🤖 AI Summary
This study addresses the vulnerability of TDD mobile networks to synchronization attacks due to their reliance on GNSS timing and the absence of standardized GNSS spoofing detection and reporting mechanisms in existing 3GPP frameworks. The work proposes the first integration of GNSS spoofing detection into the 3GPP standardization体系, leveraging existing specifications TS 28.111 and TS 28.552 for alarms and performance counters without introducing new interfaces or compromising multi-generation network compatibility. By analyzing the topological correlation between grandmaster clocks and gNB-DUs, a lightweight detection and monitoring framework is established, seamlessly interfacing with fault management and SECHAND event handling. In well-configured PTP networks, the approach achieves over 95% detection accuracy for spoofing attacks with drift rates ≥0.5 ns/s, maintains a false alarm rate below 1%, and effectively discriminates between signal loss, hardware faults, and transient maintenance events.
📝 Abstract
Time Division Duplex (TDD) mobile networks require synchronization accuracy of $\pm$1.5 $μ$s (3GPP TS 38.104), with GNSS-disciplined grandmaster clocks as the predominant timing source. GNSS spoofing -- now a documented operational threat -- can corrupt timing across all downstream base stations, yet neither the 3GPP management framework (SA5) nor the security framework (SA3) provides standardized mechanisms to detect or report such attacks. This paper proposes a detection and monitoring framework operating within existing 3GPP management structures. The framework introduces GNSS timing alarms and performance counters aligned with TS 28.111 and TS 28.552, a topology-aware correlation mechanism that classifies anomalies by grouping gNB-DUs by serving grandmaster, and a security event bridging fault management with SECHAND incident handling (TR 33.894). Monte Carlo simulation demonstrates detection probability exceeding 95% for drift rates above 0.5 ns/s with false positive rates below 1% under well-provisioned PTP network conditions. The framework requires no new interfaces, is generation-agnostic, and is validated through scenario analysis distinguishing spoofing from signal loss, equipment faults, and maintenance transients.