Monitoring 5G Core Networks Vulnerabilities with eBPF
Date
2025-06
Abstract
The current design of the 5G Core Network (5G CN) adopts a cloud-native, service-based architecture in which Network Functions (NFs) are exposed as services that can be dynamically composed and managed to achieve high flexibility. These NFs are interconnected via interfaces standardized by Standardization Development Organizations (SDOs) such as 3GPP. The complexity of the interconnections and the sensitivity of the data make these interfaces vulnerable. In this letter, we advocate the use of the extended Berkeley Packet Filter (eBPF) to monitor activity on the 5G CN interfaces. eBPF programs run in the kernel space of the host machine and thereby provide visibility of all programs, which is especially convenient for observability of 5G CN NFs. With a specific use case implemented in Open Air Interface (OAI), we demonstrate the benefits of the eBPF framework in identifying session deletion attacks and mitigating the associated risks.