The quality and experience of mobile communication have significantly improved with the introduction of 5G, and these improvements are expected to continue beyond the 5G era. However, vulnerabilities in control-plane protocols, such as Radio Resource Control (RRC) and Non-Access Stratum (NAS), pose significant security threats, such as Blind Denial of Service (DoS) attacks. Despite the availability of existing anomaly detection methods that leverage rule-based systems or traditional machine learning methods, these methods have several limitations, including the need for extensive training data, predefined rules, and limited explainability. Addressing these challenges, we propose a novel anomaly detection framework that leverages the capabilities of Large Language Models (LLMs) in zero-shot mode with unordered data and short natural language attack descriptions within the Open Radio Access Network (O-RAN) architecture. We analyse robustness to prompt variation, demonstrate the practicality of automating the attack descriptions and show that detection quality relies on the semantic completeness of the description rather than its phrasing or length. We utilise an RRC/NAS dataset to evaluate the solution and provide an extensive comparison of open-source and proprietary LLM implementations to demonstrate superior performance in attack detection. We further validate the practicality of our framework within O-RAN's real-time constraints, illustrating its potential for detecting other Layer-3 attacks.