The P2CODE - Attack Mitigation (P2CODE-AM) is an Intrusion Detection System (IDS) designed to detect and mitigate potential attacks in Packet Forwarding Control Protocol (PFCP) network traffic. PFCP is a protocol used in 5G mobile networks to manage and control user data flows between the User Equipment (UE) and the Data Network (DN). The deployed classifiers are trained on a dataset of PFCP-related attacks as published by Amponis et al. 2022.
Part of P2CODE-AM is based on the PFCP Network Intrusion Detection System (PFCP IDS Sensor). P2CODE-AM functionality is implemented and supported by a set of Python packages:
- attack_mitigation_ids
- attack_mitigation_rl

P2CODE-AM functionality is supported by two Python packages that can be installed as-is in a Python environment (conda or venv). In addition, P2CODE-AM can be deployed as a separate Docker container.
Preferably, create a new Python environment to hold the package installations. Make sure that the new environment
includes basic installation libraries such as wheel and pip. These are included by default in new conda
and venv environments (in most cases).
For each package, navigate to the directory containing the package's setup.py file and build a .whl file:
python setup.py bdist_wheel
Install the packages via their .whl files using pip:
pip install <my-package>.whl
P2CODE-AM can be deployed as a standalone Docker container. Follow the instructions included in the docker folder.
When deployed as Python packages, P2CODE-AM can be run from the terminal through the corresponding console entry points:
- attack-mitigation-ids-analyze
- attack-mitigaiton-ids-rl-analyze
These entry points are controlled via configuration files in TOML format, in which the following can be defined:
- Interface on which to collect network traffic
- Path to flow classifier
- Path to cicflowmeter executable
- Path to RL agent to deploy (applicable only for attack-mitigaiton-ids-rl-analyze)
When deployed as a Docker container, the above parameters are already included in the container. The service is initialized along with container initialization. The deployed container can listen to the network of other containers if it is deployed inside their network interface.
The Attack Mitigation component used data from the following publication:
- G. Amponis et al., “Threatening the 5G core via PFCP DoS attacks: the case of blocking UAV communications,” J Wireless Com Network, vol. 2022, no. 1, p. 124, Dec. 2022, doi: 10.1186/s13638-022-02204-5
with the following bibtex entry:
@article{Amponis2022-sr,
title = "Threatening the {5G} core via {PFCP} {DoS} attacks: the case of
blocking {UAV} communications",
author = "Amponis, George and Radoglou-Grammatikis, Panagiotis and Lagkas,
Thomas and Mallouli, Wissam and Cavalli, Ana and Klonidis,
Dimitris and Markakis, Evangelos and Sarigiannidis, Panagiotis",
journal = "EURASIP J. Wirel. Commun. Netw.",
publisher = "Springer Science and Business Media LLC",
volume = 2022,
number = 1,
month = dec,
year = 2022,
copyright = "https://creativecommons.org/licenses/by/4.0",
language = "en"
}