Saved in:
Bibliographic Details
Main Authors: Manca, Cristian, Scano, Christian, Piras, Giorgio, Brau, Fabio, Pintor, Maura, Biggio, Battista
Format: Preprint
Published: 2026
Subjects:
Online Access:https://arxiv.org/abs/2602.03596
Tags: Add Tag
No Tags, Be the first to tag this record!
_version_ 1866911463931641856
author Manca, Cristian
Scano, Christian
Piras, Giorgio
Brau, Fabio
Pintor, Maura
Biggio, Battista
author_facet Manca, Cristian
Scano, Christian
Piras, Giorgio
Brau, Fabio
Pintor, Maura
Biggio, Battista
contents Machine learning-based anomaly detection systems are increasingly being adopted in 5G Core networks to monitor complex, high-volume traffic. However, most existing approaches are evaluated under strong assumptions that rarely hold in operational environments, notably the availability of independent and identically distributed (IID) data and the absence of adaptive attackers. In this work, we study the problem of detecting 5G attacks in the wild, focusing on realistic deployment settings. We propose a set of Security-Aware Guidelines for Evaluating anomaly detectors in 5G Core Network (SAGE-5GC), driven by domain knowledge and consideration of potential adversarial threats. Using a realistic 5G Core dataset, we first train several anomaly detectors and assess their baseline performance against standard 5GC control-plane cyberattacks targeting PFCP-based network services. We then extend the evaluation to adversarial settings, where an attacker tries to manipulate the observable features of the network traffic to evade detection, under the constraint that the intended functionality of the malicious traffic is preserved. Starting from a selected set of controllable features, we analyze model sensitivity and adversarial robustness through randomized perturbations. Finally, we introduce a practical optimization strategy based on genetic algorithms that operates exclusively on attacker-controllable features and does not require prior knowledge of the underlying detection model. Our experimental results show that adversarially crafted attacks can substantially degrade detection performance, underscoring the need for robust, security-aware evaluation methodologies for anomaly detection in 5G networks deployed in the wild.
format Preprint
id arxiv_https___arxiv_org_abs_2602_03596
institution arXiv
publishDate 2026
record_format arxiv
spellingShingle SAGE-5GC: Security-Aware Guidelines for Evaluating Anomaly Detection in the 5G Core Network
Manca, Cristian
Scano, Christian
Piras, Giorgio
Brau, Fabio
Pintor, Maura
Biggio, Battista
Machine Learning
Machine learning-based anomaly detection systems are increasingly being adopted in 5G Core networks to monitor complex, high-volume traffic. However, most existing approaches are evaluated under strong assumptions that rarely hold in operational environments, notably the availability of independent and identically distributed (IID) data and the absence of adaptive attackers. In this work, we study the problem of detecting 5G attacks in the wild, focusing on realistic deployment settings. We propose a set of Security-Aware Guidelines for Evaluating anomaly detectors in 5G Core Network (SAGE-5GC), driven by domain knowledge and consideration of potential adversarial threats. Using a realistic 5G Core dataset, we first train several anomaly detectors and assess their baseline performance against standard 5GC control-plane cyberattacks targeting PFCP-based network services. We then extend the evaluation to adversarial settings, where an attacker tries to manipulate the observable features of the network traffic to evade detection, under the constraint that the intended functionality of the malicious traffic is preserved. Starting from a selected set of controllable features, we analyze model sensitivity and adversarial robustness through randomized perturbations. Finally, we introduce a practical optimization strategy based on genetic algorithms that operates exclusively on attacker-controllable features and does not require prior knowledge of the underlying detection model. Our experimental results show that adversarially crafted attacks can substantially degrade detection performance, underscoring the need for robust, security-aware evaluation methodologies for anomaly detection in 5G networks deployed in the wild.
title SAGE-5GC: Security-Aware Guidelines for Evaluating Anomaly Detection in the 5G Core Network
topic Machine Learning
url https://arxiv.org/abs/2602.03596