5G‐Spector Artifact in a Simulated LTE Network
This page presents an artifact of 5G-Spector running in a simulated LTE network, with a VM-based deployment and detailed steps to run 5G-Spector and verify its capability of detecting attacks.
To learn more about 5G-Spector, please visit the GitHub main repository at: https://github.com/5GSEC/5G-Spector or read our NDSS'24 paper https://web.cse.ohio-state.edu/~wen.423/papers/5G-Spector-NDSS24.pdf
5G-Spector has passed the NDSS'24 artifact evaluation and is awarded all badges (available, functional, and reproduced).
The current deployment of 5G-Spector demands very complex software dependencies (e.g., specific versions of OAI and SD-RAN). To save your time and make 5G-Spector reproducible, we have prepared a pre-built VM image involving a working environment for 5G-Spector with all necessary dependencies.
The only prerequisite for this artifact is a commodity Linux machine. It's recommended that your machine has at least 100GB of free storage before deployment.
According to our paper, the original evaluation of 5G-Spector was conducted with a host machine (Ubuntu 18.04 OS) equipped with 12 Intel i7-8700 cores and 32GB RAM.
Our artifact can be downloaded via a shared link
Alternative source to download the image
After the artifact is downloaded, verify its integrity
$ sha256sum 5g-spector.box
3d0d2778e5ffb630b3938b62b048c5d9e67de38b36f68cc5deaad12d66e32f4c 5g-spector.box
By default, the VM's setting is defined in Vagrantfile. It is highly recommended that your machine has a minimum of 8 CPU cores and 8GB RAM as set by default in the Vagrantfile, since this deployment has a high demand on computing resources. You may adjust the setting in this file for your machine.
Assume you are using a host machine with Debian-based Linux distribution, the first step is to install vagrant and the libvirt provider, by using the script below
#!/bin/bash
# Copyright 2022-present Open Networking Foundation
#
# SPDX-License-Identifier: Apache-2.0
echo Install VM hypervisor and OpenVSwitch
sudo apt update
sudo apt install qemu libvirt-daemon-system libvirt-clients libxslt-dev libxml2-dev libvirt-dev zlib1g-dev ruby-dev ruby-libvirt ebtables dnsmasq-base qemu-kvm libvirt-daemon-system libvirt-clients bridge-utils virt-manager openvswitch-switch -y
echo Install Vagrant
curl -fsSL https://apt.releases.hashicorp.com/gpg | sudo apt-key add -
sudo apt-add-repository "deb [arch=amd64] https://apt.releases.hashicorp.com $(lsb_release -cs) main"
sudo apt-get update && sudo apt-get install vagrant -y
echo Add Vagrant plugins
vagrant plugin install vagrant-libvirt
vagrant plugin install vagrant-mutate
echo Add OVS
sudo ovs-vsctl --may-exist add-br br0
sudo ovs-vsctl show
The above script is adapted from https://github.com/onosproject/sdran-in-a-box/blob/master/vagrant/setup.sh
At the downloaded folder, i.e., where the Vagrantfile is presented, import the downloaded VM image with Vagrant
vagrant up --provider libvirt
SSH into the VM
vagrant ssh
The default password is vagrant if you are prompted to enter it
We use SD-RAN's RAN-in-A-Box (RiAB) solution (https://docs.sd-ran.org/master/sdran-in-a-box/README.html) to deploy the cellular data plane and control plane. It is based on Kubernetes (https://kubernetes.io/), an open-source system for automating deployment, scaling, and management of containerized applications. Each individual service (e.g., MME) is deployed as a micro-service container application. By default, most of the required container images (e.g., OMEC core and Basic ONOS RIC services) can be downloaded. For those have relevant 5G-Spector components, i.e., the enhanced CU / DU, MobieXpert xApp, and attacker UEs, we will use different ways to deploy them.
If you run into any issues, please refer to the TroubleShooting section at the end of this document.
Before deployment, prepare the working directory
cd ~/sdran-in-a-box
Clean up everything first
make reset-test
Deploy the OMEC core
sudo /usr/share/openvswitch/scripts/ovs-ctl start
make omec
Verify the build is successful
vagrant@ran:~/sdran-in-a-box$ kubectl get pods -n riab
NAME READY STATUS RESTARTS AGE
cassandra-0 1/1 Running 0 2m19s
hss-0 1/1 Running 0 2m19s
mme-0 4/4 Running 0 2m19s
pcrf-0 1/1 Running 0 2m19s
spgwc-0 2/2 Running 0 2m19s
upf-0 4/4 Running 0 81s
If you encounter errors similar to:
error: no matching resources found
mk/epc.mk:11: recipe for target '/home/vagrant/sdran-in-a-box//workspace/milestones/omec' failed
make: *** [/home/vagrant/sdran-in-a-box//workspace/milestones/omec] Error
Please re-run the above command
make omec
This should be able to solve most of the problems during the deployment. Please contact us if this fails to work.
To undeploy the core network, run the following
make reset-omec
make OPT=ric
Verify the RIC is successfully deployed (along with the OMEC core)
vagrant@ran:~/sdran-in-a-box$ kubectl get pods -n riab
NAME READY STATUS RESTARTS AGE
cassandra-0 1/1 Running 0 6m39s
hss-0 1/1 Running 0 6m39s
mme-0 4/4 Running 0 6m39s
onos-a1t-68c59fb46-bfpks 2/2 Running 0 2m25s
onos-cli-c7d5b54b4-vjkxm 1/1 Running 0 2m25s
onos-config-5786dbc85c-pxf2s 3/3 Running 0 2m25s
onos-e2t-5798f554b7-znjf7 2/2 Running 0 2m25s
onos-kpimon-555c9fdb5c-jx2bb 2/2 Running 0 2m25s
onos-rsm-7b6d84b5fc-cnkpc 2/2 Running 0 2m25s
onos-topo-6b59c97579-d54pm 2/2 Running 0 2m25s
onos-uenib-6f65dc66b4-jz6zm 2/2 Running 0 2m25s
pcrf-0 1/1 Running 0 6m39s
sd-ran-consensus-0 1/1 Running 0 2m25s
sd-ran-consensus-1 1/1 Running 0 2m25s
sd-ran-consensus-2 1/1 Running 0 2m25s
spgwc-0 2/2 Running 0 6m39s
upf-0 4/4 Running 0 5m41s
Various RIC containers will be built, including those starting with onos- and sd-ran-.
