RAID: In-Network RA Signaling Storm Detection for 5G Open RAN

The disaggregation and virtualization of 5G Open RAN (O-RAN) introduces new vulnerabilities in the control plane that can greatly impact the quality of service (QoS) of latency-sensitive 5G applications and services. One critical issue is Random Access (RA) signaling storms where, a burst of illegitimate or misbehaving user equipments (UEs) send Radio Resource Control (RRC) connection requests that rapidly saturate a Central Unit's (CU) processing pipeline. Such storms trigger widespread connection failures within the short contention resolution window defined by 3GPP. Existing detection and mitigation approaches based on near-real-time RAN Intelligent Controller (n-RT RIC) applications cannot guarantee a timely reaction to such attacks as RIC control loops incur tens to hundreds of milliseconds of latency due to the non-deterministic nature of their general purpose processor (GPP) based architectures. This paper presents RAID, an in-network RA signaling storm detection and mitigation system that leverages P4-programmable switch ASICs to enable real-time protection from malicious attacks. RAID embeds a lightweight Random Forest (RF) classifier into a programmable Tofino switch, enabling line-rate flow classification with deterministic microsecond-scale inference delay. By performing ML-based detection directly in the data plane, RAID catches and filters malicious RA requests before they reach and overwhelm the RRC. RAID achieves above 94% detection accuracy with a fixed per-flow inference delay on the order of 3.4 microseconds, effectively meeting strict O-RAN control-plane deadlines. These improvements are sustained across multiple traffic loads, making RAID a fast and scalable solution for the detection and mitigation of signaling storms in 5G O-RAN.