Adversarial Machine Learning for Flooding Attacks on 5G Radio Access Network Slicing
Network slicing manages network resources as virtual resource blocks (RBs) for the 5G Radio Access Network (RAN). Each communication request comes with quality of experience (QoE) requirements such as throughput and latency/deadline, which can be met by assigning RBs, communication power, and processing power to the request. For a completed request, the achieved reward is measured by the weight (priority) of this request. Then, the reward is maximized over time by allocating resources, e.g., with reinforcement learning (RL). In this paper, we introduce a novel flooding attack on 5G network slicing, where an adversary generates fake network slicing requests to consume the 5G RAN resources that would be otherwise available to real requests. The adversary observes the spectrum and builds a surrogate model on the network slicing algorithm through RL that decides on how to craft fake requests to minimize the reward of real requests over time. We show that the portion of the reward achieved by real requests may be much less than the reward that would be achieved when there was no attack. We also show that this flooding attack is more effective than other benchmark attacks such as random fake requests and fake requests with the minimum resource requirement (lowest QoE requirement). Fake requests may be detected due to their fixed weight. As an attack enhancement, we present schemes to randomize weights of fake requests and show that it is still possible to reduce the reward of real requests while maintaining the balance on weight distributions.
5G promises unprecedented performance improvements in terms of rate, delay, and energy efficiency compared to 4G systems. An important design aspect towards this goal is resource allocation for network slicing that aims to multiplex and serve multiple virtualized and independent logical networks on the same physical network infrastructure of 5G [2, 1, 3]. 5G radio access network (RAN) employs network slicing to manage its resources as virtual resource blocks (RBs), e.g., an RB may correspond to a frequency band. Then, the network resource allocation problem can be simplified by considering how to allocate virtual RBs without the need to focus on the physical resources to support RBs. We consider a gNodeB that supports downlink communication requests from user equipments (UEs). A UE may generate requests with different Quality of Experience (QoE) requirements for different types of network slices such as Enhanced Mobile Broadband (eMBB), Massive Machine Type Communications (mMTC), and Ultra Reliable Low Latency Communications (URLLC). These QoE requirements are mapped to different requirements on RBs, as well as communication and processing powers at the gNodeB. Each request has its own priority (measured by a weight). If the gNodeB allocates resources to a request to meet its requirements, the reward is the weight of this request. If a request is not served, it is kept in a list of active requests until its deadline. This resource allocation approach aims to maximize the reward over time and can be used in near-real time RAN Intelligent Controller (Near-RT RIC) to support micro-service-based applications called xApps.
Since future requests are unknown, an online algorithm is needed to make decisions based on current network status and requests. Machine learning can be effectively applied to solve complex wireless optimization problems by learning from spectrum data . In particular, deep learning was studied for network slicing in  for application and device specific identification and traffic classification, and in  for management of network load efficiency and network availability. As the training data may not be available, reinforcement learning (RL) was used for network slicing without requiring a prior model [8, 7, 9, 10, 11, 12]. In our setting, the RL approach learns a model to predict the future reward (the weight of selected requests) for each state (available resources) and each action (admission of requests), and determines over time the optimal action to maximize the expected future reward.
With the success of applying machine learning (ML) to network slicing problems, there are also security concerns, specifically due to the attacks built upon adversarial ML. Adversarial ML studies the learning process in the presence of adversaries and expands the attack surface with new wireless attacks, e.g., exploratory (inference) attacks , evasion (adversarial) attacks [14, 15, 16, 17, 18], causative (poisoning) attacks , membership inference attacks , and Trojan attacks . Recently, adversarial ML has been used to launch attacks on 5G such as attack on 5G spectrum sharing with incumbents, attack on 5G UE authentication , covert 5G communications , and attack on 5G network slicing (where the adversary aims to manipulate the underlying RL algorithm) . In this paper, we consider a flooding type of attack that has found applications in the networking domain, such as the TCP flooding attack. For network slicing, we formulate the flooding attack as the case that an adversary generates fake requests to consume network resources. This attack cannot be detected by simply monitoring the reward since the gNodeB can still achieve large reward as in the case of no attack. However, a great portion of this reward is associated with fake requests and the reward by real requests is much less than that without attack. Compared to conventional jamming, the flooding attack is stealthier and more energy-efficient (especially for downlink traffic), since it only requires an adversary to send requests and ACK without a need of long transmissions.
