Zeyad Abdelhay,Yahuza Bello,Ahmed Refaey

DOI: https://doi.org/10.48550/arXiv.2312.17271

2023-12-27

Cryptography and Security

Abstract:The upcoming Sixth Generation (6G) network is projected to grapple with a range of security concerns, encompassing access control, authentication, secure connections among 6G Core (6GC) entities, and trustworthiness. Classical Virtual Private Networks (VPNs), extensively deployed in Evolved Packet Core (EPC) network infrastructure, are notoriously susceptible to a variety of attacks, including man-in-the-middle incursions, Domain Name System (DNS) hijacking, Denial of Service (DoS) attacks, port scanning, and persistent unauthorized access attempts. This paper introduces the concept of Software Defined Perimeter (SDP) as an innovative solution, providing an alternative to VPNs with the goal of fostering a secure zero-trust milieu within the 6G Core networks. We capitalize on the SDP controller-based authentication and authorization mechanisms to secure the EPC network's control and data plane functions, conceiving an architecture that is expansible to the 6G network. Further, we augment the SDP zero-trust capabilities via the incorporation of a dynamic component, the Moving Target Defense (MTD). This enhances the network's resilience against attacks targeting traditionally static network environments established via VPNs. Following rigorous testbed analysis, our proposed framework manifests superior resilience against DoS and port scanning attacks when juxtaposed with traditional VPN methodologies.

Zeyad Abdelhay,Yahuza Bello,Ahmed Refaey

DOI: https://doi.org/10.1109/mwc.001.2300358

IF: 12.777

2024-04-12

IEEE Wireless Communications

Abstract:The upcoming Sixth Generation (6G) network is projected to grapple with a range of security concerns, encompassing access control, authentication, secure connections among 6G Core (6GC) entities, and trustworthiness. Classical Virtual Private Networks (VPNs), extensively deployed in Evolved Packet Core (EPC) network infrastructure, are notoriously susceptible to a variety of attacks, including man-in-the-middle incursions, Domain Name System (DNS) hijacking, Denial of Service (DoS) attacks, port scanning, and persistent unauthorized access attempts. This paper introduces the concept of Software Defined Perimeter (SDP) as an innovative solution, providing an alternative to VPNs with the goal of fostering a secure zero-trust milieu within the 6G Core networks. We capitalize on the SDP controller-based authentication and authorization mechanisms to secure the EPC network's control and data plane functions, conceiving an architecture that is expansible to the 6G network. Further, we augment the SDP zero-trust capabilities via the incorporation of a dynamic component, the Moving Target Defense (MTD). This enhances the network's resilience against attacks targeting traditionally static network environments established via VPNs. Following rigorous testbed analysis, our proposed framework manifests superior resilience against DoS and port scanning attacks when jux-taposed with traditional VPN methodologies.

computer science, information systems,telecommunications,engineering, electrical & electronic, hardware & architecture

Qiang Wu,Ran Wang,Xincheng Yan,Chunming Wu,Rongxing Lu

DOI: https://doi.org/10.1109/MWC.001.2100251

IF: 12.777

2022-01-01

IEEE Wireless Communications

Abstract:Opening-up sharing has prompted the multi-tenancy architecture, whereby different vendors (including outsourcees) work together with network operators to form a vibrant service ecosystem, resulting in several advantages as well as risks. In particular, the static nature of existing architectures in network functions virtualization-based (NFV-based) clouds facilitate hacking. Thus, much attention has been focused on determining how to avoid the uncontrollable cloud security induced by complex production relations and non-trustworthy software/hardware sources when the two sets of security risks intersect. In this article, we investigate latent persistent threats against cloud environments and determine a high degree of complementarity and consistency between the NFV-based cloud environment and the dynamic defense concept. More specifically, new NFV-based cloud features provide an effective implementation for dynamic defense, while the generalized robustness of dynamic defense theory allows for high security gains. Intrinsic cloud security (iCS) is then proposed to align NFV-based clouds, mimicking defense and the moving target defense (MTD) paradigm to implement a seamless integration and symbiosis evolution between security and NFV-based clouds. We quantify the impact on system overhead to account for efficiency and cost issues. The simulation analysis demonstrates that the enhanced mode is able to consistently obtain a more beneficial and stable defense compared with the counterparts.

