Journal Pre-proof

Towards secure intelligent O-RAN architecture: vulnerabilities, threats and promising technical solutions
using LLMs

Mojdeh Karbalaee Motalleb, Chafika Benzaid, Tarik Taleb, Marcos Katz, Vahid Shah-Mansouri et al.

PII: S2352-8648(25)00065-3
DOI: https://doi.org/10.1016/j.dcan.2025.05.001
Reference: DCAN 871

To appear in: Digital Communications and Networks

Received date: 16 September 2024

Revised date: 29 April 2025
Accepted date: 6 May 2025

Please cite this article as: M. Karbalaee Motalleb, C. Benzaid, T. Taleb et al., Towards secure intelligent O-RAN architecture: vulnerabilities, threats and
promising technical solutions using LLMs, Digital Communications and Networks, doi: https://doi.org/10.1016/j.dcan.2025.05.001.

This is a PDF file of an article that has undergone enhancements after acceptance, such as the addition of a cover page and metadata, and formatting for
readability, but it is not yet the definitive version of record. This version will undergo additional copyediting, typesetting and review before it is published in its
final form, but we are providing this version to give early visibility of the article. Please note that, during the production process, errors may be discovered which
could affect the content, and all legal disclaimers that apply to the journal pertain.

© 2025 Published by Elsevier.

 Digital Communications and Networks(DCN)

journal homepage: www.elsevier.com/locate/dcan

Towards secure intelligent O-RAN architecture: vulnerabilities, threats and

promising technical solutions using LLMs

Mojdeh Karbalaee Motalleba , Chafika Benzaidb , Tarik Taleb∗cd , Marcos Katzb , Vahid Shah-Mansouri a ,
Jaeho Kim∗d
a Universityof Tehran, Tehran, 14174-66191, Iran
b Universityof Oulu, Oulu, 90014, Finland
c Ruhr University Bochum, Bochum, Germany
d Sejong University, Seoul, 05006, Korea

Abstract
The evolution of wireless communication systems will be fundamentally impacted by an Open Radio Access Network (O-RAN), a new concept
defining an intelligent architecture with enhanced flexibility, openness, and the ability to slice services more efficiently. For all its promises and
like any technological advancement, O-RAN is not without risks that need to be carefully assessed and properly addressed to accelerate its wide
adoption in future mobile networks. In this paper, we present an in-depth security analysis of the O-RAN architecture, discussing the potential
threats that may arise in different O-RAN architecture layers and their impact on the Confidentiality, Integrity, and Availability (CIA) triad. We
also promote the potential of zero trust, Moving Target Defense (MTD), blockchain, and Large Language Models (LLM) technologies in fortifying
O-RAN’s security posture. Furthermore, we numerically demonstrate the effectiveness of MTD in empowering robust deep reinforcement learning
methods for dynamic network slice admission control in the O-RAN architecture. Moreover, we examine the effect of Explainable AI (XAI) based
on Large Language Models (LLM) in securing the system.

© 2025 Published by Elsevier Ltd.

KEYWORDS:
Open radio access network, O-RAN security, Large language models, Blockchain, Moving target defense

1. Introduction For all its promises and like any technological advancement, O-RAN
is not without risks that must be assessed and properly addressed to
Wireless systems are becoming more capable but more complex in the accelerate its widespread adoption in future mobile networks. Recent
next generation of cellular networks. Unlike previous generations, the studies have shown that the O-RAN architecture introduces a new range
next generation will be flexible, agile, modular, supporting heterogene- of security challenges, driven by newly defined components and open
ity in services, multiple technologies, and rapid deployment [1]. Ra- interfaces, the use of open-source software, the disaggregation of hard-
dio Access Networks (RAN) performance is expected to be signifi- ware and software, and the reliance on cloud-native and AI technolo-
cantly improved with O-RAN, which combines and evolves the Cloud gies, among others [5]. Therefore, a comprehensive review of security
RAN (C-RAN) and virtual RAN (vRAN) to enable an open and flex- aspects is necessary, considering potential risks, vulnerabilities, and ap-
ible RAN. In the O-RAN architecture, the components of RANs are plicable solutions. Such an investigation is crucial to strengthening O-
virtualized and decoupled, using compatible open interfaces developed RAN’s security posture at this early stage of its development [6].
for their interconnection. Moreover, the O-RAN’s architecture uti- This paper explores security threats across the layers of the intelligent
lizes Artificial Intelligence and Machine Learning (AI/ML) techniques O-RAN architecture and proposes key technologies to mitigate them,
to develop intelligent RAN layers, allowing to empower intelligent, emphasizing the need for proactive measures to secure next-generation
data-driven closed-loop control for the RAN [2, 3, 4]. These features networks. Unlike previous studies, such as [7], which focus on spe-
bring many benefits to the system, including reduced Capital Expendi- cific vulnerabilities and security methods for 5G, such as Zero Trust,
tures (CAPEX) and Operating Expenses (OPEX), increased agility and our research examines a broader range of vulnerabilities in O-RAN and
flexibility, and enhanced visibility and security. presents innovative solutions to secure both the near-Real-Time RAN
Intelligent Controller (near-RT RIC) and the non-Real-Time RAN In-
∗ Jaeho telligent Controller (non-RT RIC). These controllers integrate AI/ML
Kim and Tarik Taleb are co-corresponding authors.
1 Emails: a
[email protected], [email protected]
methods for system automation, making it essential to safeguard AI/ML
b [email protected], [email protected] models against potential threats [8]. Moreover, the near-RT RIC and
c [email protected] non-RT RIC incorporate third-party applications that leverage AI/ML
d [email protected]. techniques for resource allocation.
2 M. K. Motalleb et al.

