crowdsourcing analysis in 5g iot: cybersecurity threats ... · 3 crowdsourcing use cases and...
TRANSCRIPT
Crowdsourcing analysis in 5G IoT: Cybersecurity
Threats and Mitigation
Ana Nieto · Antonio Acien · Gerardo Fernandez
Received: date / Accepted: date
Abstract Crowdsourcing can be a powerfulweapon against cyberattacks in 5G networks.In this paper we analyse this idea in detail,starting with the use cases in crowdsourcingfocused on security, and highlighting those ar-eas of a 5G ecosystem where crowdsourcingcould be used to mitigate local and remoteattacks, as well as to discourage criminal ac-tivities and cybercriminal behaviour. We payparticular attention to the capillary network,where an infinite number of IoT objects coex-ist. The analysis considers the di↵erent partic-ipants in a 5G IoT ecosystem.
Keywords 5G security · Proactive security ·Cybersecurity · Digital Witness
1 Introduction
The main objective behind crowdsourcing is topose a problem to a participative community,willing to resolve the challenge, after whichthey expect a reward [7]. This idea has been
A. Nieto, A. Acien and G. Fernandez
Ada Byron Research Centre C/ Arquitecto Fran-
cisco Penalosa, n 18 Ampliacion Campus de Teati-
nos. Universidad de Malaga, 29071 Malaga (Spain)
Tel.: 34-951-952914
Fax: +34-951-952749
E-mail: {nieto,acien,gerardo}@lcc.uma.es
applied to the Internet of Things (IoT) contextin several ways, through users and their IoTdevices, for very diverse purposes (i.e. Section3). However, it has not yet been su�cientlydiscussed how these features can help mitigatethe e↵ect of cyberattacks in truly complex net-works. These are severely exposed due to thewide array of technologies at di↵erent levels ofabstraction, as is the case of the fifth genera-tion of cellular networks (5G).
Considering that the 5G IoT is the ecosys-tem formed by 5G including the IoT context,in this paper we discuss how crowdsourcingcould help stop or mitigate the e↵ect of attacksin 5G IoT, when applied at di↵erent levels,considering the participants involved (users,infrastructure and service providers) as crowds.
This paper is motivated by the rapid ex-pansion of 5G technologies and the slow adap-tation of IoT devices to these changes. It is un-realistic to think that IoT devices will be moresecure when 5G networks are fully deployed,or to trust 5G technologies (c.f. Section 2) tosolve IoT security problems on their own. In-stead, in this article we adopt a di↵erent pointof view: since the IoT devices will introducenumerous security problems, it is necessary toprovide cooperation mechanisms so that thedata of these devices can be used for the detec-tion and mitigation of threats. This additional
A. Nieto, A. Acien, and G. Fernandez, “Crowdsourcing analysis in 5G IoT: Cybersecurity Threats and Mitigation”, Mobile Networks andApplications (MONET), pp. 881-889, 2018.http://doi.org/https://doi.org/10.1007/s11036-018-1146-4NICS Lab. Publications: https://www.nics.uma.es/publications
2 Ana Nieto et al.
Network Function Virtualisation (NFV)
Virtual interfaces
Dynamic RAN (DyRAN)
Cloud RAN, vRAN
Mobile Edge Server
Software Defined InfrastructureInfrastructure as a service
Software Defined Networks (SDN)
Control Plane
Data Plane Network
device
Remote control plane
Software Defined Network FunctionPlatform as a service
Orchrestration
Virtual services
Virtual network servicesSlice 1 - Enhanced mobile broadband
High mobility, massive content, etc.
Software Defined Network Slices based on use cases
…
Slice 2 - Internet of Things (IoT)Subway service, inventory control, massive sensing, resource constrained.
Slice 3 - Automotive / Critical IoTAutonomous driving, road control, etc.
CloudData Centered
Virtualised Network Functions (VNF)
VNF SE - Slice xVNFC - Privacy
VNFC - Trust…
Virtual compute
Virtual storage
Virtual Network
VNF SE - Slice yVNFC - EWS…
Building blocks
User A
User B
Social FactorsIdentity, privacy,
individual relationships,
role, past behaviour, etc.
D1
D2
D3
D: device
VNFC - Isolation
Users Capillary network (physical user’s IoT devices)
Service Provisioning(Infrastructure properties)
D2D
Fig. 1: Crowds and 5G technologies
overhead would be acceptable for 5G networks,but the sources (crowds) have to be convincedto cooperate.
The concept of crowdsourcing links thesetwo worlds naturally, by defining interests forparticipants - users and providers - to moti-vate the mutual cooperation in order to stopcybercrime.
