The virtualization and softwarization of 5G and NextG networks are critical enablers of the shift toward flexibility, but they also expand the potential attack surface. Current security research in communication systems, however, focuses on specific aspects of the security challenges and lacks a holistic perspective. To address this gap, a novel systematic fuzzing approach is proposed to reveal, detect, and predict vulnerabilities both with and without assumptions about the attacker's prior knowledge. It also serves as a digital twin platform for system testing and as a defense simulation pipeline. Three fuzzing strategies are proposed: Listen-and-Learn (LAL), Synchronize-and-Learn (SyAL), and Source-and-Learn (SoAL). LAL is a black-box fuzzing strategy used to discover vulnerabilities without prior protocol knowledge, while SyAL, also a black-box method, targets vulnerabilities more accurately using attacker-accessible user information and a novel probability-based fuzzing approach. The white-box strategy, SoAL, is then employed to identify and explain vulnerabilities by fuzzing significant bits. On the srsRAN 5G platform, the LAL strategy identifies 129 RRC connection vulnerabilities with an average detection duration of 0.072s. Leveraging the probability-based fuzzing algorithm, the SyAL strategy outperforms existing models in precision and recall while using significantly fewer fuzzing cases. SoAL detects three man-in-the-middle vulnerabilities stemming from weaknesses in the 5G protocol itself. The proposed solution is scalable to other open-source and commercial 5G platforms and to protocols beyond RRC. Extensive experimental results demonstrate that the proposed solution is an efficient and effective approach to validating 5G security; at the same time, it serves as a real-time vulnerability detection and proactive defense mechanism.