RAID: In-Network RA Signaling Storm Detection for 5G Open RAN

Mohamed Rouili, Yang Xiao, Sihang Liu, Raouf Boutaba

TL;DR

RAID tackles RA signaling storms in 5G Open RAN by moving ML-based detection into the data plane, embedding a Random Forest classifier in a P4-programmable Tofino switch to achieve line-rate, deterministic per-flow inference around $3.4~\mu s$ and protection within the CRT window ($8$–$64$ ms). The approach is 3GPP/O-RAN compliant, using a flow-based, identifier-agnostic detection scheme encoded via Planter-inspired RF encoding, with a lightweight controller for deployment. Empirical results show detection accuracy above $94\%$ across loads and significant latency advantages over near-RT RIC/xApp baselines, effectively preserving QoS during signaling storms. This work demonstrates the practicality and scalability of in-network ML for time-sensitive control-plane security in disaggregated O-RAN and paves the way for tracing malicious flows to their sources for active blocking.

Abstract

The disaggregation and virtualization of 5G Open RAN (O-RAN) introduce new vulnerabilities in the control plane that can greatly impact the quality of service (QoS) of latency-sensitive 5G applications and services. One critical issue is Random Access (RA) signaling storms, where a burst of illegitimate or misbehaving user equipments (UEs) sends Radio Resource Control (RRC) connection requests that rapidly saturate a Central Unit's (CU) processing pipeline. Such storms trigger widespread connection failures within the short contention resolution window defined by 3GPP. Existing detection and mitigation approaches based on near-real-time RAN Intelligent Controller (n-RT RIC) applications cannot guarantee a timely reaction to such attacks, as RIC control loops incur tens to hundreds of milliseconds of latency due to the non-deterministic nature of their general-purpose processor (GPP)-based architectures. This paper presents RAID, an in-network RA signaling storm detection and mitigation system that leverages P4-programmable switch ASICs to enable real-time protection from malicious attacks. RAID embeds a lightweight Random Forest (RF) classifier into a programmable Tofino switch, enabling line-rate flow classification with deterministic microsecond-scale inference delay. By performing ML-based detection directly in the data plane, RAID catches and filters malicious RA requests before they reach and overwhelm the RRC. RAID achieves above 94% detection accuracy with a fixed per-flow inference delay on the order of 3.4 microseconds, effectively meeting strict O-RAN control-plane deadlines. These improvements are sustained across multiple traffic loads, making RAID a fast and scalable solution for the detection and mitigation of signaling storms in 5G O-RAN.
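
The sketch below is an added example, not code from the paper: it shows one common way to turn a Random Forest into lookup tables of the kind a match-action pipeline can hold (a range lookup per feature, an exact-match lookup per tree, then a majority vote), which is the general idea behind running RF inference in the data plane. The forest, its thresholds, and the two per-flow features are constructed assumptions; the page does not give RAID's actual features or table layout.

```python
from bisect import bisect_left
from itertools import product

# Constructed toy forest (not from the paper). Node = (feature, threshold, left, right);
# a leaf is the label: 0 = benign, 1 = storm. Rule: value <= threshold goes left.
# Assumed per-flow features: 0 = RA requests in window, 1 = mean inter-arrival (us).
FOREST = [
    (0, 40, 0, (1, 200, 1, 0)),
    (1, 150, (0, 20, 0, 1), 0),
    (0, 60, (1, 100, 1, 0), 1),
]
N_FEATURES = 2

def walk(tree, x):
    """Reference inference: ordinary tree traversal."""
    while isinstance(tree, tuple):
        f, t, left, right = tree
        tree = left if x[f] <= t else right
    return tree

def thresholds(tree, f, acc=None):
    """Sorted thresholds this tree tests on feature f."""
    acc = set() if acc is None else acc
    if isinstance(tree, tuple):
        if tree[0] == f:
            acc.add(tree[1])
        thresholds(tree[2], f, acc)
        thresholds(tree[3], f, acc)
    return sorted(acc)

def compile_tree(tree):
    """One tree -> (per-feature cut lists, {interval codes: leaf label})."""
    cuts = [thresholds(tree, f) for f in range(N_FEATURES)]
    table = {}
    for codes in product(*(range(len(c) + 1) for c in cuts)):
        # Representative value per interval: the cut itself, or just above the last cut.
        rep = [c[k] if k < len(c) else (c[-1] + 1 if c else 0) for c, k in zip(cuts, codes)]
        table[codes] = walk(tree, rep)
    return cuts, table

def classify(compiled, x):
    """Table-driven inference: lookups only, then a majority vote across trees."""
    votes = 0
    for cuts, table in compiled:
        codes = tuple(bisect_left(c, v) for c, v in zip(cuts, x))
        votes += table[codes]
    return int(2 * votes > len(compiled))

COMPILED = [compile_tree(t) for t in FOREST]
```

Because every flow costs the same fixed number of lookups regardless of its feature values, inference time is constant per flow, which is what makes a deterministic delay possible.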

Paper Structure

This paper contains 13 sections, 3 equations, 7 figures.

Figures (7)

  • Figure 1: Random Access UE procedure in 5G O-RAN
  • Figure 2: Open Radio Access Network architecture
  • Figure 3: RIC control-loop tail latency
  • Figure 4: RAID's Architecture
  • Figure 5: RAID classification accuracy
  • ...and 2 more figures