5G-Spector is the first Open Radio Access Network (O-RAN) compliant layer-3 cellular attack detection service. It is based on the revolutionary O-RAN architecture that brings unprecedented programmability that enables stakeholders (e.g., network operators) and researchers to build innovative software-defined services on cellular networks. 5G-Spector is featured in project SE-RAN and an academic publication in the Network and Distributed System Security Symposium 2024 (NDSS 2024). The full paper is available here.

5G-Spector has passed the NDSS'24 artifact evaluation and is awarded all badges (available, functional, and reproduced).

5G-Spector is based on open-sourced 5G and OpenRAN software implementations, in particular the OpenAirInterface (OAI) project. Currently, you can instantiate and run an OAI-based 5G SA network from scratch with our extensions (optionally with the 5G-Spector components), which are interoperable with two different open-sourced near-RT RICs, including:

• O-RAN SC RIC. Please check out this guide!
• ONOS RIC within the SD-RAN project. Please check out this guide!

We have also provided a standalone VM artifact with a built-in OAI LTE network and 5G-Spector.

The below image shows the architecture of 5G-Spector's deployment. From a high level, it can be divided into the data plane and control plane based on the SDN concept.

Data Plane involves the user equipment (UE) and Radio Access Network (RAN), and the core network (LTE EPC / 5GC). As shown in the figure, the RAN data plane can be further broken down into different components:

• Radio Unit (RU) is the typical radio hardware deployed in the front-haul network to handle layer-1 (L1) physical radio signals from surrounding user equipment. It is replaced by either a commodity SDR (e.g., USRP B210) or the OpenAirInterface (OAI) RF emulator (no actual SDR hardware required).
• Distributed Unit (DU) and Central Unit (CU) are logical components that can be hosted at the edge to handle L2 and L3 functions of the cellular protocol. We use the state-of-the-art open-sourced implementation, OpenAirInterface, as the CU and DU. We further augment the CU and DU with SecSM Agent support that allows them to communicate with the control plane and MobieXpert xApp to report security telemetry, i.e., MobiFlow, to drive security analysis on the control plane.
• User Equipment (UE) broadly refers to a cellular mobile device subscribed to the operational network. We also use OAI as the UE implementation which supports L1 emulation capability (i.e., no actual hardware required). Alternatively, OAI UE can also run on an SDR over RF. You can also use LTE / 5G compatible COTS smartphones as the UE.
• Core Network is not shown in the image, and it handles network registration for the UEs. In this demonstration, we use either the OAI 5GC or the ONF's Open Mobile Evolved Core (OMEC) for LTE.

The control layer logic of O-RAN is disaggregated from the data plane based on the SDN principles. It involves the Near-Real-Time RAN Intelligent Controller (nRT-RIC) serves as a proxy for control services and connects to the RAN nodes (i.e., CUs and DUs) via the standard E2 interface. Based on the nRT-RIC's services, xApps can be programmed as “plug-n-play” software on the control plane. We use ONF's ONOS RIC of its Software-Defined RAN (SD-RAN) project as our nRT-RIC.

5G-Spector's analysis capability is powered by the novel security telemetry stream MobiFlow extracted by the MobiFlow Auditor xApp from the RAN data plane. MobiFlow supports sophisticated threat analysis such as the signature-based L3 attack detection within the MobieXpert xApp.

5G-Spector is dependent on the following source code repositories:

Security-enhanced OAI RAN implementation with RIC agent support to generate MobiFlow telemetry. It is currently dedicated to the ONOS RIC on SD-RAN. We plan to extend its support to other platforms and vendors such as the Flexible RAN Intelligent Controller (FlexRIC). It is licensed under OAI Public License V1.1.

The MobiFlow Auditor xApp is an O-RAN compliant xApp aiming to support fine-grained and security-aware statistics monitoring over the RAN data plane, which does not exist in the default O-RAN standard and service models. We abstract such telemetry streams as MobiFlow, a novel security audit trail for holding mobile devices accountable during the link and session setup protocols as they interact with the base station, and interval statistics generated for tracking large-scale patterns of abuse against the base station.

The MobieXpert xApp functions as an L3 exploit detection engine that allows efficient programming of cellular attack signatures. MobieXpert’s design is based on the Production-Based Expert System Toolset (P-BEST) language, which has been widely used for decades in stateful intrusion detection. With MobieXpert, network operators can program stateful production-based IDS rules for detecting a wide range of cellular L3 attacks.

We have provided a VM-based artifact to run and test 5G-Spector in a simulated LTE network with detailed instructions: 5G‐Spector Artifact in a Simulated LTE Network.

We have provided a pre-recorded video showing 5G-Spector's capability of detecting two over-the-air attacks targeting a real cellular network and devices.

Please visit our project website: 5gsec.com. 5G-Spector is featured in the Security-Enhanced RAN (SE-RAN) project sponsored by the NSF's 5G convergence accelerator program.

If you have used 5G-Spector to develop a research work or product, please cite our paper:

@inproceedings{5G-Spector:NDSS24,
  title     = {5G-Spector: An O-RAN Compliant Layer-3 Cellular Attack Detection Service},
  author    = {Wen, Haohuang and Porras, Phillip and Yegneswaran, Vinod and Gehani, Ashish and Lin, Zhiqiang},
  booktitle = {Proceedings of the 31st Annual Network and Distributed System Security Symposium (NDSS'24)},
  address   = {San Diego, CA},
  month     = {February},
  year      = 2024
}