From Description to Detection: LLM based Extendable O-RAN Compliant Blind DoS Detection in 5G and Beyond

Thusitha Dayaratne, Ngoc Duy Pham, Viet Vo, Shangqi Lai, Sharif Abuadbba, Hajime Suzuki, Xingliang Yuan, Carsten Rudolph

TL;DR

This work tackles the detection of Blind Denial of Service attacks in 5G/RRC-NAS control-plane communications by deploying a zero-shot Large Language Model (LLM) based detector within the O-RAN framework. It processes unordered RRC/NAS messages by converting them into natural-language prompts that include concise attack descriptions, enabling near-real-time classification without labeled training data. The study shows that semantic completeness of the attack description drives detection quality, with robust results when a previous message sharing the same TMSI is provided, and demonstrates practical viability within Near-RT RIC timing constraints. The framework is extensible to other Layer-3 attacks, and the authors discuss dynamic prompt construction and threat-intelligence driven updates to maintain adaptability in evolving network security landscapes.

Abstract

The quality and experience of mobile communication have significantly improved with the introduction of 5G, and these improvements are expected to continue beyond the 5G era. However, vulnerabilities in control-plane protocols, such as Radio Resource Control (RRC) and Non-Access Stratum (NAS), pose significant security threats, such as Blind Denial of Service (DoS) attacks. Despite the availability of existing anomaly detection methods that leverage rule-based systems or traditional machine learning methods, these methods have several limitations, including the need for extensive training data, predefined rules, and limited explainability. Addressing these challenges, we propose a novel anomaly detection framework that leverages the capabilities of Large Language Models (LLMs) in zero-shot mode with unordered data and short natural language attack descriptions within the Open Radio Access Network (O-RAN) architecture. We analyse robustness to prompt variation, demonstrate the practicality of automating the attack descriptions and show that detection quality relies on the semantic completeness of the description rather than its phrasing or length. We utilise an RRC/NAS dataset to evaluate the solution and provide an extensive comparison of open-source and proprietary LLM implementations to demonstrate superior performance in attack detection. We further validate the practicality of our framework within O-RAN's real-time constraints, illustrating its potential for detecting other Layer-3 attacks.
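An added sketch (not the paper's code) of the prompt-construction step summarised above: unordered RRC/NAS records are rendered as NLP-friendly sentences, each paired with the most recent earlier message sharing its TMSI, and wrapped with a short attack description. The record fields, prompt wording, output labels and the description placeholder are assumptions, since the page does not give them.

```python
# Placeholder: the page does not reproduce the description text; supply your own.
ATTACK_DESCRIPTION = "<short natural-language description of the attack to detect>"

# Constructed sample capture, deliberately out of time order.
SAMPLE = [
    {"ts": 3.0, "layer": "RRC", "type": "RRCSetupRequest", "tmsi": "0x1A2B3C4D"},
    {"ts": 1.0, "layer": "RRC", "type": "RRCSetupRequest", "tmsi": "0x1A2B3C4D"},
    {"ts": 2.0, "layer": "NAS", "type": "RegistrationRequest", "tmsi": "0x99887766"},
]

def nlp_friendly(msg):
    """Render one record as a sentence rather than raw key/value fields."""
    return (f"At time {msg['ts']}, a {msg['layer']} message of type "
            f"{msg['type']} was seen for TMSI {msg['tmsi']}.")

def previous_same_tmsi(msg, history):
    """Latest earlier message with the same TMSI, or None; history may be unordered."""
    earlier = [m for m in history
               if m["tmsi"] == msg["tmsi"] and m["ts"] < msg["ts"]]
    return max(earlier, key=lambda m: m["ts"], default=None)

def build_prompt(window, history, description=ATTACK_DESCRIPTION):
    """Assemble a zero-shot prompt for the messages in `window`."""
    lines = ["Attack description: " + description, "", "Messages under inspection:"]
    for msg in window:
        lines.append("- " + nlp_friendly(msg))
        prev = previous_same_tmsi(msg, history)
        if prev is None:
            lines.append("  No earlier message with this TMSI is known.")
        else:
            lines.append("  Previous message with the same TMSI: " + nlp_friendly(prev))
    lines += ["", "Answer with exactly one word: ATTACK or BENIGN."]
    return "\n".join(lines)

def parse_verdict(reply):
    """Map the model reply to a label; anything else becomes UNKNOWN for review."""
    word = reply.strip().upper().rstrip(".")
    return word if word in ("ATTACK", "BENIGN") else "UNKNOWN"

if __name__ == "__main__":
    # Window size = 1: classify the newest message with its same-TMSI context.
    print(build_prompt([SAMPLE[0]], SAMPLE))
```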

Paper Structure

This paper contains 39 sections, 2 equations, 9 figures, 8 tables.

Figures (9)

  • Figure 1: High-level initial access procedure in 5G SA
  • Figure 2: High-level overview of the Blind DoS attack
  • Figure 3: High-level overview of the framework
  • Figure 4: Comparison of the impact of NLP friendliness (Raw data vs NLP-friendly formatted data) with Llama-3.1-8B-Instruct and GPT4o (Window size = 1)
  • Figure 5: Detection performance with Zero-shot approach with and without previous message over different window sizes (Llama-3.1-8B-Instruct)
  • ...and 4 more figures