Dezhang Kong,Yi Shen,Xiang Chen,Qiumei Cheng,Hongyan Liu,Dong Zhang,Xuan Liu,Shuangxi Chen,Chunming Wu

DOI: https://doi.org/10.1109/tnet.2022.3203561

2023-01-01

IEEE/ACM Transactions on Networking

Abstract:The topology discovery service in Software-Defined Networking (SDN) provides the controller with a global view of the substrate network topology, allowing for central management of the entire network. Unfortunately, emerging topology attacks can poison the network topology and result in unforeseeable disasters. Although researchers have made great efforts to mitigate this problem, security hazards still exist. In this paper, we propose Invisible Assailant Attack (IAA), the first combination topology attack capable of injecting and maintaining fake links even when 12 existing defense strategies are deployed simultaneously. IAA consists of 14 attack phases that apply multiple attack strategies. Attackers skillfully disguise the attack traffic in each phase so that it looks like normal network traffic, and perform these phases in a well-planned sequence, thereby bypassing existing defenses step by step. To mitigate this attack, we propose a Route Path Verification (RPV) mechanism that orchestrates multiple defense strategies to identify fake links. According to the experiments, RPV can successfully detect IAA with low overhead: its detection completes within 1 ms while its per-flow storage consumption is only a few KB.

Qiumei Cheng,Chunming Wu,Haifeng Zhou,Yuhang Zhang,Rui Wang,Wei Ruan

DOI: https://doi.org/10.1109/hpcc/smartcity/dss.2018.00149

2018-01-01

Abstract:Guarding the perimeter of cloud-based enterprise networks is a challenge due to massive traffic with dynamic nature. Current firewalls of enterprise networks in cloud are largely based on static security rule configuration or simple rule matching, which makes them inflexible, error-prone and poorly effective, bringing about severe security risks. In this paper, we propose an artificial intelligence-based software-defined networks firewall (AI-SDNF) for solving the above problems. Compared with existing SDN firewalls, AI-SDNF is able to extract and analyze the payload of data packets based on machine learning technologies rather than simply match with flow tables according to several header fields (e.g., source and destination IP/MAC addresses). Considering deciding whether a packet is benign or malicious is able to be formulated as a typical binary classification problem, we employ logistic regression for training an intelligent SDN firewall under supervised machine learning. We implement a prototype of AI-SDNF on the OpenDaylight controller and the OpenStack platform. Based on the prototype, we evaluate its performance and overheads with real dataset. The experimental results indicate that AI-SDNF achieves a relatively high detection accuracy of 96.79% with an average of 0.2ms latency.

Xu Chen,Wei Feng,Ning Ge,Yan Zhang

DOI: https://doi.org/10.1109/mnet.2023.3326356

IF: 10.294

2023-01-01

IEEE Network

Abstract:The upcoming sixth generation (6G) network is expected to be more open and heterogeneous, posing new challenges to conventional security architectures. Traditionally, these architectures rely on the construction of a security perimeter at network boundaries. In this article, we propose a software-defined zero trust architecture (ZTA) for 6G networks, offering a promising approach to establish an elastic and scalable security regime. Our proposed architecture ensures secure access control through adaptive collaborations among control domains, effectively mitigating malicious access behaviors like distributed denial of service (DDoS) attacks, malware spread, and zero-day exploits. We also highlight key design aspects of this architecture and present simulation results from a case study that demonstrate the effectiveness and robustness of ZTA for 6G. Finally, we discuss open issues that warrant further exploration to promote and enhance this novel architecture.

computer science, information systems,telecommunications,engineering, electrical & electronic, hardware & architecture