We introduce a novel Moving Target Defense (MTD) technique to the Radio Resource Control (RRC) layer, and the control plane of the
mitigate attacks on this system, demonstrating a significant reduction in PDCP protocol [9]. Fig.1a illustrates O-RAN’s architecture.
adversarial attacks in the results. The O-RAN architecture also includes a management part which
In addition to traditional security mechanisms, we propose the novel comprises Service Management and Orchestration (SMO), Near Real-
use of Large Language Models (LLMs) to enhance the system’s secu- Time RAN Intelligent Controllers (RICs), and O-Clouds blocks. SMO
rity. The LLM system can analyze data in real time and provide human- includes functions such as Non-Real-Time RIC. Generally, the near-RT
readable explanations to assist in detecting vulnerabilities. Using Ex- and non-RT RIC are responsible for AI/ML methods and making the
plainable AI (XAI), the LLM model can identify significant changes in system more intelligent. The AI/ML technologies plays a crucial role
data patterns over time and alert the system to potential vulnerabilities. in the resource allocation within RAN systems. In the O-RAN system,
Research contributions of this paper are listed as follows: near-RT RICs are functions that provide near real-time control and op-
timization of network resources through the E2 interface. This includes
• An in-depth analysis of vulnerabilities and threats in the O-RAN
xApplications (xApps), which are third-party applications that run by
architecture arising from the introduction of new technologies and
leveraging the modules and capabilities of a system for functionalities
common 5G RAN security issues.
such as resource allocation.
• The proposal of four countermeasure approaches utilizing the zero The O-Cloud platform, known as a cloud computing platform, hosts
trust concept, blockchain technology, LLM based XAI and the O-RAN architecture components depicted in Fig. 1b [10]. The RAN
MTD paradigm. network functions can be deployed as Virtualized Network Functions
• Considering the Confidentiality, Integrity, and Availability (CIA) (VNFs) on Virtual Machines (VMs) or as Cloud-native Network Func-
table for the threats and approaches. tions (CNFs) in containers. The O-Cloud platform supports these op-
tions with its virtualization layer, which includes operating systems, hy-
• Case studies and proof-of-concept demonstrations of MTD-based pervisors, and container engines. Additionally, the O-RAN ecosystem
robust ML in O-RAN and LLM-based robust AI/ML in O-RAN, supports and interfaces with bare-metal, hardware-based RAN func-
illustrating the effectiveness of MTD in enhancing the robustness tions. The SMO system connects to the O-Cloud via the O2 interface,
of deep reinforcement learning models. We demonstrate that the enabling efficient resource and workload management [11].
secured MTD system significantly reduced the impact of adver- In the following, we provide a concise overview of the key tech-
sarial attacks, with only a 21.5% decrease in admission rate (Fig. niques and features employed within the O-RAN system, enhancing its
4a) and a 21% decrease in Fig. 4b, compared to a 92% and 87% flexibility and performance.
drop, respectively, in the absence of protection.
The remainder of this paper is as follows: Section II provides an 2.1. Network Slicing in O-RAN
overview of the O-RAN architecture, focusing on its key components:
Network slicing, essential for 5G revenue, dynamically creates cus-
RAN, cloud, and management layers, along with ML and network slic-
tomized virtual networks on shared infrastructure, integrating network
ing. Section III examines vulnerabilities and threats in the O-RAN ar-
functions and resources across RAN, transport, and core networks to
chitecture, analyzing their impact on CIA. Section IV explores emerg-
meet specific service needs. RAN slicing involves the isolation of Phys-
ing technologies such as Zero Trust (ZT), blockchain, Moving Target
ical Resource Blocks (PRBs) and specific Virtual Network Functions
Defense (MTD), and LLMs to enhance O-RAN security. In Section V,
(VNFs) such as MAC, RLC in the O-DU, and PDCP, SDAP in the O-
we propose a novel MTD-based solution demonstrating its effectiveness
CU for various services as illustrated in Figure 1 of [2]. In addition,
in securing Deep Reinforcement Learning (DRL) against adversarial at-
core slicing virtualizes and isolates nodes like UPF and AMF, catering
tacks in the Near-RT RIC. Additionally, we discuss the application of
to the specific needs of each service. Finally, transport slicing creates
LLM-based Explainable AI (XAI) for detecting AI/ML attacks in O-
dedicated pathways across the shared underlay network, ensuring guar-
RAN. Finally, conclusions are drawn in Section 6.
anteed performance for these diverse service connections. By working
together, RAN, core, and transport slicing unlock the full potential of
2. O-RAN Background 5G networks. O-RAN’s virtualization and intelligence are key to ad-
vancing RAN slicing, essential for end-to-end network services [2, 12].
The O-RAN Alliance2 has developed a novel RAN architecture to facil-
itate an open, intelligent, virtualized, and interoperable RAN, essential 2.2. Radio Intelligent Controller (RIC)
for cost-effective, next-generation wireless networks. This architecture
The Near-RT and Non-RT RICs are essential for O-RAN system
integrates the advantages of C-RAN and vRAN, leveraging cloudifica-
management, serving as an open hosting platform and optimizing RAN
tion, centralization, and hardware-software decoupling to address ven-
functions. The RIC consists of Near-RT RIC and Non-RT RIC, facili-
dor lock-in and proprietary issues via standard interfaces. O-RAN de-
tating intelligent RAN optimization on near-real-time (10 − 1000 msec)
veloped a multi-vendor ecosystem and embedded AI/ML for improved
and non-real-time (greater than 1sec) scales, respectively. The Near-RT
network intelligence.
RIC uses xApps for real-time RAN control via E2 interfaces with O-
The O-RAN architecture includes three components in the baseband RAN components, while the Non-RT RIC employs rApps for broader
side: the Radio Unit (O-RU), Distributed Unit (O-DU), and Central RAN optimization and is linked to the Near-RT RIC through the A1 in-
Unit (O-CU). The O-RU contains the Radio Frequency (RF) and low terface for policy and AI/ML model management. The near-RT RIC and
Physical (PHY) layers, while O-DU provides the functionalities of the non-RT RIC are vital components responsible for the AI/ML workflow
high PHY, Medium Access Control (MAC), and Radio Link Control in the O-RAN architecture[11, 13, 1].
(RLC) layers. The Open Fronthaul (Open-FH) is the interface between
the O-RU and the O-DU. The Open-FH interface includes a Control
User Synchronization plane (CUS-plane) and a Management plane (M- 2.3. ML aspect in O-RAN
plane). The O-CU is divided into two logical nodes the user plane (O- The O-RAN architecture incorporates AI/ML to add intelligence
CU-UP) and the control plane (O-CU-CP). The O-CU-UP encompasses across its RAN layers, a move seen as pivotal for highly autonomous
the Service Data Adaptation Protocol (SDAP), and the user plane part RAN functions that improve service quality and lower OPEX. AI/ML is
of the Packet Data Convergence Protocol (PDCP). The O-CU-CP hosts expected to be instrumental in a range of RAN use cases, from resource
allocation to anomaly detection and cybersecurity. Subsequently, we
will outline potential ML techniques applicable to O-RAN and detail
2 https://www.o-ran.org the general ML lifecycle.
Towards Secure Intelligent O-RAN Architecture 3

O2 Service Management and Orchestration (SMO)

SMO
Non-RT RIC
Images
O1 Design Configuration non-RT RIC Inventory Policy
Repository ...
r-App 1 r-App 2 r-App N

A1
O1 A1
Near-RT RIC
O-Cloud
VNF/CNF
Radio
Interference
3rd Party App Connection Mobility Mgmt QoS Mgmt. Trained Model
Mgmt.
Mgmt. Near-RT RIC

E2 E2 E2 E2 x-App 1 x-App 2 ... x-App N

O-CU-UP O-CU-CP
E1 O1 O-DU O-CU
SDAP RRC

PDCP PDCP AAL O-Cloud API

O1
Virtualisation Layer
F1-u F1-c
Containers
O1
O-DU MAC/RLC High PHY
Container
VMs Engine VMs Containers
O-eNB Open FH (CUS-Plane) Open FH (M-Plane)
Guest Guest Hypervisor Container
Open FH (M-Plane) OS OS (Type II) Engine
O-RU LowPHY RF
Hypervisor
Host OS
(Type I)

O-Cloud Hardware resources

(a) (b)

Fig. 1. (a) The O-RAN high-level architecture with components and interfaces, (b) The O-Cloud architecture, which is a set of computing resources and virtualization
infrastructure.

