pith. machine review for the scientific record.

arxiv: 2605.14032 · v1 · submitted 2026-05-13 · 💻 cs.NI · cs.CR


StormShield: Fingerprint-Based Detection and Mitigation of RRC Signaling Storms in O-RAN 5G RANs


Pith reviewed 2026-05-15 02:34 UTC · model grok-4.3

classification 💻 cs.NI cs.CR
keywords: RRC signaling storms, 5G security, O-RAN, DoS mitigation, fingerprinting, xApp, near-RT RIC, gNB protection

The pith

StormShield fingerprints malicious UEs to block RRC signaling storms in O-RAN 5G before gNB resources are exhausted.

A machine-rendered reading of the paper's core claim, the machinery that carries it, and where it could break.

The paper evaluates how RRC signaling storms allow malicious user equipment to exhaust gNB resources and prevent legitimate connections in 5G networks. It presents StormShield as an xApp running on the O-RAN near-RT RIC that fingerprints and blocks these malicious UEs early in the attack. The system was built and tested on an over-the-air testbed using OpenAirInterface with two different gNB setups, one using an SDR with 8.1 split and one using a commercial radio unit with 7.2 split. Experiments show it stops resource exhaustion by identifying and blocking attackers with 97.6 percent average accuracy inside 106.5 milliseconds. This approach improves on prior methods that were limited to simulations, could not separate attacks from normal high load, and ignored mobility.

Core claim

StormShield, implemented as an xApp on the O-RAN near-RT RIC, fingerprints malicious UEs from their RRC signaling behavior and blocks them to prevent gNB resource exhaustion, achieving an average detection accuracy of 97.6 percent within 106.5 ms from the start of the attack across OTA testbeds with OpenAirInterface, NVIDIA Aerial, and two distinct gNB hardware configurations.

What carries the argument

The xApp on the near-RT RIC that extracts fingerprints from RRC signaling patterns of MUEs and issues block commands to the gNB.

If this is right

  • gNB resources stay available for legitimate UEs even during active signaling storm attacks.
  • Attackers are blocked before they can exhaust control-plane capacity.
  • The mitigation runs in real time within the O-RAN architecture without requiring changes to the core 5G protocol stack.
  • Detection accuracy holds across both SDR-based and commercial radio-unit gNB deployments.

Where Pith is reading between the lines

These are editorial extensions of the paper, not claims the author makes directly.

  • The same fingerprinting logic could be reused to detect other control-plane flooding attacks in 5G.
  • Coordination between multiple xApps on the RIC could combine StormShield with traffic steering or load balancing for layered defenses.
  • Extending the testbed to include more UE vendors and higher mobility scenarios would reveal whether the current accuracy generalizes.

Load-bearing premise

The fingerprint remains reliable under real-world mobility, varying traffic loads, and UE implementations beyond the two gNB setups tested in the OTA testbed.

What would settle it

An experiment in which detection accuracy drops below 90 percent when UEs move at vehicular speeds or use previously unseen device implementations while generating signaling storms.

Figures

Figures reproduced from arXiv: 2605.14032 by Andrea Lacava, Francesca Cuomo, Leonardo Bonati, Michele Polese, Noemi Giustini, Stefano Maxenti, Tommaso Melodia.

Figure 1: Comparison between Normal UE and MUE Behavior
Figure 2: Clustering Results: Denser Clusters during an At
Figure 3: Architectures of the OTA Testbed Setups used to Prototype and Evaluate StormShield
Figure 5: Floor Map with Positions of gNBs, MUEs, and VUE
Figure 6: Resource Depletion Time vs. Max. #UEs Connected
Figure 7: Success Rate Across Positions P1-P5
…ous experiments in Tab. 4 to provide a comprehensive overview of StormShield capabilities. To evaluate fingerprint robustness and RSSI stability, we conduct additional experiments to (i) assess the separability of the fingerprint across multiple locations and (ii) quantify its stability under fixed transmission conditions. We place the VUE at 8 distinct fixed positions …
Figure 9: Detection and Mitigation vs Depletion Times
Figure 8: Aging Timeout Evolution vs. Windows Δ
Finally, we measure different time metrics to assess the performance of the detection and mitigation process: the detection time, i.e., the time required by the xApp to recognize an ongoing attack and detect the presence of a MUE; the mitigation time, namely the time needed to apply countermeasures once detection occurs; and the depletion time, defined as the time unt…
Original abstract

5G networks provide low-latency, high throughput, and massive connectivity, yet the control plane remains exposed to several security threats. Among the most common and impactful threats are Denial-of-Service (DoS) attacks, with Radio Resource Control (RRC) signaling storms being particularly effective and difficult to mitigate. In this attack, a malicious User Equipment (UE) aims to exhaust Next Generation Node Base (gNB) resources, preventing legitimate UEs from establishing a connection. Existing defenses are typically limited to detection, only evaluated through numerical simulations, and cannot discern between high-load network conditions and attacks. Most of them also assume static setups and do not take mobility into account. In this paper, we first evaluate the feasibility of the signaling storm attack by using the OpenAirInterface (OAI) 5G protocol stack. Then, we propose StormShield, a signaling storm attack detection and mitigation technique implemented as an xApp on an O-RAN Near-Real-Time (near-RT) RAN Intelligent Controller (RIC). It fingerprints and blocks Malicious UEs (MUEs) before gNB resources are exhausted. We prototyped our solution on an Over-The-Air (OTA) testbed with OAI, NVIDIA Aerial, and two different gNB setups. The first one leverages a USRP X410 Software-defined Radio (SDR) with 8.1 functional split; the second a commercial Foxconn Radio Unit (RU) with 7.2 functional split. Our experimental evaluation demonstrates that StormShield effectively prevents gNB resource exhaustion, identifying and blocking MUEs with an average detection accuracy of 97.6% within 106.5 ms from the beginning of the attack.
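The abstract says prior defenses cannot tell a storm from legitimate high load. The sketch below is an added illustration of one way a fingerprint can make that distinction; it is not code from the paper or from Pith. The feature pair (RSSI, timing advance), the DBSCAN-style clustering, the thresholds, the record schema and all sample records are assumptions made here; the page itself names only RRC signaling behaviour, RSSI stability and clustering.

```python
import math
from collections import namedtuple

# Hypothetical record for one RRC connection attempt seen by the xApp.
Attempt = namedtuple("Attempt", "t_ms ue_id rssi_dbm timing_adv")

EPS, MIN_PTS, WINDOW_MS = 2.0, 8, 100   # assumed tuning values, not the paper's

def feat(a):
    return (a.rssi_dbm, a.timing_adv)

def dense_clusters(pts):
    """Minimal DBSCAN: groups of attempts with >= MIN_PTS neighbours within EPS."""
    def near(i):
        return [j for j in range(len(pts))
                if math.dist(feat(pts[i]), feat(pts[j])) <= EPS]
    label, clusters = {}, []
    for i in range(len(pts)):
        if i in label:
            continue
        seeds = near(i)
        if len(seeds) < MIN_PTS:
            label[i] = None               # noise unless a cluster later claims it
            continue
        cid = len(clusters)
        clusters.append([])
        queue = seeds
        while queue:
            j = queue.pop()
            if label.get(j) is not None:
                continue                  # already assigned to a cluster
            expand = j not in label       # border points (old noise) do not expand
            label[j] = cid
            clusters[cid].append(pts[j])
            if expand:
                nb = near(j)
                if len(nb) >= MIN_PTS:
                    queue.extend(nb)
    return clusters

def storm_fingerprints(attempts, now_ms):
    """Centroids of dense clusters in which many identities share one radio."""
    recent = [a for a in attempts if now_ms - WINDOW_MS <= a.t_ms <= now_ms]
    found = []
    for c in dense_clusters(recent):
        if len({a.ue_id for a in c}) >= MIN_PTS:
            found.append(tuple(sum(v) / len(c) for v in zip(*map(feat, c))))
    return found

def should_block(a, fingerprints):
    return any(math.dist(feat(a), fp) <= EPS for fp in fingerprints)

# Constructed sample data (not measurements from the paper).
STORM = [Attempt(10 + 7 * i, f"rnd-{i}", -70 + 0.5 * (i % 3), 5) for i in range(12)]
HIGH_LOAD = [Attempt(12 + 7 * i, f"ue-{i}", -60 - 4 * i, 20 + i) for i in range(12)]
RETRY = [Attempt(15 + 8 * i, "ue-retry", -85, 9) for i in range(10)]
```

In this sketch a legitimate UE whose radio features fall within `EPS` of a flagged centroid would also be blocked, so the choice of features and radius decides the false-positive rate.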

Editorial analysis

A structured set of objections, weighed in public.

Desk editor's note, referee report, simulated authors' rebuttal, and a circularity audit. Tearing a paper down is the easy half of reading it; the pith above is the substance, this is the friction.

Referee Report

1 major / 1 minor

Summary. The manuscript proposes StormShield, an xApp running on the O-RAN near-RT RIC that fingerprints RRC signaling patterns to detect and block malicious UEs (MUEs) launching signaling-storm DoS attacks against the gNB. After demonstrating attack feasibility with OpenAirInterface, the authors implement and evaluate the scheme on an OTA testbed using two gNB configurations (USRP X410 with 8.1 split and Foxconn RU with 7.2 split), reporting 97.6% average detection accuracy and 106.5 ms mitigation latency from attack onset, thereby preventing resource exhaustion.

Significance. If the fingerprint generalizes, the work would constitute a practical, O-RAN-native defense against a well-known control-plane DoS vector, moving beyond simulation-only detection to hardware-validated mitigation with sub-100 ms response. The dual-setup OTA evaluation with distinct functional splits is a clear strength relative to prior numerical studies.

major comments (1)
  1. §5 (Experimental Evaluation): The headline claims of 97.6% detection accuracy and 106.5 ms mitigation latency rest exclusively on experiments with two specific gNB hardware setups and the UE implementations present in the OTA testbed. No results are reported for other commercial UE stacks, mobility-induced channel conditions, or varying background traffic loads; because the fingerprint features are not shown to remain discriminative outside these conditions, the assertion that StormShield 'effectively prevents gNB resource exhaustion' in realistic deployments is not yet supported.
minor comments (1)
  1. Abstract: The reported 'average detection accuracy' is given without the number of trials, variance, or precise definition of the 106.5 ms interval (e.g., time from first RRC message to block decision).

Simulated Author's Rebuttal

1 responses · 0 unresolved

We thank the referee for their constructive feedback, which highlights important considerations for the generalizability of our results. We address the major comment point by point below and have revised the manuscript to better qualify our claims based on the evaluated conditions.

Point-by-point responses
  1. Referee: The headline claims of 97.6% detection accuracy and 106.5 ms mitigation latency rest exclusively on experiments with two specific gNB hardware setups and the UE implementations present in the OTA testbed. No results are reported for other commercial UE stacks, mobility-induced channel conditions, or varying background traffic loads; because the fingerprint features are not shown to remain discriminative outside these conditions, the assertion that StormShield 'effectively prevents gNB resource exhaustion' in realistic deployments is not yet supported.

    Authors: We agree that the evaluation is limited to the specific OTA testbed conditions described in §5, using OAI-based UEs and the two gNB setups (USRP X410 8.1 split and Foxconn RU 7.2 split). The fingerprint features are derived from standardized 3GPP RRC signaling sequences and timing patterns, which are protocol-level and independent of particular UE hardware or stacks in principle. However, we acknowledge that we have not demonstrated invariance under mobility, varying background loads, or additional commercial UE implementations. In the revised manuscript, we have added a new Limitations subsection (5.5) that explicitly qualifies the scope of the results and states that they apply to the tested OTA scenarios. We have also revised the abstract, introduction, and conclusion to replace the general claim of preventing resource exhaustion 'in realistic deployments' with 'in the evaluated OTA testbed scenarios.' These textual changes ensure the claims are supported by the presented evidence. Additional experiments with mobility and other UE stacks are planned for future work but could not be completed within the revision timeline. revision: partial

Circularity Check

0 steps flagged

No circularity: experimental results are independent testbed measurements

full rationale

The paper's core contribution is an experimental prototype of StormShield as an xApp that fingerprints and blocks MUEs on an OTA testbed using OAI, NVIDIA Aerial, USRP X410 (8.1 split), and Foxconn RU (7.2 split). Claims of 97.6% detection accuracy and 106.5 ms mitigation latency are reported directly from measurements against real signaling-storm traffic; no equations, fitted parameters, or derivations are presented that reduce to the inputs by construction. No self-citation load-bearing steps, uniqueness theorems, or ansatzes appear in the abstract or described evaluation chain. The work is therefore self-contained against external benchmarks.

Axiom & Free-Parameter Ledger

0 free parameters · 0 axioms · 0 invented entities

The work relies on standard assumptions about O-RAN interfaces and UE behavior patterns but introduces no new free parameters, axioms, or invented entities beyond the fingerprinting mechanism itself.

pith-pipeline@v0.9.0 · 5638 in / 1083 out tokens · 55500 ms · 2026-05-15T02:34:16.667328+00:00 · methodology

