
Detection of Overshadowing Attack in 4G and 5G Networks

Published: 23 October 2024

Abstract

Despite the promises of current and future cellular networks to increase security, privacy, and robustness, 5G networks are designed to streamline discovery and initiate connections with limited computation and communication costs, which makes their control channels predictable. This predictability enables signal-level attacks, particularly on unprotected initial access signals. To assess vulnerability in access control and enhance robustness in cellular networks, we present in this paper a strategic approach that leverages the O-RAN architecture to detect and classify signal-level attacks for actionable countermeasure defense. We evaluate attack scenarios of various power levels on both 4G/LTE-Advanced and 5G communication systems. We categorize the attack models by attack cost into two types: Overshadowing and Jamming. Overshadowing represents the low-attack-power category and requires time and frequency synchronization, while Jamming represents untargeted attacks that cause quality-of-service degradation similar to that of overshadowing attacks but require high power levels. Our detection strategy relies on supervised machine-learning models, specifically a Reservoir Computing (RC) based supervised learning approach that leverages physical and MAC-layer information for attack detection and classification. We demonstrate the efficacy of our detection strategy through extensive experimental evaluations using the O-RAN platform with software-defined radios (SDRs) and commercial off-the-shelf (COTS) user equipment (UEs). Empirical results show that our method can classify the change in statistics caused by most overshadowing and jamming attacks with more than 95% classification accuracy.

Published In

IEEE/ACM Transactions on Networking, Volume 32, Issue 6
Dec. 2024
985 pages

Publisher

IEEE Press
