Selected data fields of anonymized roaming signaling exchange between the visiting and the home mobile networks for security analysis

The dataset is a simulated roaming signaling exchange between a visiting and a home mobile network. One thousand UEs (User Equipments) in roaming-out have been simulated, i.e., HPLMN (with address: mnc262.mcc321) subscribers connected to VPLMN (with address: mnc261.mcc320) network. It has been simulated that the system injects 100 new subscribers every second. Every new subscriber is authenticated by the HPLMN through 5G-AKA procedures, the AMF in the VPLMN is registered for that subscriber, and a new PDU session is created. The sessions have been configured to remain active for 5 seconds before being torn down, that means, in a steady state the system will be handling about 500 simultaneous active subscribers. The load at that rate is maintained for 50 seconds, thus after ramp-up, the system holds the load (≈ 500 concurrent subscribers) for 50 seconds before stopping them. The raw signaling data needs to be transformed into a structured dataset of signaling messages. By using Tshark tool and Python scripting a CSV file has been built, where selected data fields for the security analysis (e.g., subscriber identities, secret material, location etc.) have been parsed and extracted in columns per message. The following pipeline has been followed: PCAP → (Tshark) → CSV (HTTP/2 headers/data) → (Python parser – JSON) → formatted CSV. Every message of the file, x_i, (in rows) contains the following data (in columns) extracted via Tshark tool: Source IP address Destination IP address HTTP/2 header path HTTP/2 header method HTTP/2 data (JSON in hexadecimal) From the HTTP/2 headers and data the following related security attributes have been extracted via Python scripting: SUPI (IMSI) SUCI PEI (Permanent Equipment Identifier) GPSI (Generic Public Subscription Identifier): MSISDN K_SEAF: Derived key for SEAF (Security Anchor Function) AUTN: Authentication Token RAND: Random number (challenge sent by the network to the UE) TAC: Tracking Area Code nrCellId: NR Cell Identity