Saflo: eBPF-Based MPTCP Scheduler for Mitigating Traffic Analysis Attacks in Cellular Networks

TL;DR

Saflo is an eBPF-based MPTCP scheduler that enhances cellular network security by mitigating traffic analysis attacks through multipath communication and machine learning-based attack detection, while preserving network performance.

Contribution

Introduces Saflo, a novel eBPF-based MPTCP scheduler that integrates security tasks with multipath scheduling to counter traffic analysis attacks in LTE/5G networks.

Findings

Reduces attack accuracy in video and user identification.

Maintains acceptable network performance.

Effective in a private LTE/5G testbed.

Abstract

This paper presents the $\underline{\textbf{saf}}$e sub$\underline{\textbf{flo}}$w (Saflo) eBPF-based multipath TCP (MPTCP) scheduler, designed to mitigate traffic analysis attacks in cellular networks. Traffic analysis attacks, which exploit vulnerabilities in Downlink Control Information (DCI) messages, remain a significant security threat in LTE/5G networks. To counter such threats, the Saflo scheduler employs multipath communication combined with additional security-related tasks. Specifically, it utilizes eBPF tools to operate in both kernel and user spaces. In the kernel space, the eBPF scheduler performs multipath scheduling while excluding paths disabled by the user-space programs. The user-space programs conduct security-related computations and machine learning-based attack detection, determining whether each path should be enabled or disabled. This approach offloads computationally intensive tasks to user-space programs, enabling timely multipath scheduling in kernel space. The Saflo scheduler was evaluated in a private LTE/5G testbed. The results demonstrated that it significantly reduces the accuracy of video identification and user identification attacks in cellular networks while maintaining reasonable network performance for users.