The paper is structured as follows. Section 2describes the new context introduced by 5GIoT. Section 3 discusses a set of use cases forcrowdsourcing and how these can evolve to-wards cybersecurity in 5G. Section 4 analy-ses the areas in 5G that could harness crowd-sourcing for cybersecurity. Based on these re-sults, Section 5 introduces a model to analysethe use case of end-user collaboration consid-ering a native solution for IoT. Section 6 showspreliminary results about how a witness-basedmechanism can contribute to mitigate the ef-fect of attacks based on the proximity of theo↵ender to the victim. Finally, Section 7 con-cludes the paper.
2 5G and the Internet of Things (IoT)
One of the most notorious changes introducedin 5G is the massive use of software-definednetworks (c.f. Fig. 1). In particular, there will
be three fundamental parts in a 5G environ-ment that will be defined by software, increas-ing the flexibility of the cellular network: net-work slices, the communication infrastructureand network functions.
Network slices are defined based on specific
use case requirements, but using shared (net-work) resources. The IoT is considered an im-portant use case in 5G [1, 14, 17], for whichspecific slices should be defined. IoT networkslices have to consider the resource-constrainednature of the devices and other requirementsrelated to the specific purpose of the networkslice (e.g. e-home, industrial IoT). Therefore,the need for the network to provide specialcoverage for IoT objects is clear. Nevertheless,how IoT objects will be adapted to this con-textual change, in particular to not be a threatto the infrastructure, is still an open challenge.Moreover, while the proliferation of attacks isa↵ecting to the current, deployed cellular net-works, in 5G the problem is even more wor-risome, since the speed improvements in thecommunications also allow a more e�cient dif-fusion of the attacks, and the software layersare intrinsically related.
In addition, the communication infrastruc-ture will be defined by software, which meansa higher decoupling between software (controldecisions) and hardware (network devices). One
Crowdsourcing analysis in 5G IoT: Cybersecurity Threats and Mitigation 3
of the open challenges in 5G is how to imple-ment aDynamic Radio Access Network (DyRAN),which will allow the mix of generic 5G ser-
vices, enabling real-time decisions about theaccess of the devices to the network based onthe service requirements. Note that behind thistechnology there are management decisions whicha↵ect (shared) network resources. Therefore,controlling misbehaviour in this vulnerable partof the network will be essential to avoid re-source starvation. The lack of responsibility forthese actions is a clear problem in the IoT [11],which, in turn a↵ects 5G networks.
An important feature in 5G is to make useof Device-to-Device (D2D) communication toincrease the coverage of the network, for exam-ple, using network relays [13]. Therefore, in acellular network, D2D communications will betypical in the capillary network (due the func-tionality of IoT devices and mobile platforms),but also as part of the infrastructure in orderto work. This opens the door to a new set ofvulnerabilities and attacks that can be propa-gated hop by hop to reach a vulnerable devicefrom which critical parts of the infrastructurecan be accessed (e.g., software controllers). Asis throughly described in the latest ENISA 5Gsecurity report [1], SDN controllers are vul-nerable to attacks against the communicationAPIs used between the controllers and also be-tween the controllers and the SDN elementsthat will be close to the user.
Note that a marked di↵erence in 5G com-pared to previous generations, is the need tobring the technology to the user. Thus, hottopic movements such asMobile Edge Comput-
ing (MEC) will bring the Cloud closer to thecapillary network of devices. This will bringabout, in addition to improvements in perfor-mance, improvements in data management toexploit the architectural changes. Therefore,5G environments will be better prepared towork with massive data from the capillary net-
work. This is a crucial factor that will make 5Genvironments much better prepared than theirpredecessors for crowdsourcing solutions.
Finally, the ability to virtualise network func-tions will be critical in providing specific net-work services while minimising hardware de-pendency. Using Network Function Virtualisa-
tion (NFV), the network services could be in-stalled in a standard hardware platform. Fur-thermore, the software can be replaced easilythan the hardware. This also helps security,in the sense that an attack could be containedand the a↵ected services stopped and launchedagain, while new services are launched to at-tend to the user’s demands. However, the useof software also exposes the system to unknownvulnerabilities.
3 Crowdsourcing use cases and
Evolution to 5G IoT Cybersecurity
In this section the use cases for crowdsourcingthat can be adapted to be used for 5G cyber-security are discussed.
3.1 Commercial purposes
As part of the 5G business model, parts of thephysical infrastructure can be shared amongseveral service providers (SPs) (c.f. MEC, Sec-tion 2). In this context, it will be critical topromote crowdsourcing between SPs to to iden-tify attacks that can a↵ect a shared infrastruc-ture of a common set of services. Therefore, se-curity mechanisms must be deployed for shar-ing relevant information between the SPs tomitigate the e↵ects of a possible propagationof an attack while ensuring that these servicesmeet privacy and confidentiality requirements,as well as other ethical aspects. This will be es-sential to ensure the shared information doesnot encourage corporate espionage.