2.3.1. ML techniques
In the O-RAN system, various ML techniques are utilized: (1) su-
pervised learning for model training with labeled data and subsequent
prediction on new data; (2) unsupervised learning to find patterns in
unlabeled data; (3) Reinforcement Learning (RL) and Deep RL (DRL)
for learning optimal actions through interaction with the environment;
and (4) Federated Learning (FL) for privacy-preserving collaborative Upload SMO
trained
model training across distributed entities without data exchange, using model
4 Training
a central server to aggregate local model updates. In addition, LLMs Data Broker ML Model Package
Model
the
can also be incorporated to enhance communication performance and ML Training Host Non RT- RIC model
6
the decision-making processes by analyzing and generating human-like
text, providing valuable insights within the O-RAN architecture. More- Submit model to Submit to near RT
Non-RT RIC RIC
over, integrating LLMs with existing ML methods can significantly im- 5 7
Deploy
prove the system’s overall intelligence and efficiency. model
In O-RAN architecture, Non-RT RIC and Near-RT RIC are respon- ML Designer 2 A1

sible for AI/ML techniques, where they can play the role of ML train- 1 Near RT- RIC

ing host and/or ML model host/actor [13]. The ML training host VNF E2
trains models within the Non-RT RIC, while the ML model host/actor Select Training Data Text

VNF, for inference, may reside in either Non-RT or Near-RT RIC. In 3 O-CU-CP O-CU-UP

RL, Near-RT RIC conducts online training and inference, while Non- F1

RT RIC is for offline training and Near-RT RIC for inference. FL uses Data Lake
O-DU
Collect Data
Non-RT RIC as the central server and Near-RT RIC for distributed train- 8
O-fronthaul
ing.
Real time Data Collector
O-RU

2.3.2. ML Life Cycle Procedure

Despite the variety of ML techniques supported and the deployment 1- ML Designer Initilaze ML Model
2- Model is deployed
scenarios considered for placing the ML training hosts and ML model 3- Data is selected for training
4- Trained Model is uploaded
hosts/actors, a general ML lifecycle in the O-RAN architecture can be 5- Model is submitted to non-RT RIC
described as follows (See Fig. 2) [1, 13]:Firstly, the ML Designer, de- 6- Packaged the Model
7- Model is submitted to Near RT RIC
ployed the model (stage 1 and 2). The data is selected for training (stage 8- Data from next time step is Collected
3) and fed into the ML model during the training and inference stages.
The data are typically collected over E2, O1, and A1, from O-CU, O-
DU, and RICs (stage 8). The collected data are prepared in the RICs
Fig. 2. ML Model Life Cycle in the O-RAN Architecture.
to fit the ML models by performing data pre-processing operations, in-
cluding dataset balancing, normalization, and removing noise, among
others. The ML model goes first through the training process, where
the ML designer or SMO/Non-RT RIC will select and implement the
ML algorithm to train in the ML training host. The trained model is
4 M. K. Motalleb et al.

then uploaded (stage 4) and validated to ensure its reliability and ac- xApps cannot operate independently from the components of the Near-
curacy. Once the model is validated, it is stored and published in the RT RIC. They need to interact with these components to access their
SMO/Non-RT RIC catalog (stage 5). After a model has been validated functionalities. For instance, they communicate with the App Manager
(stage 6), it can be deployed and executed (stage 7). during registration and the Sub Manager to subscribe to data from E2
nodes. Due to this communication, a malicious xApp can affect other
components of Near-RT RIC too.
3. Vulnerabilities and Threats in O-RAN Architecture This could happen by exploiting shared resources, manipulating con-
trol messages, disrupting event processing, compromising security cre-
The openness and disaggregation of the O-RAN architecture facili-
dentials, introducing hidden logic bombs, or exfiltrating sensitive data
tate compliance with security standards and enable improved security
through communication channels within the framework. Additionally,
agility, adaptability, and resiliency for future mobile networks. In addi-
resources such as CPU and RAM limits can be specified in the xApp
tion to these benefits, the O-RAN architecture introduces the potential
descriptors to prevent resource exhaustion, which is enforced by Kuber-
for an increased attack surface [14]. The O-RAN Alliance’s Security
netes. Hence, a malicious xApp can use more resources than it needs.
Work Group 11 focuses on securing O-RAN, but their measures are in-
The indefinite functional split between Near-RT RIC and E2 nodes,
sufficient, particularly against malicious AI/ML methods. Therefore,
which depends on the available xApps and the capabilities of E2 nodes,
additional security perspectives are necessary. This section discusses
may result in conflicts between decisions taken by the Near-RT RIC
key vulnerabilities and threats to O-RAN, including the new security
and the E2 nodes. Moreover, developing multiple xApps with overlap-
issues of O-RAN technologies.
ping objectives within the same RAN may lead to conflicting actions
between xApps. Those conflicts can degrade the system’s performance
3.1. O-RAN System Vulnerabilities
or may cause a Denial-of-Service (DoS) attack intentionally or uninten-
As previously discussed, the O-RAN system comprises three differ- tionally in the O-RAN architecture.
ent sides (radio, management, cloud), each with its own vulnerabilities The lack of proper isolation between an xApp and the other Near-
tied to their respective roles and functions. This section delves into the RT RIC components may be a source of serious security breaches. In
vulnerabilities inherent to the different sides of the O-RAN architecture. fact, with the recent trend to evolve VNFs into CNFs, complete isola-
tion between co-hosted CNFs is hard to realize due to the lack of strong
3.1.1. O-RU/O-DU and Open-FH Vulnerabilities hardware isolation in the emerging cloud-native platforms (e.g., Kuber-
In radio communication, the O-RAN architecture and other RAN netes). Thus, an xApp with compromised isolation can be exploited to
generations have inherent vulnerabilities. This section outlines these escalate the privilege granted to it, carry out shared resource exhaus-
vulnerabilities, particularly focusing on O-RAN. One key threat is the tion attacks, steal secrets and sensitive information from memory, and
False Base Station (FBS) attack, where an attacker poses as a legit- conduct DoS attacks against co-hosted xApps and the Near-RT RIC
imate base station to execute a Man-in-The-Middle (MiTM) attack. platform.
Three FBS attack scenarios on an O-RU include hijacking fronthaul,
recruiting a standalone O-RU, and gaining unauthorized physical ac- 3.1.3. SMO Vulnerabilities
cess. These attacks can compromise both O-RAN and other RAN sys- SMO security is critical because a vulnerability can allow attacks on
tems [14, 15, 16]. O-RAN components and lateral movement within the network. Weak
There are several risks associated with FBSs in the network, includ- authentication and authorization can let attackers access and alter SMO
ing stealing subscriber information, altering and redirecting transmitted data, control O-RAN components, and steal sensitive information. For
data, and compromising subscriber privacy. The FBS attacks may help example, unauthorized access to Non-RT RIC via SMO can lead to UE
in penetrating O-DU and beyond in the CN and launching DoS attacks tracking or issuing false policies to Near-RT RIC. Additionally, SMO
to cause loss of service or degradation of its performance. and Non-RT RIC are susceptible to DoS attacks, which can impair net-
Given that the O-DU and O-RU can be from different vendors, they work monitoring and control functions. The security concerns for rApps
may have varying security levels. The O-DU’s role in managing traf- in Non-RT RIC are similar to those for xApps [14].
fic between the management system and the O-RU increases the risk of
unauthorized access to other systems, such as RICs, via the Open-FH
3.2. O-Cloud Vulnerabilities
interface. An unprotected Open-FH interface can also enable MiTM
attacks, allowing data tampering, disclosure, and DoS attacks. For in- The O-Cloud platform in O-RAN architecture faces common cloud
stance, an unauthorized device on the Open-FH Ethernet L1 interface security risks, including software flaws, valid account access, and lack
could launch a flooding attack, causing unavailability or performance of interface authentication. Malicious actors can exploit VMs and con-
degradation of legitimate network elements. tainers running O-RAN components, leading to privilege escalation,
malware contamination, unauthorized deployment of VMs/containers,
3.1.2. Near-RT RIC Vulnerabilities root server access, and system destruction. They can also access and
manipulate sensitive data. Deploying vulnerable VMs/containers risks
Through standardized interfaces and hardware support, the Near-RT
DoS attacks on shared resources, which can be economically damaging
RIC provides a safe and reliable platform for hosting xApps. The xApps
if turned into an EDoS attack. Supply chain attacks can inject malicious
are independent of the Near-RT RIC and may be supplied by a third-
code or extract private keys from VM/container images. Additionally,
party vendor. The Near-RT RIC and xApps can be sources of different
an unprotected O2 interface between O-Cloud and SMO is vulnerable
security threats [14].
to MiTM attacks, allowing tampering and disclosure of services and
A malicious or compromised xApp has the potential to negatively
requests.
impact the service delivery for a subscriber, a group of subscribers,
or a specific geographic area by manipulating data collected from E2
nodes (i.e., O-DU, O-CU-CP and O-CU-UP) and A1 interface. It in- 3.3. Open Source Code Vulnerabilities
troduces also the risk of obtaining unauthorized access to E2 nodes and Open-source software is crucial for building the software-based O-
Near-RT RIC, exploiting the RAN functions and engendering harmful RAN architecture, used in both cloud infrastructure and O-RAN com-
effects to the overall system. Leakage of sensitive data (e.g., UE iden- ponents. It accelerates development, promotes vendor independence,
tification and location) is another menace that could stem from mali- and reduces costs. However, it also poses security challenges. The
cious/compromised xApps. The disclosure of sensitive information will open source code allows attackers to find and exploit vulnerabilities.
not only pose privacy violation issues but may also lead to the launch Without an accurate, up-to-date inventory of open-source codes and de-
of other attacks, such as impersonation and UE tracking attacks. The pendencies, managing and mitigating high-risk vulnerabilities becomes
Towards Secure Intelligent O-RAN Architecture 5

