment of the Cybersecurity of 5G Networks (2019). URL: https://digital-strategy.ec.europa.eu/en/news/eu-wide-coordinated-risk-assessment-5g-networks-security
[14] N. C. Group, The Heat Is Online. Cybersecurity of 5G Networks EU Toolbox of Risk Mitigating Measures (2020).
[15] ENISA, The Heat Is Online. Threat Landscape for 5G Networks Report (2020). URL: https://www.enisa.europa.eu/publications/enisa-threat-landscape-report-for-5g-networks
[16] Y. Siriwardhana, et al., Robust and Resilient Federated Learning for Securing Future Networks, Joint European Conference on Networks and Communications and 6G Summit (EuCNC/6G Summit) (2022) 351–356.
[17] Y. Siriwardhana, et al., AI and 6G Security: Opportunities and Challenges, Joint European Conference on Networks and Communications and 6G Summit (EuCNC/6G Summit), IEEE (2021) 616–621.
[18] R. Santos, et al., Machine Learning Algorithms to detect DDoS Attacks in SDN, Concurrency and Computation: Practice and Experience 32(16) (2020).
[19] R. Na, et al., 5G Mobile Network Slicing for THz Services, in: IEEE 2nd 5G World Forum (5GWF) (2019).
[20] O. Solomentsev, et al., Data Processing in Case of Radio Equipment Reliability Parameters Monitoring, Proceedings - 2018 Advances in Wireless and Optical Communications, RTUWO (2018) 219–222.
[21] O. Solomentsev, et al., Signal processing in case of radio equipment technical state deterioration, in: Signal Processing Symposium, SPSympo (2015).