To undeploy the RIC, run the following
make reset-ric
The MobieXpert xApp is built from ~/onos-ric-python-apps. By default (and to save your time), the VM comes with a prebuilt docker image of the xApp, namely
localhost:5000/sec-sm-xapp latest 8304ce6a5ec6 2 days ago 255MB
You can directly deploy the xApp as a Kubernetes pod by executing
vagrant@ran:~$ cd ~/onos-ric-python-apps/
vagrant@ran:~/onos-ric-python-apps$ ./install_secsm_xapp.sh
Verify the xApp is up and running
vagrant@ran:~/onos-ric-python-apps$ kubectl get pods -n riab
NAME READY STATUS RESTARTS AGE
...
sec-sm-xapp-6d8f56cb46-v9vzv 2/2 Running 0 93s
...
vagrant@ran:~/onos-ric-python-apps$ kubectl logs sec-sm-xapp-6d8f56cb46-v9vzv -n riab -c sec-sm-xapp
PBEST runtime library built Sat Sep 23 21:23:26 UTC 2023
INFO 2023-09-26 19:19:57 web_log.py:206] 10.0.2.15 [26/Sep/2023:19:19:57 +0000] "GET /status HTTP/1.1" 200 180 "-" "kube-probe/1.23"
INFO 2023-09-26 19:20:12 web_log.py:206] 10.0.2.15 [26/Sep/2023:19:20:12 +0000] "GET /status HTTP/1.1" 200 180 "-" "kube-probe/1.23"
INFO 2023-09-26 19:20:12 web_log.py:206] 10.0.2.15 [26/Sep/2023:19:20:12 +0000] "GET /status HTTP/1.1" 200 180 "-" "kube-probe/1.23"
INFO 2023-09-26 19:20:22 web_log.py:206] 10.0.2.15 [26/Sep/2023:19:20:22 +0000] "GET /status HTTP/1.1" 200 180 "-" "kube-probe/1.23"
INFO 2023-09-26 19:20:22 web_log.py:206] 10.0.2.15 [26/Sep/2023:19:20:22 +0000] "GET /status HTTP/1.1" 200 180 "-" "kube-probe/1.23"
INFO 2023-09-26 19:20:32 web_log.py:206] 10.0.2.15 [26/Sep/2023:19:20:32 +0000] "GET /status HTTP/1.1" 200 180 "-" "kube-probe/1.23"
INFO 2023-09-26 19:20:32 web_log.py:206] 10.0.2.15 [26/Sep/2023:19:20:32 +0000] "GET /status HTTP/1.1" 200 180 "-" "kube-probe/1.23"
INFO 2023-09-26 19:20:42 web_log.py:206] 10.0.2.15 [26/Sep/2023:19:20:42 +0000] "GET /status HTTP/1.1" 200 180 "-" "kube-probe/1.23"
Once you see the repeated log entries, the xApp should be good to go.
To undeploy the 5G-Spector xApp, run the following
vagrant@ran:~/onos-ric-python-apps$ ./uninstall_secsm_xapp.sh
The (5G-Spector enhanced) OAI RAN is deployed directly from the compiled binaries instead of Kubernetes. There are two source folders: OAI-5G (based on OAI version 2023.w23) contains the source code for compiling the enhanced OAI RAN and UE, while attack-OAI contains the source code for compiling the attacker UE (we will use it later in evaluation). By default, the required binaries have been compiled at cmake_targets/ran_build/build. To deploy the OAI RAN (eNB), you first need to obtain two addresses for the RAN configurations.
Obtain the E2T IP address
kubectl get po -n riab -o wide | grep onos-e2t | awk '{print $6}'
Obtain the MME IP address
kubectl get po -n riab -o wide | grep mme | awk '{print $6}'
A default configuration file has been provided at ~/enb.conf. Replace the following lines (E2T_ADDRESS and MME_ADDRESS) of the ~/enb.conf file with the addresses you got from above. IP_ADDRESS should be replaced with the IP address of the eth0 network interface (can be obtained via the ifconfig eth0 command).
# Begin RIC-specific settings
RIC : {
remote_ipv4_addr = "<E2T_ADDRESS>"; # TODO Replace it with the actual RIC e2t Address
remote_port = 36421;
enabled = "yes";
};
...
...
////////// MME parameters:
mme_ip_address = ( { ipv4 = "<MME_ADDRESS>"; # TODO replace it with the actual mme address
ipv6 = "192:168:30::17";
#port = 36412 ;
active = "yes";
preference = "ipv4";
}
);
...
...
NETWORK_INTERFACES :
{
ENB_INTERFACE_NAME_FOR_S1_MME = "eth1";
ENB_IPV4_ADDRESS_FOR_S1_MME = "<IP_ADDRESS>"; # TODO replace it with the VM's network interface IP address
ENB_INTERFACE_NAME_FOR_S1U = "eth1";
By default, the OAI RAN is compiled from the source code at ~/OAI-5G, and the resulting binaries are located in ~/OAI-5G/cmake_targets/ran_build/build. We have also prepared corresponding shortcut scripts for launching the OAI RAN, simply open a terminal and run
~/run_enb.sh
To verify the RAN has been deployed and communicating with the nRT-RIC, you should see the following repeated log entries from the console
[RIC_AGENT] [2023/8/28 | 2:9:31] ---- Sending KPM RIC Indication, timer_id 600244270 function_id 1---------
<E2AP-PDU>
...