difficult due to the volume, variety, and lack of standard naming con- 4.1. Zero Trust
ventions. Zero Trust (ZT) is a valuable security model for enhancing O-RAN
security. Based on "never trust, always verify," it assumes breaches can
occur anytime from internal or external threats. ZT principles include
3.4. ML System Vulnerabilities
continuous identification and authentication, enforcing least-privilege
access, maintaining risk-based policies, checking communication chan-
Integrating ML techniques into O-RAN enhances autonomous RAN
nels, and continuous security monitoring. Implementing ZT protects the
functions but also introduces significant security challenges. ML mod-
entire O-RAN architecture, from hardware to applications. AI/ML tech-
els are vulnerable to adversarial attacks that manipulate decisions, com-
niques and Security-as-a-Service (SECaaS) enable ZT by allowing in-
promise model integrity, or reveal private information. Attacks include
stant threat identification and automated security adjustments [19, 20].
altering training datasets, injecting fake data during online learning, or
crafting inputs to deceive models during operation. Collaborative learn-
ing methods like FL face model poisoning attacks, where malicious 4.2. Blockchain
agents tamper with local model parameters to compromise the global Blockchain (BC) is a promising solution for securing O-RAN ar-
model. FL is also susceptible to inference attacks, allowing attackers to chitecture with a zero trust mindset. Its features of decentraliza-
deduce private training data using local model parameters [5, 17]. tion, immutability, transparency, auditability, and smart contract auto-
Based on accessibility, attacks on ML models can be categorized into execution support various security controls in O-RAN. These con-
white-box, black-box, and gray-box attacks [17]. Indeed, the adversar- trols include privacy-enhanced identity management, mutual authenti-
ial attack is considered as a white box, gray box, or black box when the cation, dynamic access control, integrity and non-repudiation of data
attacker can have full, partial, or no access to the training data and the and software, and secure resource sharing. For example, in AI se-
targeted model’s parameters and architecture, respectively. The white- curity, blockchain can ensure the integrity and provenance of data
box attack is deemed less realistic due to the assumption of an attacker in a ML pipeline and protect against poisoning attacks on FL mod-
with full knowledge, which is hard to achieve in real-world scenarios. els [18, 19, 21, 22, 23].

4.3. MTD
3.5. Threats against 5G Radio Networks
MTD has recently emerged as an effective approach to enable proac-
tive security. The core principle of MTD is to constantly and dynami-
Common threats to traditional RAN architectures are also applicable
cally modify the configuration of the network and services to increase
to O-RAN architecture. This includes (i) jamming attacks, which con-
uncertainty and complexity for attackers. In fact, the dynamicity intro-
sist of blocking radio signals; for example by introducing intentional
duced by MTD reduces the attacker’s opportunities to gather useful in-
interference in the communication channels; (ii) sniffing attacks, which
formation on vulnerabilities of the target environment, preventing their
focus on observing and collecting data packets with the purpose of ex-
exploitation. To this end, different MTD techniques can be applied,
tracting sensitive information (e.g., UE location and cell configuration)
which are broadly categorized into shuffling (e.g., network topology,
as well as using the extract information to craft new attacks; and (iii)
VMs/containers placement), diversity (e.g., in underlying technology
spoofing attacks, which refer to creating a fake signal that is hard to
used to implement or run a service), and redundancy (e.g., by providing
distinguish from the actual signal, allowing an attacker to impersonate
multiple replicas of a network component or service). In O-RAN, the
a base station, cause a DoS, or bypass physical-layer signal authentica-
MTD approach can be used to prevent intrusions, mitigate DoS attacks,
tion [17], among others.
and increase the robustness of ML models to adversarial attacks (Ta-
ble 1), among others. For example, the resiliency of ML models can be
3.6. Physical Threats strengthened by continuously changing the ML algorithm, the features
used for its training, or the model’s parameters [17]. Moreover, to de-
termine whether we have resources to allocate to UE, we can use the
Physical threats, though not unique to O-RAN, are crucial to under-
AI/ML method for the admission control system. This AI/ML system
standing its vulnerabilities. The physical infrastructure, including cell
can be protected using MTD by considering different AI/ML training
sites and data centers, faces risks from unauthorized access, power out-
models with different configurations that are chosen randomly by MTD.
ages, natural disasters, and hardware failures. Intruders can sabotage
hardware or alter settings to provoke DoS, inject malware, or access
other network components. Natural disasters like snow, floods, earth- 4.4. Large Language Models
quakes, and lightning can damage physical components. Lack of proper The deployment of Large Language Models (LLMs) within O-RAN
procedures for hardware failures and power outages increases the risk networks can significantly enhance cybersecurity measures by capital-
of unavailability. Physical security is more challenging in O-RAN due izing on their exceptional data processing and pattern recognition capa-
to the higher number of cell sites, data centers, and vendors. bilities. In the context of O-RAN, where a diverse array of virtualized
Table 1 summarizes the main security threats discussed above, high- network functions operates across open interfaces, LLMs can meticu-
lighting their impact on the CIA triad. Note that the threats marked with lously monitor and analyze network traffic and system logs. This en-
the (✓) sign affect a CIA principle, while those marked with (x) do not. ables the early detection of anomalous behaviors that could signal a se-
Moreover, (✓) and (x) indicate whether the potential mitigation of vul- curity breach, such as unusual login patterns or unexpected changes in
nerabilities through Zero Trust (ZT), Blockchain (BC), Moving Target data flow, which are critical in the multi-vendor O-RAN environment.
Defense (MTD), and LLM investigated in Section 4 is applicable or not, LLMs can dynamically adjust security policies for each O-RAN net-
respectively. work slice by analyzing data to make smart access choices, fine-tune
encryption, and improve intrusion detection, resulting in personalized
security. We can fine-tune the LLM system for specific tasks according
4. Security Solutions in O-RAN to our requirements for the next generation of RAN system [24, 25].
For instance, we can fine-tune the LLM system to analyze the data and
diagnosis to early warnings.
There are different possible solutions for security threats and vulnerabil- Let us consider a specific scenario: in the event of a sudden surge
ities [18]. This section discusses several key emerging technologies that in traffic indicating a potential DDoS attack within a network slice, an
can be leveraged to improve the security of the O-RAN architecture. LLM equipped with real-time analytics can autonomously adjust traffic
6 M. K. Motalleb et al.
Table 1
Impact of threats and vulnerabilities in O-RAN system on Confidentiality (C), Integrity (I) and Availability (A); and the Potential Mitigation of Vulnerabilities through
Zero Trust (ZT), Blockchain (BC), Moving Target Defense (MTD), Large Language Model (LLM).