The design challenge of flooding attack is how to generate fake requests for resources. If there is no limitation, the adversary can generate many requests to maximize its impact, but it can be easily detected and blocked. Thus, we assume an upper bound on the number of fake requests. The adversary needs to carefully design its requests for network resources and rewards such that the impact of these requests is maximized. For that purpose, we design an RL solution for the adversary that uses network resources as the state, the generated fake requests as the action, and the reward achieved by fake requests as the reward for RL. This solution aims to maximize the total reward for fake requests over time, which in turn minimizes the remaining reward for real requests. We show that this flooding attack reduces the reward for real requests significantly more than two benchmark attacks, namely random fake requests and fake requests with lowest QoE requirement (or minimum resource requirement). Although we mainly launch the flooding attack on an RL based network slicing scheme, we show that it can also target other network slicing schemes such as myopic, first come first served (FCFS), or random selection.
The best strategy (in terms of minimizing the reward of real requests) is to generate fake requests with large weights, but they may be easily detected by checking their weights over time. To overcome this defense, we design attack schemes with variable weights and show that we can set a close to uniform weight distribution on fake requests such that they cannot be easily detected based on their weights and the reward of real requests can still be reduced significantly.
The rest of the paper is organized as follows. Section II describes the resource allocation schemes for network slicing. Section III presents the flooding attack that aims to minimize the gNodeB’s performance for real communication requests. Section IV evaluates the attack performance under different settings and designs. Section V concludes this paper.
Ii Resource Allocation for Network Slicing
Resource allocation for network slicing can be optimized by RL. We follow the RL approach in  as an example. Fig. 1 shows multiple 5G UEs sending requests over time with different rate, processing power, latency (deadline) and lifetime requirements and priority weights. The 5G gNodeB selectively serves some of these requests competing for resources. If a request is selected, resources are allocated to meet the requirements. Otherwise, it will be kept in a waiting list until its deadline expires. The 5G gNodeB selects requests to maximize the reward, i.e., the total weight of served requests over a time period. An adversary launches the flooding attack to generate fake requests such that the total weight of served real requests over a time period can be minimized. Denote the set of active requests (newly arrived requests and previously arrived requests that stay in the waiting list) at time as for each time . RBs, communication and processing powers are allocated to meet the requirements of admitted requests in . The rate and processing power requirements of UE for its request are given by
where is the achieved data rate, is the minimum required rate, is the assigned processing power, is the minimum required processing power (measured by the percentage of CPU usage), and is the binary indicator on whether UE ’s request is satisfied at time . At any time, the total of selected requests is no more than . measured in bps depends on the assigned bandwidth and the modulation coding scheme used for communications from gNodeB to UE , and is approximated as , where is the number of allocated RBs and is the bit error rate of UE for its request , and constant is approximately when a single-antenna UE uses QPSK modulation, kHz subcarrier spacing and MHz bandwidth. The constraints of RB assignments are
where represents the available RBs of the gNodeB at time (resources that are assigned previously to some requests and not released yet become temporarily unavailable). By considering the optimization problem for a time horizon, the resources are updated from time to time as
where and are released and allocated resources on frequency at time . Each request has a lifetime and if it is selected at time (namely, the service starts at time ), this request will end at time . The released and allocated resources at time are given by
respectively, where denotes the set of requests ending at time . Then, the optimization problem is given by
subject to (1)–(4), where is the weight for UE ’s request to reflect its priority. Without knowing future requests, the model-free RL algorithm solves (5) by making decisions using an online learned policy that determines an action for current state for the gNodeB. In this paper, we consider Q-learning from . The reward at time is if UE ’s request is satisfied, i.e., . Actions assign resources to each request at time . Multiple actions can be taken at the same time instance if there are sufficient resources. The states at are the remaining RBs and communication and processing powers. Given by (3)-(4), state transition at time is driven by allocating resources for requests granted at time and releasing resources after lifetimes of some active services expire at time . Note that the flooding attack can be also launched on other network slicing schemes. We consider the following schemes for comparison purposes. The myopic scheme aims to maximize the reward for the current time (without considering future rewards). The FCFS scheme aims to allocate resources based on the arrival time of requests. The random scheme allocates resources to some randomly selected requests.
