Towards Secure Intelligent O-RAN Architecture:
Vulnerabilities, Threats and Promising Technical
Solutions using LLMs
Mojdeh Karbalaee Motalleb†, Chafika Benzaïd∗, Tarik Taleb∗+, Marcos Katz∗, Vahid Shah-Mansouri†, JaeSeung Song+
† School of ECE, University of Tehran, Tehran, Iran
∗ School of CWC, University of Oulu, Oulu, Finland
+ Department of Computer and Information Security, Sejong University
Email: {mojdeh.karbalaee, vmansouri}@ut.ac.ir, {chafika.benzaid, tarik.taleb, marcos.katz}@oulu.fi, {jssong}@sejong.ac.kr
arXiv:2411.08640v1 [cs.CR] 13 Nov 2024
Abstract—The evolution of wireless communication systems will be fundamentally impacted by an open radio access network (O-RAN), a new concept defining an intelligent architecture with enhanced flexibility, openness, and the ability to slice services more efficiently. For all its promises, and like any technological advancement, O-RAN is not without risks that need to be carefully assessed and properly addressed to accelerate its wide adoption in future mobile networks. In this paper, we present an in-depth security analysis of the O-RAN architecture, discussing the potential threats that may arise in the different O-RAN architecture layers and their impact on the Confidentiality, Integrity, and Availability (CIA) triad. We also promote the potential of zero trust, Moving Target Defense (MTD), blockchain, and large language models (LLM) technologies in fortifying O-RAN’s security posture. Furthermore, we numerically demonstrate the effectiveness of MTD in empowering robust deep reinforcement learning methods for dynamic network slice admission control in the O-RAN architecture. Moreover, we examine the effect of explainable AI (XAI) based on LLMs in securing the system.
Index Terms—Open Radio Access Network, O-RAN Security, Zero Trust, Blockchain, Moving Target Defense (MTD), and Large language models (LLM).
I. INTRODUCTION
Wireless systems are becoming more capable but more complex in the next generation of cellular networks. Unlike previous generations, the next generation will be flexible, agile, modular, supporting heterogeneity in services, multiple technologies, and rapid deployment [1]. Radio access networks (RAN) performance is expected to be significantly improved with O-RAN, which combines and evolves the cloud RAN (C-RAN) and virtual RAN (vRAN) to enable an open and flexible RAN. In the O-RAN architecture, the components of RANs are virtualized and decoupled, using compatible open interfaces developed for their interconnection. Moreover, the O-RAN architecture utilizes artificial intelligence and machine learning (AI/ML) techniques to develop intelligent RAN layers, which enables intelligent, data-driven closed-loop control for the RAN [2]. These features bring many benefits to the system, including reduced capital expenditures (CAPEX) and operating expenses (OPEX), increased agility and flexibility, and enhanced visibility and security.
For all its promises, and like any technological advancement, O-RAN is not without risks that need to be assessed and properly addressed to accelerate its wide adoption in future mobile networks. Indeed, recent studies have shown that the O-RAN architecture is opening the door to a new breed of security challenges brought by the new components and open interfaces defined, the use of open-source software, the disaggregation between hardware and software, and the reliance on cloud-native and AI technologies, among others [3]. Thus, a review of the security aspects needs to be carried out, considering the potential risks and vulnerabilities, as well as the concrete solutions to apply. Such an investigation is essential to strengthen the security posture of O-RAN at its early stage of development.
This paper explores security threats across layers of the intelligent O-RAN architecture and proposes key technologies to mitigate them, highlighting the need for proactive measures in securing next-generation networks [2]. Unlike prior studies, our research focuses on diverse vulnerabilities in O-RAN, offering an innovative solution for securing the near-Real-Time RAN Intelligent Controller (near-RT RIC) and non-Real-Time RAN Intelligent Controller (non-RT RIC) that integrate AI/ML methods for system automation, safeguarding AI/ML models against various potential threats [1], [4]. Moreover, the near-RT RIC and non-RT RIC include third-party applications which can use AI/ML techniques for resource allocation.
In addition to traditional security mechanisms, we also propose the novel use of Large Language Models (LLMs) to enhance the system’s security. In particular, the LLM system can analyze data and articulate the situation in human-readable language to assist in detecting vulnerabilities within the system. The LLM model can use explainable AI (XAI) to analyze the data pattern, detect any significant changes over time, and warn of the vulnerabilities.
Research contributions of this paper are listed as follows:
• An in-depth analysis of vulnerabilities and threats in the O-RAN architecture arising from the introduction of new technologies and common 5G RAN security issues.
• The proposal of three countermeasure approaches utilizing the zero trust concept, blockchain technology,
and the LLM & MTD paradigm.
• Case studies and proof-of-concept demonstrations of MTD-based robust ML in O-RAN and LLM-based robust AI/ML in O-RAN, illustrating the effectiveness of MTD in enhancing the robustness of deep reinforcement learning models.
The remainder of this paper is as follows: Section II provides an overview of the O-RAN architecture, focusing on its key components: RAN, cloud, and management layers, along with ML and network slicing. Section III examines vulnerabilities and threats in the O-RAN architecture, analyzing their impact on confidentiality, integrity, and availability (CIA). Section IV explores emerging technologies such as zero-trust (ZT), blockchain, moving target defense (MTD), and LLMs to enhance O-RAN security. In Section V, we propose a novel MTD-based solution demonstrating its effectiveness in securing deep reinforcement learning (DRL) against adversarial attacks in the Near-RT RIC. Additionally, we discuss the application of LLM-based explainable AI (XAI) for detecting AI/ML attacks in O-RAN. Finally, conclusions are drawn in Section VI.
II. O-RAN BACKGROUND
The O-RAN Alliance¹ has developed a novel RAN architecture to facilitate an open, intelligent, virtualized, and interoperable RAN, essential for cost-effective, next-generation wireless networks. This architecture integrates the advantages of C-RAN and vRAN, leveraging cloudification, centralization, and hardware-software decoupling to address vendor lock-in and proprietary issues via standard interfaces. O-RAN developed a multi-vendor ecosystem and embedded AI/ML for improved network intelligence.
The O-RAN architecture includes three components in the baseband side: the Radio Unit (O-RU), Distributed Unit (O-DU), and Central Unit (O-CU). The O-RU contains the radio frequency (RF) and low physical (PHY) layers, while O-DU provides the functionalities of the high PHY, Medium Access Control (MAC), and Radio Link Control (RLC) layers. The open fronthaul (Open-FH) is the interface between the O-RU and the O-DU. The Open-FH interface includes a control user synchronization plane (CUS-plane) and a management plane (M-plane). The O-CU is divided into two logical nodes: the user plane (O-CU-UP) and the control plane (O-CU-CP). The O-CU-UP encompasses the service data adaptation protocol (SDAP), and the user plane part of the packet data convergence protocol (PDCP). The O-CU-CP hosts the radio resource control (RRC) layer, and the control plane of the PDCP protocol. Fig. 1(a) illustrates O-RAN’s architecture.
Fig. 1: (a) The O-RAN high-level architecture with components and interfaces, (b) The O-Cloud architecture, which is a set of computing resources and virtualization infrastructure.
The O-RAN architecture also includes a management part which comprises Service management and Orchestration (SMO), Near Real-Time RAN Intelligent Controllers (RICs), and O-Clouds blocks. SMO includes functions such as Non-Real-Time RIC. Generally, the near-RT and non-RT RIC are responsible for AI/ML methods and making the system more intelligent. AI/ML technologies play a crucial role in the resource allocation within RAN systems. In the O-RAN system, near-RT RICs are functions that provide near real-time control and optimization of network resources through the E2 interface. This includes xApplications (xApps), which are third-party applications that run by leveraging the modules and capabilities of a system for functionalities such as resource allocation.
The O-Cloud platform, known as a cloud computing platform, hosts O-RAN architecture components depicted in Fig. 1(b) [5]. The RAN network functions can be deployed as virtualized network functions (VNFs) on virtual machines (VMs) or as cloud-native network functions (CNFs) in containers. The O-Cloud platform supports these options with its virtualization layer, which includes operating systems, hypervisors, and container engines. Additionally, the O-RAN ecosystem supports and interfaces with bare-metal, hardware-based RAN functions. The SMO system connects to the O-Cloud via the O2 interface, enabling efficient resource and workload management [6].
In the following, we provide a concise overview of the key techniques and features employed within the O-RAN system, enhancing its flexibility and performance.
¹ https://www.o-ran.org
A. Network Slicing in O-RAN
Network slicing, essential for 5G revenue, dynamically creates customized virtual networks on shared infrastructure, integrating network functions and resources across RAN, transport, and core networks to meet specific service needs. RAN slicing involves the isolation of Physical Resource Blocks (PRBs) and specific Virtual Network Functions (VNFs) such as MAC, RLC in the O-DU, and PDCP, SDAP in the O-CU for various services as illustrated in Figure 1 of [2]. In addition, core slicing virtualizes and isolates nodes like UPF and AMF, catering to the specific needs of each service. Finally, transport slicing creates dedicated pathways across the shared underlay network, ensuring guaranteed performance for these diverse service connections. By working together, RAN, core, and transport slicing unlock the full potential of 5G networks. O-RAN’s virtualization and intelligence are key to advancing RAN slicing, essential for end-to-end network services [2].
B. Radio Intelligent Controller (RIC)
The Near-RT and Non-RT RICs are essential for O-RAN system management, serving as an open hosting platform and optimizing RAN functions. The RIC consists of Near-RT RIC and Non-RT RIC, facilitating intelligent RAN optimization on near-real-time (10-1000 msec) and non-real-time (greater than 1s) scales, respectively. The Near-RT RIC uses xApps for real-time RAN control via E2 interfaces with O-RAN components, while the Non-RT RIC employs rApps for broader RAN optimization and is linked to the Near-RT RIC through the A1 interface for policy and AI/ML model management. The near-RT RIC and non-RT RIC are vital components responsible for the AI/ML workflow in the O-RAN architecture [1], [6], [7].
C. ML aspect in O-RAN
The O-RAN architecture incorporates AI/ML to add intelligence across its RAN layers, a move seen as pivotal for highly autonomous RAN functions that improve service quality and lower OPEX. AI/ML is expected to be instrumental in a range of RAN use cases, from resource allocation to anomaly detection and cybersecurity. Subsequently, we will outline potential ML techniques applicable to O-RAN and detail the general ML lifecycle.
1) ML techniques: In the O-RAN system, various ML techniques are utilized: (1) supervised learning for model training with labeled data and subsequent prediction on new data; (2) unsupervised learning to find patterns in unlabeled data; (3) reinforcement learning (RL) and deep RL (DRL) for learning optimal actions through interaction with the environment; and (4) federated learning (FL) for privacy-preserving collaborative model training across distributed entities without data exchange, using a central server to aggregate local model updates. In addition, LLMs can also be incorporated to enhance communication performance and the decision-making processes by analyzing and generating human-like text, providing valuable insights within the O-RAN architecture. Moreover, integrating LLMs with existing ML methods can significantly improve the system’s overall intelligence and efficiency.
In O-RAN architecture, Non-RT RIC and Near-RT RIC are responsible for AI/ML techniques, where they can play the role of ML training host and/or ML model host/actor [7]. The ML training host VNF trains models within the Non-RT RIC, while the ML model host/actor VNF, for inference, may reside in either Non-RT or Near-RT RIC. In RL, Near-RT RIC conducts online training and inference, while Non-RT RIC is for offline training and Near-RT RIC for inference. FL uses Non-RT RIC as the central server and Near-RT RIC for distributed training.
2) ML Life Cycle Procedure: Despite the variety of ML techniques supported and the deployment scenarios considered for placing the ML training hosts and ML model hosts/actors, a general ML lifecycle in the O-RAN architecture can be described as follows (see Fig. 2) [1], [7]. First, the ML designer deploys the model (stages 1 and 2). The data is selected for training (stage 3) and fed into the ML model during the training and inference stages. The data are typically collected over E2, O1, and A1, from O-CU, O-DU, and RICs (stage 8). The collected data are prepared in the RICs to fit the ML models by performing data pre-processing operations, including dataset balancing, normalization, and removing noise, among others. The ML model goes first through the training process, where the ML designer or SMO/Non-RT RIC will select and implement the ML algorithm to train in the ML training host. The trained model is then uploaded (stage 4) and validated to ensure its reliability and accuracy. Once the model is validated, it is stored and published in the SMO/Non-RT RIC catalog (stage 5). After a model has been validated (stage 6), it can be deployed and executed (stage 7).
Fig. 2: ML Model Life Cycle in the O-RAN Architecture.
III. VULNERABILITIES AND THREATS IN O-RAN ARCHITECTURE
O-RAN architecture’s openness and disaggregation facilitate compliance with security standards and enable improved security agility, adaptability, and resiliency for future mobile networks. In addition to those benefits, O-RAN
architecture introduces the potential for an increased attack surface [8]. The O-RAN Alliance’s Security Work Group 11 focuses on securing O-RAN, but their measures are insufficient, particularly against malicious AI/ML methods. Therefore, additional security perspectives are necessary. This section discusses key vulnerabilities and threats to O-RAN, including the security issues of the new O-RAN technologies.
A. O-RAN System Vulnerabilities
As previously discussed, the O-RAN system comprises three different sides (radio, management, cloud), each with its own vulnerabilities tied to their respective roles and functions. This section delves into the vulnerabilities inherent to the different sides of the O-RAN architecture.
1) O-RU/O-DU and Open-FH Vulnerabilities: In radio communication, the O-RAN architecture and other RAN generations have inherent vulnerabilities. This section outlines these vulnerabilities, particularly focusing on O-RAN. One key threat is the false base station (FBS) attack, where an attacker poses as a legitimate base station to execute a Man-in-the-Middle (MiTM) attack. Three FBS attack scenarios on an O-RU include hijacking fronthaul, recruiting a standalone O-RU, and gaining unauthorized physical access. These attacks can compromise both O-RAN and other RAN systems [8].
There are several risks associated with FBSs in the network, including stealing subscriber information, altering and redirecting transmitted data, and compromising subscriber privacy. The FBS attacks may help in penetrating O-DU and beyond in the CN and launching DoS attacks to cause loss of service or degradation of its performance.
Given that the O-DU and O-RU can be from different vendors, they may have varying security levels. The O-DU’s role in managing traffic between the management system and the O-RU increases the risk of unauthorized access to other systems, such as RICs, via the Open-FH interface. An unprotected Open-FH interface can also enable Man-in-the-Middle (MiTM) attacks, allowing data tampering, disclosure, and DoS attacks. For instance, an unauthorized device on the Open-FH Ethernet L1 interface could launch a flooding attack, causing unavailability or performance degradation of legitimate network elements.
2) Near-RT RIC Vulnerabilities: Through standardized interfaces and hardware support, the Near-RT RIC provides a safe and reliable platform for hosting xApps. The xApps are independent of the Near-RT RIC and may be supplied by a third-party vendor. The Near-RT RIC and xApps can be sources of different security threats [8].
A malicious or compromised xApp has the potential to negatively impact the service delivery for a subscriber, a group of subscribers, or a specific geographic area by manipulating data collected from E2 nodes (i.e., O-DU, O-CU-CP and O-CU-UP) and A1 interface. It also introduces the risk of obtaining unauthorized access to E2 nodes and Near-RT RIC, exploiting the RAN functions and engendering harmful effects to the overall system. Leakage of sensitive data (e.g., UE identification and location) is another menace that could stem from malicious/compromised xApps. The disclosure of sensitive information will not only pose privacy violation issues but may also lead to the launch of other attacks, such as impersonation and UE tracking attacks. The xApps cannot operate independently from the components of the Near-RT RIC. They need to interact with these components to access their functionalities. For instance, they communicate with the App Manager during registration and the Sub Manager to subscribe to data from E2 nodes. Due to this communication, a malicious xApp can affect other components of Near-RT RIC too. This could happen by exploiting shared resources, manipulating control messages, disrupting event processing, compromising security credentials, introducing hidden logic bombs, or exfiltrating sensitive data through communication channels within the framework. Additionally, resources such as CPU and RAM limits can be specified in the xApp descriptors to prevent resource exhaustion, which is enforced by Kubernetes. Hence, a malicious xApp can use more resources than it needs.
The indefinite functional split between Near-RT RIC and E2 nodes, which depends on the available xApps and the capabilities of E2 nodes, may result in conflicts between decisions taken by the Near-RT RIC and the E2 nodes. Moreover, developing multiple xApps with overlapping objectives within the same RAN may lead to conflicting actions between xApps. Those conflicts can degrade the system’s performance or may cause a Denial-of-Service (DoS) attack intentionally or unintentionally in the O-RAN architecture.
The lack of proper isolation between an xApp and the other Near-RT RIC components may be a source of serious security breaches. In fact, with the recent trend to evolve VNFs into CNFs, complete isolation between co-hosted CNFs is hard to realize due to the lack of strong hardware isolation in the emerging cloud-native platforms (e.g., Kubernetes). Thus, an xApp with compromised isolation can be exploited to escalate the privilege granted to it, carry out shared resource exhaustion attacks, steal secrets and sensitive information from memory, and conduct DoS attacks against co-hosted xApps and the Near-RT RIC platform.
3) SMO Vulnerabilities: SMO security is critical because a vulnerability can allow attacks on O-RAN components and lateral movement within the network. Weak authentication and authorization can let attackers access and alter SMO data, control O-RAN components, and steal sensitive information. For example, unauthorized access to Non-RT RIC via SMO can lead to UE tracking or issuing false policies to Near-RT RIC. Additionally, SMO and Non-RT RIC are susceptible to DoS attacks, which can impair network monitoring and control functions. The security concerns for rApps in Non-RT RIC are similar to those for xApps [8].
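The Near-RT RIC discussion above notes that CPU and RAM limits for xApps are enforced by Kubernetes and that weak isolation lets an xApp exhaust shared resources or escalate privilege. The following added example (not from the paper or any O-RAN project) audits pod specs for those two conditions; it assumes xApps run as ordinary Kubernetes pods, and the pod names, sample specs and policy ceilings are constructed.

```python
"""Audit xApp pod specs for missing resource limits and weak isolation.

Added illustration, not code from the paper or from any O-RAN project.
Assumption: xApps run as ordinary Kubernetes pods, so the standard pod-spec
fields apply. Pod names and policy ceilings below are constructed.
"""

CPU_CEILING_MILLI = 2000            # assumed policy: at most 2 cores per container
MEM_CEILING_BYTES = 2 * 1024 ** 3   # assumed policy: at most 2 GiB per container

# Kubernetes memory suffixes; binary ones first so "Mi" is not read as "M".
_MEM_SUFFIXES = [("Ki", 1024), ("Mi", 1024 ** 2), ("Gi", 1024 ** 3),
                 ("k", 1000), ("M", 1000 ** 2), ("G", 1000 ** 3)]


def cpu_to_milli(quantity):
    """'500m' -> 500, '2' -> 2000, '0.5' -> 500 (millicores)."""
    q = str(quantity)
    return int(q[:-1]) if q.endswith("m") else int(round(float(q) * 1000))


def mem_to_bytes(quantity):
    """'512Mi' -> 536870912, '1G' -> 1000000000, '1048576' -> 1048576."""
    q = str(quantity)
    for suffix, factor in _MEM_SUFFIXES:
        if q.endswith(suffix):
            return int(float(q[:-len(suffix)]) * factor)
    return int(q)


def audit_pod(pod_name, spec):
    """Return a list of (pod, container, finding) tuples for one pod spec."""
    findings = []
    for flag in ("hostNetwork", "hostPID", "hostIPC"):
        if spec.get(flag):
            findings.append((pod_name, "-", f"{flag} shares a host namespace"))
    for c in spec.get("containers", []):
        name = c.get("name", "?")
        limits = (c.get("resources") or {}).get("limits") or {}
        if "cpu" not in limits:
            findings.append((pod_name, name, "no CPU limit"))
        elif cpu_to_milli(limits["cpu"]) > CPU_CEILING_MILLI:
            findings.append((pod_name, name, "CPU limit above ceiling"))
        if "memory" not in limits:
            findings.append((pod_name, name, "no memory limit"))
        elif mem_to_bytes(limits["memory"]) > MEM_CEILING_BYTES:
            findings.append((pod_name, name, "memory limit above ceiling"))
        sc = c.get("securityContext") or {}
        if sc.get("privileged"):
            findings.append((pod_name, name, "privileged container"))
        if sc.get("allowPrivilegeEscalation") is not False:
            findings.append((pod_name, name, "allowPrivilegeEscalation not false"))
    return findings


# Constructed sample specs (hypothetical xApp names).
SAMPLE_PODS = {
    "xapp-a-hardened": {
        "containers": [{
            "name": "app",
            "resources": {"limits": {"cpu": "500m", "memory": "512Mi"}},
            "securityContext": {"privileged": False,
                                "allowPrivilegeEscalation": False},
        }],
    },
    "xapp-b-unbounded": {
        "hostNetwork": True,
        "containers": [{
            "name": "app",
            "resources": {"limits": {"cpu": "8"}},   # no memory limit at all
            "securityContext": {"privileged": True},
        }],
    },
}


def audit_all(pods):
    """Audit every pod spec in a {name: spec} mapping."""
    out = []
    for pod_name, spec in pods.items():
        out.extend(audit_pod(pod_name, spec))
    return out


if __name__ == "__main__":
    for pod, container, finding in audit_all(SAMPLE_PODS):
        print(f"{pod}/{container}: {finding}")
```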
B. O-Cloud Vulnerabilities
The O-Cloud platform in O-RAN architecture faces common cloud security risks, including software flaws, valid account access, and lack of interface authentication. Malicious actors can exploit VMs and containers running O-RAN components, leading to privilege escalation, malware contamination, unauthorized deployment of VMs/containers, root server access, and system destruction. They can also access and manipulate sensitive data. Deploying vulnerable VMs/containers risks DoS attacks on shared resources, which can be economically damaging if turned into an EDoS attack. Supply chain attacks can inject malicious code or extract private keys from VM/container images. Additionally, an unprotected O2 interface between O-Cloud and SMO is vulnerable to MiTM attacks, allowing tampering and disclosure of services and requests.
C. Open Source Code Vulnerabilities
Open-source software is crucial for building the software-based O-RAN architecture, used in both cloud infrastructure and O-RAN components. It accelerates development, promotes vendor independence, and reduces costs. However, it also poses security challenges. The open source code allows attackers to find and exploit vulnerabilities. Without an accurate, up-to-date inventory of open-source code and dependencies, managing and mitigating high-risk vulnerabilities becomes difficult due to the volume, variety, and lack of standard naming conventions.
D. ML System Vulnerabilities
Integrating ML techniques into O-RAN enhances autonomous RAN functions but also introduces significant security challenges. ML models are vulnerable to adversarial attacks that manipulate decisions, compromise model integrity, or reveal private information. Attacks include altering training datasets, injecting fake data during online learning, or crafting inputs to deceive models during operation. Collaborative learning methods like FL face model poisoning attacks, where malicious agents tamper with local model parameters to compromise the global model. FL is also susceptible to inference attacks, allowing attackers to deduce private training data using local model parameters [3], [9].
Based on accessibility, attacks on ML models can be categorized into white-box, black-box, and gray-box attacks [9]. Indeed, the adversarial attack is considered as a white box, gray box, or black box when the attacker can have full, partial, or no access to the training data and the targeted model’s parameters and architecture, respectively. The white-box attack is deemed less realistic due to the assumption of an attacker with full knowledge, which is hard to achieve in real-world scenarios.
E. Threats against 5G Radio Networks
Common threats to traditional RAN architectures are also applicable to O-RAN architecture. This includes (i) jamming attacks, which consist of blocking radio signals, for example by introducing intentional interference in the communication channels; (ii) sniffing attacks, which focus on observing and collecting data packets with the purpose of extracting sensitive information (e.g., UE location and cell configuration) as well as using the extracted information to craft new attacks; and (iii) spoofing attacks, which refer to creating a fake signal that is hard to distinguish from the actual signal, allowing an attacker to impersonate a base station, cause a DoS, or bypass physical-layer signal authentication [9], among others.
F. Physical Threats
Physical threats, though not unique to O-RAN, are crucial to understanding its vulnerabilities. The physical infrastructure, including cell sites and data centers, faces risks from unauthorized access, power outages, natural disasters, and hardware failures. Intruders can sabotage hardware or alter settings to provoke DoS, inject malware, or access other network components. Natural disasters like snow, floods, earthquakes, and lightning can damage physical components. Lack of proper procedures for hardware failures and power outages increases the risk of unavailability. Physical security is more challenging in O-RAN due to the higher number of cell sites, data centers, and vendors.
Table I summarizes the main security threats discussed above, highlighting their impact on the CIA triad. Note that the threats marked with the (✓) sign affect a CIA principle, while those marked with (x) do not. Moreover, (✓) and (x) indicate whether the potential mitigation of vulnerabilities through Zero Trust (ZT), Blockchain (BC), Moving Target Defense (MTD), and LLM investigated in Section IV is applicable or not, respectively.
IV. SECURITY SOLUTIONS IN O-RAN
There are different possible solutions for security threats and vulnerabilities [10]. This section discusses several key emerging technologies that can be leveraged to improve the security of the O-RAN architecture.
A. Zero Trust
Zero trust (ZT) is a valuable security model for enhancing O-RAN security. Based on "never trust, always verify," it assumes breaches can occur anytime from internal or external threats. ZT principles include continuous identification and authentication, enforcing least-privilege access, maintaining risk-based policies, checking communication channels, and continuous security monitoring. Implementing ZT protects the entire O-RAN architecture, from hardware to applications. AI/ML techniques and Security-as-a-Service (SECaaS) enable ZT by allowing instant threat identification and automated security adjustments [11].
TABLE I: Impact of threats and vulnerabilities in O-RAN system on Confidentiality (C), Integrity (I) and Availability (A); and the Potential Mitigation of
Vulnerabilities through Zero Trust (ZT), Blockchain (BC), Moving Target Defense (MTD), Large Language Model (LLM).
Threats and Vulnerabilities C I A ZT BC MTD LLM
Conflicts among xApps or rApps x x ✓ x x ✓ ✓
Accessing a misconfigured x/rApps ✓ x x x ✓ x ✓
Altering Data through malicious x/rApps attacks ✓ ✓ x ✓ ✓ x ✓
Conflicts between Near-RT RIC and O-gNB/eNB x x ✓ x x ✓ ✓
FBS attacks on O-RU ✓ ✓ x ✓ ✓ x x
Eavesdropping on air interfaces ✓ x x x x x x
Accessing the O-RU/DU/CU and degrading the O-RAN’s performance x x ✓ x x ✓ x
MITM attack from the Open-FH over M-plane or CUS-plane ✓ ✓ x ✓ ✓ x x
Misconfiguration, lack of isolation and security in the O-Cloud ✓ ✓ ✓ ✓ ✓ ✓ ✓
Open-source code vulnerabilities ✓ ✓ ✓ ✓ ✓ ✓ ✓
Adversarial attacks against ML ✓ ✓ ✓ ✓ ✓ ✓ ✓
Jamming attacks x x ✓ x x ✓ ✓
Spoofing attacks ✓ ✓ ✓ ✓ ✓ ✓ ✓
Physical threats ✓ ✓ ✓ x x x x
B. Blockchain
Blockchain (BC) is a promising solution for securing O-RAN architecture with a zero trust mindset. Its features of decentralization, immutability, transparency, auditability, and smart contract auto-execution support various security controls in O-RAN. These controls include privacy-enhanced identity management, mutual authentication, dynamic access control, integrity and non-repudiation of data and software, and secure resource sharing. For example, in AI security, blockchain can ensure the integrity and provenance of data in an ML pipeline and protect against poisoning attacks on FL models [10], [11].
C. MTD
MTD has recently emerged as an effective approach to enable proactive security. The core principle of MTD is to constantly and dynamically modify the configuration of the network and services to increase uncertainty and complexity for attackers. In fact, the dynamicity introduced by MTD reduces the attacker’s opportunities to gather useful information on vulnerabilities of the target environment, preventing their exploitation. To this end, different MTD techniques can be applied, which are broadly categorized into shuffling (e.g., network topology, VMs/containers placement), diversity (e.g., in underlying technology used to implement or run a service), and redundancy (e.g., by providing multiple replicas of a network component or service). In O-RAN, the MTD approach can be used to prevent intrusions, mitigate DoS attacks, and increase the robustness of ML models to adversarial attacks (Table I), among others. For example, the resiliency of ML models can be strengthened by continuously changing the ML algorithm, the features used for its training, or the model’s parameters [9]. Moreover, to determine whether we have resources to allocate to UE, we can use the AI/ML method for the admission control system. This AI/ML system can be protected using MTD by considering different AI/ML training models with different configurations that are chosen randomly by MTD.
D. Large Language Models
The deployment of Large Language Models (LLMs) within O-RAN networks can significantly enhance cybersecurity measures by capitalizing on their exceptional data processing and pattern recognition capabilities. In the context of O-RAN, where a diverse array of virtualized network functions operates across open interfaces, LLMs can meticulously monitor and analyze network traffic and system logs. This enables the early detection of anomalous behaviors that could signal a security breach, such as unusual login patterns or unexpected changes in data flow, which are critical in the multi-vendor O-RAN environment. LLMs can dynamically adjust security policies for each O-RAN network slice by analyzing data to make smart access choices, fine-tune encryption, and improve intrusion detection, resulting in personalized security. We can fine-tune the LLM system for specific tasks based on our requirements for the next generation of RAN system [12]. For instance, we can fine-tune the LLM system to analyze and diagnose the data to provide early warnings.
Let’s consider a specific scenario: in the event of a sudden surge in traffic indicating a potential DDoS attack within a network slice, an LLM equipped with real-time analytics can autonomously adjust traffic rules and resource allocations to mitigate the threat. This proactive approach not only ensures uninterrupted service but also enhances overall security by continuously monitoring for vulnerabilities and updating configurations.
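The surge scenario above, as an added example that is not from the paper: a per-slice detector flags intervals whose request rate departs sharply from a recent baseline and emits the plain-language evidence an operator or an LLM-based explainer would be handed. A median/MAD modified z-score stands in for the LLM analytics here; slice names, rates, the window size, the scale floor and the suggested cap are all constructed assumptions.

```python
"""Per-slice traffic-surge detector that emits a plain-language explanation.

Added illustration, not the paper's method: a robust (median/MAD) modified
z-score stands in for the LLM-based analytics. Slice names, rates and all
thresholds are constructed.
"""
from collections import deque
from statistics import median

WINDOW = 8          # assumed: recent normal samples kept as the baseline
Z_THRESHOLD = 3.5   # commonly used cut-off for the modified z-score
CAP_FACTOR = 1.5    # assumed: suggested temporary cap relative to baseline


def detect_surges(slice_id, rates):
    """Return alert dicts for the intervals in `rates` that look like a surge."""
    baseline = deque(maxlen=WINDOW)
    alerts = []
    for i, rate in enumerate(rates):
        if len(baseline) < WINDOW:      # warm-up: learn before judging
            baseline.append(rate)
            continue
        med = median(baseline)
        mad = median(abs(x - med) for x in baseline)
        # Floor the scale so a perfectly flat baseline does not turn
        # ordinary jitter into an extreme score (assumed floor values).
        scale = max(mad, 0.05 * med, 1.0)
        z = 0.6745 * (rate - med) / scale
        if z > Z_THRESHOLD:             # one-sided: only surges are flagged
            cap = round(med * CAP_FACTOR)
            alerts.append({
                "slice": slice_id,
                "interval": i,
                "rate": rate,
                "baseline": med,
                "z": round(z, 1),
                "suggested_cap": cap,
                "explanation": (
                    f"slice {slice_id}, interval {i}: {rate} req/s against a "
                    f"baseline median of {med:g} req/s (modified z-score "
                    f"{z:.1f} > {Z_THRESHOLD}); suggested temporary cap "
                    f"{cap} req/s"
                ),
            })
            continue                    # keep flagged samples out of the baseline
        baseline.append(rate)
    return alerts


# Constructed per-interval request rates (req/s) for two hypothetical slices.
SAMPLE_RATES = {
    "embb":  [100, 104, 98, 101, 99, 103, 97, 102, 100, 480, 510, 101],
    "urllc": [20, 21, 19, 20, 22, 20, 21, 19, 20, 21, 20, 22],
}


def scan(all_rates):
    """Run the detector over every slice and collect all alerts."""
    found = []
    for slice_id, rates in all_rates.items():
        found.extend(detect_surges(slice_id, rates))
    return found


if __name__ == "__main__":
    for alert in scan(SAMPLE_RATES):
        print(alert["explanation"])
```

Flagged samples are excluded from the baseline so that a sustained surge cannot raise its own threshold.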
In the realm of O-RAN, where AI/ML-driven solutions are paramount, LLMs can also contribute to the secure orchestration of network elements by generating and updating security configurations and orchestrating responses to threats in collaboration with the SMO framework. This not only streamlines the management of complex O-RAN architectures but also fortifies them against sophisticated cyber threats, ensuring the network’s integrity and the trust of its users.

By integrating LLMs into the O-RAN security strategy, network operators can leverage the full potential of AI to maintain a robust, adaptive, and intelligent defense system, keeping pace with the evolving cyber-security landscape while supporting the continuous growth and innovation inherent to O-RAN networks.

Also, LLMs can be used to enhance XAI systems in O-RAN by providing human-like explanations for the decisions and predictions made by various AI/ML components. As a result, XAI reduces the risk of false positives and improves the accuracy of security AI/ML. When the systems or operators understand the reasoning behind AI decisions, they can fine-tune the system to be more precise, leading to better detection of genuine threats and fewer mistakes. In other words, XAI with the help of LLMs not only makes AI more transparent but also smarter and more reliable when it comes to keeping the network safe [13].

E. Effect of Security Solutions on different Vulnerabilities

This section examines the impact of ZT, BC, MTD, and LLM on the vulnerabilities listed in Table I. Conflicts among xApps or rApps, and between Near-RT RIC and O-gNB/eNB, and accessing the O-RU/DU/CU and degrading the O-RAN’s performance can be prevented and resolved by implementing the MTD method, which constantly changes the configuration and environment of the system. Moreover, MTD could potentially mitigate jamming attacks by dynamically changing frequencies or communication patterns.

BC can prevent misconfigured x/rApps from being accessed by ensuring configurations are recorded immutably, making misconfigurations easier to detect. When malicious x/rApp attacks alter data, BC ensures data integrity, while Zero Trust prevents unauthorized access, mitigating risk. In addition, in order to prevent FBS attacks on O-RU and MITM attacks from the Open-FH over M-plane or CUS-plane, BC could provide a secure and transparent method for firmware distribution and communication channel, while Zero Trust could prevent unauthorized access to the system.

Misconfiguration, open-source code vulnerabilities, and adversarial attacks against machine learning can be secured by employing Blockchain for immutable logging and verification, Zero Trust for rigorous access control and continuous authentication, and MTD to dynamically alter the system’s attack surface, complicating potential exploitation efforts. Moreover, LLM can help in detecting many threats shown in Table I such as adversarial attacks against AI/ML using XAI, open-source code vulnerabilities, jamming and spoofing using various analyses, and pattern recognitions.

V. SECURE O-RAN CASE STUDIES

In this section, we investigate two case studies: MTD-based Robust ML and LLM-based XAI Robust AI/ML in O-RAN. The first study explores the application of the MTD approach in enhancing deep reinforcement learning methods for dynamic network slice admission control within the O-RAN architecture. The second study focuses on the use of an LLM XAI system for diagnosing and explaining aberrant behavior.

A. MTD-based Robust ML in O-RAN

This section presents a practical study corroborating the capabilities of the MTD approach in empowering robust DRL methods for dynamic network slice admission control in the O-RAN architecture [4]. While AI/ML is essential in the O-RAN for functions like resource allocation and network slicing, its security is vital for ensuring the reliability of 5G and 6G networks. Therefore, MTD is chosen for the study due to its agility in reconfiguring ML systems within O-RAN, effectively disrupting attack vectors and fortifying against the complex threats of future wireless networks.

1) System Scenario: We consider a scenario of service admission control, as shown in Fig. 3, in which we have two different services in the O-RAN architecture. In order to provide a service requirement, a specific amount of resources is needed. Each service is assigned to its slices based on the network slicing technique in the O-RAN architecture. Each slice contains VNFs in the O-DU and O-CU layers. In this study, we implement a simulation for the O-RAN architecture by considering the O-DU and O-CU as specific VNFs with memory requirements. For simplicity, we assume that O-DU and O-CU use the same processors. Additionally, in the near-RT RIC, the AI/ML models are trained to solve the resource allocation problem. This model is implemented as an xApp within the system. We suppose that the system has enough CPU and storage resources while it has restricted memory resources. We consider a dynamic resource allocation model for VNFs of O-DU and O-CU slices for service admission control problems. Our goal is to maximize the total service admission rate. We suppose that services have the same priority in this system model. In this service, we assume the system is dynamic, and in each time slot, we have service requests from the two services that arrive following a Poisson process. Additionally, we assume that these two services have a service departure rate that has an exponential distribution.

Suppose we have a tuple that represents the required resources for VNF $m$ in the O-DU or O-CU ($m_z$, $z \in \{c, d\}$) within slice $s$, denoted as $\bar{\psi}_s^{m_z} = \{\psi_{C,s}^{m_z}, \psi_{S,s}^{m_z}, \psi_{M,s}^{m_z}\}$. Here, $\psi_{C,s}^{m}$, $\psi_{S,s}^{m}$, $\psi_{B,s}^{m}$, and $\psi_{M,s}^{m}$ indicate the required amounts of CPU, storage, bandwidth, and memory, respectively, for the VNFs of the O-DU ($d$) or O-CU ($c$).

Assume there are $N$ data centers designated for the VNFs of the O-DU and O-CU. Each data center $n$ possesses a memory resource capacity denoted as $\chi^{n}_{s}$.
Fig. 3: MTD-based dynamic VNF placement scenario based on service request.

Fig. 4: Service admission rate vs. (a) mean service arrival rate and (b) mean service departure rate. [Curves: Normal System, Malicious System, Secured MTD System.]

Assume $x_{m_s^z,n} \in \{0, 1\}$ is a binary variable indicating whether the VNF $m_s^z$ in layer O-DU/O-CU ($z \in \{c, d\}$) within slice $s$ is being hosted by data center $n$.

In this system model, we aim to maximize the service admission rate ($\sum_{n=1}^{N} \sum_{m_s=1}^{M_s} x_{m_s,n}$) with the constraint that $x_{m_s,n}$ is a binary variable. Additionally, $\sum_{s=1}^{S} \sum_{m_s=1}^{M_s} x_{m_s,n}\, \bar{\psi}^{z,tot}_{M,s} \le \chi^{n}_{M,s}\ \forall n$, meaning that the total memory used by the VNFs hosted on server $n$ must not exceed the server’s total memory. This problem was modeled and solved in Python using the PPO model, which is a DRL method.

2) Proposed Service Admission Algorithm: To solve this service admission control problem, we consider a DRL method that is implemented in the Near-RT RIC. Moreover, we assume the memory is quantized. Therefore, we have discrete action and state spaces. The DRL method adopted is Proximal Policy Optimization (PPO), an actor-critic method. Two models have been developed in the Actor-Critic system, namely the Actor and the Critic. The Actor decides which action to take, and it updates the policy network for the selected agent. The Critic corresponds to the value function. While the Actor is being updated, the Critic modifies the network parameters for the value function. In this system, the state is the remaining memory we have in each time step, appended to the service arrival rate for two services, which are random variables with a Poisson distribution, while the actions are the service admission for the two services. Moreover, the reward is a function of the service admission rate and the remaining memory. The reward is a negative number if the remaining memory is less than zero.

3) Attack Model: This section describes a malicious adversarial attack on the proposed PPO method. We consider a black-box poisoning attack against the PPO-based DRL agent. To this end, we use a weak adversary attack as in [14] to attack the system. Suppose the attacker decides to attack time step $t$: it generates an arbitrary state $\hat{s}_t$ and the associated reward function $\hat{r}(\hat{s}_t, \cdot)$. When the agent observes the altered state $\hat{s}_t$, it applies action $a_t$ and observes $\hat{r}(\hat{s}_t, a_t)$, rather than $r(s_t, a_t)$. Therefore, we assume that in each time step, the state of the system, which is the remaining memory and the service arrival rate of two services, is perturbed. In our simulations, we altered the service arrival rates of two services and converted them to the uniform random variable between zero and the service arrival rate. Therefore, we blocked part of service arrival rates in these simulations based on the weak adversary attack in [14].

4) MTD technique: To tackle the adversarial attack issue, we adopt the MTD approach, where the defender has multiple configurations for the ML models. In this scenario, as shown in Fig. 3, we use four different PPO models with varying configurations for learning. We assume that the adversarial attacker can randomly affect one of these models during the training. After the models are trained, a random model is selected among the four models to run each input, and the output generated by that model is returned. Thanks to the dynamicity introduced by the proposed MTD method, attackers will have less impact on the system because they attack one of the models and do not know which model is selected.

In this scenario, we delve into the O-RAN near-RT RIC architecture, specifically employing the AI/ML approach, notably the PPO model, for resource allocation. The RIC layer, constituting the new AI/ML controller within the O-RAN system, plays a pivotal role in the service admission control and resource allocation. As elucidated in the O-RAN white papers, RL methods find implementation within the near-RT RIC for the resource allocation. In this context, we explore the integration of MTD for fortifying the system. To accomplish this, we trained four distinct models, each configured as an individual xApp in the near-RT RIC.
5) Performance Results: To evaluate the efficiency of the PPO-based dynamic service admission control solution and the effectiveness of the proposed MTD method in withstanding adversarial attacks against DRL, we consider three scenarios. The first scenario is a regular system without any attack with one PPO model. The second scenario is where we have an attack in the system with one PPO model. In the third scenario, we use the proposed MTD technique with four PPO models. For the three scenarios, the average service admission rate is measured in terms of the mean service arrival rate and the mean service departure rate. Fig. 4(a) and Fig. 4(b) report the comparative results. It is observed that the service admission rate of the system decreases with the increase of the service arrival rate, which is attributed to the limited available resources. Furthermore, as the service departure rate increased, the service admission rate increased due to the release of memory. We can also notice a significant enhancement in the system’s performance under adversarial attacks after using the MTD technique. Fig. 4(a) shows that the secured MTD system experienced only a 21.5% lower admission rate under adversarial attack, compared to a 91% drop in admission rate when the system is not secured. Similar observations hold true in Fig. 4(b), where we can see that the secured MTD system limited the attacker’s impact to a 21% decrease in the admission rate, compared to 87% without protection from adversarial attacks.

B. LLM-based XAI Robust AI/ML in O-RAN

In a previous scenario, the AI/ML component responsible for service admission control was managed using the PPO model. We assumed a weak adversarial attack was in play. To diagnose and explain this unusual behavior, an LLM XAI system could take action. For example, the LLM could analyze the model’s decision-making process and generate a plain-language report: "The service admission model has rejected 15 devices in the last 15 minutes, a significant difference from its normal pattern of one rejection per 15 minutes."

The LLM system employs XAI techniques to identify the malicious model. Using the Isolation Forest technique, an unsupervised ML algorithm for anomaly detection, the system can detect outlier data based on features such as mean and variance. The LLM then explains these anomalies in a human-readable format. This insight enables the O-RAN system to quickly recognize malicious interference with the PPO model. An immediate investigation is recommended to confirm the nature of the detected anomaly and take steps to remove that model from the system.

By leveraging the capabilities of the LLM-based XAI system, network operators can gain a deeper understanding of the underlying issues affecting AI/ML-driven service admission control. This will ensure that the integrity and security of the O-RAN system are maintained.

1) System Scenario: In this scenario, we demonstrate how the LLM system can analyze data and translate it into human-readable language to assist in detecting and mitigating attacks within the MTD system. This represents an advanced MTD system that integrates the LLM model and XAI to analyze and clarify attacks, subsequently removing the affected model from the MTD system. Suppose one of the four models is targeted in an attack. When the system selects this xApp, the data pattern for service admission differs from that of other xApps (i.e., service admission is notably lower for this specific xApp compared to others). The LLM system can analyze the data pattern, identify the attacked model based on the pattern, describe it in human-readable language, and then request action, which could be performed by either the system operator or the SMO, to remove the specific xApp from the O-RAN system [15].

2) Proposed method: We studied Fig. 4 (where service arrival rate is 12) whenever one of the 4 trained models was attacked. We used GPT-4’s data analyst with isolation forest to spot unusual patterns in the outputs of these four models over time.

We provided the data to GPT-4 for malicious activity detection within the system. The service admission rates for models x1, x2, and x4 were similar, averaging around 60%, whereas model x3 averaged approximately 15%.

The results reveal significant differences and potential issues among the series analyzed. Series x1 and x4 display consistent values with moderate variation typical of time series data. Series x2 shows higher peaks (e.g., 63) and slightly more variability, which seems contextually normal. In contrast, series x3 stands out with consistently lower and less varied values. Identified as an anomaly by the Isolation Forest algorithm, x3 exhibits significantly lower mean and variance compared to x1, x2, and x4. This deviation suggests a poisoning attack or an error in the system. Further investigation, including system log reviews, configuration checks, or security audits, is essential to identify and address potential malicious activity or technical faults in x3.

VI. CONCLUSION

This paper investigated the threat landscape applying to the emerging O-RAN architecture. After briefly introducing the O-RAN architecture, we discussed the main vulnerabilities and threats against the O-RAN system. As a result, and in view of bolstering the security posture of O-RAN, we recommended and discussed the potential of three emerging approaches, namely the ZT concept, blockchain technology, LLM and MTD paradigm. A proof of concept has been presented, showing the effectiveness of MTD in strengthening the robustness of DRL models to adversarial poisoning attacks. Moreover, we also studied the effect of LLM in detecting the attack in the O-RAN AI/ML system using an example. Despite the merits of the four advocated approaches, their adoption in securing O-RAN is still facing different challenges, including (i) enabling continuous monitoring and assessment of risks, a key requirement for ZT, with reduced impact on network performances; (ii) solving the scalability, performance and privacy challenges for blockchain; (iii) developing advanced MTD strategies that can meet the desired trade-off between robustness, performance and moving cost; and (iv) introducing the LLM system to automate the system, bringing XAI techniques, decreasing the risk of threats in AI/ML techniques.
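The per-input random model selection of Section V-A.4 and the Isolation Forest check of Section V-B can be put together as follows. This is an added example, not the authors' code or their GPT-4 run: a small pure-Python isolation forest scores each model's (mean, variance) of logged admission rates, and the top-scoring xApp is dropped from the MTD pool. The traces, the x1 to x4 profiles (about 60% and 15% admission, echoing the averages quoted above) and every function name are constructed for illustration.

```python
import math
import random
from statistics import mean, pvariance

# Constructed (mean %, std dev) per xApp: three clean, x3 poisoned. Not paper data.
PROFILES = {"x1": (60, 3.0), "x2": (61, 3.5), "x3": (15, 1.0), "x4": (60, 3.0)}

def simulate_mtd(steps=400, seed=7):
    """MTD dispatch: pick one model at random per input, log its admission rate."""
    rng = random.Random(seed)  # seeded for repeatability; use secrets.choice live
    log = {name: [] for name in PROFILES}
    for _ in range(steps):
        name = rng.choice(list(PROFILES))
        log[name].append(rng.gauss(*PROFILES[name]))
    return log

def c(n):
    """Average path length of an unsuccessful BST search over n points."""
    if n <= 2:
        return float(max(n - 1, 0))
    return 2.0 * (math.log(n - 1) + 0.5772156649) - 2.0 * (n - 1) / n

def grow(points, depth, limit, rng):
    """Isolation tree: random feature, random cut, until isolated or depth limit."""
    dims = [d for d in (0, 1) if len({p[d] for p in points}) > 1]
    if depth >= limit or not dims:
        return len(points)  # leaf stores how many points were left together
    d = rng.choice(dims)
    cut = rng.uniform(min(p[d] for p in points), max(p[d] for p in points))
    return (d, cut, grow([p for p in points if p[d] < cut], depth + 1, limit, rng),
            grow([p for p in points if p[d] >= cut], depth + 1, limit, rng))

def path_length(tree, p, depth=0):
    if isinstance(tree, int):
        return depth + c(tree)
    d, cut, left, right = tree
    return path_length(left if p[d] < cut else right, p, depth + 1)

def isolation_scores(points, trees=300, seed=1):
    """Score in (0, 1); values well above 0.5 mean the point is easy to isolate."""
    rng = random.Random(seed)
    limit = math.ceil(math.log2(len(points)))
    forest = [grow(points, 0, limit, rng) for _ in range(trees)]
    return [2 ** (-mean(path_length(t, p) for t in forest) / c(len(points)))
            for p in points]

def detect_and_quarantine(log):
    """Flag the xApp whose (mean, variance) feature is most isolated; drop it."""
    names = list(log)
    feats = [(mean(log[n]), pvariance(log[n])) for n in names]
    scores = dict(zip(names, isolation_scores(feats)))
    suspect = max(scores, key=scores.get)
    pool = [n for n in names if n != suspect]
    report = (f"{suspect}: mean admission {mean(log[suspect]):.1f}% vs "
              f"{mean(mean(log[n]) for n in pool):.1f}% for the other xApps, "
              f"isolation score {scores[suspect]:.2f}; request removal via SMO.")
    return suspect, pool, scores, report

def pooled_rate(log, pool):
    """Admission rate users see when inputs are spread over the models in pool."""
    return mean(v for n in pool for v in log[n])

if __name__ == "__main__":
    print(detect_and_quarantine(simulate_mtd())[3])
```

With only four models the forest can do little more than rank them, so the quarantine decision here keys on the highest score rather than on a fixed threshold.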
REFERENCES
[1] M. Polese, L. Bonati, S. D’Oro, S. Basagni, and T. Melodia, “Understanding O-RAN: Architecture, Interfaces, Algorithms, Security, and Research Challenges,” arXiv preprint arXiv:2202.01032, 2022.
[2] M. K. Motalleb, V. Shah-Mansouri, S. Parsaeefard, and O. L. A. López, “Resource Allocation in an Open RAN System using Network Slicing,” IEEE Transactions on Network and Service Management, pp. 1–1, 2022.
[3] D. Mimran, R. Bitton, Y. Kfir, E. Klevansky, O. Brodt, H. Lehmann, Y. Elovici, and A. Shabtai, “Evaluating the Security of Open Radio Access Networks,” arXiv preprint arXiv:2201.06080, 2022.
[4] M. K. Motalleb, C. Benzaïd, T. Taleb, and V. Shah-Mansouri, “Moving target defense based secured network slicing system in the o-ran architecture,” in GLOBECOM 2023-2023 IEEE Global Communications Conference. IEEE, 2023, pp. 6358–6363.
[5] O. A.-S. F. G. (SFG), “O-RAN Security Focus Group (SFG) Study on Security for O-CLOUD v01.00,” White paper, July 2022.
[6] O.-R. A. W. G. 1, “O-RAN-Architecture-Description-v06.00,” White paper, July 2022.
[7] O. A. W. G. 2, “AI/ML Workflow Description and Requirements v01.03,” White paper, October 2021.
[8] O. A.-S. F. G. (SFG), “O-RAN Security Threat Modeling and Remediation Analysis v03.00,” White paper, July 2022.
[9] C. Benzaïd and T. Taleb, “AI for Beyond 5G Networks: A Cyber-Security Defense or Offense Enabler?” IEEE Network, vol. 34, no. 6, pp. 140–147, Nov./Dec. 2020.
[10] C. Benzaid, T. Taleb, and M. Z. Farooqi, “Trust in 5G and Beyond Networks,” IEEE Network Magazine, vol. 35, no. 3, pp. 212–222, May 2021.
[11] C. Benzaid, T. Taleb, and J. Song, “AI-based Autonomic & Scalable Security Management Architecture for Secure Network Slicing in B5G,” IEEE Network, pp. 1–9, 2022.
[12] Z. Lin, G. Qu, Q. Chen, X. Chen, Z. Chen, and K. Huang, “Pushing large language models to the 6g edge: Vision, challenges, and opportunities,” arXiv preprint arXiv:2309.16739, 2023.
[13] T. Datta and J. P. Dickerson, “Who’s thinking? a push for human-centered evaluation of llms using the xai playbook,” arXiv preprint arXiv:2303.06223, 2023.
[14] T. Wu, Y. Yang, S. Du, and L. Wang, “On Reinforcement Learning with Adversarial Corruption and its Application to Block MDP,” in International Conference on Machine Learning. PMLR, 2021, pp. 11296–11306.
[15] A. J. Dave, T. N. Nguyen, and R. B. Vilim, “Integrating llms for explainable fault diagnosis in complex systems,” arXiv preprint arXiv:2402.06695, 2024.