Introduction

The rise in encrypted network traffic, driven by the use of HTTPS and Virtual Private Networks (VPN), poses challenges for traditional traffic analysis tools, which struggle to detect malicious activity in traffic they cannot inspect. This, along with the large amount of traffic from mobile and IoT devices, demands advanced Artificial Intelligence (AI)-based techniques. These techniques enable intelligent, adaptable, and autonomous security management, helping to address the increasing complexity and real-time anomaly detection needs of 5G/IoT networks. However, the adoption of AI methods in IoT and future mobile networks is still in its infancy, and three major issues hold back AI research for 4G/5G/IoT networks. First, diverse real-world datasets are scarce because of privacy concerns among telecom operators. Second, current AI security solutions prioritize accuracy and performance metrics and often lack explainability for their decisions, which is crucial for the reliability of 5G infrastructure. Third, ML models are susceptible to adversarial attacks, so ensuring robustness against such threats remains a significant challenge.

Montimage developed three AI-based security applications that correspond to three main steps of Intrusion Detection and Response for real-time anomaly detection of the 5G/IoT network. Firstly, the Traffic Classification application characterizes network traffic to identify certain types of normal user activities, such as web browsing, chatting, or video streaming. Secondly, the Attack Detection application differentiates between malicious traffic and legitimate traffic to detect popular cyberattacks in 5G or IoT environments. Finally, the Root Cause Analysis (RCA) application employs a similarity-based machine learning approach to discover the root causes of problems in order to quickly identify appropriate solutions.

We aim to enhance the performance, explainability, and robustness of our AI-based security applications for network traffic analysis and anomaly detection in 5G/IoT networks, addressing the aforementioned challenges:

  • Deploying real 4G/5G/IoT testbeds. It involves the deployment of real (private) 4G/5G/IoT networks as well as Security Analysis, providing detailed instructions for their setup.
  • XAI framework for resilient 5G/IoT traffic analytics. We design and develop an open-source framework consisting of two main components: (1) Network Traffic Analysis and (2) XAI for Resiliency, which is integrated into the SPATIAL platform.

Extensive experimentation demonstrates the effectiveness of the AI models, evaluating accountability and resilience metrics using both public and private datasets through our testbeds, thereby validating the models’ robustness and reliability. Additionally, our framework serves a broad range of user groups, including network administrators, security analysts, IT operations teams, cybersecurity researchers, enterprises, organizations, and academic institutions, utilizing the framework for experiments, validation, teaching, and research in network security and AI.

Deploying real 5G/IoT testbeds

The 4G/5G testbed comprises an EPC-in-a-Box platform, representing a commercialized 4G/5G network core developed by Montimage and Cumucore. It allows for the quick creation of a complete 4G/5G network within minutes and serves as both a testing environment and a means to establish a small-scale mobile network for industrial use. The testbed consists of three main components: Radio Access Network (RAN), Evolved Packet Core (EPC) or 5G Core, and MMT. Once deployed, the testbed enables commercial devices to connect, granting access to Internet Protocol (IP) services in Public Data Networks and the Internet. MMT-Probe analyses the real-time traffic between the RAN and EPC, ensuring compliance with security requirements, while MMT-Operator facilitates automated decision-making and responses to anomalies. A step-by-step guide for deploying a 5G testbed using open-source tools and technologies can be found in the repository https://github.com/Montimage/cerberus-edge-configuration.

Figure 1: Inside of the super-micro server (left) and GUI of the 5G testbed (right)

The IoT testbed consists of various equipment, including Zolertia REMotes, a Raspberry Pi, and related accessories. These components form an IoT IPv6 over Low-Power Wireless Personal Area Network (6LoWPAN). A border router mote acts as the gateway, collecting data from other motes and transmitting it to the server via a Universal Serial Bus (USB) connection on the Raspberry Pi. The MMT-Sniffer device captures network traffic and sends it to the Linux-based machine via USB, where MMT-IoT is deployed for traffic analysis and statistics extraction for the Root-cause Analysis module. The Raspberry Pi serves as the power source for the motes, hosts the server for handling sensed data, and receives the sniffed traffic for analysis by MMT-IoT. 

XAI framework for resilient 5G/IoT traffic analytics

We design and implement the Montimage AI Platform (MAIP), an XAI framework with an intuitive and user-friendly interface for network traffic analysis and classification in 5G/IoT networks. It comprises two principal components: Network Traffic Analysis and XAI for Resiliency. While the Network Traffic Analysis component aims to fulfill the need for effective analysis and classification of encrypted traffic using advanced AI techniques, the XAI for Resiliency component aims to enhance the robustness of AI models built within the Network Traffic Analysis module, making them more resilient against different types of adversarial machine learning attacks.

The Network Traffic Analysis component aims to meet the demand for effective analysis and classification of encrypted traffic using advanced AI techniques. The Data Acquisition module collects raw traffic data from networks or 4G/5G/IoT testbeds in either online or offline mode. Additionally, it can leverage Cyber Threat Intelligence (CTI) sources, e.g., deployed honeypots, to learn and continuously train our models using attack patterns and past anomaly information stored in the database, especially for anomaly detection applications. The Data Analysis and Processing phase employs the open-source Montimage Monitoring Tool MMT-Probe to parse raw network traffic, extract network and application-based events (such as protocol field values and statistics), compute the features required for AI models and translate them into a numeric form. The modular architecture of MMT-Probe allows new protocols to be added to the parser. The extracted features comprise multiple parameters that are computable on raw traffic regardless of whether the traffic is encrypted, including statistics involving byte and time information. For instance, for anomaly detection, we extract and employ 59 features, including basic features from packet headers and statistical features computed after aggregating the traffic into flows. The AI models module is tasked with constructing various models to classify vectorized network traffic data for diverse objectives, such as classifying user activity, detecting anomalies in encrypted traffic, and conducting root cause analysis.
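The flow-aggregation step described above, as an added illustration rather than MMT-Probe's own code: packets are keyed on a bidirectional 5-tuple, grouped into flows, and reduced to header, byte and timing statistics that need no payload access, then laid out as a fixed-order numeric vector. The packet records, field names and feature names are constructed for this example and are not the 59 features MAIP uses.

```python
from collections import namedtuple
from statistics import mean

# ts is capture time in milliseconds, length is bytes on the wire (constructed fields)
Packet = namedtuple("Packet", "ts src dst sport dport proto length")

def flow_key(p):
    """Bidirectional 5-tuple key so both directions of a conversation share one flow."""
    lo, hi = sorted([(p.src, p.sport), (p.dst, p.dport)])
    return (lo, hi, p.proto)

def aggregate_flows(packets):
    """Group packets into flows; no payload is inspected, so this also works on TLS."""
    flows = {}
    for p in sorted(packets, key=lambda x: x.ts):
        flows.setdefault(flow_key(p), []).append(p)
    features = {}
    for key, pkts in flows.items():
        origin = (pkts[0].src, pkts[0].sport)        # endpoint that started the flow
        fwd = [p for p in pkts if (p.src, p.sport) == origin]
        ts = [p.ts for p in pkts]
        iat = [b - a for a, b in zip(ts, ts[1:])]    # packet inter-arrival times
        features[key] = {
            "pkt_count": len(pkts),
            "fwd_pkts": len(fwd),
            "bwd_pkts": len(pkts) - len(fwd),
            "total_bytes": sum(p.length for p in pkts),
            "mean_pkt_len": mean(p.length for p in pkts),
            "duration_ms": ts[-1] - ts[0],
            "mean_iat_ms": mean(iat) if iat else 0,
        }
    return features

FEATURE_ORDER = ["pkt_count", "fwd_pkts", "bwd_pkts", "total_bytes",
                 "mean_pkt_len", "duration_ms", "mean_iat_ms"]

def to_vector(feat):
    """Fixed-order numeric vector, the form the AI models consume."""
    return [float(feat[name]) for name in FEATURE_ORDER]

# Constructed capture: one DNS lookup and one TLS session (RFC 5737 documentation address)
SAMPLE = [
    Packet(0,   "10.0.0.5", "10.0.0.1", 40001, 53, "udp", 70),
    Packet(20,  "10.0.0.1", "10.0.0.5", 53, 40001, "udp", 120),
    Packet(50,  "10.0.0.5", "203.0.113.10", 51000, 443, "tcp", 74),
    Packet(150, "203.0.113.10", "10.0.0.5", 443, 51000, "tcp", 74),
    Packet(151, "10.0.0.5", "203.0.113.10", 51000, 443, "tcp", 583),
    Packet(250, "203.0.113.10", "10.0.0.5", 443, 51000, "tcp", 1514),
    Packet(251, "203.0.113.10", "10.0.0.5", 443, 51000, "tcp", 1514),
    Packet(350, "10.0.0.5", "203.0.113.10", 51000, 443, "tcp", 66),
]
```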

The XAI for Resiliency component aims to enhance the robustness of AI models built within the Network Traffic Analysis module, making them more resilient against various types of adversarial machine learning attacks. The Adversarial Attacks module focuses on injecting various evasion and poisoning adversarial attacks, such as label flipping attacks and Generative Adversarial Network (GAN) attacks, or integrating existing AI-based attack libraries for the robustness analysis of AI models. The Explainable AI module aims to produce post-hoc global and local explanations of the predictions generated by our models. Specifically, we employ popular model-agnostic post-hoc XAI techniques, such as SHAP (SHapley Additive exPlanations) and LIME (Local Interpretable Model-Agnostic Explanations), to explain the predictions of our models. Furthermore, we incorporate defence mechanisms, such as adversarial training and leveraging XAI techniques, to prevent attacks against the AI models. The relationship between XAI and adversarial attacks is intricate and multi-dimensional. On one hand, increasing the transparency and interpretability of a model can make it more vulnerable to adversarial attacks: by leveraging the explanations provided by XAI methods, attackers can identify model weaknesses and create more potent adversarial examples. On the other hand, if a model lacks transparency and interpretability, it becomes difficult not only to understand the reasoning behind its predictions but also to detect and address adversarial attacks. Hence, it is crucial to find a balance between explainability and exposure to adversarial attacks in order to develop secure and robust AI models. As we need to consider the trade-off between explainability, robustness and performance of our system, we measure quantifiable metrics for its accountability (e.g., through accuracy, currentness, and confidence metrics) and resilience (e.g., through impact and complexity metrics).
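The label-flipping poisoning injected by the Adversarial Attacks module and the resulting impact metric, in miniature. This is an added illustration, not MAIP code: a pure-Python k-NN classifier over constructed 2-D flow vectors, with the flip applied deterministically to the first n training samples of the attack class so the accuracy loss measured against a held-out set is reproducible.

```python
from math import dist
from collections import Counter

# Constructed 2-D flow feature vectors (think mean packet length, mean IAT, rescaled)
# labelled 0 = normal, 1 = attack. A toy set, not real MAIP training data.
TRAIN = [((1, 1), 0), ((1, 2), 0), ((2, 1), 0), ((2, 2), 0),
         ((8, 8), 1), ((8, 9), 1), ((9, 8), 1), ((9, 9), 1)]
TEST = [((1, 1), 0), ((2, 2), 0), ((5, 4), 0), ((8, 8), 1), ((9, 9), 1)]

def knn_predict(train, x, k=3):
    """Majority vote among the k training samples nearest to x."""
    nearest = sorted(train, key=lambda s: dist(s[0], x))[:k]
    return Counter(label for _, label in nearest).most_common(1)[0][0]

def accuracy(train, test, k=3):
    """Fraction of held-out samples the model classifies correctly."""
    hits = sum(knn_predict(train, x, k) == y for x, y in test)
    return hits / len(test)

def flip_labels(train, from_label, to_label, n):
    """Poisoning simulation: relabel the first n training samples of from_label."""
    out, flipped = [], 0
    for x, y in train:
        if y == from_label and flipped < n:
            out.append((x, to_label))
            flipped += 1
        else:
            out.append((x, y))
    return out

def impact(train, test, n_flipped, k=3):
    """Resilience metric: (clean accuracy, poisoned accuracy, accuracy lost)."""
    clean = accuracy(train, test, k)
    poisoned = accuracy(flip_labels(train, 1, 0, n_flipped), test, k)
    return clean, poisoned, clean - poisoned
```

With three of the four attack-class labels flipped, the held-out attack flows are voted into the normal class and accuracy falls from 1.0 to 0.6, an impact of 0.4; repeating this across flip counts gives the curve a resilience report would plot.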

Our framework is implemented in Node.js, utilizing the MMT-Probe tool written in C for feature extraction. We leverage popular Python libraries for machine learning (e.g., numpy, scikit-learn, tensorflow, xgboost, lightgbm) and XAI (e.g., SHAP, LIME). These components are packaged in Docker containers, enabling users to install and test them locally with ease. Users have the flexibility to interact with the components either via the locally hosted Swagger UI or directly through the SPATIAL platform’s API gateway. For an enhanced user experience, we’ve also developed a client side built in React, providing users with an intuitive and user-friendly interface to access all services. This includes extracting features, building or retraining the model, injecting adversarial attacks, producing explanations, and evaluating our model using different metrics, all provided by our two components.