Papers
Topics
Authors
Recent
Gemini 2.5 Flash
Gemini 2.5 Flash
162 tokens/sec
GPT-4o
7 tokens/sec
Gemini 2.5 Pro Pro
45 tokens/sec
o3 Pro
4 tokens/sec
GPT-4.1 Pro
38 tokens/sec
DeepSeek R1 via Azure Pro
28 tokens/sec
2000 character limit reached

Gotta Detect 'Em All: Fake Base Station and Multi-Step Attack Detection in Cellular Networks (2401.04958v3)

Published 10 Jan 2024 in cs.CR

Abstract: Fake base stations (FBSes) pose a significant security threat by impersonating legitimate base stations (BSes). Though efforts have been made to defeat this threat, up to this day, the presence of FBSes and the multi-step attacks (MSAs) stemming from them can lead to unauthorized surveillance, interception of sensitive information, and disruption of network services. Therefore, detecting these malicious entities is crucial to ensure the security and reliability of cellular networks. Traditional detection methods often rely on additional hardware, rules, signal scanning, changing protocol specifications, or cryptographic mechanisms that have limitations and incur huge infrastructure costs. In this paper, we develop FBSDetector-an effective and efficient detection solution that can reliably detect FBSes and MSAs from layer-3 network traces using ML at the user equipment (UE) side. To develop FBSDetector, we create FBSAD and MSAD, the first-ever high-quality and large-scale datasets incorporating instances of FBSes and 21 MSAs. These datasets capture the network traces in different real-world cellular network scenarios (including mobility and different attacker capabilities) incorporating legitimate BSes and FBSes. Our novel ML framework, specifically designed to detect FBSes in a multi-level approach for packet classification using stateful LSTM with attention and trace level classification and MSAs using graph learning, can effectively detect FBSes with an accuracy of 96% and a false positive rate of 2.96%, and recognize MSAs with an accuracy of 86% and a false positive rate of 3.28%. We deploy FBSDetector as a real-world solution to protect end-users through a mobile app and validate it in real-world environments. Compared to the existing heuristic-based solutions that fail to detect FBSes, FBSDetector can detect FBSes in the wild in real-time.

