Systematic Meets Unintended: Prior Knowledge Adaptive 5G Vulnerability Detection via Multi-Fuzzing
Jingda Yang, Ying Wang, Yanjun Pan, Tuyen X. Tran
TL;DR
This work presents a digital twin–driven fuzzing framework for 5G vulnerability detection that adapts to attacker knowledge levels through three strategies: LAL (black-box), SyAL (gray-box), and SoAL (white-box). It demonstrates protocol- and platform-agnostic testing on a srsRAN–based testbed, uncovering 129 RRC vulnerabilities with rapid detection (avg. 0.072 s) and enabling real-time proactive defense via a predictive LSTM model. A probability-based SyAL strategy further improves efficiency versus random fuzzing, while SoAL exposes three MITM vulnerabilities, validating the approach’s breadth and explainability. Collectively, these results show scalable vulnerability discovery and defense simulation across open-source and commercial 5G stacks, with a practical digital twin that supports rapid validation and hardening of 5G/NextG protocols.
Abstract
The virtualization and softwarization of 5G and NextG are critical enablers of the shift to flexibility, but they also present a potential attack surface for threats. However, current security research in communication systems focuses on specific aspects of security challenges and lacks a holistic perspective. To address this challenge, a novel systematic fuzzing approach is proposed to reveal, detect, and predict vulnerabilities with and without prior knowledge assumptions from attackers. It also serves as a digital twin platform for system testing and defense simulation pipeline. Three fuzzing strategies are proposed: Listen-and-Learn (LAL), Synchronize-and-Learn (SyAL), and Source-and-Learn (SoAL). The LAL strategy is a black-box fuzzing strategy used to discover vulnerabilities without prior protocol knowledge, while the SyAL strategy, also a black-box fuzzing method, targets vulnerabilities more accurately with attacker-accessible user information and a novel probability-based fuzzing approach. The white-box fuzzing strategy, SoAL, is then employed to identify and explain vulnerabilities through fuzzing of significant bits. Using the srsRAN 5G platform, the LAL strategy identifies 129 RRC connection vulnerabilities with an average detection duration of 0.072s. Leveraging the probability-based fuzzing algorithm, the SyAL strategy outperforms existing models in precision and recall, using significantly fewer fuzzing cases. SoAL detects three man-in-the-middle vulnerabilities stemming from 5G protocol vulnerabilities. The proposed solution is scalable to other open-source and commercial 5G platforms and protocols beyond RRC. Extensive experimental results demonstrate that the proposed solution is an effective and efficient approach to validate 5G security; meanwhile, it serves as real-time vulnerability detection and proactive defense.