TIMESAFE: Timing Interruption Monitoring and Security Assessment for Fronthaul Environments

Joshua Groen, Simone Di Valerio, Imtiaz Karim, Davide Villa, Yiewi Zhang, Leonardo Bonati, Michele Polese, Salvatore D'Oro, Tommaso Melodia, Elisa Bertino, Francesca Cuomo, Kaushik Chowdhury

TL;DR

This work addresses the critical risk of timing interruption in open fronthaul networks by demonstrating that PTP-based synchronization can be catastrophically disrupted through spoofing and replay attacks in production-grade O-RAN setups. It introduces TIMESAFE, a transformer- and CNN-enabled ML-based detection pipeline that operates on traffic patterns to identify malicious timing activity in real time, outperforming heuristic approaches and achieving up to >99% detection accuracy in production scenarios. The authors validate the approach through a production-ready private 5G testbed and a Digital Twin, revealing substantial outage risks and providing a practical, open-source framework for attack analysis, detection model training, and dataset sharing. The study highlights the need for adaptive security in disaggregated fronthaul, suggesting that combining detection with preventive measures (e.g., authentication and redundancy) offers cost-effective resilience for 5G and beyond.

Abstract

5G and beyond cellular systems embrace the disaggregation of Radio Access Network (RAN) components, exemplified by the evolution of the fronthaul (FH) connection between cellular baseband and radio unit equipment. Crucially, synchronization over the FH is pivotal for reliable 5G services. In recent years, there has been a push to move these links to an Ethernet-based packet network topology, leveraging existing standards and ongoing research for Time-Sensitive Networking (TSN). However, TSN standards, such as Precision Time Protocol (PTP), focus on performance with little to no concern for security. This increases the exposure of the open FH to security risks. Attacks targeting synchronization mechanisms pose significant threats, potentially disrupting 5G networks and impairing connectivity. In this paper, we demonstrate the impact of successful spoofing and replay attacks against PTP synchronization. We show how a spoofing attack is able to cause a production-ready O-RAN and 5G-compliant private cellular base station to catastrophically fail within 2 seconds of the attack, necessitating manual intervention to restore full network operations. To counter this, we design a Machine Learning (ML)-based monitoring solution capable of detecting various malicious attacks with over 97.5% accuracy.

Paper Structure

This paper contains 40 sections, 19 figures, 3 tables.

Figures (19)

  • Figure 1: The Open Fronthaul employs PTP to synchronize the master clock with distributed base station components over a switched network. In this scenario, an attacker compromises a device on the network and, at time A, initiates a Spoofing Attack. This leads to gradual synchronization drift (B), first degrading performance (C) and then causing the base station to crash at time D.
  • Figure 2: The fronthaul connects the Distributed Unit (DU) to the Radio Unit (RU). There are four Synchronization Plane topologies based on the location of the clock source and switched network. Any topology where the timing information of a single clock has to be synchronized via a packet-switched network (e.g., LLS-C2 and LLS-C3) is especially vulnerable to attacks because the switched network is used to transport the timing messages.
  • Figure 3: The black (solid/dotted) lines represent normal traffic, while the red (dashed) on the left side illustrates the flow of messages during a Spoofing Attack, where an attacker manipulates the to become the master. The red (dashed) on the right side illustrates the flow of messages during a Replay Attack, showing the re-transmission of Sync and FollowUp messages.
  • Figure 4: Downlink throughput to a during a spoofing attack with the switch port set to master. Approximately 60 seconds into the experiment, the spoofing attack is initiated. Around second 440 there is a 50% drop in throughput, progressing to a 75% drop by second 510, and ultimately causing the base station to crash at around second 580.
  • Figure 5: Downlink throughput to a during a spoofing attack with switch ports set to dynamic role. Throughput remains stable at around 350 Mbps initially. About 40 seconds in, the spoofing attack begins, causing the 5G cell to drop and the to lose connectivity.
  • ...and 14 more figures
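
A minimal heuristic monitor for the two message flows described in Figure 3, given here as an added example (it is not TIMESAFE's ML pipeline or the authors' code): it flags Announce messages from a sender outside an allowlist and Sync/Follow_Up messages whose sequenceId repeats. The `PtpMonitor` class, the port identities and the sample trace are constructed for illustration; field offsets follow the IEEE 1588 PTPv2 common header.

```python
import struct

# PTPv2 common-header messageType values (low nibble of byte 0)
SYNC, FOLLOW_UP, ANNOUNCE = 0x0, 0x8, 0xB
HEADER_LEN = 34
GM = "001122fffe3344550001"      # constructed grandmaster port identity
ROGUE = "02aabbfffeccddee0001"   # constructed sender not on the allowlist

def parse_header(payload):
    """Return (messageType, sourcePortIdentity as hex, sequenceId)."""
    if len(payload) < HEADER_LEN or payload[1] & 0x0F != 2:
        raise ValueError("not a complete PTPv2 header")
    source = payload[20:30].hex()   # clockIdentity (8 B) + portNumber (2 B)
    (seq,) = struct.unpack_from("!H", payload, 30)
    return payload[0] & 0x0F, source, seq

class PtpMonitor:
    """Heuristics: Announce from an unlisted sender, repeated Sync/Follow_Up."""
    def __init__(self, trusted_masters, window=64):
        self.trusted, self.window = set(trusted_masters), window
        self.recent = {}            # (source, type) -> recent sequenceIds

    def observe(self, payload):
        msg_type, source, seq = parse_header(payload)
        alerts = []
        if msg_type == ANNOUNCE and source not in self.trusted:
            alerts.append(f"announce-from-untrusted:{source}")
        if msg_type in (SYNC, FOLLOW_UP):
            seen = self.recent.setdefault((source, msg_type), [])
            if seq in seen:
                alerts.append(f"repeated-sequence:{source}:{msg_type}:{seq}")
            else:
                seen.append(seq)
                del seen[:-self.window]   # bounded history; sequenceId wraps
        return alerts

def make_header(msg_type, source_hex, seq):
    """Build a constructed 34-byte PTPv2 header (message body omitted)."""
    hdr = bytearray(HEADER_LEN)
    hdr[0], hdr[1] = msg_type, 2
    hdr[20:30] = bytes.fromhex(source_hex)
    struct.pack_into("!H", hdr, 30, seq)
    return bytes(hdr)

def demo():
    """Run a constructed trace: normal Sync/Follow_Up, rogue Announce, replayed Sync."""
    mon = PtpMonitor({GM})
    trace = [(SYNC, GM, 10), (FOLLOW_UP, GM, 10), (ANNOUNCE, ROGUE, 1), (SYNC, GM, 10)]
    return [a for m in trace for a in mon.observe(make_header(*m))]

if __name__ == "__main__":
    print(demo())
```

PTP identity fields are unauthenticated, so rule-based checks like these are only a baseline alongside the traffic-pattern models the paper describes.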