
Research On Privacy And Security For LTE/5G Air Interface Protocol

Posted on: 2024-09-02
Degree: Doctor
Type: Dissertation
Country: China
Candidate: Z S Cheng
Full Text: PDF
GTID: 1528306944966459
Subject: Information security
Abstract/Summary:
In LTE and 5G mobile communication technologies, user equipment and base stations use wireless communication technologies to exchange data. Due to the broadcast characteristic of wireless technology, LTE/5G faces the risk of malicious eavesdropping and tampering on air-interface data, which seriously threatens the privacy and security of mobile communication systems. This thesis focuses on the privacy and security of the LTE/5G air interface, including the collection and manipulation method for air-interface data, the privacy of user plane dedicated VoLTE/NR data and user plane general Internet data, and the privacy protection method for the air-interface protocol. Overall, this work discovered several privacy vulnerabilities of LTE/5G protocols and proposed an improved PDCP protocol. The results of this thesis can be used to optimize beyond-5G and 6G protocols to improve the security of mobile communication networks. The contributions of this work can be summarized as follows:

1) To tackle the challenge that current tools only support the collection and manipulation of LTE downlink control data, an SR and CQI analysis-based air-interface data collection and manipulation method is proposed, which aims to collect and modify control plane and user plane data and to provide data support for the subsequent research on the privacy and security of the air-interface protocol. This method uses a man-in-the-middle approach to maintain a pair of wireless relay links, between the victim UE and the relay node and between the relay node and the operator's base station, and processes and relays the uplink/downlink control plane and user plane data. In order to improve the stability of the relay links, this work proposes an AKA authentication bypass method to bypass the UE's verification of the relay node; it then proposes an SR and CQI-based physical layer frequency domain and time domain parameter analysis method to recover the encrypted EPS-bearer and physical layer configurations. At the same time, this work proposes a TA and SNR-based wireless noise data identification method to support the relay node in distinguishing the source of uplink messages. Experimental results on 3 home and UK operator networks and 5 commercial UEs show that this method achieves a success rate of 91.67% in recovering physical layer parameters, is able to accurately distinguish noise uplink messages in crowded places, and supports the collection and manipulation of LTE/5G SA uplink/downlink control plane and user plane data. The results also show that the LTE/5G network and commercial UEs cannot detect this method.

2) To tackle the insufficient analysis of VoLTE/NR-related air-interface data, a signalling template and VAD-based VoLTE/NR fingerprinting and entity mapping method is proposed, which aims to monitor a victim's SIP signalling log and voice activity log by analysing encrypted air-interface data, and to rapidly map a victim's phone number to their anonymous network identifiers. To achieve these goals, this work first analyses the VoLTE/NR protocols to find the privacy vulnerabilities of both the signalling plane and voice plane protocols, and then proposes a signalling template and sequence-based signalling plane fingerprinting method, VAD-based voice activity detection, and a signalling log-based entity mapping method. In order to verify the practicality of the proposed method, this work runs 16 VoLTE calls and 105 seconds of voice activity on a commercial LTE network, generating 130 SIP messages and 4864/3353 uplink/downlink RTP packets. The experimental results show that this method achieves 100% fingerprinting accuracy, and the adversary can rapidly map users' entities with only one SIP request message. This work also collects 60 hours of LTE control plane data to verify the validity period of the mapping results. The results show that the mapping remains valid for extended periods of time and that VoLTE calls towards the victim are not frequently required.

3) To tackle the challenge that current traffic fingerprinting methods mostly rely on downlink air-interface data and are only applicable to LTE networks, an uplink and downlink encrypted air-interface data-based application activity fingerprinting method is proposed, which aims to obtain a victim's application installation list and activity log by analysing LTE/5G uplink and downlink encrypted air-interface data. In order to achieve these goals, this work first analyses the air-interface protocol to find the vulnerabilities of the PDCP protocol. Then this work uses the payload size distribution to describe the behaviour of user plane IP streams. Finally, this work uses a convolutional neural network to learn the behaviour of each type of application activity and to identify the encrypted air-interface data. In order to verify the practicality of this fingerprinting method, this work tested 40 applications and 49 activities on LTE/5G laboratory and commercial networks, which generated 36.75 hours (29.92 GB) of training and testing data and 70 minutes (643 MB) of verification data, respectively. The experimental results show that the fingerprinting achieves an F1 score of 98.32%, and the precision reaches 100% for some activities. This work also evaluates and analyses the performance and countermeasures in the face of external interference factors such as unknown applications, software version diversity, device model diversity and poor network environments.

4) To solve the problem that current privacy protection methods introduce significant bandwidth and delay overhead, a PDCP-ETH-based air-interface privacy protection method is proposed, which aims to optimise the procedure for processing user plane IP data at the LTE/5G PDCP layer, prevent the adversary from obtaining metadata (i.e., the length and frequency of IP streams) and defend against fingerprinting attacks on user plane data. In order to achieve these goals, a transmitting buffer, a transmitting timer and a receiving buffer are introduced at the PDCP layer to perform additional operations, such as segmentation, concatenation, padding and reassembly of IP data packets, to break the length mapping between PDCP packets and IP packets. This work implements a PDCP-ETH prototype system based on open-source srsRAN. The experimental results show that this method not only improves the privacy level of the air interface but also does not introduce significant transmission latency or bandwidth overhead: the bandwidth decreases by an average of 0.38%. Furthermore, the method is able to improve communication efficiency; for example, it saves an average of 10.82% of padding at the MAC layer. Finally, this work discusses and analyses the flexibility of PDCP-ETH with respect to LTE/5G carrier aggregation and dual connectivity features.
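The mechanism behind contributions 3) and 4) can be seen in a small simulation: the fingerprinting in 3) relies on the one-to-one length mapping between IP packets and PDCP PDUs, and 4) breaks that mapping with a transmit buffer, a transmit timer and a receive buffer. The following Python sketch is an added illustration, not the thesis's srsRAN prototype nor its actual PDU format. It assumes a fixed air-interface PDU size of 128 bytes, a 2-byte length field for both the per-PDU data count and the per-packet framing, a tick-based timer instead of a real clock, and constructed IP packets of chosen sizes; all of these are assumptions made for the example.

```python
import struct

PDU_SIZE = 128              # assumed fixed size of every PDU sent over the air
HDR = struct.Struct("!H")   # assumed 2-byte big-endian length field


class PdcpEthSender:
    """Transmit side: buffer IP packets, emit only fixed-size PDUs.

    Large packets are segmented across PDUs, small packets are concatenated
    into one PDU, and a partially filled PDU is padded when the timer fires.
    """

    def __init__(self, pdu_size=PDU_SIZE, timer_ticks=3):
        self.pdu_size = pdu_size
        self.timer_ticks = timer_ticks
        self.stream = bytearray()   # transmitting buffer: length-prefixed IP packets
        self.ticks_idle = 0

    def submit(self, ip_packet: bytes) -> list:
        """Queue one IP packet (assumed < 65536 bytes); return any full PDUs."""
        self.stream += HDR.pack(len(ip_packet)) + ip_packet
        self.ticks_idle = 0
        return self._drain(force=False)

    def tick(self) -> list:
        """Advance the transmitting timer; flush a padded PDU when it expires."""
        if not self.stream:
            return []
        self.ticks_idle += 1
        if self.ticks_idle >= self.timer_ticks:
            self.ticks_idle = 0
            return self._drain(force=True)
        return []

    def _drain(self, force: bool) -> list:
        pdus = []
        cap = self.pdu_size - HDR.size        # payload bytes per PDU
        while len(self.stream) >= cap or (force and self.stream):
            chunk = bytes(self.stream[:cap])
            del self.stream[:cap]
            # PDU = [data_len][stream bytes][zero padding up to pdu_size]
            pdus.append(HDR.pack(len(chunk)) + chunk + b"\x00" * (cap - len(chunk)))
        return pdus


class PdcpEthReceiver:
    """Receive side: strip padding, reassemble the byte stream, re-frame IP packets."""

    def __init__(self):
        self.stream = bytearray()   # receiving buffer

    def receive(self, pdu: bytes) -> list:
        (data_len,) = HDR.unpack_from(pdu, 0)
        self.stream += pdu[HDR.size:HDR.size + data_len]
        packets = []
        while len(self.stream) >= HDR.size:
            (pkt_len,) = HDR.unpack_from(self.stream, 0)
            if len(self.stream) < HDR.size + pkt_len:
                break                         # rest of this packet is still in flight
            packets.append(bytes(self.stream[HDR.size:HDR.size + pkt_len]))
            del self.stream[:HDR.size + pkt_len]
        return packets


def run_demo(ip_sizes, pdu_size=PDU_SIZE, timer_ticks=3):
    """Push constructed IP packets through sender and receiver.

    Returns (sizes an eavesdropper sees on the air, whether reassembly was exact).
    Without PDCP-ETH the on-air sizes would simply equal ip_sizes.
    """
    sender, receiver = PdcpEthSender(pdu_size, timer_ticks), PdcpEthReceiver()
    sent = [bytes([i % 256]) * n for i, n in enumerate(ip_sizes)]   # constructed packets
    air = []
    for pkt in sent:
        air += sender.submit(pkt)
    for _ in range(timer_ticks):          # idle time until the timer flushes the remainder
        air += sender.tick()
    received = []
    for pdu in air:
        received += receiver.receive(pdu)
    return [len(p) for p in air], received == sent


if __name__ == "__main__":
    sizes, ok = run_demo([40, 1200, 60, 300, 52])
    print("on-air PDU sizes:", sizes)          # every entry is 128
    print("exact reassembly:", ok)
```

With the constructed input, the five distinct IP sizes that a size-distribution classifier would consume become fourteen identical 128-byte PDUs, and the receiver still recovers the original packets exactly; the price is the padding in the last PDU and the buffering delay bounded by the timer, which is the trade-off the thesis measures on real hardware.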
Keywords/Search Tags: LTE/5G, air-interface protocol security, VoLTE/NR privacy and security, air-interface data fingerprinting, privacy protection