Iii Reinforcement Learning based Flooding Attack for Network Slicing
An adversary attacks the 5G RAN network slicing by generating fake requests for network slices. If these fake requests are selected and network resources are allocated to them, fewer resources will be left for real requests from legitimate users. As a consequence, although a gNodeB may still achieve a high reward for many granted requests, the actual reward corresponding to real requests may be a smaller option of it. We consider a practical constraint that the adversary has a limited rate of generating fake requests to avoid being detected. In particular, we can set the same rate of request generation for the adversary and legitimate users. Thus, it is important for the adversary to generate fake requests with two objectives:
Objective 1: fake requests are satisfied (namely, resources are allocated to them) with high probability.
Objective 2: fake requests occupy resources in a way that real requests cannot be satisfied due to the unavailability of resources.
For the first objective, a fake request should ask for a smaller portion of resources (to avoid being rejected due to insufficient resources) and have the maximum reward (to have high priority). For the second objective, a fake request should consume the majority of the resources such that the remaining resources are not sufficient for real requests. Thus, the ideal setting on weights in fake requests is the maximum weight while the required resource should not be too large (to ensure that a fake request can be satisfied) or too small (to ensure that a significant portion of the total resources can be occupied by fake requests). Therefore, the key step in the flooding attack is determining resources to be specified by fake requests.
The resources include the number of available RBs, the remaining processing power (memory), and the remaining communication (transmit) power. The adversary may sense the spectrum and aim to detect available RBs. However, it cannot know the remaining processing and communication powers. There is no need to consume all of these resources to prevent serving real requests, since a request cannot be satisfied if any of its resource requirements is not met. Thus, the adversary can request minimum processing and communication powers such that its requests will not be rejected due to the lack of these resources. On the other hand, the adversary needs to determine RB requirements in its requests. To make decisions, we design a Q-learning algorithm for the adversary as follows.
The state is the number of available RBs.
The action is to select how many RBs to be assigned in a fake request ( means no request is made). The number of potential actions is , where is the number of available RBs.
The reward is the number of served fake requests (or the total reward of served fake requests).
The Q-table maps (state, action) to reward. To initialize this table, if a fake request is generated, the corresponding entry is set as , otherwise the entry is set as . The adversary applies Q-learning to update this table and take actions based on this table. The adversary generates a fake request only if the rate of fake requests so far is below the expected rate, which can be set the same as the rate of real requests from other (legitimate) users. Under the flooding attack, we measure both the total reward (including the reward for both real and fake requests) and the real reward (including the reward for real requests only).
Iv Performance Evaluation
Suppose that the gNodeB receives requests from three UEs. For each UE, requests arrive with rate of per slot. The adversary also generates fake requests at this rate. Here, a slot corresponds to each time block which is ms long with kHz subcarrier spacing. For each request, weight, lifetime, and deadline are randomly assigned in , slots, and slots, respectively. The signal-noise-ratio (SNR) is selected randomly from . The total frequency is MHz and is split into bands, i.e., there are RBs. In addition to the Q-learning-based attack, we also consider the case of no attack and two benchmark attacks:
Random attack: The adversary generates fake requests with random requirements on RBs.
Minimum resource (MinRes) attack: The adversary generates fake requests with the lowest QoE requirement, which in turn requires the minimum number of RBs, i.e., always one RB is required.
|Algorithm||Total reward||Real reward|
We assume that the adversary launches its attack (Q-learning, MinRes, or Random) over slots. The benchmark of no attack case is also run over slots. The achieved reward is measured for the last slots. For network slicing, we first consider the RL based scheme. Table I shows the performance of different attacks and the case of no attack. If there is no attack, i.e., all requests are real, the total reward and the real portion of it are the same. All attacks increase the total reward, since there are some additional fake requests with high reward, but the real portion of the reward is less than the total (all real) reward achieved under no attack. The random attack does not work well and only slightly reduces the real reward (from to ). The MinRes attack always generates fake requests with the minimum required resource. Although this increases the probability of being selected by the gNodeB for service, the occupied resource is also minimized. Hence, it significantly reduces the real reward to but it is not as effective as the Q-learning attack, which reduces the real reward to .
