To address security threats—including eavesdropping, data hijacking, and service disruption—posed by fake base stations (FBS) and their induced multi-step attacks (MSA) in cellular networks, this paper proposes FBSDetector, a lightweight edge-side detection system. FBSDetector operates solely on UE-side L3 network flow data and introduces a multi-granularity detection framework integrating stateful attention-based LSTM (packet-level) and graph neural networks (trace-level). We release FBSAD/MSAD, the first large-scale real-world dataset for FBS and MSA detection, and deploy the first ML-driven, real-time FBS+MSA joint detection system within a commercial smartphone application. Experimental results demonstrate an FBS detection accuracy of 96.0% (2.96% false positive rate) and MSA identification accuracy of 86.0% (3.28% false positive rate), significantly outperforming existing heuristic approaches.

Fake base stations (FBSes) pose a significant security threat by impersonating legitimate base stations (BSes). Though efforts have been made to defeat this threat, up to this day, the presence of FBSes and the multi-step attacks (MSAs) stemming from them can lead to unauthorized surveillance, interception of sensitive information, and disruption of network services. Therefore, detecting these malicious entities is crucial to ensure the security and reliability of cellular networks. Traditional detection methods often rely on additional hardware, rules, signal scanning, changing protocol specifications, or cryptographic mechanisms that have limitations and incur huge infrastructure costs. In this paper, we develop FBSDetector-an effective and efficient detection solution that can reliably detect FBSes and MSAs from layer-3 network traces using machine learning (ML) at the user equipment (UE) side. To develop FBSDetector, we create FBSAD and MSAD, the first-ever high-quality and large-scale datasets incorporating instances of FBSes and 21 MSAs. These datasets capture the network traces in different real-world cellular network scenarios (including mobility and different attacker capabilities) incorporating legitimate BSes and FBSes. Our novel ML framework, specifically designed to detect FBSes in a multi-level approach for packet classification using stateful LSTM with attention and trace level classification and MSAs using graph learning, can effectively detect FBSes with an accuracy of 96% and a false positive rate of 2.96%, and recognize MSAs with an accuracy of 86% and a false positive rate of 3.28%. We deploy FBSDetector as a real-world solution to protect end-users through a mobile app and validate it in real-world environments. Compared to the existing heuristic-based solutions that fail to detect FBSes, FBSDetector can detect FBSes in the wild in real-time.