AutoGuard: A Dual Intelligence Proactive Anomaly Detection at Application-Layer in 5G Networks

Part of the Lecture Notes in Computer Science book series (LNSC, volume 12972)

Abstract

Application-layer protocols are widely adopted for signaling in telecommunication networks such as the 5G networks. However, they can be subject to application-layer attacks that are hardly detected by existing traditional network-based security tools that often do not support telecommunication-specific applications. To address this issue, we propose in this work AutoGuard, a proactive anomaly detection solution that employs application-layer Performance Measurement (PM) counters to train two different Deep Learning (DL) techniques, namely, Long Short Term Memory (LSTM) networks and AutoEncoders (AEs). We leverage recent advancements in Machine Learning (ML) that show the advantages brought by combining multiple ML models to build a dual-intelligence approach allowing the proactive detection of application layer anomalies. Our proposed dual-intelligence solution promotes signaling workload forecasting and anomaly prediction as a proactive security control in 5G networks. As a proof of concept, we implement our approach for the proactive detection of Diameter-related signaling attacks on the Home Subscriber Server (HSS) core network function. To evaluate our solution, we conduct a set of experiments using data collected from a real 5G testbed. Our results show the effectiveness of our dual intelligence approach on proactively detecting signaling anomalies with a precision reaching 0.86.

Keywords

  • Proactive anomaly detection
  • Forecasting
  • 5G networks
  • Diameter protocol
  • Deep Learning

Notes

  1. Throughout the paper, we use the expressions anomaly prediction and proactive anomaly detection interchangeably.

  2. ENCQOR 5G is a Canada-Québec-Ontario partnership which focuses on research and innovation in the field of 5G technologies. https://quebec.encqor.ca.

References

  1. The European Union Agency for Network and Information Security (ENISA). Signalling security in telecom ss7/diameter/5g (2018)

  2. Global System for Mobile Communications Association (GSMA). FS.19 Diameter Interconnect Security (2019)

  3. Malhotra, P., Vig, L., Shroff, G., Agarwal, P.: Long short term memory networks for anomaly detection in time series. In: ESANN (2015)

  4. Salahuddin, M.A., Faizul, B.M., Alameddine, H.A., Pourahmadi, V., Boutaba, R.: Time-based anomaly detection using autoencoder. In: 16th International Conference on Network and Service Management (CNSM), pp. 1–9 (2020)

  5. Ni, T., Gu, X., Wang, H., Li, Y.: Real-time detection of application-layer DDoS attack using time series analysis. J. Control Sci. Eng. 2013, 6 p. (2013). https://doi.org/10.1155/2013/821315. Article ID 821315

  6. Mantas, G., Stakhanova, N., Gonzalez, H., Jazi, H.H., Ghorbani, A.A.: Application-layer denial of service attacks: taxonomy and survey. Int. J. Inf. Comput. Secur. 7(2/3/4), 216–239 (2015)

  7. Canard, S., Diop, A., Kheir, N., Paindavoine, M., Sabt, M.: BlindIDS: market-compliant and privacy-friendly intrusion detection system over encrypted traffic. In: Proceedings of the 2017 ACM on Asia Conference on Computer and Communications Security, ASIA CCS 2017, pp. 561–574, New York, NY, USA, 2017. Association for Computing Machinery

  8. Chowdhury, F.Z., Kiah, L.B.M., Ahsan, M.A.M., Idris, M.Y.I.B.: Economic denial of sustainability (EDoS) mitigation approaches in cloud: analysis and open challenges. In: 2017 International Conference on Electrical Engineering and Computer Science (ICECOS), pp. 206–211 (2017)

  9. Raza, M.T., Lu, S., Gerla, M.: vEPC-sec: securing LTE network functions virtualization on public cloud. IEEE Trans. Inf. Forensics Secur. 14(12), 3287–3297 (2019)

  10. Madi, T., Alameddine, H.A., Pourzandi, M., Boukhtouta, A.: NFV security survey in 5G networks: a three-dimensional threat taxonomy. Comput. Netw. 197, 108288 (2021)

  11. National Vulnerability Database. CVE-2019-5736. https://nvd.nist.gov/vuln/detail/CVE-2019-5736. Accessed 21 Dec 2019

  12. Affeldt, S., Labiod, L., Nadif, M.: Spectral clustering via ensemble deep autoencoder learning (SC-EDAE). Pattern Recogn. 108, 107522 (2020)

  13. Chaurasia, S., Goyal, S., Rajput, M.: Outlier detection using autoencoder ensembles: a robust unsupervised approach. In: 2020 International Conference on Contemporary Computing and Applications (IC3A), pp. 76–80 (2020)

  14. Mavoungou, S., Kaddoum, G., Taha, M., Matar, G.: Survey on threats and attacks on mobile networks. IEEE Access 4, 4543–4572 (2016)

  15. Jover, R.P., Marojevic, V.: Security and protocol exploit analysis of the 5g specifications. IEEE Access 7, 24956–24963 (2019)

  16. Hu, X., Liu, C., Liu, S., You, W., Zhao, Y.: Signalling security analysis: is http/2 secure in 5g core network? In: 2018 10th International Conference on Wireless Communications and Signal Processing (WCSP), pp. 1–6 (2018)

  17. Ahmad, I., Shahabuddin, S., Kumar, T., Okwuibe, J., Gurtov, A., Ylianttila, M.: Security for 5g and beyond. IEEE Commun. Surveys Tutorials 21(4), 3682–3722 (2019)

  18. Hussain, B., Du, Q., Sun, B., Han, Z.: Deep learning-based DDoS-attack detection for cyber-physical system over 5G network. IEEE Trans. Industr. Inf. 17(2), 860–870 (2021)

  19. Thanh, T.Q., Rebahi, Y., Magedanz, T.: A diameter based security framework for mobile networks. In: 2014 International Conference on Telecommunications and Multimedia (TEMU), pp. 7–12 (2014)

  20. Jarvis, K.: Network Intrusion Prevention in the Evolved Packet Core utilising Software Defined Networks and Network Function Virtualisation (2019)

  21. Essien, A., Petrounias, I., Sampaio, P., Sampaio, S.: Improving urban traffic speed prediction using data source fusion and deep learning. In: 2019 IEEE International Conference on Big Data and Smart Computing (BigComp), pp. 1–8 (2019)

  22. Wu, C., Ho, J., Lee, D.T.: Travel-time prediction with support vector regression. IEEE Trans. Intell. Transp. Syst. 5(4), 276–281 (2004)

  23. Amini, M.H., Kargarian, A., Karabasoglu, O.: ARIMA-based decoupled time series forecasting of electric vehicle charging demand for stochastic power system operation. Electr. Power Syst. Res. 140, 378–390 (2016)

  24. Essien, A., Giannetti, C.: A Deep learning framework for univariate time series prediction using convolutional LSTM stacked autoencoders. In: 2019 IEEE International Symposium on INnovations in Intelligent SysTems and Applications (INISTA), pp. 1–6 (2019)

  25. Muzaffar, S., Afshari, A.: Short-term load forecasts using LSTM networks. Energy Procedia 158, 2922–2927 (2019)

  26. Essien, A., Giannetti, C.: A deep learning model for smart manufacturing using convolutional LSTM neural network autoencoders. IEEE Trans. Industr. Inf. 16(9), 6069–6078 (2020)

  27. Liu, Y., et al.: Deep anomaly detection for time-series data in industrial IoT: a communication-efficient on-device federated learning approach. IEEE Internet Things J. 8, 6348–6358 (2021). https://doi.org/10.1109/JIOT.2020.3011726

  28. Lin, S., Clark, R., Birke, R., Schönborn, S., Trigoni, N., Roberts, S.: Anomaly detection for time series using VAE-LSTM hybrid model. In: ICASSP 2020–2020 IEEE International Conference on Acoustics, Speech and Signal Processing (ICASSP), pp. 4322–4326 (2020)

  29. Kieu, T., Yang, B., Guo, C., Jensen, C.S.: Outlier detection for time series with recurrent autoencoder ensembles. In: Proceedings of the Twenty-Eighth International Joint Conference on Artificial Intelligence, IJCAI-19, pp. 2725–2732. International Joint Conferences on Artificial Intelligence Organization (2019)

  30. Buda, T.S., Assem, H., Xu, L.: ADE: an ensemble approach for early anomaly detection. In: 2017 IFIP/IEEE Symposium on Integrated Network and Service Management (IM), pp. 442–448 (2017)

  31. Lee, M.-C., Lin, J.-C., Gran, E.G.: RePAD: real-time proactive anomaly detection for time series. In: Barolli, L., Amato, F., Moscato, F., Enokido, T., Takizawa, M. (eds.) AINA 2020. AISC, vol. 1151, pp. 1291–1302. Springer, Cham (2020). https://doi.org/10.1007/978-3-030-44041-1_110

  32. Doan, M., Zhang, Z.: Deep learning in 5G wireless networks-anomaly detections. In: 2020 29th Wireless and Optical Communications Conference (WOCC), pp. 1–6. IEEE (2020)

  33. Ranjan, S., Swaminathan, R., Uysal, M., Knightly, E.W.: DDoS-resilient scheduling to counter application layer attacks under imperfect detection. In: INFOCOM, pp. 1–14. Citeseer (2006)

  34. Yadav, S., Subramanian, S.: Detection of application layer DDoS attack by feature learning using stacked autoencoder. In: 2016 International Conference on Computational Techniques in Information and Communication Technologies (ICCTICT), pp. 361–366. IEEE (2016)

  35. Ericsson: Core network evolution from EPC to 5G core made easy. https://www.ericsson.com/en/digital-services/5g-core. Accessed 23 Dec 2020

  36. 3GPP. 3gpp TS 29.230 v16.3.0 diameter applications; 3gpp specific codes and identifiers (release 16)

  37. 3GPP. 3gpp TS 29.272 version 16.3.0. evolved packet system (eps); mobility management entity (MME) and serving GPRS support node (SGSN) related interfaces based on diameter protocol (release 16)

  38. 3GPP. 3gpp TS 29.336 v16.2.0 home subscriber server (HSS) diameter interfaces for interworking with packet data networks and applications (release 16)

  39. Internet Engineering Task Force (IETF). Diameter Base Protocol. Available at: https://tools.ietf.org/html/rfc6733 (2012)

  40. Jeffrey, L., Steven, J., Hicks, L.: Introduction to diameter. https://www.ibm.com/developerworks/library/wi-diameter/wi-diameter-pdf.pdf

  41. Dabrowski, A., Pianta, N., Klepp, T., Mulazzani, M., Weippl, E.: IMSI-catch me if you can: IMSI-catcher-catchers. In: Proceedings of the 30th Annual Computer Security Applications Conference, ACSAC 2014, pp. 246–255, New York, NY, USA, 2014. Association for Computing Machinery

  42. Yu, R., Li, Y., Shahabi, C., Demiryurek, U., Liu, Y.: Deep Learning: A Generic Approach for Extreme Condition Traffic Forecasting, pp. 777–785 (2017)

  43. Zhao, Z., Chen, W., Wu, X., Chen, P.C.Y., Liu, J.: LSTM network: a deep learning approach for short-term traffic forecast. IET Intell. Transp. Syst. 11, 68–75 (2017)

  44. Sutskever, I., Vinyals, O., Le, Q.V.: Sequence to sequence learning with neural networks. CoRR, abs/1409.3215 (2014)

  45. Zhao, Y., Nasrullah, Z., Li, Z.: PyOD: a python toolbox for scalable outlier detection (2019)

  46. Munir, M., Chattha, M.A., Dengel, A., Ahmed, S.: A comparative analysis of traditional and deep learning-based anomaly detection methods for streaming data. In: 2019 18th IEEE International Conference On Machine Learning And Applications (ICMLA), pp. 561–566 (2019)

  47. Chen, J., Sathe, S., Aggarwal, C., Turaga, D.: Outlier detection with autoencoder ensembles. In: SDM (2017)

  48. Iwana, B.K., Seiichi, U.: An empirical survey of data augmentation for time series classification with neural networks. arXiv preprint arXiv:2007.15951 (2020)

  49. Wen, Q., Sun, L., Song, X., Gao, J., Wang, X., Xu, H.: Time series data augmentation for deep learning: a survey. ArXiv, abs/2002.12478 (2020)

  50. Rashid, K.M., Louis, J.: Time-warping: a time series data augmentation of IMU data for construction equipment activity identification. In: Al-Hussein, M. (ed.) Proceedings of the 36th International Symposium on Automation and Robotics in Construction (ISARC), pp. 651–657. International Association for Automation and Robotics in Construction (IAARC), May 2019

  51. Hussain, S.R., Chowdhury, O., Mehnaz, S., Bertino, E.: LTEInspector: a systematic approach for adversarial testing of 4G LTE. In: Proceedings 2018 Network and Distributed System Security Symposium (2018)

  52. Wu, N., Green, B., Ben, X., O’Banion, S.: Deep transformer models for time series forecasting: the influenza prevalence case (2020)

  53. Srivastava, N., Hinton, G., Krizhevsky, A., Sutskever, I., Salakhutdinov, R.: Dropout: a simple way to prevent neural networks from overfitting. J. Mach. Learn. Res. 15(1), 1929–1958 (2014)

Author information

Corresponding authors

Correspondence to Taous Madi or Hyame Assem Alameddine.

9 Appendix

9.1 Effect of the Aggregation Time Window on the Forecasting

Fig. 8. Effect of the time window on the predictive performance of the FM.

The objective of this set of experiments is to evaluate the effect of the aggregation time window used to generate the statistical multivariate time series. To this end, we fix the look back and predict forward parameters to the pair (3, 3). Our empirical analysis shows that when the time window is small (between two and six), the FM performs well in predicting the recurrent observations but fails to predict the rare events, compared with the same model trained on time series generated with larger time window values. This is mainly because the statistical features generated over large time windows provide a better characterization of the time dependencies over sequences of observations. Since our solution aims at forecasting anomalies, which are considered rare events, we focus on evaluating the predictive performance for larger time windows (beyond six). As illustrated in Fig. 8, the value 12 provides the best predictive performance among the large time window values. As such, we set the time window size to 12 for the remaining sets of experiments.
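The data preparation that this experiment varies can be sketched as follows. This is an added example, not code from the paper: it aggregates a raw PM counter into per-window statistical features and builds the (look back, predict forward) training pairs, then reports how many forecast targets contain a rare burst at each window size. The feature set (mean, std, min, max), the function names and the counter values are assumptions constructed for illustration.

```python
from statistics import mean, pstdev

def aggregate(counter, window):
    """One statistical feature vector per non-overlapping aggregation window.
    The feature set (mean, std, min, max) is an assumption; the page does not list it."""
    rows = []
    for start in range(0, len(counter) - window + 1, window):  # drop trailing partial window
        chunk = counter[start:start + window]
        rows.append((mean(chunk), pstdev(chunk), min(chunk), max(chunk)))
    return rows

def make_supervised(rows, look_back=3, predict_forward=3):
    """Slide over the aggregated series: X = look_back vectors, y = the next predict_forward."""
    samples = []
    for i in range(len(rows) - look_back - predict_forward + 1):
        x = rows[i:i + look_back]
        y = rows[i + look_back:i + look_back + predict_forward]
        samples.append((x, y))
    return samples

def targets_with_event(samples, max_threshold):
    """Indices of samples whose forecast target holds a window with max above the threshold."""
    return [i for i, (_, y) in enumerate(samples)
            if any(row[3] > max_threshold for row in y)]

def constructed_counter(n=144, burst_at=100, burst_len=6, burst_size=400):
    """Constructed sample data: a steady per-interval request count with one short burst."""
    series = [50 + (i % 4) for i in range(n)]
    for i in range(burst_at, burst_at + burst_len):
        series[i] += burst_size
    return series

if __name__ == "__main__":
    counter = constructed_counter()
    for window in (2, 6, 12):
        rows = aggregate(counter, window)
        samples = make_supervised(rows)
        hits = targets_with_event(samples, max_threshold=100)
        print(f"window={window:2d} rows={len(rows):3d} samples={len(samples):3d} "
              f"targets containing the burst={len(hits)}")
```

With the pair (3, 3) and a window of 12, each training sample covers 36 raw intervals of history and forecasts the next 36, at the cost of far fewer samples than a window of 2 produces from the same counter.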

9.2 Hyper-parameters Tuning for the Forecasting Model

The objective of this set of experiments is to study the impact of the learning rate and the dropout regularization technique on the FM’s performance. While the learning rate controls how rigorous the model’s learning should be, dropout helps prevent neural network models from over-fitting [53]. Following common practices, we vary the learning rate from 1.00E−04 to 1.00E−01 and the dropout within the set {0.0, 0.2, 0.4, 0.6}. As reported in Table 1a, the best predictive performance is reached when the learning rate is equal to 0.001, with a negligible increase in the training time compared to larger learning rate values (i.e., 0.1 and 0.01).

We observe a notable increase in the training time between 1.00E−4 and 1.00E−3 for a marginal decrease in the prediction error. However, the performance gain (in terms of RMSE) is significant from 1.00E−1 to 1.00E−2 and 1.00E−3, while the increase in training time for 1.00E−2 and 1.00E−3 is marginal. Therefore, the learning rate 1.00E−3 seems to achieve the best trade-off between training time and predictive performance.

As for the dropout regularization, we consider the input dropout, which is applied to the input layer, and the recurrent dropout, which is applied to the recurrent input signal on the LSTM nodes. As depicted in Table 1b, neither the input nor the recurrent dropout has a significant impact on the model performance; however, a slight improvement (smaller error) is achieved when no dropout is used. Based on those findings, we fix the learning rate to 0.001 and avoid using dropout for the remaining sets of experiments.

Table 1. Evaluating the effect of learning rate and dropout on the FM.

Copyright information

© 2021 Springer Nature Switzerland AG

About this paper

Cite this paper

Madi, T., Alameddine, H.A., Pourzandi, M., Boukhtouta, A., Shoukry, M., Assi, C. (2021). AutoGuard: A Dual Intelligence Proactive Anomaly Detection at Application-Layer in 5G Networks. In: Bertino, E., Shulman, H., Waidner, M. (eds) Computer Security – ESORICS 2021. ESORICS 2021. Lecture Notes in Computer Science, vol 12972. Springer, Cham. https://doi.org/10.1007/978-3-030-88418-5_34

  • DOI: https://doi.org/10.1007/978-3-030-88418-5_34

  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-030-88417-8

  • Online ISBN: 978-3-030-88418-5

  • eBook Packages: Computer Science, Computer Science (R0)