</E2AP-PDU>
[RIC_AGENT] Encoded succesfully, encoded size = 406
[RIC_AGENT] Send SCTP data, ranid:0, assoc_id:19, len:406
[RIC_AGENT] [SECSM] Total UE: 0
[RIC_AGENT] [2023/8/28 | 2:9:32] ---- Sending KPM RIC Indication, timer_id 600244270 function_id 1---------
Similar to OAI RAN, we have also prepared a script to run OAI UE. The UE's sim profile is provided at ~/lteue.usim-ci.conf. To run it, simply open another terminal and execute
~/run_ue.sh
Before evaluation, please make sure 5G-Spector is successfully deployed. To begin with, stop any eNB and UE instances you are running. You should reach a evaluation state with the OMEC core, ONOS RIC, MobieXpert xApp up and running:
vagrant@5g-spector:~/onos-ric-python-apps$ kubectl get pods -n riab
NAME READY STATUS RESTARTS AGE
cassandra-0 1/1 Running 0 18m
hss-0 1/1 Running 0 18m
mme-0 4/4 Running 0 18m
onos-a1t-68c59fb46-kvlfz 2/2 Running 0 14m
onos-cli-c7d5b54b4-d6b5s 1/1 Running 0 14m
onos-config-5786dbc85c-c8jjt 3/3 Running 0 14m
onos-e2t-5798f554b7-c67xx 2/2 Running 0 14m
onos-kpimon-555c9fdb5c-jfg2x 2/2 Running 0 14m
onos-rsm-7b6d84b5fc-g7xf4 2/2 Running 0 14m
onos-topo-6b59c97579-6plpr 2/2 Running 0 14m
onos-uenib-6f65dc66b4-pd6dj 2/2 Running 0 14m
pcrf-0 1/1 Running 0 18m
sd-ran-consensus-0 1/1 Running 0 14m
sd-ran-consensus-1 1/1 Running 0 14m
sd-ran-consensus-2 1/1 Running 0 14m
sec-sm-xapp-6d8f56cb46-jnpqt 2/2 Running 0 53s
spgwc-0 2/2 Running 0 18m
upf-0 4/4 Running 0 16m
It is OK to have some RESTARTS counts for some containers. However, if most of them have been restarted, it is probably problematic (e.g., no sufficient resources). Please refer to the Troubleshooting section.
This is to test 5G-Spector under normal cellular network situations (no attack presented). Run the OAI RAN and UE:
~/run_enb.sh
Note: During the evaluation, please make sure the MME and E2T addresses in the enb.conf always match with the corresponding containers' IP addresses.
At another terminal, launch the OAI UE
~/run_ue.sh
Check the MobieXpert xApp log output, below is the example output
vagrant@5g-spector:~/onos-ric-python-apps$ kubectl logs sec-sm-xapp-6d8f56cb46-jnpqt -n riab -c sec-sm-xapp -f
...
...
INFO 2023-09-28 14:48:50 CsvWriter.py:33] [MobiFlow] Writing BS Mobiflow: BS;0;1695912530657.8647;v1.0;SECSM;0;0;0;0;e0100;1000;0;0;0;1695912530657.0688;0
[INFO 2023-09-28 14:48:50,658 PBest.py:66] [PBest] [DEBUG] INIT_eXpert: Initialized
[INFO 2023-09-28 14:48:50,658 PBest.py:66] [PBest] [DEBUG] add_bs_mobiflow: bs_mobiflow_count: 1
INFO 2023-09-28 14:48:55 web_log.py:206] 192.168.121.245 [28/Sep/2023:14:48:55 +0000] "GET /status HTTP/1.1" 200 180 "-" "kube-probe/1.23"
INFO 2023-09-28 14:48:55 web_log.py:206] 192.168.121.245 [28/Sep/2023:14:48:55 +0000] "GET /status HTTP/1.1" 200 180 "-" "kube-probe/1.23"
INFO 2023-09-28 14:49:05 web_log.py:206] 192.168.121.245 [28/Sep/2023:14:49:05 +0000] "GET /status HTTP/1.1" 200 180 "-" "kube-probe/1.23"
INFO 2023-09-28 14:49:05 web_log.py:206] 192.168.121.245 [28/Sep/2023:14:49:05 +0000] "GET /status HTTP/1.1" 200 180 "-" "kube-probe/1.23"
INFO 2023-09-28 14:49:15 web_log.py:206] 192.168.121.245 [28/Sep/2023:14:49:15 +0000] "GET /status HTTP/1.1" 200 180 "-" "kube-probe/1.23"
INFO 2023-09-28 14:49:15 web_log.py:206] 192.168.121.245 [28/Sep/2023:14:49:15 +0000] "GET /status HTTP/1.1" 200 180 "-" "kube-probe/1.23"
INFO 2023-09-28 14:49:19 CsvWriter.py:18] [MobiFlow] Writing UE Mobiflow: UE;0;1695912559035.1458;v1.0;SECSM;0;2607;0;208010272923904;0;0;0;3;RRCConnectionRequest;0;0;0;0;0;0;0;0
INFO 2023-09-28 14:49:19 CsvWriter.py:18] [MobiFlow] Writing UE Mobiflow: UE;1;1695912559087.073;v1.0;SECSM;0;2607;0;208010272923904;0;0;0;3;RRCConnectionSetup;2;0;0;0;1695912559034.0737;0;0;0
[INFO 2023-09-28 14:49:19,096 PBest.py:66] [PBest] [DEBUG] add_ue_mobiflow: ue_mobiflow_count: 1
[INFO 2023-09-28 14:49:19,096 PBest.py:66] [PBest] [DEBUG] Add UE session: 2607