A similar approach to crowdsourcing canbe found in projects like the Malware Informa-
tion and Sharing Platform (MISP) [16] whichis a software platform for sharing informationbetween organisations about recent threats, fos-tering the development of countermeasures bygenerating Indicators of Compromise (IOC) for
4 Ana Nieto et al.
antivirus software, firewalls and Intrusion De-tection Systems. For instance, the CIRL MISPThreat Sharing Service [8] comprises more than700 di↵erent organisations and companies (mainlyEuropean) where analysts share knowledge aboutcurrent malware campaigns, correlating the in-formation available and providing new evidenceas soon as it is collected.
3.2 Fast response after natural disasters
The power of crowdsourcing applications towarn of natural disasters is highlighted in [5],where crowdsourcing is proposed to mitigatedisasters through the cooperation of individ-uals using social media. Although the resultsof this paper could help improve the mitiga-tion mechanisms after an attack, the nature ofcybercrime is complex enough to require di↵er-ent mitigation techniques. First, in cybercrimescenarios there are human actors with the in-
tention to cause harm to an individual or tosociety [2]. Second, the pattern to predict theattack or to predict the extent of the damageare not the same. While natural disasters canbe predicted through observation, and whenthey occur the damage can be clearly seen,cyberattacks are much more complex. Clearexamples of this are the Advanced Persistent
Threats (APT). These are latent and thereforego unnoticed in the targeted system, waitingto act in the moment they have the best chanceof causing the most damage to the system. Inother words, APTs do not necessarily follow aknown, identifiable pattern. These attacks willalso a↵ect cellular networks.
3.3 Mitigation of physical attacks
In [10] crowdsourcing data is generated frommobile phones with integrated chemical-agentdetectors in order to provide an Early Warn-
ing System (EWS) within a security network,which quickly warns of detected threats. Theproposed solution depends on a sensor network
infrastructure which sends commands to a se-cure network to fight against physical attacks.
However, software attacks are very di↵er-ent from physical attacks and require new mod-els to be analysed. It must be highlighted thatone of the main problems in 5G networks isthat the infrastructure is unable to store de-tailed information about the IoT devices aftera certain time (due the density of the networks,and the capabilities of the relay nodes). There-fore, after a time, the relays forget if a new
input-node to the cell was a malicious node.Physical layer security mechanisms attempt toaddress these issues [19, 13], but depends onnetwork information that they simply don’thave (e.g. the location of the attacker). Oneway to solve or mitigate these problems is todeploy part of the security controls at the edgeor in the user’s IoT devices, or to implementcrowdsourcing mechanisms between trustwor-thy devices to identify potential threats.
3.4 Social media
One example of massive crowdsourcing are so-cial networks [18]. These have encouraged theneed of the user to be always-on. Social ap-plications, such as Whatsapp, Twitter, Face-
book, to name a few, serve to e↵ectively spreadnews items, even before these are published inthe traditional media. These and other open
platforms have permitted, for example, the co-operation between anonymous people to stopthe propagation of the recent WannaCry mal-ware [6]. In the same way, these communi-cation highways generate rich information foranalysis to identify patterns and relationshipsbetween individuals. This is a serious concernwith regards to privacy.
Therefore, social media is another vehiclefor 5G crowdsourcing in two ways: 1) tradi-tional crowdsourcing between humans but fo-cused on identifying misbehaviour or physicalattacks against the devices of the infrastruc-ture (e.g. relays), and 2) crowdsourcing to ex-tract relevant information to be processed by
Crowdsourcing analysis in 5G IoT: Cybersecurity Threats and Mitigation 5
automatic tools to identify patterns (e.g. au-tomatic analysis using open source intelligencebut centered on parameters of interest for theservice providers).
3.5 End-user collaboration
Crowdsourcing is fundamental as a tool forend-user collaboration against attacks target-ing user devices. In this regard, the conceptof digital witness (DW), is defined in [11] forIoT environments. The idea is to help citi-zens report misbehaviour, attacks and o↵encesagainst themselves or other citizens, and tostore digital evidence in order for it to be usedin a court of law. This solution requires the co-operation of people to stop those attacks thatas humans we cannot see, but our devices can
detect. This reasoning can be applied at theedge of a 5G IoT network, providing the DWfunctionality as a service (c.f. Section 5.1.3).In [4] the authors applied similar concepts toobtain electronic evidence from vehicular net-works (cars as witness), which is very usefulconsidering that vehicular networks are a keyuse case in 5G. A common requirement in pre-vious related work is that everyone insists onthe need to have a trusted third party ele-ment, either embedded or as part of an ex-ternal query trustworthy system.
4 Crowdsourcing for 5G IoT security
Crowdsourcing can be classified, in accordancewith di↵erent factors, as stated in [7], whereeight general characteristics are identified: (a)there is a clearly defined crowd; (b) there existsa task with a clear goal; (c) the recompense thecrowd receives is clear; (d) the crowdsourcer isclearly identified; (e) the compensation to bereceived by the crowdsourcer is clearly defined;(f) it is an online-assigned participative pro-cess; (g) it uses an open call of variable extent;(h) it uses the Internet. While the concept hasevolved to include autonomous entities (e.g.sensors), these criteria are still being applied.