We also measure the total reward of all fake requests generated under the Q-learning attack, which is . The total reward of served fake requests is , i.e., most of fake requests are served and occupy some resources. Thus, the Q-learning attack is efficient in terms of the ratio between served and generated requests. The total reward asked for real requests is , while the total reward of served real requests is only under the Q-learning attack, i.e., only a small portion of real requests are served under the flooding attack, showing that the flooding attack is highly successful.
|Network slicing||No attack||Flooding attack|
|scheme||Total reward||Real reward|
This flooding attack can be launched against other network slicing schemes including the myopic, FCFS, and random schemes described in Section II. Table II shows that the (reward) performance of all these schemes drop significantly under the flooding attack. In particular, the FCFS and random schemes have worse performance than the Q-learning based scheme regardless there is a flooding attack, or not. One interesting result is that the myopic scheme has worse performance compared to the Q-learning based scheme when there is no attack, but under the flooding attack, the myopic scheme achieves better reward, namely , compared to the reward achieved by Q-learning based scheme. The reason is that the Q-learning based scheme aims to maximize the expected total reward, including both current reward and future reward. When there are fake requests with high rewards, the Q-learning algorithm tends not to allocate resources to real requests if their reward is not high. On the other hand, there is no such issue in the myopic scheme since it only considers the current reward.
The flooding attack that we consider so far generates fake requests with the maximum weight to maximize the probability that they are selected by the gNodeB. A defense scheme may detect the increase in weights of network slicing requests. Against such a defense, we extend the flooding attack with the following schemes to increase randomness of weights.
Random weight (RW): Weights in fake requests are uniformly randomly assigned.
Non-uniform weight (NUW): The flooding attack is most effective when remaining resources are small, since any occupation of fake requests may make remaining resources insufficient for real requests. Thus, the adversary can generate more fake requests with large weight if remaining resources are small. Otherwise, the adversary can generate more fake requests with small weights. These non-uniform distributions are selected such that the overall weight distribution remains uniform, i.e., , where is the number of total available RBs, is the probability of weight is when the number of remaining RBs is , and is the number of different weights. One such distribution is shown in Table III.
1 2 3 4 5 1 0.5 0.4 0.1 0 0 2 0.5 0.4 0.1 0 0 3 0.4 0.4 0.2 0 0 4 0.4 0.4 0.2 0 0 5 0.2 0.3 0.4 0.1 0 6 0.2 0.2 0.2 0.2 0.2 7 0 0.1 0.4 0.3 0.2 8 0 0 0.2 0.4 0.4 9 0 0 0.2 0.4 0.4 10 0 0 0.1 0.4 0.5 11 0 0 0.1 0.4 0.5 TABLE III: Distribution of weights in network slicing requests.
Non-uniform high weight (NUHW): We limit the weights in fake requests to a high value, namely or , and choose non-uniform distributions such that for or . One such distribution is shown in Table IV.
1 2 3 4 5 1 0 0 0 1 0 2 0 0 0 0.9 0.1 3 0 0 0 0.9 0.1 4 0 0 0 0.8 0.2 5 0 0 0 0.8 0.2 6 0 0 0 0.5 0.5 7 0 0 0 0.2 0.8 8 0 0 0 0.2 0.8 9 0 0 0 0.1 0.9 10 0 0 0 0.1 0.9 11 0 0 0 0 1 TABLE IV: Distribution for high weight.
Random high reward (RHW): Weights in fake requests are randomly assigned as or .
Adjusted weight (AW): The adversary adjusts weights dynamically based on whether a fake request is selected or not. If a fake request is selected, the adversary wants to have another fake request being selected to occupy resources, otherwise there is no such need. Thus, the weight in requests should be increased (bounded by the largest reward) if a fake request is selected, otherwise the weight should be decreased (bounded by the smallest reward). We consider three adjustment approaches.
Adjusted 1: increase the weight in fake requests by 1 if a fake request is selected or decrease it by 1 otherwise,
Adjusted 2: increase the weight in fake requests to the maximum value if a fake request is selected or decrease it by 1 otherwise, or
Adjusted 3: set a probability for reducing the weight in fake requests by 1 if a fake request is not selected.
