🤖 AI Summary
To mitigate traffic analysis attacks, such as video identification or user identification, that exploit the cleartext Downlink Control Information (DCI) messages of cellular networks, this paper proposes Saflo, an eBPF-based Multipath TCP (MPTCP) scheduler that splits its work between kernel and user space. The eBPF program in the kernel performs MPTCP path selection on the packet-forwarding path, where latency matters, while machine learning-based DCI anomaly detection runs in user space and decides which paths are enabled or disabled; the kernel scheduler never sends on a path that user space has disabled, so path decisions are programmable from user space without slowing the kernel fast path. Evaluated on a private LTE/5G testbed, Saflo reduces the identification accuracy of two representative DCI-based traffic analysis attacks by over 72% and 68%, respectively, with less than 8% throughput degradation and a bounded increase in end-to-end latency, outperforming the baseline approaches.
📝 Abstract
This paper presents the $\underline{\textbf{saf}}$e sub$\underline{\textbf{flo}}$w (Saflo) eBPF-based Multipath TCP (MPTCP) scheduler, designed to mitigate traffic analysis attacks in cellular networks. Traffic analysis attacks that exploit Downlink Control Information (DCI) messages, which are transmitted in cleartext on the downlink control channel and so expose each user's downlink resource allocation over time, remain a significant security threat in LTE/5G networks. To counter them, the Saflo scheduler combines multipath communication with additional security-related tasks. Specifically, it uses eBPF tooling to operate in both kernel and user space. In kernel space, the eBPF scheduler performs multipath scheduling while excluding the paths that user-space programs have disabled. The user-space programs carry out the security-related computations and machine learning-based attack detection, and decide whether each path should be enabled or disabled. This split offloads the computationally intensive work to user space so that multipath scheduling in the kernel stays timely. The Saflo scheduler was evaluated in a private LTE/5G testbed. The results show that it significantly reduces the accuracy of video identification and user identification attacks in cellular networks while maintaining reasonable network performance for users.
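The kernel/user-space split described in the abstract is easiest to see in a small model. The C program below is an added example, not the paper's code and not an eBPF program: a plain array stands in for the BPF map that the kernel scheduler reads and the user-space detector writes, `saflo_pick_path` stands in for the in-kernel MPTCP path selection (round-robin over enabled paths only), and `saflo_user_flag_trace` stands in for the user-space detector with an assumed burst-regularity heuristic over a per-TTI grant trace reconstructed from DCI, where the paper uses a machine learning model. All function names, the 0.25 coefficient-of-variation threshold, and the two sample traces are constructed for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define SAFLO_MAX_PATHS  4
#define SAFLO_MAX_BURSTS 64
#define DEMO_LEN         50

/* Stand-in for the BPF map shared by the kernel scheduler (reader)
 * and the user-space detector (writer). One entry per MPTCP subflow. */
struct saflo_path { uint8_t enabled; };
static struct saflo_path saflo_map[SAFLO_MAX_PATHS];
static uint32_t saflo_nr_paths;
static uint32_t saflo_cursor;

void saflo_init(uint32_t nr_paths) {
    if (nr_paths > SAFLO_MAX_PATHS) nr_paths = SAFLO_MAX_PATHS;
    saflo_nr_paths = nr_paths;
    saflo_cursor = 0;
    for (uint32_t i = 0; i < SAFLO_MAX_PATHS; i++)
        saflo_map[i].enabled = (i < nr_paths) ? 1 : 0;
}

/* User-space side: flip a path on or off in the shared map. */
void saflo_set_path_enabled(uint32_t idx, int enabled) {
    if (idx < saflo_nr_paths) saflo_map[idx].enabled = enabled ? 1 : 0;
}

/* Kernel-side stand-in: cheap round-robin that skips disabled paths.
 * Returns the chosen path index, or -1 when user space disabled them all
 * (the caller must then queue or fail closed rather than leak on a bad path). */
int saflo_pick_path(void) {
    for (uint32_t i = 0; i < saflo_nr_paths; i++) {
        uint32_t idx = (saflo_cursor + i) % saflo_nr_paths;
        if (saflo_map[idx].enabled) {
            saflo_cursor = (idx + 1) % saflo_nr_paths;
            return (int)idx;
        }
    }
    return -1;
}

/* User-space detector stand-in (assumed heuristic, not the paper's ML model).
 * Input: per-TTI downlink grant sizes for one path, as an attacker could rebuild
 * them from cleartext DCI. Returns 1 when inter-burst gaps are so regular that the
 * stream looks fingerprintable (e.g. periodic video segment fetches). */
int saflo_user_flag_trace(const uint32_t *grants, size_t n, double cv_threshold) {
    size_t starts[SAFLO_MAX_BURSTS], nb = 0;
    int in_burst = 0;
    for (size_t t = 0; t < n; t++) {
        if (grants[t] > 0 && !in_burst && nb < SAFLO_MAX_BURSTS) starts[nb++] = t;
        in_burst = grants[t] > 0;
    }
    if (nb < 4) return 0;                 /* fewer than 3 gaps: nothing to judge */
    double mean = 0.0, var = 0.0;
    for (size_t i = 1; i < nb; i++) mean += (double)(starts[i] - starts[i - 1]);
    mean /= (double)(nb - 1);
    for (size_t i = 1; i < nb; i++) {
        double d = (double)(starts[i] - starts[i - 1]) - mean;
        var += d * d;
    }
    var /= (double)(nb - 1);
    /* cv = sqrt(var)/mean < threshold  <=>  var < (threshold*mean)^2; avoids libm */
    return var < (cv_threshold * mean) * (cv_threshold * mean);
}

/* Constructed sample traces (not measurement data). */
int saflo_demo_video_flag(void) {          /* 3-TTI burst every 10 TTIs */
    uint32_t trace[DEMO_LEN];
    for (size_t t = 0; t < DEMO_LEN; t++) trace[t] = (t % 10 < 3) ? 1500 : 0;
    return saflo_user_flag_trace(trace, DEMO_LEN, 0.25);
}
int saflo_demo_web_flag(void) {            /* irregular bursts at TTIs 0,3,11,13,25 */
    uint32_t trace[DEMO_LEN] = {0};
    const size_t on[] = {0, 1, 3, 11, 13, 25};
    for (size_t i = 0; i < sizeof on / sizeof on[0]; i++) trace[on[i]] = 1200;
    return saflo_user_flag_trace(trace, DEMO_LEN, 0.25);
}

int main(void) {
    saflo_init(3);
    printf("video-like trace flagged: %d, web-like trace flagged: %d\n",
           saflo_demo_video_flag(), saflo_demo_web_flag());
    saflo_set_path_enabled(0, !saflo_demo_video_flag()); /* user space disables path 0 */
    for (int i = 0; i < 4; i++) printf("kernel picks path %d\n", saflo_pick_path());
    return 0;
}
```

The point of the split is visible in `saflo_pick_path`: it does no statistics at all, only a bounded loop over a small map, which is the kind of work an eBPF verifier accepts and that fits on the per-packet path; the detector, which needs whole traces and floating point, stays in user space and only ever writes a bit per path.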