When Connectivity Is Not Enough: Cross-Layer Attacks on UAV C2 over 5G
Pith reviewed 2026-05-15 16:05 UTC · model grok-4.3
The pith
Connectivity indicators alone do not guarantee safe closed-loop control for UAVs over 5G.
A machine-rendered reading of the paper's core claim, the machinery that carries it, and where it could break.
Core claim
The paper claims that attacks can degrade UAS C2 when timeliness degrades under shared User Plane contention, mobility continuity fails during Control Plane instability, or command integrity is violated at a trusted gNodeB. This undermines the use of connectivity indicators as the central security measure for UAV operations.
What carries the argument
Three threat models targeting user plane contention, control plane instability, and gNodeB command rewriting that force unsafe closed-loop states in MAVLink C2 without clean disconnect.
If this is right
- Stale telemetry and heavy-tailed delays occur under co-tenant user plane contention.
- Failsafe activation follows handover under control plane instability.
- Navigation hijacking results from command rewriting at a compromised gNodeB.
- Mitigations are needed to address timeliness, availability, and integrity failures.
- Five robustness issues were disclosed, leading to CVEs.
Where Pith is reading between the lines
- Real-world 5G networks for critical UAV operations may need additional safety layers beyond standard connectivity checks.
- Similar vulnerabilities could affect other latency-sensitive applications using 5G for control.
- Deployment assumptions in the testbed suggest the need for validation in live commercial networks.
- Revising 3GPP UAS specifications to include cross-layer security checks could prevent such attacks.
Load-bearing premise
The Open5GS and UERANSIM testbed along with the commercial Nokia core accurately represent real-world 5G deployments and realistic attacker capabilities.
What would settle it
An observation in a production 5G network where all unsafe closed-loop states trigger a clean disconnect would falsify the central claim.
Original abstract
Beyond Visual Line of Sight (BVLOS) unmanned aerial vehicle (UAV) operations increasingly use 5G standalone (SA) networks for command and control (C2) between the UAV and the ground control station (GCS). The 3rd Generation Partnership Project (3GPP) has specified mechanisms for authentication and authorization of unmanned aircraft systems (UAS) in this architectural setting. As a result, operators may treat registration state, Protocol Data Unit (PDU) session status, and IP reachability as evidence that the C2 path is available. In practice, however, these connectivity indicators alone do not guarantee that closed-loop control remains operationally safe. Attacks can degrade UAS C2 when timeliness degrades under shared User Plane contention, mobility continuity fails during Control Plane instability, or command integrity is violated at a trusted next-generation Node B (gNodeB). Such failures undermine connectivity as the central security indicator for UAV operations. In this paper, we demonstrate these issues using three distinct threat models on a reproducible Open5GS and UERANSIM testbed that carries Micro Air Vehicle Link (MAVLink) over the 5G User Plane, and we use a commercial Nokia core to ground deployment assumptions. We address timeliness, availability, and integrity through experiments in which attack success is defined as forcing an unsafe closed-loop state without a clean disconnect. We observe stale telemetry and heavy-tailed delay under co-tenant User Plane contention, failsafe after handover under Control Plane instability, and navigation hijacking after command rewriting at a compromised gNodeB. We further discuss why each threat model arises and evaluate mitigations for these cross-layer failures. Across the study, we disclosed five robustness issues: three CVEs have already been assigned, and two additional CVE requests are pending.
Editorial analysis
A structured set of objections, weighed in public.
Referee Report
Summary. The paper claims that 5G SA connectivity indicators (registration state, PDU session status, IP reachability) are insufficient to guarantee safe closed-loop C2 for BVLOS UAVs. Using three threat models on a reproducible Open5GS/UERANSIM testbed carrying MAVLink traffic (plus a commercial Nokia core), the authors demonstrate that shared user-plane contention produces stale telemetry and heavy-tailed delays, control-plane instability during handover triggers failsafe, and a compromised gNodeB enables command rewriting that hijacks navigation—all without triggering a clean disconnect. They report five robustness issues, three already assigned CVEs.
Significance. If the empirical results hold, the work is significant for highlighting that 3GPP UAS authentication/authorization mechanisms do not address cross-layer timing, mobility, and integrity failures in safety-critical C2 loops. The reproducible testbed, concrete MAVLink observations, and CVE disclosures provide a concrete basis for operators and standards bodies to move beyond connectivity-as-safety metrics.
major comments (2)
- [Testbed and experimental setup] Testbed fidelity section: the central claim that observed effects force unsafe closed-loop states in realistic deployments rests on Open5GS/UERANSIM plus Nokia core accurately modeling RRC state machines, radio resource allocation, and handover latency under UAV velocities and MAVLink traffic patterns. No explicit validation (e.g., comparison of simulated contention traces or handover timing against commercial gNodeB logs) is provided, leaving the mapping from testbed outcomes to operational risk unanchored.
- [Threat models and experiments] Attack success definition (experiments): attack success is defined as forcing an unsafe closed-loop state without clean disconnect, yet the manuscript does not specify quantitative thresholds (e.g., maximum allowable telemetry age before failsafe, or exact delay tail that triggers unsafe behavior). This makes it difficult to assess whether the reported stale telemetry and heavy-tailed delays actually cross operational safety boundaries.
minor comments (2)
- [Figures] Figure captions for the delay and handover plots should include the exact number of runs, confidence intervals, and the precise MAVLink message rates used.
- [Mitigations] The discussion of mitigations would benefit from a table mapping each threat model to the proposed countermeasure and its deployment feasibility in 3GPP Release 17/18 UAS frameworks.
Simulated Author's Rebuttal
We thank the referee for the constructive and detailed feedback. We address each major comment below with clarifications and planned revisions to improve the manuscript.
- Referee: [Testbed and experimental setup] Testbed fidelity section: the central claim that observed effects force unsafe closed-loop states in realistic deployments rests on Open5GS/UERANSIM plus Nokia core accurately modeling RRC state machines, radio resource allocation, and handover latency under UAV velocities and MAVLink traffic patterns. No explicit validation (e.g., comparison of simulated contention traces or handover timing against commercial gNodeB logs) is provided, leaving the mapping from testbed outcomes to operational risk unanchored.
  Authors: We acknowledge the referee's point on testbed fidelity. The manuscript already uses a commercial Nokia core alongside the Open5GS/UERANSIM setup specifically to ground deployment assumptions for core network and handover behaviors. However, we agree that direct quantitative comparisons (such as contention traces or handover timings) against proprietary commercial gNodeB logs are absent. In the revision, we will add a new subsection to the testbed description that explicitly discusses fidelity limitations, cites publicly available 5G handover latency data from standards and prior studies, states the UAV velocity and MAVLink traffic assumptions, and clarifies how the Nokia core results support the mapping to operational risk. This addresses the anchoring concern without claiming full equivalence to all commercial deployments.
  revision: partial
- Referee: [Threat models and experiments] Attack success definition (experiments): attack success is defined as forcing an unsafe closed-loop state without clean disconnect, yet the manuscript does not specify quantitative thresholds (e.g., maximum allowable telemetry age before failsafe, or exact delay tail that triggers unsafe behavior). This makes it difficult to assess whether the reported stale telemetry and heavy-tailed delays actually cross operational safety boundaries.
  Authors: We agree that explicit quantitative thresholds are needed for clarity. In the revised manuscript, we will add precise definitions in the threat models and experiments sections: for example, telemetry age exceeding 2 seconds (based on MAVLink heartbeat intervals and typical BVLOS failsafe triggers) constitutes an unsafe state, and delay tails beyond 500 ms are flagged as crossing safety boundaries per common UAV C2 requirements. These thresholds will be justified with references to MAVLink specifications and operational guidelines, and the reported results will be re-presented against them to demonstrate that the observed stale telemetry and heavy-tailed delays do cross these boundaries.
  revision: yes
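An added example, not code from the paper or from this page: a ground-side check that treats the connectivity indicators as necessary but not sufficient, using the 2-second telemetry-age and 500 ms delay-tail thresholds named in the rebuttal above. The `Sample` and `Connectivity` types, the traces, and the assumption that UAV and ground clocks are synchronized are all constructed for illustration.

```python
from dataclasses import dataclass
from math import ceil

# Thresholds quoted in the rebuttal on this page.
MAX_TELEMETRY_AGE_S = 2.0   # telemetry older than this is an unsafe state
MAX_DELAY_TAIL_S = 0.5      # delay tail beyond this crosses the safety boundary


@dataclass(frozen=True)
class Sample:
    sent: float      # sender timestamp in seconds (assumes synchronized clocks)
    received: float  # arrival time at the ground control station in seconds


@dataclass(frozen=True)
class Connectivity:
    registered: bool
    pdu_session_up: bool
    ip_reachable: bool

    def up(self) -> bool:
        return self.registered and self.pdu_session_up and self.ip_reachable


def nearest_rank(values, pct):
    """Nearest-rank percentile; well defined for the small windows used here."""
    ordered = sorted(values)
    rank = max(1, ceil(pct / 100 * len(ordered)))
    return ordered[rank - 1]


def assess(samples, now, conn, window_s=10.0, tail_pct=99):
    """Classify the C2 link at time `now`; returns (verdict, reasons)."""
    if not conn.up():
        # A clean disconnect: the case connectivity monitoring already catches.
        return "DISCONNECTED", ["connectivity indicator down"]
    arrived = [s for s in samples if now - window_s <= s.received <= now]
    if not arrived:
        return "UNSAFE_WHILE_CONNECTED", ["no telemetry in window"]
    reasons = []
    # Age of information: how old is the freshest state the operator holds?
    age = now - max(s.sent for s in arrived)
    if age > MAX_TELEMETRY_AGE_S:
        reasons.append(f"telemetry age {age:.2f}s > {MAX_TELEMETRY_AGE_S}s")
    # Tail of one-way delay over the window, not the mean, which hides spikes.
    tail = nearest_rank([s.received - s.sent for s in arrived], tail_pct)
    if tail > MAX_DELAY_TAIL_S:
        reasons.append(f"p{tail_pct} delay {tail:.2f}s > {MAX_DELAY_TAIL_S}s")
    return ("UNSAFE_WHILE_CONNECTED" if reasons else "OK"), reasons


# Constructed traces: 1 Hz telemetry over ten seconds.
ALL_UP = Connectivity(registered=True, pdu_session_up=True, ip_reachable=True)
# Healthy link: constant 30 ms one-way delay.
BASELINE = [Sample(float(t), t + 0.03) for t in range(10)]
# Shared-queue contention: delay grows by 450 ms per message after t = 3 s.
CONTENDED = [Sample(float(t), t + 0.03 + 0.45 * max(0, t - 3)) for t in range(10)]

if __name__ == "__main__":
    cases = (
        ("baseline", BASELINE, 10.0),
        ("contended", CONTENDED, 10.0),
        ("stalled after last sample", BASELINE, 12.5),
    )
    for name, trace, now in cases:
        print(name, assess(trace, now, ALL_UP))
```

In all three printed cases registration, PDU session and reachability are up; only the first is classified `OK`.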
Circularity Check
Empirical testbed demonstration with no derivations or fitted predictions
The paper is an empirical security study that demonstrates cross-layer attacks via experiments on Open5GS/UERANSIM and a Nokia core testbed carrying MAVLink traffic. No equations, parameters, or derivation chains appear in the manuscript. Claims about timeliness degradation, handover failures, and command integrity are supported directly by observed outcomes (stale telemetry, failsafe triggers, navigation hijacking) rather than any reduction of a 'prediction' to fitted inputs or self-citation. No self-definitional steps, uniqueness theorems, or ansatz smuggling are present. The work is self-contained as a reproducible experimental report.
Lean theorems connected to this paper
- IndisputableMonolith/Foundation/RealityFromDistinction.lean, reality_from_one_distinction: unclear
  Relation between the paper passage and the cited Recognition theorem.
  Connectivity indicators alone do not guarantee that closed-loop control remains operationally safe. Attacks can degrade UAS C2 when timeliness degrades under shared User Plane contention...
- IndisputableMonolith/Cost/FunctionalEquation.lean, washburn_uniqueness_aczel: unclear
  Relation between the paper passage and the cited Recognition theorem.
  We observe stale telemetry and heavy-tailed delay under co-tenant User Plane contention, failsafe after handover under Control Plane instability...
What do these tags mean?
- matches: The paper's claim is directly supported by a theorem in the formal canon.
- supports: The theorem supports part of the paper's argument, but the paper may add assumptions or extra steps.
- extends: The paper goes beyond the formal theorem; the theorem is a base layer rather than the whole result.
- uses: The paper appears to rely on the theorem as machinery.
- contradicts: The paper's claim conflicts with a theorem or certificate in the canon.
- unclear: Pith found a possible connection, but the passage is too broad, indirect, or ambiguous to say the theorem truly supports the claim.