MobiLLM: An Agentic AI Framework for Closed-Loop Threat Mitigation in 6G Open RANs
Prakhar Sharma, Haohuang Wen, Vinod Yegneswaran, Ashish Gehani, Phillip Porras, Zhiqiang Lin
TL;DR
The paper addresses the lack of closed-loop, automated threat mitigation in 6G O-RAN by introducing MobiLLM, a knowledge-grounded, multi-agent AI framework. It combines Threat Analysis, Threat Classification anchored to MITRE FiGHT via Retrieval-Augmented Generation, and a two-layer Response Planning/Execution pipeline that uses safe, predefined network APIs with human oversight. Key contributions include the first end-to-end agentic architecture for cellular threat analysis, planning, and response; evaluation across five real-world 6G threat scenarios; and a discussion of guardrails and safety to prevent hallucinations or unsafe actions. Findings show strong FiGHT retrieval (Top-3 accuracy ~94%) but mixed remediation action success (~64%), underscoring the need for telecom-specific fine-tuning; the work demonstrates the feasibility of autonomous security operations in 6G and provides a blueprint for trustworthy AI-driven network defenses.
Abstract
The evolution toward 6G networks is being accelerated by the Open Radio Access Network (O-RAN) paradigm -- an open, interoperable architecture that enables intelligent, modular applications across public telecom and private enterprise domains. While this openness creates unprecedented opportunities for innovation, it also expands the attack surface, demanding resilient, low-cost, and autonomous security solutions. Legacy defenses remain largely reactive, labor-intensive, and inadequate for the scale and complexity of next-generation systems. Current O-RAN applications focus mainly on network optimization or passive threat detection, with limited capability for closed-loop, automated response. To address this critical gap, we present an agentic AI framework for fully automated, end-to-end threat mitigation in 6G O-RAN environments. MobiLLM orchestrates security workflows through a modular multi-agent system powered by Large Language Models (LLMs). The framework features a Threat Analysis Agent for real-time data triage, a Threat Classification Agent that uses Retrieval-Augmented Generation (RAG) to map anomalies to specific countermeasures, and a Threat Response Agent that safely operationalizes mitigation actions via O-RAN control interfaces. Grounded in trusted knowledge bases such as the MITRE FiGHT framework and 3GPP specifications, and equipped with robust safety guardrails, MobiLLM provides a blueprint for trustworthy AI-driven network security. Initial evaluations demonstrate that MobiLLM can effectively identify and orchestrate complex mitigation strategies, significantly reducing response latency and showcasing the feasibility of autonomous security operations in 6G.