Core Network Honeypot and Machine Learning

Attacks to the IPX via the Internet are not theoretical, they do happen. We set up a GTP and diameter honeypot to collect attack sample data to apply machine learning to. We will introduce the motivation and challenges of using machine learning in IPX security, the design and feature choices we made and where we see further work needed.

Attacks on IPX

• How do attackers get in? – Just to set the scene
  • Darknet
  • Service companies
  • Hack your way in (focus of this talk)
  • Trick a local operator
• Introduction to Shodan.io
  • How does it work
• GTP crawler on internet?
• real or fake?

• we wanted to know

• Why is GTP important today?
• 5G Service Based Architecture
• N9 interface

• GTP_U v1.0

• Attack detection in the firewall
• Static rules good start
• Attackers will get better (maybe they are already)
• Need to be able to use “magic”

Machine Learning

• Machine Learning Magic
• Clustering
• Classification
• Regression

• Dimension reduction

• Using Machine Learning for anomaly detection in IPX
• Give me…..DATA, DATA, DATA…. maybe
• Labels???????
• Can we ask attacker to use the evil bit RFC?

Our honeypot - Architecture used in our honeypot - Brief introduction on the set-up and software used - How does it look from the outside and why do we make it look like that? - Ports open and why those

• Findings
  • Normal stuff (scanning, OS specific etc)
• The interesting attacks (GTP specific)

-Geographical attack distribution

• Applying Machine Learning (baby steps) • Data crunching and conversion • Feature extraction for machine learning ◦ Discussion with audience ▪ if they think those are the best possible features ▪ Is the feature selection biased? Next steps • Take real traffic data and cluster around the found labeled attack • Make the honeypot “chattier”…. Summary & Wrap-up