Device-level Anomaly fRamEwork (DARE) offers a set of assessment tools for critical communications infrastructure, building a new level of trust and reliability into the Nation's telecommunication systems. This framework is a non-invasive, physical metrology-based approach that utilizes correlated multilayer measurements coupled with cross-layer anomaly detection to expose tampering or misconfiguration of wireless communication devices, base stations, and other radio access hardware.
Current cybersecurity strategies do not offer this level of security assessment because they typically monitor and defend the layers independently. These strategies generally do not have visibility into tampering aimed at the device's lower-level physical layer, nor do they leverage information from multiple layers or parts of the system to detect tampering. Driven by stakeholder engagement and national priorities in 5G security, this collaborative research effort aligns commercial, government, and manufacturing interests by providing an additional cybersecurity methodology that gives industry a broader analysis.
Cross-layer anomaly detection leveraging physical layer (L1), medium access control layer (L2), and network (L3) measurements to detect misconfiguration or tampering of gNB & User Equipment:
1) Measurements of telecommunication devices at L1, L2, and L3 in 5G commercial-grade network
2) Cross-layer correlation and time alignment of observable responses
3) Identification of anomalous telecommunication device behavior
A collaborative NIST team is taking a multi-disciplinary approach in cybersecurity, wireless communications, and machine learning. The DARE project leverages NIST's diligent approach and capabilities, including detailed use cases, design of experiments with rigorous multilayer measurements, and robust machine learning algorithms.
Discussions with stakeholders have yielded insightful information for the development of impactful use cases, including detection of misconfigured or tampered base stations and rogue gNBs impersonating legitimate gNBs.
Design of Experiment with Rigorous Multilayer Measurements: gNBs have thousands of settings or "factors" that require configuration before commissioning and deployment. Reducing this large number of gNB factors down to a small, security-relevant number of factors (e.g., 5 to 10) is accomplished using a rigorous experimental design and stressed test cases. Multilayer measurements of gNB behavior, taken within a 5G commercial-grade network using instrumentation with metrology-level diagnostic capability in the controlled 5G Spectrum Sharing testbed, ensure high-quality and accurate collection of the experimental responses. Test cases accentuate the behavior of the gNB's observable responses. The output of the design of the experiment, combined with physical measurements in a controlled laboratory setting, enables us to bound the performance of the gNB, thus creating the security reference device.
Robust anomaly detection algorithms quantify the variation between measurements of reference and "unknown" gNBs with rigorous clustering and classification techniques. We broaden the class of discoverable anomalies compared to traditional anomaly detection techniques by leveraging the correlation of measurements between the physical, MAC, and network layers. The specific features which indicate anomalous behavior in "unknown" gNBs are another output of value; they can lead to more efficient measurements. We also use classical measures of detection performance, such as receiver operating characteristic (ROC) curves, to improve anomaly detection algorithms and evaluate new ones.
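The following added example (not DARE's own code or algorithm) illustrates why correlating layers widens the class of detectable anomalies: it scores a time-aligned (L1, L2, L3) sample against a reference device with a squared Mahalanobis distance, a technique chosen here for illustration, and compares that with independent per-layer limits. The measurement choices (SINR, MCS index, throughput), the constructed reference data, and the cutoff are all assumptions.

```python
import random
import statistics

def fit_reference(rows):
    """Mean vector and sample covariance of reference-device measurements."""
    d = len(rows[0])
    mean = [statistics.fmean(r[j] for r in rows) for j in range(d)]
    cov = [[sum((r[i] - mean[i]) * (r[j] - mean[j]) for r in rows) / (len(rows) - 1)
            for j in range(d)] for i in range(d)]
    return mean, cov

def solve(a, b):
    """Solve a @ x = b for a symmetric positive-definite a (no pivoting needed)."""
    n = len(b)
    m = [row[:] + [b[i]] for i, row in enumerate(a)]
    for c in range(n):
        for r in range(c + 1, n):
            f = m[r][c] / m[c][c]
            m[r] = [v - f * w for v, w in zip(m[r], m[c])]
    x = [0.0] * n
    for r in reversed(range(n)):
        x[r] = (m[r][n] - sum(m[r][k] * x[k] for k in range(r + 1, n))) / m[r][r]
    return x

def cross_layer_score(x, mean, cov):
    """Squared Mahalanobis distance of one time-aligned (L1, L2, L3) sample."""
    d = [xi - mi for xi, mi in zip(x, mean)]
    return sum(di * si for di, si in zip(d, solve(cov, d)))

def per_layer_flags(x, mean, cov, k=3.0):
    """Layer-by-layer check: is any single value more than k sigma off?"""
    return [abs(x[j] - mean[j]) > k * cov[j][j] ** 0.5 for j in range(len(x))]

def is_anomalous(x, mean, cov, threshold=16.27):
    # 16.27 is about the 99.9% chi-square quantile for 3 dof; the cutoff is an assumption
    return cross_layer_score(x, mean, cov) > threshold

def constructed_reference(n=500, seed=7):
    """Constructed stand-in for reference-gNB data: (SINR dB, MCS index, Mbps)."""
    rng, rows = random.Random(seed), []
    for _ in range(n):
        sinr = rng.gauss(18, 4)
        mcs = sinr + 2 + rng.gauss(0, 0.8)                    # L2 tracks L1
        rows.append((sinr, mcs, 10 * mcs + rng.gauss(0, 8)))  # L3 tracks L2
    return rows

MEAN, COV = fit_reference(constructed_reference())
CONSISTENT = (24.0, 26.0, 260.0)   # constructed sample: layers agree with each other
MISMATCHED = (24.0, 20.0, 200.0)   # constructed sample: good SINR, low MCS and throughput
```

Every value in `MISMATCHED` sits within three standard deviations of the reference on its own layer, so `per_layer_flags` reports nothing, while `is_anomalous` flags it because the L2 and L3 values do not match what the reference device does at that L1 condition.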