
This article has been accepted for inclusion in a future issue of this magazine.

Content is final as presented, with the exception of pagination.


ACCEPTED FROM OPEN CALL

Automated Attack and Defense Framework toward 5G Security


Yanbin Sun, Zhihong Tian, Mohan Li, Chunsheng Zhu, and Nadra Guizani

Abstract

5G networks are currently being developed rapidly and are dedicated to connect all things of the Internet with new technologies, components and services. Due to the crucial role of 5G, as well as new architectures and designs, 5G faces a great number of security threats and demands suitable security technologies. This article proposes an automated attack and defense framework toward 5G security with the aim of providing exploratory guidance for 5G security research. We first review the security challenges of attack/defense objects from the perspective of a hierarchical structure, and then propose a hierarchical security model that supports both single-layer security and cross-layer security. According to the hierarchical model, an automated attack and defense framework based on a security knowledge graph is proposed for both known and unknown security threats of 5G and provides possible directions toward 5G security automation.

Introduction

A large quantity of new mobile applications, such as the mobile Internet and Internet of Things (IoT), have emerged due to the popularity of mobile devices and the development of mobile wireless communication technologies [1]. According to the Cisco VNI report, the global mobile device number was 8.6 billion in 2017, and this will be 12.3 billion by 2022. Monthly mobile traffic will reach 77.5 exabytes by 2022 [2]. In the future, mobile wireless communication will become one of the mainstream communication techniques and provide various services with diverse requirements, such as large-scale IoT devices, high speed mobile devices and high-traffic applications. Although existing mobile wireless networks can meet the device accessing and the traffic requirements at present, it may be difficult to fulfill future service requirements. Thus, the next-generation mobile wireless network, that is, the 5G network, will arise.

The main services of 5G can be divided into three categories [3]:
• Enhanced mobile broadband (eMBB) with high bandwidth requirements, such as virtual reality (VR) and augmented reality (AR).
• Ultra-reliable and low-latency communication (uRLLC) with reliability and latency requirements, such as Internet of Vehicles (IoV), remote control and tactile Internet.
• Massive machine-type communication (mMTC) with massive diverse device access requirements, such as IoT.

To support diverse new applications and services, a great number of technologies can be adopted by 5G, such that the aim “Internet of Everything” can be achieved. The technologies used in 5G are divided according to the requirements of different layers. The physical layer can provide advanced communication capabilities, such as low latency, high data bandwidth, high coverage rate, and massive connectivity. To obtain these capabilities, various technologies, such as multiple full-duplex communication, ultra-dense network, massive multiple-input multiple-output, and millimeter wave, can be adopted. The logical layer is designed to support diverse, efficient and low-cost services via network virtualization and network slicing. Thus, the technologies, such as network functions virtualization (NFV), software-defined networking (SDN), new models of forwarding and routing [4], as well as cloud-based networking can be adopted.

The security of 5G arises with the use of new technologies and scenarios, which have attracted much attention. A 5G security mechanism should be considered at the beginning of 5G, and should be integrated into the 5G architecture. It is infeasible to solve the 5G security issue by patching, which may result in a bloated 5G architecture. An integrated 5G security design brings two main advantages. First, patching solutions can be largely avoided. The security solutions will rarely affect the 5G architecture. Second, the anti-attack ability of 5G will be enhanced, with attacks against 5G greatly weakened and reduced.

Although the critical security problems of 5G have been widely studied, there still exist the following challenges:
• The lack of consideration regarding cross-layer security. Since 5G applications are supported by the technologies of each layer, an attack may cross multiple layers instead of a single layer.
• The lack of consideration regarding unknown security threats. Discovering 0-day vulnerabilities and finding unknown attacks, which are helpful to handle potential attacks, play important roles in 5G security.
• The lack of consideration regarding security automation. A manual security approach is unsuitable for diverse and complex 5G scenarios. Security automation is considered as one of the principles of the 5G security vision [5].

To solve the above challenges, this article is dedicated to explore a security framework toward

Digital Object Identifier: 10.1109/MNET.011.1900635

Yanbin Sun, Zhihong Tian (corresponding author), and Mohan Li are with Guangzhou University; Chunsheng Zhu is with Southern University of Science and Technology and Peng Cheng Laboratory; Nadra Guizani is with Washington State University.

1 0890-8044/20/$25.00 © 2020 IEEE IEEE Network • Accepted for Publication


Authorized licensed use limited to: Northwestern University. Downloaded on May 04,2020 at 00:20:58 UTC from IEEE Xplore. Restrictions apply.

5G from an automated attack and defense perspective. Since 5G has not been deployed widely, the proposed framework is an exploratory solution toward 5G security. The main contributions of this article are as follows.
• We summarize the hierarchical framework of 5G and review the security challenges and solutions for each layer.
• Instead of focusing on the security of a single layer, cross-layer security is studied. According to the hierarchical structure of 5G, a hierarchical attack and defense model is proposed. The security threats and solutions on a single layer and cross layers are formally described.
• According to the proposed model, an automated security framework based on security knowledge graph is proposed in the hope of providing automated attack and defense capabilities for 5G.

The rest of this article is organized as follows. The 5G security challenges are first discussed, and then a hierarchical security model is proposed. Then, an automated security framework based on security knowledge graph is presented and discussed. In the final section, we conclude the article.

Security Challenges in Hierarchical 5G Framework

Existing survey and tutorial articles [6, 7] for 5G security always focus on security approaches for specific security issues. Unlike previous works, the 5G security framework here is considered as a whole. We first summarize the hierarchy of 5G architecture, and then review the corresponding security challenges and solutions based on the hierarchy.

Hierarchical Structure of 5G

Diverse 5G schemes have been proposed [8] but without unified architecture. By analyzing the architecture of these schemes, a hierarchical structure for 5G can be extracted. Figure 1 shows the hierarchical structure. The architecture of 5G is divided into four layers from the bottom up: the physical layer, virtual layer, service layer, and application layer. The last three layers can be collectively called the logical layer corresponding to the physical layer.

The physical layer provides unified physical resources, as well as corresponding communication technologies for the upper layers. By virtualizing the physical resource, the logical layer is used to support specific 5G applications. To satisfy different requirements of 5G scenarios, the virtualized resources are customized to diverse services by combining SDN, network slicing, and corresponding management and orchestration (right part of Fig. 1). The detailed process is as follows. Based on the virtualization technology, the unified physical resources are converted to virtual resources on the virtual layer and the traditional hardware-supported networking is turned into SDN [9]. By managing and orchestrating the virtual resources, the network slice (i.e., the virtual network) for a specific service can be obtained. Then, the network slice provides resources for specific applications, for example, the IoT service can be used to support the smart factory, smart city, and so on.

[Figure 1 labels: Application Layer (Smart City, Smart Car, Multimedia, Smart Campus, Smart Factory, Web Application, Voice Call); Service Layer (IoT, IoV, VR/AR, ICS); Virtual Layer (VNF, Virtual Compute, Virtual Storage, Virtual Network, Virtualization layer); Physical Layer (Core network); side labels: Slicing, Management & Orchestration, SDN, Control, Data.]

FIGURE 1. Hierarchical structure of 5G.

Security Challenges and Solutions

A target which is vulnerable and needs protection is called the attack/defense object. Here, we review the security challenges of 5G from the perspective of attack/defense object of each layer rather than the specific technologies. Our security framework is also built around the attack/defense object. Table 1 summarizes the attack/defense objects of 5G with a rough division and contains both traditional objects (such as the operating system and the application software) and 5G-related objects (such as the virtual entity and control software). The object can continue to be divided. For example, the listed control software in the table can be detailed with the specific software vendor and software version.

Objects in the first two rows of Table 1 (the hardware device and wireless channel) belong to the physical layer. For the hardware device, fake device, side-channel attacks, and malicious destruction are the main security challenges which can lead to spoofing, data leakage and device unavailability. To solve these security threats, security management, authorization and encryption mechanisms can be used. The security management keeps devices isolated from attackers. The authorization and encryption mechanisms can be used to identify the attacker and prevent the data from being corrupted and leaked. Due to the openness of radio propagation [10], the wireless channel faces two main challenges: unauthorized access and eavesdropping attacks. To solve these two challenges, the wireless channel must be prevented from being measured, replicated and reconstructed by an attacker. Based on the uniqueness, reciprocity, and diversity of 5G, some new 5G-related security technologies are proposed to satisfy the requirement, such as radio frequency recognition approaches, wiretap coding technologies, key generation technologies using random characteristics (e.g., channel state information, received signal strength, phase information), secure multi-antenna technologies, and so on [11].

The remaining objects in Table 1 belong to the logical layer. The main security challenges are as follows.

Data Leakage: By using NFV and network slicing, the physical resources of 5G are shared among different services. With a poor isolation


approach, the attacker may illegally access the data of other services by breaking the isolation. Additionally, since the physical resources are always reallocated from one service to another service, the residual data from the previous service may be leaked to the latter. Thus, some promising approaches are studied, such as VM/slice isolation, data erasure, data encryption and secure communication [10].

Category | Object
Hardware device | Base station, repeater, router, switch, server, smart device, and so on
Channel | Wireless channel, optical fiber, cable, and so on
Virtual entity | Openstack, VMWare, hypervisor, docker, vSwitch, virtual machine (VM), virtual resource, and so on
Operating system (OS) | Enea OSE, C/OS, Linux, Windows, and so on
Control software | SDN controller, slicing controller, and so on
Application software | Web browser, database, smartphone app, and so on
Protocol | Communication protocol, networking protocol, authorization protocol, API, and so on

TABLE 1. Objects of 5G networks.

The Vulnerabilities of Firmware, Software and Protocol: One of the key components of 5G is the controller, that is, the management and orchestration software. The vulnerability of the controller can be exploited and used to launch attacks on the network slicing and corresponding services. In addition to controller vulnerabilities, 5G encourages new software and protocols, but it also presents unknown software or protocol vulnerabilities which pose new threats to 5G.

The Outside Security Threat: Attacks from the outside, such as DoS, DDoS and MITM, toward key components of 5G can result in serious problems, for example, service unavailability and fake data.

Hierarchical Attack and Defense Model

The security threats reviewed previously are specific to each layer. However, most threats to 5G are caused by a combination of attacks instead of a single attack. The combination of multiple attacks can be called the attack chain. Different from the traditional definition of attack chain [12], attack chain here focuses on how to construct an attack path toward an object across multiple objects rather than the detailed steps to launch an attack. However, the attack chain for 5G lacks attention. Moreover, the attack chain for 5G is not limited to a single layer; the cross-layer attack is also a crucial aspect of 5G. Here, a hierarchical attack and defense model is first proposed, such that the single-layer and cross-layer attack chains and corresponding defense strategies can be expressed. Then, the relationship between the model and 5G is discussed.

Hierarchical Model

The hierarchical model is based on the attack/defense object. In this section, the object is not a rough division, but it is a specific attack/defense object with a detailed vendor and version. According to the hierarchical structure of 5G and corresponding security challenges, attack/defense objects are distributed to each layer. For two objects in the same layer, there may exist a relationship between the two objects. Based on the object relationships in a layer, a graph is constructed. As shown in Fig. 2a, there are four layers and each layer contains a graph. In the graph, a node denotes the attack/defense object. The edge is determined by the relationship between two nodes. If there exist one or multiple relationships between two nodes, an edge exists. The relationship between nodes is viewed as an edge attribute and is determined by the attack and defense requirements. For example, for two objects on the physical layer, a connectivity relationship can be used. For two objects on the logical layer, a function relationship can be used.

The object relationship is not limited to one layer. There may exist vertical edges between two layers. Multiple relationships, such as management, orchestration, functional support, and resource sharing, can be used as the attribute of edge. Based on the vertical edge, a hierarchical graph is obtained. Figure 2b shows the hierarchical graph. The dotted line represents the vertical edge and connects all separate graphs. Note that the sliced service layer may have multiple slices and one slice is chosen to denote the layer.

Based on the hierarchical graph, the attack to an attack/defense object can be represented by a triple <obj, atk, atk_rst>. The obj denotes the corresponding object. The atk is a tuple which contains two elements: the condition of attack and the method of attack. The atk is expressed as <cdt, mtd>. The atk_rst is a list of results corresponding to a different object which is affected by atk. It can be expressed as a list of tuples with each tuple containing two elements: the affected object aft_obj and the result of attack per. According to the obtained permission, the attack result contains multiple permissions, such as disable, readable, writable, executable, and so on. Thus, the attack result is expressed as <<aft_obj1, per1>, <aft_obj2, per2>, ..., <aft_objk, perk>>. Based on the formalized attack <obj, atk, atk_rst>, a directed edge between the attacked object and the affected object is established. If multiple objects are affected, then multiple directed edges are established. For example, a triple <Obj1, <Cdt, Atk>, <<Obj2, Readable>, <Obj3, Executable>>> denotes that object Obj1 is attacked by attack method Atk under the attack condition Cdt. Two objects Obj2 and Obj3 are affected and the readable and executable permissions are obtained. Therefore, two directed edges are established from Obj1 to Obj2 and Obj3.

According to the triple <obj, atk, atk_rst>, a directed edge is obtained from the attacked object to the affected object on the hierarchical graph. Figure 2c shows the hierarchical graph with directed edges that are denoted by the black arrow line. Thus, the hierarchical graph turns into a hierarchical directed graph. The directed edge is distributed in a layer or between layers. Based on the directed graph, multiple adjacent directed edges may form an attack chain. Given an initial object and a target object, the attack chain provides an attack path between the two nodes and the attack can be launched step by step. However, not all directed paths can be used as attack chains. Each attack on an attack chain should satisfy its attack condition. For any two adjacent edges, if the attack condition for the attack of the last edge is satisfied by the attack result obtained by the attack of the first edge, then the two adjacent edges form an attack chain.

[Figure 2: panels (a), (b) and (c), each showing the Application, Service, Virtual and Physical layers.]

FIGURE 2. Hierarchical attack and defense model.

The defense strategy can also be represented by a triple <cost, mtd, dfs_rst>. Each triple corresponds to an attack (a directed edge) and can be one of the attributes of the edge. The cost denotes the defense resources which are needed by the strategy. The mtd denotes the detailed defense method. The dfs_rst denotes the defense effect. In response to the attack chain, a list of defense strategies can be achieved. However, not all defense strategies need to be executed. We only need to break the connectivity of the attack chain by choosing some specific defense strategies according to the security requirement or a defense strategy toward a critical attack on the attack chain.

Discussion of Hierarchical Model

The hierarchical attack and defense model can support the security description for not only the single-layer threat but also the cross-layer threat. For example, 5G can be used for smart factory in the future. There may exist some attacks to the industrial control process, such as tampering the monitoring data or the control data. The attack process may cross multiple layers. The ferry attack is first used to access the physical server, and then the NFV manager vulnerability can be used to find the corresponding industrial control service slicing. Based on the slicing resources, the logical topology of smart factory is identified, and the data tampering attack is performed according to specific application. The whole attack process crosses all layers. According to the hierarchical characteristic of 5G architecture, an attack starting from a layer and spreading to objects in other layers or in the same layer will be one of the main threats to 5G.

The hierarchical security model has three advantages:
• Complex security threats can be formally represented and deeply analyzed such that effective strategies against security threats can be adopted.
• Based on directed paths, unknown security threats can be found such that security risks are avoided when possible.
• The hierarchical model is essentially a graph and it is suitable for supporting automated attack and defense. However, the hierarchical model is only a theoretical model for 5G; how to apply the model to solve specific security issues remains a problem. In the next section, we will present an automated attack and defense framework by using this model.

Automated Attack and Defense Framework

Most 5G security studies rely on an expert’s knowledge and require manual interventions. It is hard to satisfy the requirements of scalability, accuracy and efficiency for addressing security threats. Therefore, automated attack and defense becomes one of the key research areas for 5G security.

The proposed hierarchical attack and defense model is essentially a graph containing the objects in all layers and their relationships. Correspondingly, it can be implemented by a security knowledge graph. Based on such a knowledge graph, the specific objects, vulnerabilities, attacks, defense strategies, and so on, can be correlated with each other. Thus, given an attack/defense object, attack or defense can be performed automatically according to the relationships on security knowledge graph.

An automated attack and defense framework is constructed based on a security knowledge graph. Figure 3 shows the structure of framework which consists of four components: the security knowledge graph, automated attack technologies, automated defense technologies, and 5G security testbed. Based on large amounts of security data, the knowledge graph is first constructed and used to support automated attack and defense by using known knowledge. Then, to explore unknown security threats and effective defense strategies, the automated attack technology and automated defense technology are studied to provide feedback to the knowledge graph. To verify new security technologies, a security testbed of 5G is needed.

Security Knowledge Graph

The security knowledge graph is based on the hierarchical attack and defense model. Multiple entities (objects) are identified from large amounts of scattered security knowledge and corresponding attributes and relationships are extracted. Figure 4 shows a part of a security knowledge graph. To distinguish different attacks to an attack/defense object, the security threat (such as attack, vulnerability, and so on) is also viewed as an object and the defense strategy is


used as the corresponding attribute. The red lines in the figure denote an attack chain from Object1 to Object3. In addition to the presented objects, other objects, relationships, and attributes also exist; these are not shown in the figure.

[Figure 3 labels: Test & Verification (testbed for automated attack and defense of 5G networks); Attack & Defense (automated attack technologies: attack chain search and generation, automated vulnerability mining, automated vulnerability exploiting, password guessing, AI-based automated attack; automated defense technologies: attack chain prediction and defense, security threat detection, security risk assessment, automated vulnerability repair, AI-based automated defense; confrontation, upgrade); Data support (large-scale security knowledge graph construction: security data collection, security knowledge extraction and fusion, security knowledge reasoning, hierarchical directed graph construction); arrows: verification support, supplement support.]

FIGURE 3. Automated attack and defense framework.

Security knowledge graph construction consists of three steps: data collection, knowledge extraction and fusion, and knowledge reasoning. Although mature technologies can be directly used for the construction, special requirements for 5G should be considered. For data collection, the large-scale and dynamic requirements should be satisfied. The security data can be obtained in many existing ways, such as vulnerability databases, exploit-db, GitHub, dark networks, security competitions, and security event analysis. To support 5G security, a centralized 5G security data platform is needed. Data extraction and fusion face challenges of accuracy and completeness. Due to the existence of multisource and unstructured data, two representations of an entity may be identified as different entities, thus it is hard to extract a relationship accurately and completely. Multisource knowledge fusion, as well as semi-structured and unstructured data process, should be further studied. Security knowledge reasoning can be used to discover the hidden relationship and the efficiency is the main challenge. In consideration of the large-scale knowledge graph, subgraph-based knowledge reasoning or AI-based knowledge reasoning can be promising approaches.

If the attack chain from an object to another object exists in the knowledge graph, the attack or corresponding defense strategies can be obtained automatically. Otherwise, new entries and relationships should be added. To support unknown security threats, automated attack and defense technologies are needed.

Automated Attack Technology

The research on automated attack focuses on two aspects. Key technologies for automated attacking, such as vulnerability mining and exploitation, password guessing, AI-based automated attack, and so on, are studied separately. The search and generation of attack chain is studied to find existing and potential attack chains.

Vulnerability mining automatically digs for vulnerabilities in firmware, software and protocols. Fuzzing technologies combined with symbolic execution are always used. Automated vulnerability exploitation technology automatically locates the jumpable address of a program stack and then uses the layout memory to replace the jumpable address with a shellcode address, such that the shellcode can be executed. Due to the large number of IoT devices in 5G, the vulnerabilities of IoT firmware and new protocols need further research. For password guessing, AI-based password generation for password libraries is a promising technology. Based on the password library, password guessing tools, such as HashCat and John the Ripper, are used to guess the password, and they may play an important role especially when dealing with IoT devices of 5G. To bypass the security detection, an AI-based automated attack is studied, for example, by dynamically changing the characteristic and the rule of device access with AI technology, a DDoS attack detection for a base station can be bypassed.

The above technologies are used to provide feedback knowledge to the knowledge graph. To utilize the knowledge graph, attack chain search technology and attack chain generation technology can be studied for existing and potential threats.

Since existing attack chains are already recorded in the knowledge graph, the attack chains started from an object or against an object can be obtained by attack chain search technology. Given an object, multiple attack chains with a tree structure starting from the object can be obtained according to some conditions, such as the minimal cost and the maximum threat. Similarly, an attack chain against the object can also be found. On the large graph, efficiency is one of the main focuses of attack chain search technology. Path search on large graphs may be a promising technology.

An unknown attack chain can be predicted and constructed by using attack chain generation technology based on existing knowledge. AI-based technology (such as a graph neural network) is a promising technology. Existing attack chains are first learned by training of an AI model, then the trained AI model can be used to predict a potential attack chain. Based on potential attack chain, the specific attack for each edge is explored to determine whether or not the potential attack chain is effective.

Automated Defense Technology

Similar to automated attack technology, the research on automated defense technology also consists of two aspects:
• Co-related key automated defense technologies including security threat detection, risk assessment, vulnerability repair, and AI-based automated defense.
• Prediction and defense for an attack chain, which can predict the attack chain and choose corresponding defense strategies.

To detect attacks on attack/defense objects of 5G, security threat detection technology is adopted and security situational awareness is considered as a promising detection approach. However, due to cross-layer security threats, traditional situational awareness becomes limited. Therefore, detecting changes in the physical layer and supporting NFV, SDN and network slicing are the main focuses of further research. To guarantee the effectiveness of defense strategy, security risk assessment technology is adopted such that the security threat is quantitatively evaluated. Due to the large number of objects and complex 5G environment, previous assessment approaches are no longer applicable to 5G and improved approaches are needed. Movement detection may be a promising approach [13]. In response to vulnerabilities, automated vulnerability repair technology [14] can be adopted. Corresponding to AI-based attack technology, an AI-based defense technology, which learns dynamic defense methods from existing defense or attack methods, can be adopted. In addition to the above defense technologies, traditional defense technologies, such as encryption, authentication, and key management [15], can also be applied.

Based on the above technologies, attack chain prediction and defense technology can be achieved. When an attack to an object is detected, the attack chain and potential final target can be predicted. Thus, a corresponding defense strategy can be obtained. Due to the dynamic feature of attack and defense, attack chain prediction and defense strategy choice can adopt an approach based on game theory. In addition, reinforcement learning is also helpful for the defense strategy chosen. The best reward action can be learned through trial and error. Thus, a combination of the two technologies may be a promising approach.

[Figure 4 labels: Object1, Object2, Object3, Attack1, Attack2, Vulnerability 1, Vulnerability2, Attribute, Condition & method, Condition & exploit, Result, Defense.]

FIGURE 4. An example of security knowledge graph.

for realizing a 5G security testbed. According to the scale of 5G security testbed, there are three aspects that can be further studied:
• An integrated testbed with all layers can be built for large-scale security testing.
• A horizontal testbed for a single layer can be studied for the security of the corresponding layer, for example, the testbed of the physical layer and the testbed of the virtual layer.
• A testbed for vertical services can also be built.

Automated Attack and Defense Framework for 5G

The automated attack and defense framework is not a one-fits-all framework for 5G security. The framework is not intended to completely solve 5G security problems, but to provide possible directions and some helpful ideas for 5G security automation.

The automated attack and defense framework is helpful in dealing with combined attack threats for a single-layer and cross-layer in 5G. The automated attack and defense framework can also deal with both known and unknown security threats of 5G. Since existing attack chain and defense strategies are stored in the security knowledge graph, they can be found in the knowledge graph automatically. Relatively, by using automated attack technologies and automated defense technologies, the unknown threat to 5G can be discovered and recorded in the knowledge graph.

The framework adopts an open architecture based on a security knowledge graph. For the attack or defense technology, it can be supported by the security knowledge graph and be used
to discover new knowledge to provide feedback
5G Security Testbed knowledge to the knowledge graph. The relation-
The 5G testbed plays an important role in 5G ships between technologies are mostly loosely
security. It provides a platform for attack and coupled. Thus, the technology used in the frame-
defense experiments and provides a verification work is not limited to existing technologies; fur-
approach for new security technologies. By using ther research of new technologies that conforms
the 5G security testbed, existing security issues to the 5G characteristic can also be carried out
are widely and deeply studied, and unknown and integrated into the framework. Existing securi-
security threats are found and responded to rap- ty technologies toward 5G and new security tech-
idly and effectively. nologies for 5G are both worth studying.
Several 5G testbeds have been proposed,
but the security testbed is still lacking, especially Conclusion
for automated attack and defense technologies. This article focuses on 5G security and explores
Here, we do not focus on the specific technical potential directions for 5G. An automated attack
details but discuss some promising directions and defense framework toward 5G security is pro-

IEEE Network • Accepted for Publication 6


Authorized licensed use limited to: Northwestern University. Downloaded on May 04,2020 at 00:20:58 UTC from IEEE Xplore. Restrictions apply.
This article has been accepted for inclusion in a future issue of this magazine. Content is final as presented, with the exception of pagination.
[11] Y. Liu et al., “Physical Layer Security for Next Generation
Wireless Networks: Theories, Technologies, and Challeng-
The automated attack and defense framework is not a one-fits-all framework for 5G security. es,” IEEE Commun. Surveys Tuts., vol. 19, no. 1, First Quarter
The framework is not intended to completely solve 5G security problems, but to provide possible 2016, pp. 347–76.
[12] E. M. Hutchins et al., “Intelligence-Driven Computer Net-
directions and some helpful ideas for 5G security automation. work Defense Informed by Analysis of Adversary Campaigns
and Intrusion Kill Chains,” Proc. 6th Int’l Conf. Information
Warfare and Security, vol. 1, no. 1, Jan. 2011, pp. 113–25.
[13] J. Qiu et al., “Nei-TTE: Intelligent Traffic Time Estimation
posed. By reviewing the architecture and challeng- Based on Fine-Grained Time Derivation of Road Segments
es of 5G, a hierarchical security model supporting for Smart City,” IEEE Trans. Ind. Informat., vol. 16, no. 4, Apr.
2020, pp. 2659–66.
both single-layer security and cross-layer security [14] S. Mechtaev et al., “Angelix: Scalable Multiline Program
is presented. The security model corresponds to a Patch Synthesis via Symbolic Analysis,” Proc. 38th Int’l. Conf.
security knowledge graph. Based on such a secu- Software Engineering, May 2016, pp. 691–701.
rity knowledge graph, a 5G security framework [15] X. Du et al., “A Routing-Driven Elliptic Curve Cryptography
based Key Management Scheme for Heterogeneous Sensor
is obtained and can be used to deal with both Networks,” IEEE Trans. Wireless Commun., vol. 8, no. 2, Mar.
known and unknown 5G security threats. 2009, pp. 1223–29.

Acknowledgment Biographies
This work is supported by the National Yanbin Sun received the B.S., M.S. and Ph.D. degrees in com-
Key Research and Development Plan (no. puter science from Harbin Institute of Technology (HIT), Harbin,
China. He is currently an assistant professor at Guangzhou Uni-
2018YFB0803504); the Guangdong Prov- versity, China. His research interests include network security,
ince Key Area R&D Program of China (no. future networking and scalable routing.
2019B010137004, 2019B010136001); the
National Natural Science Foundation of Zhihong Tian received the Ph.D. degree. He was a Standing
Director of the CyberSecurity Association of China. From 2003
China (no. 61702223, 61702220, 61871140, to 2016, he was with the Harbin Institute of Technology. He
U1636215); the Guangdong Province Univer- is currently a professor, a Ph.D. supervisor, and a Dean of the
sities and Colleges Pearl River Scholar Funded Cyberspace Institute of Advanced Technology, Guangzhou Uni-
Scheme (2019); the Natural Science Foundation versity. He was a member of the China Computer Federation.
His current research interests include computer network and
of Guangdong Province (2020A151501450); the network security. His research has been supported in part by
project PCL Future Greater-Bay Area Network the National Natural Science Foundation of China; the National
Facilities for Large-scale Experiments and Appli- High-tech R&D Program of China (863 Program); the National
cations (LZC0019); and the Opening Project Basic Research Program of China (973 Program); and the Post-
doctoral Science Foundation of China.
of Shanghai Trusted Industrial Control Platform
(TICPSH202003014-ZC). Mohan Li received her B.S., M.S. and Ph.D degrees in comput-
er science from Harbin Institute of Technology (HIT), Harbin,
References China. From 2016 to 2018, she worked at Jinan University. She is
[1] X. Du and H. Chen, “Security in Wireless Sensor Networks,” currently an associate professor at Guangzhou University, China.
IEEE Wireless Commun., vol. 15, no. 4, Aug. 2008, pp. Her research interests include data quality and data security.
60–66.
[2] Cisco, “Cisco Visual Networking Index: Global Mobile Data Chunsheng Zhu is an associate professor at the SUSTech Insti-
Traffic Forecast update (2016-2021),” Cisco White Paper, tute of Future Networks at Southern University of Science and
Feb. 2017. Technology in China. He is also an associate researcher at the
[3] H. Ji et al., “Ultra-Reliable and Low-Latency Communications PCL Research Center of Networks and Communications at the
in 5G Downlink: Physical Layer Aspects,” IEEE Wireless Com- Peng Cheng Laboratory in China. He received the Ph.D. degree in
mun., vol. 25, no. 3, July 2018, pp. 124–30. electrical and computer engineering from The University of British
[4] Z. Tian et al., “Vcash: A Novel Reputation Framework for Columbia, Canada. He has authored more than 100 publications
Identifying Denial of Traffic Service in Internet of Con- published by refereed international journals (e.g., IEEE Transactions
nected Vehicles,” IEEE IoT-J., Nov. 2019, DOI: 10.1109/ on Industrial Electronics, IEEE Transactions on Computers, IEEE
JIOT.2019.2951620. Transactions on Information Forensics and Security, IEEE Transac-
[5] N. G. M. N., Alliance, “NGMN 5G White Paper,” Next tions on Industrial Informatics, IEEE Transactions on Vehicular Tech-
Generation Mobile Networks, White paper, Feb. 2015, pp. nology, IEEE Transactions on Emerging Topics in Computing, IEEE
1–125. Transactions on Cloud Computing, ACM Transactions on Embed-
[6] Y. Wu et al., “A Survey of Physical Layer Security Techniques ded Computing Systems, ACM Transactions on Cyber-Physical
for 5G Wireless Networks and Challenges Ahead,” IEEE Systems), magazines (e.g., IEEE Communications Magazine, IEEE
JSAC, vol. 36, no. 4, Apr. 2018, pp. 679–95. Wireless Communications Magazine, IEEE Network Magazine), and
[7] I. Ahmad, et al., “Overview of 5G Security Challenges and conferences (e.g., IEEE INFOCOM, IEEE IECON, IEEE SECON,
Solutions,” IEEE Commun. Standards Mag., vol. 2, no. 1, Mar. IEEE DCOSS, IEEE ICC, IEEE GLOBECOM). His research interests
2018, pp. 36–43. mainly include Internet of Things, wireless sensor networks, cloud
[8] M. Agiwal et al., “Next Generation 5G Wireless Networks: computing, big data, social networks, and security.
A Comprehensive Survey,” IEEE Commun. Surveys Tuts., vol.
18, no. 3, Third Quarter 2016, pp. 1617–55. Nadra Guizani is an assistant professor at the School of Electri-
[9] H. Hawilo et al., “NFV: State of the Art, Challenges, and cal Engineering & Computer Science, Washington State Univer-
Implementation in Next Generation Mobile Networks sity, USA. She received her Ph.D. from Purdue University, USA.
(vEPC),” IEEE Network, vol. 28, no. 6, Nov. 2014, pp. Her Ph.D. research work revolved around prediction and access
18–26. control of disease spread data on dynamic network topologies.
[10] X. Wang et al., “Physical-Layer Authentication for Wire- Her research interests include machine learning, mobile net-
less Security Enhancement: Current Challenges and Future working, large data analysis, and prediction techniques. She is
Developments,” IEEE Commun. Mag., vol. 54, no. 6, Jun. an active member of both the Women in Engineering program
2016, pp. 152–58. and the Computing Research Association (CRA).
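The attack chain prediction and defense strategy choice described under Automated Defense Technology, sketched as an added example that is not code from the article: a constructed knowledge graph in the shape of Figure 4 (attacks with conditions and results, defenses that remove facts) is forward-chained from a detected attack, and a defense is picked by a one-step minimax rule standing in for the game-theoretic choice. The object names (ran, sdn, slice, app), the vulnerability, attack and defense labels, the impact scores and the costs are all assumptions made up for illustration.

```python
# Constructed security knowledge graph in the shape of Figure 4.
# All object, vulnerability, attack and defense names are made-up labels.
ATTACKS = {  # attack: (target object, conditions required, results gained)
    "attack1": ("ran", {"vuln1"}, {"access:ran"}),
    "attack2": ("sdn", {"access:ran", "vuln2"}, {"access:sdn"}),
    "attack3": ("slice", {"access:sdn", "vuln3"}, {"access:slice"}),
    "attack4": ("app", {"access:ran", "vuln4"}, {"access:app"}),
}
DEFENSES = {  # defense: (facts it removes from the graph, assumed cost)
    "patch_vuln2": ({"vuln2"}, 2),
    "patch_vuln3": ({"vuln3"}, 1),
    "patch_vuln4": ({"vuln4"}, 1),
    "isolate_ran": ({"access:ran"}, 6),
}
IMPACT = {"ran": 1, "sdn": 5, "slice": 8, "app": 3}  # assumed loss per object


def predict_chain(detected, facts, removed=frozenset()):
    """Forward-chain from a detected attack; return follow-on attacks in order."""
    known = (set(facts) | ATTACKS[detected][2]) - set(removed)
    chain, progress = [], True
    while progress:
        progress = False
        for name in sorted(ATTACKS):
            _, conditions, results = ATTACKS[name]
            if name != detected and name not in chain and conditions <= known:
                chain.append(name)
                known |= results - set(removed)
                progress = True
    return chain


def final_target(chain):
    """Predicted final target: the highest-impact object the chain reaches."""
    return max((ATTACKS[a][0] for a in chain), key=IMPACT.get, default=None)


def choose_defense(detected, facts):
    """One-step minimax: minimise cost plus the worst impact still reachable."""
    def loss(defense):
        removed, cost = DEFENSES[defense]
        chain = predict_chain(detected, facts, removed)
        return cost + max((IMPACT[ATTACKS[a][0]] for a in chain), default=0)
    return min(sorted(DEFENSES), key=loss)


if __name__ == "__main__":
    facts = {"vuln1", "vuln2", "vuln3", "vuln4"}  # constructed current state
    chain = predict_chain("attack1", facts)
    print(chain, final_target(chain), choose_defense("attack1", facts))
```

Patching vuln2 wins here because it cuts the cross-layer path to the two highest-impact objects at low cost, leaving only the lower-impact branch reachable.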
