5G networks are exposed to cyber attacks for reasons that include implementation flaws and vulnerabilities in the 3GPP standard specifications. In this work, we propose lateral movement strategies in a 5G Core (5GC) with network slicing enabled, as part of a larger attack campaign by well-resourced adversaries such as APT groups. Further, we present 5GLatte, a system to detect such malicious lateral movement. 5GLatte operates on a host-container access graph built from host and NF container logs collected in the 5GC. Paths inferred from the access graph are scored against selected filtering criteria and then fed to a threshold-based anomaly detection algorithm that reveals malicious lateral movement paths. We evaluate 5GLatte on a dataset of attack campaigns (based on the MITRE ATT&CK and FiGHT frameworks) launched in a 5G test environment; the results show that, compared with state-of-the-art lateral movement detectors, it achieves higher true positive rates at similar false positive rates.
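To make the pipeline in the abstract concrete, the following Python sketch is an added illustration, not the 5GLatte authors' code or dataset. It builds a host-container access graph from a handful of constructed access records, enumerates time-ordered paths through the graph, scores each path with assumed filtering criteria (hop count, hops that cross slice boundaries, and whether the path originates on a host rather than in an NF container), and flags paths whose score exceeds a mean-plus-k-standard-deviations threshold. The record format, the node-to-slice assignment, the scoring weights, the time window and the threshold rule are all assumptions chosen for the example.

```python
"""Toy host-container access-graph path scoring for lateral-movement detection.

Illustrative example only: the record format, slice assignment, scoring
weights and threshold rule are assumptions, not the 5GLatte paper's definitions.
"""
from collections import defaultdict
from statistics import mean, pstdev

# Constructed sample records: (timestamp, source, destination). A record means
# `source` (a host or an NF container) accessed `destination` (an NF container).
SAMPLE_ACCESS_LOG = [
    (1, "amf-1", "smf-1"),
    (2, "smf-1", "upf-1"),
    (3, "amf-1", "ausf-1"),
    (4, "amf-2", "smf-2"),
    (5, "smf-2", "upf-2"),
    (6, "smf-1", "pcf-1"),
    # a host reaching into the shared NRF, then hopping across slices
    (10, "host-1", "nrf-1"),
    (11, "nrf-1", "smf-1"),
    (12, "smf-1", "udm-1"),
    (13, "udm-1", "smf-2"),
    (14, "smf-2", "upf-2"),
]

# Assumed slice assignment per node; "host" marks a physical or virtual host.
NODE_SLICE = {
    "host-1": "host",
    "amf-1": "A", "smf-1": "A", "upf-1": "A",
    "amf-2": "B", "smf-2": "B", "upf-2": "B",
    "nrf-1": "shared", "udm-1": "shared", "ausf-1": "shared", "pcf-1": "shared",
}

MAX_GAP = 5   # max time between consecutive hops of one path (assumed)
MIN_HOPS = 2  # a single access is not lateral movement (assumed)


def build_access_graph(records):
    """Directed multigraph: node -> sorted list of (timestamp, destination)."""
    graph = defaultdict(list)
    for ts, src, dst in records:
        graph[src].append((ts, dst))
    for edges in graph.values():
        edges.sort()
    return graph


def infer_paths(graph):
    """Maximal time-ordered simple paths, each a tuple of (ts, src, dst) edges."""
    paths = []

    def extend(node, last_ts, visited, edges):
        extended = False
        for ts, nxt in graph.get(node, []):
            # hops must be strictly later than the previous one and within MAX_GAP
            if last_ts is not None and not (last_ts < ts <= last_ts + MAX_GAP):
                continue
            if nxt in visited:
                continue
            extended = True
            extend(nxt, ts, visited | {nxt}, edges + [(ts, node, nxt)])
        if not extended and len(edges) >= MIN_HOPS:
            paths.append(tuple(edges))

    for start in list(graph):
        extend(start, None, {start}, [])
    # Drop paths that are merely the tail of a longer inferred path.
    return [p for p in paths
            if not any(len(q) > len(p) and q[-len(p):] == p for q in paths)]


def path_nodes(path):
    """Node sequence visited by a path of edges."""
    return [path[0][1]] + [dst for _, _, dst in path]


def score_path(path):
    """Assumed filtering criteria: hops, cross-slice hops, and a host origin."""
    nodes = path_nodes(path)
    containers = [n for n in nodes if NODE_SLICE[n] != "host"]
    crossings = sum(1 for a, b in zip(containers, containers[1:])
                    if NODE_SLICE[a] != NODE_SLICE[b])
    from_host = NODE_SLICE[nodes[0]] == "host"
    return len(path) + 2 * crossings + 3 * from_host


def detect(records, k=1.0):
    """Flag paths scoring above mean + k * stdev of all inferred path scores."""
    paths = infer_paths(build_access_graph(records))
    scored = [(score_path(p), p) for p in paths]
    scores = [s for s, _ in scored]
    threshold = mean(scores) + k * pstdev(scores)
    return threshold, [p for s, p in scored if s > threshold]


if __name__ == "__main__":
    threshold, flagged = detect(SAMPLE_ACCESS_LOG)
    print(f"threshold={threshold:.2f}")
    for p in flagged:
        print(" -> ".join(path_nodes(p)), "score", score_path(p))
```

On the constructed records the benign intra-slice chains score low, while the host-originated chain host-1 -> nrf-1 -> smf-1 -> udm-1 -> smf-2 -> upf-2 crosses slice boundaries three times and is the only path above the threshold. In a real deployment the time window, the weights and the threshold would be tuned on benign baseline traffic, and the suffix de-duplication matters: without it every tail of a long malicious path is reported as a separate alert.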