Time-sensitive networking (TSN) and Precision Time Protocol (PTP)-based time synchronization in 5G fronthaul (FH) networks lacks robust security mechanisms, rendering it vulnerable to spoofing and replay attacks—attacks that can disable O-RAN base stations within two seconds. Method: We propose the first machine learning–driven anomaly detection framework tailored for FH timing security, integrating LSTM and Random Forest models with deep PTP protocol parsing, timestamp behavioral modeling, and real-time streaming feature extraction. Contribution/Results: Evaluated on a production-grade O-RAN testbed, our framework achieves >97.5% accuracy in multi-class synchronization attack detection, with millisecond-scale response latency and full support for operational deployment. Key contributions include (i) the first identification of critical PTP security vulnerabilities specific to FH environments, and (ii) the design and implementation of a lightweight, efficient, and deployable timing-security monitoring system.

5G and beyond cellular systems embrace the disaggregation of Radio Access Network (RAN) components, exemplified by the evolution of the fronthaul (FH) connection between cellular baseband and radio unit equipment. Crucially, synchronization over the FH is pivotal for reliable 5G services. In recent years, there has been a push to move these links to an Ethernet-based packet network topology, leveraging existing standards and ongoing research for Time-Sensitive Networking (TSN). However, TSN standards, such as Precision Time Protocol (PTP), focus on performance with little to no concern for security. This increases the exposure of the open FH to security risks. Attacks targeting synchronization mechanisms pose significant threats, potentially disrupting 5G networks and impairing connectivity. In this paper, we demonstrate the impact of successful spoofing and replay attacks against PTP synchronization. We show how a spoofing attack is able to cause a production-ready O-RAN and 5G-compliant private cellular base station to catastrophically fail within 2 seconds of the attack, necessitating manual intervention to restore full network operations. To counter this, we design a Machine Learning (ML)-based monitoring solution capable of detecting various malicious attacks with over 97.5% accuracy.