The study aims at identifying key issues and solutions in order to address the security aspects of employing AI/ML techniques in RAN. The motivation of this study is to provide potential security handling for the procedures of the NG-RAN AI/ML framework [2]. The NG-RAN AI/ML framework includes functional entities and information flows between functions in order to realize an AI/ML architecture for data collection, model training, data inference and actions/feedback for the NG-RAN and UEs. The NG-RAN AI/ML framework is also accompanied by three RAN-related use cases.
The study aims at studying the following aspects:
The applicability of existing security mechanisms for the NG-RAN AI/ML framework.
Whether user privacy issues exist for the selected use cases in the related RAN group studies, not disrupting the current system designs. Use cases not selected in AI/ML for NG RAN by RAN groups are out of scope of this study. The need for alignment with the study of privacy of identifiers over radio access would also be assessed.
Security aspects of the RAN use cases from the point of view of AI/ML robustness in the face of AI/ML adversaries in AI/ML for NG-RAN.
The following documents contain provisions which, through reference in this text, constitute provisions of the present document.
References are either specific (identified by date of publication, edition number, version number, etc.) or non-specific.
For a specific reference, subsequent revisions do not apply.
For a non-specific reference, the latest version applies. In the case of a reference to a 3GPP document (including a GSM document), a non-specific reference implicitly refers to the latest version of that document in the same Release as the present document.
For the purposes of the present document, the terms given in TR 21.905 and the following apply. A term defined in the present document takes precedence over the definition of the same term, if any, in TR 21.905.
For the purposes of the present document, the abbreviations given in TR 21.905 and the following apply. An abbreviation defined in the present document takes precedence over the definition of the same abbreviation, if any, in TR 21.905.
AI
The NG-RAN AI/ML framework has been described in clause 4.2 of TR 37.817 and the related use cases which are captured in clause 5 of TR 37.817. This document aims at studying the potential security handling of the NG-RAN AI/ML framework and the selected use cases.
The selected use cases in TR 37.817 are briefly described below.
Network Energy Saving: This use case is about cell activation/deactivation which is an energy saving scheme in the spatial domain that exploits traffic offloading in a layered structure to reduce the energy consumption of the whole radio access network (RAN). When the expected traffic volume is lower than a fixed threshold, the cells may be switched off, and the served UEs may be offloaded to a new target cell.
Load Balancing: The use case is to distribute the load evenly among cells and among areas of cells, or to transfer part of the traffic from congested cells or from congested areas of cells, or to offload users from one cell, cell area, carrier or RAT to improve network performance. This can be done by means of optimization of handover parameters and handover actions.
Mobility Optimization: The use case is to minimize performance loss due to unsuccessful or erroneous mobility management events. Mobility management is expected to guarantee the service-continuity during the mobility by minimizing the call drops, Radio Link Failures (RLFs), unnecessary handovers, and ping-pong. In the future, it is expected that handovers will be increasing in numbers as the coverage of a single node decreases and UE mobility gets higher and higher. In addition, for the applications characterized with the stringent QoS requirements such as reliability, latency etc., the Quality of Experience (QoE) is sensitive to the handover performance, so that mobility management should avoid unsuccessful handovers and reduce the latency during the handover procedures.
The RAN AI/ML framework studied in TR 37.817 and specified in RAN specifications (e.g., TS 38.423) includes several network entities exchanging AI/ML related information for the purposes of data collection, data inference, output and feedback. These network entities are UEs, RAN nodes and potentially OAM nodes depending on the architecture. The RAN AI/ML framework specifies three use cases, namely Network Energy Saving, Load Balancing and Mobility Optimization for which the UEs and RAN nodes provide input and inference data and the RAN AI/ML framework on RAN and potentially OAM nodes provides output and feedback data to relevant nodes.
An OAM and /or NG-RAN node may train a model or perform inference using UE related information acquired by the RAN node (e.g., UE location information and UE trajectory prediction), and the information obtained from neighbouring RAN nodes (e.g., UE mobility history information).
The RAN AI/ML framework includes information transfer procedures from UEs and RAN nodes. UE-related data are annotated with temporary UE identifiers or UE measurement identifiers. Moreover, the UE and RAN node generated information stays within the 3GPP network and is not exposed to third parties.
The source, inferred, output and feedback data used for RAN AI/ML use cases can contain UE related information such as UE location information, UE trajectory predictions, etc. which may compromise user privacy.
The RAN AI/ML framework studied in TR 37.817 and specified in RAN specifications (e.g., TS 38.423) includes several network entities exchanging AI/ML related information for the purposes of data collection, data inference, output and feedback. These network entities are UEs, RAN nodes and potentially OAM nodes depending on the architecture.
The input data from UEs and RAN nodes are used to train AI/ML models which are in turn used to generate inferred data and actions on the behaviour of the RAN. As a result, there is a potential information path from an adversary to network entities. Moreover, specifically since the RAN AI/ML framework includes the realization of three use cases (Energy Saving. Load Balancing, Mobility Optimization) an attacker has a potential control knob to affect the energy consumption of a network, the load distribution across the network and mobility performance.
The AI/ML model or algorithm is out of scope of 3GPP, only the inputs, outputs, inferred data and feedback information is standardized and the types of data provided by the UE and RAN node, assuming an attacker can eavesdrop (and deduce the type of data) is generic and based on existing specifications. However, an attacker may have some knowledge of the use case or cases that the network has decided to support. As a result, the adversary operates with the grey box assumption with respect to data poisoning.
The RAN AI/ML framework uses input and inference data from network entities, some of which may be under the control of adversaries which could disrupt the AI/ML model and potentially cause network outages (availability attacks), denial of service and poor performance (resource consumption) to the network depending on the use case.
The RAN AI/ML framework studied in TR 37.817 and specified in RAN specifications (e.g., TS 38.423) includes several network entities exchanging AI/ML related information for the purposes of data collection, data inference, output and feedback. These network entities are UEs, RAN nodes and potentially OAM nodes depending on the architecture.
The RAN AI/ML framework specifies three use cases, namely Network Energy Saving, Load Balancing and Mobility Optimization for which the UEs and RAN nodes provide input and inference data and the RAN AI/ML framework on RAN and potentially OAM nodes provides output and feedback data to relevant nodes.
If the information transferred between the UE and RAN nodes, the RAN nodes and the RAN nodes and OAM nodes is not protected, an attacker can modify, eavesdrop, or replay input, inference, output and feedback data provided and generated by the different data providers and consumers in the RAN AI/ML framework.
Therefore, any information transfer between the relevant network entities (UE, RAN nodes, OAM nodes) in the RAN AI/ML procedures needs to be secure.
For the use cases of Network Energy Saving, Load Balancing and Mobility Optimization of the RAN AI/ML framework the 5G System shall support integrity, confidentiality, and replay protection for the information transfer between the relevant network entities for the purposes of the RAN AI/ML framework.
The specification re-uses existing interfaces (e.g. Xn) while specifying new requests/responses for the purposes of the RAN AI/ML framework. As a result, existing security mechanisms can be supported with respect to the information transfer security in the RAN AI/ML framework.
Therefore no normative work is necessary.