Definition Search Book Streamline Icon: https://streamlinehq.com
References (81)
  1. HOW MANY PEOPLE HAVE SMARTPHONES IN 2023?. https://www.oberlo.com/statistics/how-many-people-have-smartphones.
  2. Forecast number of mobile devices worldwide from 2020 to 2025 (in billions)*. https://www.statista.com/statistics/245501/multiple-mobile-device-ownership-worldwide/.
  3. PHOENIX: device-centric cellular network protocol monitoring using runtime verification. In 28th Annual Network and Distributed System Security Symposium, NDSS 2021, virtually, February 21-25, 2021. The Internet Society, 2021.
  4. Insecure connection bootstrapping in cellular networks: The root of all evil. In Proceedings of the 12th Conference on Security and Privacy in Wireless and Mobile Networks, WiSec ’19, page 1–11, New York, NY, USA, 2019. Association for Computing Machinery.
  5. {{\{{DoLTEst}}\}}: In-depth downlink negative testing framework for {{\{{LTE}}\}} devices. In 31st USENIX Security Symposium (USENIX Security 22), pages 1325–1342, 2022.
  6. Touching the untouchables: Dynamic security analysis of the lte control plane. In 2019 IEEE Symposium on Security and Privacy (SP), pages 1153–1168, 2019.
  7. Lteinspector: A systematic approach for adversarial testing of 4g lte. In Network and Distributed System Security Symposium, 2018.
  8. Practical attacks against privacy and availability in 4g/lte mobile communication systems. In 23rd Annual Network and Distributed System Security Symposium, NDSS 2016, San Diego, California, USA, February 21-24, 2016. The Internet Society, 2016.
  9. 5greasoner: A property-directed security and privacy analysis framework for 5g cellular network protocol. In Proceedings of the 2019 ACM SIGSAC Conference on Computer and Communications Security, CCS ’19, page 669–684, New York, NY, USA, 2019. Association for Computing Machinery.
  10. Privacy attacks to the 4g and 5g cellular paging protocols using side channel information. Proceedings 2019 Network and Distributed System Security Symposium, 2019.
  11. Adaptover: adaptive overshadowing attacks in cellular networks. In Proceedings of the 28th Annual International Conference on Mobile Computing And Networking, pages 743–755, 2022.
  12. DHS confirms it has detected evidence of mobile snooping devices around DC. https://www.cnn.com/2018/04/03/politics/dhs-stingrays-washington-dc/index.html.
  13. Gang Of Drivers Caught Using Stingrays To Send Fake Links And Steal Cash. https://thainewsroom.com/2023/05/25/gang-of-drivers-caught-using-stingrays.
  14. 5g suci-catchers: Still catching them all? In Proceedings of the 14th ACM Conference on Security and Privacy in Wireless and Mobile Networks, pages 359–364, 2021.
  15. Protecting the 4g and 5g cellular paging protocols against security and privacy attacks. Proceedings on Privacy Enhancing Technologies, 2020:126 – 142, 2020.
  16. Look before you leap: Secure connection bootstrapping for 5g networks to defend against fake base-stations. In Proceedings of the 2021 ACM Asia Conference on Computer and Communications Security, ASIA CCS ’21, page 501–515, New York, NY, USA, 2021. Association for Computing Machinery.
  17. 3GPP TS 33.809 Study on 5G security enhancements against False Base Stations (FBS): Certificate based solution for Protecting System Information Messages with Digital Signature in an NPN. https://www.3gpp.org/ftp/TSG_SA/WG3_Security/TSGS3_100Bis-e/Docs/S3-202717.zip.
  18. Mobileatlas: Geographically decoupled measurements in cellular networks for security and privacy research. In Joseph A. Calandrino and Carmela Troncoso, editors, 32nd USENIX Security Symposium, USENIX Security 2023, Anaheim, CA, USA, August 9-11, 2023. USENIX Association, 2023.
  19. Trust in 5g open rans through machine learning: Rf fingerprinting on the powder pawr platform. In GLOBECOM 2020 - 2020 IEEE Global Communications Conference, pages 1–6, 2020.
  20. A network-based positioning method to locate false base stations. IEEE Access, 9:111368–111382, 2021.
  21. Murat: Multi-rat false base station detector. CoRR, abs/2102.08780, 2021.
  22. Imsi-catch me if you can: Imsi-catcher-catchers. In Proceedings of the 30th Annual Computer Security Applications Conference, ACSAC ’14, page 246–255, New York, NY, USA, 2014. Association for Computing Machinery.
  23. Cooper Quintin. Detecting fake 4g LTE base stations in real time. USENIX Association, February 2021.
  24. Enabling fake base station detection through sample-based higher order noise statistics. In 2019 42nd International Conference on Telecommunications and Signal Processing (TSP), pages 695–700, 2019.
