{"status":"ok","message-type":"work","message-version":"1.0.0","message":{"indexed":{"date-parts":[[2025,12,31]],"date-time":"2025-12-31T18:53:13Z","timestamp":1767207193791,"version":"3.48.0"},"reference-count":56,"publisher":"Institute of Electrical and Electronics Engineers (IEEE)","license":[{"start":{"date-parts":[[2026,1,1]],"date-time":"2026-01-01T00:00:00Z","timestamp":1767225600000},"content-version":"vor","delay-in-days":0,"URL":"https:\/\/ieeexplore.ieee.org\/Xplorehelp\/downloads\/license-information\/IEEE.html"},{"start":{"date-parts":[[2026,1,1]],"date-time":"2026-01-01T00:00:00Z","timestamp":1767225600000},"content-version":"stm-asf","delay-in-days":0,"URL":"https:\/\/doi.org\/10.15223\/policy-029"},{"start":{"date-parts":[[2026,1,1]],"date-time":"2026-01-01T00:00:00Z","timestamp":1767225600000},"content-version":"stm-asf","delay-in-days":0,"URL":"https:\/\/doi.org\/10.15223\/policy-037"}],"funder":[{"name":"National Natural Science Foundation of China under Grants","award":["62001055"],"award-info":[{"award-number":["62001055"]}]}],"content-domain":{"domain":[],"crossmark-restriction":false},"short-container-title":["IEEE Trans. Netw. Serv. Manage."],"published-print":{"date-parts":[[2026]]},"DOI":"10.1109\/tnsm.2025.3626804","type":"journal-article","created":{"date-parts":[[2025,10,30]],"date-time":"2025-10-30T18:02:25Z","timestamp":1761847345000},"page":"1028-1042","source":"Crossref","is-referenced-by-count":0,"title":["Adaptive Target Device Model Identification Attack in 5G Mobile Network"],"prefix":"10.1109","volume":"23","author":[{"ORCID":"https:\/\/orcid.org\/0009-0007-6503-944X","authenticated-orcid":false,"given":"Shaocong","family":"Feng","sequence":"first","affiliation":[{"name":"School of Cyberspace Security, Beijing University of Posts and Telecommunications, Beijing, China"}],"role":[{"role":"author","vocabulary":"crossref"}]},{"ORCID":"https:\/\/orcid.org\/0000-0001-6937-4068","authenticated-orcid":false,"given":"Baojiang","family":"Cui","sequence":"additional","affiliation":[{"name":"School of Cyberspace Security, Beijing University of Posts and Telecommunications, Beijing, China"}],"role":[{"role":"author","vocabulary":"crossref"}]},{"ORCID":"https:\/\/orcid.org\/0000-0002-2445-1987","authenticated-orcid":false,"given":"Junsong","family":"Fu","sequence":"additional","affiliation":[{"name":"School of Cyberspace Security, Beijing University of Posts and Telecommunications, Beijing, China"}],"role":[{"role":"author","vocabulary":"crossref"}]},{"ORCID":"https:\/\/orcid.org\/0000-0001-9815-868X","authenticated-orcid":false,"given":"Meiyi","family":"Jiang","sequence":"additional","affiliation":[{"name":"School of Cyberspace Security, Beijing University of Posts and Telecommunications, Beijing, China"}],"role":[{"role":"author","vocabulary":"crossref"}]},{"ORCID":"https:\/\/orcid.org\/0009-0004-9469-0387","authenticated-orcid":false,"given":"Shengjia","family":"Chang","sequence":"additional","affiliation":[{"name":"School of Cyberspace Security, Beijing University of Posts and Telecommunications, Beijing, China"}],"role":[{"role":"author","vocabulary":"crossref"}]}],"member":"263","reference":[{"year":"2015","key":"ref1","article-title":"IMT Vision\u2014Framework and overall objectives of the future development of IMT for 2020 and beyond"},{"year":"2023","key":"ref2","article-title":"Security architecture and procedures for 5G system, version 