5GShield: HTTP/2 Anomaly Detection in 5G Service-Based Architecture

Fifth Generation (5G) core network leverages the application-layer Hypertext Transfer Protocol version 2 (HTTP/2) to enable the communication between the Network Functions (NFs) of its Service-Based Architecture (SBA). 5G SBA adopts the security-by-design principle, yet, the usage of HTTP/2 introduces some vulnerabilities related to its features exploitation. For instance, the HTTP/2 stream multiplexing attack exploits the stream multiplexing feature, which allows carrying multiple requests over a single TCP connection, and causes a Denial of Service (DoS) on 5G SBA. HTTP/2 attacks can be detected using traditional flow-based anomaly detection solutions in a web environment. Nonetheless, these solutions fall short in detecting these attacks in a 5G network, as we show in this work. To reinforce 5G core network security against HTTP/2 attacks, we propose 5GShield, a novel application-layer anomaly detection framework that uses neural networks, namely, Autoencoder, for anomaly detection. To evaluate our approach, we deploy a 5G testbed, simulate the HTTP/2 stream multiplexing attack and collect HTTP/2 data. Our experimental results show that 5GShield can detect HTTP/2 stream multiplexing attack with an F1-score of 0.992, outperforming a flow-based anomaly detection solution that exhibits an F1-score of 0.78. 5GShield shows the efficiency of 5G-specific application-layer features in exposing HTTP/2 attacks that can go undetected at the network layer.