NSF Convergence Accelerator Track: G: The Security-Enhanced Radio Access Network (SE-RAN)

SRI International, Ohio State University (OSU), and AccuKnox Inc. will develop innovative edge-to-core security services for the next generation of the Open Radio Access Network (O-RAN) compliant 5G+ mobile architecture. This collaborative project, named Security-Enhanced Radio Access Network (SE-RAN), will fortify 5G mobile infrastructures against a wide range of attacks that target vulnerabilities within 5G networks, protocols, and their control-layer services.

The project's centerpiece is a transformative network management service, offering 5G operators an unprecedented level of threat identification, policy enforcement, and compliance monitoring throughout their entire 5G network infrastructures. Project SE-RAN specifically focuses on safeguarding mission-critical 5G networks, providing a comprehensive protection architecture against sophisticated mobile-network adversaries.

Project SE-RAN will deliver an O-RAN compliant 5G-Native Application Protection Platform (5GNAPP) for monitoring and inline policy enforcement across mobile devices, base stations, RAN operations, and the 5G control plane. It will substantially enhance the trustworthiness of 5G networks, including security with respect to mobile device privacy, 5G communications confidentiality and integrity, resistance to attacks, including attempts at control-plane infiltration, and live detection of attacks against the mobile infrastructure and its users.

The project involves collaboration with key open-source stakeholders to integrate security specifications and modules with top-tier 5G open-source O-RAN projects. The project will also work with 5G integrators throughout the government to transition modular security services to address various mission-critical use cases. Finally, the project will foster sustainable impacts on the U.S. information technology industries by transitioning SE-RAN technologies through strategic relationships with startups, industry leaders, and investors actively involved in the development of novel and disruptive 5G security and privacy technologies.

Project SE-RAN will foster a community that creates modular O-RAN-compliant security components to enhance the deployment and runtime management of mobile network infrastructures. These solutions will extend the existing O-RAN consortium’s open software architecture to tackle at least two fundamental problems. The first problem is the extensive attack surface that arises from the migration of the mobile network control plane into a cloud-based operating environment.

While the integration of the RAN Intelligent Controller (RIC) into a Kubernetes framework dramatically increases the scalability and extensibility of control logic, it also exposes the control plane to the breadth of adversarial tactics and open-source supply chain vulnerabilities that plague existing cloud ecosystems. The second problem is the existing lack of visibility into core 5G network operations: one cannot secure the mobile network if one cannot observe its operations with sufficient granularity.

Project SE-RAN represents the first security-focused, base-station-internal telemetry stream that will facilitate runtime security monitoring within the O-RAN compliant 5G Open-Source Software (OSS) ecosystem.

SE-RAN is based on four groundbreaking innovations. First, SE-RAN will deliver a modular base station extension (i.e., an O-RAN service model) that delivers advanced 5G-protocol layer-3 security auditing designed to transform the ability of 5G operators to track the security-relevant state of every user equipment (UE) device and base station in the network.

Second, SE-RAN will deliver the first runtime 5G-IDS (intrusion detection system) control plane application for malicious radio frequency (RF)-based exploit and anomaly detection. Third, SE-RAN will introduce 5G-KubeArmor, the first near real-time RAN Intelligent Controller (nRT-RIC) security policy generation and enforcement engine, enabling 5G administrators to secure the 5G control plane using application-layer least-permissive security policies.

Finally, it will introduce the first 5GNAPP management service that integrates all three technologies under a unified security incident and event management (SIEM) system. The overall benefit of this project will be a transformative security framework that provides 5G operators with unprecedented threat identification, policy enforcement, and compliance monitoring that spans the entire 5G network infrastructure.

This award reflects NSF's statutory mission and has been deemed worthy of support through evaluation using the Foundation's intellectual merit and broader impacts review criteria.