ARGOS: Anomaly Recognition and Guarding through O-RAN Sensing
Stavros Dimou, Guevara Noubir

TL;DR
ARGOS is an O-RAN compliant intrusion detection system that detects RBS downgrade attacks in real time using unsupervised machine learning on cross-layer UE telemetry, achieving high accuracy with minimal false positives.
Contribution
This work introduces ARGOS, the first O-RAN compliant IDS for real-time RBS downgrade attack detection utilizing enhanced UE-level telemetry and unsupervised ML models.
Findings
VAE model achieves 99.5% accuracy
False positive rate is only 0.6%
System operates with minimal overhead
Abstract
Rogue Base Station (RBS) attacks, particularly those exploiting downgrade vulnerabilities, remain a persistent threat as 5G Standalone (SA) deployments are still limited and User Equipment (UE) manufacturers continue to support legacy network connectivity. This work introduces ARGOS, a comprehensive O-RAN compliant Intrusion Detection System (IDS) deployed within the Near Real-Time RIC, designed to detect RBS downgrade attacks in real time, an area previously unexplored within the O-RAN context. The system enhances the 3GPP KPM Service Model to enable richer, UE-level telemetry and features a custom xApp that applies unsupervised Machine Learning models for anomaly detection. Distinctively, the updated KPM Service Model operates on cross-layer features extracted from Modem Layer 1 (ML1) logs and Measurement Reports collected directly from Commercial Off-The-Shelf (COTS) UEs. To evaluate…
Taxonomy
Topics: Network Security and Intrusion Detection · Anomaly Detection Techniques and Applications · Smart Grid Security and Resilience