INFO 2023-09-28 14:49:19 CsvWriter.py:33] [MobiFlow] Writing BS Mobiflow: BS;1;1695912559104.9255;v1.0;SECSM;0;0;0;0;e0100;1000;1;0;0;1695912530657.0688;0
INFO 2023-09-28 14:49:19 CsvWriter.py:18] [MobiFlow] Writing UE Mobiflow: UE;2;1695912559121.4985;v1.0;SECSM;0;2607;0;208010272923904;0;0;0;3;RRCConnectionSetupComplete;2;1;0;0;1695912559034.0737;0;1695912559034.0737;0
INFO 2023-09-28 14:49:19 CsvWriter.py:33] [MobiFlow] Writing BS Mobiflow: BS;2;1695912559123.8071;v1.0;SECSM;0;0;0;0;e0100;1000;1;0;0;1695912530657.0688;0
INFO 2023-09-28 14:49:19 CsvWriter.py:18] [MobiFlow] Writing UE Mobiflow: UE;3;1695912559150.9224;v1.0;SECSM;0;2607;0;208010272923904;0;0;0;3;ATTACH_REQUEST;2;1;0;0;1695912559034.0737;0;1695912559034.0737;0
[INFO 2023-09-28 14:49:19,228 PBest.py:66] [PBest] [DEBUG] add_ue_mobiflow: ue_mobiflow_count: 2
[INFO 2023-09-28 14:49:19,228 PBest.py:66] [PBest] [DEBUG] Update UE session: 2607
[INFO 2023-09-28 14:49:19,229 PBest.py:66] [PBest] [DEBUG] add_bs_mobiflow: bs_mobiflow_count: 2
[INFO 2023-09-28 14:49:19,229 PBest.py:66] [PBest] [DEBUG] add_ue_mobiflow: ue_mobiflow_count: 3
[INFO 2023-09-28 14:49:19,230 PBest.py:66] [PBest] [DEBUG] Update UE session: 2607
[INFO 2023-09-28 14:49:19,230 PBest.py:66] [PBest] [DEBUG] add_bs_mobiflow: bs_mobiflow_count: 3
[INFO 2023-09-28 14:49:19,231 PBest.py:66] [PBest] [DEBUG] add_ue_mobiflow: ue_mobiflow_count: 4
[INFO 2023-09-28 14:49:19,231 PBest.py:66] [PBest] [DEBUG] Update UE session: 2607
INFO 2023-09-28 14:49:22 CsvWriter.py:18] [MobiFlow] Writing UE Mobiflow: UE;4;1695912562020.2327;v1.0;SECSM;0;2607;0;208010272923904;0;0;0;3;AUTHENTICATION_REQUEST;2;1;0;0;1695912559034.0737;0;1695912559034.0737;0
INFO 2023-09-28 14:49:22 CsvWriter.py:18] [MobiFlow] Writing UE Mobiflow: UE;5;1695912562028.1758;v1.0;SECSM;0;2607;0;208010272923904;0;0;0;3;AUTHENTICATION_RESPONSE;2;1;0;0;1695912559034.0737;0;1695912559034.0737;0
[INFO 2023-09-28 14:49:22,029 PBest.py:66] [PBest] [DEBUG] add_ue_mobiflow: ue_mobiflow_count: 5
[INFO 2023-09-28 14:49:22,029 PBest.py:66] [PBest] [DEBUG] Update UE session: 2607
[INFO 2023-09-28 14:49:22,029 PBest.py:66] [PBest] [DEBUG] remove bs mobiflow record: 0
[INFO 2023-09-28 14:49:22,029 PBest.py:66] [PBest] [DEBUG] add_ue_mobiflow: ue_mobiflow_count: 6
[INFO 2023-09-28 14:49:22,029 PBest.py:66] [PBest] [DEBUG] Update UE session: 2607
INFO 2023-09-28 14:49:22 CsvWriter.py:18] [MobiFlow] Writing UE Mobiflow: UE;6;1695912562998.1577;v1.0;SECSM;0;2607;0;208010272923904;0;0;0;3;SECURITY_MODE_COMMAND;2;1;0;0;1695912559034.0737;0;1695912559034.0737;0
[INFO 2023-09-28 14:49:23,002 PBest.py:66] [PBest] [DEBUG] add_ue_mobiflow: ue_mobiflow_count: 7
[INFO 2023-09-28 14:49:23,002 PBest.py:66] [PBest] [DEBUG] Update UE session: 2607
INFO 2023-09-28 14:49:23 CsvWriter.py:18] [MobiFlow] Writing UE Mobiflow: UE;7;1695912563003.9834;v1.0;SECSM;0;2607;0;208010272923904;0;0;0;3;SECURITY_MODE_COMPLETE;2;1;0;0;1695912559034.0737;0;1695912559034.0737;0
[INFO 2023-09-28 14:49:23,006 PBest.py:66] [PBest] [DEBUG] add_ue_mobiflow: ue_mobiflow_count: 8
[INFO 2023-09-28 14:49:23,006 PBest.py:66] [PBest] [DEBUG] Update UE session: 2607
INFO 2023-09-28 14:49:25 web_log.py:206] 192.168.121.245 [28/Sep/2023:14:49:25 +0000] "GET /status HTTP/1.1" 200 180 "-" "kube-probe/1.23"
INFO 2023-09-28 14:49:25 web_log.py:206] 192.168.121.245 [28/Sep/2023:14:49:25 +0000] "GET /status HTTP/1.1" 200 180 "-" "kube-probe/1.23"
INFO 2023-09-28 14:49:27 CsvWriter.py:18] [MobiFlow] Writing UE Mobiflow: UE;8;1695912567006.509;v1.0;SECSM;0;2607;0;208010272923904;0;0;2;3;SecurityModeCommand;2;1;0;0;1695912559034.0737;0;1695912559034.0737;0
INFO 2023-09-28 14:49:27 CsvWriter.py:18] [MobiFlow] Writing UE Mobiflow: UE;9;1695912567008.7659;v1.0;SECSM;0;2607;0;208010272923904;0;0;2;3;SecurityModeComplete;2;1;1;0;1695912559034.0737;0;1695912559034.0737;0
[INFO 2023-09-28 14:49:27,009 PBest.py:66] [PBest] [DEBUG] add_ue_mobiflow: ue_mobiflow_count: 9
[INFO 2023-09-28 14:49:27,011 PBest.py:66] [PBest] [DEBUG] Update UE session: 2607