17.8.0"},{"key":"ref3","doi-asserted-by":"publisher","DOI":"10.1109\/SP.2019.00038"},{"key":"ref4","first-page":"3475","article-title":"Instructions unclear: Undefined behaviour in cellular network specifications","volume-title":"Proc. 32nd USENIX Security Symp. USENIX Security","author":"Klischies"},{"key":"ref5","doi-asserted-by":"publisher","DOI":"10.1109\/SP.2019.00006"},{"key":"ref6","doi-asserted-by":"publisher","DOI":"10.1109\/TIFS.2023.3304840"},{"key":"ref7","doi-asserted-by":"publisher","DOI":"10.1109\/TNET.2023.3313557"},{"volume-title":"5GHoul: Unleashing chaos on 5G edge devices","year":"2024","author":"Garbelini","key":"ref8"},{"key":"ref9","doi-asserted-by":"publisher","DOI":"10.23919\/SPECTS52716.2021.9639276"},{"key":"ref10","doi-asserted-by":"publisher","DOI":"10.1145\/3372224.3380885"},{"key":"ref11","first-page":"1325","article-title":"DolTest: In-depth downlink negative testing framework for LTE devices","volume-title":"Proc. 31st USENIX Security Symp.","author":"Park"},{"key":"ref12","doi-asserted-by":"publisher","DOI":"10.14722\/ndss.2023.24416"},{"volume-title":"Operation triangulation: What you get when attack iPhones of researchers","year":"2024","author":"Larin","key":"ref13"},{"key":"ref14","doi-asserted-by":"publisher","DOI":"10.1145\/3558482.3590196"},{"volume-title":"SJ001A wavejudge wireless analyzer toolset.","year":"2024","key":"ref15"},{"key":"ref16","doi-asserted-by":"publisher","DOI":"10.1109\/SP46215.2023.10179353"},{"volume-title":"Airscope","year":"2024","key":"ref17"},{"key":"ref18","first-page":"1291","article-title":"LTrack: Stealthy tracking of mobile phones in LTE","volume-title":"Proc. 31st USENIX Security Symp.","author":"Kotuliak"},{"year":"2023","key":"ref19","article-title":"Procedures for the 5G system (5GS), version 17.7.0"},{"year":"2023","key":"ref20","article-title":"Numbering, addressing and identification, version 17.10.0"},{"volume-title":"AMF Authentication and GUTI Reallocation Configuration Control","year":"2024","key":"ref21"},{"year":"2023","key":"ref22","article-title":"Non-access-stratum (NAS) protocol for 5G system (5GS); stage 3; version 17.12.0"},{"year":"2023","key":"ref23","article-title":"Non-access-stratum (NAS) protocol for evolved packet system (EPS); Stage 3, version 17.11.0"},{"year":"2023","key":"ref24","article-title":"Evolved universal terrestrial radio access (E-UTRA); radio resource control (RRC); protocol specification, version 17.3.0"},{"year":"2023","key":"ref25","article-title":"NR; radio resource control (RRC); protocol specification, version 17.5.0"},{"key":"ref26","doi-asserted-by":"publisher","DOI":"10.14722\/ndss.2018.23349"},{"volume-title":"Open5Gs","year":"2025","author":"Lee","key":"ref27"},{"volume-title":"srsRAN Project","year":"2025","key":"ref28"},{"volume-title":"Cellular-pro","year":"2025","key":"ref29"},{"volume-title":"SCAT: Signaling collection and analysis tool","year":"2025","key":"ref30"},{"key":"ref31","first-page":"17","article-title":"Seeing the forest for the trees: Understanding security hazards in the 3gpp ecosystem through intelligent analysis on change requests","volume-title":"Proc. 31st USENIX Security Symp.","author":"Chen"},{"year":"2022","key":"ref32","article-title":"Telecommunication management; Performance measurement: Abstract syntax notation 1 (ASN.1) file format definition, version 17.0.0"},{"key":"ref33","doi-asserted-by":"publisher","DOI":"10.1109\/SPIRE.2000.878178"},{"key":"ref34","doi-asserted-by":"publisher","DOI":"10.1007\/BF00264437"},{"volume-title":"USRP