Table 1 shows the relationships between thecharacteristics of crowdsourcing as listed andwhat we consider to be potential crowds in 5G(Fig. 1) i.e. users, the IoT devices in the cap-illary network, legacy RATs, and the serviceproviders.
4.1 Users
The users in a 5G network have at least oneIoT device, and have the possibility to person-
alise the software of their devices, for example,installing specific tools for crowdsourcing.
The role of the user in 5G cybersecurity istwofold. First, as mentioned in Section 3.4, so-cial media as a crowdsourcing mechanism canbe used to warn of cyberattacks or to helpcoordinate individuals to help understand thethreat. Second, Table 1 shows a di↵erent pointof view, close to the idea of end-user collabo-ration, but applied to physical attacks or tra-ditional digital evidence (e.g. images). Thus,the user can contribute to the prosecution oftraditional criminals, using the 5G infrastruc-ture as a resource to share the information.These attacks could be from physical attacksagainst the physical components of the infras-tructure (e.g. vandalism against legacy RATelements) captured by the citizen to prove thata well-known cybercriminal is close to a criticalinfrastructure. How to address these require-ments while still integrating privacy issues is acritical concern. Permitted actions should bethe same as those actions allowed using thetraditional compliant mechanisms for citizens.
4.2 Capillary network - IoT devices in 5G
The capillary network in 5G is formed by IoTdevices, some of them able to connect to otherdevices via D2D (Section 2). In 5G this con-cept is extended to Machine Type Communi-
cation (MTC)[15]. According to [3], the de-vices have di↵erent ways of connecting to the5G infrastructure: a) direct, b) aggregation, c)short-range D2D. All these types of access are
6 Ana Nieto et al.
Table 1: Crowdsourcing for 5G IoT Cybersecurity
Crowd Crowdsourcer Publishing
(a)
Who
(b) Task (c) Reward (d) Who (e) Benefit (f) Pro-
cess
(g) Call (h) Internet
Users Social media for co-
ordination & Warn-
ing of crime
Duty to the
community
Subscriber (Cyber)
criminal
profiles
Certified
software
from LEA
All end-
users
Through 5G
Capillary
network
Warn of misbe-
haviour and attacks
Increase trust/
reputation
Legacy
RATs
Cybercriminal
profiles
D2D Ser-
vice
All de-
vices
Using a de-
vice or 5G
Legacy
RATs
Warn of local attack-
ers, fake relays and
BSs
Protect them-
selves from lo-
cal attacks
SP at
the core
Physical 5G
infrastruc-
ture
Inclusion
in RAT
protocols
Antennas
and re-
lays
Access to
the 5G in-
frastructure
Service
Provider
(SP)
Identify vulnerabili-
ties in the SW and
the physical infras-
tructure
Access to the
information
provided by
other SPs
Service
Providers
Shared
database for
cybersecu-
rity
The process, and the call has to be
private to certain SPs with com-
mon interests
grouped under what is known asMassive MTC
(mMTC). Critical services, such as road safetyand industrial manufacturing, require Ultra-
reliable MTC (uMTC). In addition, to increasethe coverage of the antennas, whilst avoidingthe obstacles in the signal propagation, the 5Ginfrastructure uses relays (Section 4.3). There-fore, the devices or machines have to connectto the antennas using the relays.
The devices in the capillary network canuse crowdsourcing mechanisms to warn of mis-behaviour and local attacks on D2D. The crowd-sourcer will be the legacy RATs where the finalcoordination of IoT devices to access the 5Ginfrastructure is done (Section 6). Note that,to make this possible, it is mandatory to en-sure the integrity of the devices, and proba-bly not all the devices are able to provide reli-able information about the attack. Moreover,in 5G it will be necessary to deploy local se-curity controls in the IoT devices. There aremany reasons for this, but, mainly, the densityof devices makes it unfeasible to control andanalyse all the tra�c at the core, and in realtime. Moreover, certain tra�c can be danger-ous once it passes the capillary network andmoves to the core.
Finally, SDN allows di↵erent criteria to beapplied to the di↵erent use cases and flows.This makes it possible to deploy tra�c anal-ysis and mitigation mechanisms based on thedata provided by the crowds, in specific net-work slices. As Fig. 1 shows, a single user canhave more than one device connected to the
5G infrastructure, and a device can require ser-vices from two di↵erent network slices (e.g. acar for navigation and for HD video). This en-tails a serious concern about the crowdsourc-ing in the capillary network; when devices senddata to other devices (e.g. for aggregation) orto the legacy RATs (e.g. summary of the at-tack) it must be carefully considered whetherthe user’s identity can be deduced from thedata provided (linkability, etc.). It is essentialto ensure that 5G IoT crowdsourcing mecha-nisms are designed in accordance with privacyprinciples.