[INFO 2023-09-28 14:49:27,011 PBest.py:66] [PBest] [DEBUG] add_ue_mobiflow: ue_mobiflow_count: 10
[INFO 2023-09-28 14:49:27,011 PBest.py:66] [PBest] [DEBUG] Update UE session: 2607
[INFO 2023-09-28 14:49:27,012 PBest.py:66] [PBest] [DEBUG] [Null Cipher][GENERATE_EVENT] Event detected for UE 2607 at BS 0
INFO 2023-09-28 14:49:27 CsvWriter.py:33] [MobiFlow] Writing BS Mobiflow: BS;3;1695912567010.4744;v1.0;SECSM;0;0;0;0;e0100;1000;1;0;0;1695912530657.0688;0
[INFO 2023-09-28 14:49:27,015 PBest.py:66] [PBest] [DEBUG] add_bs_mobiflow: bs_mobiflow_count: 3
INFO 2023-09-28 14:49:27 CsvWriter.py:18] [MobiFlow] Writing UE Mobiflow: UE;10;1695912567016.0605;v1.0;SECSM;0;2607;0;208010272923904;0;0;2;3;UECapabilityEnquiry;2;1;1;0;1695912559034.0737;0;1695912559034.0737;0
INFO 2023-09-28 14:49:27 CsvWriter.py:18] [MobiFlow] Writing UE Mobiflow: UE;11;1695912567018.6091;v1.0;SECSM;0;2607;0;208010272923904;0;0;2;3;UECapabilityInformation;2;1;1;0;1695912559034.0737;0;1695912559034.0737;0
[INFO 2023-09-28 14:49:27,019 PBest.py:66] [PBest] [DEBUG] add_ue_mobiflow: ue_mobiflow_count: 11
[INFO 2023-09-28 14:49:27,020 PBest.py:66] [PBest] [DEBUG] Update UE session: 2607
[INFO 2023-09-28 14:49:27,020 PBest.py:66] [PBest] [DEBUG] add_ue_mobiflow: ue_mobiflow_count: 12
[INFO 2023-09-28 14:49:27,021 PBest.py:66] [PBest] [DEBUG] Update UE session: 2607
INFO 2023-09-28 14:49:27 CsvWriter.py:18] [MobiFlow] Writing UE Mobiflow: UE;12;1695912567019.9158;v1.0;SECSM;0;2607;0;208010272923904;0;0;2;3;RRCConnectionReconfigurationComplete;2;1;1;0;1695912559034.0737;0;1695912559034.0737;0
INFO 2023-09-28 14:49:27 CsvWriter.py:18] [MobiFlow] Writing UE Mobiflow: UE;13;1695912567024.9546;v1.0;SECSM;0;2607;0;208010272923904;0;0;2;3;ATTACH_COMPLETE;2;2;1;0;1695912559034.0737;0;1695912559034.0737;1695912567004.2295
INFO 2023-09-28 14:49:27 CsvWriter.py:33] [MobiFlow] Writing BS Mobiflow: BS;4;1695912567025.6887;v1.0;SECSM;0;0;0;0;e0100;1000;1;0;0;1695912530657.0688;0
[INFO 2023-09-28 14:49:27,026 PBest.py:66] [PBest] [DEBUG] add_ue_mobiflow: ue_mobiflow_count: 13
[INFO 2023-09-28 14:49:27,027 PBest.py:66] [PBest] [DEBUG] Update UE session: 2607
[INFO 2023-09-28 14:49:27,027 PBest.py:66] [PBest] [DEBUG] add_ue_mobiflow: ue_mobiflow_count: 14
[INFO 2023-09-28 14:49:27,027 PBest.py:66] [PBest] [DEBUG] Update UE session: 2607
[INFO 2023-09-28 14:49:27,027 PBest.py:66] [PBest] [DEBUG] add_bs_mobiflow: bs_mobiflow_count: 4
INFO 2023-09-28 14:49:27 CsvWriter.py:18] [MobiFlow] Writing UE Mobiflow: UE;14;1695912567996.377;v1.0;SECSM;0;2607;0;208010272923904;0;0;2;3;EMM_INFORMATION;2;2;1;0;1695912559034.0737;0;1695912559034.0737;1695912567004.2295
[INFO 2023-09-28 14:49:27,996 PBest.py:66] [PBest] [DEBUG] add_ue_mobiflow: ue_mobiflow_count: 15
[INFO 2023-09-28 14:49:27,996 PBest.py:66] [PBest] [DEBUG] Update UE session: 2607
INFO 2023-09-28 14:49:35 web_log.py:206] 192.168.121.245 [28/Sep/2023:14:49:35 +0000] "GET /status HTTP/1.1" 200 180 "-" "kube-probe/1.23"
INFO 2023-09-28 14:49:35 web_log.py:206] 192.168.121.245 [28/Sep/2023:14:49:35 +0000] "GET /status HTTP/1.1" 200 180 "-" "kube-probe/1.23"
Note: The container name above sec-sm-xapp-6d8f56cb46-jnpqt should be adapted to your actual deployment
If attacks are detected, corresponding detecting logs will be printed in red, and warning events will be printed in yellow. Since the above running example is simply connecting a benign UE, no attack log is produced. To filter the detailed MobiFlow log, you can use keyword filtering
vagrant@5g-spector:~/onos-ric-python-apps$ kubectl logs sec-sm-xapp-6d8f56cb46-jnpqt -n riab -c sec-sm-xapp | grep "MobiFlow"
INFO 2023-09-28 14:48:50 CsvWriter.py:33] [MobiFlow] Writing BS Mobiflow: BS;0;1695912530657.8647;v1.0;SECSM;0;0;0;0;e0100;1000;0;0;0;1695912530657.0688;0
INFO 2023-09-28 14:49:19 CsvWriter.py:18] [MobiFlow] Writing UE Mobiflow: UE;0;1695912559035.1458;v1.0;SECSM;0;2607;0;208010272923904;0;0;0;3;RRCConnectionRequest;0;0;0;0;0;0;0;0
