KPI Poisoning: An Attack in Open RAN Near Real-Time Control Loop

TL;DR

This paper introduces a novel KPI poisoning attack in Open RAN's near real-time control loops, demonstrating its potential impact and proposing an LSTM-based detection method with high accuracy improvements.

Contribution

It identifies a new security threat in Open RAN, analyzes its effects, and develops an ML-based detection approach using LSTM neural networks.

Findings

Detection rates improved from 62% to 99% with more report sequences.

Amplified injected values are easier to detect.

KPI poisoning can significantly disrupt Open RAN operations.

Abstract

Open Radio Access Network (Open RAN) is a new paradigm to provide fundamental features for supporting next-generation mobile networks. Disaggregation, virtualisation, closed-loop data-driven control, and open interfaces bring flexibility and interoperability to the network deployment. However, these features also create a new surface for security threats. In this paper, we introduce Key Performance Indicators (KPIs) poisoning attack in Near Real-Time control loops as a new form of threat that can have significant effects on the Open RAN functionality. This threat can arise from traffic spoofing on the E2 interface or compromised E2 nodes. The role of KPIs is explored in the use cases of Near Real-Time control loops. Then, the potential impacts of the attack are analysed. An ML-based approach is proposed to detect poisoned KPI values before using them in control loops. Emulations are conducted to generate KPI reports and inject anomalies into the values. A Long Short-Term Memory (LSTM) neural network model is used to detect anomalies. The results show that more amplified injected values are more accessible to detect, and using more report sequences leads to better performance in anomaly detection, with detection rates improving from 62% to 99%.