Towards a Multi-Layer Defence Framework for Securing Near-Real-Time Operations in Open RAN

TL;DR

This paper introduces a multi-layer security framework for near-real-time Open RAN control operations, combining detection modules for message, data, and control logic threats to enhance runtime security with minimal latency impact.

Contribution

It presents a novel multi-layer defence framework with specific detection and mitigation modules tailored for near-RT RIC security in Open RAN environments.

Findings

Effective threat detection with low latency overheads

Framework operates within 80 ms delay for 500 UEs

Demonstrated practical integration on testbed

Abstract

Securing the near-real-time (near-RT) control operations in Open Radio Access Networks (Open RAN) is increasingly critical, yet remains insufficiently addressed, as new runtime threats target the control loop while the system is operational. In this paper, we propose a multi-layer defence framework designed to enhance the security of near-RT RAN Intelligent Controller (RIC) operations. We classify operational-time threats into three categories, message-level, data-level, and control logic-level, and design and implement a dedicated detection and mitigation component for each: a signature-based E2 message inspection module performing structural and semantic validation of signalling exchanges, a telemetry poisoning detector based on temporal anomaly scoring using an LSTM network, and a runtime xApp attestation mechanism based on execution-time hash challenge-response. The framework is evaluated on an O-RAN testbed comprising FlexRIC and a commercial RAN emulator, demonstrating effective detection rates, low latency overheads, and practical integration feasibility. Results indicate that the proposed safeguards can operate within near-RT time constraints while significantly improving protection against runtime attacks, introducing less than 80 ms overhead for a network with 500 User Equipment (UEs). Overall, this work lays the foundation for deployable, layered, and policy-driven runtime security architectures for the near-RT RIC control loop in Open RAN, and provides an extensible framework into which future mitigation policies and threat-specific modules can be integrated.