Haotian Xu,Mianxiong Dong,Kaoru Ota,Jun Wu,Jianhua Li

DOI: https://doi.org/10.1109/ithings/greencom/cpscom/smartdata.2019.00158

2019-07-01

Abstract:Recently, the integrated architecture of 5G-enabled software defined vehicular networks (5G-SDVN) is becoming a new trend of the next generation vehicular networks. 5G-SDVN architecture can provide various improvements for traditional vehicular networks. The most important high throughput and low latency can be guaranteed by 5G. Centralized vehicle control and vehicular network programmability are provided by software defined networks (SDN). Vehicular network security is always critical because it is directly related to personal safety and traffic efficiency. However, security issues of 5G-SDVN are complicated and challenging due to the rapid mobility of vehicles and complex network topology. Also, the scalability and programmability of SDN can enlarge the attack surface, leading to more defects and vulnerabilities. Hence, a dynamic security defense service is urgently needed. In this paper, a software defined dynamic security defense (SD-DSD) scheme is proposed to provide security-as-service for 5G-SDVN. The proposed scheme firstly conducts a security assessment to evaluate the security level of current system. Based on the security assessment result, the proposed scheme then dynamically generates and deploys security strategies in an software defined way. In consequence, the proposed scheme can improve the security level of a given 5G-SDVN system. The evaluation demonstrated that the proposed scheme can improve the system security level effectively and efficiently with a high network performance.

Tao Li,Yunian Pan,Quanyan Zhu

2023-10-03

Abstract:Multi-domain warfare is a military doctrine that leverages capabilities from different domains, including air, land, sea, space, and cyberspace, to create a highly interconnected battle network that is difficult for adversaries to disrupt or defeat. However, the adoption of 5G technologies on battlefields presents new vulnerabilities due to the complexity of interconnections and the diversity of software, hardware, and devices from different supply chains. Therefore, establishing a zero-trust architecture for 5G-enabled networks is crucial for continuous monitoring and fast data analytics to protect against targeted attacks. To address these challenges, we propose a proactive end-to-end security scheme that utilizes a 5G satellite-guided air-ground network. Our approach incorporates a decision-dominant learning-based method that can thwart the lateral movement of adversaries targeting critical assets on the battlefield before they can conduct reconnaissance or gain necessary access or credentials. We demonstrate the effectiveness of our game-theoretic design, which uses a meta-learning framework to enable zero-trust monitoring and decision-dominant defense against attackers in emerging multi-domain battlefield networks.

Cryptography and Security

Mohammed Gharib,Fatemeh Afghah

2023-08-21

Abstract:5G made a significant jump in cellular network security by offering enhanced subscriber identity protection and a user-network mutual authentication implementation. However, it still does not fully follow the zero-trust (ZT) requirements, as users need to trust the network, 5G network is not necessarily authenticated in each communication instance, and there is no mutual authentication between end users. When critical communications need to use commercial networks, but the environment is ZT, specific security architecture is needed to provide security services that do not rely on any 5G network trusted authority. In this paper, we propose SCC5G Secure Critical-mission Communication over a 5G network in ZT setting. SCC5G is a post-quantum cryptography (PQC) security solution that loads an embedded hardware root of authentication (HRA), such as physically unclonable functions (PUF), into the users' devices, to achieve tamper-resistant and unclonability features for authentication and key agreement. We evaluate the performance of the proposed architecture through an exhaustive simulation of a 5G network in an ns-3 network simulator. Results verify the scalability and efficiency of SCC5G by showing that it poses only a few kilobytes of traffic overhead and adds only an order of $O(0.1)$ second of latency under the normal traffic load.

Networking and Internet Architecture

Baozhan Chen,Siyuan Qiao,Jie Zhao,Dongqing Liu,Xiaobing Shi,Minzhao Lyu,Haotian Chen,Huimin Lu,Yunkai Zhai

DOI: https://doi.org/10.1109/jiot.2020.3041042

IF: 10.6

2021-07-01

IEEE Internet of Things Journal

Abstract:The key features of 5G network (i.e., high bandwidth, low latency, and high concurrency) along with the capability of supporting big data platforms with high mobility make it valuable in coping with emerging medical needs, such as COVID-19 and future healthcare challenges. However, enforcing the security aspect of a 5G-based smart healthcare system that hosts critical data and services is becoming more urgent and critical. Passive security mechanisms (e.g., data encryption and isolation) used in legacy medical platforms cannot provide sufficient protection for a healthcare system that is deployed in a distributed manner and fail to meet the need for data/service sharing across "cloud-edge-terminal" in the 5G era. In this article, we propose a security awareness and protection system that leverages zero-trust architecture for a 5G-based smart medical platform. Driven by the four key dimensions of 5G smart healthcare including "subject" (i.e., users, terminals, and applications), "object" (i.e., data, platforms, and services), "behavior," and "environment," our system constructs trustable dynamic access control models and achieves real-time network security situational awareness, continuous identity authentication, analysis of access behavior, and fine-grained access control. The proposed security system is implemented and tested thoroughly at industrial-grade, which proves that it satisfies the needs of active defense and end-to-end security enforcement of data, users, and services involved in a 5G-based smart medical system.