4.3 Enablers for Dynamic RAN
The IoT devices in the capillary network con-nect to the physical components of the 5G in-frastructure (e.g. powerful 5G antennas andrelays) using the available Radio Access Tech-
nologies (RAT) (e.g. LTE-A, mmWave). Oneof the improvements in 5G is that it uses DyRAN(Section 2), enabling the devices to act as tem-porary access nodes, amongst other advantages[3]. This part of the 5G ecosystem is highly ex-posed to physical attacks, particularly in thecase of relay networks. Relays are much neededin 5G because they allow the coverage of theantennas to be increased. Therefore if the re-lays are a↵ected, the communication betweenthe IoT devices in a specific area and the SPsis interrupted. In addition to physical attacks,it is possible to a↵ect the communications by
Crowdsourcing analysis in 5G IoT: Cybersecurity Threats and Mitigation 7
supplanting the base station closest to the re-lay (or to any DyRAN device) and drop thetra�c, or perform a DoS attack by jamming.
The traditional security solutions in thiscontext are called physical security as someof these consist in bypassing the attacker bychanging the communicating parameters be-tween the relays [13]. However, it is not al-ways possible to apply these solutions due toa lack of low-level security functionality or be-cause the information about the attacker is notavailable (e.g. the location and the transmis-sion range). Another major problem are at-tacks which exploit vulnerabilities to gain con-trol of the relays, and those that are performedremotely (because the relays will be connectedwith a command and control system throughthe Internet).
Crowdsourcing can help mitigate some ofthese security issues if the DyRAN enablersare able to store and share information aboutthe state of the relays. This information will beprocessed at the core of the network, becauserelays are part of the 5G infrastructure, andthe rest of the elements need to be informedas quickly as possible.
4.4 Service provisioning
The boundaries of crowdsourcing from a secu-rity point of view between SPs are detailed inSection 3.1. However, there are additional as-pects in service provisioning that can a↵ect 5Gsecurity. These are related to the technologiesshown in Fig. 1.
SPs are responsible for facilitating a fastdeployment of services to satisfy the user’s de-mands. A clear consensus is that NFV is a keytechnology to satisfy this purpose in 5G (Sec-tion 2). One example of how NFV can be usedfor security can be seen in Fig. 1. NFV enablesVirtual Network Functions (VNF) to be de-fined with security (SE) requirements for spe-cific services. The security requirements canbe separated into VNF Components (VNFC),which allows their use by other VNF SE suchas dockers. However, as described in Section 2,
isolation mechanisms can be bypassed by moresophisticated malware.
Therefore, crowdsourcing mechanisms canbe useful for secure service provisioning in twoways. First, to collect information about thephysical components of the 5G infrastructure(Section 3.1) and, second, to control the soft-ware components; virtual services, controllers,etc. One way to control the software compo-nents using crowdsourcing is to provide toolsfor the clients of the multi-tenant architectureto evaluate the services from a security pointof view. Another way is to designate virtualcomponents with more security restrictions toact as crowdsourcers and collect informationof the orchestrator of the virtual environment.
5 Entity-based crowdsourcing model
Fig. 2 shows the key components to be consid-ered in a model for mitigation of cybersecuritythreats through crowdsourcing.
CROWDS
CROWDSOURCERS1
EXTERNAL, IMPARTIAL SOURCES
3
4
PROCESSING UNITS
2Task
collaborationevidence
Expert support
Fig. 2: Crowdsourcing-based collaboration
The model considers four main entities:
– Crowds. Provide the data according to pre-established principles and agreements withthe crowdsourcers. These can be users anddevices, either public or private to the 5Ginfrastructure (c.f. Table 1).
– Crowdsourcers. Determine the crowdsourc-ing plan and provide the management ofthe rewards. Some potential 5G infrastruc-ture crowdsourcers are listed in Table 1.
– Processing Units. Components responsiblefor data management and providing answers.
8 Ana Nieto et al.
Early detection units, when these are allo-cated in the edge (e.g. using MEC) or re-mote detection units, when these are pro-vided in the core of the network.
– External, impartial sources. External trustedparties, agents who are responsible for pro-viding additional support that is not pro-vided by the crowdsources. A direct exam-ple is a Legal Agency Enforcement (LEA),as is shown in the use case in Section 6.
This model should be adapted to the usecase to be implemented. For example, Fig. 3shows this model applied to a specific use case.This use case, in particular, focuses on the end-user collaboration described in Section 3.5. Theuse case covers one of the most notorious, iden-tified open challenges in 5G IoT: how to fightagainst attacks in a part of the 5G ecosystemthat is not entirely under the control of the SP.
The rest of the section describes the crowd-sourcing model using this specific use case.
5.1 Applying the crowdsourcing model forend-user collaboration
The use case concentrates on the user and cap-illary network (Table 1). In this context, dif-ferent types of IoT devices are possible (e.g.sensors, vehicles, mobile phones, and drones)subscribed to services provided by the 5G in-frastructure (e.g. tra�c control information,video, and autonomous navigation).
