
Saflo: eBPF-Based MPTCP Scheduler for Mitigating Traffic Analysis Attacks in Cellular Networks

Sangwoo Lee, Liuyi Jin, Radu Stoleru

TL;DR

DCI-based traffic analysis in LTE/5G exposes user activity through plaintext control messages. The paper introduces Saflo, an eBPF-based MPTCP scheduler that couples a BLEST-inspired kernel scheduler with a user-space attack detector to hide traffic patterns by adaptively steering subflows, including routing suspected attacker traffic to a safer WiFi path. The three components (eBPF Scheduler, Subflow Manager, and Attack Detector) interact via shared maps and logs to enable randomized, attack-aware scheduling while preserving QoS; CNN classifiers detect attacks with high accuracy and trigger protective actions. In private LTE/5G testbeds, Saflo dramatically reduces video identification accuracy from 96.9% to 12.4% and user identification accuracy from 99.4% to 59.5%, while delivering competitive or superior network performance relative to baselines and Tor TrafficSliver. The work also open-sources the scripts, datasets, and Saflo implementation, enabling further exploration of cross-layer defenses against traffic analysis in cellular networks.

Abstract

This paper presents the $\underline{\textbf{saf}}$e sub$\underline{\textbf{flo}}$w (Saflo) eBPF-based multipath TCP (MPTCP) scheduler, designed to mitigate traffic analysis attacks in cellular networks. Traffic analysis attacks, which exploit vulnerabilities in Downlink Control Information (DCI) messages, remain a significant security threat in LTE/5G networks. To counter such threats, the Saflo scheduler employs multipath communication combined with additional security-related tasks. Specifically, it utilizes eBPF tools to operate in both kernel and user spaces. In the kernel space, the eBPF scheduler performs multipath scheduling while excluding paths disabled by the user-space programs. The user-space programs conduct security-related computations and machine learning-based attack detection, determining whether each path should be enabled or disabled. This approach offloads computationally intensive tasks to user-space programs, enabling timely multipath scheduling in kernel space. The Saflo scheduler was evaluated in a private LTE/5G testbed. The results demonstrated that it significantly reduces the accuracy of video identification and user identification attacks in cellular networks while maintaining reasonable network performance for users.
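The kernel/user-space split described in the abstract can be modelled in plain C. This is an added example, not code from the paper or the Saflo implementation: the array `path_map` stands in for the shared eBPF map, lowest-sRTT selection stands in for the BLEST-inspired scheduler, and all names, RTT values and the "return -1 when every path is disabled" behaviour are assumptions.

```c
#include <stdint.h>
#include <stdio.h>

#define MAX_SUBFLOWS 4

/* Stand-in for the map shared between user space and the kernel scheduler
 * (a BPF map in a real deployment; a plain array in this model). */
struct path_state {
    uint32_t srtt_us;   /* smoothed RTT, maintained by the data path */
    uint8_t  enabled;   /* written by user space, read by the scheduler */
};

static struct path_state path_map[MAX_SUBFLOWS];

/* User-space side: the detector's verdict is reduced to a one-byte flag.
 * The expensive work (feature extraction, ML inference) stays out of the
 * scheduling path. */
void detector_set_path(int id, int under_attack)
{
    if (id >= 0 && id < MAX_SUBFLOWS)
        path_map[id].enabled = !under_attack;
}

/* Kernel-side model: pick the enabled subflow with the lowest sRTT.
 * Returns -1 when every path is disabled; what the real scheduler does in
 * that case is not stated on the page, so the caller must decide. */
int sched_pick_subflow(int n)
{
    int best = -1;
    for (int i = 0; i < n && i < MAX_SUBFLOWS; i++) {
        if (!path_map[i].enabled)
            continue;
        if (best < 0 || path_map[i].srtt_us < path_map[best].srtt_us)
            best = i;
    }
    return best;
}

/* Constructed scenario: subflow 0 = cellular, subflow 1 = WiFi. */
int demo(int cellular_attacked, int wifi_attacked)
{
    path_map[0] = (struct path_state){ .srtt_us = 20000, .enabled = 1 };
    path_map[1] = (struct path_state){ .srtt_us = 35000, .enabled = 1 };
    detector_set_path(0, cellular_attacked);
    detector_set_path(1, wifi_attacked);
    return sched_pick_subflow(2);
}

int main(void)
{
    printf("no attack: %d, cellular flagged: %d, all flagged: %d\n",
           demo(0, 0), demo(1, 0), demo(1, 1));
    return 0;
}
```

The scheduler's per-packet cost is a flag check and a comparison per subflow, which is the reason the design keeps detection in user space.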

Paper Structure

This paper contains 23 sections, 7 figures, 4 tables, 2 algorithms.

Figures (7)

  • Figure 1: Downlink resource allocation using DCI
  • Figure 2: Multi-access LTE/5G networks
  • Figure 3: Private LTE/5G testbed
  • Figure 4: Example of traffic patterns during attacks captured using LTESniffer
  • Figure 5: Overall operation of Saflo scheduler
  • ...and 2 more figures