computer science, information systems,telecommunications,engineering, electrical & electronic

Xian Guo,Hongbo Xian,Tao Feng,Yongbo Jiang,Di Zhang,Junli Fang

DOI: https://doi.org/10.7717/peerj-cs.1674

2023-11-17

Abstract:Software-defined networking (SDN) faces many of the same security threats as traditional networks. The separation of the SDN control plane and data plane makes the controller more vulnerable to cyber attacks. The conventional "perimeter defense" network security model cannot prevent lateral movement attacks caused by malicious insider users or hardware and software vulnerabilities. The "zero trust architecture" has become a new security network model to protect enterprise network security. In this article, we propose an intelligent zero-trust security framework IZTSDN for the software-defined networking by integrating deep learning and zero-trust architecture, which adopts zero-trust architecture to protect every resource and network connection in the network. IZTSDN uses a traffic anomaly detection mode CALSeq2Seql based on a deep learning algorithm to analyze users' network behavior in real-time and achieve continuous tracking and analysis of users, restrict malicious users from accessing network resources, and realize the dynamic authorization process. Finally, the Mininet simulation platform is extended to build the simulation platform MiniIZTA supporting zero-trust architecture and the proposed security framework IZTSDN is experimentally analyzed. The experimental results show that the IZTSDN security framework can provide about 80.5% of throughput when the network is attacked. The accuracy of abnormal traffic detection reaches 99.56% on the SDN dataset, which verifies that the reliability and availability of the IZTSDN security framework are verified.

Zhihong Tian,Yanbin Sun,Shen Su,Mohan Li,Xiaojiang Du,Mohsen Guizani

DOI: https://doi.org/10.48550/arXiv.1902.04009

2019-02-12

Abstract:The 5th generation (5G) network adopts a great number of revolutionary technologies to fulfill continuously increasing requirements of a variety of applications, including ultra-high bandwidth, ultra-low latency, ultra-massive device access, ultra-reliability, and so on. Correspondingly, traditional security focuses on the core network, and the logical (non-physical) layer is no longer suitable for the 5G network. 5G security presents a tendency to extend from the network center to the network edge and from the logical layer to the physical layer. The physical layer security is also an essential part of 5G security. However, the security of each layer in 5G is mostly studied separately, which causes a lack of comprehensive analysis for security issues across layers. Meanwhile, potential security threats are lack of automated solutions. This article explores the 5G security by combining the physical layer and the logical layer from the perspective of automated attack and defense, and dedicate to provide automated solution framework for 5G security.

Networking and Internet Architecture

Jaspreet Singh,Yahuza Bello,Ahmed Refaey,Amr Mohamed

DOI: https://doi.org/10.48550/arXiv.2007.01246

2020-07-03

Abstract:The rise in embedded and IoT device usage comes with an increase in LTE usage as well. About 70\% of an estimated 18 billion IoT devices will be using cellular LTE networks for efficient connections. This introduces several challenges such as security, latency, scalability, and quality of service, for which reason Edge Computing or Fog Computing has been introduced. The edge is capable of offloading resources to the edge to reduce workload at the cloud. Several security challenges come with Multi-access Edge Computing (MEC) such as location-based attacks, the man in the middle attacks, and sniffing. This paper proposes a Software-Defined Perimeter (SDP) framework to supplement MEC and provide added security. The SDP is capable of protecting the cloud from the edge by only authorizing authenticated users at the edge to access services in the cloud. The SDP is implemented within a Mobile Edge LTE network. Delay analysis of the implementation is performed, followed by a DoS attack to demonstrate the resilience of the proposed SDP. Further analyses such as CPU usage and Port Scanning were performed to verify the efficiency of the proposed SDP. This analysis is followed by concluding remarks with insight into the future of the SDP in MEC.

