PhD Oral Exam - Ricardo Misael Ayala Molina, Information and Systems Engineering

When studying for a doctoral degree (PhD), candidates submit a thesis that provides a critical review of the current state of knowledge of the thesis subject as well as the student’s own contributions to the subject. The distinguishing criterion of doctoral graduate research is a significant and original contribution to knowledge.

Once accepted, the candidate presents the thesis orally. This oral exam is open to the public.

Abstract

The evolution of Fifth Generation (5G) technology has introduced network slicing as a pivotal innovation, enabling the creation of virtualized and logically isolated networks that operate over a shared physical infrastructure. Each Network Slice (NS) is tailored to specific application requirements, ensuring consistent Quality of Service (QoS) across diverse services. This architectural flexibility allows User Equipment (UE) to simultaneously connect to or switch between multiple slices through the Inter-Slice Switching (ISS) procedure to access varied services efficiently. However, this capability also exposes a critical vulnerability that can be exploited to launch a Distributed Slice Mobility (DSM) attack, which is a specialized form of Distributed Denial of Service (DDoS) that overwhelm the 5G control plane with excessive signaling traffic.

This thesis investigates advanced anomaly detection approaches to enhance the resilience of 5G NSs against DSM attacks under both static and evolving conditions. It first establishes a data-driven detection framework based on Long Short-Term Memory (LSTM)-Autoencoders, capable of capturing temporal dependencies in Third Generation Partnership Project (3GPP) Key Performance Indicators and Performance Measurement counters that characterize the control plane’s behavior during normal and attack scenarios. To reflect the realities of 5G network environments where training data is often contaminated with mixed benign and malicious samples, the study integrates Positive-Unlabeled Learning (PUL) into the detection process, enabling accurate differentiation between normal and attack traffic without requiring exhaustive labeling.

As 5G networks evolve and adversaries adapt their strategies, the research further introduces an adaptive detection framework designed to address incremental concept drift in DSM attack patterns. Leveraging a Conditional Wasserstein Generative Adversarial Network with Gradient Penalty (CWGAN-GP) to simulate drifted DSM traffic distributions, the framework integrates continual learning with latent feature extraction and clustering to ensure coordinated adaptation and sustained detection performance under evolving traffic distributions. Drift detection is achieved using the wasserstein distance, which quantifies distributional shifts and triggers retraining when significant deviations are detected. The model incorporates advanced regularization techniques such as Maximum Mean Discrepancy (MMD), Elastic Weight Consolidation (EWC), Self-Information Regularization (SIR), and Mean Squared Error (MSE) to preserve previously acquired knowledge while adapting to evolving attack behaviors.

Extensive evaluations on a Free5GC-based 5G testbed demonstrate the robustness and adaptability of the proposed methodologies. The models consistently achieve high detection accuracy and maintain stable performance in dynamic environments characterized by contaminated and drifted data. By integrating PUL and continual adaptation into a unified anomaly detection pipeline, this work contributes to the development of resilient, intelligent, and data-efficient defense mechanisms for securing NSs in next-generation mobile networks.