WO-2026095970-A1 - REAL-TIME SECURITY THREAT DETECTION AND DYNAMIC RESPONSE AT EDGE SECURITY OPERATIONS CENTER IN O-RAN SYSTEMS
Abstract
Embodiments disclosed herein provide a method and system for detecting real-time security threats by a security management engine deployed at an edge network entity in an open radio access network (O-RAN) system and implementing dynamic security policy in real-time and isolating services or components at system level. The method includes receiving input data from one or more target network entities by the security management engine deployed at the edge network entity. The security management engine compares one or more parameters of the input data with pre-defined reference parameters to identify anomalies. Based on the comparison, the method includes detecting an anomaly corresponding to at least one target network entity, in real-time by the security management engine. Upon detecting an anomaly, a real-time response may be implemented by applying a dynamic policy on an affected component and isolating the affected component.
Inventors
- RAMIYA, Raghavendran Surendran
- KALISWAMY, Prabhu
- PANDARLAPALLI, Sunil Kumar Reddy
Assignees
- Rakuten Mobile, Inc.
- RAKUTEN SYMPHONY USA LLC
Dates
- Publication Date: 2026-05-07
- Application Date: 2025-01-07
- Priority Date: 2024-10-30
Claims (19)
- 1. A method comprising: receiving, by a security management engine deployed at an edge network entity, input data from at least one target network entity associated with a communications network; comparing, by the security management engine, one or more parameters of the input data with one or more corresponding reference parameters from a plurality of reference parameters, wherein the reference parameters are pre-defined by the network entity associated with the communications network; detecting, by the security management engine and based on the comparison, an anomaly corresponding to the at least one target network entity, in real-time; and implementing, in real-time and corresponding to the anomaly, at least one of (i) a dynamic policy associated with the anomaly on the component and (ii) an isolation of the component.
- 2. The method as claimed in claim 1, wherein the input data comprises real-time input data comprising at least one of a plurality of security events, logs and performance metrics, and wherein the plurality of security events comprises at least one of process execution events, file system events, network events, resource consumption events, and cloud specific events.
- 3. The method as claimed in claim 1, wherein the method further comprises: transmitting, by the security management engine and to a central security management engine, non-real-time input data from the at least one target network entity, wherein the central security management engine is deployed at a base-station Central Unit (CU) associated with the communications network, wherein the non-real-time input data is transmitted to the central security management engine for analyzing the non-real-time input data based on the one or more corresponding reference parameters and performing a non-real-time detection of an anomaly corresponding to the at least one target network entity.
- 4. The method as claimed in claim 1, wherein the method further comprises: generating a report comprising information associated with the anomaly, wherein the information comprises at least one of a timestamp corresponding to the anomaly, a description of a type of the anomaly, a severity level of the anomaly, an alert notification, and data relevant for secondary analysis by a base-station Central Unit (CU) associated with the communications network.
- 5. The method as claimed in claim 4, wherein the method further comprises: training a machine learning (ML) model by providing historical data pertaining to the security management engine, wherein the historical data comprises at least one of input data, reference parameters, deviations, anomalies, components associated with the anomalies and dynamic policies; and predicting the anomaly and the component corresponding to the anomaly and dynamically generating a dynamic policy associated with the anomaly to be implemented using trained machine learning model.
- 6. The method as claimed in claim 5, wherein the method further comprises: evaluating, by the security management engine, the dynamic policy corresponding to the anomaly, wherein the dynamic policy is to be implemented by applying predefined security policies stored at the edge network entity.
- 7. The method as claimed in claim 1, wherein the at least one target network entity comprises at least one of: one or more distributed units (DUs), and one or more radio units (RUs).
- 8. The method as claimed in claim 1, wherein the edge network entity comprises one of: one or more distributed units (DUs), a Service Management and Orchestration (SMO) layer entity, a near real-time Radio Access Network Intelligent Controller (Near-RT RIC), and a Radio Access Network (RAN) node, wherein the SMO layer entity comprises a non-real-time Radio Access Network Intelligent Controller (Non-RT RIC).
- 9. The method as claimed in claim 1, wherein the central security management engine comprises one of: a security information and event management (SIEM) component or a security orchestration, automation and response (SOAR).
- 10. An apparatus configured to: receive, by a security management engine deployed at an edge network entity, input data from at least one target network entity associated with a communications network; compare, by the security management engine, one or more parameters of the input data with one or more corresponding reference parameters from a plurality of reference parameters, wherein the reference parameters are pre-defined by the network entity associated with the communications network; detect, by the security management engine and based on the comparison, an anomaly corresponding to the at least one target network entity, in real-time; and implement, in real-time and corresponding to the anomaly, at least one of (i) a dynamic policy associated with the anomaly on the component and (ii) an isolation of the component.
- 11. The apparatus as claimed in claim 10, wherein the input data comprises real-time input data comprising at least one of a plurality of security events, logs and performance metrics, and wherein the plurality of security events comprises at least one of process execution events, file system events, network events, resource consumption events, and cloud specific events.
- 12. The apparatus as claimed in claim 10, further configured to: transmit, by the security management engine and to a central security management engine, non-real-time input data from the at least one target network entity, wherein the central security management engine is deployed at a base-station Central Unit (CU) associated with the communications network, wherein the non-real-time input data is transmitted to the central security management engine for analyzing the non-real-time input data based on the one or more corresponding reference parameters and performing a non-real-time detection of an anomaly corresponding to the at least one target network entity.
- 13. The apparatus as claimed in claim 10, further configured to: generate a report comprising information associated with the anomaly, wherein the information comprises at least one of a timestamp corresponding to the anomaly, a description of a type of the anomaly, a severity level of the anomaly, an alert notification, and data relevant for secondary analysis by a base-station Central Unit (CU) associated with the communications network.
- 14. The apparatus as claimed in claim 13, further configured to: train a machine learning (ML) model by providing historical data pertaining to the security management engine, wherein the historical data comprises at least one of input data, reference parameters, deviations, anomalies, components associated with the anomalies and dynamic policies; and predict the anomaly and the component corresponding to the anomaly and dynamically generating a dynamic policy associated with the anomaly to be implemented using trained machine learning model.
- 15. The apparatus as claimed in claim 14, further configured to: evaluate, by the security management engine, the dynamic policy corresponding to the anomaly, wherein the dynamic policy is to be implemented by applying predefined security policies stored at the edge network entity.
- 16. The apparatus as claimed in claim 10, wherein the at least one target network entity comprises at least one of: one or more distributed units (DUs), and one or more radio units (RUs).
- 17. The apparatus as claimed in claim 10, wherein the edge network entity comprises one of: one or more distributed units (DUs), a Service Management and Orchestration (SMO) layer entity, a near real-time Radio Access Network Intelligent Controller (Near-RT RIC), and a Radio Access Network (RAN) node, wherein the SMO layer entity comprises a non-real-time Radio Access Network Intelligent Controller (Non-RT RIC).
- 18. The apparatus as claimed in claim 10, wherein the central security management engine comprises one of: a security information and event management (SIEM) component or a security orchestration, automation and response (SOAR).
- 19. A non-transitory computer-readable medium having program instructions stored thereon, executed by an apparatus for wireless communication, for: receiving, by a security management engine deployed at an edge network entity, input data from at least one target network entity associated with a communications network; comparing, by the security management engine, one or more parameters of the input data with one or more corresponding reference parameters from a plurality of reference parameters, wherein the reference parameters are pre-defined by the network entity associated with the communications network; detecting, by the security management engine and based on the comparison, an anomaly corresponding to the at least one target network entity, in real-time; and implementing, in real-time and corresponding to the anomaly, at least one of (i) a dynamic policy associated with the anomaly on the component and (ii) an isolation of the component.
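The detection-and-response loop recited in claims 1 to 4 and 6 (receive input records from a target entity, compare each parameter with a pre-defined reference parameter, generate a report carrying timestamp, anomaly type, severity, alert and data for secondary analysis at the CU, then apply a dynamic policy or isolate the component, while forwarding non-real-time data to the central engine), as an added worked example in Python. This is illustration written for this page, not code from the patent or from Rakuten; the parameter names, thresholds, severity levels, policy names and the DU/RU identifiers are assumptions, and the sample input records are constructed.

```python
"""Edge security management engine loop: added illustration, not the patent's code.

The parameter names, bounds, severities, policy actions and entity identifiers
below are assumptions for this example; the page defines none of them.
"""
from dataclasses import dataclass, field
from datetime import datetime, timezone

# Reference parameters pre-defined at the edge entity (assumed values).
# parameter -> (upper bound, severity when exceeded, real-time response)
REFERENCE_PARAMETERS = {
    "cpu_util_pct":          (85.0, "medium",   "policy:throttle"),
    "new_connections_ps":    (200,  "high",     "policy:rate_limit"),
    "privileged_exec_cnt":   (0,    "critical", "isolate"),
    "sensitive_file_writes": (0,    "high",     "isolate"),
}


@dataclass
class Report:
    """Anomaly report as in claim 4; cu_data is kept for secondary analysis at the CU."""
    timestamp: str
    entity: str
    anomaly_type: str
    severity: str
    alert: str
    cu_data: dict


@dataclass
class EdgeSecurityEngine:
    reference: dict = field(default_factory=lambda: dict(REFERENCE_PARAMETERS))
    isolated: set = field(default_factory=set)      # components taken out of service
    policies: dict = field(default_factory=dict)    # entity -> applied policy names
    reports: list = field(default_factory=list)
    to_central: list = field(default_factory=list)  # non-real-time data for the CU engine

    def receive(self, entity: str, data: dict) -> list:
        """Compare one input record against the reference parameters.

        Returns the reports generated for this record (empty when nothing deviates).
        Parameters with no reference bound are not handled in real time; they are
        queued for the central security management engine (claim 3).
        """
        new_reports = []
        for param, value in data.items():
            if param not in self.reference:
                self.to_central.append({"entity": entity, param: value})
                continue
            bound, severity, response = self.reference[param]
            if value > bound:
                report = Report(
                    timestamp=datetime.now(timezone.utc).isoformat(),
                    entity=entity,
                    anomaly_type=param,
                    severity=severity,
                    alert=f"{entity}: {param}={value} exceeds reference {bound}",
                    cu_data={"observed": value, "bound": bound},
                )
                self.reports.append(report)
                new_reports.append(report)
                self.respond(entity, response)
        return new_reports

    def respond(self, entity: str, response: str) -> None:
        """Apply the dynamic policy or isolate the affected component (assumed actions)."""
        if response == "isolate":
            self.isolated.add(entity)
        else:
            self.policies.setdefault(entity, set()).add(response.split(":", 1)[1])

    def is_isolated(self, entity: str) -> bool:
        return entity in self.isolated


def run_demo() -> EdgeSecurityEngine:
    """Feed constructed DU/RU records through the engine and return its state."""
    engine = EdgeSecurityEngine()
    # Constructed sample input, not captured from any real O-RAN deployment.
    records = [
        ("du-01", {"cpu_util_pct": 42.0, "new_connections_ps": 15, "privileged_exec_cnt": 0}),
        ("du-01", {"cpu_util_pct": 91.5, "new_connections_ps": 350}),
        ("ru-07", {"sensitive_file_writes": 3, "firmware_version": "1.4.2"}),
    ]
    for entity, data in records:
        engine.receive(entity, data)
    return engine


if __name__ == "__main__":
    state = run_demo()
    for r in state.reports:
        print(r.severity.upper(), r.alert)
    print("isolated:", sorted(state.isolated), "policies:", state.policies)
```

In this sketch the reference table plays the role of the pre-defined reference parameters stored at the edge entity; the ML path of claim 5 would replace the static bound-and-response tuple with a predicted anomaly, component and policy, while the comparison, reporting and isolation steps stay the same. Isolation is modelled as a set membership check only; in a deployment it would map to whatever the edge entity can actually enforce (for example a network policy or stopping the affected workload).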
Description
CROSS-REFERENCE TO RELATED APPLICATION(S)
[0001] This application claims priority to Indian non-provisional application No. 202441083323, filed on October 30, 2024, the entire contents of which are incorporated herein by reference.
TECHNICAL FIELD
[0002] The present disclosure relates to real-time security threat detection and dynamic response at an edge security operations center in open radio access network (O-RAN) systems.
BACKGROUND
[0003] The information disclosed in this background section is only for enhancement of understanding of the general background of the disclosure and should not be taken as an acknowledgement or any form of suggestion that this information forms the prior art already known to a person skilled in the art.
[0004] In an open radio access network (O-RAN) system, a security operations center (SOC) plays an important role in ensuring the security of the network infrastructure and its components. The O-RAN system includes various data centers: edge data centers, far edge data centers (DCs), and regional DCs. All security logs and events across the various DCs are collected, processed, and transferred to a central SOC. The central SOC monitors security events, conducts threat detection, and executes remediation plans.
[0005] The central SOC enables centralized control over security operations, giving network administrators a comprehensive view of the entire network's security posture. Analysis, threat detection, and remediation are all performed from this central point, streamlining operations. However, collecting security events and logs from the various data centers before analysis introduces delay, and transferring the logs increases reaction time, potentially allowing critical events to go unnoticed for extended periods.
[0006] The O-RAN system supports network slicing, enabling multiple network functions to run on shared physical or cloud infrastructure. However, a lack of robust isolation and security between network slices can lead to unauthorized access and cross-slice attacks. The central SOC may struggle to prevent unauthorized access and cross-slice attacks in real time, leaving the system vulnerable to such exploits.
[0007] Accordingly, there is a need to detect security threats in real time and to implement dynamic security policy in real time at the system level.
SUMMARY
[0008] The present disclosure relates to a method comprising the steps of receiving input data by a security management engine deployed at an edge network entity from at least one target network entity associated with a communications network. Further, one or more parameters of the input data are compared with one or more corresponding reference parameters from a plurality of reference parameters by the security management engine. The reference parameters are pre-defined by the edge network entity associated with the communications network. Based on the comparison, an anomaly corresponding to the at least one target network entity is detected in real time by the security management engine. Further, at least one of (i) a dynamic policy associated with the anomaly on a component and (ii) an isolation of the component is implemented corresponding to the anomaly in real time.
[0009] The present disclosure also relates to an apparatus configured to receive, by a security management engine deployed at an edge network entity, input data from at least one target network entity associated with a communications network. Further, one or more parameters of the input data are compared with one or more corresponding reference parameters from a plurality of reference parameters by the security management engine. The reference parameters are pre-defined by the edge network entity associated with the communications network. Based on the comparison, an anomaly corresponding to the at least one target network entity is detected in real time by the security management engine. Further, at least one of (i) a dynamic policy associated with the anomaly on a component and (ii) an isolation of the component is implemented corresponding to the anomaly in real time.
[0010] In an embodiment, there is a non-transitory computer readable medium including instructions stored thereon that, when processed by at least one processor, cause the at least one processor to perform operations of receiving, by a security management engine deployed at an edge network entity, input data from at least one target network entity associated with a communications network. Further, one or more parameters of the input data are compared with one or more corresponding reference parameters from a plurality of reference parameters by the security management engine. The reference parameters are pre-defined by the edge network entity associated with the communications network. Based on the comparison, an anomaly correspondi