  25. Imsi catcher detection method for cellular networks. In 2019 2nd International Conference on Computer Applications & Information Security (ICCAIS), pages 1–6, 2019.
  26. Identifying the fake base station: A location based approach. IEEE Communications Letters, 22:1604–1607, 2018.
  27. One trace is all it takes: Machine learning-based side-channel attack on eddsa. Cryptology ePrint Archive, Paper 2019/358, 2019. https://eprint.iacr.org/2019/358.
  28. Applying machine learning on rsrp-based features for false base station detection. In Proceedings of the 17th International Conference on Availability, Reliability and Security, ARES ’22, New York, NY, USA, 2022. Association for Computing Machinery.
  29. Fbs-radar: Uncovering fake base stations at scale in the wild. Proceedings 2017 Network and Distributed System Security Symposium, 2017.
  30. Darshak. https://github.com/darshakframework/darshak.
  31. The Android-IMSI-Catcher-Detector (short: AIMSICD). http://www.tea-after-twelve.com/about-us/our-authors/aimsicd.
  32. Baron: Base-station authentication through core network for mobility management in 5g networks. In Proceedings of the 16th ACM Conference on Security and Privacy in Wireless and Mobile Networks, WiSec ’23, page 133–144, New York, NY, USA, 2023. Association for Computing Machinery.
  33. SnoopSnitch. https://play.google.com/store/apps/details?id=de.srlabs.snoopsnitch&hl=en_US&gl=US.
  34. OVERWATCH IMSI CATCHER DETECTION SERVICES. https://comsecllc.com/comsec-llc-adds-overwatch.
  35. SeaGlass: City-Wide IMSI-Catcher Detection. .https://news.ycombinator.com/item?id=27173717.
  36. CellDAM: User-Space, rootless detection and mitigation for 5g data plane. In 20th USENIX Symposium on Networked Systems Design and Implementation (NSDI 23), pages 1601–1619, Boston, MA, April 2023. USENIX Association.
  37. Radio frequency fingerprint identification for device authentication in the internet of things. IEEE Communications Magazine, pages 1–7, 2023.
  38. Apple and Google Are Introducing New Ways to Defeat Cell Site Simulators, But Is it Enough?. https://www.eff.org/deeplinks/2023/09/apple-and-google-are-introducing-new-ways-defeat-cell-site-simulators-it-enough.
  39. Non-Access-Stratum (NAS) protocol for Evolved Packet System (EPS); Stage 3. https://portal.3gpp.org/desktopmodules/Specifications/SpecificationDetails.aspx?specificationId=1072.
  40. Evolved Universal Terrestrial Radio Access (E-UTRA); Radio Resource Control (RRC); Protocol specification. https://portal.3gpp.org/desktopmodules/Specifications/SpecificationDetails.aspx?specificationId=2440.
  41. Powder: Platform for open wireless data-driven experimental research. In Proceedings of the 14th International Workshop on Wireless Network Testbeds, Experimental Evaluation and Characterization, WiNTECH’20, page 17–24, New York, NY, USA, 2020. Association for Computing Machinery.
  42. How degrading network conditions influence machine learning end systems performance? In IEEE INFOCOM 2022 - IEEE Conference on Computer Communications Workshops (INFOCOM WKSHPS), pages 1–6, 2022.
  43. Nexran: Closed-loop ran slicing in powder -a top-to-bottom open-source open-ran use case. In Proceedings of the 15th ACM Workshop on Wireless Network Testbeds, Experimental Evaluation & CHaracterization, WiNTECH ’21, page 17–23, New York, NY, USA, 2021. Association for Computing Machinery.
  44. Towards using the powder platform for rf propagation validation. In IEEE INFOCOM 2021 - IEEE Conference on Computer Communications Workshops (INFOCOM WKSHPS), pages 1–6, 2021.
  45. Wimatch: Wireless resource matchmaking. In IEEE INFOCOM 2021 - IEEE Conference on Computer Communications Workshops (INFOCOM WKSHPS), pages 1–6, 2021.
  46. Zhenghao Zhang. Zcnet: Achieving high capacity in low power wide area networks. In 2020 IEEE 17th International Conference on Mobile Ad Hoc and Sensor Systems (MASS), pages 702–710, 2020.
  47. {{\{{LTrack}}\}}: Stealthy tracking of mobile phones in {{\{{LTE}}\}}. In 31st USENIX Security Symposium (USENIX Security 22), pages 1291–1306, 2022.
  48. 5G - 4G-5G Subscribers March 2022 – Quarterly update. https://gsacom.com/paper/4g-5g-subscribers-march-2022-quarterly-update/.
  49. Mobile subscriptions outlook. https://www.ericsson.com/en/reports-and-papers/mobility-report/dataforecasts/mobile-subscriptions-outlook.
  50. Tracking the 4G Decade. https://blog.telegeography.com/tracking-the-4g-decade.
  51. The Mobile Economy 2023. https://www.gsma.com/mobileeconomy/wp-content/uploads/2023/03/270223-The-Mobile-Economy-2023.pdf.
  52. Number of LTE subscriptions worldwide from 2018 to 2023 (in billions)*. https://www.statista.com/statistics/206615.