INFO 2023-09-28 14:49:19 CsvWriter.py:18] [MobiFlow] Writing UE Mobiflow: UE;1;1695912559087.073;v1.0;SECSM;0;2607;0;208010272923904;0;0;0;3;RRCConnectionSetup;2;0;0;0;1695912559034.0737;0;0;0
INFO 2023-09-28 14:49:19 CsvWriter.py:33] [MobiFlow] Writing BS Mobiflow: BS;1;1695912559104.9255;v1.0;SECSM;0;0;0;0;e0100;1000;1;0;0;1695912530657.0688;0
INFO 2023-09-28 14:49:19 CsvWriter.py:18] [MobiFlow] Writing UE Mobiflow: UE;2;1695912559121.4985;v1.0;SECSM;0;2607;0;208010272923904;0;0;0;3;RRCConnectionSetupComplete;2;1;0;0;1695912559034.0737;0;1695912559034.0737;0
INFO 2023-09-28 14:49:19 CsvWriter.py:33] [MobiFlow] Writing BS Mobiflow: BS;2;1695912559123.8071;v1.0;SECSM;0;0;0;0;e0100;1000;1;0;0;1695912530657.0688;0
INFO 2023-09-28 14:49:19 CsvWriter.py:18] [MobiFlow] Writing UE Mobiflow: UE;3;1695912559150.9224;v1.0;SECSM;0;2607;0;208010272923904;0;0;0;3;ATTACH_REQUEST;2;1;0;0;1695912559034.0737;0;1695912559034.0737;0
INFO 2023-09-28 14:49:22 CsvWriter.py:18] [MobiFlow] Writing UE Mobiflow: UE;4;1695912562020.2327;v1.0;SECSM;0;2607;0;208010272923904;0;0;0;3;AUTHENTICATION_REQUEST;2;1;0;0;1695912559034.0737;0;1695912559034.0737;0
INFO 2023-09-28 14:49:22 CsvWriter.py:18] [MobiFlow] Writing UE Mobiflow: UE;5;1695912562028.1758;v1.0;SECSM;0;2607;0;208010272923904;0;0;0;3;AUTHENTICATION_RESPONSE;2;1;0;0;1695912559034.0737;0;1695912559034.0737;0
INFO 2023-09-28 14:49:22 CsvWriter.py:18] [MobiFlow] Writing UE Mobiflow: UE;6;1695912562998.1577;v1.0;SECSM;0;2607;0;208010272923904;0;0;0;3;SECURITY_MODE_COMMAND;2;1;0;0;1695912559034.0737;0;1695912559034.0737;0
INFO 2023-09-28 14:49:23 CsvWriter.py:18] [MobiFlow] Writing UE Mobiflow: UE;7;1695912563003.9834;v1.0;SECSM;0;2607;0;208010272923904;0;0;0;3;SECURITY_MODE_COMPLETE;2;1;0;0;1695912559034.0737;0;1695912559034.0737;0
INFO 2023-09-28 14:49:27 CsvWriter.py:18] [MobiFlow] Writing UE Mobiflow: UE;8;1695912567006.509;v1.0;SECSM;0;2607;0;208010272923904;0;0;2;3;SecurityModeCommand;2;1;0;0;1695912559034.0737;0;1695912559034.0737;0
INFO 2023-09-28 14:49:27 CsvWriter.py:18] [MobiFlow] Writing UE Mobiflow: UE;9;1695912567008.7659;v1.0;SECSM;0;2607;0;208010272923904;0;0;2;3;SecurityModeComplete;2;1;1;0;1695912559034.0737;0;1695912559034.0737;0
INFO 2023-09-28 14:49:27 CsvWriter.py:33] [MobiFlow] Writing BS Mobiflow: BS;3;1695912567010.4744;v1.0;SECSM;0;0;0;0;e0100;1000;1;0;0;1695912530657.0688;0
INFO 2023-09-28 14:49:27 CsvWriter.py:18] [MobiFlow] Writing UE Mobiflow: UE;10;1695912567016.0605;v1.0;SECSM;0;2607;0;208010272923904;0;0;2;3;UECapabilityEnquiry;2;1;1;0;1695912559034.0737;0;1695912559034.0737;0
INFO 2023-09-28 14:49:27 CsvWriter.py:18] [MobiFlow] Writing UE Mobiflow: UE;11;1695912567018.6091;v1.0;SECSM;0;2607;0;208010272923904;0;0;2;3;UECapabilityInformation;2;1;1;0;1695912559034.0737;0;1695912559034.0737;0
INFO 2023-09-28 14:49:27 CsvWriter.py:18] [MobiFlow] Writing UE Mobiflow: UE;12;1695912567019.9158;v1.0;SECSM;0;2607;0;208010272923904;0;0;2;3;RRCConnectionReconfigurationComplete;2;1;1;0;1695912559034.0737;0;1695912559034.0737;0
INFO 2023-09-28 14:49:27 CsvWriter.py:18] [MobiFlow] Writing UE Mobiflow: UE;13;1695912567024.9546;v1.0;SECSM;0;2607;0;208010272923904;0;0;2;3;ATTACH_COMPLETE;2;2;1;0;1695912559034.0737;0;1695912559034.0737;1695912567004.2295
INFO 2023-09-28 14:49:27 CsvWriter.py:33] [MobiFlow] Writing BS Mobiflow: BS;4;1695912567025.6887;v1.0;SECSM;0;0;0;0;e0100;1000;1;0;0;1695912530657.0688;0
INFO 2023-09-28 14:49:27 CsvWriter.py:18] [MobiFlow] Writing UE Mobiflow: UE;14;1695912567996.377;v1.0;SECSM;0;2607;0;208010272923904;0;0;2;3;EMM_INFORMATION;2;2;1;0;1695912559034.0737;0;1695912559034.0737;1695912567004.2295
The MobiFlow logs present the fine-grained state transition of the UE's control plane procedure (i.e., connection with the RAN) as well as the aggregated RAN-level statistics (e.g., number of connected UEs). The detailed descriptions of MobiFlow telemetry can be found at Section IV of our paper.