We identify three types of crowds in 5G IoTwhich are mapped into this scenario (Fig. 3):(i) users, (ii) IoT devices enabled for D2D, and(iii) digital witnesses (c.f. Section 3). A devicecan have the role of digital witness if it satis-fies the conditions in [11] (e.g. anti-tamperingbehaviour, binding credentials and security ca-pabilities) and is certified by an LEA. Theseactors provide di↵erent data about their envi-ronment. Therefore, Fig. 3 shows three practi-cal examples about crowdsourcing in 5G IoTdescribed below.
5.1.1 User (social media) - Service provider
The first sequence for crowdsourcing is as fol-lows. (1) The service provider (SP) announcesthe task and reward (e.g. vouchers for usersto be spent on a premium service) and a pos-sible service to those users who want to col-laborate in the crowdsourcing experiment (e.g.subscription to receive information about at-tacks in their surroundings). The subscribersare other users or entities who also collaboratein the crowdsourcing. (2) The user sends tradi-tional digital evidence (e.g. pictures of vandal-ism). This evidence is manually collected, forexample, by using the camera of the device.(3) Depending on the type of evidence and theurgency, the SP may request the interventionof the LEA, or simply use this information toperform other internal tasks to improve the 5Ginfrastructure. The user will receive the rewardafter a validation process according to the ini-tial conditions of the challenge.
Note that in this sequence the user is hon-est. However, a clear requirement is to identifydishonest behaviour of users and to penalisethese kinds of actions. This can be done, forexample, ensuring the traceability of the in-formation provided by the user, in order todetermine the responsibility of the user whenhe/she provides information that could com-promise other users or the infrastructure. Forexample, the traceability could be possible us-ing the user’s personal devices as the followingsection shows. Note that this entails a seriousconcern about privacy and how this can be en-sured providing a correct balance between pri-vacy and security.
5.1.2 D2D devices - 5G Infrastructure
The task in this case is to warn of misbehavioursand network attacks (Table 1). The communi-cation is performed at the low level and doesnot require the participation of the user. This,therefore can be an additional service of the in-frastructure to help protect the capillary net-work. (1) The task performed by the IoT de-
Crowdsourcing analysis in 5G IoT: Cybersecurity Threats and Mitigation 9
User(Honest)
Sends Traditional digital evidence
Service Provider
(SP)
(a) CROWDS for citizen collaboration
Suita
ble
targ
ets
D2D device
coop
erat
ion
/ acc
ess
Digital Witness
(DW)
Gua
rdia
n Additional Security
Mechanisms
has
Sends digital evidence
(b) TASK
Legacy RAT coordinator
cooperation
Legal Agency Enforcement (LEA)
cooperation
Local check
Warns of networkattacks
Countermeasure(c) REWARD
(d) CROWDSOURCERS Announces the (b) TASK, (c) REWARD &
Services to participate
(f) PROCESS , (g) CALL, (h) INTERNET
Crowdsourcing data
Crowdsourcing data
1
2
3
BigData analysis & correlation4
5 Validation6(c) REWARD
1
2
3
4
1
Can act as
3
2
D2D deviceLegend
High level
UE / device
Security
Processing
Fig. 3: Model for end-user collaboration for mitigation of cybersecurity threats in 5G IoT
vice is to provide information about local at-
tacks and vulnerabilities in the software of the
devices. (2) The coordinator of this feature forRAT evaluates the data with local informationand (3) it contacts the SP if it needs more in-formation or if the data provided by the de-vices needs further analysis. (4) The coordina-tor communicates what countermeasure are tobe taken and assigns the reward (e.g. increasethe reputation).
In addition, Fig. 4a shows some exampleswhere personal devices can be e↵ective earlydetection systems in this context. When a per-sonal device realises that it is executing a newransomware malware (e.g. Flocker [9]), for ex-ample by detecting the encryption process, itcan (anonymously) send the last actions per-formed (URLs accessed, applications executed,etc.) to the SP. This information can be usedby the SP to query malware intelligence ser-vices, like MISP introduced in Section 3.1, tocorrelate and warn other connected devices sub-scribed to the service. Therefore, a distant usercan benefit from this interaction without evenknowing that a new ransomware campaign isactually running. A similar idea is to identifycommon patterns of infection from multipleIoT devices, in order to identify if the malwarecan a↵ect heterogeneous platforms and to alertthe users and administrators of the sectors ofthe infrastructure a↵ected (Fig. 4b).
Another scenario that fits perfectly is thedetection of web phishing and spear phishing.There are actually many ways to detect thesetypes of attacks, even modern web browsersare capable of detecting them. This informa-tion can also be shared with the SP to informother connected devices that some live phish-ing sites are actually attracting users.