Networking and Internet Architecture,Numerical Analysis

Min Chen,Yongfeng Qian,Shiwen Mao,Wan Tang,Ximin Yang

DOI: https://doi.org/10.1007/s11036-015-0665-5

2016-01-09

Mobile Networks and Applications

Abstract:The future 5G wireless is triggered by the higher demand on wireless capacity. With Software Defined Network (SDN), the data layer can be separated from the control layer. The development of relevant studies about Network Function Virtualization (NFV) and cloud computing has the potential of offering a quicker and more reliable network access for growing data traffic. Under such circumstances, Software Defined Mobile Network (SDMN) is presented as a promising solution for meeting the wireless data demands. This paper provides a survey of SDMN and its related security problems. As SDMN integrates cloud computing, SDN, and NFV, and works on improving network functions, performance, flexibility, energy efficiency, and scalability, it is an important component of the next generation telecommunication networks. However, the SDMN concept also raises new security concerns. We explore relevant security threats and their corresponding countermeasures with respect to the data layer, control layer, application layer, and communication protocols. We also adopt the STRIDE method to classify various security threats to better reveal them in the context of SDMN. This survey is concluded with a list of open security challenges in SDMN.

computer science, information systems,telecommunications, hardware & architecture

Marinos Vomvas,Norbert Ludant,Guevara Noubir

2024-05-21

Abstract:The fifth generation (5G) of cellular networks starts a paradigm shift from the traditional monolithic system design to a Service Based Architecture, that fits modern performance requirements and scales efficiently to new services. This paradigm will be the foundation of future cellular core networks beyond 5G. The new architecture splits network functionalities into smaller logical entities that can be disaggregated logically, physically, and geographically. This affords interoperability between the mobile network operators and commercial software and hardware vendors or cloud providers. By making use of commodity services and products, this system construct inherits the vulnerabilities in those underlying technologies, thereby increasing its attack surface and requiring a rigorous security analysis. In this work, we review the security implications introduced in B5G networks, and the security mechanisms that are supported by the 5G standard. We emphasize on the support of Zero Trust Architecture in 5G and its relevance in decentralized deployments. We revisit the definition of trust in modern enterprise network operations and identify important Zero Trust properties that are weakened by the nature of cloud deployments. To that end, we propose a vertical extension of Zero Trust, namely, Zero Trust Execution, to model untrusted execution environments, and we provide an analysis on how to establish trust in Beyond-5G network architectures using Trusted Execution Environments. Our analysis shows how our model architecture handles the increased attack surface and reinforces the Zero Trust Architecture principles in the 5G Core, without any changes to the 5G standard. Finally, we provide experimental results over a 5G testbed using Open5GS and UERANSIM that demonstrate minimal performance overhead, and a monetary cost evaluation.

Cryptography and Security

Vijay Varadharajan,Uday Tupakula,Kallol Karmakar

DOI: https://doi.org/10.48550/arXiv.2006.15270

2020-06-27

Abstract:The 5G network systems are evolving and have complex network infrastructures. There is a great deal of work in this area focused on meeting the stringent service requirements for the 5G networks. Within this context, security requirements play a critical role as 5G networks can support a range of services such as healthcare services, financial and critical infrastructures. 3GPP and ETSI have been developing security frameworks for 5G networks. Our work in 5G security has been focusing on the design of security architecture and mechanisms enabling dynamic establishment of secure and trusted end to end services as well as development of mechanisms to proactively detect and mitigate security attacks in virtualised network infrastructures. The focus of this paper is on the latter, namely the facilities and mechanisms, and the design of a security architecture providing facilities and mechanisms to detect and mitigate specific security attacks. We have developed and implemented a simplified version of the security architecture using Software Defined Networks (SDN) and Network Function Virtualisation (NFV) technologies. The specific security functions developed in this architecture can be directly integrated into the 5G core network facilities enhancing its security. We describe the design and implementation of the security architecture and demonstrate how it can efficiently mitigate specific types of attacks.

Cryptography and Security,Networking and Internet Architecture

Yiliang Liu,Zhou Su,Haixia Peng,Yushan Xiang,Wei Wang,Ruidong Li

DOI: https://doi.org/10.1109/mwc.001.2300375

IF: 12.777

2024-04-12

IEEE Wireless Communications

Abstract:With the rapid advancement of air interface technology and the exponential growth of mobile services, mobile networks have become significantly complex. Traditional network security models, relying on regional defense strategies, are no longer sufficient to meet the current security demands. This article proposes the zero-trust architecture as a potential security mode for 6G. However, the distributed network architecture, the proliferation of connected devices, and the diverse service requirements of 6G pose sub-stantial challenges to this security model implementation. To address these issues, the article explores the opportunities presented by artificial intelligence (Al) and novel air interface technologies, which promote robust and efficient identity authentication, access control, and confidential data transmission for 6G. Finally, the article outlines a visionary outlook for the zero trust-based 6G security architecture, highlighting its potential impact on the future of mobile networks.