This section provides the instructions to evaluate the major claim of the 5G-Spector paper that it is able to detect 7 types of known L3 attacks from the previous literature and 11 unknown variants derived from these attacks. As a result, there are 18 attack instances in total in this evaluation. For detailed descriptions of the attacks, please refer to our original paper.
For the remaining claims in the paper (scalability, performance, and overhead), this artifact does not provide corresponding evaluation instructions, due to the difficulty of reproduction with limited time and specific hardware dependency.
Before attack evaluation, please ensure the VM is in the evaluation state (i.e., with OMEC core, ONOS RIC, and xApp up and running). Stop the eNB and UEs if you are running any of them. It is recommended to do a fresh restart of the eNB with ~/run_enb.sh before evaluating each attack.
Run the RAN (i.e., eNB), and then at a new terminal, start the attack
./run_attack.sh --bts-attack 1 --bts-delay 100
Detection log example
[CRITICAL 2023-09-29 00:39:31,499 PBest.py:71] [PBest] Attack event detected
[CRITICAL 2023-09-29 00:39:31,499 PBest.py:72] {
"Event ID": 1,
"Event Name": "BTS Resource Depletion",
"Affected base station ID": 0,
"Time": "2023-09-29 00:39:31.419822",
"Number of DoS UE": 4
}
Note: this attack involves some randomness (e.g., intervals between each RA restart) that may have impact on it. Please restart the attack if it does not work. This attack will also naturally trigger alerts for "Downlink DoS overshadowing" since the attacker UE is not responding to the NAS Authentication Request.
In this attack, we need to run two UEs, with one being the victim and the other being the attacker who replays the same TMSI to attack the victim. However, we cannot execute the lte-uesoftmodem (OAI UE binary) twice directly. The solution is to use docker to host two OAI UE instances. To simulate this, first start the eNB
~/run_enb.sh
Then start the first (victim) UE, i.e., UE0
cd ~/blind_dos
docker compose up -d oai_ue0
After UE0 has been successfully connected, launch the second (attacker) UE, i.e., UE1
cd ~/blind_dos
docker compose up -d oai_ue1
Detection log example
[CRITICAL 2023-09-29 16:58:14,533 PBest.py:71] [PBest] Attack event detected
[CRITICAL 2023-09-29 16:58:14,533 PBest.py:72] {
"Event ID": 2,
"Event Name": "Blind DoS",
"Affected base station ID": 0,
"Time": "2023-09-29 16:58:14.486219",
"Affected UE ID": 14097
}
The docker-compose yaml file is presented in ~/blind_dos/docker-compose.yaml that describes how the two UEs are configured. To save time, we have included the precompiled UE docker image oai-lteue:latest.
By default, the docker-compose.yaml has configured the correct address for the two UEs to connect to the eNB's RF Simulator, i.e., RFSIMULATOR: 192.168.251.4. In case the address has shifted in a new deployment, please make sure this address matches the enb interface address:
$ ifconfig
...