5.1.3 Digital Witness - LEAs
The digital witnessing (DW) feature is pro-vided as a service. The objective is to pro-pose crowdsourcing services able to warn otherusers of a possible attack in one specific area.In this case, (1) the DW sends digital evidence(electronically stored information in the de-vice, such as logs or information about theirapplications and can contain personal data)signed using the security protocols accepted bythe LEA. In some critical cases, a DW can re-quire the validation of the information beforebeing sent to the LEA (e.g. using biometricfeatures). This is specified during the config-uration of the device [11]. (2) The LEA pro-cesses the information and takes countermea-sures that could require the initiation of le-gal proceedings. (3) If it is required, the LEAshould contact the SP to get more informationor cooperate to stop certain threats against the5G ecosystem.
There is no direct material reward for theDW. Initially, as is described in [11], the owner
10 Ana Nieto et al.
Subscriber
Service Provider(SP)
Subscription service
subscription
URLs accessed, applications
executed
Source
Process data
Alert to subscriberswith similar
Characteristics
expossed
countermeasure
(a) Early Warning Service for Subscribers
MService Provider(SP)
Subscription service
subscriptionX, Z, K
Source 2(Type B)
Identify common patterns
X
Alert to potential victims
Source 1(Type A)
Source 3(Type C)
L, X , J
M, N, X
Subscriber
Machine
countermeasure
5G ecosystem
…
Machine Machine Machine
(b) Common patterns from heterogeneous IoT devices
Fig. 4: Crowdsourcing for mitigation in 5G IoT environments
of the DW acts following a duty to the commu-
nity. However, the SP can promote the crowd-sourcing using similar rewards like in the previ-ous case. The additional advantage of the dig-ital witness is that it allows traceability, whichcan help identify and penalise misbehaviours.
Some requirements are clear at this point.First, the anonymity of the people involved incertain tasks must be ensured and kept fromthe rest of participants in the crowd. Neithermust critical information about the sources bepublic to the rest of the crowd. Finally, infor-mation about vulnerabilities should be sharedonly with the a↵ected users / devices. Some di-rections about how to introduce privacy-awaremechisms in digital witness-based scenarios areprovided in [12].
6 Experimental results
To illustrate the e↵ect that one of these at-tacks would have on end users and the con-tribution of the crowdsourcing mechanisms tomitigate this e↵ect, we performed a valida-tion using OMNET++. We define two specialnodes, one single attacker, Eve, and a protec-tor of the network namedGuardian. The proofof concept is reduced to a single cell, wherethe nodes communicate over VoIP. Eve willa↵ect communications by directing the attackagainst the service that supplies to the rest
of nodes. Then, the Guardian will perceive afault in the service provisioning, and follow theproper procedures for their recovery.
Fig. 5 highlights the behaviour of Eve (red),Guardian (blue) and the Server that receivesthe request from one of the UEs. Eve beginsto act in t = 2ms. Then, considering that allthe nodes are using the service, the commu-nication between the nodes is a↵ected propor-tionally to the number of messages that thenodes can send during the time window thatthe service remains inoperative. UE send mes-sages to the Server that will only be han-dled if the Guardian is present to restore theservice. It can be seen that at 8ms there isan interruption in the service and the Serverstops responding to the UE requests, becausethe Guardian is not present. In general, onlywhen the Guardian starts operating does theServer starts listening to requests.
Therefore, if the attack depends on the strate-gic location of the attacker, then correctivemeasures can be taken from the source of thethreat. If theGuardian can react, it could eveninhibit the attacker, or store digital evidenceabout the attack and the context (potentialdigital witness in the area). An additional in-teresting study that we leave for future workis to analyse how these data vary with mo-bile nodes at di↵erent speeds, and varying thenumber of guardians and attackers.
Crowdsourcing analysis in 5G IoT: Cybersecurity Threats and Mitigation 11
Fig. 5: Simulation results with a single cell
Finally, it must be highlighted that IoT de-vices have serious limitations in computationand storage. Even worst, most of them are asecurity risk in themselves. However, we canuse the density of IoT devices to obtain infor-mation from many sources to improve the dataanalysis and the extraction of conclusions. Thisinformation could be taken in two ways: a)from those IoT devices able to contribute (notall IoT devices are equally limited) or b) fromthose intermediary platforms able to providedata summaries relevant to the context.
7 Conclusions
Given the proliferation of technologies and de-vices in 5G it is unrealistic to assume that se-curity should only be provided at the core ofthe network. Rather the opposite is true, theonly way to react e�ciently to new forms ofthreats is to do so at the edge of the communi-cation. More specifically, crowdsourcing mech-anisms can be an e↵ective weapon against cy-bersecurity threats in 5G IoT. In this paperthis idea has been analysed in depth to showthe advantages of this cooperation in the dif-ferent areas of 5G. We have also adapted anexample of crowdsourcing to help improve se-curity in 5G environments using IoT devices.The results of this paper can be adjusted toany final context where crowdsourcing will beapplied. Additional challenges are, for exam-ple, to consider the privacy and trust in the
di↵erent models for crowdsourcing applied to5G IoT. Along these lines, some work has al-ready been done on digital witnessing, but theproblem must be particularised to the di↵erentcontexts of the 5G infrastructure.
