The proliferation of 4G/LTE (Long Term Evolution) technology for cellular networks calls for new methods and tools for assessing its resilience and vulnerabilities effectively and efficiently. Existing methods focus on ad-hoc attacks and defenses that require significant human effort, such as manual examination of LTE protocol specifications or manual analysis of LTE network traffic, to identify potential vulnerabilities. In the 4G/LTE network architecture, there are three main components always targeted by attackers: user equipment, evolved NodeB, and evolved packet core, each of which consists of multiple layers processing various LTE information.

This dissertation presents a new approach to automating vulnerability assessment of 4G/LTE network mobile devices based on machine learning methods. To this end, we develop LEFT (LTE Oriented Emulation-Instrumented Fuzzing Testbed), which perturbs the behavior of LTE network modules to elicit vulnerable internal states of mobile devices under test. LEFT uses reinforcement learning to guide behavior perturbation in an instrumented LTE network emulator for both exploration and exploitation. We have implemented LEFT in a laboratory environment to fuzz two key LTE protocols and used it to assess the vulnerabilities of four COTS (Commercial Off-The-Shelf) Android mobile phones. The experimental results show that LEFT can evaluate the security of 4G/LTE-capable mobile devices automatically and effectively.

We then investigate a new type of threat called paging storm attacks. In contrast to the previous attack on user equipment, this attack can be launched from a regional botnet to exhaust the limited paging capacity of cells in a 4G/LTE core network. Paging storm attacks can delay paging requests for legitimate time-critical voice or video calls in a target area. We mathematically analyze the probability that normal paging requests are delayed due to a botnet attack, and then design and implement a proof-of-concept Android botnet that can coordinate bot activities to create pulsating paging requests in a short period of time. Experimental results observed from a high-fidelity emulation testbed reveal that paging storm attacks launched from a regional botnet can create repetitive surges of paging requests in the target LTE network, thereby delaying time-critical voice/video calls by several seconds.

Finally, this dissertation summarizes existing attacks on 4G/LTE networks and presents a general 4G/LTE testbed for quickly deploying and managing 4G/LTE network experiments. The testbed consists of multiple virtual hosts running on a multi-core cluster server, with software-emulated or simulated network elements. The implementation is based on lightweight Linux containers to achieve flexibility and convenience in deploying and managing the experiments running on the testbed. To accommodate various experiment sets for completeness, the testbed adopts several functions in the 4G/LTE specification that are not implemented by existing open-source 4G/LTE emulators/simulators, and connects with external services such as Android and the IP Multimedia System. Several existing attacks have been launched and evaluated on the testbed, making it usable for practical experiments and evaluations of the 4G/LTE network.
Index Terms
- Emulation-Based Security Assessment of 4G/LTE Mobile Communication Systems