RRC Signaling Storm Detection in O-RAN

📅 2025-04-22
🤖 AI Summary
To address RRC signaling storm attacks in O-RAN, which exhaust gNB resources and degrade service, this paper proposes a lightweight, real-time detection and mitigation method based on RRC-layer features. The approach introduces a non-intrusive detection mechanism tailored for the O-RAN xApp architecture; it requires no modifications to the underlying protocol stack or UE behavior and distinguishes malicious attacks from legitimate high-load scenarios. It models fine-grained features, including RRC message timing, type distribution, and connection establishment patterns, and employs adaptive thresholding for dynamic decision-making. Attacks are detected within 90 ms, leaving a 60 ms mitigation window before the gNB becomes unavailable. Evaluated on the OpenAirInterface platform, the solution incurs an overhead of 1.2% CPU and 0% memory consumption.

📝 Abstract
The Open Radio Access Network (O-RAN) marks a significant shift in the mobile network industry. By transforming a traditionally vertically integrated architecture into an open, data-driven one, O-RAN promises to enhance operational flexibility and drive innovation. In this paper, we harness O-RAN's openness to address one critical threat to 5G availability: signaling storms caused by abuse of the Radio Resource Control (RRC) protocol. Such attacks occur when a flood of RRC messages from one or multiple User Equipments (UEs) depletes resources at a 5G base station (gNB), leading to service degradation. We provide a reference implementation of an RRC signaling storm attack, using the OpenAirInterface (OAI) platform to evaluate its impact on a gNB. We supplement the experimental results with a theoretical model to extend the findings for different load conditions. To mitigate RRC signaling storms, we develop a threshold-based detection technique that relies on RRC layer features to distinguish between malicious activity and legitimate high network load conditions. Leveraging O-RAN capabilities, our detection method is deployed as an external Application (xApp). Performance evaluation shows attacks can be detected within 90ms, providing a mitigation window of 60ms before gNB unavailability, with an overhead of 1.2% and 0% CPU and memory consumption, respectively.
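
One way to implement a threshold-based detector over RRC-layer features that separates a storm from legitimate high load, as an added example that is not the paper's xApp code. The chosen features (per-window `RRCSetupRequest` rate and setup-completion ratio), the EWMA baseline and every parameter value are assumptions, and the event records are constructed.

```python
from collections import namedtuple

# Constructed record format: arrival time in ms and RRC message type.
Event = namedtuple("Event", "t_ms msg")

def make_traffic(first_win, n_win, ues, complete, window_ms=10):
    """Constructed sample input: `ues` setup attempts in each window."""
    out = []
    for w in range(first_win, first_win + n_win):
        for j in range(ues):
            t = w * window_ms + j % 5
            out.append(Event(t, "RRCSetupRequest"))
            if complete:  # a legitimate UE finishes connection establishment
                out.append(Event(t + 2, "RRCSetupComplete"))
    return out

def detect_storm(events, window_ms=10, alpha=0.2, k=3.0,
                 min_completion=0.5, warmup=3):
    """Return start times (ms) of windows flagged as a signaling storm.

    A window is flagged only when BOTH hold (assumed decision rule):
      * request rate exceeds an adaptive threshold (EWMA mean + k * deviation)
      * fewer than `min_completion` of the requests were completed
    High but completed load therefore raises the baseline instead of an alert.
    Simplification: a completion is counted in the window where it arrives.
    """
    if not events:
        return []
    start = min(e.t_ms for e in events)
    n_win = (max(e.t_ms for e in events) - start) // window_ms + 1
    req, done = [0] * n_win, [0] * n_win
    for e in events:
        i = (e.t_ms - start) // window_ms
        if e.msg == "RRCSetupRequest":
            req[i] += 1
        elif e.msg == "RRCSetupComplete":
            done[i] += 1
    mean, dev, flagged = float(req[0]), 0.0, []
    for i in range(1, n_win):
        completion = done[i] / req[i] if req[i] else 1.0
        threshold = mean + k * max(dev, 1.0)
        if i >= warmup and req[i] > threshold and completion < min_completion:
            flagged.append(start + i * window_ms)
            continue  # do not let attack windows inflate the baseline
        dev = (1 - alpha) * dev + alpha * abs(req[i] - mean)
        mean = (1 - alpha) * mean + alpha * req[i]
    return flagged
```
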
Problem

Research questions and friction points this paper is trying to address.

Detects RRC signaling storms in 5G O-RAN networks
Distinguishes malicious RRC attacks from legitimate high load
Deploys threshold-based xApp detection with minimal overhead
Innovation

Methods, ideas, or system contributions that make the work stand out.

Uses O-RAN openness for RRC storm detection
Implements threshold-based detection via xApp
Detects attacks within 90ms with low overhead
Dang Kien Nguyen
Standards & Technology, Ericsson France
Rim El Malki
Ericsson, France
Distributed Networks, Cryptography, Physical layer security, Wireless communication, Information
Filippo Rebecchi
Standards & Technology, Ericsson France