computer science, information systems,telecommunications,engineering, electrical & electronic, hardware & architecture

Seunghwan Son,Deokkyu Kwon,Sangwoo Lee,Hyeokchan Kwon,Youngho Park

DOI: https://doi.org/10.1109/access.2024.3484522

IF: 3.9

2024-10-29

IEEE Access

Abstract:The sixth generation (6G) is the next generation of wireless communication technology, is not limited to cellular networks but can be used to provide better services in all areas of wireless communication, including vehicles, drones, and smart homes. However, these advancements in 6G technology require further security considerations. In earlier networks, authentication schemes were designed to rely on a secure channel between the core network and access points. The 6G network is an open, distributed network that integrates multiple domains and entities and cannot guarantee secure channels in the network. The 6G network requires a new security authentication scheme that applies the zero-trust model. Therefore, this study proposes a zero-trust authentication scheme with access control for 6G-enabled Internet of Things environments. The scheme uses blockchain technology for mutual authentication in a distributed environment and lightweight attribute-based encryption to ensure dynamic access control and network efficiency. This study compares the proposed authentication method with existing methods and demonstrates that this scheme has better performance and security. To the best of our knowledge, this paper is the first to propose a specific authentication protocol with access control considering the zero-trust model in a 6G environment.

computer science, information systems,telecommunications,engineering, electrical & electronic

Harsh Sanjay Pacherkar,Guanhua Yan

DOI: https://doi.org/10.1145/3643833.3656129

2024-05-27

Abstract:As 5G networks become part of the critical infrastructures whose dysfunctions can cause severe damages to society, their security has been increasingly scrutinized. Recent works have revealed multiple specification-level flaws in 5G core networks but there are no easy solutions to patch the vulnerabilities in practice. Against this backdrop, this work proposes a unified framework called PROV5GC to detect and attribute various attacks that exploit these vulnerabilities in real-world 5G networks. PROV5GC tackles three technical challenges faced when deploying existing intrusion detection system (IDS) frameworks to protect 5G core networks, namely, message encryption, partial observability, and identity ephemerality. The key idea of PROV5GC is to use provenance graphs, which are constructed from the communication messages logged by various 5G core network functions. Based on these graphs, PROV5GC infers the original call flows to identify those with malicious intentions. We demonstrate how PROV5GC can be used to detect three different kinds of attacks, which aim to compromise the confidentiality, integrity, and/or availability of 5G core networks. We build a prototype of PROV5GC and evaluate its execution performance on commodity cluster servers. We observe that due to stateless instrumentation, the logging overhead incurred to each network function is low. We also show that PROV5GC can be used to detect the three 5G-specific attacks with high accuracy.

Computer Science,Engineering

Hichem Sedjelmaci,Nesrine Kaaniche,Kamel Tourki

DOI: https://doi.org/10.1007/s10922-024-09807-x

2024-03-14

Journal of Network and Systems Management

Abstract:The upcoming sixth generation (6 G) networks present significant security challenges due to the growing demand for virtualization, as indicated by their key performance indicators (KPIs). To ensure communication secrecy in such a distributed network, we propose an intelligent zero trust (ZT) framework that safeguards the radio access network (RAN) from potential threats. Our proposed ZT model is specifically designed to cater to the distributed nature of 6 G networks. It accommodates secrecy modules in various nodes, such as the base station, core network, and cloud, to monitor the network while performing hierarchical and distributed threat detection. This approach enables the distributed modules to work together to efficiently identify and respond to the suspected RAN threats. As a RAN security use case, we address the intrusion detection issues of the 6 G-enabled internet of drones. Our simulation results show the robustness of our ZT framework, which is based on distributed security modules, against potential attacks. The framework exhibits low detection time and low false positives, making it a reliable solution for securing 6 G networks. Furthermore, the ZT model enables the accommodation of secrecy modules in various nodes and provides the needed enhanced security measures in the network.

computer science, information systems,telecommunications