Threats and Vulnerabilities C I A ZT BC MTD LLM

Conflicts among xApps or rApps x x ✓ x x ✓ ✓
Accessing a misconfigured x/rApps ✓ x x x ✓ x ✓
Altering Data through malicious x/rApps attacks ✓ ✓ x ✓ ✓ x ✓
Conflicts between Near-RT RIC and O-gNB/eNB x x ✓ x x ✓ ✓
FBS attacks on O-RU ✓ ✓ x ✓ ✓ x x
Eavesdropping on air interfaces ✓ x x x x x x
Accessing the O-RU/DU/CU and degrading the O-RAN’s performance x x ✓ x x ✓ x
MiTM attack from the Open-FH over M-plane or CUS-plane ✓ ✓ x ✓ ✓ x x
Misconfiguration, lack of isolation and security in the O-Cloud ✓ ✓ ✓ ✓ ✓ ✓ ✓
Open-source code vulnerabilities ✓ ✓ ✓ ✓ ✓ ✓ ✓
Adversarial attacks against ML ✓ ✓ ✓ ✓ ✓ ✓ ✓
Jamming attacks x x ✓ x x ✓ ✓
Spoofing attacks ✓ ✓ ✓ ✓ ✓ ✓ ✓
Physical threats ✓ ✓ ✓ x x x x

rules and resource allocations to mitigate the threat. This proactive ap- a secure and transparent method for firmware distribution and commu-
proach not only ensures uninterrupted service, but also enhances over- nication channel, while Zero Trust could prevent unauthorized access to
all security by continuously monitoring for vulnerabilities and updating the system.
configurations. In the realm of O-RAN, where AI/ML-driven solutions Misconfiguration, open-source code vulnerabilities, and adversar-
are paramount, LLMs can also contribute to the secure orchestration of ial attacks against machine learning can be secured by employing
network elements by generating and updating security configurations Blockchain for immutable logging and verification, Zero Trust for rig-
and orchestrating responses to threats in collaboration with the SMO orous access control and continuous authentication, and MTD to dy-
framework. This not only streamlines the management of complex O- namically alter the system’s attack surface, complicating potential ex-
RAN architectures, but also fortifies them against sophisticated cyber ploitation efforts. Moreover, LLM can help in detecting many threats
threats, ensuring the network’s integrity and the trust of its users. shown in Table 1 such as adversarial attacks against AI/ML using XAI,
By integrating LLMs into the O-RAN security strategy, network op- open-source code vulnerabilities, jamming and spoofing using various
erators can leverage the full potential of AI to maintain a robust, adap- analyses, and pattern recognition techniques.
tive, and intelligent defense system, keeping pace with the evolving
cyber-security landscape while supporting the continuous growth and
innovation inherent to O-RAN networks. 5. Secure O-RAN Case Studies
In addition, LLMs can be used to enhance XAI systems in O-RAN
by providing human-like explanations for the decisions and predictions In this section, we investigate two case studies: MTD-based Robust
made by various AI/ML components. As a result, XAI reduces the risk ML and LLM-based XAI Robust AI/ML in O-RAN. MTD and LLM-
of false positives and improves the accuracy of AI / ML security [26, based XAI were preferred over ZT and blockchain for securing the O-
27]. When systems or operators understand the reasoning behind AI RAN architecture with ML techniques due to their flexibility and ef-
decisions, they can fine-tune the system to be more precise, leading to ficiency. MTD provides dynamic protection against evolving threats,
better detection of genuine threats and fewer mistakes. In other words, while LLM-based XAI enables real-time anomaly detection and ex-
XAI with the help of LLMs not only makes AI more transparent but plainability. In contrast, ZT and blockchain face challenges related to
also smarter and more reliable when it comes to keeping the network scalability, complexity, and performance, making them less suitable for
safe [28]. the high-performance needs of O-RAN.
The first study explores the application of the MTD approach in
4.5. Effect of Security Solutions on different Vulnerabilities enhancing deep reinforcement learning methods for dynamic network
slice admission control within the O-RAN architecture. The second
This section examines the impact of ZT, BC, MTD, and LLM study focuses on the use of an LLM XAI system for diagnosing and
on the vulnerabilities listed in Table 1. Conflicts among xApps or explaining aberrant behavior.
rApps, and between Near-RT RIC and O-gNB/eNB, and accessing the
O-RU/DU/CU and degrading the O-RAN’s performance can be pre- 5.1. MTD-based Robust ML in O-RAN
vented and resolved by implementing the MTD method, which con-
stantly changes the configuration and environment of the system. More- This section presents a practical study, corroborating the capabilities
over, MTD could potentially mitigate jamming attacks by dynamically of the MTD approach in empowering robust DRL methods for dynamic
changing frequencies or communication patterns. network slice admission control in the O-RAN architecture [8]. While
BC can prevent misconfigured x/rApps from being accessed by en- AI/ML is essential in the O-RAN for functions such as resource allo-
suring that configurations are recorded immutably, making misconfigu- cation and network slicing, its security is vital to ensure the reliability
rations easier to detect. When malicious x/rApps attacks alter data, BC of 5G and 6G networks. Therefore, MTD is chosen for the study due
ensures data integrity, while Zero Trust prevents unauthorized access, to its agility in reconfiguring ML systems within O-RAN, effectively
mitigating risk. In order to prevent FBS attacks on O-RU and MiTM at- disrupting attack vectors and fortifying against the complex threats of
tacks from the Open-FH over M-plane or CUS-plane, BC could provide future wireless networks.
Towards Secure Intelligent O-RAN Architecture 7

5.1.1. System Scenario

RIC
We consider a scenario of service admission control, as shown in Fig. MTD-based Service Admission Control

3, in which we have two different services in the O-RAN architecture.