  53. Attribute reduction based on d-s evidence theory in a hybrid information system. International Journal of Approximate Reasoning, 148:202–234, 2022.
  54. A new correlation belief function in dempster-shafer evidence theory and its application in classification. Scientific Reports, 13(1):7609, May 2023.
  55. Never let me down again: Bidding-down attacks and mitigations in 5g and 4g. 2023.
  56. Dempster–Shafer theory. https://en.wikipedia.org/wiki/Dempster%E2%80%93Shafer_theory.
  57. Open5GS. https://github.com/open5gs/open5gs.
  58. srsRAN. https://github.com/srsran/srsRAN.
  59. tshark. https://www.wireshark.org/docs/man-pages/tshark.html.
  60. Mobileinsight: Extracting and analyzing cellular network information on smartphones. In Proceedings of the 22nd Annual International Conference on Mobile Computing and Networking, MobiCom ’16, page 202–215, New York, NY, USA, 2016. Association for Computing Machinery.
  61. tensorflow-lite. https://www.tensorflow.org/lite/guide/inference?utm_campaign=Thoughts%20on%20HCI%20and%20Applied%20AI%20&utm_medium=email&utm_source=Revue%20newsletter.
  62. flutter. https://docs.flutter.dev/.
  63. USRP B210 SDR Kit - Dual Channel Transceiver (70 MHz - 6GHz) - Ettus Research. https://www.ettus.com/all-products/ub210-kit/.
  64. The messenger shoots back: Network operator based imsi catcher detection. In International Symposium on Recent Advances in Intrusion Detection, 2016.
  65. Ltesniffer: An open-source lte downlink/uplink eavesdropper. 2023.
  66. Hiding in plain signal: Physical signal overshadowing attack on {{\{{LTE}}\}}. In 28th USENIX Security Symposium (USENIX Security 19), pages 55–72, 2019.
  67. Call me maybe: Eavesdropping encrypted lte calls with revolte. In Proceedings of the 29th USENIX Conference on Security Symposium, SEC’20, USA, 2020. USENIX Association.
  68. Breaking lte on layer two. In 2019 IEEE Symposium on Security and Privacy (SP), pages 1121–1136. IEEE, 2019.
  69. Don’t hand it over: Vulnerabilities in the handover procedure of cellular telecommunications. In Annual Computer Security Applications Conference, ACSAC ’21, page 900–915, New York, NY, USA, 2021. Association for Computing Machinery.
  70. Instructions unclear: Undefined behaviour in cellular network specifications. In 32nd USENIX Security Symposium (USENIX Security 23), pages 3475–3492, Anaheim, CA, August 2023. USENIX Association.
  71. Imp4gt: Impersonation attacks in 4g networks. In ISOC Network and Distributed System Security Symposium (NDSS). ISOC, February 2020.
  72. Bookworm game: Automatic discovery of lte vulnerabilities through documentation analysis. In 2021 IEEE Symposium on Security and Privacy (SP), pages 1197–1214, 2021.
  73. Sherlock on specs: Building LTE conformance tests through automated reasoning. In 32nd USENIX Security Symposium (USENIX Security 23), pages 3529–3545, Anaheim, CA, August 2023. USENIX Association.
  74. Seeing the forest for the trees: Understanding security hazards in the {{\{{3GPP}}\}} ecosystem through intelligent analysis on change requests. In 31st USENIX Security Symposium (USENIX Security 22), pages 17–34, 2022.
  75. On the impact of rogue base stations in 4g/lte self organizing networks. In Proceedings of the 11th ACM Conference on Security & Privacy in Wireless and Mobile Networks, WiSec ’18, page 75–86, New York, NY, USA, 2018. Association for Computing Machinery.
  76. New privacy threat on 3g, 4g, and upcoming 5g aka protocols. Proceedings on Privacy Enhancing Technologies, 2019:108 – 127, 2019.
  77. Towards simultaneous attacks on multiple cellular networks. In 2023 IEEE Security and Privacy Workshops (SPW), pages 394–405. IEEE, 2023.
  78. You have been warned: Abusing 5g’s warning and emergency systems. In Proceedings of the 38th Annual Computer Security Applications Conference, pages 561–575, 2022.
  79. Prochecker: An automated security and privacy analysis framework for 4g lte protocol implementations. In 2021 IEEE 41st International Conference on Distributed Computing Systems (ICDCS), pages 773–785, 2021.
  80. Noncompliance as deviant behavior: An automated black-box noncompliance checker for 4g lte cellular devices. In Proceedings of the 2021 ACM SIGSAC Conference on Computer and Communications Security, CCS ’21, page 1082–1099, New York, NY, USA, 2021. Association for Computing Machinery.
  81. Android 14 introduces first-of-its-kind cellular connectivity security features. https://security.googleblog.com/2023/08/android-14-introduces-first-of-its-kind.html.
Citations (3)
View on Semantic Scholar

Summary

We haven't generated a summary for this paper yet.

Ai Sparkles Streamline Icon: https://streamlinehq.com Summarize Now
X Twitter Logo Streamline Icon: https://streamlinehq.com

Tweets