BigData Analysis in a 4G Roaming Scenario
4G, Roaming, BigData
Description
Mobile roaming enables users to seamlessly access internet and communication services across the globe. These services are facilitated by Mobile Network Operators (MNOs) through extensive roaming agreements with numerous international counterparts. As a result, roaming interfaces have evolved into highly complex interconnection points, supporting a wide array of protocols and multiple generations of mobile network technologies. Large-scale MNOs, serving millions of inbound and outbound roaming users, must efficiently manage high volumes of network traffic — often processing thousands of packets per second. Even when focusing solely on control plane messages, this traffic generates substantial data, all of which passes through firewalls and contributes to extensive logging activity. Beyond firewall logs, several other data sources — such as diameter routing agents, DNS servers, and passive monitoring systems — offer valuable insights and can be integrated into a comprehensive analysis.
The aim of this research internship is to explore selected data sources within a controlled environment to identify correlations, uncover trends, and propose innovative approaches for leveraging this data in operational network management. The investigation will focus on a 4G roaming scenario, analyzing and comparing two distinct one-hour timeframes: a high-traffic hour during an international event, characterized by elevated roaming activity, and a regular hour on a typical day with no special events. Through this comparative analysis, the student will gain hands-on experience in data interpretation, network behavior analysis, and the development of actionable insights for real-world mobile network operations.
Objectives
1. Become familiar with the different data sources.
a) Firewall logs.
b) Diameter Routing Agent logs.
c) DNS server logs.
d) Logs from passive monitoring.
2. Investigate trends and correlations between the data sources.
3. Investigate the possible detection of special events.
4. Investigate differences between the two distinct data sets.
5. Evaluate results and draw conclusions on the applicability of the collected information.
6. What can be done in future work?
Prerequisites
• Interest in mobile networks and roaming.
• Interest in BigData analysis.
• Motivation to explore and analyze complex network functions.
• Solid knowledge of Wireshark.
Additional points that are beneficial but not required:
• Basic understanding of mobile core networks, especially GTP, Diameter, and 4G Core architecture.
• Knowledge of the Elastic stack (mainly Kibana).
Further Information
This research internship is done in an open collaboration with Deutsche Telekom Technik GmbH. The topic shall be worked on as an intern at Telekom in order to access the relevant data. A follow-up Master Thesis is encouraged.
Contact
Supervisor:
Investigating Roaming User-Plane Security in a 4G/5G Combo-Core
5G, 4G, Roaming, Combo-Core, User Plane, Security
Description
Mobile networks have evolved significantly over the years—from older generations like 2G, 3G, and 4G to the latest 5G technology. Each generation brings new features and changes in how data is handled and secured.
In older networks (2.5G to 4G), a special type of firewall called a GTP-Firewall was used to protect both the control signals (which manage the connection) and the actual user data (like videos or messages). These firewalls could see and filter all the traffic because it was sent in a readable format.
With 5G, things are changing. The control signals now use a different protocol (HTTP/2), and the user data might be encrypted using IPSec. This makes it harder for traditional firewalls to inspect and secure the traffic in the same way.
To address this, a new function called IPUPS was introduced in the 5G standard. It helps secure user data but works differently: it does not allow the same kind of visibility as the old firewalls. This is fine in a pure 5G network, but it becomes tricky when 4G and 5G are combined in one system, especially when users move between the two (a process called handover).
This research internship will explore how to combine the old and new approaches to security in a way that works smoothly in a mixed 4G/5G network. The goal is to understand the challenges and propose solutions that ensure both security and performance.
Objectives
1. Analyze the architectural and security differences between legacy GTP-Firewalls and the 5G IPUPS function.
2. Investigate the implications of HTTP/2-based CP and IPSec-protected UP on traffic inspection and security enforcement.
3. Design a hybrid model that enables secure and efficient CP and UP handling in a 4G/5G Combo Core.
4. Evaluate the model in terms of:
• Handover performance (4G <-> 5G)
• Security (visibility, integrity, confidentiality)
• Operability and maintainability
5. Compare the hybrid model with standalone 5G and legacy 4G implementations.
Prerequisites
• Interest in mobile network security and interworking between generations.
• Motivation to explore and analyze complex network functions.
Additional points that are beneficial but not required:
• Basic understanding of mobile core networks, especially GTP, UPF, and 5G Core architecture.
• Familiarity with network protocols such as HTTP/2.
Further Information
This research internship is done in an open collaboration with Deutsche Telekom Technik GmbH and a follow-up Master Thesis is encouraged.
Contact
Oliver Zeidler oliver.zeidler@tum.de
Supervisor:
Formal Security Analysis of the 5G PRINS Protocol using the Tamarin Prover
Description
5G is the latest generation of mobile networks, offering high data rates, ultra-low latency, and support for a wide range of applications. A key component of the 5G Core is the Security Edge Protection Proxy (SEPP), which ensures secure communication between Public Land Mobile Networks (PLMNs) in roaming scenarios.
To secure the control plane traffic between SEPPs, 3GPP defines the N32 interface, which is split into two parts: N32-c (for capability negotiation) and N32-f (for control message forwarding). While N32-c is secured using end-to-end Transport Layer Security (TLS), N32-f can either use TLS or a new protocol called PRotocol for N32 INterconnect Security (PRINS).
PRINS is designed to provide application-layer security using the Javascript Object Signing and Encryption (JOSE) framework, while still allowing intermediate IP Exchange Network (IPX) providers to route messages. This hybrid approach introduces new security challenges, especially in the presence of potentially untrusted intermediaries.
This thesis aims to conduct a formal security analysis of the PRINS protocol using the Tamarin Prover, a state-of-the-art tool for symbolic protocol verification. The goal is to model PRINS, define its security goals (e.g., confidentiality, integrity, authentication), and verify whether these goals are met under realistic threat models.
Objectives
1. Study the PRINS protocol as defined in 3GPP specifications (e.g., TS 29.573 and TS 33.501).
2. Model the protocol in Tamarin, including key exchange, message protection, and verification steps.
3. Define formal security properties, such as secrecy, authentication, and replay protection.
4. Analyze the protocol under different attacker models (e.g., compromised IPX, key leakage).
5. Compare PRINS with TLS-based N32-f in terms of formal guarantees.
6. Optionally, extend the model to include protocol variants or optimizations.
Prerequisites
• Basic understanding of 5G architecture, especially the core network and roaming.
– Motivation and willingness to learn are sufficient.
• Interest in security protocols and formal verification.
• Familiarity with logic, formal methods, or cryptography is helpful.
• Experience with Tamarin Prover, ProVerif, or similar tools is a plus (but not required).
• Programming experience (e.g., Python, functional languages) is useful for modeling.
Contact
Oliver Zeidler oliver.zeidler@tum.de