
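Graduate student: 陳宥潤 (You-Run Chen)
Thesis title: O-RAN-Enabled Malicious and Anomalous xAPP Detector (支援 O-RAN 的惡意及異常 xAPP 檢測器)
Advisor: 鄭欣明 (Shin-Ming Cheng)
Oral defense committee: 徐瑞壕 (Ruei-Hau Hsu), 柯拉飛 (Rafael Kaliski), 王紹睿 (Shao-Jui Wang), 鄭欣明 (Shin-Ming Cheng)
Degree: Master
Department: College of Electrical Engineering and Computer Science - Department of Computer Science and Information Engineering
Publication year: 2023
Academic year of graduation: 111
Language: English
Number of pages: 47
Keywords (Chinese): Open Radio Access Network, malicious xAPP, anomalous xAPP, malware detection, O-RAN sandbox
Keywords (English): O-RAN, malicious xAPP, anomalous xAPP, malware detection, O-RAN Sandbox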
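  • Open Radio Access Network (O-RAN), the next-generation RAN, provides an open RAN architecture that allows more flexible development and deployment. To manage the large number of base stations and the diverse UE devices more effectively, O-RAN introduces the Radio Intelligent Controller (RIC). Developers upload xAPPs to the Near-Real-Time RIC (Near-RT RIC); these collect data from the O-CU and O-DU nodes in O-RAN, analyze the collected data with the machine learning models in the xAPP to produce decisions, and return those decisions to the O-CU and O-DU for execution through the standard interfaces defined by the O-RAN Alliance, in order to optimize O-RAN node performance and resource allocation and improve the quality experienced on the UE side. However, the O-RAN Alliance provides no inspection mechanism for the process by which developers upload xAPPs to the Near-RT RIC. This means that developers could in the future upload xAPPs containing malicious code to the Near-RT RIC and plant backdoors in the O-RAN system, allowing an xAPP to access services on the O-CU, O-DU, or Near-RT RIC without authorization, which would seriously affect the security of the O-RAN architecture. We propose a detection mechanism that is compatible with the xAPP deployment process proposed by the O-RAN Software Community (O-RAN SC). Our detection mechanism provides malware detection and also provides an O-RAN sandbox environment, with the goal of detecting xAPPs with malicious or anomalous behavior in order to improve the security and reliability of the O-RAN architecture. Experiments show that our xAPP detector can effectively detect malicious and anomalous xAPPs in the O-RAN architecture.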


    The Open Radio Access Network (O-RAN) is a next-generation RAN architecture that provides a more flexible and open architecture for development and deployment. To effectively manage a large number of cells and heterogeneous UE, O-RAN introduces the Radio Intelligent Controller (RIC). Third-party developers can upload xAPPs to the Near Real Time (Near-RT) RIC, which collects data from the O-CU and O-DU nodes located in the O-RAN. The machine learning models employed in an xAPP analyze the collected data and generate decisions, which are then returned to the O-CU and O-DU for execution through standard interfaces defined by the O-RAN Alliance. This optimization of O-RAN node performance and resource allocation enhances the Quality of Experience (QoE) for UE users. However, the O-RAN Alliance does not provide any detection mechanism for the process by which developers upload xAPPs to the Near-RT RIC. This means that, in the future, developers could upload xAPPs with malicious behavior to the Near-RT RIC, creating backdoors in the O-RAN system. Such an xAPP could gain unauthorized access to services on the O-CU, O-DU, or Near-RT RIC, which would have a serious impact on the security of the O-RAN architecture. To address this issue, we propose a detection mechanism that is compatible with the xAPP deployment process proposed by the O-RAN Software Community (O-RAN SC). Our detection mechanism provides malware detection together with an O-RAN sandbox environment, and aims to detect malicious and anomalous xAPPs, enhancing the security and reliability of the O-RAN architecture. The experiments show that our xAPP detector can effectively detect malicious and anomalous xAPPs within the O-RAN architecture.

    Contents
    Abstract in Chinese
    Abstract in English
    Contents
    List of Figures
    List of Tables
    List of Algorithms
    1 Introduction
    2 Background and Related Work
        2.0.1 Components and Interfaces related to xAPP in O-RAN
        2.0.2 xAPP Deployment Procedure
        2.0.3 xAPP Evolution
        2.0.4 xAPP Possible Threats
        2.0.5 Malicious ELF Detectors
    3 xAPP Detection Mechanism
        3.0.1 Static Detection for Malicious xAPP
        3.0.2 xAPP Sandbox for Anomaly Detection
    4 Experiment Result
        4.0.1 O-RAN Experiment Environment
        4.0.2 Malicious xAPP Detection Based on FCG
        4.0.3 O-RAN Sandbox
    5 Conclusion
    References


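    Full-text release date: 2028/08/10 (campus network)
    Full-text release date: 2028/08/10 (off-campus network)
    Full-text release date: 2028/08/10 (National Central Library: National Digital Library of Theses and Dissertations in Taiwan)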