Anomaly Detection for Mitigating xApp and E2 Interface Threats in O-RAN Near-RT RIC

As 5G networks advance, the Open Radio Access Network (O-RAN) is crucial in enabling openness and fostering collaboration across the telecom industry. O-RAN enhances flexibility, scalability, and interoperability through open interfaces, reducing dependence on a single vendor and promoting interoperability among vendors and solutions. The Near-Real-Time Radio Intelligent Controller (Near-RT RIC) is crucial for optimizing network resources and improving user experience. However, the openness of O-RAN also introduces security challenges, particularly from third-party developed xApps and E2 nodes that may exploit vulnerabilities to launch attacks. This paper proposes an anomaly traffic detector to protect the Near-RT RIC from threats on the E2 interface. The anomaly traffic detector verifies the legality of signaling through an internal state machine analysis module and checks packet fields through a conformance check module while monitoring network traffic in real time to detect and mitigate Denial of Service attacks. Additionally, we designed a fuzzer to simulate random attacks, testing the capability of the anomaly traffic detector. The anomaly traffic detector not only successfully passes the test cases highlighted in the O-RAN Security Test Specifications, effectively detecting unauthorized traffic and signaling, but also identifies real-world vulnerability exploits, including CVE-2023-40997, CVE-2023-40998, CVE-2023-41627, and CVE-2023-41628, thereby significantly enhancing the security of the Near-RT RIC.