enb: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1500
inet 192.168.251.4 netmask 255.255.255.0 broadcast 0.0.0.0
ether 5e:24:57:54:37:b9 txqueuelen 1000 (Ethernet)
RX packets 13 bytes 824 (824.0 B)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 0 bytes 0 (0.0 B)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
To undeploy the UE containers, run
~/blind_dos/stop.sh
Run attack (VAR can be selected from 1-2)
./run_attack.sh --uplink-dos-attack <VAR>
Detection log example
[WARNING 2023-09-28 15:47:53,231 PBest.py:67] [PBest] Warning event detected
[WARNING 2023-09-28 15:47:53,231 PBest.py:68] {
"Event ID": 1,
"Event Name": "Uplink DoS Service Request",
"Affected base station ID": 0,
"Time": "2023-09-28 15:47:53.210439",
"Affected UE ID": 32539
}
Run attack (VAR can be selected from 1-6)
./run_attack.sh --dnlink-dos-attack <VAR>
Detection log example
[INFO 2023-09-28 21:03:22,659 PBest.py:75] [PBest] [DEBUG] Unsolicited response detected for SECURITY_MODE_COMMAND: ATTACH_REJECT
[CRITICAL 2023-09-28 21:03:22,659 PBest.py:70] [PBest] Attack event detected
[CRITICAL 2023-09-28 21:03:22,659 PBest.py:71] {
"Event ID": 0,
"Event Name": "Downlink Overshadowing",
"Affected base station ID": 0,
"Time": "2023-09-28 21:03:22.658086",
"Affected UE ID": 32911
}
Run attack
./run_attack.sh --uplink-imsi-extr 1
Detection log example
[WARNING 2023-09-28 15:51:46,687 PBest.py:67] [PBest] Warning event detected
[WARNING 2023-09-28 15:51:46,687 PBest.py:68] {
"Event ID": 1,
"Event Name": "Uplink IMSI Extractor",
"Affected base station ID": 0,
"Time": "2023-09-28 15:51:46.667721",
"Affected UE ID": 43557
}
Run attack (VAR can be selected from 1-5)
./run_attack.sh --dnlink-imsi-extr <VAR>
Detection log example
[CRITICAL 2023-09-28 15:11:04,076 PBest.py:61] [PBest] Attack event detected
[CRITICAL 2023-09-28 15:11:04,076 PBest.py:62] {
"Event ID": 6,
"Event Name": "Downlink IMSI Extractor",
"Affected base station ID": 4,
"Time": "2023-09-28 15:11:04.039173",
"Affected UE ID": 43881
}
Run attack (VAR can be selected from 1-2)
./run_attack.sh --null-cipher-integ <VAR>
Detection log example
[WARNING 2023-09-28 15:52:29,684 PBest.py:67] [PBest] Warning event detected
[WARNING 2023-09-28 15:52:29,687 PBest.py:68] {
"Event ID": 4,
"Event Name": "Null Cipher & Integrity (RRC)",
"Affected base station ID": 0,
"Time": "2023-09-28 15:52:29.676571",
"Affected UE ID": 31084
}
If you encounter any issues, such as the xApp not receiving any message, etc., below are our general solutions:
First, try to restart the attack if it does not work.
Next, if restarting the attack is insufficient, try restart the eNB and xApp.
cd ~/onos-ric-python-apps
./uninstall_secsm_xapp.sh && ./install_secsm_xapp.sh
If that still does not work, restart all services and retry
cd ~/sdran-in-a-box
make reset-test && make omec && make OPT=ric
You can always track if any Kubernetes containers go off by executing
kubectl get pods -n riab
Please remember to update the MME and E2T addresses at the enb.conf after redeployment. It could be possible that the onos-e2t and mme-0 containers may crash and restart with a new IP, and thus the enb.conf file needs to be updated as well.
Created symlink /etc/systemd/system/multi-user.target.wants/openvswitch-switch.service → /lib/systemd/system/openvswitch-switch.service.
Processing triggers for ureadahead (0.100.0-21) ...
Processing triggers for systemd (237-3ubuntu10.56) ...
Processing triggers for man-db (2.8.3-2ubuntu0.1) ...
sudo ovs-vsctl --if-exists del-br br-enb-net
ovs-vsctl: unix:/var/run/openvswitch/db.sock: database connection failed (No such file or directory)
mk/infra.mk:72: recipe for target '/home/vagrant/sdran-in-a-box//workspace/milestones/fabric' failed
make: *** [/home/vagrant/sdran-in-a-box//workspace/milestones/fabric] Error 1
Run
sudo /usr/share/openvswitch/scripts/ovs-ctl start
make omec
(Kudos to the anonymous artifact reviewer who provided the solution)
vagrant@5g-spector:~/onos-ric-python-apps$ ./install_secsm_xapp.sh
Release "sec-sm-xapp" does not exist. Installing it now.
NAME: sec-sm-xapp
LAST DEPLOYED: Tue Oct 31 18:26:02 2023
NAMESPACE: riab
STATUS: deployed
REVISION: 1
TEST SUITE: None
error: no matching resources found
Please ignore this error as it won't actually fail the deployment.
If you encounter the below error while executing the OAI eNB or UE:
CMDLINE: "./lte-softmodem" "-O" "/home/vagrant/enb.conf" "--rfsim"
[CONFIG] get parameters from libconfig /home/vagrant/enb.conf [LIBCONFIG] Path for include directive set to: /home/vagrant
[CONFIG] function config_libconfig_init returned 0
[CONFIG] config module libconfig loaded
Illegal instruction
Try to recompile the OAI binaries from scratch:
cd ~/OAI-5G/cmake_targets
./build_oai -c --eNB --UE --build-ric-agent -w SIMU --ninja --noavx512
When you run make OPT=ric, you may encounter an error message below:
Error: unable to build kubernetes objects from release manifest: [resource mapping not found for name: "kpimon" namespace: "" from "": no matches for kind "Entity" in version "topo.onosproject.org/v1beta1"
Thanks to @RogelioPumajulca's solution, you can work around it with:
helm repo add onosproject https://charts.onosproject.org
helm repo update
helm install -n kube-system onos-operator onosproject/onos-operator --wait
Link to the orignal issue: https://github.com/5GSEC/5G-Spector/issues/2
As you may have realized, the artifact uses an LTE (4G) network to demonstrate 5G-Spector instead of a real 5G network. This is due to multiple considerations: (1) the RRC / NAS protocols and attacks covered are appliable to both LTE and 5G, (2) SD-RAN and OMEC core has better compatibility with the LTE network on OAI, (3) the original attack descriptions are based on LTE and thus it is more convenient to implement them in LTE.
Nevertheless, we have successfully integrated 5G-Spector into a 5G SA network, with enhanced RIC agent support for OAI 5G RAN implementation and the ONOS RIC. We are working towards a functional 5G SA prototype.