Published May 2, 2023 | Version v1
Dataset Open

5GC PFCP Intrusion Detection Dataset


The 5GC PFCP Intrusion Detection Dataset was implemented following relevant methodological frameworks, including eleven features: (a) Complete Network Configuration, (b) Complete Traffic, (c) Labelled Dataset, (d) Complete Interaction, (e) Complete Capture, (f) Available Protocols, (g) Attack Diversity, (h) Heterogeneity, (i) Feature Set and (j) Metadata. A 5GC architecture was emulated, including the Network Slice Selection Function (NSSF), the Network Exposure Function (NEF), the Network Repository Function (NRF), the Policy Control Function (PCF), the User Data Management (UDM), the Access and Mobility Management Function (AF), the Authentication Server Function (AUSF), the Access Management Function (AMF), SMF, and UPF, in addition to a virtualised UE device, a virtualised gNodeB (gNB), and a cyberattacker impersonating a maliciously instantiated SMF. In particular, the following cyberattacks were performed:

  • On Wednesday, October 05, 2022, the PFCP Session Establishment DoS Attack was implemented for 4 hours.
  • On Thursday, October 13, 2022, the PFCP Session Deletion DoS Attack was implemented for four hours.
  • On Tuesday, November 01, 2022, the PFCP Session Modification DoS Attack (DROP Apply Action Field Flags) was implemented for 4 hours.
  • On Tuesday, November 22, 2022, the PFCP Session Modification DoS Attack (DUPL Apply Action Field Flag) was implemented for 4 hours.

The previous PFCP-related cyberattacks were executed, utilising penetration testing tools, such as Scapy. For each attack, a relevant folder is provided, including the network traffic and the network flow statistics for each entity. In particular, for each cyberattack, a folder is given, providing (a) the pcap files for each entity, (b) the Transmission Control Protocol (TCP)/ Internet Protocol (IP) network flow statistics for 120 seconds in a Comma-Separated Values (CSV) format and (c) the PFCP flow statistics for each entity (using different timeout values in terms of second (such as 45, 60, 75, 90, 120 and 240 seconds)). The TCP/IP network flow statistics were produced by using the CICFlowMeter, while the PFCP flow statistics were generated based on a Custom PFCP Flow Generator, taking full advantage of Scapy.

The users of this dataset are kindly asked to cite the following paper(s).

G. Amponis, P. Radoglou-Grammatikis, T. Lagkas, W. Mallouli, A. Cavalli, D. Klonidis, E. Markakis, and P. Sarigiannidis, “Threatening the 5G core via PFCP DOS attacks: The case of blocking UAV Communications”, EURASIP Journal on Wireless Communications and Networking, vol. 2022, no. 1, 2022, doi: 10.1186/s13638-022-02204-5.



Files (107.6 MB)

Name Size Download all
482.4 kB Preview Download
186.1 kB Preview Download
4.4 MB Preview Download
22.2 MB Preview Download
31.1 MB Preview Download
49.2 MB Preview Download

Additional details


SANCUS – SANCUS: analysis software scheme of uniform statistical sampling, audit and defence processes 952672
European Commission