In order to provide a service requirement, a specific amount of resources
is needed. Each service is assigned to its slices based on the network
slicing technique in the O-RAN architecture. Each slice contains VNFs Inputs Output
in the O-DU and O-CU layers.
MTD
In this study, we implement a simulation for the O-RAN architecture Service
by considering the O-DU and O-CU as specific VNFs with memory re-
quirements. For simplicity, we assume that O-DU and O-CU use the
same processors. Additionally, in the near-RT RIC, the AI/ML models Server
VNF-11 VNF-21
are trained to solve the resource allocation problem. This model is im- O-CU
plemented as an xApp within the system. We suppose that the system VNF-1c VNF-2c CPU

has enough CPU and storage resources while it has restricted memory Memory
VNF-11 VNF-21
resources. We consider a dynamic resource allocation model for VNFs O-DU
of O-DU and O-CU slices for service admission control problems. Our Storage
VNF-1d VNF-2d

goal is to maximize the total service admission rate. We suppose that

services have the same priority in this system model. In this service, we
UE1 UES2 UE1 UES2
assume the system is dynamic, and in each time slot, we have service
Service 1 Service 2
requests from the two services that arrive following a Poisson process.
Additionally, we assume that these two services have a service depar-
ture rate that has an exponential distribution.
Fig. 3. MTD-based dynamic VNF placement scenario based on service request.
Suppose we have a tuple that represents the required resources for
VNF m in the O-DU or O-CU (mz , z ∈ c, d) within slice s, denoted as
z z z z
ψ̄sm = {ψmC,s , ψmS,s , ψmM,s }. Here, ψmC,s , ψmS,s , ψmB,s , and ψmM,s indicate the 5.1.3. Attack Model
required amounts of CPU, storage, bandwidth, and memory, respec-
This section describes a malicious adversarial attack on the proposed
tively, for the VNFs of the O-DU (d) or O-CU (c). Assume there are
PPO method. We consider a black-box poisoning attack against the
N data centers designated for the VNFs of the O-DU and O-CU. Each
PPO-based DRL agent. To this end, we use a weak adversary attack as
data center n possesses a memory resource capacity denoted as χns . As-
in [30] to attack the system. Suppose the attacker determines to attack
sume xmzs ,n ∈ 0, 1 is a binary variable indicating whether the VNF mzs
the time step t, it generates an arbitrary state ŝt and the associated reward
in layer O-DU/O-CU (z ∈ c, d) within slice s is being hosted by data
function r̂( ŝt , .). When the agent observes the altered state ŝt , it applies
center n. In this system model, we aim to maximize the service ad-
PN P M s action at and observes r̂( ŝt , at ), rather than r(st , at ).
mission rate ( n=1 m s =1 xm s ,n ) with the constraint that xm s ,n is a binary Therefore, we assume that in each time step, the state of the sys-
variable. Additionally, Ss=1 mMss=1 xms ,n ψ̄z,tot ≤ χnM,s ∀n, meaning that
P P
M,s tem, which is the remaining memory and the service arrival rate of two
the total memory used by the VNFs hosted on server n must not exceed services, is perturbed. In our simulations, we altered the service arrival
the server’s total memory. Hence the main problem is rates of two services and converted them to the uniform random variable
between zero and the service arrival rate. Therefore, we blocked part of
Ms
N X
X service arrival rates in these simulations based on the weak adversary
max xms ,n (1a)
X,M
n=1 m s =1
attack in [30].

xms ,n ψ̄z,tot ≤ χnM,s ∀n

PS P M s
subject to s=1 m s =1 M,s
(1b) 5.1.4. MTD technique
xms ,n ∈ {0, 1} ∀n, ∀s, ∀m s (1c) To tackle the adversarial attack issue, we adopt the MTD approach,
where the defender has multiple configurations for the ML models. In
This problem was modeled and solved in Python using the PPO model this scenario, as shown in Fig 3, we use four different PPO models
which is a DRL method. with varying configurations for learning. We assume that the adversarial
attacker can randomly affects one of these models during the training.
After the models are trained, a random model is selected among the four
5.1.2. Proposed Service Admission Algorithm models to run each input and returns the output generated by that model.
To solve this service admission control problem, we consider a DRL Thanks to the dynamicity introduced by the proposed MTD method,
method that is implemented in the Near-RT RIC. Moreover, we as- attackers will have less impact on the system because they attack one of
sume the memory is quantized [29]. Therefore, we have discrete action the models and do not know which model is selected.
and space. The DRL method adopted is Proximal Policy Optimization In this scenario, we delve into the O-RAN near-RT RIC architecture,
(PPO); an actor-critic method. Two models have been developed in the specifically employing the AI/ML approach, notably the PPO model,
Actor-Critic system, namely: the Actor and the Critic. The Actor de- for resource allocation. The RIC layer, constituting the new AI/ML
cides to take which action, and it updates the policy network for the controller within the O-RAN system, plays a pivotal role in service ad-
selected agent. The Critic corresponds to the value function. During mission control and resource allocation. As elucidated in the O-RAN
updating the Actor, the Critic modifies the network parameters for the white papers, RL methods find implementation within the near-RT RIC
value function. In the DRL models, we need to consider three aspects for the resource allocation. In this context, we explore the integration
to solve the optimization problem, namely state, action, and reward. In of MTD for fortifying the system. To accomplish this, we trained four
this system, the state is the remaining memory we have in each time distinct models, each configured as an individual xApp in the near RT
step, appended to the service arrival rate for two services which are ran- RIC.
dom variables with a Poisson distribution, while the actions are the ser-
vice admission for the two services that we considered. Moreover, the 5.1.5. Performance Results
reward is the function of the service admission rate and the remaining Here, we consider two different services with varying memory re-
memory. A reward is a huge negative number if the remaining memory quirements for the admission control problem (1). To evaluate the ef-
is less than zero. ficiency of the PPO-based dynamic service admission control solution
8 M. K. Motalleb et al.

0.8 92%
1 87%
21.5% Normal System Normal System 21%
Malicious System Malicious System
0.7 Secured MTD System Secured MTD System
0.8

Service Admission Rate

Service Admission Rate

0.6

0.5 0.6
0.4

0.3 0.4

0.2
0.2
0.1

0 0
6 8 10 12 20 30 40 50
Service Arrival Rate Service Departure Rate

(a) (b)

Fig. 4. Service admission rate vs. (a) mean service arrival rate and (b) mean service departure rate.

