Designing an effective network-based intrusion-detecting system for 5G networks⋆

Azamat Imanbayev1,2,†, Ansar Jakupov2,†, Yersultan Valikhan2,† and Roman Odarchenko3,*,†

1 al-Farabi Kazakh National University, 71 al-Farabi ave., 050040 Almaty, Kazakhstan
2 Kazakh-British Technical University, 59 Tole bi str., 050000 Almaty, Kazakhstan
3 National Aviation University, 1 Liubomyra Huzara ave., 03680 Kyiv, Ukraine

Abstract
The rapid advancement of 5G networks brings unprecedented benefits including higher speeds, lower latency, and the ability to support a massive number of connected devices. These enhancements enable new applications and services across various sectors, such as healthcare, automotive, and smart cities, revolutionizing how these industries operate. Traditional security measures, which were designed for earlier generations of cellular networks, are often inadequate in addressing the sophisticated and dynamic nature of cyber threats targeting 5G networks. This paper presents the design and implementation of a network-based Intrusion Detection System (IDS) specifically tailored for 5G networks to address these new security challenges. The proposed IDS leverages advanced machine learning techniques to analyze network traffic in real time, accurately identifying and mitigating potential security threats. Our research highlights the architectural design of the IDS, its integration within the 5G core network, and its effectiveness in maintaining network security. The IDS is designed to operate in a distributed manner, with components deployed across various network segments to provide comprehensive coverage and timely threat detection. Through extensive testing and evaluation, we demonstrate the IDS’s ability to enhance the security posture of 5G networks, ensuring robust protection against various cyber threats.
This includes a detailed examination of the system’s performance metrics, such as detection accuracy, false positive rate, and processing latency, which collectively underscore the system’s efficiency and reliability in real-world 5G environments. Additionally, the research explores the integration of Network Function Virtualization (NFV) to deploy the IDS as a virtual network function within the 5G core. The use of NFV allows for rapid updates and reconfiguration of the IDS in response to evolving security threats, thereby enhancing its adaptability and resilience. By leveraging these technologies, the IDS can continuously learn and improve its detection capabilities, adapting to new attack vectors and strategies. By combining machine learning and NFV technologies, the IDS provides a scalable, flexible, and effective solution for safeguarding the next generation of telecommunications infrastructure. Future work will focus on further refining the IDS algorithms and exploring additional security measures to address emerging threats, ensuring the continuous protection of 5G infrastructures.

Keywords
5G network, intrusion detection system, network security, machine learning, real-time analysis, cybersecurity, network traffic analysis, security threats, 5G core network, network function virtualization

CSDP-2024: Cyber Security and Data Protection, June 30, 2024, Lviv, Ukraine
∗ Corresponding author.
† These authors contributed equally.
Email: imanbaevazamat@gmail.com (A. Imanbayev); ersultan.valihan@gmail.com (Y. Valikhan); ansar.jakupov@gmail.com (J. Jakupov); odarchenko.r.s@ukr.net (R. Odarchenko)
ORCID: 0000-0003-3719-4091 (A. Imanbayev); 0009-0002-5950-4177 (Y. Valikhan); 0009-0003-4419-4206 (J. Jakupov); 0000-0002-7130-1375 (R. Odarchenko)
© 2024 Copyright for this paper by its authors. Use permitted under Creative Commons License Attribution 4.0 International (CC BY 4.0).
CEUR Workshop Proceedings (ceur-ws.org), ISSN 1613-0073

1. Introduction

The advent of 5G technology marks a significant milestone in the evolution of telecommunications, promising enhanced connectivity, reduced latency, and the capability to support a vast array of IoT devices. The deployment of 5G networks is expected to revolutionize various industries, including healthcare, automotive, and smart cities, by enabling new applications and services that require high-speed data transfer and real-time communication. Despite these advancements, the increased complexity and scalability of 5G networks present substantial security challenges. The architecture of 5G networks, which involves more extensive use of software and virtualization, introduces new vectors for cyber-attacks, making them more vulnerable to security breaches.

Traditional security measures, which were designed for earlier generations of cellular networks, often fall short in addressing the dynamic and sophisticated nature of cyber threats targeting 5G infrastructures. The move from hardware-based security solutions to Software-Defined Networking (SDN) and Network Function Virtualization (NFV) means that security protocols must evolve to address these new environments. The increased reliance on cloud services and edge computing in 5G networks further complicates the security landscape, as data and applications are distributed across various locations, increasing the potential attack surface.

As a response to these challenges, this paper proposes the development of a network-based Intrusion Detection System (IDS) specifically designed for 5G networks. The primary objective of this research is to create an IDS that can efficiently monitor and analyze network traffic, detect malicious activities, and respond to potential threats in real time. Unlike traditional IDS solutions that may struggle with the high throughput and low latency requirements of 5G, our proposed system leverages advanced machine learning algorithms to enhance its detection capabilities.

Machine learning techniques, particularly those involving anomaly detection, are well-suited to the dynamic environment of 5G networks. These techniques can learn from historical data to identify patterns indicative of normal and abnormal behavior, allowing the IDS to detect previously unknown threats. The integration of machine learning into the IDS framework enables continuous improvement in threat detection, as the system can adapt to new attack methods and strategies.

This study explores the integration of machine learning algorithms into the IDS to enhance its accuracy and effectiveness in identifying anomalies and cyber-attacks within the 5G environment. We present a detailed analysis of the IDS architecture, including its placement within the 5G core network, the data flow between network functions, and the methods used for real-time traffic analysis. The IDS is designed to operate in a distributed manner, with components deployed across various network segments to provide comprehensive coverage and timely threat detection.

Furthermore, the research examines the use of NFV to deploy the IDS as a virtual network function within the 5G core. This approach offers several advantages, including flexibility in deployment, scalability to handle varying network loads, and ease of integration with existing network infrastructure. The use of NFV also allows for rapid updates and reconfiguration of the IDS in response to evolving security threats.

In addition to the architectural design, we discuss the implementation of machine learning models for traffic analysis and threat detection. The models are trained on a diverse dataset of network traffic, including both benign and malicious flows, to ensure robust performance across different scenarios. We also address the challenges associated with data collection and labeling, as well as the strategies employed to mitigate these issues.

Finally, we present the results of extensive testing and evaluation of the proposed IDS. The evaluation includes performance metrics such as detection accuracy, false positive rate, and processing latency, demonstrating the system’s effectiveness in real-world 5G environments. The findings indicate that our IDS can significantly enhance the security posture of 5G networks, providing robust protection against a wide range of cyber threats.

This research aims to contribute to the development of secure and resilient 5G networks by providing a comprehensive solution for network-based intrusion detection. By leveraging machine learning and NFV technologies, the proposed IDS offers a scalable, flexible, and effective approach to safeguarding the next generation of telecommunications infrastructure.

2. Related works

In the realm of 5G networks, various authors have proposed diverse options for implementing security mechanisms, with many solutions focusing on the creation of an IDS using machine learning methods [1].

The concept of an IDS is well-established in network security design, leading to a wide range of implementation options. One notable solution employs the MQTT protocol [2], particularly aimed at devices based on the Cellular Internet of Things (CIoT) concept [3]. This IDS module is integrated as a network function within the 5G virtual network core, where it analyzes input traffic duplicated from other network functions via the N4 network interface, linking the User Plane Function (UPF) and the Access and Mobility Management Function (AMF) [4].

It is also worth noting that the correct classification of attacks is one of the main criteria for ensuring security in 5G networks. So, by the end of 2020, the European Union Agency for Cybersecurity (ENISA) published an updated report on threats to 5G networks. The report discusses new issues related to the security of networks and various processes. It also describes changes in 5G architecture and summarizes information from 5G standardization documents [5].

The authors of this work [6] state that the current security system is not entirely effective, as it often detects malicious traffic only after or during an attack. This is why self-learning models for cybersecurity will be necessary in the future [7].

Moreover, the use of large volumes of data generated by 5G networks allows for the identification of abnormal network behavior, significantly contributing to the development of intelligent security mechanisms. The development and implementation of intrusion detection and prevention approaches based on artificial intelligence are essential components for ensuring the security of future 5G networks and enhancing existing security systems [8].

Researchers also present threat models specific to the 5G ecosystem. In their studies, they develop an attack tree analysis methodology for examining service-oriented 5G architectures and conduct detailed vulnerability assessments, focusing on network function virtualization [9].

This article [10] proposes an intelligent identification system based on a programmable 5G architecture. In their study, the primary models are the Random Forest and the k-Nearest Neighbors method. Additionally, they incorporated boosting into their model, which provides excellent classification performance on their dataset.

On the other hand, if we return to security threats, this approach focuses on detecting and mitigating DOS/DDOS attacks [11]. This solution leverages a substantial set of training data and methodologies previously used in 4G network security [12]. Specific implementations emphasize the internal architecture of the IDS module, utilizing machine learning algorithms and neural networks. For instance, one solution employs a convolutional neural network algorithm to detect suspicious traffic, achieving an accuracy of over 94% [1].

This paper proposes an optimal scheme for an IDS module based on Software-Defined Networks (SDN) for various types of devices, utilizing machine learning methods for enhanced detection capabilities.

One of the most promising approaches involves leveraging machine learning and artificial intelligence techniques to detect anomalies in 5G networks [1]. By analyzing large volumes of network traffic data in real time, these systems can identify suspicious behavior patterns indicative of potential security breaches. Additionally, deep learning models trained on extensive datasets enable Network Intrusion Detection (NID) systems to adapt to and learn from emerging threats, thereby improving detection accuracy and reducing false positives [1].

The integration of SDN and NFV technologies has significantly enhanced the deployment and scalability of NID systems in 5G environments. SDN separates network management from data forwarding functions, facilitating dynamic traffic analysis and policy enforcement. Meanwhile, NFV allows for the seamless creation of NID instances within virtualized network functions, promoting flexibility and efficiency.

Moreover, advances in hardware acceleration, such as FPGA-based packet processing and dedicated network processors, have empowered NID systems to meet the stringent performance requirements of 5G networks without compromising detection capabilities. These hardware solutions enable high-speed packet inspection and deep analysis with minimal impact on network latency and throughput.

By incorporating these advanced techniques and technologies, the proposed IDS scheme aims to provide a robust, scalable, and efficient security solution for 5G networks.

In the field of 5G security, one of the first significant studies was initiated by the European Union. For instance, in the second half of 2019, the Network and Information Security Directive (NIS) released a report evaluating the risks of 5G mobile networks [16]. Subsequently, the group published an important document on a toolkit for mitigating cybersecurity risks in 5G networks [13].

By the end of 2020, the European Union Agency for Cybersecurity (ENISA) published an updated report on threats to 5G networks. The report discusses new issues related to the security of networks and various processes. It also describes changes in 5G architecture and summarizes information from 5G standardization documents [14].

The authors of this work [15] state that the current security system is not entirely effective, as it often detects malicious traffic only after or during an attack. This is why self-learning models for cybersecurity will be necessary in the future [16].

Moreover, the use of large volumes of data generated by 5G networks allows for the identification of abnormal network behavior, significantly contributing to the development of intelligent security mechanisms. The development and implementation of intrusion detection and prevention approaches based on artificial intelligence are essential components for ensuring the security of future 5G networks and enhancing existing security systems [17].

Researchers also present threat models specific to the 5G ecosystem. In their studies, they develop an attack tree analysis methodology for examining service-oriented 5G architectures and conduct detailed vulnerability assessments, focusing on network function virtualization [18].

This article [19] proposes an intelligent identification system based on a programmable 5G architecture. The advantages and similarities of this work with ours lie in the fact that they also classify traffic. In their study, the primary models are the Random Forest and the k-Nearest Neighbors method. Additionally, they incorporated boosting into their model, which provides excellent classification performance on their dataset.

Similar approaches are described in [20–21].

3. Internal and external design of the network-based intrusion detection system for 5G

The objective of this research is to design a network-based intrusion detection system for 5G networks to monitor outgoing traffic, identify and capture potential impacts in real time, and classify them using data analysis.

We need a set of input data to continue working with our module. That is, all traffic coming from the network of nodes (gNodeB) will be sent for processing to the virtual network functions of the 5G core (Evolved Packet Core), where we will have the IDS module (Fig. 1).

Figure 1: 5G Core network with IDS

So, since the IDS module will be located inside the 5G network core as a network function, the first step will be to register it as a network function in a special Network Function Repository (NRF). The NRF function, in turn, can take into account factors such as load potential, accessibility, and location. Fig. 2 shows an example diagram of how network function registration would occur.

Figure 2: Registration between IDS and NRF

According to Fig. 1, the UPF function will be responsible for forwarding incoming traffic to the IDS function. So that data packets can be duplicated and forwarded to IDS using UPF, it has been connected to this function. Due to this, the IDS can take the necessary actions to analyze and detect potential attacks in real time. The IDS function will also have connectivity through SBI with features such as AMF and SMF for quick response and detection when suspicious traffic arrives.

If the traffic is classified as an attack, it becomes necessary to apply certain measures to alert and partially prevent the attack. This issue in the module will be dealt with by a function that will notify other network functions that can communicate with each other using the SBI (Service-based interface) interface via the HTTP/2 protocol (Fig. 1).

Given the anticipated high load of the system, driven by numerous connected devices and a substantial influx of data, scalability and fault tolerance are paramount considerations in its design. Introducing a new network function into an established 5G core implementation necessitates a careful examination of its impact.

It’s essential to highlight that the IDS module will receive input data through duplication from the UPF function, streamlining its integration into the system. This approach avoids creating unnecessary dependencies between the IDS as the data recipient and the UPF as the data sender.

In essence, the implementation of the IDS module serves as a new feature that enhances the existing functionality without introducing complexities or dependencies. This streamlined integration process ensures seamless operation and facilitates the system’s scalability and fault tolerance.

It is also important to note the importance of monitoring for timely response from those responsible for the stability of the system where data is exchanged. For these purposes, the module will include the collection of metrics on the volume of incoming traffic, classification, and prediction of a network attack (Fig. 3).

The primary functionality of the IDS module is to receive input traffic, process it, and transmit it to a service that will analyze the traffic to identify potential security threats and, if necessary, classify the threat type.

Figure 3: Internal scheme of IDS

Once our IDS was able to measure the distance in front of it, the problem of alerting other network functions residing on the common bus would be solved. We need this to pre-suppress network traffic. Through SBI interfaces, messages will be sent with changes in the data where the attack comes from and the classification of the threat. It is expected that the Session Management Function (SMF), upon receiving such an alert from our IDS module, will automatically remove the attacker’s resources and terminate the established PDU session. The AMF performs the registration blocking procedure and sets the registration state to RM-DEREGISTERED for the device user (UE).

In this context, the UE stops storing location or routing information for the UE, so the UE becomes available to the AMF. However, some parts of the UE context may still be stored in the UE and AMF, for example to avoid authentication procedures during registration of each procedure.

These measures will be very useful in the implementation of another security module in 5G networks, the main goal of which will be to prevent any threat (IPS).

4. Development of a model for a network-based intrusion detection system for 5G

Dataset

In this study, models were created and evaluated that are capable of identifying malicious traffic. In this section, we will introduce the dataset, and the models that were tested for binary classification, compare the obtained results, and choose the best model.

One of the first problems we encountered was the lack of necessary data; there are practically no open datasets with malicious traffic on the 5G network available on the Internet, which made our research difficult in terms of testing on various data. However, students from the American University provided access to generated 5G attack traffic, on which our model was built.

Figure 4: Traffic collection

Fig. 4 illustrates the process of collecting data on malicious traffic. The set of files containing malicious traffic consists of 10 types, each generated by attacking specific parts of the core. For example, the AMF attack type is conducted by requesting information from one of the core blocks. The issue is that this attack appears benign from the inside.

Non-malicious traffic was collected from YouTube video views, conferences in Microsoft Teams, website visits, and file downloads and uploads. In total, the dataset consists of 120,000 unique records, approximately 100,000 of which are normal traffic and 20,000 are malicious.

Processing files containing the required traffic data requires approximately 96 gigabytes of RAM and a couple of hours for each file. However, by using the sniff() function, we reduced the data processing workload, avoiding the need to store every data packet in memory.

Model

Fig. 5 represents a methodological scheme describing the overall pipeline of the conducted work. The data preprocessing process involves several stages.

Figure 5: Methodology

The first stage includes data integrity verification, where it is necessary to ensure that the traffic indeed utilizes hash encoding. For this verification, we use the built-in Python library, hashlib. The output provides a result indicating whether the encoding matches or not.

As mentioned earlier, the number of unique records with normal traffic is five times greater than the number of records with malicious traffic. To address issues with uneven class distribution, we utilized random generation methods such as RandomOverSampler to augment the data.

The next stage involved translating our encodings into a computer-understandable language. We used the HashingVectorizer library for vectorizing our records, which will be required for model training.

The outcome was testing various machine learning models for binary classification. These models include RandomForestClassifier, LogisticRegression, DecisionTree, and SupportVectorMachine.

Results

We tested 4 development paths and arrived at the following results.

To evaluate and compare our models, we will use the following metrics: F1-score and accuracy.

Figure 6: Accuracy comparison

In the figure above, we can observe that among the models, there is a favorite in terms of prediction accuracy based on the overall metric. We could conclude that this model suits our needs the best. However, let’s take a look at other metrics as well.

Figure 7: F1-score comparison

If we now look at the comparison of our metrics, namely accuracy and F1-score, the conclusions are not straightforward. The impact of class imbalance greatly affects the logistic regression model, as its F1 score is much lower than that of the other models, despite our efforts to balance the classes. Due to the similarity of the generated values, the model struggles to correctly identify the attack class. If we go further and look at what values we have for each class, then it becomes more and more clear.

Table 1
F1 comparison for each class.

Class \ Model    RFC     LR      DT      SVM
attack           0.87    0.66    0.80    0.86
normal           0.96    0.99    0.94    0.96

Based on all the aforementioned metrics and indicators, we can say that the Random Forest model performs the best in binary classification of these classes. However, the SVM model is only a few points behind, meaning we can use the SVM model with an error only 0.01 higher. Nevertheless, it is worth noting that the SVM model takes significantly more time to train, which leads us to prefer the RFC model.

5. Conclusions

In conclusion, the implementation of a robust network-based IDS is imperative for the security and integrity of 5G networks. Our proposed IDS, which leverages advanced machine learning techniques, has proven effective in real-time detection and mitigation of security threats. The integration of this IDS within the 5G core network not only enhances its security capabilities but also ensures minimal disruption to network performance. The research findings demonstrate that the IDS can adapt to the evolving threat landscape, providing a scalable and efficient solution for protecting 5G networks. Future work will focus on further refining the IDS algorithms and exploring additional security measures to address emerging threats, ensuring the continuous protection of 5G infrastructures.

References

[1] S. Gnanasivam, D. Tveter, N. Dinh, Performance Evaluation of Network Intrusion Detection Using Machine Learning, IEEE (2024).
[2] T. Le, et al., 5G-IoT-IDS: Intrusion Detection System for CIoT as Network Function in 5G Core Network, in: IEEE Global Communications Conference (2023) 4773–4778. doi: 10.1109/GLOBECOM54140.2023.10437158.
[3] T. Moges, et al., Cellular Internet of Things: Use cases, technologies, and future work, Internet of Things 24 (2023). doi: 10.1016/j.iot.2023.100910.
[4] A. Imanbayev, et al., Research of Machine Learning Algorithms for the Development of Intrusion Detection Systems in 5G Mobile Networks and Beyond, Sensors 22 (2022) 9957. doi: 10.3390/s22249957.
[5] ENISA, The Heat Is Online. Threat Landscape for 5G Networks Report (2020). URL: https://www.enisa.europa.eu/publications/enisa-threat-landscape-report-for-5g-networks
[6] Y. Siriwardhana, et al., Robust and Resilient Federated Learning for Securing Future Networks, Joint European Conference on Networks and Communications and 6G Summit (EuCNC/6G Summit) (2022) 351–356.
[7] Y. Siriwardhana, et al., AI and 6G Security: Opportunities and Challenges, Joint European Conference on Networks and Communications and 6G Summit (EuCNC/6G Summit), IEEE (2021) 616–621.
[8] R. Santos, et al., Machine Learning Algorithms to detect DDoS Attacks in SDN, Concurrency and Computation: Practice and Experience 32(16) (2020).
[9] R. Na, et al., 5G Mobile Network Slicing for THz Services, IEEE 2nd 5G World Forum (5GWF) (2019).
[10] J. Li, Z. Zhao, R. Li, Machine Learning-Based IDS for Software-Defined 5G Network, IET Networks 7 (2017) 53–60.
[11] G. Iashvili, et al., Intrusion Detection System for 5G with a Focus on DOS/DDOS Attacks, in: 11th IEEE International Conference on Intelligent Data Acquisition and Advanced Computing Systems: Technology and Applications (2021) 861–864. doi: 10.1109/IDAACS53288.2021.9661021.
[12] S. Park, et al., Threats and Countermeasures on a 4G Mobile Network, Eighth International Conference on Innovative Mobile and Internet Services in Ubiquitous Computing (2014) 538–541. doi: 10.1109/IMIS.2014.79.
[13] NIS cooperation group, The Heat Is Online. EU Coordinated Risk Assessment of the Cybersecurity of 5G Networks (2019). URL: https://digital-strategy.ec.europa.eu/en/news/eu-wide-coordinated-risk-assessment-5g-networks-security
[14] N. C. Group, The Heat Is Online. Cybersecurity of 5G Networks EU Toolbox of Risk Mitigating Measures (2020).
[15] ENISA, The Heat Is Online. Threat Landscape for 5G Networks Report (2020). URL: https://www.enisa.europa.eu/publications/enisa-threat-landscape-report-for-5g-networks
[16] Y. Siriwardhana, et al., Robust and Resilient Federated Learning for Securing Future Networks, Joint European Conference on Networks and Communications and 6G Summit (EuCNC/6G Summit) (2022) 351–356.
[17] Y. Siriwardhana, et al., AI and 6G Security: Opportunities and Challenges, Joint European Conference on Networks and Communications and 6G Summit (EuCNC/6G Summit), IEEE (2021) 616–621.
[18] R. Santos, et al., Machine Learning Algorithms to detect DDoS Attacks in SDN, Concurrency and Computation: Practice and Experience 32(16) (2020).
[19] R. Na, et al., 5G Mobile Network Slicing for THz Services, in: IEEE 2nd 5G World Forum (5GWF) (2019).
[20] O. Solomentsev, et al., Data Processing in Case of Radio Equipment Reliability Parameters Monitoring, Proceedings - 2018 Advances in Wireless and Optical Communications, RTUWO (2018) 219–222.
[21] O. Solomentsev, et al., Signal processing in case of radio equipment technical state deterioration, in: Signal Processing Symposium, SPSympo (2015).
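
Added example for the Dataset and Model subsections of Section 4 (not the authors' code): the hashlib integrity stage and the "do not store every packet in memory" idea, done with the Python standard library instead of the sniff() call the paper mentions. The interface labels, the helper names and the sample capture are constructed for illustration; the ports are the standard PFCP, GTP-U and NGAP ports.

```python
import hashlib
import io
import struct
from collections import Counter

# Standard 5G transport endpoints: (IP protocol, port) -> interface label.
IFACE = {(17, 8805): "N4/PFCP", (17, 2152): "N3/GTP-U", (132, 38412): "N2/NGAP"}
# First four file bytes -> byte order of a classic (microsecond) pcap.
MAGIC = {b"\xd4\xc3\xb2\xa1": "<", b"\xa1\xb2\xc3\xd4": ">"}


def sha256_stream(fh, chunk=1 << 20):
    """Digest a capture in fixed-size chunks; memory use is one chunk."""
    h = hashlib.sha256()
    for block in iter(lambda: fh.read(chunk), b""):
        h.update(block)
    return h.hexdigest()


def iter_pcap(fh):
    """Yield one raw frame at a time; nothing is kept after it is consumed."""
    head = fh.read(24)
    order = MAGIC.get(head[:4])
    if len(head) < 24 or order is None:
        raise ValueError("not a classic pcap file")
    snaplen = struct.unpack(order + "I", head[16:20])[0]
    while True:
        rec = fh.read(16)
        if not rec:
            return
        if len(rec) < 16:
            raise ValueError("truncated record header")
        incl_len = struct.unpack(order + "I", rec[8:12])[0]
        if incl_len > snaplen:  # malformed length field, refuse to allocate
            raise ValueError("record longer than snaplen")
        frame = fh.read(incl_len)
        if len(frame) < incl_len:
            raise ValueError("truncated packet body")
        yield frame


def classify(frame):
    """Label an Ethernet/IPv4 frame by IP protocol and source or dest port."""
    if len(frame) < 38 or frame[12:14] != b"\x08\x00":
        return "other"
    l4 = 14 + (frame[14] & 0x0F) * 4  # Ethernet header + IPv4 header length
    if len(frame) < l4 + 4:
        return "other"
    sport, dport = struct.unpack("!HH", frame[l4:l4 + 4])
    proto = frame[23]
    return IFACE.get((proto, dport)) or IFACE.get((proto, sport)) or "other"


def summarize(fh, expected_sha256):
    """Verify the file digest, then tally interfaces in constant memory."""
    if sha256_stream(fh) != expected_sha256:
        raise ValueError("capture digest mismatch")
    fh.seek(0)
    return Counter(classify(frame) for frame in iter_pcap(fh))


def _frame(proto, sport, dport):
    """Constructed Ethernet/IPv4 frame with an 8-byte payload, checksums zero."""
    l4 = struct.pack("!HH", sport, dport) + b"\x00" * 8
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(l4), 0, 0, 64, proto, 0,
                     bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2]))
    return b"\x00" * 12 + b"\x08\x00" + ip + l4


def sample_capture():
    """Constructed little-endian pcap: 2 PFCP, 1 GTP-U, 1 NGAP, 1 other."""
    frames = [_frame(17, 8805, 8805), _frame(17, 40000, 8805),
              _frame(17, 2152, 2152), _frame(132, 38412, 38412),
              _frame(17, 53000, 53)]
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    for i, f in enumerate(frames):
        out += struct.pack("<IIII", 1700000000 + i, 0, len(f), len(f)) + f
    return out


if __name__ == "__main__":
    raw = sample_capture()
    print(summarize(io.BytesIO(raw), hashlib.sha256(raw).hexdigest()))
```

Because `iter_pcap` is a generator and the tally is a small Counter, peak memory depends on the largest packet rather than on the size of the capture file.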
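
Added example for the class-balancing and evaluation steps of Section 4 (not the authors' code): random oversampling applied only to the training split, a digest-based check that no record sits on both sides of the split, and accuracy shown beside per-class F1 on a 5:1 set. The records and helper names are constructed, and `random_oversample` is a standard-library stand-in for RandomOverSampler.

```python
import hashlib
import random
from collections import Counter


def digest(record):
    """Stable record identity, used to spot copies across a split."""
    return hashlib.sha256(record.encode()).hexdigest()


def split(rows, test_frac, rng):
    """Shuffle (record, label) rows and cut them into train and test."""
    rows = list(rows)
    rng.shuffle(rows)
    cut = int(len(rows) * test_frac)
    return rows[cut:], rows[:cut]


def random_oversample(rows, rng):
    """Duplicate minority rows at random until every class is equal in size."""
    groups = {}
    for row in rows:
        groups.setdefault(row[1], []).append(row)
    target = max(len(g) for g in groups.values())
    out = []
    for g in groups.values():
        out += g + [rng.choice(g) for _ in range(target - len(g))]
    rng.shuffle(out)
    return out


def leaked(train, test):
    """Count test rows whose exact record is also present in train."""
    seen = {digest(rec) for rec, _ in train}
    return sum(digest(rec) in seen for rec, _ in test)


def per_class_f1(y_true, y_pred):
    """F1 per label, so a weak minority class is not averaged away."""
    pairs = list(zip(y_true, y_pred))
    scores = {}
    for c in sorted(set(y_true)):
        tp = sum(t == c and p == c for t, p in pairs)
        fp = sum(t != c and p == c for t, p in pairs)
        fn = sum(t == c and p != c for t, p in pairs)
        scores[c] = 2 * tp / (2 * tp + fp + fn) if tp else 0.0
    return scores


def accuracy(y_true, y_pred):
    return sum(t == p for t, p in zip(y_true, y_pred)) / len(y_true)


def dataset():
    """Constructed unique records at the paper's 5:1 normal-to-attack ratio."""
    return ([(f"normal-flow-{i}", "normal") for i in range(100)]
            + [(f"attack-flow-{i}", "attack") for i in range(20)])


def compare_orderings(seed=7):
    rows = dataset()
    # Oversample first, split second: copies of one record land on both sides.
    bad_train, bad_test = split(random_oversample(rows, random.Random(seed)),
                                0.25, random.Random(seed))
    # Split first, oversample only the training part: the test set stays clean.
    train, test = split(rows, 0.25, random.Random(seed))
    train = random_oversample(train, random.Random(seed))
    return {"leak_oversample_first": leaked(bad_train, bad_test),
            "leak_split_first": leaked(train, test),
            "train_balance": Counter(label for _, label in train),
            "test_size": len(test)}


def half_missed_attacks():
    """Constructed detector output: all normal right, 10 of 20 attacks missed."""
    y_true = ["normal"] * 100 + ["attack"] * 20
    y_pred = ["normal"] * 100 + ["attack"] * 10 + ["normal"] * 10
    return accuracy(y_true, y_pred), per_class_f1(y_true, y_pred)


if __name__ == "__main__":
    print(compare_orderings())
    print(half_missed_attacks())
```

In the constructed detector output, accuracy stays above 0.9 while the attack-class F1 drops to about two thirds, the same kind of gap Table 1 shows between the per-class scores.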