Purohit, Hinddeep Shaileshbhai (2024) Detecting Man-in-the-Middle Attacks in Cellular Networks Using Generative Machine Learning Based Indistinguishable Probing. Masters thesis, Concordia University.
Text (application/pdf): Purohit_MASc_S2025.pdf (2MB) - Accepted Version. Restricted to Repository staff only until 11 November 2025. Available under License Spectrum Terms of Access.
Abstract
Man-in-the-Middle (MiTM) attacks launched against the user equipment (UE) and the core networks represent a well-known security threat to the proper operation of telecommunication networks from earlier generations. Such attacks can potentially downgrade the security capabilities or degrade the quality of service to either prepare the ground for subsequent attacks or cause denial of service to the end users. Existing solutions focus on detecting specific MiTM attacks (e.g., utilizing false base stations or malicious UEs) while relying on the Radio Access Network (RAN) and considering it as a trusted entity. With the advent of virtualization of the RAN (i.e., vRAN) and the opening of the interfaces (i.e., Open RAN), an attacker can potentially infect the vRAN (e.g., due to lateral movement) and launch MiTM attacks, making existing solutions insufficient to cover this new attack vector. In this thesis, we therefore aim at proposing a verification solution, named Orion, for detecting the presence of a stealthy and smart MiTM attacker between UE and the core. For this purpose, our main ideas are (a) to leverage generative ML to continuously generate indistinguishable (to evade a MiTM attacker) and synchronous (to enable verification at both UE and core with minimal communication overhead) probing messages and (b) to engage both UE and the core in the verification (unlike existing works that only focus on one of them) of the probing messages to detect MiTM attacks. We implement Orion and integrate it into our testbed based on the OpenAirInterface (a popular open-source project used to test 4G and 5G), deployed on a Kubernetes cluster on the Amazon Elastic Kubernetes Service. To showcase the feasibility, efficiency, and effectiveness of Orion, we use a MiTM attack scenario targeting specific unprotected control plane messages carrying radio and security capabilities.
Our experiments show that Orion can detect such MiTM attacks using 14 probing (virtual) UEs in only 40 seconds (during which only two regular messages are compromised), requiring about 60 probes on average while achieving an indistinguishability rate of 95% under different adversarial strategies. Additionally, Orion requires less than 350 MB of memory and up to 100% of CPU for a little less than 17 minutes to generate the probing messages required for each day of probing.
Divisions: | Concordia University > Gina Cody School of Engineering and Computer Science > Concordia Institute for Information Systems Engineering |
---|---|
Item Type: | Thesis (Masters) |
Authors: | Purohit, Hinddeep Shaileshbhai |
Institution: | Concordia University |
Degree Name: | M.A. Sc. |
Program: | Information Systems Security |
Date: | 10 October 2024 |
Thesis Supervisor(s): | Majumdar, Dr. Suryadipta and Jarraya, Dr. Yosr |
ID Code: | 994774 |
Deposited By: | Hinddeep Purohit |
Deposited On: | 17 Jun 2025 17:23 |
Last Modified: | 17 Jun 2025 17:23 |