
Graduate student: 謝萬霖 (Wan-Lin Hsieh)
Thesis title: On Exploiting Self-Organized Container Virtualization Radio Access Network Platform to Realize Cooperative Rogue Base Station Attack
Advisor: 鄭欣明 (Shin-Ming Cheng)
Oral defense committee: 張世豪 (Shih-Hao Chang), 沈上翔 (Shan-Hsiang Shen)
Degree: Master
Department: College of Electrical Engineering and Computer Science - Department of Computer Science and Information Engineering
Year of publication: 2019
Academic year of graduation: 107
Language: English
Number of pages: 39
Keywords: Self-Organized, Container Virtualization, Radio access network virtualization, Long Term Evolution, Software Defined Radio, Denial-of-Service attack
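  • LTE (Long Term Evolution) has been the mainstream mobile network technology in recent years. UMTS (Universal Mobile Telecommunications System) is gradually being phased out, and widespread adoption of 5G NR (New Radio) is still a long way off, so the security of LTE is especially important. LTE is already subject to attacks such as the IMSI-catcher (International Mobile Subscriber Identity-catcher), the DoS attack (denial-of-service attack) and the relay attack. These attacks are usually carried out through a rogue base station, but the attack range is limited by the rogue base station's signal strength. This thesis proposes a self-organized container virtualization radio access network platform. Using the software-defined radio device USRP (Universal Software Radio Peripheral) and the open-source software OAI (OpenAirInterface), we build core networks and rogue base stations for various attack purposes, and virtualize them with the open-source container technology Docker and overlay network technology. With our experimental platform, virtualized radio access networks for various attacks can be built quickly. In addition, we configured various APIs within the virtualized services to implement the self-organizing function, which lowers the user's setup and maintenance cost while raising resource utilization. In particular, we used our experimental platform to implement several cooperative rogue base station attacks. Finally, we use several usage scenarios to attack real telecom operators to verify the feasibility of our cooperative rogue base station attacks and our experimental platform.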


    LTE (Long Term Evolution) has been the dominant mobile communication technology in recent years. UMTS (Universal Mobile Telecommunications System) is gradually being replaced by LTE, and 5G New Radio still needs a lot of time to be tested. Therefore, the security issues of LTE are very important in the transition period. We surveyed recent LTE security issues, such as the IMSI-catcher (International Mobile Subscriber Identity-catcher), the DoS attack (Denial-of-Service attack), and the relay attack. Attackers usually use a rogue base station to carry out these attacks. However, most of these rogue base stations use open source LTE projects and low-cost hardware development antennas, and the range of these attacks is heavily affected by antenna power. In this paper, we propose a Self-Organized Container Virtualization Radio Access Network (SOCV-RAN) platform, which is flexible, scalable, and rapidly expandable, to realize some cooperative rogue base station attacks. We used several open source LTE projects with USRP, a software-defined radio, to build the rogue base station. We virtualized these attack functions by using Docker container technology and overlay networks. On our experimental platform, we can quickly build several kinds of virtualized radio access networks for attacks. Moreover, we provide various APIs to implement self-organization, which makes maintenance easy for the user and dynamically allocates hardware and software resources to increase the efficiency of resource utilization. Finally, we use some scenarios to attack real telecom vendors to verify the feasibility of our cooperative rogue base station attacks and experimental platform.

    Chinese Abstract
    Abstract
    Table of Contents
    List of Tables
    List of Illustrations
    1 Introduction
    2 Related Work
    2.1 RAN (Radio Access Network) architectures
    2.2 RAN implementation
    2.3 Virtualization technology
    2.4 Container Network Interface
    2.5 LTE attacks
    3 System Architecture
    3.1 System architecture
    3.2 Isolated Mode and Cooperative Mode
    3.3 Cooperative rogue base station attacks
    4 SOCV-RAN
    4.1 APIs
    4.2 Process
    5 Implementation and Experiment
    5.1 Environment setup
    5.2 Implementation details
    5.3 Experiment results
    6 Conclusion
    References


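    Full-text release date: 2024/07/26 (campus network)
    Full-text release date: 2024/07/26 (off-campus network)
    Full-text release date: 2024/07/26 (National Central Library: National Digital Library of Theses and Dissertations in Taiwan)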