Logo
ScienceStack
Table of Contents
Fetching ...
Sign In

Towards a Multi-Layer Defence Framework for Securing Near-Real-Time Operations in Open RAN

Hamed Alimohammadi, Samara Mayhoub, Sotiris Chatzimiltis, Mohammad Shojafar, Muhammad Nasir Mumtaz Bhutta

TL;DR

This work tackles runtime security for near-real-time RIC in Open RAN by introducing a modular, threat-guided defence framework. It implements three complementary components—a signature-based E2 message inspector, an LSTM-based KPM poisoning detector, and a runtime xApp attestation engine—with policy-driven mitigation. Evaluations on an O-RAN testbed (FlexRIC and RAN emulator) demonstrate high detection accuracy and low latency overhead, keeping near-RT timing within constraints even at higher UE counts. The framework offers a practical, extensible foundation for layered runtime security across the near-RT RIC control loop and outlines directions for broader applicability and enhanced protection.

Abstract

Securing the near-real-time (near-RT) control operations in Open Radio Access Networks (Open RAN) is increasingly critical, yet remains insufficiently addressed, as new runtime threats target the control loop while the system is operational. In this paper, we propose a multi-layer defence framework designed to enhance the security of near-RT RAN Intelligent Controller (RIC) operations. We classify operational-time threats into three categories, message-level, data-level, and control logic-level, and design and implement a dedicated detection and mitigation component for each: a signature-based E2 message inspection module performing structural and semantic validation of signalling exchanges, a telemetry poisoning detector based on temporal anomaly scoring using an LSTM network, and a runtime xApp attestation mechanism based on execution-time hash challenge-response. The framework is evaluated on an O-RAN testbed comprising FlexRIC and a commercial RAN emulator, demonstrating effective detection rates, low latency overheads, and practical integration feasibility. Results indicate that the proposed safeguards can operate within near-RT time constraints while significantly improving protection against runtime attacks, introducing less than 80 ms overhead for a network with 500 User Equipment (UEs). Overall, this work lays the foundation for deployable, layered, and policy-driven runtime security architectures for the near-RT RIC control loop in Open RAN, and provides an extensible framework into which future mitigation policies and threat-specific modules can be integrated.

Towards a Multi-Layer Defence Framework for Securing Near-Real-Time Operations in Open RAN

TL;DR

This work tackles runtime security for near-real-time RIC in Open RAN by introducing a modular, threat-guided defence framework. It implements three complementary components—a signature-based E2 message inspector, an LSTM-based KPM poisoning detector, and a runtime xApp attestation engine—with policy-driven mitigation. Evaluations on an O-RAN testbed (FlexRIC and RAN emulator) demonstrate high detection accuracy and low latency overhead, keeping near-RT timing within constraints even at higher UE counts. The framework offers a practical, extensible foundation for layered runtime security across the near-RT RIC control loop and outlines directions for broader applicability and enhanced protection.

Abstract

Securing the near-real-time (near-RT) control operations in Open Radio Access Networks (Open RAN) is increasingly critical, yet remains insufficiently addressed, as new runtime threats target the control loop while the system is operational. In this paper, we propose a multi-layer defence framework designed to enhance the security of near-RT RAN Intelligent Controller (RIC) operations. We classify operational-time threats into three categories, message-level, data-level, and control logic-level, and design and implement a dedicated detection and mitigation component for each: a signature-based E2 message inspection module performing structural and semantic validation of signalling exchanges, a telemetry poisoning detector based on temporal anomaly scoring using an LSTM network, and a runtime xApp attestation mechanism based on execution-time hash challenge-response. The framework is evaluated on an O-RAN testbed comprising FlexRIC and a commercial RAN emulator, demonstrating effective detection rates, low latency overheads, and practical integration feasibility. Results indicate that the proposed safeguards can operate within near-RT time constraints while significantly improving protection against runtime attacks, introducing less than 80 ms overhead for a network with 500 User Equipment (UEs). Overall, this work lays the foundation for deployable, layered, and policy-driven runtime security architectures for the near-RT RIC control loop in Open RAN, and provides an extensible framework into which future mitigation policies and threat-specific modules can be integrated.

Paper Structure

This paper contains 21 sections, 7 figures, 7 tables.

Table of Contents

  1. Introduction
  2. Related Works
  3. System Architecture
  4. Threat Categorisation Framework and Implementation Mapping
  5. Architectural Overview and Deployment Strategy
  6. Integrated Runtime Defence Components
  7. Signature-Based E2 Message Inspection
  8. KPM Poisoning Detection
  9. Runtime xApp Attestation
  10. Implementation Details and Experimental Results
  11. E2 Message Inspector
  12. KPM Poisoning Detection
  13. Runtime xApp Attestation
  14. Test Use Case: Putting It All Together
  15. Discussion and Future Directions
  16. ...and 6 more sections

Figures (7)

  • Figure 1: Architecture of the proposed runtime security framework for the near-RT RIC.
  • Figure 2: E2 message inspection and associated mitigation.
  • Figure 3: KPM poisoning detection and mitigation.
  • Figure 4: xApp attestation and integrity violation mitigation
  • Figure 5: RIC Indication message inspection latency
  • ...and 2 more figures