As the new year brings mobile devices closer to the promise of faster 5G speed, cyber sleuths are developing defenses to the inevitable, sophisticated attacks that could hijack millions of phones and turn them into botnets.

“Botnets are one of the most powerful cyber threats affecting continuity and delivery of existing network services. Detecting and mitigating attacks promoted by botnets become a greater challenge with the advent of 5G networks, as the number of connected devices with high mobility capabilities, the volume of exchange data, and the transmission rates increase significantly,” write the authors of “Dynamic Reconfiguration in 5G Mobile Networks to Proactively Detect and Mitigate Botnets,” which appears in the September/October 2017 issue of IEEE Internet Computing.

We have already seen the devastating effects of these attacks, and the bandwidth of 5G mobile tech, which could roll out as early as 2019, will give attackers a far richer environment to work in. At least one provider is expected to offer 5G residential broadband service this year in a few cities.

Proactive scenario to detect and mitigate botnets. The scenario is composed of two 5G network operators that provide certain services in two different countries. They separate the Radio Access Network (RAN) from the non-radio aspects considered as an Evolved Packet Core (EPC) network. UE stands for User Equipment, and areas labeled a through f indicate the key architectural points where the architecture needs to face functional requirements.

These sprawling networks of infected devices — called botnets — carry out malicious attacks, not least the distributed denial of service (DDoS) attacks that have shut down major consumer websites over the past several years.

What is a botnet

A botnet is a network of thousands or millions of compromised devices, known as bots, infected with malware that their owners installed unknowingly and then controlled remotely by a command and control (C&C) server.

Typically, recruited bots periodically poll the command and control server to ask whether they should trigger actions.

“Kaspersky Lab reported for the third quarter of 2016 that the botnet-assisted DDoS attacks comprised 78.9 percent of all detected attacks, where the largest number was observed on 3 August 2016 with 1,746 attacks. As real examples, the Mirai and Leet botnets launched crippling DDoS attacks in 2016, reaching up to 650 gigabits per second (Gbps) of network traffic to disrupt services of Amazon and Netflix, among others,” say the authors.

However, these cyber-security experts are on it.

The researchers—who hail from the University of Murcia in Spain, the University of the West of Scotland, and Nextworks, a digital content delivery company—propose a 5G-oriented solution for proactively detecting and mitigating botnets in a highly dynamic 5G network. The study’s authors are Manuel Gil Pérez, Alberto Huertas Celdrán, Fabrizio Ippoliti, Pietro G. Giardina, Giacomo Bernini, Ricardo Marco Alaez, Enrique Chirivella-Perez, Félix J. García Clemente, Gregorio Martínez Pérez, Elian Kraja, Gino Carrozzo, Jose M. Alcaraz Calero, and Qi Wang.

Strategy against 5G botnets

To tackle the problem, their remedy would do what other botnet detectors cannot.

“Detecting and mitigating botnets have been addressed by many works, among which we can highlight BotHunter and BotMiner as popular detectors. BotHunter focuses on detecting specific stages of the malware infection process, conducted during the first recruitment phase, while BotMiner consists of a network anomaly-based botnet detection system that clusters similar traffic to identify C&C communication patterns. Yet, they focus on inspecting network packet payloads, which isn’t a feasible choice in 5G because of the large volumes of data generated from 5G subscribers’ User Equipment, causing Deep Packet Inspection tools to be overloaded,” the authors write.

The new approach proposed by the authors is an architecture that stays compatible with current technologies while adding a detection and mitigation stage designed for the botnets expected in 5G networks.

“The main novelty of this approach comes from the conduction of two control loops, with two different levels of abstraction for detection, because of the large number of expected 5G subscribers’ UEs: a (light) high-level detection to analyze network flows and identify suspicious bots very quickly; and, once possible bots are observed, conducting a (heavy) low-level DPI to confirm that the botnet is in place,” the authors say.

Proposed 5G-oriented solution for the mobile use case. C&C = command and control; DPI = Deep Packet Inspection; FM = Flow Monitoring; LTE TM = Long-Term Evolution Topology Manager; HSS = Home Subscriber Server; P-GW = Packet Data Network (PDN) Gateway; S-GW = Serving Gateway; and SDN = software-defined network.

The plan is to set a trap.

Using honeynets

First, the researchers create vulnerabilities in a network on purpose in order to lure attackers in and study their methods, allowing them to create an even stronger security system.

They will use a honeynet, so called because it is like drawing flies to honey.

“For its mitigation, we propose the deployment of a virtualized and personalized honeynet to isolate the botnet communications through bots’ behavior emulation. In this scenario, the bots’ mobility is also considered and properly addressed, managing and detecting UEs’ movements to dynamically deploy and/or reconfigure NFs in the 5G network infrastructure at runtime,” say the authors.

Next, the proposed system reacts in real time, deploying virtual network functions that draw the attackers deeper into the trap.

“Our architecture uses the four well-known processes for detection and reaction purposes — known as the Monitor, Analyze, Plan, and Execute (MAPE) approach — to present a functional decomposition of the proposed 5G botnet detection and mitigation architecture. This will ‘close the loop’ from monitoring GTP flows and packets (analysis) to the orchestrated deployment of new VNFs in real time. As we mentioned, our proposal follows an approach of two detection phases with different levels of abstraction,” the authors write.

Workflows of the two control loops of detection from (a) a high-level and (b) a fine-granularity level perspective. ANPPF = average number of packets per flow; ABf = average of bytes per flow; ADf = average of duration per flow; HNet = honeynet; and OVS = Open Virtual Switch.
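As an added illustration (not code from the paper or its authors) of the light, high-level loop, the script below aggregates constructed flow records per User Equipment and destination into the three features named in the figure, ANPPF, ABf and ADf, plus the regularity of the gaps between flows, and flags pairs that look like the periodic C&C polling described above; the thresholds and the sample flows are assumptions chosen for illustration, and the flagged pairs are what the heavy DPI phase would then confirm.

```python
from collections import defaultdict
from dataclasses import dataclass
from statistics import mean, pstdev

@dataclass
class Flow:
    ue: str          # User Equipment identifier
    dst: str         # remote endpoint contacted by the UE
    packets: int
    nbytes: int
    duration: float  # seconds
    start: float     # seconds, used for inter-flow timing

def pair_features(flows):
    """Per (UE, destination): ANPPF, ABf, ADf, flow count and gap_cv, the
    coefficient of variation of gaps between flow starts (0 = periodic)."""
    groups = defaultdict(list)
    for f in flows:
        groups[(f.ue, f.dst)].append(f)
    feats = {}
    for key, fl in groups.items():
        starts = sorted(f.start for f in fl)
        gaps = [b - a for a, b in zip(starts, starts[1:])]
        gap_cv = pstdev(gaps) / mean(gaps) if len(gaps) >= 2 and mean(gaps) > 0 else None
        feats[key] = {"ANPPF": mean(f.packets for f in fl),
                      "ABf": mean(f.nbytes for f in fl),
                      "ADf": mean(f.duration for f in fl),
                      "flows": len(fl), "gap_cv": gap_cv}
    return feats

def suspicious_pairs(flows, max_anppf=10, max_abf=1500, max_adf=2.0,
                     min_flows=5, max_gap_cv=0.2):
    """Light high-level check: flag (UE, destination) pairs whose flows are
    many, short, small and regularly spaced, i.e. shaped like C&C polling.
    Thresholds are assumed for illustration; hits go to the heavy DPI phase."""
    hits = []
    for key, f in pair_features(flows).items():
        if (f["flows"] >= min_flows and f["ANPPF"] <= max_anppf
                and f["ABf"] <= max_abf and f["ADf"] <= max_adf
                and f["gap_cv"] is not None and f["gap_cv"] <= max_gap_cv):
            hits.append(key)
    return sorted(hits)

# Constructed sample: ue-1 polls one host every 60 s with tiny flows, ue-2
# browses normally, ue-3 makes small flows but at irregular times.
SAMPLE_FLOWS = (
    [Flow("ue-1", "198.51.100.7", 4, 320, 0.3, 60.0 * i) for i in range(6)]
    + [Flow("ue-2", "203.0.113.20", 120, 95000, 12.5, 5.0),
       Flow("ue-2", "203.0.113.21", 800, 1200000, 40.0, 30.0)]
    + [Flow("ue-3", "203.0.113.9", 3, 200, 0.2, t) for t in (0, 7, 50, 51, 200)]
)
```

Only ue-1's regular, tiny flows are flagged; ue-3's equally small but irregular flows are not, which is the point of looking at timing as well as volume before spending DPI effort.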

This is when it gets good.

Two open source platforms, OpenDaylight (the SDN controller) and OpenStack (the cloud platform), are configured to hunt down the source of the botnets. The proposed architecture combines these free and open source network technologies in a fully virtualized environment, together with certain custom 5G software components, to target the offenders.

“When the Plan process decides to install a rule in OVS, SDNO queries the controller’s inner datastores to retrieve all needed network topology information. This procedure is necessary to identify the involved switches and hosts (UEs, VNFs, C&C, and so on) connected to them. Once the targets (that is, bots, the C&C, and Snort when generating the network flow mirroring rule) are identified in the network, SDNO generates the flow rule as a JavaScript Object Notation (JSON) payload of a REST query to send to OpenDaylight,” the authors say.

The task is grueling, no doubt. But, suffice it to say, while the rest of us enjoy gloriously fast internet speeds, cybersecurity experts are working hard to hunt down and block those who would ruin it for us.
