Multi-Layer Defence Shields Open RAN’s Real-Time Core

In the rapidly evolving landscape of telecommunications, the shift towards Open Radio Access Networks (Open RAN) is transforming how networks are built and managed. However, this transition also introduces new security challenges, particularly in safeguarding near-real-time (near-RT) control operations. Researchers have recently proposed a multi-layer defence framework designed to address these emerging threats, offering a robust solution to secure the RAN Intelligent Controller (RIC) operations.

The research, led by Hamed Alimohammadi, Samara Mayhoub, Sotiris Chatzimiltis, Mohammad Shojafar, and Muhammad Nasir Mumtaz Bhutta, identifies three primary categories of operational-time threats: message-level, data-level, and control logic-level. Each category requires a dedicated detection and mitigation strategy to ensure comprehensive protection. The proposed framework includes a signature-based E2 message inspection module that performs structural and semantic validation of signalling exchanges, a telemetry poisoning detector that uses temporal anomaly scoring via an LSTM network, and a runtime xApp attestation mechanism based on execution-time hash challenge-response.

The E2 message inspection module is crucial for detecting anomalies in the signalling exchanges that occur between different network components. By validating both the structure and semantics of these messages, the module can identify and mitigate potential threats before they disrupt network operations. This layer of defence ensures that only legitimate and correctly formatted messages are processed, reducing the risk of malicious interference.

The telemetry poisoning detector leverages machine learning techniques to monitor network telemetry data for signs of anomalies. Using an LSTM (Long Short-Term Memory) network, the detector can score temporal anomalies, identifying unusual patterns that may indicate a security breach. This proactive approach allows for the early detection of potential threats, enabling swift mitigation actions to prevent further damage.

The runtime xApp attestation mechanism adds a further layer of security by verifying the integrity of the applications executing within the RIC. Using an execution-time hash challenge-response, the mechanism checks that only trusted and unaltered applications are running, thereby safeguarding the control logic from tampering and malicious activity.
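The following sketch illustrates the general shape of a hash challenge-response attestation. It is an added example, not code from the paper or from FlexRIC. The article does not give the construction, so the response format (SHA-256 over nonce plus code image) and the names `Verifier`, `measure` and `xapp-kpm` are assumptions, and the code bytes are constructed sample data.

```python
import hashlib
import hmac
import secrets


def measure(image, nonce):
    """xApp side: hash a fresh nonce together with the running code image.
    Assumed construction: SHA-256(nonce || image)."""
    return hashlib.sha256(nonce + image).digest()


class Verifier:
    """RIC side: holds reference images and issues single-use challenges."""

    def __init__(self, reference_images):
        self._ref = dict(reference_images)   # xapp_id -> trusted code bytes
        self._pending = {}                   # xapp_id -> outstanding nonce

    def challenge(self, xapp_id):
        nonce = secrets.token_bytes(32)      # unpredictable, so digests cannot be precomputed
        self._pending[xapp_id] = nonce
        return nonce

    def verify(self, xapp_id, response):
        nonce = self._pending.pop(xapp_id, None)   # consume: a nonce is valid once
        if nonce is None or xapp_id not in self._ref:
            return False
        expected = measure(self._ref[xapp_id], nonce)
        return hmac.compare_digest(expected, response)  # constant-time compare


def demo():
    good = b"constructed xApp code bytes v1"       # constructed sample image
    tampered = good + b" with injected control logic"
    v = Verifier({"xapp-kpm": good})

    n = v.challenge("xapp-kpm")
    intact_ok = v.verify("xapp-kpm", measure(good, n))

    n = v.challenge("xapp-kpm")
    tampered_ok = v.verify("xapp-kpm", measure(tampered, n))

    n1 = v.challenge("xapp-kpm")
    old = measure(good, n1)
    v.verify("xapp-kpm", old)
    v.challenge("xapp-kpm")                        # new nonce issued
    replay_ok = v.verify("xapp-kpm", old)          # stale response must fail
    return intact_ok, tampered_ok, replay_ok
```

A purely software hash check of this kind can be answered correctly by a modified xApp that keeps a clean copy of its image, so it detects tampering only under the assumption that the measurement code itself is trusted.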

The researchers evaluated their framework on an O-RAN testbed comprising FlexRIC and a commercial RAN emulator. The results demonstrated effective detection rates, low latency overheads, and practical integration feasibility. The framework was able to operate within the stringent time constraints of near-RT operations while significantly improving protection against runtime attacks. Notably, the proposed safeguards introduced less than 80 milliseconds of overhead for a network supporting 500 User Equipment (UEs), highlighting its efficiency and practicality.

This research lays the foundation for deployable, layered, and policy-driven runtime security architectures for the near-RT RIC control loop in Open RAN. The proposed framework is not only effective in current security scenarios but also extensible, allowing for the integration of future mitigation policies and threat-specific modules. As Open RAN continues to gain traction, the need for robust security measures becomes increasingly critical. This multi-layer defence framework offers a promising solution to address the evolving threats in near-real-time control operations, ensuring the integrity and reliability of modern telecommunications networks.
