Network Slices (NSs) are virtual networks operating over a shared physical infrastructure, each designed to meet specific application requirements while maintaining consistent Quality of Service (QoS). In Fifth Generation (5G) networks, User Equipment (UE) can connect to and seamlessly switch between multiple NSs to access diverse services. However, this flexibility, known as Inter-Slice Switching (ISS), introduces a potential vulnerability that can be exploited to launch Distributed Slice Mobility (DSM) attacks, a form of Distributed Denial of Service (DDoS) attack. To secure 5G networks and their NSs against DSM attacks, we present in this work, PUL-Inter-Slice Defender; an anomaly detection solution that leverages Positive Unlabeled Learning (PUL) and incorporates a combination of Long Short-Term Memory Autoencoders and K-Means clustering. PUL-Inter-Slice Defender leverages the Third Generation Partnership Project (3GPP) key performance indicators and performance measurement counters as features for its machine learning models to detect DSM attack variants while maintaining robustness in the presence of contaminated training data. When evaluated on data collected from our 5G testbed based on the open-source free5GC and UERANSIM, a UE/ Radio Access Network (RAN) simulator; PUL-Inter-Slice Defender achieved F1-scores exceeding 98.50% on training datasets with 10% to 40% attack contamination, consistently outperforming its counterpart Inter-Slice Defender and other PUL based solutions combining One-Class Support Vector Machine (OCSVM) with Random Forest and XGBoost.

翻译：网络切片（NSs）是在共享物理基础设施上运行的虚拟网络，每个切片旨在满足特定应用需求，同时保持一致的服务质量（QoS）。在第五代（5G）网络中，用户设备（UE）可以连接多个NSs并在其间无缝切换，以访问多样化服务。然而，这种被称为切片间切换（ISS）的灵活性引入了一个潜在漏洞，可能被利用来发起分布式切片移动性（DSM）攻击——一种分布式拒绝服务（DDoS）攻击形式。为保护5G网络及其NSs免受DSM攻击，我们在本文中提出了PUL-Inter-slice Defender；这是一种利用正例无标签学习（PUL）并结合长短期记忆自动编码器与K-Means聚类的异常检测解决方案。PUL-Inter-slice Defender利用第三代合作伙伴计划（3GPP）关键性能指标和性能测量计数器作为其机器学习模型的特征，以检测DSM攻击变体，同时在训练数据存在污染的情况下保持鲁棒性。当基于开源free5GC和UE/无线接入网（RAN）模拟器UERANSIM构建的5G测试平台所收集的数据进行评估时，PUL-Inter-slice Defender在攻击污染率为10%至40%的训练数据集上取得了超过98.50%的F1分数，持续优于其对应方案Inter-Slice Defender以及其他结合单类支持向量机（OCSVM）与随机森林和XGBoost的PUL解决方案。