Network intrusion prevention in the evolved packet core utilising software defined networks and network function virtualisation

Master Thesis


Mobile Networks (MNs) are fundamental infrastructure in modern life. As traffic volumes rise and subscriber needs expand, Mobile Network Operators (MNOs) must adapt to keep up with demand. This has led MNOs to virtualise the Core Network (CN) using Software Defined Networking (SDN) and Network Functions Virtualisation (NFV). The security and reliability of the MN come under greater scrutiny as more traffic and more subscribers depend on it, and as MNs grow in importance they become more attractive targets for malicious actors. Virtualising the CN has introduced new security issues, such as network paths that are never needed for normal operation but that an attacker can exploit. This research aims to use SDN and NFV to mitigate this issue by allowing only critical network paths to be traversed in a virtualised CN; any attempt to use another path triggers an alert and quarantines the offending node. The CN of an MN controls and manages all traffic flows through the mobile network, from User Equipment (UE) to a backhaul network (e.g., the Internet). A flow is a stream of data that uses a network path between two or more nodes in the network. Security has mostly focussed on defending the perimeter of the CN, preventing unwanted access to its internals and preventing subscribers' UE from being compromised. This perimeter-only focus has left the High Value Assets (HVAs) of the CN vulnerable to malicious actors who have gained access to internal nodes of the CN. Vulnerabilities still exist that could allow an attacker to compromise a node within the CN, and once inside, the attacker can manoeuvre throughout the network undetected and unhindered along any network path, with an HVA as the most likely goal.
Therefore a Network Intrusion Prevention System (NIPS) is proposed that limits the paths allowed within the CN and detects any attempt to traverse a non-critical network path. This greatly increases the probability that an attacker is detected. The NIPS leverages two new network architectures to protect the CN's HVAs. First, SDN is used to gain a holistic view of traffic flows within the CN. SDN integrates network control functions into a logically centralised controller, which also allows programmatic management of the network; this proves crucial in detecting, containing and responding to security threats internal to the network. Second, NFV allows specific network functions within the CN to be virtualised. With the ability to virtualise individual nodes of the CN comes the opportunity to programmatically deploy network functions dedicated to security as soon as an anomaly is detected. NFV is selected for this research because it can quickly deploy false instances of the target of a network attack, allowing for comprehensive containment. Together, SDN and NFV create an environment in which attacks on an HVA can be mitigated. An SDN-based NIPS is proposed that applies strict control rules to the traffic flows allowed between nodes in the CN. During normal operation of the CN only flows over critical network paths are required, so a flow requested from the SDN controller that does not use a critical path is treated as malicious. In that case the SDN application automatically deploys a virtualised decoy of the intended target by means of NFV. The controller then redirects the malicious flows away from their intended target to the decoy, effectively quarantining the compromised node and mitigating the attack's damage.
It is shown that a NIPS with the described functionality detects, contains and responds to an attacker attempting lateral movement.
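The detect, contain and respond loop described in the abstract can be written down as a small controller policy. The following Python is an added illustration and not code from the thesis: the critical-path whitelist (node names are illustrative; the ports are the standard 3GPP assignments for the interface named in each comment), the decoy-per-target naming, and the rule that a quarantined node's later flows all go to decoys are assumptions made here, and the NFV step is simulated rather than driving a real orchestrator or SDN controller.

```python
"""Toy model of the SDN/NFV-based NIPS policy sketched in the abstract.

Added example, not the thesis's own code. The controller, the decoy
deployment and the critical-path table are all constructed here to show
the detect -> contain -> respond sequence; no real SDN controller or NFV
orchestrator is driven.
"""
from dataclasses import dataclass, field

# Constructed whitelist of critical EPC paths as (src_node, dst_node, dst_port).
# Node names are illustrative; ports are the standard ones for each interface.
CRITICAL_PATHS = frozenset({
    ("eNB", "MME", 36412),  # S1-MME: S1AP over SCTP
    ("eNB", "SGW", 2152),   # S1-U: GTP-U
    ("MME", "SGW", 2123),   # S11: GTP-C
    ("MME", "HSS", 3868),   # S6a: Diameter
    ("SGW", "PGW", 2123),   # S5: GTP-C
    ("SGW", "PGW", 2152),   # S5: GTP-U
})


@dataclass(frozen=True)
class FlowRequest:
    """A packet-in event: `src` wants a new flow to `dst`:`dport`."""
    src: str
    dst: str
    dport: int


@dataclass
class Nips:
    critical: frozenset = CRITICAL_PATHS
    decoys: dict = field(default_factory=dict)      # real target -> decoy VNF name
    quarantined: set = field(default_factory=set)   # nodes whose flows go only to decoys
    flow_rules: list = field(default_factory=list)  # rules that would be pushed to switches
    alerts: list = field(default_factory=list)

    def deploy_decoy(self, target: str) -> str:
        """Stand-in for the NFV step: instantiate (once) a decoy VNF for `target`."""
        if target not in self.decoys:
            self.decoys[target] = f"decoy-{target}"  # hypothetical VNF name
        return self.decoys[target]

    def _redirect(self, req: FlowRequest, reason: str) -> dict:
        """Respond: raise an alert, quarantine the source, steer the flow to a decoy."""
        decoy = self.deploy_decoy(req.dst)
        self.quarantined.add(req.src)
        self.alerts.append(f"{reason}: {req.src} -> {req.dst}:{req.dport}")
        self.flow_rules.append({"match": req, "action": "redirect", "to": decoy})
        return {"action": "redirect", "to": decoy}

    def packet_in(self, req: FlowRequest) -> dict:
        """Controller decision for a new flow request."""
        if req.src in self.quarantined:
            # Containment: a quarantined node never reaches a real HVA again,
            # even on a path that would otherwise be critical.
            return self._redirect(req, "quarantined source")
        if (req.src, req.dst, req.dport) in self.critical:
            self.flow_rules.append({"match": req, "action": "forward"})
            return {"action": "forward"}
        # Detection: any request outside the critical paths is treated as
        # lateral movement by a compromised node.
        return self._redirect(req, "non-critical path")


def demo() -> list:
    """Walk a compromised eNB through detection, containment and response."""
    nips = Nips()
    events = [  # constructed packet-in sequence
        FlowRequest("eNB", "MME", 36412),  # legitimate S1-MME flow
        FlowRequest("eNB", "HSS", 3868),   # an eNB has no business talking Diameter to the HSS
        FlowRequest("eNB", "MME", 36412),  # now quarantined: even the critical path hits a decoy
        FlowRequest("MME", "HSS", 3868),   # an uncompromised MME is unaffected
    ]
    return [(e, nips.packet_in(e)) for e in events]


if __name__ == "__main__":
    for req, decision in demo():
        print(f"{req.src:>4} -> {req.dst}:{req.dport:<5} {decision}")
```

The important design point is the second eNB-to-MME request: once a node has tried a non-critical path it stays quarantined, so its previously legitimate flows are also steered to a decoy instead of the real HVA, which is what keeps the compromised node from doing further damage while the alert is investigated.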