Long-Term Evolution (LTE), which is the latest mobile communication network technology, has been deployed for 10 years and many LTE vulnerabilities have been studied. Although much research on the vulnerability of control plane managing user mobility and sessions were also conducted, most of the studies focused on finding User Equipment (UE) vulnerabilities. In recent years, a few studies published that found vulnerabilities in LTE network components but these studies have at least one of the following limitations. First, only LTE standard analysis was performed, so it could not identify vulnerabilities in implementation flaws. Second, the security analysis was performed only on a few of the many states that could occur on the protocol.By complementing limitations of existing research, in this thesis, we present a fault detector that can identify unknown faults in LTE network components by performing security analysis in various states that could occur during control plane procedures of actual components' implementation. While performing the control plane procedure as UE, the fault detector identifies faults by sending variants of the message to LTE network components and checking subsequent messages coming down from the network. The detector sent message variants for the 8 uplink message types used in LTE attach procedure and produced a total of 171 variants. Testing two environments that were set up the same as the commercial environment found that 11 and 12 ineffective message variants in each environment were not handled properly. The invalid messages found are the messages that cause the fault, and by chaining these messages, we were able to construct the impersonation attack that an attacker who is not subscribed to the carrier can use LTE service by impersonating a normal subscriber.

배포된 지 10년이 지난 LTE는 많은 취약점 연구가 이뤄졌다. 제어 평면 취약점도 많이 연구되었지만 대부분 단말 취약점을 찾은 연구였다. 최근 네트워크 취약점 연구들이 발표됐으나 다음의 한계점을 가진다: 표준만 분석하여 구현 결함을 찾지 못함, 프로토콜 상태 중 일부에서만 분석. 본 연구에서는 실제 네트워크의 다양한 제어 평면 절차 상태에서 분석함으로써 네트워크 결함을 식별하는 탐지기를 제안한다. 탐지기는 제어 평면 절차 중 네트워크에 메시지 변종을 전송하고 내려오는 후속 메시지를 확인하여 결함 여부를 식별한다. 탐지기는 접속 절차에 사용되는 메시지 8개에 대한 변종을 전송하며 총 171 개의 변종을 생성했다. 두 개의 환경에서 실험했고 각각 11과 12개의 유효하지 않은 변종이 잘못 처리되었다. 이 변종들은 결함으로 간주되고 이를 조합하여 서비스에 가입하지 않은 공격자가 가입자로 가장하여 LTE 서비스를 받을 수 있는 공격을 구성할 수 있었다.