Search for: All records

The advent of 5G technology introduces significant advancements in speed, latency, and device connectivity, but also poses complex security challenges. Among typical denial-of-service (DoS) attacks, jamming attack can severely degrade network performance by interfering critical communication channels. To address this issue, we propose a novel security solution utilizing multipath communication, which distributes message segments across multiple paths to ensure message recovery even when some paths are compromised. This strategy enhances network resilience and aligns with zero-trust architecture principles. Moreover, the proposed scheme has been implemented in our testbed to validate the concept and assess the network performance under jamming attacks. Our findings demonstrate that this method eliminates the negative impacts caused by DoS attacks, maintaining the integrity and availability of critical network services. The results highlight the robustness of multipath communication in securing 5G networks against sophisticated attacks, thereby safeguarding essential communications in dynamic and potentially hostile environments. 

In this paper, we present Hermes, an end-to-end framework to automatically generate formal representations from natural language cellular specifications. We first develop a neural constituency parser, NEUTREX, to process transition-relevant texts and extract transition components (i.e., states, conditions, and actions). We also design a domain-specific language to translate these transition components to logical formulas by leveraging dependency parse trees. Finally, we compile these logical formulas to generate transitions and create the formal model as finite state machines. To demonstrate the effectiveness of Hermes, we evaluate it on 4G NAS, 5G NAS, and 5G RRC specifications and obtain an overall accuracy of 81-87%, which is a substantial improvement over the state-of-the-art. Our security analysis of the extracted models uncovers 3 new vulnerabilities and identifies 19 previous attacks in 4G and 5G specifications, and 7 deviations in commercial 4G basebands. 

We develop 5GBaseChecker— an efficient, scalable, and dynamic security analysis framework based on differential testing for analyzing 5G basebands' control plane protocol interactions. 5GBaseChecker first captures basebands' protocol behaviors as a finite state machine (FSM) through black-box automata learning. To facilitate efficient learning and improve scalability, 5GBaseChecker introduces novel hybrid and collaborative learning techniques. 5GBaseChecker then identifies input sequences for which the extracted FSMs provide deviating outputs. Finally, 5GBaseChecker leverages these deviations to efficiently identify the security properties from specifications and use those to triage if the deviations found in 5G basebands violate any properties. We evaluated 5GBaseChecker with 17 commercial 5G basebands and 2 open-source UE implementations and uncovered 22 implementation-level issues, including 13 exploitable vulnerabilities and 2 interoperability issues.