Table V shows results for these attack extensions. First of all, since the adversary aims to sustain uniform distribution among different weights in its requests, the probability of selecting a fake request is reduced and thus the real reward under all these attacks is larger than the previous attack case where we set the weight in fake requests as the maximum value. We then check each attack scenario as follows. Under the flooding attack with RW, the real reward is . The real reward achieved under the flooding attack with NUW is , which is still much higher than the real reward when we fix the reward as its maximum value. To improve the performance, we can limit weight in fake requests to or . The real reward under the flooding attack with RHW is . The real reward under the flooding attack with BHR is , which is close to when we fix reward as . For the flooding attack with AJ, Adjusted 1 yields a real reward , which is high, as most weights for fake requests are selected as 1. When Adjusted 2 is used, the real reward becomes . We find that the distribution of weights is almost a uniform distribution. When we use Adjusted 3 with the probability set as , which also yields an approximately equal distribution for reward in fake requests, the achieved real reward is . Overall, the flooding attack can reduce the real reward significantly while keeping close to uniform weight distribution such that it is difficult to detect fake requests by checking their weights.
|Algorithm||Total reward||Real reward|
Next, we check the effect of system parameters on the flooding attack performance. Table VI shows the results when we vary the rate of fake requests, . The total reward increases first with due to high reward of fake requests, while the real reward decreases due to the increasing portion of fake requests. If request per slot, the total or real reward does not change, i.e., is sufficient for the best attack.
|Total reward||Real reward|
Table VII shows the results when we vary the number of RBs, . The reward when there is no attack increases first with due to more RBs, and then changes within certain range due to randomness in limited number of user requests. The total reward under attack shows the same trend. The real reward under attack first decreases with and then stays within certain range. To understand the trend better, we assess the ratio between real reward under attack and the reward when there is no attack. By increasing , this ratio first decreases as a fake request can attack more RBs, and then stays within certain range since (i) the number of fake requests is limited and (ii) there is some randomness in generated fake requests.
|No attack||Flooding attack||Ratio (%)|
|Total reward||Real reward|
Table VIII shows the results when we vary the number of users, . By increasing , the reward when there is no attack increases due to more requests to be selected for service. The total reward and the real reward under attack show the same trend. When is large, the total reward under attack is less than the reward when there is no attack. The reason is that the adversary generates fake requests with non-minimum RBs while with many users it is likely that there are requests with the same reward and minimum RBs. Then, the total reward by selecting some fake requests may be less than the case of not selecting fake requests. The ratio of real reward over reward under no attack increases with due to more real requests competing with fake requests.
|User||No attack||Flooding attack||Ratio (%)|
|Total reward||Real reward|
Table IX shows the results when we vary the SNR for users. By increasing the SNR, all rewards (real or total) increase with and without flooding attack. In particular, the ratio of real reward over the reward under no attack increases due to better channels available for users. In this case, it is easier to serve a real request by meeting rate requirements, i.e., it is more challenging for the attack to deny service to a real request by consuming resources.
|SNR||No attack||Flooding attack||Ratio (%)|
|Total reward||Real reward|
Finally, we evaluate the effect of the adversary’s observation error on available RBs, in terms of false alarm (available RBs are detected as unavailable) and misdetection (unavailable RBs are detected as available). We find that this effect is not significant. Even for significant errors up to %, the change on real reward is at most %. Hence, the flooding attack is not very sensitive to errors in spectrum sensing.
We presented a flooding attack on 5G RAN slicing, where an adversary generates fake network slicing requests to consume available resources and thus minimize the reward for real requests. We developed an RL based attack to generate fake requests and showed it is more effective than generating fake requests randomly or with minimum resource requirement. Although we focused on attacking an RL based network slicing scheme, we showed that the flooding attack is effective against other network slicing schemes. We also designed weight distribution schemes such that fake requests cannot be detected by their weights, and showed that using a close to uniform distribution for weights can still reduce the real portion of the reward significantly. Overall, our results indicate that 5G RAN slicing is highly vulnerable to flooding attacks and the reward of real requests can be significantly reduced by starving the available resources with fake requests.
- thanks: This effort is supported by the U.S. Army Research Office under contract W911NF-20-C-0055. The content of the information does not necessarily reflect the position or the policy of the U.S. Government, and no official endorsement should be inferred.
- X. Foukas, G. Patounas, A. Elmokashfi, and M. K. Marina, “Network slicing in 5G: Survey and challenges,” IEEE Communications Magazine, May 2017.
- A. Kaloxylos, “A survey and an analysis of network slicing in 5G networks,” IEEE Communications Standards Magazine, Apr. 2018.
- S. D’Oro, F. Restuccia, A. Talamonti, and T. Melodia, “The slice is served: Enforcing radio access network slicing in virtualized 5G systems,” IEEE INFOCOM, 2019.
- T. Erpek, T. O’Shea, Y. E. Sagduyu, Y. Shi, and T. C. Clancy, “Deep learning for wireless communications,” Development and Analysis of Deep Learning Architectures, Springer, 2019.
