Bandwidth Spoofing and Intrusion Detection System ...

[13] Devi, Reeta, et al. "Implementation of Intrusion Detection System using Adaptive Neuro-Fuzzy Inference System for 5G wireless communication network.
This article has been accepted for publication in a future issue of this journal, but has not been fully edited. Content may change prior to final publication. Citation information: DOI 10.1109/TVT.2017.2745110, IEEE Transactions on Vehicular Technology


Bandwidth Spoofing and Intrusion Detection System for Multi Stage 5G Wireless Communication Network

Akhil Gupta, Member, IEEE, Rakesh Kumar Jha, Senior Member, IEEE, Pimmy Gandotra, Student Member, IEEE, Sanjeev Jain, Senior Member, IEEE

Abstract—The number of subscribers is growing rapidly all over the world, which has given rise to numerous challenges, like interference management and capacity enhancement. The enabling technologies of the 5G wireless communication networks are the candidates for dealing with this plight. Though the 5G technologies meet the mounting demands, security remains a vital concern. This paper emphasizes the security issues of 5G wireless communication networks, with a game theoretic analysis of the bandwidth spoofing attack on the multi stage 5G wireless communication network. Intrusion on the relay, small cell access point and base station, which together form a multi stage 5G wireless communication network, is detected using a proposed Adaptive Intrusion Detection System.

Index Terms—5G, Hidden Markov Model, Intrusion Detection System, Bandwidth Spoofing, Game Theory.

I. INTRODUCTION

The evolution of wireless communication started with the advent of analog voice calls. Today, superior quality, high data rate broadband services are available to meet the growing user demands. New wireless technologies that have recently emerged to fulfil subscriber needs are High Speed Packet Access (HSPA) and Long Term Evolution (LTE). The announcement of 5G has brought about the notion of a thoroughly connected society, capable of providing anywhere and anytime access to information. Such a vision involves incorporating some enhanced technologies into the wireless networks, like Device-to-Device (D2D) communication, millimeter wave communication and massive MIMO. These technologies will certainly result in increased mobile traffic in the years to come [1]. These advancements have some additional challenges associated with them, like Energy Efficiency (EE), security, spectrum utility, delay, etc. Network performance can be evaluated in terms of throughput, delay and dense connectivity. Hence, there arises a need to overcome the mentioned challenges while maintaining security.

The basic theory of security involves maintaining the confidentiality and integrity of communication by protecting the individuality and privacy of subscribers within the network. Communication networks are largely vulnerable to cyber-attacks. In the recent past, hackers have turned their attention towards the mobile network, resulting in a surge of security breaches [2-5]. The liability of being attacked is further increased in 5G networks by the introduction of IP architectures and extensive cloud involvement for network processing and communication [6]. Thus, incorporating security aspects within a 5G network is a must, and secrecy traits should now be part of 5G architectural designs. The development of security in 5G networks has an immense scope.

This paper presents a minor step towards securing the 5G Wireless Communication Networks (WCNs). In order to focus on security, the heterogeneous 5G cellular network architecture proposed in [1] needs to be addressed. Relays, macro-cells, microcells and small cells are considered important components of the proposed architecture. Such a division of the architecture supports enhanced coverage and thus overcomes the low signal problem. In return, however, these components create a dynamic spot for intrusion. Since unauthorized users can easily access relays and small cell access points, these two locations are highly susceptible to attacks.

Contribution: In this paper, the security of 5G WCNs has been analyzed. The analysis covers various possible security breaches in the 5G WCNs. In the Internet of Things (IoT), excessive dependence on the cloud increases the liability of attacks and thus needs special attention. This paper primarily focuses on the possible security attacks on the multi stage 5G WCN, which comprises the Relay, Small Cell Access point (SCA) and Base Station (BS). The bandwidth spoofing attack on the multi stage 5G WCN has been mathematically analyzed using game theory. For the detection of intrusion on the Relay, SCA and BS in the multi stage 5G WCN, an adaptive Intrusion Detection System (IDS) has been proposed. This paper also finds a relation between the security of the attacked site and its power level. The sole purpose of the multi stage 5G WCN is to optimize the power, while maintaining the security of the network components.

Akhil Gupta is an Assistant Professor in School of Electronics and Electrical Engineering, Lovely Professional University, Punjab, India. (Email: [email protected]). Rakesh Kumar Jha is Assistant Professor in Department of Electronics and Communication Engineering, Shri Mata Vaishno Devi University, J&K, India. (E-mail: [email protected]). Pimmy Gandotra is a PhD Research Scholar in Department of Electronics and Communication Engineering, Shri Mata Vaishno Devi University, J&K, India. (E-mail: [email protected]). Sanjeev Jain is a Professor and Vice Chancellor in Shri Mata Vaishno Devi University, J&K, India. (E-mail: [email protected]).

Copyright (c) 2015 IEEE. Personal use of this material is permitted. However, permission to use this material for any other purposes must be obtained from the IEEE by sending a request to [email protected]. 0018-9545 (c) 2017 IEEE. Personal use is permitted, but republication/redistribution requires IEEE permission. See http://www.ieee.org/publications_standards/publications/rights/index.html for more information.


II. POSSIBLE SECURITY ATTACKS FOR 5G WIRELESS COMMUNICATION NETWORK

The wireless communication networks have evolved, along with the evolving technologies, over the generations. Evolution is a mandatory phenomenon for the wireless networks: user demands are increasing, and evolution is obligatory to meet these demands effectively. Appropriate architectural and equipment level changes are being carried out to fulfil the user demands. A shift towards flat networks has been brought about from the traditional closed hierarchical networks, and these flat networks are more porous and easier to penetrate [6]. The developing technologies therefore pave the way for attacks on the wireless networks. To ensure a better quality of service, femto cells, small cells and Wi-Fi hotspots are being used instead of costly Radio Access Network (RAN) equipment to provide service to the end users [7]. However, they act as active intrusion sites for attackers. The authors in [8] have explained the wireless network attacks in detail, based on access control, authentication, availability, confidentiality and integrity.

The evolution of the wireless industry has also led to the simultaneous evolution of intruders. Attackers are trying to discover new methods to intrude into the evolving networks, as pointed out in [7]. Among the security attacks listed in [7], the Denial-of-Service (DoS) attack is considered to be the most common and dreadful attack. Its main aim is to exhaust the target resources. At present, it is the most common attack on the internet, targeting web services. Nowadays, mobile networks are becoming an integral part of our day-to-day life, but they are the most plausible targets for the DoS attack, which is generally carried out with a mobile botnet. Control plane elements, like the Mobility Management Entity (MME) [2], are also being targeted in the 4G cellular networks, while an attack against the Home Location Register (HLR) has been shown in [9]. The increased use of protocol stacks as open source software in the near future will result in a growing threat of the DoS attack, sustained by mobile botnets [2].

TABLE I. BASIC ATTACKS

| Classification | Attacks | Description |
|---|---|---|
| Access control attacks | War driving | Broadcasted access points are discovered and recorded by the moving beacons. |
| Access control attacks | Rogue access point | Establishing an unsafe access point inside the firewall. |
| Access control attacks | Ad-hoc associations | Access point security is destroyed by establishing a direct connection with an unsecured station. |
| Access control attacks | MAC spoofing | Alteration of computer uniqueness by hiding MAC address. |
| Access control attacks | RADIUS cracking | Hacking RADIUS authentication server to get login credentials. |
| Authentication attacks | Shared key guessing | Intruder tries to guess the shared key of the network and gain access to it. |
| Authentication attacks | Pre-shared key | Seized key handshake frame is used for recovering the Wi-Fi protected access (WPA) pre shared key. |
| Authentication attacks | Application login theft | The username and password of the user's email ID are captured. |
| Authentication attacks | Domain login cracking | Recovering the Windows login and password of marked users. |
| Authentication attacks | VPN login cracking | Recovering IPSec pre shared key by brute force attacks on VPN (Virtual Private Network) authentication protocol. |
| Authentication attacks | Identity theft | Apprehending of user identities from clear text identity response packets. |
| Authentication attacks | Password guessing | A captured identity is used to repeatedly guess the user's password. |
| Authentication attacks | LEAP cracking | Seized LEAP packets help in recovering the user's identities. |
| Authentication attacks | EAP (Encrypted Authentication Protocol) downgrade | Forcing wireless server to offer weaker response by NAK (Negative Acknowledgement) packets. |
| Availability attacks | Access point theft | Access point is physically removed from the local space. |
| Availability attacks | Denial of Service attack | Channel appears busy. |
| Availability attacks | TKIP MIC exploits | The LAN (Local Area Network) service is suspended by increasing the target access point's MIC (Message Integrity Check) error threshold. |
| Confidentiality attacks | Eavesdropping | Interception of the personal data. |
| Confidentiality attacks | WEP key cracking | Cracking WEP (Wired Equivalent Privacy) key, usually by aircrack-ng. |
| Confidentiality attacks | Evil Twin access point | Deceiving wireless access point traps the users as a valid access point. |
| Confidentiality attacks | Access point phishing | For phishing the confidential data, a web server is executed on an evil twin access point. |
| Confidentiality attacks | Man in the middle | Attacker acts as a client for the server and as a server for the client. |
| Integrity attacks | Frame injection | Attacker injects their own frames and crafts the original one. |
| Integrity attacks | Data replay | Attacker captures the data frames and uses them later after modification. |
| Integrity attacks | Authentication replay | Attacker captures the EAP identity RADIUS access. |


Another type of DoS attack exists, known as radio interface jamming. Jamming involves transmission of a high power signal for blocking a band of frequencies. In contrast to 3GPP specific mobile networks, the control channel must be blocked in a selective manner for jamming, which completes the task of radio interfacing. The most effective attack is on a regular mobile, where the attacker has the ability to obtain a botnet of devices, thereby turning them into devices executing jamming [2]. A number of distributed sources may combine coordinated attacks, resulting in a Distributed Denial of Service (DDoS) attack. This type of attack is very challenging. There are certain methods which are capable of provisionally providing restricted protection, such as monitoring the incoming internet traffic rate or blocking offending sources. These measures are also applicable to the present and future 5G mobile communication networks.

There are certain other measures by which the jamming effects can be reduced. One measure involves designing the control plane protocols between the network and the mobile terminal so that no significant effort is required from the network side to detect an illicit request. Another measure involves developing an overload protection mechanism which allows the network functions to keep operating even when a large number of requests exist. Cooperation between security and radio researchers is essential in order to alleviate the impact of smart jamming [2].

With the evolution of wireless communication, attackers are also evolving and finding different ways to intrude into the network. These attacks are classified on the basis of access control, authentication, availability, confidentiality and integrity in [8] and are briefly described in Table I. But with the increasing user demand, our network architecture and equipment are changing accordingly. From closed hierarchical networks, we have shifted to flat networks, which are more porous and easier to penetrate. Likewise, rather than using expensive Radio Access Network (RAN) equipment, we make use of femto cells, small cells and Wi-Fi hot spots [10]. They act as an entry point to the mobile networks, providing an intrusion site. These advancements and changes in the network topologies provide different ways for intruders to attack the system. Innovation among the intruders has paved the way for the new attacks on the 5G WCN given in [10], which are briefly described in Table II.

For extending the coverage area and overcoming the low signal problem, relays and SCAs are introduced in the 5G wireless cellular network (WCN) architecture. However, these act as dynamic sites for intruders to carry out intrusion. By acting as a simple relay, an attacker can easily eavesdrop on the ongoing communication between two users. The man-in-the-middle attack (MITMA) can be initiated by a rogue relay, which intercepts and manipulates the information exchanged between two users. Additionally, communication among clients and relays can be interrupted by external jammers, with the intentional introduction of noise within the system. This results in a DoS or DDoS attack. The susceptibility to attacks at the SCA is very high, as an external entity can seize the SCA and induce the man-in-the-middle attack. In recent wireless architectures, the bandwidth spoofing attack is considered to be one of the attacks affecting the network in a most dreadful manner [7]. In this attack, the attacker floods into the network and spoofs a major part of the bandwidth.

TABLE II. 5G WCN ATTACKS

| Attacks | Description |
|---|---|
| Distributed Denial of Service attack | Resources or bandwidth of the target system are flooded by multiple systems. |
| Ping flood | Saturation of the target system by continuous transmission of ICMP echo request (ping) packets. |
| IP port scan | Target system is scanned for available active ports and the possible vulnerabilities. |
| SYN flood | SYN packets are transmitted by the attacker in succession, making the system busy and unavailable for legitimate users. |
| SQL injection | Malicious SQL statements are injected for execution to make unauthorized changes. |
| DNS hijacking | Redirecting DNS queries to a malicious server. |
| Fraggle attack | Sending spoofed UDP packets for broadcast in the network. |
| Bandwidth Spoofing | Flooding a network to an extent that it starts affecting legitimate traffic. |
| IP spoofing | Creation of IP packets with a forged IP address to conceal the source identity. |

The network shown in Fig. 1 is an example of a multi stage 5G WCN, which comprises a BS, relay and SCA communicating with each other, supporting efficacious transmission and reception of information to/from the users (clients). However, the likelihood of attack is maximum at the relay, followed by the SCA and the BS. The scenario shown in Fig. 1 depicts a massive MIMO and small cell scenario [11-12], with a fixed number of SCAs deployed around the BS for traffic offloading and capacity enhancement. The users in the range of the SCA initially report to the SCA, which then reports to the BS. Now, if there is an attack on the BS as shown in Fig. 1, the BS should be well prepared with a strong defensive measure, because the security of all the devices connected to it is the responsibility of the BS.

There is also a possibility of a security breach at the SCA. An attacker can enter the SCA as a client and then acquire it, as all the devices within the SCA report to the SCA first. Along with this, there also exists a sub-network with a relay. This scenario is similar to D2D communication. The clients within the SCA first report to the SCA, which then reports to the BS. But the users which are on the edge of the SCA and are unable to report to the SCA will report via the relay. The relay is chosen for the data transfer by the edge users because of the better signal quality provided with the incorporation of D2D communication. In this case, however, there exists a possibility of a security breach at the relay. Any attacker entering the network as an SCA client may attack the relay and acquire it for monitoring the clients which are conversing through the relay.

The above mentioned breaches of security on the multi stage 5G WCNs can be curtailed with the implementation of an adaptive Intrusion Detection System (IDS) on each of the multi stage components, i.e. BS, SCA and Relay. Implementing an IDS brings enhanced security to the network, with less power consumption. According to the above discussion, it is concluded that the major threat to the 5G WCNs is the DoS attack. In the years to come, alleviation of this attack will be of major concern. The following section uses game theory to mathematically analyze the bandwidth spoofing attack (a type of DoS attack) on the multi stage 5G WCN comprising the Relay, SCA and BS.

[Figure 1: network diagram. Elements: Internet, C-RAN, BS, SCA1, SCA2, SCA3, Relay, D2D Pair, Authenticated User, Intruder. Link types: Control Link, Communication Link, Intruding Link, Direct Link. BS ~ Base Station; SCA ~ Small Cell Access Point.]

Fig.1. Security Attack on multi stage 5G Wireless Communication Network.

III. MATHEMATICAL MODELLING FOR BANDWIDTH SPOOFING ATTACK IN 5G WIRELESS COMMUNICATION NETWORK

From the preceding section, it is apparent that DoS attacks pose a major threat to the 5G WCNs. In this section, the bandwidth spoofing attack [13-16], which is a type of DoS attack, is formulated using game theory. The attacker in the bandwidth spoofing attack is aware of the uplink/downlink (UL/DL) traffic between the client-BS, SCA-BS and Relay-BS. The complete communication between the client-BS, SCA-BS and Relay-BS is completed in three phases. The first phase involves the operation of ranging, which is performed by the BS. After the completion of ranging, requests can be sent to the server by the SCA/Relay/Client. These requests are sent from the BS (i.e. UL traffic), and constitute the second phase. The server then responds to the specific application of the requesting SCA/Relay/Client, from the BS (DL), completing the third phase.

This process requires bandwidth, which is allocated by the BS to every single SCA/Relay/Client. During the third phase of bandwidth assignment to the SCA/Relay/Client, there are high chances of acquisition of the bandwidth by the attacker. This section examines the bandwidth attack from an unauthorized client, i.e. an attacker, on the SCA/Relay/Client, i.e. the defenders, using game theory. It analyzes the technique by which the attacker wins the game by spoofing the bandwidth. It also analyzes the method by which the SCA/Relay/Client will protect the bandwidth from spoofing, by means of the Nash equilibrium.

1) Game Theory

Game theory is applied to situations where two entities interact in accordance with the rules of a game. According to the theory, the game is open for a definable number of moves available to the client, and it ends after a limited number of moves [17]. Game theory is applied in this paper for analyzing the approach by which the intruder wins the game via bandwidth spoofing. In this paper, there are two interacting entities: the SCA/Relay/Client, represented by P, and the attacker, represented by Q. Both play the game in order to grab the bandwidth. In this paper, game theory is applied and accompanied by linear programming in each and every area. The anticipated result, in mathematical terms, is: {For a Zero sum game, one will gain (P) then other will lose (Q)}

Illustration: The two clients P and Q, while playing the game of tossing a coin, decide that for the same faces, i.e. (h, h) and (t, t), P wins and Q pays. For different faces, however, Q wins and P pays. The toss is carried out without any associated bias.

$$\text{Pay off } P = \begin{array}{c|cc} & h & t \\ \hline h & +1 & -1 \\ t & -1 & +1 \end{array}$$

Here h stands for Head and t stands for Tail. The payoff matrix of P is given above, while the payoff matrix of Q can be deduced from it conveniently. In game theory, two types of clients are distinguished: intelligent and rational. Intelligent clients are the ones who have the capability of logical thinking and can make profitable decisions based on their experience. Rational clients keep their preferences consistent with the ultimate outcomes of the decision making process, and try to maximize those preferences. The utility function helps in achieving a certain gain, which then supports preference maximization. Since both P and Q are intelligent clients, after some time Q realizes how the game is being played by P, which is continuously showing h. Accordingly, Q adapts and shows t. With the progression of the game, P and Q both continue to act intelligently, with gain maximization being targeted by P and loss minimization being targeted by Q. The matrix thus obtained is

$$\text{Max Min gain of } P \;\; \overset{\text{Min Max loss for } Q}{\begin{bmatrix} +1 & -1 \\ -1 & +1 \end{bmatrix}}$$

As stated, P maximizes the minimum gain and Q minimizes the maximum loss. Therefore, the step between various entities is the game.

2) Nash Equilibrium

In game theory, games are catalogued as Cooperative and Non-Cooperative games. Cooperative games study coalition formation. Binding agreements are also considered, which could be beneficial to individual components. Non-cooperative games deal with the mechanism of personalized decisions, where there are no mandatory alliances and the entire process rests on personalized reasoning. There are two forms of non-cooperative games, the extended form and the strategic form. In the extended form, the game is described with a tree structure. The strategic form, however, specifies the space of strategies, the number of clients and the utility function of every client [18]. This paper considers the strategic form of the non-cooperative game.

In game theory, for a non-cooperative game, a solution concept is the Nash Equilibrium. It involves two or more players, with each player knowing the equilibrium strategies of the rest of the players. None of the players can gain anything by changing their respective strategies. Nash equilibrium can be explained for the problem of non-cooperative games by using the theorems below.

Theorem 1: The game is considered to be stated as

$$\zeta \triangleq \left\{ Ǹ,\ (w_j)_{j \in Ǹ},\ (\mathbb{Q}_j)_{j \in Ǹ} \right\}$$

Here $Ǹ$ is the set of 'n' players of the game, $w_j(t)$ is the strategy for the jth player in the game, $W \subset S^{Ǹ} = \{ w_j \mid j \in Ǹ \}$ is the strategy space, and $\mathbb{Q}_j$ is the payoff function for the jth player. Additionally, define $\mathbb{Q}_j \triangleq \mathbb{Q}_j\big(w_j(t),\, w_{-j}(t),\, б_j(t)\big)$, where $б_j(t)$ is a time varying unknown vector and $w_{-j}(t)$ denotes the strategy of every player other than player j.

Theorem 2: For the game as defined in Theorem 1, the strategy vector is said to be at Nash equilibrium if the payoff value does not increase with any unilateral change, in the sense

$$\mathbb{Q}_j\big(w_j^{*}(t),\, w_{-j}^{*}(t),\, б_j(t)\big), \quad \forall j \in Ǹ.$$

The strategic game can be defined as a model which involves a number of interactive clients, which are also called decision makers. It includes the following parameters:

a) A set of clients

b) A set of strategies for each client

c) Preferences over the set of strategic profiles for each client
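The coin-toss payoff matrix and the unilateral-deviation condition of Theorem 2 can be checked numerically. The Python below is an added example, not code from the paper; its function names are illustrative, and it goes slightly beyond the text by solving any 2x2 zero-sum game without a pure saddle point in closed form.

```python
from fractions import Fraction
from itertools import product

# Payoff to P from the page's coin-toss illustration.
# Rows: P shows h / t. Columns: Q shows h / t. Zero-sum: Q's payoff is -P's.
PAYOFF_P = [[1, -1], [-1, 1]]


def expected_payoff(A, p, q):
    """Expected payoff to P when P plays row 0 with probability p
    and Q plays column 0 with probability q."""
    rows = (p, 1 - p)
    cols = (q, 1 - q)
    return sum(rows[i] * cols[j] * A[i][j]
               for i, j in product(range(2), range(2)))


def pure_saddle_point(A):
    """Return (row, col) where P's max-min gain meets Q's min-max loss
    in pure strategies, or None when no such cell exists."""
    for i, j in product(range(2), range(2)):
        is_row_min = A[i][j] == min(A[i])
        is_col_max = A[i][j] == max(A[k][j] for k in range(2))
        if is_row_min and is_col_max:
            return (i, j)
    return None


def mixed_equilibrium(A):
    """Closed-form mixed equilibrium (p, q, value) of a 2x2 zero-sum game.
    p makes Q indifferent between columns; q makes P indifferent between rows."""
    if pure_saddle_point(A) is not None:
        raise ValueError("game has a pure saddle point; no mixing needed")
    (a, b), (c, d) = A
    denom = a - b - c + d
    p = Fraction(d - c, denom)
    q = Fraction(d - b, denom)
    value = Fraction(a * d - b * c, denom)
    return p, q, value


def is_nash(A, p, q):
    """Theorem 2 style check: no unilateral change raises a player's payoff.
    Expected payoff is linear in each player's own mix, so testing the two
    pure deviations of each player is sufficient."""
    v = expected_payoff(A, p, q)
    p_cannot_gain = all(expected_payoff(A, dev, q) <= v for dev in (0, 1))
    q_cannot_gain = all(-expected_payoff(A, p, dev) <= -v for dev in (0, 1))
    return p_cannot_gain and q_cannot_gain


if __name__ == "__main__":
    p, q, value = mixed_equilibrium(PAYOFF_P)
    print("P shows h with probability", p, "| Q shows h with probability", q)
    print("value of the game to P:", value)
    print("equilibrium holds:", is_nash(PAYOFF_P, p, q))
    # P always showing h is exploitable: Q gains by switching to t.
    print("P always h is an equilibrium:", is_nash(PAYOFF_P, 1, q))
```

The last check reproduces the illustration's narrative: once P keeps showing h, Q can improve its own payoff by showing t, so that profile is not an equilibrium.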

There are a variety of strategies for each client. The client can choose amongst mixed and pure strategies. In a pure strategy, the clients choose their moves deterministically. In a mixed strategy, on the other hand, there are a number of diverse strategies, from which the client chooses one. For instance, for a certain set of possible strategies, clients may choose a probability distribution for randomly picking one, prior to the start of the game. In a game, the finest choice of strategy for a client is the mixed strategy, although a pure strategy can be an optimal choice in some games. In this paper, the mixed strategy has been applied by both the clients, with the prisoner's dilemma in an iterative manner, for spoofing the bandwidth. The client adopting the above mentioned strategy is designated as the attacker, while the other is considered the defender. But no one is willing to lose the bandwidth under any circumstances.

For analyzing a game in game theory, the standard example taken is the prisoner's dilemma. It depicts the reason for non-cooperation between rational individuals, even if cooperation appears to be in their best interest. An extended iterated version of the game also exists, which allows the classic game to be played repeatedly between the same prisoners. As a result, each of the prisoners has the opportunity to castigate the other for earlier settlements. If the players know the number of times the game will be played, a pair of classically rational players will betray each other over and over again, in accordance with the backward induction concept. The reason for the repetitive betrayal is the same as in the single shot variant. In a game of unknown length, there is no optimal fixed technique. For the same prisoner's dilemma, events have been carried out for competing and testing algorithms. Various real-world situations which implicate cooperative behavior can be modeled using the prisoner's dilemma technique.

__________________________________________________
Pseudo Code 1 for bandwidth accessibility between valid and invalid users using game theory
__________________________________________________
Step 1: Initialize both subscriber seeking for same BW
        Initialize rounds of operation
Step 2: Initialize Q as strategies vector
        Initialize PD as Pay off matrix
        Initialize player P and Q's scores to zero
Step 3: Pass Q's two index values, PD, and rounds parameters to Iterated PD function in the input of Pseudo Code 2
Step 4: Catch Player P's and Q's final scores using 16 element 4x4 matrix from the output of Pseudo Code 2
Step 5: Add contents of scores matrix row wise for comparison
Step 6: If the score of P is more than the score of Q
        Then Declare P is winning player with assigned BW
        Else Declare Q is winning player with assigned BW
__________________________________________________

Four diverse conditions have been utilized in this paper, as represented below.

Condition 1: Clients P and Q both contend to be legitimate users for the BS. As valid users, the clients share many of the same parameters. However, these do not provide sufficient evidence to condemn either of the valid clients, until one produces a superior response in connection with the terms of validation.
Condition 2: If both act as valid clients with regard to authentication, authorization, and accounting (AAA), then there are chances of assignment of the bandwidth to both. However, such a possibility is very small.

Condition 3: Client P acts as an intelligent client, with an extremely secure link between itself and the BS. As a result, it will play the game or adopt a strategy in such a way that client Q will be unable to beat it in any situation, and will therefore lose.

Condition 4: However, client Q becomes intelligent after some time and is able to recognize the strategy which P follows. Once it is able to identify the loophole in the security aspects of the link between the BS and client P, it spoofs the bandwidth at the expense of client P.

The above stated four conditions are summarized as follows. The Attacker and the Defender are the two clients. Whether authorized or unauthorized, they show their validation to the BS, one by one. If the attacker has been able to prove its authorization in every existing way, then the defender tends to lose the assigned bandwidth. Although, if the attacker is unable to substantiate it in the second step, the bandwidth assigned to the valid user will be lost.

__________________________________________________
Pseudo Code 2 for setting a strategy for player P and Q using Iterated Prisoner's dilemma (PD) for Bandwidth spoofing
__________________________________________________
Step 1: Receive Parameters like Q's two index values, PD, and Rounds from the output of Step 3 in Pseudo Code 1
Step 2: Initialize defeat variable
        Initialize cooperative variable
        Initialize Win variable
        Initialize Lose variable
Step 3: Set strategies of both players P & Q
        Initialize player P and Q's Score to zero
Step 4: Pass Player P and Q's instances with their strategies to function named Play in the input of Pseudo Code 3
Step 5: Catch new instances of Player P and Q which are one of either '1' or '0' from the output of Pseudo Code 3
Step 6: If the value of New P & New Q is equal to 0
        Then Both will Lose and move to step 4 of Pseudo code 1
        Else If the value of New P = 1 & New Q = 0
        Then Player Q win and Player P lose so update scores of both players and move to step 4 of Pseudo code 1
        Else If the value of New P = 0 & New Q = 1
        Then Player P win and Player Q lose so update scores of both players and move to step 4 of Pseudo code 1
        Else Move to step 4 of Pseudo code 1
__________________________________________________

A. Real Time Implementation of Bandwidth Spoofing Attack Based on Game Theory on SCA/Relay/BS in 5G WCN

The bandwidth attack on the SCA/Relay/BS in a multi stage 5G WCN scenario is depicted in Fig. 1. Pseudo code 1, Pseudo code 2 and Pseudo code 3 explain the conduct of the bandwidth attack on the Relay, SCA and BS in a multi stage 5G WCN, using game theory. The steps which have been used for the implementation of the bandwidth attack, using game theory, on the Relay, SCA and

Copyright (c) 2015 IEEE. Personal use of this material is permitted. However, permission to use this material for any other purposes must be obtained from the IEEE by sending a request to [email protected]. 0018-9545 (c) 2017 IEEE. Personal use is permitted, but republication/redistribution requires IEEE permission. See http://www.ieee.org/publications_standards/publications/rights/index.html for more information.

BS in a multi stage 5G WCN have been systematically analyzed and represented in Pseudo codes. Pseudo code 1 represents the convenience of access between valid and invalid users. The sets of strategies for players P and Q are depicted in pseudo code 2 and pseudo code 3 using the Iterated Prisoner’s dilemma. Initialization of the players P and Q, in quest of the same bandwidth, marks the beginning of the implementation. Next is the initialization of the operation rounds. The strategies vector is chosen as S and the payoff matrix as PM. Then S and PM are initialized to their particular designation, and the initial scores of players A and B are set to zero. Thereafter, a mixed strategy is applied for both clients, in support of the strategic form of non-cooperative game, for bandwidth spoofing. Following initialization, the parameter values, namely the two index values of S (representing the various strategies in the form of indices), PM and Rounds, are passed to the Iterated Prisoner’s dilemma function, as depicted in pseudo code 2.

__________________________________________________
Pseudo Code 3 of a function representing set of strategies
__________________________________________________
Step 1: Receive Parameters like First Player as Master, Second Player as Slave and Strategy of Master from Step 4 of Pseudo code 2
Step 2: If Strategy=1 always Defeat
        If Strategy=2 always Cooperate
        If Strategy=3 always Tit for Tat
        If Strategy=4 Random
Step 3: Assign ‘0’ or ‘1’ as a new instances of player P and Q and send the values to the Step 5 of Pseudo code 2.
__________________________________________________

The defeat, cooperative, Win and Lose variables are first initialized in this function. These variables represent the outcomes after the application of the mixed strategy. Then strategies are set for the players P and Q with definite instances and passed to the function named Play, as shown in pseudo code 3. In this function, depending upon the strategies, new instances in the form of ‘1’ and ‘0’ are assigned to players P and Q, which represent the attack and non-attacked conditions, respectively. Depending upon the instances, the winning and losing of the players is decided for each round. The final scores of all the rounds of both players are taken in a 16-element 4x4 matrix and then compared. Depending on the number of winning rounds based on the average score, the winner is decided and the bandwidth is assigned to that player. The steps explained in the given Pseudo codes are simulated for eight iterations of four rounds.

B. Simulation Results

Various steps, which are performed using game theory, have been depicted in the pseudo codes. The bandwidth spoofing attack has been modeled using game theory and the simulation has been performed for four rounds, involving ten iterations. The results of the simulation are shown in Table III.

The genuine client is player P, while player Q is the attacker. For the simulation, four rounds have been conducted. For the respective players, the average score is recorded. The steps to be followed are specified in the Pseudo codes. Thereafter, for every player, the average score is compared with that of its counterpart. The player winning the higher number of rounds acquires the bandwidth. Since 10 iterations are performed, as shown in Table III, it is apparent that in the initial iterations the strategies of Players P and Q are fixed. However, once Player Q becomes aware of Player P’s strategy, it subsequently modulates its own strategy. This results in Player Q winning and the bandwidth passing to it. The bandwidth remains with Q for the subsequent iterations until Player P becomes aware of Player Q’s strategy and modulates its own strategy to gain the bandwidth. When the simulation is run for different numbers of iterations and for different attacking sites, the percentage of bandwidth acquisition by the attacker is noteworthy, which makes the bandwidth spoofing attack impactful. The simulation has been conducted for different iterations and the winning percentage of the attacker is reported in Fig. 2. It is clear from the figure that the winning percentage of the attacker on all the attacking sites is significant. It is interesting to note, however, that the winning percentage of the attacker decreases in the order of the power associated with the attacking site. The relay has the least backup power and thus supports only 30 iterations, while the SCA and BS support 90 and 180 iterations, respectively, according to their power backup. Thus, with less power backup, the relay/SCA will get drained out when more attacks are applied on them, which in turn increases the winning percentage of the attacker.
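The strategy function of Pseudo code 3 and the round comparison of Pseudo code 2 can be written out as follows. This is an added example, not the authors' simulation code: the 5/3/1/0 payoff values, the ten moves per round, the tie rule and all function names are assumptions, and it does not reproduce the scores of Table III.

```python
import random

# Moves: 0 = cooperate, 1 = defect. PM[(mine, theirs)] is the payoff to "mine".
# The 5/3/1/0 values are the textbook Prisoner's Dilemma payoffs, assumed here
# because the page does not list its payoff matrix.
PM = {(0, 0): 3, (0, 1): 0, (1, 0): 5, (1, 1): 1}

# Strategy indices as numbered in Pseudo Code 3, Step 2.
ALWAYS_DEFECT, ALWAYS_COOPERATE, TIT_FOR_TAT, RANDOM = 1, 2, 3, 4


def play(strategy, opponent_moves, rng):
    """Pseudo Code 3: next move for a player using the given strategy index."""
    if strategy == ALWAYS_DEFECT:
        return 1
    if strategy == ALWAYS_COOPERATE:
        return 0
    if strategy == TIT_FOR_TAT:
        # Cooperate first, then repeat whatever the opponent did last.
        return opponent_moves[-1] if opponent_moves else 0
    if strategy == RANDOM:
        return rng.randint(0, 1)
    raise ValueError(f"unknown strategy index: {strategy}")


def play_round(strategy_p, strategy_q, moves=10, rng=None):
    """Play `moves` consecutive games; return (average payoff P, average payoff Q)."""
    rng = rng or random.Random(0)
    moves_p, moves_q = [], []
    total_p = total_q = 0
    for _ in range(moves):
        move_p = play(strategy_p, moves_q, rng)
        move_q = play(strategy_q, moves_p, rng)
        total_p += PM[(move_p, move_q)]
        total_q += PM[(move_q, move_p)]
        moves_p.append(move_p)
        moves_q.append(move_q)
    return total_p / moves, total_q / moves


def run_iteration(strategies_p, strategies_q, holder, moves=10, seed=0):
    """Pseudo Code 2: one round per strategy pair, then compare rounds won.

    `holder` is the player that currently has the bandwidth; a tie leaves it
    there (an assumption, the page does not say how ties are resolved).
    """
    rng = random.Random(seed)
    wins = {"P": 0, "Q": 0}
    averages = []
    for strategy_p, strategy_q in zip(strategies_p, strategies_q):
        avg_p, avg_q = play_round(strategy_p, strategy_q, moves, rng)
        averages.append((avg_p, avg_q))
        if avg_p > avg_q:
            wins["P"] += 1
        elif avg_q > avg_p:
            wins["Q"] += 1
    if wins["P"] != wins["Q"]:
        holder = "P" if wins["P"] > wins["Q"] else "Q"
    return averages, wins, holder


def demo():
    """Three iterations of four rounds: fixed strategies, Q adapts, P adapts."""
    p_fixed = [TIT_FOR_TAT, ALWAYS_COOPERATE, TIT_FOR_TAT, ALWAYS_COOPERATE]
    schedule = [
        ("both fixed", p_fixed, [ALWAYS_COOPERATE] * 4),
        ("Q adapts", p_fixed, [ALWAYS_DEFECT] * 4),
        ("P adapts", [ALWAYS_DEFECT] * 4, [ALWAYS_DEFECT] * 4),
    ]
    holder, log = "P", []
    for label, s_p, s_q in schedule:
        averages, wins, holder = run_iteration(s_p, s_q, holder)
        log.append((label, wins, holder))
    return log


if __name__ == "__main__":
    for entry in demo():
        print(entry)
```

In the last iteration P's switch to Always Defect only draws every round, so under the assumed tie rule the bandwidth stays with Q.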

[Figure 2: bar chart. Vertical axis: Winning Percentage of Attacker. Horizontal axis: Attacking sites with number of attempts: Relay (30 Iterations), SCA (90 Iterations), BS (180 Iterations). Bar labels: 50, 45.6, 40.]

Fig.2. Winning percentage of attacker on different attacking sites

Analysis- It is concluded from the above results that a valuable method for examining the bandwidth attack is provided by the Game theory, since the attacker has the ability of bandwidth spoofing from the defender by way of prisoner’s dilemma game theory along with a considerable percentage of winning of the attacker. As a result, it has turned out to be a

major challenge for the 5G WCN security, since resource allocation is based upon IP in these networks. Additionally, another important conclusion is that the bandwidth spoofing attack has a more detrimental effect if only a single client is targeted by the attacker, because if the attacker plays with a diverse number of clients, its winning probability will be small and the complexity high. Good channel conditions are assumed for the analysis of results. If this is not so, then the payoff matrix predictions will change, causing difficulty in acquiring the bandwidth from the defenders. The bandwidth attack has been demonstrated on the Relay, SCA and BS of the multi stage 5G WCN, making use of game theory. It is also concluded from the above results that the level of security depends on the power associated with the particular attacking site. The relay, SCA and BS support 30, 90 and 180 iterations, respectively, according to their power backup. Thus, with less power backup, the relay/SCA will get drained out when more attacks are applied on them, which in turn increases the winning percentage of the attacker. The next section deals with the detection of an intruder that tries to acquire the bandwidth by attacking the Relay, SCA and BS.

TABLE III
RESULTS OF THE GAME THEORY FOR BANDWIDTH SPOOFING ATTACK

Iterations  Player                  Round 1  Round 2  Round 3  Round 4  No. of Winning Rounds  Result
1           Player P Average Score  103      114      63       57       1                      Player Q wins with average score 28
            Player Q Average Score  107      74       91       93       3
2           Player P Average Score  108      90       75       79       1                      Player P wins with average score -8
            Player Q Average Score  108      82       79       91       2
3           Player P Average Score  102      102      85       70       2                      Player P wins with average score 12
            Player Q Average Score  102      78       81       86       1
4           Player P Average Score  101      102      68       60       1                      Player Q wins with average score 44
            Player Q Average Score  105      78       100      92       3
5           Player P Average Score  101      114      85       80       3                      Player P wins with average score 56
            Player Q Average Score  105      74       73       72       1
6           Player P Average Score  99       120      79       80       2                      Player P wins with average score 48
            Player Q Average Score  103      72       75       80       1
7           Player P Average Score  98       102      83       68       2                      Player P wins with average score 12
            Player Q Average Score  106      78       79       76       2
8           Player P Average Score  105      108      74       76       1                      Player Q wins with average score 4
            Player Q Average Score  109      76       90       92       3
9           Player P Average Score  99       114      70       70       1                      Player P wins with average score 28
            Player Q Average Score  103      74       78       70       2
10          Player P Average Score  97       111      68       68       1                      Player Q wins with average score 16
            Player Q Average Score  101      83       92       84       3

IV. ADAPTIVE INTRUSION DETECTION SYSTEM FOR MULTI STAGE 5G WIRELESS COMMUNICATION NETWORK USING HIDDEN MARKOV MODEL (HMM)

In the preceding section, it has been concluded that game theory is a constructive method for examining the bandwidth attack, since spoofing the defender’s bandwidth by the attacker is possible by means of prisoner’s dilemma game theory, with a considerable winning probability. Thus, it will be a chief concern in 5G WCN security and needs to be overcome. This can be achieved by using an Intrusion Detection System (IDS). For the maintenance of security in a network, previously, an IDS was used at every BS. In order to verify all the requests received at the BS, each of them is submitted to the IDS. The client details are received in respect of MAC ID and BS ID for verification. A genuine or non-genuine request is validated, although the service types offered are unknown to the IDS. On the basis of the requester’s sending profile, it looks for an anomaly in the request. If a malicious request is confirmed by the IDS, an alarm is raised and the request is declined by the BS. An alert about the compromise of the BS security is sent to the concerned client. Since new attacks and attack sites keep emerging, the classic IDS requires supplementary features for better detection of intrusion. Thus, for an Adaptive IDS, the Hidden Markov Model (HMM) is used. However, the IDS for the 5G WCN will run not only at the BS, but also at the Relay and SCA, i.e. the sites which have a high possibility of attack. High complexity systems can be best modeled by an HMM, in comparison to the classic Markov model, because it is a doubly embedded stochastic process with two hierarchy levels. An HMM possesses a limited number of states, governed by a set of transition probabilities. In a given state, an observation is generated according to a defined probability distribution. Only the observation, not the state, is visible to an external observer [19]. Previously, the use of HMM has been encountered in a number of applications like bioinformatics, genomics, speech recognition, etc. However, HMM is being used by present-day researchers for security. The authors in [20] investigate the efficiency of HMM for anomaly detection, where the TCP network traffic is classified as attack or normal using an HMM. The detection of multistage network attacks has been proposed in [21]. An intrusion detection system based on HMM has been suggested in [22]. Privilege transition flows have been considered by the authors for performance improvement. These are centered on domain knowledge of attacks and also permit an improvement in modeling time. HMM and a number of other methods for anomaly detection have been used in [23], which builds a multilayer model of program calling for detection of the anomaly. For the purpose of human behavior modeling, HMM models are used, as stated in [24].
Thus, if an attacker deviates from its behavior and does not act like a genuine user, an alarm is raised. The description of the HMM is as follows [19]:

1) The number of states in the model is denoted by $N_s$ and the set of states by $\hat{S} = \{\hat{S}_1, \hat{S}_2, \ldots, \hat{S}_{N_s}\}$, where $\hat{S}_k$, $k = 1, 2, \ldots, N_s$, denotes an individual state. At any time instant $t$, the corresponding state is denoted by $\rho_t$.

2) The number of distinct observation symbols is represented as $ϻ$, and these correspond to the physical output per state of the system. Correspondingly, the set of symbols is given by $\mathcal{V} = \{\mathcal{V}_1, \mathcal{V}_2, \ldots, \mathcal{V}_{ϻ}\}$, where $\mathcal{V}_k$, $k = 1, 2, \ldots, ϻ$, denotes an individual symbol.

3) The state transition probability matrix is denoted as $B = [b_{mn}]$, where

$$b_{mn} = \Pr(\rho_{t+1} = \hat{S}_n \mid \rho_t = \hat{S}_m), \quad 1 \le m \le N_s,\ 1 \le n \le N_s;\ t = 1, 2, \ldots \tag{1}$$

4) However, in a general single step case, where any state $n$ can be reached from another state $m$, we have $b_{mn} \ge 0\ \forall\, m, n$. Also $\sum_{n=1}^{N_s} b_{mn} = 1$, $1 \le m \le N_s$.

5) The observation symbol probability matrix is represented as $P_{obs} = [p_n(z)]$, where $p_n(z) = \Pr(\mathcal{V}_z \mid \hat{S}_n)$, $1 \le n \le N_s$, $1 \le z \le ϻ$ and

$$\sum_{z=1}^{ϻ} p_n(z) = 1, \quad 1 \le n \le N_s. \tag{2}$$

$\xi = [\xi_i]$ denotes the initial state probability vector, where

$$\xi_i = \Pr(\rho_1 = \hat{S}_i), \quad 1 \le i \le N_s, \quad \text{such that } \sum_{i=1}^{N_s} \xi_i = 1. \tag{3}$$

6) The observation sequence is denoted as $\gamma = \gamma_1, \gamma_2, \gamma_3, \ldots, \gamma_{ŗ}$, where each observation $\gamma_t$ is a symbol from the set $\mathcal{V}$, and $ŗ$ represents the number of observations in the sequence.

From the above description, it is evident that a complete description of an HMM requires estimation of the model parameters $N_s$ and $ϻ$, and the probability distributions $B$, $P_{obs}$ and $\xi$. The entire set of parameters is specified by the notation $\mu = (B, P_{obs}, \xi)$. The values $N_s$ and $ϻ$ are implicitly included in $B$ and $P_{obs}$. In the conventional HMM notation, the same statement reads: a complete description requires the two model parameters N and M and the three probability distributions A, B and π, written λ = (A, B, π), with N and M indirectly included in A and B.

The observation sequence mentioned above can arise from many possible state sequences, one of which is

$$\rho = \rho_1, \rho_2, \ldots, \rho_{ŗ}, \tag{4}$$

where the initial state is $\rho_1$. For the observation sequence $\gamma$, the probability of generation of the sequence from the given state sequence, assuming statistical independence of observations, is specified as

$$\Pr(\gamma \mid \rho, \mu) = \prod_{t=1}^{ŗ} P(\gamma_t \mid \rho_t, \mu). \tag{5}$$

The equation above can be expanded as:

$$\Pr(\gamma \mid \rho, \mu) = p_{\rho_1}(\gamma_1)\, p_{\rho_2}(\gamma_2) \cdots p_{\rho_{ŗ}}(\gamma_{ŗ}). \tag{6}$$

For the state sequence $\rho$, the probability is stated as:

$$\Pr(\rho \mid \mu) = \xi_{\rho_1}\, b_{\rho_1 \rho_2}\, b_{\rho_2 \rho_3} \cdots b_{\rho_{ŗ-1} \rho_{ŗ}}. \tag{7}$$

Thus, from the HMM, the probability of generation of the observation sequence $\gamma$, given $\mu$, can be represented as:

$$\Pr(\gamma \mid \mu) = \sum_{\text{all } \rho} \Pr(\gamma \mid \rho, \mu) \Pr(\rho \mid \mu). \tag{8}$$

Computation of $\Pr(\gamma \mid \mu)$ is possible by using the Forward-Backward procedure which is stated in [19]. In this paper, the threshold level sequence $P_r$ has been taken into consideration, and not $\gamma_{ŗ}$. The next part of this section is focused on IDS processing using the HMM model.

A. HMM Model for IDS Processing

There are six steps that are involved in mapping the IDS processing operation using HMM:

1) Decision on Observation Symbols
The first step while using HMM involves decision of the observation symbols. The number of request values can be

quantized into $ϻ$ service ranges at the BS, as $\mathcal{V}_1, \mathcal{V}_2, \ldots, \mathcal{V}_{ϻ}$. For every symbol, the spending habit of every client decides the valid range of service. Dynamic determination of service ranges is possible through a specific clustering algorithm technique, which depends upon the service request of each client. In this paper, $\mathcal{V}_k$ has been used for characterizing the observation symbol and the equivalent service range, with $k = 1, 2, \ldots, ϻ$.

2) Decision on the State Representation and Determination of the Transition Probabilities for Multi Stage Bandwidth Spoofing
Following the decision on the number of observation symbols, the number of states has to be considered. According to the approach followed in this paper, three states are considered: the Base Station (BS), SCA and Relay. These are represented as $\hat{S}$ = (Base Station, SCA and Relay). After the determination of the state and symbol representations, the HMM representation is completed by the probability matrices $B$, $P_{obs}$ and $\xi$. For the computation of the three model parameters, the Baum-Welch algorithm [20] is used for training.

3) Dynamic Generation of Observation Symbols
Similar to the client, the training and maintenance of the BSs will be accomplished using HMM. Hence, to find the observation symbols for each individual client, dynamic requests are sent, after which a clustering algorithm is compiled and executed on the past requests. Requests with numerous attributes are stored in the BS database. However, the attributes that have been considered in the paper are the ones which are spent by the client in his request. For the determination of clusters, the K-means clustering algorithm [25-26] is used. K-means is an unsupervised learning algorithm that groups a specified set of data on the basis of resemblance in their feature values; each group is generally referred to as a cluster. The K clusters are fixed a priori. The distance between each data point and the centroid of the cluster to which the point belongs is computed. Minimization of the sum of squares of the distances results in cluster formation.

4) Client’s Spending Profiles
The spending profile of a client is represented by its usual spending behavior. Based on the spending habits, clients are explicitly characterized as high spending group, medium spending group, and low spending group. The normally used service of the high spending group is video on demand. The rest of the groups follow the associated classification. The spending profiles of clients are ultimately determined at the closing stage of the clustering step. Assuming the percentage of the total number of requests of the clients belonging to a cluster with mean $m_i$ to be $\xi$, then, for a client $x$, the spending profile (SP) is determined as:

$$SP(x) = \arg\max_{i}(\xi) \tag{9}$$

[Figure 3: state diagram. Node labels: Base Station, SCA, Relay, Valid Client, Intruder. Edge labels: 0.01, 0.7, 0.1, 0.01.]

Fig. 3. HMM for intruder detection with transition probabilities according to Table IV.

A fully connected HMM, with transition probabilities in accordance with Table IV, is depicted in Fig. 3, where every stage can be reached from any other stage in one hop. Each and every client will be trained and maintained using HMM.

TABLE IV
PROPOSED HMM FOR INTRUDER DETECTION WITH TRANSITION PROBABILITIES
[Table IV: axes Demand and Response. Row and column labels: Base Station (BS), SCA (A), Relay (B), Valid Client, Intruder. Cell values, in the order they appear: 0.15, 0.1, 0.04, 0.01, 0.59, 0.2, 0.1, 0.074, 0.01, 0.65, 0.2, 0.01, 0.70, 0.10, 0.075.]

5) Estimating the Model Parameter and Training
The Baum-Welch algorithm has been used for the estimation of HMM parameters for every client. The preliminary estimates of the parameters like $B$, $P_{obs}$ and $\xi$, and the others, converge to the most accessible and nearest local maximum of the likelihood function. The initial state probability distribution over the $N_s$ states is taken to be uniform. Thus, the initial state probability of each individual state is $1/N_s$. For the observation symbol probabilities, the initial guess is uniform. However, for higher precision in the initial guess of observation symbol probabilities, the spending profiles computed in the preceding step are taken into account. This helps in accurate learning of the model. Uniformity is assumed in the initial guess of the HMM training because the state transition probabilities are not known a priori. The following steps are involved in the training algorithm:

a) HMM parameter initialization.
b) Forward procedure.
c) Backward procedure.

Further details about the training steps are presented in [19], which describes the training of HMM. When the training phase terminates, the corresponding sequences which were formed for each client from the observation symbols are extracted. The performance of the processing clients is not affected by this step, as it is executed offline.

6) Detecting the Intruder at Multi Stages
After learning the HMM parameters, a primary sequence of symbols is created from the symbols of the training data of the client. Let $P_1, P_2, \ldots, P_N$ be an N-length sequence. This is a recorded sequence, formed from the requests of the client up to time instant ṫ. Next, the probability of acceptance is computed by entering the above sequence into the HMM. Let this probability be $\Phi_1$, which can be written as:

$$\Phi_1 = \Pr(P_1, P_2, P_3, \ldots, P_N \mid \mu) \tag{10}$$

Let a new symbol $P_{N+1}$ be generated at time instant ṫ+1. To form another N-length sequence, drop $P_1$ and append $P_{N+1}$ to the existing sequence, giving $P_2, P_3, \ldots, P_N, P_{N+1}$ as the new sequence. Entering this new sequence into the HMM gives its probability of acceptance. Let the new probability be $\Phi_2$, which can be written as:

$$\Phi_2 = \Pr(P_2, P_3, P_4, \ldots, P_{N+1} \mid \mu) \tag{11}$$

Let

$$\Delta\Phi = \Phi_1 - \Phi_2 \tag{12}$$

If $\Delta\Phi \ge 0$, then evidently the latest sequence is accepted by the HMM with lower probability, and with a greater possibility of being an intruder. The newly added symbol is considered to be fake if the fractional change in the probability is greater than some threshold ($\Phi_t$), i.e.

$$\frac{\Delta\Phi}{\Phi_1} > \Phi_t \tag{13}$$

It is possible to learn the threshold value empirically. The BS does not accept a malicious request for $P_{N+1}$, and the symbol is rejected by the IDS. Otherwise, $P_{N+1}$ is added permanently to the sequence, so that the BS uses it for determining the validity of the subsequent request. New number of malicious symbols are added to primarily capture the varying spending behavior of the clients. The entire flow process of dataset training and the proposed adaptive IDS model is shown in Fig. 4. Training is carried out offline, while detection is performed online.

[Figure 4: flowchart. Box labels: Create Database for BS; Identify SCA, Relay and Client with MAC Address and BSID; Assign set of probabilities to SCA, Relay, Client; Construct sequence for SCA training data; Construct sequence for relay training data; Construct sequence for Client training data; Combine and develop training model; Priority Sequence; Initial Sequence PN (PR, PS, PC); Generate the new sequence threshold level PR→PR+1, PS→PS+1, PC→PC+1; Calculate ∆P; Compare with Actual Dataset; Verify; Verify the client at SCA; Verify the client at BS; Detection of Intruder; Block; Remove the next Intruder entry; Accept both PR, PS, PC and PR+1, PS+1, PC+1 Sequence; Add PR+1, PS+1, and PC+1 from New Sequence; Give the Permission; Intruder; Relay. Decision labels: > ft, ≤ ft.]

Fig.4. Process flow of proposed model of adaptive IDS.
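The acceptance test of step 6, eqs. (10)-(13), together with the probability of eq. (8) computed both literally and by the forward procedure, is sketched below. This is an added example, not the authors' implementation: the model values, the window, the incoming stream, the 0.5 threshold and all function names are constructed assumptions, and the model is fixed by hand rather than trained with Baum-Welch.

```python
import itertools
import math

# Constructed model mu = (B, P_OBS, XI). The three states are the ones the page
# names; symbols are service ranges 0 = low, 1 = medium, 2 = high. Every number
# below is an assumption made for this example, not a value from Table IV.
STATES = ("BS", "SCA", "Relay")
XI = [1 / 3, 1 / 3, 1 / 3]          # initial state vector, uniform
B = [[0.8, 0.1, 0.1],               # b_mn = Pr(rho_{t+1} = S_n | rho_t = S_m)
     [0.1, 0.8, 0.1],
     [0.1, 0.1, 0.8]]
P_OBS = [[0.60, 0.38, 0.02],        # p_n(z) = Pr(V_z | S_n), rows sum to 1
         [0.50, 0.49, 0.01],
         [0.55, 0.43, 0.02]]


def log_forward(seq):
    """log Pr(seq | mu) by the forward procedure, rescaled at every step so
    that long windows do not underflow to zero."""
    n = len(STATES)
    alpha = [XI[i] * P_OBS[i][seq[0]] for i in range(n)]
    log_prob = 0.0
    for t, symbol in enumerate(seq):
        if t > 0:
            alpha = [sum(alpha[m] * B[m][j] for m in range(n)) * P_OBS[j][symbol]
                     for j in range(n)]
        scale = sum(alpha)
        if scale == 0.0:
            return float("-inf")    # sequence is impossible under the model
        log_prob += math.log(scale)
        alpha = [a / scale for a in alpha]
    return log_prob


def forward_prob(seq):
    """Pr(seq | mu) as a plain probability (short sequences only)."""
    return math.exp(log_forward(seq))


def brute_force_prob(seq):
    """Eq. (8) taken literally: sum Pr(seq | rho, mu) * Pr(rho | mu) over every
    state sequence rho. Cost grows as N_s ** len(seq); short inputs only."""
    total = 0.0
    for rho in itertools.product(range(len(STATES)), repeat=len(seq)):
        p_path = XI[rho[0]]                          # eq. (7)
        for m, n in zip(rho, rho[1:]):
            p_path *= B[m][n]
        p_emit = 1.0                                 # eq. (6)
        for state, symbol in zip(rho, seq):
            p_emit *= P_OBS[state][symbol]
        total += p_emit * p_path
    return total


def fractional_drop(window, new_symbol):
    """(Phi_1 - Phi_2) / Phi_1 from eqs. (10)-(13), computed in log space."""
    log_phi1 = log_forward(window)
    if log_phi1 == float("-inf"):
        raise ValueError("reference window has zero probability under the model")
    log_phi2 = log_forward(window[1:] + [new_symbol])
    return 1.0 - math.exp(log_phi2 - log_phi1)


def screen(window, stream, threshold):
    """Test each incoming symbol. An accepted symbol slides the window forward;
    a rejected one is dropped and the window is left as it was."""
    window = list(window)
    decisions = []
    for symbol in stream:
        drop = fractional_drop(window, symbol)
        verdict = "reject" if drop > threshold else "accept"
        decisions.append((symbol, round(drop, 3), verdict))
        if verdict == "accept":
            window = window[1:] + [symbol]
    return decisions, window


if __name__ == "__main__":
    history = [0, 0, 1, 0, 1, 0]     # constructed request history, N = 6
    incoming = [1, 0, 2, 0, 2, 1]    # constructed; symbol 2 is out of profile
    decisions, final_window = screen(history, incoming, threshold=0.5)
    for row in decisions:
        print(row)
    print("window:", final_window)
```

Because a rejected symbol never enters the window, a client whose request pattern changes legitimately keeps being rejected until the model is retrained or the threshold is revisited.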

For the detection of an intruder in the scenario of a 5G WCN, as shown in Fig 1, the proposed model will be useful. The entire course of action for intruder detection is carried out in two steps. The training of the dataset is the first step. The main process of intrusion detection is the second step, which is carried out using the proposed model, as explained in pseudo code 4. The first step initializes the total number of users and the active users in each iteration. In this paper, the total number of users is taken as 10, while the number of active users is random for every iteration. The next step comprises the generation of the priority, transmitted probability and obstruction probability. Following this, the intruder attempts to intrude into the network. If it fails to intrude, it tries to re-enter the network. If it succeeds in intruding, it is assigned zero probability, and the number of active users is incremented by 1. In the subsequent step, the database is created by training the data using HMM. In the second step, the valid users, i.e. $N_s$ users, are extracted from the updated transmission probability matrix. A magnitude of 1 is added to the probability value of all the valid users, prior to storing them in the matrix of valid users after the first step. After the second step, the $(N_s + 1)$th user is designated with minimum priority and is added to the matrix of valid users. To improve the parameter guessing, maximum likelihood parameter estimation is applied. Then, the difference between the probabilities of the valid users’ matrix in the first and the second step is calculated, given by ∆P. The user possessing the minimum value of ∆P is referred to as the intruder, and is blocked and eliminated from the network.

__________________________________________________
Pseudo code 4 for showing the process of training and Intrusion Detection using proposed model
__________________________________________________
//* Pseudo Code for the process of training dataset for IDS in the 1st step
Step 1: Initialize Total Number of users and active users
Step 2: Start First Step with N Number of active users, Priority matrix of N elements, Transmitted probability matrix of NxN element, and Obstruction probability matrix of Nx3 elements
Step 3: Intruder trying to enter in to Network
Step 4: If Intruder has got success Then
            Active users=Active users+1
            Assign Intruder with Probability=0
        Else
            Go back to Step 3
Step 5: Create the dataset by training the data using HMM
//* Pseudo Code for the process of Intrusion Detection using proposed model in the 2nd step
Step 6: Start Second Step with N Number of active users, Updated Priority matrix of N elements, Updated Transmitted Probability matrix of NxN element, and Updated Obstruction Probability matrix of Nx3 elements
Step 7: Extract valid users from Updated Transmitted Probability Matrix i.e. N Users
Step 8: BS assign minimum priority to N+1th user and add N+1th user to valid user’s matrix
Step 9: Create the updated dataset by training it with HMM and by passing updated Priority, Transmitted Probability, and Obstruction Probability matrix
Step 10: Valid intruder user’s matrix after 1st Iteration = Valid user’s matrix+1
Step 11: Apply Maximum Likelihood parameter Estimation for improving the guessing of parameters
Step 12: ∆P= (Valid intruder user’s matrix after 2nd Iteration) - (Valid intruder user’s matrix after 1st Iteration)
Step 13: Estimate the user with minimum ∆P as Intruder
Step 14: Block the user with minimum ∆P
__________________________________________________

Conclusion: The explanation given above describes the process flow of the proposed model of adaptive IDS, while considering the attack on BS.
But the main focus of the paper is on the multi stage 5G WCN, which involves attacks by the intruder on all three main components of the 5G WCN, i.e. Relay, SCA and BS. The security of the network in 5G is very important and needs improvement. In this paper, the work on the security of the 5G WCN has been done by implementing the IDS on all the possible attacking sites, which comprise the Relay, SCA and BS. But, while increasing the security by implementing an IDS on each attacking site, there arises a very genuine problem of the backup power at each attacking site. The backup power at the Relay is the least, compared to the power level at the SCA and BS. For the implementation of an IDS on each attacking site of the multi stage 5G WCN, the power constraint has to be kept in mind. As explained and proved in the previous section, the power of the relay or SCA gets drained out after a certain limit of iterations of attacks. Power availability at the site is needed for implementing an IDS. To overcome this drawback, the concept of the multi stage 5G WCN has been introduced. In this network, when the intruder tries to attack the relay, the IDS at the relay will try to prevent the attack and block the intruder. But, due to the low power level, the winning percentage of the attacker will increase. To decrease the number of attacks and to remove the intruder from the network, the intruder data from the relay is further sent to the SCA for verification and finally to the BS. Similarly, if the attack is on the SCA, the intruder data is further sent to the BS for verification. This concept is proposed and represented as the process flow of the Adaptive IDS in Fig. 4. For the multi stage 5G WCN, the training of the proposed model is done according to the priority level, in which the highest priority is given to the SCA, then the Relay and last to the client from the BS. Similarly, in the detection process, the highest authority for removing an intruder from the network is with the BS, irrespective of the site on which the attack has occurred. In Fig. 4, $P_R$, $P_S$, $P_C$ represent the primary sequences for the different cases of attacks on the Relay, SCA and BS, respectively, while $P_{R+1}$, $P_{S+1}$, $P_{C+1}$ represent the sequences after the entry of the intruder into the network.

B. Simulation Results

In this paper, an adaptive IDS has been proposed for the detection of an intruder performing the bandwidth spoofing attack on the multi stage 5G WCN comprising the Relay, SCA and BS. The simulation has been performed by following the steps given in pseudo code 4. After every iteration, the probability of valid users and the probability of intruders is recorded, as shown in Table V. In this simulation, a total of 10 users have been assumed in the network and one space has been left for the intruder to intrude into the wireless communication network. The probabilities for 10 iterations have been recorded. Following the analysis of the recorded table, we conclude that the number of active users in each iteration will be different and that the user possessing a probability lower than the valid user probability will be considered the intruder. The detected intruder will be blocked and removed in the subsequent step. For each iteration, the intruder probability is shown in red and the threshold probability of the valid user is shown in green. At the same time, the graph in Fig. 5 shows that the intruder probability is always less than the probability of the valid user.


TABLE V
PROBABILITY OF VALID USERS AND PROBABILITY OF INTRUDERS AFTER EACH ITERATION

No. of users / No. of Iterations
1 2 3 4 5 6 7 8 9
1 0.9193 0.8454 0.9580 0.8823 0.8968 0.9852 0.9860 0.9020 0.2232
2 3 1.0102 0.7425 0.1517 0.8486 0.9880 0.8622 0.9646 0.9597 0.0774 0.2924 0.8572 1.3513
4 5 0.8981 0.9024 1.0040 0.9708 0.3123 0.9374 0.2409 0.7377 0.9036 1.0627 0.7876 0.3062
6 7 8 1 0.9905 0.9882 0.2892 0.8582 0.6678 0.6815 1.0613 0.9863 1.0121 0.8136 0.1670 0.5113
9 10 0.9769 1.0777 0.8162 0.5117 1.0284 0.9748 0.1973 0.1775
10 11 0.0519

Thus, detection and removal of the intruder is easy using the proposed adaptive IDS model. The probability values shown in Fig. 5 are noted for different numbers of users in the network. It is clear from the figure that, as the number of users in the network increases, the threshold probability of the valid user also increases, while the intruder probability stays within a certain limit. This is because, as the number of users in the network increases, the number of attacks in the network also increases. With variable power levels at the different attacked sites, the threshold probability value of the valid user client also increases, because the increased number of users in the network is not tolerated by the lower power levels of the Relay or SCA. All the intruder cases then move to the BS, as shown in the proposed model. So, with lower power levels the percentage of detecting an intruder is considerably low, which further gives rise to lower values of threshold probabilities. Since the BS is able to detect the intruder among a large number of clients, the threshold value of the valid user probability is higher for the BS than for the Relay or SCA.

Analysis: It is concluded from the above results that intruder detection in a multi stage 5G WCN is possible with the proposed adaptive IDS, where the intruder tries to spoof the bandwidth from the Relay, SCA and BS. The simulations clearly show that the intruder probability is always less than the valid user probability, for different numbers of users. Thus, it becomes simple for the proposed model to first detect the intruder and then eliminate it from the database in the succeeding step.

Fig.5. Valid User Probability vs Intruder Probability (x-axis: Number of Users, 10 to 180; y-axis: Probability, 0 to 1.2; series: Valid User Probability, Intruder Probability)
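The escalation described above (a suspect raised at the Relay is re-verified at the SCA and finally at the BS, which alone removes it) can be sketched as follows. This is an added example, not the authors' pseudo code 4; the HMM parameters, the threshold, the request sequences, and the model of backup power as a budget of sequences a site can still score are all constructed assumptions.

```python
# Added illustration; every number below is a constructed assumption, not paper data.
PI = [0.8, 0.2]                          # initial distribution over 2 hidden states
A = [[0.9, 0.1], [0.3, 0.7]]             # hidden-state transition matrix
B = [[0.70, 0.25, 0.05],                 # emissions: 0=low, 1=medium, 2=high
     [0.20, 0.50, 0.30]]                 # bandwidth request per time slot
STAGES = ["Relay", "SCA", "BS"]          # escalation order described in the text
THRESHOLD = 0.35                         # assumed valid-user threshold probability

def sequence_probability(obs):
    """HMM forward algorithm, returned as a per-symbol geometric mean."""
    alpha = [PI[s] * B[s][obs[0]] for s in range(2)]
    for o in obs[1:]:
        alpha = [sum(alpha[p] * A[p][s] for p in range(2)) * B[s][o]
                 for s in range(2)]
    return sum(alpha) ** (1.0 / len(obs))

def adaptive_ids(users, entry_stage, power, threshold=THRESHOLD):
    """Pass suspects up the chain from the attacked site; the BS verdict is final.

    power[stage] is the number of sequences a site can still score (assumed
    model of backup power). A drained site forwards users unverified.
    """
    power = dict(power)                  # do not mutate the caller's budget
    suspects, trace = dict(users), []
    for stage in STAGES[STAGES.index(entry_stage):]:
        flagged = {}
        for name, seq in suspects.items():
            if power[stage] <= 0:        # no power left: escalate without scoring
                flagged[name] = seq
                continue
            power[stage] -= 1
            if sequence_probability(seq) < threshold:
                flagged[name] = seq
        trace.append((stage, sorted(flagged)))
        suspects = flagged
    return sorted(suspects), trace       # users the BS removes, plus the path taken

# Constructed request sequences: three valid users and one bandwidth spoofer.
USERS = {
    "u1": [0, 0, 1, 0, 0, 1, 0, 0],
    "u2": [0, 1, 0, 0, 0, 0, 1, 0],
    "u3": [0, 0, 0, 1, 0, 0, 0, 0],
    "intruder": [2, 2, 2, 1, 2, 2, 2, 2],
}

if __name__ == "__main__":
    removed, trace = adaptive_ids(USERS, "Relay", {"Relay": 2, "SCA": 10, "BS": 100})
    for stage, flagged in trace:
        print(f"{stage:5s} forwards/flags: {flagged}")
    print("removed by BS:", removed)
```

With a Relay budget of two, the Relay runs out of power before it reaches `u3` and the intruder and forwards both; the SCA clears `u3`, and only the intruder reaches the BS for removal.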

V. SIGNIFICANCE AND TRENDS
With changing demands and scenarios, many new techniques have evolved from time to time, moving from 1G to 4G. But with the growing need for more coverage, high data rate, negligible latency and much more, 5G is now another attempt to meet these surplus demands. With the increase in technologies, threats to security are also increasing. Due to flat and open architectures, the 5G scenario is inherently more vulnerable to attacks than LTE or 3GPP. Hence there arises a need for an integrated security system in the upcoming 5G technology for secure data communication. This paper has laid stress on the security issues of 5G, comprising security breaches through the Relay, SCA and BS. An intrusion detection system (IDS) is employed for detecting any internal or external breach by continuously monitoring the system. This closed loop system detects deviations from normal behavior and triggers the alarm. After the intrusion is detected, the newly emerged techniques, i.e. the intrusion prevention system (IPS) and IPSec, are used for the protection of the system.

According to market research done in 2011 on the utility of IDS in the market, shown in Fig. 7, the total market size of IDS varies from $70 million to $80 million, and this number has increased manifold today. About 40.1% of total IDS is used in panels, which is the largest share. Detectors are the second largest consumers of IDS, and about 33% of total market produce is consumed here. Keypads and accessories are also among the prime users of IDS, taking shares of 15.9% and 10.5% respectively.

Fig.6. Evolution of security levels from generations to generations (x-axis: Generations, 1st to 4th; y-axis: Security; labels: Fire Detection, Analogue Camera, Intrusion Detection, Legacy Access Control, Contactless Cards Access Control, Standard Resolution IP Cameras, High Resolution Cameras, Biometric Access Control, Video Analytics, SaaS, PSIM)

With the evolution of generations, the security methods and components have also evolved. The graph in Fig. 6 describes the evolution of security levels from 1G to 4G. SaaS and PSIM are the key founding elements of the security market. After this, high resolution cameras, standard resolution IP cameras and biometric access control have increased the security levels through the generations. Intrusion detection and analog cameras put security at a higher level. Fire detection systems and legacy access control are methods that also help intrusion detection attain the level of security that the next generation wireless networks demand.

Fig.7. Intrusion detection system consumers in the market (x-axis: IDS Utility in the market; y-axis: Percentage IDS Consumption; Panels 40.1, Detectors 33.5, Keypads 15.9, Accessories 10.5)

VI. CONCLUSION
With the growing number of users in the network, it has become very important to maintain security. In the present generation, the level of security needs to be raised. In this paper, we have analyzed the different aspects of security threats in the 5G WCN. The major goal of the 5G WCN is to increase capacity as well as to reduce the load at the BS. To achieve this, researchers have introduced the concept of relays, SCAs and Wi-Fi hotspots. But this introduction has paved the way for possible security breaches into the network, as they provide active sites for attackers. Hence the 5G WCN has now become highly vulnerable to security threats. The key focus of the paper is on the security threats, particularly the bandwidth spoofing attack on the Relay, SCA and BS. In this paper, it is concluded that the prisoner’s dilemma game theory is a suitable method for investigating the bandwidth spoofing attack in the multi stage 5G WCN. The conclusion is supported by the results, in which the intruder successfully spoofs the bandwidth from the valid client with a substantial winning percentage. After the successful intrusion using prisoner’s dilemma game theory, this paper has provided an adaptive intrusion detection system for the multi stage 5G WCN. The proposed adaptive intrusion detection system is capable of detecting and eliminating an intruder attack intended for bandwidth spoofing on the Relay, SCA and BS. This paper has incorporated the concept of power levels of the Relay, SCA and BS with the probability of the intruder intruding into the network. It is concluded from the simulation results that, in the multi stage 5G WCN, the BS has the maximum intruder detection capability compared to the SCA and Relay because of its higher power levels.

REFERENCES
[1] Gupta, A.; Jha, R.K., "A Survey of 5G Network: Architecture and Emerging Technologies," in Access, IEEE, vol. 3, pp. 1206-1232, 2015.
[2] Schneider, P.; Horn, G., "Towards 5G Security," in Trustcom/BigDataSE/ISPA, 2015 IEEE, vol. 1, pp. 1165-1170, 20-22 Aug. 2015.
[3] C. Wang and H. M. Wang, "Physical Layer Security in Millimeter Wave Cellular Networks," in IEEE Transactions on Wireless Communications, vol. 15, no. 8, pp. 5569-5585, Aug. 2016.
[4] HuiMing Wang, T.X. Zheng, J. Yuan, D. Towsley, and M. H. Lee, "Physical layer security in heterogeneous cellular networks," IEEE Transactions on Communications, vol. 64, no. 3, pp. 1204-1219, Mar. 2016.
[5] Y. Zhang, H. M. Wang, Q. Yang and Z. Ding, "Secrecy Sum Rate Maximization in Non-orthogonal Multiple Access," in IEEE Communications Letters, vol. 20, no. 5, pp. 930-933, May 2016.
[6] Jin Cao; Maode Ma; Hui Li; Yueyu Zhang; Zhenxing Luo, "A Survey on Security Aspects for LTE and LTE-A Networks," in Communications Surveys & Tutorials, IEEE, vol. 16, no. 1, pp. 283-302, First Quarter 2014.
[7] Monica Paolini, "Wireless security in LTE networks", White paper, 2012.
[8] Gupta, A.; Jha, R.K., "Security threats of wireless networks: A survey," in Computing, Communication & Automation (ICCCA), 2015 International Conference on, pp. 389-395, 15-16 May 2015.
[9] Patrick Traynor et al., "On Cellular Botnets: Measuring the Impact of Malicious Devices on a Cellular Network Core", Proceedings of the 16th ACM conference on Computer and communications security, 2009.
[10] Monica Paolini, "Wireless security in LTE networks", White paper, 2012.
[11] Gupta, Akhil, and Rakesh Kumar Jha. "Power optimization using massive MIMO and small cells approach in different deployment scenarios." Wireless Networks 23.3 (2017): 959-973.
[12] Gupta, Akhil, and Rakesh Kumar Jha. "Power optimization using optimal small cell arrangements in different deployment scenarios." International Journal of Communication Systems (2017).
[13] Devi, Reeta, et al. "Implementation of Intrusion Detection System using Adaptive Neuro-Fuzzy Inference System for 5G wireless communication network." AEU-International Journal of Electronics and Communications 74 (2017): 94-106.
[14] Gupta, Akhil, Rakesh Kumar Jha, and Sanjeev Jain. "Attack modeling and intrusion detection system for 5G wireless communication network." International Journal of Communication Systems 30.10 (2017).
[15] Geva, M.; Herzberg, A.; Gev, Y., "Bandwidth Distributed Denial of Service: Attacks and Defenses," in Security & Privacy, IEEE, vol. 12, no. 1, pp. 54-61, Jan.-Feb. 2014.
[16] Snyder, M.E.; Sundaram, R.; Thakur, M., "A Game-Theoretic Framework for Bandwidth Attacks and Statistical Defenses," in Local Computer Networks, 2007. LCN 2007. 32nd IEEE Conference on, pp. 556-566, 15-18 Oct. 2007.
[17] Tom, L., "Game-theoretic approach towards network security: A review," in Circuit, Power and Computing Technologies (ICCPCT), 2015 International Conference on, pp. 1-4, 19-20 March 2015.
[18] M. Ye and G. Hu, "Distributed seeking of time-varying Nash equilibrium for non-cooperative games," Control and Automation (ICCA), 2013 10th IEEE International Conference on, Hangzhou, 2013, pp. 1674-1679.
[19] L.R. Rabiner, "A Tutorial on Hidden Markov Models and Selected Applications in Speech Recognition," Proc. IEEE, vol. 77, no. 2, pp. 257-286, 1989.
[20] S.S. Joshi and V.V. Phoha, "Investigating Hidden Markov Models Capabilities in Anomaly Detection," Proc. 43rd ACM Ann. Southeast Regional Conf., vol. 1, pp. 98-103, 2005.
[21] D. Ourston, S. Matzner, W. Stump, and B. Hopkins, "Applications of Hidden Markov Models to Detecting Multi-Stage Network Attacks," Proc. 36th Ann. Hawaii Int’l Conf. System Sciences, vol. 9, pp. 334-344, 2003.
[22] S.B. Cho and H.J. Park, "Efficient Anomaly Detection by Modeling Privilege Flows Using Hidden Markov Model," Computer and Security, vol. 22, no. 1, pp. 45-55, 2003.
[23] X.D. Hoang, J. Hu, and P. Bertok, "A Multi-Layer Model for Anomaly Intrusion Detection Using Program Sequences of System Calls," Proc. 11th IEEE Int’l Conf. Networks, pp. 531-536, 2003.
[24] T. Lane, "Hidden Markov Models for Human/Computer Interface Modeling," Proc. Int’l Joint Conf. Artificial Intelligence, Workshop Learning about Users, pp. 35-44, 1999.
[25] L. Kaufman and P.J. Rousseeuw, Finding Groups in Data: An Introduction to Cluster Analysis, Wiley Series in Probability and Math. Statistics, 1990.
[26] T. X. Zheng, H. M. Wang, Q. Yang and M. H. Lee, "Safeguarding Decentralized Wireless Networks Using Full-Duplex Jamming Receivers," in IEEE Transactions on Wireless Communications, vol. 16, no. 1, pp. 278-292, Jan. 2017.
