Robust Anomaly Detection in O-RAN: Leveraging LLMs against Data Manipulation Attacks

TL;DR

This paper explores using Large Language Models (LLMs) for anomaly detection in O-RAN networks, demonstrating their robustness against data manipulation attacks like hypoglyphs and their suitability for real-time deployment.

Contribution

The study introduces LLM-based anomaly detection methods for O-RAN, showing improved robustness against data manipulation attacks compared to traditional ML approaches.

Findings

LLMs maintain operational performance under data manipulation attacks.

LLMs process manipulated messages without crashing, unlike traditional ML methods.

Detection latency of LLMs is under 0.07 seconds, suitable for Near-RT RIC deployments.

Abstract

The introduction of 5G and the Open Radio Access Network (O-RAN) architecture has enabled more flexible and intelligent network deployments. However, the increased complexity and openness of these architectures also introduce novel security challenges, such as data manipulation attacks on the semi-standardised Shared Data Layer (SDL) within the O-RAN platform through malicious xApps. In particular, malicious xApps can exploit this vulnerability by introducing subtle Unicode-wise alterations (hypoglyphs) into the data that are being used by traditional machine learning (ML)-based anomaly detection methods. These Unicode-wise manipulations can potentially bypass detection and cause failures in anomaly detection systems based on traditional ML, such as AutoEncoders, which are unable to process hypoglyphed data without crashing. We investigate the use of Large Language Models (LLMs) for anomaly detection within the O-RAN architecture to address this challenge. We demonstrate that LLM-based xApps maintain robust operational performance and are capable of processing manipulated messages without crashing. While initial detection accuracy requires further improvements, our results highlight the robustness of LLMs to adversarial attacks such as hypoglyphs in input data. There is potential to use their adaptability through prompt engineering to further improve the accuracy, although this requires further research. Additionally, we show that LLMs achieve low detection latency (under 0.07 seconds), making them suitable for Near-Real-Time (Near-RT) RIC deployments.