- A. Nakao, and P. Du, “Toward in-network deep machine learning for identifying mobile applications and enabling application specific network slicing,” IEICE Transactions on Communications, 2018.
- A. Thantharate, R. Paropkari, V. Walunj, C. Beard, “DeepSlice: A deep learning approach towards an efficient and reliable network slicing in 5G networks,” IEEE UEMCON, 2019.
- R. Li, Z. Zhao, Q. Sun, C.-L. I, C. Yang, X. Chen, M. Zhao, and H. Zhang, “Deep reinforcement learning for resource management in network slicing,” IEEE Access, Nov. 2018.
- J. Koo, M. R. Rahman, V. B. Mendiratta, and A. Walid, “Deep reinforcement learning for network slicing with heterogeneous resource requirements and time varying traffic dynamics,” arXiv prePrint, arXiv:1908.03242, 2019.
- H. Wang, Y. Wu, G. Mina, J. Xu, and P. Tang, “Data-driven dynamic resource scheduling for network slicing: A deep reinforcement learning approach,” Information Sciences, 2019.
- Z. Xu, Y. Wang, J. Tang, J. Wang, and M. C. Gursoy, “A deep reinforcement learning based framework for power-efficient resource allocation in cloud RANs,” IEEE ICC, 2017.
- Y. Shi, Y. E. Sagduyu, and T. Erpek, “Reinforcement learning for dynamic resource optimization in 5G radio access network slicing,â IEEE CAMAD, 2020.
- A. Nassar and Y. Yilmaz, “Deep reinforcement learning for adaptive network slicing in 5G for intelligent vehicular systems and smart cities,” arXiv prePrint, arXiv:2010.09916 (2020).
- T. Erpek, Y. E. Sagduyu, and Y. Shi, “Deep learning for launching and mitigating wireless jamming attacks, IEEE Transactions on Cognitive Communications and Networking, Mar. 2019.
- M. Sadeghi and E. G. Larsson, “Adversarial attacks on deep-learning based radio signal classification,” IEEE Communications Letters, Feb. 2019.
- M. Z. Hameed, A. Gyorgy, and D. Gunduz, “The best defense is a good offense: Adversarial attacks to avoid modulation detection,” IEEE Transactions on Information Forensics and Security, Sept. 2020.
- B. Kim, Y. E. Sagduyu, K. Davaslioglu, T. Erpek, and S. Ulukus, “Over-the-air adversarial attacks on deep learning based modulation classifier over wireless channels,â IEEE CISS, 2020.
- B. Kim, Y. E. Sagduyu, K. Davaslioglu, T. Erpek, and S. Ulukus, “Channel-aware adversarial attacks against deep learning-based wireless signal classifiers,” arXiv prePrint, arXiv:2005.05321, 2020.
- B. Kim, Y. E. Sagduyu, K. Davaslioglu, T. Erpek, and S. Ulukus, “Adversarial attacks with multiple antennas against deep learning-based modulation classifiers,” IEEE GLOBECOM, 2020.
- Y. E. Sagduyu, T. Erpek, and Y. Shi, “Adversarial deep learning for over-the-air spectrum poisoning attacks,” IEEE Transactions on Mobile Computing, Feb. 2021.
- Y. Shi, K. Davaslioglu, and Y. E. Sagduyu, “Over-the-air membership inference attacks as privacy threats for deep learning-based wireless signal classifiers,” ACM WiseML, 2020.
- K. Davaslioglu and Y. E. Sagduyu, “Trojan attacks on wireless signal classification with adversarial machine learning,” IEEE DySPAN, 2019.
- Y. E. Sagduyu, T. Erpek, and Y. Shi, “Adversarial machine learning for 5G communications security,” arXiv preprint arXiv:2101.02656, 2021.
- B. Kim, Y. E. Sagduyu, K. Davaslioglu, T. Erpek, and S. Ulukus, “How to make 5G communications “invisible”: adversarial machine learning for wireless privacy,” Asilomar Conf. Sig., Sys. and Comp., 2020.
- Y. Shi, Y. E. Sagduyu, T. Erpek, M. C. Gursoy, “How to attack and defend 5G radio access network slicing with reinforcement learning,” 2020, available on arXiv:2101.05768.
- 3GPP TS 38.306: “NR; User Equipment (UE) radio access capabilities”.