Interpretable Anomaly-Based DDoS Detection in AI-RAN with XAI and LLMs

TL;DR

This paper introduces an interpretable anomaly detection system for DDoS attacks in 5G RANs, combining LSTM models with LLM-based explanations to improve security and transparency in next-generation networks.

Contribution

It proposes a novel LLM-assisted, interpretable DDoS detection framework using multivariate time series data from 5G networks, integrating explainability methods for better user understanding.

Findings

High detection accuracy with F1-score > 0.96

Effective use of LIME and SHAP for model interpretability

Natural language explanations accessible to non-experts

Abstract

Next generation Radio Access Networks (RANs) introduce programmability, intelligence, and near real-time control through intelligent controllers, enabling enhanced security within the RAN and across broader 5G/6G infrastructures. This paper presents a comprehensive survey highlighting opportunities, challenges, and research gaps for Large Language Models (LLMs)-assisted explainable (XAI) intrusion detection (IDS) for secure future RAN environments. Motivated by this, we propose an LLM interpretable anomaly-based detection system for distributed denial-of-service (DDoS) attacks using multivariate time series key performance measures (KPMs), extracted from E2 nodes, within the Near Real-Time RAN Intelligent Controller (Near-RT RIC). An LSTM-based model is trained to identify malicious User Equipment (UE) behavior based on these KPMs. To enhance transparency, we apply post-hoc local explainability methods such as LIME and SHAP to interpret individual predictions. Furthermore, LLMs are employed to convert technical explanations into natural-language insights accessible to non-expert users. Experimental results on real 5G network KPMs demonstrate that our framework achieves high detection accuracy (F1-score > 0.96) while delivering actionable and interpretable outputs.