and the effectiveness of the proposed MTD method in withstanding ad- By leveraging the capabilities of the LLM-based XAI system, net-
versarial attacks against DRL, we consider three scenarios, as shown in work operators can gain a deeper understanding of the underlying issues
Fig. 4. In the first scenario, we have a normal system without any at- affecting AI/ML-driven service admission control. This will ensure that
tack. The system is trained using the PPO model to admit services based the integrity and security of the O-RAN system are maintained.
on their resource requirements. The system is implemented in Python,
considering two different services with distinct requirements. At each 5.2.1. System Scenario
time step, a varying number of requests arrive from these two services, In this system scenario, we show how the LLM-based XAI system
and we solve equation (1) using the PPO model, implemented via the can analyze the output data coming from the models (which can be the
Stable-Baselines3 library in Python. In the second scenario, the system service admission rate) and translate it into human-readable language
is under attack while using a single PPO model. In this case, the attacker to help the mobile operators to detect any attack to any trained mod-
manipulates the system state, specifically the remaining memory, and els of the MTD system. This represents an advanced MTD system that
alters its values. In the third scenario, we employ the proposed MTD integrates the LLM model and XAI to analyze and clarify attacks, sub-
technique with four PPO models. These four models are implemented sequently removing the affected model from the MTD system. Suppose
by varying hyperparameters, including the discount factor, batch size, one of the four models is targeted in an attack. When the system se-
learning rate, and others. We assume that the attacker targets one of lects this xApp, the data pattern for service admission differs from that
these PPO models. At each step in the MTD system, one of the models of other xApps (i.e., service admission is notably lower for this spe-
is selected for the admission control task. cific xApp compared to others). The LLM system can analyze the data
For the three scenarios, the average service admission rate is mea- pattern, identify the attacked model based on the pattern, describe it in
sured in terms of the mean service arrival rate and the mean service human-readable language, and then request action, which could be per-
departure rate. Fig. 4a and Fig. 4b report the comparative results. It is formed by either the system operator or the SMO, to remove the specific
observed that the service admission rate of the system decreases with xApp from the O-RAN system [31].
the increase of the service arrival rate, which is attributed to the lim-
ited available resources. Furthermore, as the service departure rate 5.2.2. Analyzing the system using LLM based on XAI
increased, the service admission rate increased due to the release of We studied Fig. 4-a (where service arrival rate is 12) whenever one
memory. We can also notice a significant enhancement in the system’s of the 4 trained models was attacked. We used GPT-4’s data analyst
performance under adversarial attacks after using the MTD technique. with isolation forest to spot unusual patterns in the outputs of these four
Fig. 4a shows that the secured MTD system experienced only 21.5% models over time. We provided the data to GPT-4 for the detection of
lower admission rate under adversarial attack, compared to 92% drop- malicious activity within the system. The service admission rates for
in admission rate when the system is not secured. Similar observations models x1, x2, and x4 were similar, averaging around 60%, whereas
hold true in Fig. 4b, where we can see that the secured MTD system model x3 averaged approximately 15%. We analyzed it using LLM
limited the attacker’s impact to 21% decrease in the admission rate, based on XAI. The LLM based XAI used the Isolation Forest algorithm
compared to 87% without protection from adversarial attacks. to analyze whether there is any anomaly detection in our system.
5.2. LLM-based XAI Robust AI/ML in O-RAN The results reveal significant differences and potential issues among
In a previous scenario, the AI/ML component responsible for service the series analyzed. Series x1 and x4 display consistent values with
admission control was managed using the PPO model. We assumed a moderate variation typical of time-series data. Series x2 shows higher
weak adversarial attack was in play. To diagnose and explain this un- peaks (e.g., 63) and slightly more variability, which seems contextually
usual behavior, an LLM XAI system could take action. For example, the normal. In contrast, series x3 stands out with consistently lower and
LLM could analyze the model’s decision-making process and generate less varied values. Identified as an anomaly by the Isolation Forest al-
a plain-language report: "The service admission model has rejected 15 gorithm, x3 exhibits significantly lower mean and variance compared to
devices in the last 15 minutes, a significant difference from its normal x1, x2, and x4. This deviation suggests poisoning attack or any error
pattern of one rejection per 15 minutes." in the system. Further investigation, including system log reviews, con-
The LLM system employs XAI techniques to identify the malicious figuration checks, or security audits, is essential to identify and address
model. Using the Isolation Forest technique, an unsupervised ML al- potential malicious activity or technical faults in x3.
gorithm for anomaly detection, the system can detect outlier data based
on features such as mean and variance. The LLM then explains these 6. Conclusion
anomalies in a human-readable format. This insight enables the O-RAN
system to quickly recognize malicious interference with the PPO model. In this paper, we first examined the O-RAN architecture, focusing on
An immediate investigation is recommended to confirm the nature of the the integration of network slicing and ML techniques within this sys-
detected anomaly and take steps to remove that model from the system. tem. We then conducted a detailed analysis of key vulnerabilities and
Towards Secure Intelligent O-RAN Architecture 9

