SAQ3 – Security Architectures and Processes II
Friday, 5 June 2026, 9:00-10:30, room Sala 6 (1st floor)
Session Chair: Aydin Sezgin (RUB, DE)
Federated Learning Framework for Cybersecurity and Regulatory-Oriented Detection of Fake Base Stations
Eduardo Jorge Brito Rodrigues (Aeronautics Institute of Technology – ITA, Brazil & Duke University, USA); David Hoffman (Duke University, USA); Lourenço Alves Pereira, Jr (ITA – Aeronautics Institute of Technology, Brazil); Arturo F Ehuan (Duke University, USA)
Fake Base Stations (FBS) continue to represent a relevant and persistent threat to 4G and 5G mobile networks, exploiting radio access vulnerabilities to conduct SMS spoofing, forced downgrade attacks, large-scale fraud, and user tracking. This paper proposes an integrated, regulatory-action-oriented framework that leverages Federated Learning (FL) to enable distributed, privacy-preserving threat intelligence across mobile operators, regulators, and law enforcement. By combining continuous radiofrequency (RF) monitoring, federated anomaly detection, automated evidence correlation, and institutional alert routing, the framework, validated through simulation in a 2 km² urban environment, reduced end-to-end response time from weeks to under four days while maintaining 91.45% detection accuracy and eliminating manual verification drive tests. Grounded in real enforcement experience from Brazil, the work moves beyond purely academic detection to deliver an operational framework that bridges technical cybersecurity with regulatory action, strengthening the state’s capacity for timely, evidence-based intervention.
Privacy-Preserving Identifier Checking in 5G
Marcel Gräfenstein (Technische Universität Dresden, Germany); Stefan Köpsell (TU Dresden, Germany); Maryam Zarezadeh (Barkhausen Institut, Germany)
Device identifiers like the International Mobile Equipment Identity (IMEI) are crucial for ensuring device integrity and meeting regulations in 4G and 5G networks. However, sharing these identifiers with Mobile Network Operators (MNOs) brings significant privacy risks by enabling long-term tracking and linking of user activities across sessions. In this work, we propose a privacy-preserving identifier checking method in 5G. This paper introduces a protocol for verifying device identifiers without exposing them to the network while maintaining the same functions as the 3GPP-defined Equipment Identity Register (EIR) process. The proposed solution modifies the PEPSI protocol [USENIX, 2024] for a Private Set Membership (PSM) setting using the BFV homomorphic encryption scheme. This lets User Equipment (UE) prove that its identifier is not on an operator’s blacklist or greylist while ensuring that the MNO only learns the outcome of the verification. The protocol allows controlled deanonymization through an authorized Law Enforcement (LE) hook, striking a balance between privacy and accountability. Implementation results show that the system can perform online verification within five seconds and requires about 15 to 16 MB of communication per session. This confirms its practical use under post-quantum security standards. The findings highlight the promise of homomorphic encryption for managing identifiers while preserving privacy in 5G, laying the groundwork for scalable and compliant verification systems in future 6G networks.
Unsupervised Techniques for Anomaly and Novelty Detection in 5G and Beyond
Pedro Martinez Marques and Laura Maximova Batista (Altice Labs, Portugal); Filipe Cabral Pinto (Alticelabs, Portugal)
Unsupervised machine learning techniques are increasingly critical for detecting novel attacks in 5G networks, where traditional signature-based intrusion detection systems prove inadequate against evolving threat landscapes. This study systematically evaluates nine unsupervised algorithms, using the 5G-NIDD dataset containing real operational 5G traffic. Two experimental scenarios assess performance: general anomaly detection for malicious traffic filtering, and novelty detection using a leave-one-attack-out strategy to simulate novelty attack identification. Results demonstrate that Local Outlier Factor achieves superior overall performance (F1=0.896, AUROC=0.914) in classifying benign from malicious traffic, while hyperparameter optimization yields substantial improvements for certain algorithms, particularly Gaussian Mixture Models (F1 increase from 0.189 to 0.678). Novelty detection performance varies significantly across attack types, with application-layer attacks like HTTPFlood readily detectable (F1>0.90) while mimicrybased attacks such as SlowrateDoS remain challenging even for optimized models. The findings underscore that no single unsupervised technique universally excels across all scenarios, suggesting hybrid architectures combining multiple approaches offer the most promising path for robust intrusion detection in dynamic 5G and Beyond environments.
A Security Closed Loop-Based Framework for Addressing Security Challenges in 6G Networks
Marco Ruta (Nextworks, Italy); Alberto García Pérez (University of Murcia, Spain); Louis Cailliot (Thales Group, France); Pietro Giardina (Nextworks, Italy); José María Jorquera Valero and Manuel Gil Pérez (University of Murcia, Spain); Dhouha Ayed (Thales, France); Giada Landi (Nextworks, Italy)
The increasing complexity and openness of 6G networks present unprecedented security challenges that traditional Security Information and Event Management (SIEM) and Security Orchestration, Automation and Response (SOAR) solutions cannot effectively address due to limited interoperability and heavy reliance on human expertise. This work proposes a Zero-touch Security framework based on the concept of Security Closed Loops (S-CLs). Inspired by ETSI ZSM, the framework harmonizes S-CL stages with the NIST Incident Response Plan (IRP) steps to ensure procedural rigor. A key outcome of this approach is a solution where each loop stage is agnostic of the underlying tools and environments. This is achieved through a programmable monitoring platform and the adoption of two OASIS standards: CACAO for standardized decision-making and OpenC2 for platform-agnostic actuation. Furthermore, this work defines the Security Service (SSe), a construct that encompasses the deployment of Security Functions (SFs) and S-CLs to maintain a continuous security posture. Finally, we explore the integration of semantic reasoning and Large Language Models (LLMs) to automate the customization of security services for heterogeneous 6G environments.
Robust Semi-Supervised Temporal Intrusion Detection for Adversarial Cloud Networks
Anasuya Chattopadhyay (German Research Center for Artificial Intelligence (DFKI), Germany); Daniel Reti (Deutsches Forschungszentrum für Künstliche Intelligenz GmbH, Germany); Hans D. Schotten (University of Kaiserslautern, Germany)
Cloud networks increasingly rely on machine learning based Network Intrusion Detection Systems to defend against evolving cyber threats. However, real-world deployments are challenged by limited labeled data, non-stationary traffic, and adaptive adversaries. While semi-supervised learning can alleviate label scarcity, most existing approaches implicitly assume benign and stationary unlabeled traffic, leading to degraded performance in adversarial cloud environments. This paper proposes a robust semi-supervised temporal learning framework for cloud intrusion detection that explicitly addresses adversarial contamination and temporal drift in unlabeled network traffic. Operating on flow-level data, this framework combines supervised learning with consistency regularization, confidence-aware pseudo-labeling, and selective temporal invariance to conservatively exploit unlabeled traffic while suppressing unreliable samples. By leveraging the temporal structure of network flows, the proposed method improves robustness and generalization across heterogeneous cloud environments. Extensive evaluations on publicly available datasets (CIC-IDS2017, CSE-CIC-IDS2018, and UNSW-NB15) under limited-label conditions demonstrate that the proposed framework consistently outperforms state-of-the-art supervised and semi-supervised network intrusion detection systems in detection performance, label efficiency, and resilience to adversarial and non-stationary traffic.