Finally, note that the solution proposed per-fectly fits in the current LTE/4G network. How-ever, from our point of view, the real changewhere collaboration will be fundamental willoccur when the decoupling between softwareand hardware is greater. Unlike 4G, 5G hasbeen conceived to support specific use casesin IoT, and this is a serious problem becausethese devices continue to be insecure. Not onlythat, if a security problem occurs, there are noproactive solutions that help clarify what hashappened.
Acknowledgments
This work has been partially funded by theSpanish Ministry of Economy and Competi-tiveness through the projects IoTest (TIN2015-72634-EXP /AEI) and SMOG (TIN2016-79095-C2-1-R).
References
1. Belmonte Martin A, Marinos L, RekleitisE, Spanoudakis G, Petroulakis N (2015)Threat landscape and good practice guidefor software defined networks/5g
12 Ana Nieto et al.
2. Chon KHS, et al (2016) Cybercrime pre-cursors: towards a model of o↵ender re-sources
3. Dohler M, Nakamura T (2016) 5G mobileand wireless communications technology.Cambridge University Press
4. de Fuentes JM, Gonzalez-Manzano L,Gonzalez-Tablas AI, Blasco J (2013)Wevan–a mechanism for evidence creationand verification in vanets. Journal of Sys-tems Architecture 59(10):985–995
5. Gao H, Barbier G, Goolsby R (2011) Har-nessing the crowdsourcing power of socialmedia for disaster relief. IEEE IntelligentSystems 26(3):10–14
6. Hanslovan K (2017) Proud mo-ment: Wannacry collaboration. URLhttps://medium.com/@KyleHanslovan/proud-moment-wannacry-collaboration-e1f6fafe76dc
7. Howe J (2006) The rise of crowdsourcing.Wired magazine 14(6):1–4
8. Luxembourg TCIRC (2017)Cirl misp threat sharing. URLhttps://www.circl.lu/services/misp-malware-information-sharing-platform/
9. Micro T (2016) Flocker mobile ran-somware crosses to smart tv. URLhttp://blog.trendmicro.com/trendlabs-security-intelligence/flocker-ransomware-crosses-smart-tv/
10. Monahan T, Mokos JT (2013) Crowd-sourcing urban surveillance: The develop-ment of homeland security markets forenvironmental sensor networks. Geoforum49:279–288
11. Nieto A, Roman R, Lopez J (2016) Digi-tal witness: Safeguarding digital evidenceby using secure architectures in personaldevices. IEEE Network 30(6):34–41
12. Nieto A, Rios R, Lopez J (2018) Iot-forensics meets privacy: Towards cooper-ative digital investigations. Sensors 18(2)
13. Nomikos N, Nieto A, Makris P, SkoutasDN, Vouyioukas D, Rizomiliotis P, LopezJ, Skianis C (2015) Relay selection for se-cure 5g green communications. Telecom-
munication Systems 59(1):169–18714. Palattella MR, Dohler M, Grieco A, Rizzo
G, Torsner J, Engel T, Ladid L (2016) In-ternet of things in the 5g era: Enablers,architecture, and business models. IEEEJournal on Selected Areas in Communica-tions 34(3):510–527
15. Ratasuk R, Prasad A, Li Z, Ghosh A,Uusitalo MA (2015) Recent advancementsin m2m communications in 4g networksand evolution towards 5g. In: Intelligencein Next Generation Networks (ICIN), 201518th International Conference on, IEEE,pp 52–57
16. Wagner C, Dulaunoy A, Wagener G, Ik-lody A (2016) Misp: The design and imple-mentation of a collaborative threat intelli-gence sharing platform. In: Proceedings ofthe 2016 ACM on Workshop on Informa-tion Sharing and Collaborative Security,ACM, pp 49–56
17. Xu L, Collier R, O’Hare GMP (2017) Asurvey of clustering techniques in wsns andconsideration of the challenges of apply-ing such to 5g iot scenarios. IEEE Inter-net of Things Journal PP(99):1–1, DOI10.1109/JIOT.2017.2726014
18. Xu Z, Zhang H, Hu C, Mei L, XuanJ, Choo KKR, Sugumaran V, Zhu Y(2016) Building knowledge base of ur-ban emergency events based on crowd-sourcing of social media. Concurrency andComputation: Practice and Experience28(15):4038–4052
19. Yang N, Wang L, Geraci G, Elkashlan M,Yuan J, Di Renzo M (2015) Safeguarding5g wireless communication networks usingphysical layer security. IEEE Communica-tions Magazine 53(4):20–27