B210","year":"2025","key":"ref35"},{"volume-title":"sysmoISIM-SJA2 programmable SIM\/USIM\/ISIM cards","year":"2024","key":"ref36"},{"year":"2017","key":"ref37","article-title":"Technical Specification Group Services and System Aspects; Study on the security aspects of the next generation system (Version 1.3.0, Release 14)"},{"year":"2023","key":"ref38","article-title":"Technical specification group services and system aspects; study on 5G security enhancements against false base stations (FBS) (Release 18, Version 18.1.0)"},{"key":"ref39","doi-asserted-by":"publisher","DOI":"10.1145\/3317549.3319728"},{"key":"ref40","doi-asserted-by":"publisher","DOI":"10.1109\/DSC54232.2022.9888899"},{"key":"ref41","doi-asserted-by":"publisher","DOI":"10.14722\/ndss.2019.23442"},{"key":"ref42","first-page":"1","article-title":"Location leaks on the GSM air interface","volume-title":"Proc. ISOC NDSS","author":"Kune"},{"key":"ref43","doi-asserted-by":"publisher","DOI":"10.1109\/TIFS.2017.2656470"},{"key":"ref44","first-page":"2151","article-title":"Freaky leaky SMS: Extracting user locations by analyzing SMS timings","volume-title":"Proc. 32nd USENIX Security Symp.","author":"Bitsikas"},{"key":"ref45","doi-asserted-by":"publisher","DOI":"10.14722\/ndss.2023.23188"},{"key":"ref46","doi-asserted-by":"publisher","DOI":"10.1109\/TDSC.2023.3322267"},{"key":"ref47","doi-asserted-by":"publisher","DOI":"10.14722\/ndss.2016.23236"},{"key":"ref48","doi-asserted-by":"publisher","DOI":"10.1145\/3495243.3560525"},{"key":"ref49","first-page":"55","article-title":"Hiding in plain signal: Physical signal overshadowing attack on LTE","volume-title":"Proc. 28th USENIX Security Symp.","author":"Yang"},{"key":"ref50","first-page":"3899","article-title":"A stealthy location identification attack exploiting carrier aggregation in cellular networks","volume-title":"Proc. 30th USENIX Security Symp.","author":"Lakshmanan"},{"key":"ref51","doi-asserted-by":"publisher","DOI":"10.1145\/3319535.3354263"},{"key":"ref52","doi-asserted-by":"publisher","DOI":"10.1145\/3460120.3485388"},{"key":"ref53","doi-asserted-by":"publisher","DOI":"10.1145\/3558482.3590194"},{"key":"ref54","first-page":"4481","article-title":"SIMurai: Slicing through the complexity of SIM card security research","volume-title":"Proc. 33rd USENIX Security Symp. (USENIX Security)","author":"Lisowski"},{"key":"ref55","doi-asserted-by":"publisher","DOI":"10.14722\/ndss.2021.24365"},{"key":"ref56","first-page":"3063","article-title":"Logic gone astray: A security analysis framework for the control plane protocols of 5G basebands","volume-title":"Proc. 33rd USENIX Security Symp.","author":"Tu"}],"container-title":["IEEE Transactions on Network and Service Management"],"original-title":[],"link":[{"URL":"http:\/\/xplorestaging.ieee.org\/ielx8\/4275028\/11319294\/11222827.pdf?arnumber=11222827","content-type":"unspecified","content-version":"vor","intended-application":"similarity-checking"}],"deposited":{"date-parts":[[2025,12,31]],"date-time":"2025-12-31T18:44:25Z","timestamp":1767206665000},"score":1,"resource":{"primary":{"URL":"https:\/\/ieeexplore.ieee.org\/document\/11222827\/"}},"subtitle":[],"short-title":[],"issued":{"date-parts":[[2026]]},"references-count":56,"URL":"https:\/\/doi.org\/10.1109\/tnsm.2025.3626804","relation":{},"ISSN":["1932-4537","2373-7379"],"issn-type":[{"type":"electronic","value":"1932-4537"},{"type":"electronic","value":"2373-7379"}],"subject":[],"published":{"date-parts":[[2026]]}}}