The advancements in the field of telecommunications have resulted in an increasing demand for robust, high-speed, and secure connections between User Equipment (UE) instances and the Data Network (DN). The implementation of the newly defined 3rd Generation Partnership Project 3GPP (3GPP) network architecture in the 5G Core (5GC) represents a significant leap towards fulfilling these demands. This architecture promises faster connectivity, low latency, higher data transfer rates, and improved network reliability. 5GC has been designed to support a wide range of critical Next Generation Internet of Things (NG-IoT) and industrial use cases that require reliable end-to-end communication services. However, this evolution raises severe security issues. In the context of the SANCUS project, a set of cyberattacks were investigated and emulated by K3Y against the Packet Forwarding Control Protocol (PFCP) between the Session Management Function (SMF) and the User Plane Function (UPF). Based on these attacks, an intrusion detection dataset was generated: 5GC PFCP Intrusion Detection Dataset that can support the development of Artificial Intelligence (AI)-powered Intrusion Detection Systems (IDS) that use Machine Learning (ML) and Deep Learning (DL) techniques. The goal of this report is to describe this dataset.
The 5GC PFCP Intrusion Detection Dataset was implemented following relevant methodological frameworks, including eleven features: (a) Complete Network Configuration, (b) Complete Traffic, (c) Labelled Dataset, (d) Complete Interaction, (e) Complete Capture, (f) Available Protocols, (g) Attack Diversity, (h) Heterogeneity, (i) Feature Set and (j) Metadata. A 5GC architecture was emulated, including the Network Slice Selection Function (NSSF), the Network Exposure Function (NEF), the Network Repository Function (NRF), the Policy Control Function (PCF), the User Data Management (UDM), the Access and Mobility Management Function (AF), the Authentication Server Function (AUSF), the Access Management Function (AMF), SMF, and UPF, in addition to a virtualised UE device, a virtualised gNodeB (gNB), and a cyberattacker impersonating a maliciously instantiated SMF. In particular, the following cyberattacks were performed:
- On Wednesday, October 05, 2022, the PFCP Session Establishment DoS Attack was implemented for 4 hours.
- On Thursday, October 13, 2022, the PFCP Session Deletion DoS Attack was implemented for four hours.
- On Tuesday, November 01, 2022, the PFCP Session Modification DoS Attack (DROP Apply Action Field Flags) was implemented for 4 hours.
- On Tuesday, November 22, 2022, the PFCP Session Modification DoS Attack (DUPL Apply Action Field Flag) was implemented for 4 hours.
The previous PFCP-related cyberattacks were executed, utilising penetration testing tools, such as Scapy. For each attack, a relevant folder is provided, including the network traffic and the network flow statistics for each entity. In particular, for each cyberattack, a folder is given, providing (a) the pcap files for each entity, (b) the Transmission Control Protocol (TCP)/ Internet Protocol (IP) network flow statistics for 120 seconds in a Comma-Separated Values (CSV) format and (c) the PFCP flow statistics for each entity (using different timeout values in terms of second (such as 45, 60, 75, 90, 120 and 240 seconds)). The TCP/IP network flow statistics were produced by using the CICFlowMeter, while the PFCP flow statistics were generated based on a Custom PFCP Flow Generator, taking full advantage of Scapy.
Full Description (ReadMe): [PDF]
The dataset is publically available in IEEE Dataport and Zenodo.
Citation: G. Amponis, P. Radoglou-Grammatikis, T. Lagkas, W. Mallouli, A. Cavalli, D. Klonidis, E. Markakis, and P. Sarigiannidis, “Threatening the 5G core via PFCP DOS attacks: The case of blocking UAV Communications”, EURASIP Journal on Wireless Communications and Networking, vol. 2022, no. 1, 2022, doi: 10.1186/s13638-022-02204-5.