threats affecting O-RAN, including risks associated with the RAN, O- [4] T. Taleb, C. Benzaïd, R. A. Addad, K. Samdanis, AI/ML for beyond 5G
Cloud, open-source code, ML, radio networks, and physical security. systems: Concepts, technology enablers & solutions, Computer Networks
To address these challenges, we explored four promising approaches: 237 (2023) 110044.
[5] D. Mimran, R. Bitton, Y. Kfir, E. Klevansky, O. Brodt, H. Lehmann,
the ZT concept, blockchain technology, LLMs, and MTD paradigms.
Y. Elovici, A. Shabtai, Evaluating the Security of Open Radio Access Net-
We also considered the CIA framework to evaluate both the attacks works, arXiv preprint arXiv:2201.06080.
and the proposed approaches. Additionally, we presented a proof of [6] H. Park, T.-H. Nguyen, L. Park, An investigation on open-ran specifi-
concept demonstrating the effectiveness of MTD in enhancing the re- cations: Use cases, security threats, requirements, discussions., CMES-
silience of DRL models against adversarial poisoning attacks. Computer Modeling in Engineering & Sciences (2024) 141 (1).
Furthermore, we examined a service admission control system within [7] H. A. Kholidy, A. Karam, J. Sidoran, M. A. Rahman, M. Mahmoud,
M. Badr, M. Mahmud, A. F. Sayed, Toward zero trust security in 5G open
the O-RAN architecture and addressed it using a PPO model. Three
architecture network slices, in: MILCOM 2022-2022 IEEE Military Com-
scenarios were analyzed: a normal system, a system under attack, and munications Conference (MILCOM), IEEE, 2022, pp. 577–582.
an MTD-enabled system with four PPO models operating under attack. [8] M. K. Motalleb, C. Benzaïd, T. Taleb, V. Shah-Mansouri, Moving target
Our findings demonstrate that the MTD approach significantly improves defense based secured network slicing system in the O-RAN architecture,
the system’s reliability in: GLOBECOM 2023-2023 IEEE Global Communications Conference,
We studied the impact of LLM-based Explainable AI (XAI) in de- IEEE, 2023, pp. 6358–6363.
tecting attacks within the O-RAN AI/ML system to enhance the MTD [9] M. K. Motalleb, V. Shah-Mansouri, S. N. Naghadeh, Joint power al-
location and network slicing in an open ran system, arXiv preprint
technique. Using ChatGPT-4o, we analyzed data to identify malicious
arXiv:1911.01904 (2019).
activity. The LLM successfully detected an attack and issued a warning [10] O-RAN Security Focus Group (SFG) Study on Security for O-Cloud
to isolate the affected system from the MTD framework . v01.00, https://www.o-ran.org/o-ran-resources (2022), (ac-
cessed 01 November 2024).
6.1. Limitations and Future Research Directions [11] O-RAN Alliance Working Group 1, O-RAN-Architecture-Description-
v06.00, https://www.o-ran.org/o-ran-resources (2022), (ac-
While the four proposed approaches offer significant benefits, secur-
cessed 01 November 2024).
ing O-RAN still faces several challenges: (i) maintaining continuous [12] A. Javadpour, F. Ja’fari, T. Taleb, C. Benzaïd, Reinforcement learning-
risk monitoring without impacting network performance for ZT, (ii) ad- based slice isolation against DDOS attacks in beyond 5G networks, IEEE
dressing scalability, performance, and privacy issues in blockchain, (iii) Transactions on Network and Service Management 20 (3) (2023) 3930–
developing MTD strategies that balance security, performance, and cost, 3946.
and (iv) leveraging LLMs to automate tasks, enhance explainable AI [13] ORAN ALLIANCE Working Group 2 Study AI/ML Workflow
(XAI), and reduce risks in AI/ML systems. Moreover, a key limitation Description and Requirements v01.03, https://www.o-ran.org/
o-ran-resources (2021), (accessed 01 November 2024).
of LLM-based XAI system is its dependence on accurate anomaly de- [14] ORAN ALLIANCE- Security Focus Group (SFG), O-RAN Security
tection, which can be affected by false positives. Additionally, evolving Threat Modeling and Remediation Analysis v03.00, https://www.
threat patterns may reduce the model’s ability to adapt in real-time. o-ran.org/o-ran-resources (2022), (accessed 01 November 2024).
In addition, To enhance system security through MTD, it is crucial to [15] D. Dik, M. S. Berger, Open-ran fronthaul transport security architecture
deploy and train multiple models, despite inherent limitations. Future and implementation, IEEE Access 11 (2023) 46185–46203.
MTD strategies should focus on developing an optimal selection mech- [16] J. Groen, S. D’Oro, U. Demir, L. Bonati, M. Polese, T. Melodia, K. Chowd-
hury, Implementing and evaluating security in O-RAN: Interfaces, intelli-
anism based on model probability. For example, if an XAI-based model
gence, and platforms, IEEE Network 2024.
is identified as an anomaly-prone model, its selection probability within [17] C. Benzaïd, T. Taleb, AI for Beyond 5G Networks: A Cyber-Security De-
the MTD system can be progressively reduced with each iteration until fense or Offense Enabler?, IEEE Network 34 (6) (2020) 140 – 147.
it is eventually excluded from the model pool. [18] C. Benzaid, T. Taleb, M. Z. Farooqi, Trust in 5G and Beyond Networks,
IEEE Network Magazine 35 (3) (2021) 212 – 222.
[19] C. Benzaid, T. Taleb, J. Song, AI-based autonomic and scalable security
7. Acknowledgements management architecture for secure network slicing in B5G, IEEE Net-
work 36 (6) (2022) 165–174.
Prof. Jaeho Kim was supported by the Institute of Informa- [20] H. Jiang, H. Chang, S. Mukherjee, J. Van der Merwe, Oztrust: An o-ran
tion & Communications Technology Planning & Evaluation (IITP)- zero-trust security system, in: 2023 IEEE Conference on Network Function
Information Technology Research Center (ITRC) grant funded by the Virtualization and Software Defined Networks (NFV-SDN), IEEE, 2023,
Korea government(IITP-2025-RS-2021-II211816) and by the Technol- pp. 129–134.
[21] S. K. Poorazad, C. Benzaïd, T. Taleb, Blockchain and deep learning-based
ogy Innovation Program (RS-2022-00154678) funded By the Ministry
IDS for securing SDN-Enabled industrial iot environments, in: GLOBE-
of Trade, Industry & Energy (MOTIE, South Korea). In addition, COM 2023-2023 IEEE Global Communications Conference, IEEE, 2023,
this work was partly conducted at ICTFICIAL Oy, Finland. It was pp. 2760–2765.
partly funded by the European Union’s HORIZON-JUSNS-2023 HE re- [22] X. Wang, B. Wang, Y. Wu, Z. Ning, S. Guo, F. R. Yu, A survey on trust-
search and innovation program (6G Path project, Grant No. 101139172) worthy edge intelligence: From security and reliability to transparency and
and the European Union’s Horizon Europe research and innovation sustainability, IEEE Communications Surveys & Tutorials 2024.
[23] L. Giupponi, F. Wilhelmi, Blockchain-enabled network sharing for O-
programme HORIZON-JU-SNS-2022 under the RIGOUROUS project
RAN, arXiv preprint arXiv:2107.02005.
(GrantNo. 101095933). The views expressed are solely those of the [24] Z. Lin, G. Qu, Q. Chen, X. Chen, Z. Chen, K. Huang, Pushing large lan-
authors, and the European Commission is not responsible for any use of guage models to the 6g edge: Vision, challenges, and opportunities, arXiv
this information. preprint arXiv:2309.16739.
[25] T. Senevirathna, V. H. La, S. Marchal, B. Siniarski, M. Liyanage, S. Wang,
A Survey on XAI for 5G and Beyond Security: Technical Aspects, Chal-
References lenges and Research Directions, IEEE Communications Surveys & Tutori-
als (2024).
[1] M. Polese, L. Bonati, S. D’oro, S. Basagni, T. Melodia, Understanding [26] E. Cambria, L. Malandri, F. Mercorio, N. Nobani, A. Seveso, XAI meets
O-RAN: Architecture, interfaces, algorithms, security, and research chal- llms: A survey of the relation between explainable AI and large language
lenges, IEEE Communications Surveys & Tutorials 25 (2) (2023) 1376– models, arXiv preprint arXiv:2407.15248 (2024).
1411. [27] X. Wu, H. Zhao, Y. Zhu, Y. Shi, F. Yang, T. Liu, X. Zhai, W. Yao, J. Li,
[2] M. K. Motalleb, V. Shah-Mansouri, S. Parsaeefard, O. L. A. López, Re- M. Du, et al., Usable XAI: 10 strategies towards exploiting explainability
source allocation in an open ran system using network slicing, IEEE Trans- in the LLM era, arXiv preprint arXiv:2403.08946 (2024).
actions on Network and Service Management 20 (1) (2022) 471–485. [28] T. Datta, J. P. Dickerson, Who’s thinking? a push for human-centered eval-
[3] S. Nouri, M. K. Motalleb, V. Shah-Mansouri, S. P. Shariatpanahi, Semi-
uation of LLMs using the XAI playbook, arXiv preprint arXiv:2303.06223
supervised learning approach for efficient resource allocation with network
(2023).
slicing in O-RAN, arXiv preprint arXiv:2401.08861.
10 M. K. Motalleb et al.

[29] A. Javadpour, F. Ja’fari, T. Taleb, C. Benzaïd, Enhancing 5G network slic- Conference on Machine Learning, PMLR, 2021, pp. 11296–11306.
ing: Slice isolation via actor-critic reinforcement learning with optimal [31] A. J. Dave, T. N. Nguyen, R. B. Vilim, Integrating LLMs for explainable
graph features, in: GLOBECOM 2023-2023 IEEE Global Communica- fault diagnosis in complex systems, arXiv preprint arXiv:2402.06695.
tions Conference, IEEE, 2023, pp. 31–37.
[30] T. Wu, Y. Yang, S. Du, L. Wang, On Reinforcement Learning with Ad-
versarial Corruption and its Application to Block MDP, in: International
Declaration of interests

☐ The authors declare that they have no known competing financial interests or personal
relationships that could have appeared to influence the work reported in this paper.

☐ The authors declare the following financial interests/personal relationships which may
be considered as potential competing interests:

Author’s name Affiliation

Mojdeh Karbalaee Motalleb University of Tehran
Chafika Benzaid University of Oulu
Tarik Taleb Ruhr University Bochum
Marcos Katz University of Oulu
Vahid Shah-Mansouri University of Tehran
Jaeho Kim Sejong University