Table of Contents
Fetching ...

KPI Poisoning: An Attack in Open RAN Near Real-Time Control Loop

Hamed Alimohammadi, Sotiris Chatzimiltis, Samara Mayhoub, Mohammad Shojafar, Seyed Ahmad Soleymani, Ayhan Akbas, Chuan Heng Foh

TL;DR

This work addresses KPI poisoning threats in Open RAN by targeting Near-Real-Time RIC control loops through falsified KPI reports via the E2 interface or compromised E2 nodes. It proposes an LSTM-based anomaly-detection framework with a KPI report extraction workflow to tag poisoned data before policy enforcement by xApps. The study analyzes impact across six Near-RT RIC use cases, showing significant potential damage to traffic steering, QoS, SLA, MIMO, QoE, and energy saving, and demonstrates detection performance with DR between 62% and 99% and latency around 40–50 ms in emulated experiments. The findings advance secure Near-RT RIC operations and highlight directions for broader scenario coverage and stronger mitigation strategies.

Abstract

Open Radio Access Network (Open RAN) is a new paradigm to provide fundamental features for supporting next-generation mobile networks. Disaggregation, virtualisation, closed-loop data-driven control, and open interfaces bring flexibility and interoperability to the network deployment. However, these features also create a new surface for security threats. In this paper, we introduce Key Performance Indicators (KPIs) poisoning attack in Near Real-Time control loops as a new form of threat that can have significant effects on the Open RAN functionality. This threat can arise from traffic spoofing on the E2 interface or compromised E2 nodes. The role of KPIs is explored in the use cases of Near Real-Time control loops. Then, the potential impacts of the attack are analysed. An ML-based approach is proposed to detect poisoned KPI values before using them in control loops. Emulations are conducted to generate KPI reports and inject anomalies into the values. A Long Short-Term Memory (LSTM) neural network model is used to detect anomalies. The results show that more amplified injected values are more accessible to detect, and using more report sequences leads to better performance in anomaly detection, with detection rates improving from 62% to 99%.

KPI Poisoning: An Attack in Open RAN Near Real-Time Control Loop

TL;DR

This work addresses KPI poisoning threats in Open RAN by targeting Near-Real-Time RIC control loops through falsified KPI reports via the E2 interface or compromised E2 nodes. It proposes an LSTM-based anomaly-detection framework with a KPI report extraction workflow to tag poisoned data before policy enforcement by xApps. The study analyzes impact across six Near-RT RIC use cases, showing significant potential damage to traffic steering, QoS, SLA, MIMO, QoE, and energy saving, and demonstrates detection performance with DR between 62% and 99% and latency around 40–50 ms in emulated experiments. The findings advance secure Near-RT RIC operations and highlight directions for broader scenario coverage and stronger mitigation strategies.

Abstract

Open Radio Access Network (Open RAN) is a new paradigm to provide fundamental features for supporting next-generation mobile networks. Disaggregation, virtualisation, closed-loop data-driven control, and open interfaces bring flexibility and interoperability to the network deployment. However, these features also create a new surface for security threats. In this paper, we introduce Key Performance Indicators (KPIs) poisoning attack in Near Real-Time control loops as a new form of threat that can have significant effects on the Open RAN functionality. This threat can arise from traffic spoofing on the E2 interface or compromised E2 nodes. The role of KPIs is explored in the use cases of Near Real-Time control loops. Then, the potential impacts of the attack are analysed. An ML-based approach is proposed to detect poisoned KPI values before using them in control loops. Emulations are conducted to generate KPI reports and inject anomalies into the values. A Long Short-Term Memory (LSTM) neural network model is used to detect anomalies. The results show that more amplified injected values are more accessible to detect, and using more report sequences leads to better performance in anomaly detection, with detection rates improving from 62% to 99%.
Paper Structure (11 sections, 11 figures, 2 tables)

This paper contains 11 sections, 11 figures, 2 tables.

Figures (11)

  • Figure 1: Open RAN overall architecture.
  • Figure 2: Detection/Mitigation architecture.
  • Figure 3: DR as a function of sequence length for different amplification factors.
  • Figure 4: FPR(%) as a function of sequence length for different amplification factors.
  • Figure 5: FNR(%) as a function of sequence length for different amplification factors.
  • ...and 6 more figures