Applying AI to Protect 5G Control Traffic

ETSI Security Week 2019
Antonio Pastor, Telefonica I+D | 19.06.2019


AI as a valuable resource for cybersecurity..and when to use it

Machine Learning can be applied in situations where it is very challenging (=impossible) to define rules by hand:

• Network attacks: identify an attack from normal traffic

• Fraud: identify illegal actions from odd users

• Spam: discern well elaborated spear phishing from business email

• Malware: decide whether a non classified binary signature is benign or part of a malware


Machine learning examples for cybersecurity

• Supervised learning: the correct classes of the training data are known (labels)

• E.g. Classification: the new data is classified into known categories according to certain features. Examples: malware traffic identification, attack types classification

• E.g. Regression: the knowledge from existing data is utilized to have an idea of the new data. Examples: fraud, predict attacks


Machine learning examples for cybersecurity

• Unsupervised learning: the correct classes of the training data are not known (no labels). Goal: discover structure in the data

• E.g. Clustering: classification but without information about the classes. Examples: anomaly detection (forensic analysis, behavior analytics, etc.)

• E.g. Association rule learning: learn events that appear together. Examples: alert correlation, IDS


Machine learning examples for cybersecurity

• E.g. Generative models: simulate the actual data (not the decisions). Examples: test an application for injection vulnerabilities, mutation of binaries

• Reinforcement learning: allows learning behavior based on feedback from the environment

http://www.lherranz.org/2018/08/07/imagetranslation/


AI applied to network traffic.. A familiar environment

• What we found in our networks
    o Endpoint security is not always available (e.g. IoT, closed proprietary systems, unmaintained servers)
    o Zero-day attacks, including variations from already known ones
    o Network services are also targets (DNS, VoIP, radio core, …)

• What we expect from AI
    o A solution that can evolve with attacks
    o Solve problems beyond human capabilities

• What we use
    o Network traffic information and related data


But network protocols have evolved..and the future is encrypted

• Lack of visibility in all layers

• Layer 2 to 7: GPON, 3/4/5G Radio, MacSec, IPSec, DTLS, TLSv1.3, ESNI, QUIC, SSH, PGP, JWT, DoH / DoT

The evildoers know it:

• TLS easier than ever (e.g. Let’s Encrypt)

• Malware spreading (droppers, exploits, C&C, cryptomining)

• Application layer attacks over HTTPS (XSS, CSRF, ..)

• DoT (DNS over TLS): domain blocking, e.g. IWF; DGA; DoS

Sources: Fortinet quarterly threat landscape report Q3 2018; Google transparency report HTTPS; telemetry.mozilla.org via f5.com


5G is coming

• Non Stand Alone focuses on radio evolution. Security will be incremental

• Stand Alone will change 5G Core, especially the signalling plane. Security highly impacted

Non Stand Alone:
    o EPC based EPS AKA
    o eNB <-> gNB security
    o Backhaul encryption

Stand Alone:
    o New 5GCore based 5G-AKA
    o NFV/SDN adoption
    o Network slicing
    o New SBA architecture
    o Interoperation 4G <-> 5G
    o Backhaul & IPX encryption

[Figure labels: IPSec, IPSec/TLS]

AI can help


5G Service Based Architecture (Internal): From P2P to SBI

[Figure: signalling protocol stacks compared along two axes, Visibility and Complexity.
 SIGTRAN: MAP/CAP/WIN, TCAP, SCCP, M3UA, SCTP/IP, Ethernet.
 DIAMETER (S6a, S6d, S13, Gy, Rx, Gx, S9): DIAMETER, SCTP/IP, Ethernet.
 JSON/HTTP/2 (N): HTTP/2, TLS, TCP/IP, Ethernet.]


5G Service Based Architecture (Roaming)

[Figure: AMF/AUSF <-> vSEPP <-> IPX Network (IPX1, IPX2) <-> hSEPP <-> AMF/AUSF. N32-c: HTTP2 + TLS. N32-f: HTTP2 + JWE. Labels: +JWS1, +JWS2, JWE, JWS1, JWS2, JSON. Axes: Visibility, Complexity.]

• SBA traffic will be encrypted at different levels (TLS or JWE) by SEPP in roaming scenarios (alone or combined)

• SEPP highly exposed, no more walled garden
    o SEPP can be a VNF and attacks affect NFVI

• IPX network provider has limited security visibility


Current security technologies

• Tailored to legacy protocols & architecture
    o Firewalls and ACLs
    o IPX specific application gateways
    o EPC nodes security application (SS7 screening, DIAMETER filtering, etc.)

• Assume traffic visibility
    o Network Monitoring (SIEMs)
    o DPIs and probes (non encryption)

CC BY: https://wellcomecollection.org/works/xzb5zfc6


New security risk in 5G ..and opportunities for AI

• Legacy Core will be expanded, not replaced. (Mix of protocols)

• Core network functions (NFs) exposed over distributed NFVI/cloud

• Secure multiple micro-services per slice and multiple slices

• Attacks from Application Functions and SBI interfaces exposed

• Roaming attacks over HTTPS

[Figure: hSEPP connected through IPX to multiple vSEPPs; AF; attacks]

https://arxiv.org/ftp/arxiv/papers/1703/1703.04676.pdf


Leverage AI to protect 5G Core

The vision of SPIDER is to deliver a next-generation cyber range platform for the telecom domain and 5G, offering cybersecurity emulation, training and investment decision support

Deploy ad-hoc emulation scenarios for current and realistic SBA services.

SPIDER: a cyberSecurity Platform for vIrtualiseD 5G cybEr Range services

5G Control plane use case: Based on cybersecurity tools and machine learning, SPIDER will be evaluated in testing novel technologies to protect the 5G core from different attacks.

SPIDER is part of Horizon 2020 research and innovation programme


Telefonica Mouseworld* ..The dataset laboratory for AI

Objective

• Capacity to generate synthetic traffic and label it

• Build an environment that allows evaluating Machine Learning (ML) concepts in a controlled way

• Using configurable mixes of synthetic and real traffic

Functionality

• Scenario definition and creation based on NFV/SDN

• Generation of different traffic classes, e.g.:
    § Web services based on TLS
    § Malware
    § Cyberattack tools

• Traffic capture
    § Pcap, Netflow, Tstat

• Experiment monitoring

• Dataset labelling and storage

• Testing ML models using DeepAugur smart traffic analysers (STA)☨

[Figure: Mouseworld architecture. Modules: Launcher, Traffic generators Module, Dataset Collectors Module, Label Module, Train & Validate Module. Elements: client synthetic traffic (Cloud, Video, Browser), client attacker, HoneyNet, internal servers (WebServer, CloudFile Provider, Videostream), Network Infrastructure, VNF Probe, VNF Labelling, Monitoring Interface, OSS Monitoring dashboard. Outputs: Labelled DataSet -> Supervised ML training -> Classification; DataSet -> Unsupervised ML training -> Anomalies.]

*https://doi.org/10.1145/3230833.3233283
☨https://www.eitdigital.eu/fileadmin/files/2018/factsheets/digital-infrastructure/Deep-Augur_FactSheet_.pdf


Research activities envisioned for 5G control traffic

Scenarios (Mouseworld Logical Network Experiments):

• 5GC internal SBA type traffic characterization. E.g: NRF ⟷ AMF, AMF ⟷ AUSF, AF ⟷ NEF

• Cyberattacks over SBI

• Roaming attacks

AI use cases:

• Insights over encrypted SBI traffic:
    o Classify signalling traffic and types of messages
    o Performance impacts on slices by monitoring the physical network traffic
    o Identify attacks by detecting signalling traffic anomalies
    o Detect attacks to underlying application servers

• Use AI to mimic attacker:
    o Fuzzing attacks
    o Generative Adversarial Networks (GAN)

[Figure: one Mouseworld topology per scenario, with attack VNFs, xNF (consumer or producer role NF), client and server VNFs, SEPP, IPX, HTTPS noise, VNF Probe (ML dataset collection), Mgmt. Network, Signalling Network, OSS, MANO+SDN, SBI.]
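An added illustration (not from the slides, and not Mouseworld or DeepAugur code) of the "identify attacks by detecting signalling traffic anomalies" use case, using only flow metadata so it still applies when the SBI payload is encrypted. The field names, the per-NF-pair median/MAD profile, the 3.5 threshold and every flow record are assumptions constructed for the example.

```python
from collections import defaultdict
from statistics import median

# Flow-metadata fields a probe could export (names are assumptions).
FEATURES = ("pkts", "bytes_up", "bytes_down", "duration_ms")

def flow(fid, pair, pkts, up, down, dur):
    return {"id": fid, "pair": pair, "pkts": pkts, "bytes_up": up,
            "bytes_down": down, "duration_ms": dur}

# Constructed baseline: 40 normal flows per NF pair, small periodic variation.
BASELINE = [flow(f"a{i}", "AMF-AUSF", 18 + i % 5, 2100 + 40 * (i % 7),
                 3300 + 55 * (i % 6), 200 + 10 * (i % 4)) for i in range(40)]
BASELINE += [flow(f"n{i}", "NRF-AMF", 8 + i % 3, 600 + 20 * (i % 5),
                  1500 + 30 * (i % 4), 50 + 5 * (i % 3)) for i in range(40)]
OBSERVED = [  # constructed flows to score against the baseline
    flow("t1", "AMF-AUSF", 20, 2220, 3410, 210),    # typical
    flow("t2", "AMF-AUSF", 400, 90000, 3500, 230),  # volume far above baseline
    flow("t3", "AMF-AUSF", 21, 2200, 3400, 4000),   # unusually long-lived
    flow("t4", "AF-AUSF", 12, 900, 1200, 80),       # NF pair absent from baseline
    flow("t5", "NRF-AMF", 9, 640, 1545, 55),        # typical for its own pair
]

def fit(flows):
    """Group feature samples per NF pair; each pair gets its own profile."""
    base = defaultdict(lambda: defaultdict(list))
    for f in flows:
        for name in FEATURES:
            base[f["pair"]][name].append(f[name])
    return base

def robust_z(value, samples):
    """Modified z-score: distance from the median in units of scaled MAD."""
    med = median(samples)
    mad = median(abs(s - med) for s in samples)
    if mad == 0:
        return 0.0 if value == med else float("inf")
    return 0.6745 * abs(value - med) / mad

def detect(observed, base, threshold=3.5):
    """Return (flow id, most deviant feature) for flows above the threshold."""
    alerts = []
    for f in observed:
        prof = base.get(f["pair"])
        zs = ({n: robust_z(f[n], prof[n]) for n in FEATURES} if prof
              else {"unseen_pair": float("inf")})
        worst = max(zs, key=zs.get)
        if zs[worst] > threshold:
            alerts.append((f["id"], worst))
    return alerts
```

Profiles are kept per NF pair because a flow that is normal for NRF-AMF would look anomalous against the AMF-AUSF baseline; the median/MAD score stands in for whatever unsupervised model is actually trained on the collected dataset.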
