Fake base stations (FBSes) pose a significant security threat by impersonating legitimate base stations (BSes). Although efforts have been made to defeat this threat, to this day the presence of FBSes and the multi-step attacks (MSAs) stemming from them can lead to unauthorized surveillance, interception of sensitive information, and disruption of network services. Detecting these malicious entities is therefore crucial to the security and reliability of cellular networks. Traditional detection methods often rely on additional hardware, rules, signal scanning, changes to protocol specifications, or cryptographic mechanisms that have limitations and incur large infrastructure costs. In this paper, we develop FBSDetector, an effective and efficient detection solution that can reliably detect FBSes and MSAs from layer-3 network traces using machine learning (ML) at the user equipment (UE) side. To develop FBSDetector, we create FBSAD and MSAD, the first high-quality, large-scale datasets incorporating instances of FBSes and 21 MSAs. These datasets capture network traces in different real-world cellular network scenarios (including mobility and different attacker capabilities) involving both legitimate BSes and FBSes. Our novel ML framework detects FBSes with a multi-level approach (packet-level classification using a stateful LSTM with attention, followed by trace-level classification) and detects MSAs using graph learning; it detects FBSes with an accuracy of 96% and a false positive rate of 2.96%, and recognizes MSAs with an accuracy of 86% and a false positive rate of 3.28%. We deploy FBSDetector as a real-world solution that protects end-users through a mobile app and validate it in real-world environments. Unlike existing heuristic-based solutions, which fail to detect FBSes, FBSDetector detects FBSes in the wild in real time.
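The abstract names two input representations for its models: a per-packet sequence of layer-3 (RRC/NAS) messages consumed by the stateful LSTM, and a per-trace message graph consumed by the graph learner. The following is an added illustration of how a UE-side trace could be turned into those two representations; it is not the paper's code, it does not contain the trained models, and the attach trace, the token scheme, and the feature layout are assumptions made here for the example.

```python
"""Featurize a layer-3 (RRC/NAS) trace two ways: as a per-packet sequence (the
kind of input a stateful sequence model such as an LSTM consumes) and as a
per-trace message-transition graph (the kind of input a graph learner consumes).
Illustrative only; not FBSDetector's code, and no classifier is included."""
from collections import Counter
from dataclasses import dataclass


@dataclass(frozen=True)
class L3Packet:
    t_ms: int       # capture timestamp in milliseconds (assumed field)
    direction: str  # "UL" (UE -> network) or "DL" (network -> UE)
    layer: str      # "RRC" or "NAS"
    msg: str        # decoded message name


# Constructed sample: an ordinary LTE attach procedure as it would appear in a
# UE-side layer-3 log. It is NOT taken from the FBSAD/MSAD datasets.
SAMPLE_TRACE = [
    L3Packet(0,   "UL", "RRC", "RRCConnectionRequest"),
    L3Packet(12,  "DL", "RRC", "RRCConnectionSetup"),
    L3Packet(20,  "UL", "RRC", "RRCConnectionSetupComplete"),
    L3Packet(21,  "UL", "NAS", "AttachRequest"),
    L3Packet(40,  "DL", "NAS", "AuthenticationRequest"),
    L3Packet(55,  "UL", "NAS", "AuthenticationResponse"),
    L3Packet(70,  "DL", "NAS", "SecurityModeCommand"),
    L3Packet(80,  "UL", "NAS", "SecurityModeComplete"),
    L3Packet(150, "DL", "NAS", "AttachAccept"),
    L3Packet(160, "UL", "NAS", "AttachComplete"),
]


def build_vocab(traces):
    """Map every (layer, msg, direction) token seen across the corpus to an
    integer id. Direction is part of the token because the same message name
    means something different in uplink and downlink."""
    tokens = sorted({(p.layer, p.msg, p.direction) for tr in traces for p in tr})
    return {tok: i for i, tok in enumerate(tokens)}


def packet_sequence(trace, vocab):
    """Per-packet feature rows in arrival order:
    [token_id, is_uplink, is_downlink, ms_since_previous_packet].
    Timing deltas are kept because an impersonating cell often answers with a
    different cadence than the real network; the row layout is an assumption."""
    rows = []
    prev_t = trace[0].t_ms if trace else 0
    for p in trace:
        tok = vocab[(p.layer, p.msg, p.direction)]
        rows.append([
            tok,
            1 if p.direction == "UL" else 0,
            1 if p.direction == "DL" else 0,
            p.t_ms - prev_t,
        ])
        prev_t = p.t_ms
    return rows


def message_graph(trace):
    """Directed transition graph of one trace: nodes are message names, and the
    weight of edge (a, b) is how many times message a was immediately followed
    by message b. Multi-step attacks show up as unusual paths in this graph."""
    nodes = sorted({p.msg for p in trace})
    edges = Counter((a.msg, b.msg) for a, b in zip(trace, trace[1:]))
    return nodes, dict(edges)


if __name__ == "__main__":
    vocab = build_vocab([SAMPLE_TRACE])
    for row in packet_sequence(SAMPLE_TRACE, vocab):
        print(row)
    nodes, edges = message_graph(SAMPLE_TRACE)
    print(len(nodes), "nodes,", len(edges), "edges")
```

Both representations are built per trace, so a UE-side app can featurize a capture incrementally as messages arrive and hand the sequence to a packet-level model while the graph is assembled for the trace-level and MSA stages.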