False base stations -- IMSI catchers, Stingrays -- are devices that impersonate legitimate base stations, as a part of malicious activities like unauthorized surveillance or communication sabotage. Detecting them on the network side using 3GPP standardized measurement reports is a promising technique. While applying predetermined detection rules works well when an attacker operates a false base station with an illegitimate Physical Cell Identifiers (PCI), the detection will produce false negatives when a more resourceful attacker operates the false base station with one of the legitimate PCIs obtained by scanning the neighborhood first. In this paper, we show how Machine Learning (ML) can be applied to alleviate such false negatives. We demonstrate our approach by conducting experiments in a simulation setup using the ns-3 LTE module. We propose three robust ML features (COL, DIST, XY) based on Reference Signal Received Power (RSRP) contained in measurement reports and cell locations. We evaluate four ML models (Regression Clustering, Anomaly Detection Forest, Autoencoder, and RCGAN) and show that several of them have a high precision in detection even when the false base station is using a legitimate PCI. In our experiments with a layout of 12 cells, where one cell acts as a moving false cell, between 75-95\% of the false positions are detected by the best model at a cost of 0.5\% false positives.
翻译:假基站 -- -- IMSI抓捕者、Stingrays -- -- 是假基站的装置,假冒合法基地站,作为未经授权的监视或通信破坏等恶意活动的一部分。使用3GPP标准测量报告在网络一侧检测它们是一种很有希望的技术。当攻击者使用非法的物理细胞识别器(PCI)运行假基站时,使用预先设定的检测规则非常有效。当攻击者使用更聪明的攻击者首先扫描邻居而获得的合法PCI操作假基站时,检测就会产生虚假的负值。在本文中,我们展示了机器学习(ML)如何应用来减轻这种虚假的负值。我们通过使用 ns-3 LTE 模块在模拟设置中进行实验来展示我们的方法。我们根据参考信号接收能力(RSRPP)在测量报告和单元格位置(RSRP) 进行三个强的ML功能(COL、DI、XI、XY(RSRP),我们根据参考信号信号接收器报告对四个ML模型(Regionionion Contracional croduction,Aut Foration For、 Autencoder and and and RCGANAN)进行模拟定位,我们12 测测测测测测测测测测测到一个正的P-25的PL)时,在12个底基点之间,我们测测算为一个正的正。