AI/ML-Based IDS as 5G Core Network Function in the Control Plane for IP/non-IP CIoT Traffic

In this paper, we design and implement an Intrusion Detection System (IDS) within the 5G core network, which is capable of inspecting both IP and non-IP data flows. By leveraging the Access and Mobility Management Function (AMF) Network Function (NF) communication service, our IDS can analyze all Cellular Internet of Things (CIoT) data traffic flowing across both the User and Control Planes (UP and CP), enabling the detection of malicious activities originating from or targeting IoT networks. Our proposal is aligned with the 3GPP Release 17 (R17) standard and makes use of predefined functionalities to ensure compliance. Our proposal is non-intrusive and does not interfere with the core network's usual processes based on existing Service Based Interfaces (SBI). Additionally, we demonstrate that the classification of a data packet as malicious or benign is context-dependent using AI/ML Transformer Encoder architectures. We implement and integrate our proposed 5GCIoT IDS as a Network Function inside the 5G Amarisoft platform for extensive experimentation. To evaluate the models' performance, we train our models with different categories of safe and malicious generated traffic and apply them to an emulated realistic scenario. We obtained a very promising result.