NCSRD-DS-5GDDoS: 5G Radio and Core metrics containing sporadic DDoS attacks

NCSRD-DS-5GDDoS is a comprehensive dataset recorded in a real-world 5G testbed that aligns with the 3GPP specifications. The dataset captures Distributed Denial of Service (DDoS) attacks initiated by malicious connected UEs. The setup comprises of 2 cells with a total of 9 UEs connected to the same core network. The 5G network is implemented by the Amarisoft Callbox Mini solution, and we further employ a second cell using the Amarisoft Classic, that also hosts the 5G core. The setup utilizes a broad set of UE devices comprising a set of smart phones (Huawei P40), microcomputers (Raspberry Pi 4 - Waveshare 5G Hat M2), industrial 5G routers (Industrial Waveshare 5G Router), a WiFi-6 mobile hotspot (DWR-2101 5G Wi-Fi 6 Mobile Hotspot) and a CPE box (Waveshare 5G CPE Box). All UEs are being operated by subsidiary hosts which are responsible for the traffic generation, occurring from scheduled communications times. All identifiers are artificially generated and do not represent or based on personal data. We identify each UE through its ‘imeisv’ ID, that corresponds to the device in use, due to vendor implementation, that uses the same IMSI for all UEs. There are 8 attacker UEs in the testbed and 1 benign user with imeisv = 8609960480666910. The benign user streams YouTube traffic, while the malicious users are performing two DDoS attacks (UDP floods using hping3); the first attack takes place on 24-01-2024 between 14:48:30-14:58:30 and the second one on 25-01-2014 between 14:05:00-14:10:00. Throughout the recording session, handover events also take place. The dataset is recorded through the use of a data collector that interfaces with the 5G network and gathers data regarding UEs, gNBs and the Core Network. The data are recorded in an InfluxdB and pre-processed into three separate tabular .csv files for more efficient processing: “amari_ue_data.csv”, “enb_counters.csv” and “mme_counters.csv”. The ”amari_ue_data.csv” consists of 56 features, providing information on the UEs regarding identification (“imeisv”, “5g_tmsi”, “rnti”), IP addressing, bearer information, cell information (“tac”, “ran_plmn”), and cell information (“cell_X_ul_bitrate”, “cell_X_dl_bitrate”, “cell_id”, retransmissions per user per cell “cell_X_ul_retx” as well as aggregated bit rates for each cell). The ”enb_counters.csv” focuses on cell-level information, providing downlink and uplink bitrates, usage ratio per user, cpu load of the gNB. The “mme_counters.csv” provides information on the Non-Access Stratum (NAS) of the 5G Network and focuses on session status reports (e.g., number of PDU session establishments, paging, context setup. This part gives an overview of the connection management throughout the recording session, and provides information on features suggested by 3GPP for abnormal user behaviour, as we summarized in Table II of this work. A description of the majority of features below can be found in https://tech-academy.amarisoft.com/ See README.TXT for the list of features in each file.