5GC PFCP Intrusion Detection Dataset

Citation Author(s):
K3Y Ltd
K3Y Ltd
K3Y Ltd
K3Y Ltd
K3Y Ltd
K3Y Ltd
K3Y Ltd
K3Y Ltd
Submitted by:
Panagiotis Rado...
Last updated:
Tue, 05/09/2023 - 09:51
Data Format:
Research Article Link:
0 ratings - Please login to submit your rating.


The advancements in the field of telecommunications have resulted in an increasing demand for robust, high-speed, and secure connections between User Equipment (UE) instances and the Data Network (DN). The implementation of the newly defined 3rd Generation Partnership Project 3GPP (3GPP) network architecture in the 5G Core (5GC) represents a significant leap towards fulfilling these demands. This architecture promises faster connectivity, low latency, higher data transfer rates, and improved network reliability. 5GC has been designed to support a wide range of critical Next Generation Internet of Things (NG-IoT) and industrial use cases that require reliable end-to-end communication services. However, this evolution raises severe security issues. In the context of the SANCUS project, a set of cyberattacks were investigated and emulated by K3Y against the Packet Forwarding Control Protocol (PFCP) between the Session Management Function (SMF) and the User Plane Function (UPF). Based on these attacks, an intrusion detection dataset was generated: 5GC PFCP Intrusion Detection Dataset that can support the development of Artificial Intelligence (AI)-powered Intrusion Detection Systems (IDS) that use Machine Learning (ML) and Deep Learning (DL) techniques. The goal of this report is to describe this dataset.


The 5GC PFCP Intrusion Detection Dataset was implemented following relevant methodological frameworks, including eleven features: (a) Complete Network Configuration, (b) Complete Traffic, (c) Labelled Dataset, (d) Complete Interaction, (e) Complete Capture, (f) Available Protocols, (g) Attack Diversity, (h) Heterogeneity, (i) Feature Set and (j) Metadata. A 5GC architecture was emulated, including the Network Slice Selection Function (NSSF), the Network Exposure Function (NEF), the Network Repository Function (NRF), the Policy Control Function (PCF), the User Data Management (UDM), the Access and Mobility Management Function (AF), the Authentication Server Function (AUSF), the Access Management Function (AMF), SMF, and UPF, in addition to a virtualised UE device, a virtualised gNodeB (gNB), and a cyberattacker impersonating a maliciously instantiated SMF. In particular, the following cyberattacks were performed:

  • On Wednesday, October 05, 2022, the PFCP Session Establishment DoS Attack was implemented for 4 hours.
  • On Thursday, October 13, 2022, the PFCP Session Deletion DoS Attack was implemented for four hours.
  • On Tuesday, November 01, 2022, the PFCP Session Modification DoS Attack (DROP Apply Action Field Flags) was implemented for 4 hours.
  • On Tuesday, November 22, 2022, the PFCP Session Modification DoS Attack (DUPL Apply Action Field Flag) was implemented for 4 hours.

The previous PFCP-related cyberattacks were executed, utilising penetration testing tools, such as Scapy. For each attack, a relevant folder is provided, including the network traffic and the network flow statistics for each entity. In particular, for each cyberattack, a folder is given, providing (a) the pcap files for each entity, (b) the Transmission Control Protocol (TCP)/ Internet Protocol (IP) network flow statistics for 120 seconds in a Comma-Separated Values (CSV) format and (c) the PFCP flow statistics for each entity (using different timeout values in terms of second (such as 45, 60, 75, 90, 120 and 240 seconds)). The TCP/IP network flow statistics were produced by using the CICFlowMeter, while the PFCP flow statistics were generated based on a Custom PFCP Flow Generator, taking full advantage of Scapy.

The users of this dataset are kindly asked to cite the following paper(s).

G. Amponis, P. Radoglou-Grammatikis, T. Lagkas, W. Mallouli, A. Cavalli, D. Klonidis, E. Markakis, and P. Sarigiannidis, “Threatening the 5G core via PFCP DOS attacks: The case of blocking UAV Communications”, EURASIP Journal on Wireless Communications and Networking, vol. 2022, no. 1, 2022, doi: 10.1186/s13638-022-02204-5.

Funding Agency: 
Horizon 2020 Research and Innovation Programme
Grant Number: 



Submitted by Adil Hannoune on Tue, 06/20/2023 - 11:43

Dear Sir/Madam,

I would like to inquire about the corresponding IP addresses associated with specific network functions, particularly SMF, UPF, and MSMF.

I find it perplexing that, upon examining the PCAP files "MSMF.pcap" and "UPF.pcap" from the "PFCP Session Deletion DoS Attack/20221310_PFCP_PFCP_Sess_Deletion_DoS_Test_07_4h" directory, I observed that the IP address sending the "pfcp_deletion_request" appears to be "" However, the files "PFCP Session Deletion DoS Attack/20221310_PFCP_PFCP_Sess_Deletion_DoS_Test_07_4h/CiCFlowMeter Flows/240-sec-CSV/MSMF.csv" indicate that " ->" or " ->" are labeled as malicious.

I am keen to understand the rationale behind this discrepancy. Is the IP address of MSMF indeed ""? If so, what is the reason behind labeling "" as malicious in the CSV file generated by CiCFlowMeter?

Thank you for your assistance.

Submitted by Shi Huang Tseng on Tue, 11/07/2023 - 08:45