
Graduate student: 何筱珊
Siao-Shan He
Thesis title: Detection of Rogue Base Station Attacks in 4G LTE
Advisor: 鄭欣明
Shin-Ming Cheng
Oral defense committee: 黃俊穎
Chun-Ying Huang
李奇育
Chi-Yu Li
鄭欣明
Shin-Ming Cheng
周詩梵
Shih-Fan Chou
徐瑞壕
Ruei-Hau Hsu
Degree: Master
Department: College of Electrical Engineering and Computer Science - Department of Computer Science and Information Engineering
Year of publication: 2021
Graduation academic year: 109
Language: English
Number of pages: 33
Keywords: Rogue Base Station Attacks, Rogue Base Station Detections, Software-Defined Radio (SDR)
    In recent years, the rise of low-cost Software-Defined Radio (SDR) has led to an increase in rogue base station attacks that exploit 4G protocol vulnerabilities, so detecting these unauthorized rogue base stations has become more important. In this paper, we aim to use the unstable signal strength of rogue base stations to improve the accuracy of detecting rogue base station attacks in 4G LTE. In the experiment, we use the Attach Reject attack, which is based on NAS layer vulnerabilities, as the detection target. We use the open-source software srsLTE and a low-cost SDR to build a 4G rogue base station that can send malicious Attach Reject messages. We also use srsUE and a commercial SIM card combined with an SDR to design a detector that can receive signaling from legitimate and rogue base stations and run the detection mechanism we propose. The detection mechanism is based on the instability of the Reference Signal Received Power (RSRP), a PHY layer measurement, of the rogue base station: it calculates the maximum signal strength difference between SIB1 and Attach Reject to distinguish whether received messages come from a legitimate or a rogue base station. The experimental results show that the accuracy of using RSRP to identify the Attach Reject messages is 91%. Therefore, using the maximum signal strength difference in this interval is an effective way to improve the recognition of Attach Reject messages. In the future, we can also extend our mechanism to detect more rogue base station attacks by analyzing the RSRP distribution of other attacks.
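
    The check described in the abstract, as an added illustration that is not code from the thesis. It assumes the "maximum signal strength difference" is the max-minus-min RSRP spread over the window from SIB1 to Attach Reject; the sample layout, event names and the 6 dB threshold are hypothetical, and the traces are constructed.

```python
from typing import Iterable, NamedTuple, Optional

# Assumption: the abstract gives no threshold; 6 dB is a placeholder that
# would have to be calibrated on measurements from real cells.
THRESHOLD_DB = 6.0

class Sample(NamedTuple):
    t_ms: int        # receive time at the detector
    event: str       # "SIB1", "ATTACH_REJECT", or "MEAS" for a plain PHY report
    rsrp_dbm: float  # RSRP measured when the sample was taken

def max_rsrp_difference(samples: Iterable[Sample]) -> Optional[float]:
    """RSRP spread (max - min) from a SIB1 to the next Attach Reject.

    Returns None when no complete SIB1 ... Attach Reject window exists.
    """
    window = None
    for s in sorted(samples, key=lambda s: s.t_ms):
        if s.event == "SIB1":
            window = [s.rsrp_dbm]          # (re)start at the latest SIB1
        elif window is not None:
            window.append(s.rsrp_dbm)
            if s.event == "ATTACH_REJECT":
                return max(window) - min(window)
    return None

def classify(samples: Iterable[Sample],
             threshold_db: float = THRESHOLD_DB) -> str:
    """Label one attach attempt by how unstable its RSRP was."""
    diff = max_rsrp_difference(samples)
    if diff is None:
        return "incomplete"                # nothing to judge yet
    return "suspect" if diff > threshold_db else "consistent"

# Constructed traces (not measurements from the thesis).
STABLE = [Sample(0, "SIB1", -95.0), Sample(40, "MEAS", -94.2),
          Sample(80, "MEAS", -95.6), Sample(120, "ATTACH_REJECT", -94.8)]
UNSTABLE = [Sample(0, "SIB1", -88.0), Sample(40, "MEAS", -79.5),
            Sample(80, "MEAS", -91.0), Sample(120, "ATTACH_REJECT", -83.0)]
NO_REJECT = [Sample(0, "SIB1", -95.0), Sample(40, "MEAS", -94.0)]

if __name__ == "__main__":
    for name, trace in [("stable", STABLE), ("unstable", UNSTABLE),
                        ("no reject", NO_REJECT)]:
        print(name, max_rsrp_difference(trace), classify(trace))
```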

    1. Introduction
    2. Related Work
    3. Motivation
    4. System Architecture
    5. Experimental Method
    6. Results
    7. Conclusion
    References

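    Full-text public release date: 2031/10/22 (campus network)
    Full-text public release date: full text not authorized for public release (off-campus network)
    Full-text public release date: full text not authorized for public release (National Central Library: Taiwan theses and dissertations system)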