← Book home
Part 7 · Advanced and Future Security
31

AI/ML for 5G Security

A powerful detection aid — and a new attack surface of its own

"Machine learning is excellent at finding the anomaly you didn't write a rule for — and excellent at confidently flagging the wrong thing. Use it as a sense, not a judge." — THE ML-IN-SECURITY BALANCE

5G generates more signaling telemetry than any human can watch. Machine learning helps — spotting anomalies in authentication, signaling, and API behavior that no static rule anticipated. NWDAF brings analytics natively into the architecture. But ML is not magic: it produces false positives, can be attacked (poisoning, evasion), and must stay a decision aid, not an unaccountable judge. This chapter covers where ML fits, where NWDAF helps, and the risks.

🎯 Learning objectives
📘 Standards reference box — Chapter 31
ReferenceTitleNote
TS 23.288NWDAF — network data analyticsRel-18/19 edition
TR 33.8xxAI/ML security studies (SA3)Rel-18/19 (verify)
NIST AI RMFAI risk management frameworkcurrent

Checked June 2026 — Rel-18/19 AIML security evolving; verify against the latest 3GPP version.

31.1 Where ML Fits

FIGURE 31.1Where ML Fits — Detection, Not Enforcement
telemetry (Ch26)signaling, auth, API ML detectionanomaly scoring"unusual" not "rule X" human triageanalyst confirms responseplaybook (Ch27)human/automation ML is a SENSE that surfaces candidates; humans/playbooks JUDGE and ACT — don't wire ML directly to enforcement
Purpose: the safe placement of ML. It surfaces anomalies a rule would miss; humans and playbooks judge and act. Wiring ML straight to enforcement risks automated false-positive damage.
FIGURE 31.2Signaling Anomaly Detection Pipeline
signaling featuresrates, sequences, mix model normalper cell/slice/time score deviationanomaly score alert→ SOC triage ML shines on NOVEL signaling patterns — a storm or recon shape no one wrote a rule for (complements Ch26 rules)
Purpose: ML's home turf. Signaling anomaly detection catches novel patterns (a new storm or recon shape) that static rules (Chapter 26) would miss.
FIGURE 31.3Authentication Anomaly Model — Features and Signals
auth anomaly modelflags unusual patterns failure-cause mix (Ch6) geo/temporal clustering identity-type anomalies detectsFBS, credential abuse
Purpose: ML on authentication. Combining failure-cause mix, geo/time clustering, and identity anomalies, a model can flag a false base station or credential abuse earlier than a fixed threshold.
FIGURE 31.4API Abuse Detection Architecture
per-AF behavior (Ch12)call mix, rate, targets ML baseline + scoredeviation = abuse? flagsscraping, surveillance SOC (Ch27)
Purpose: ML on exposure. A per-AF behavioral baseline flags the entitled-but-abusive pattern (Chapter 12) — like a partner whose calls drift into surveillance — that a fixed quota might not catch.
FIGURE 31.5NWDAF Analytics for Security
NWDAF (TS 23.288)native analytics: abnormal behavior, expected UE behavior, load network datafrom NFs security consumersSOC, SIEM, automation NWDAF is 3GPP-native analytics — including an "abnormal behaviour" analytic directly usable for security (complement, not replace, your SIEM)
Purpose: the in-network analytics function. NWDAF provides standardized analytics — including abnormal-behavior detection — that security can consume, complementing an external SIEM (Chapter 26).
FIGURE 31.6Adversarial ML — Poisoning and Evasion
poisoning attacker corrupts training data → model learns the attack as "normal" → blind spot built in defense: data provenance, validation evasion attacker shapes traffic to stay just under the anomaly threshold → "low and slow" evades defense: ensembles, rules + ML, retrain
Purpose: ML is itself attackable. Poisoning builds blind spots; evasion stays under thresholds — which is why ML must complement (not replace) rules, and why model security matters.
FIGURE 31.7Human-in-the-Loop Triage Design
ML scoresranked candidates analyst triageconfirm / dismiss action (Ch27) confirmations retrain the model feedback loop
Purpose: the responsible design. Analysts confirm or dismiss ML candidates and their decisions retrain the model — keeping a human accountable and improving accuracy over time.
FIGURE 31.8AI Governance Checklist for Telecom Security
AI/ML SECURITY GOVERNANCE ☑ model + training-data provenance & validation (anti-poisoning) ☑ ML complements rules (ensemble), never sole judge ☑ human-in-the-loop for enforcement decisions ☑ explainability for analyst trust + audit ☑ retraining cadence + drift monitoring ☑ adversarial testing (evasion/poisoning) ☑ false-positive budget (avoid alert fatigue, Ch26) ☑ regulatory/privacy alignment (data used to train)
Purpose: AI in security needs its own governance. Provenance, ensembles, human oversight, explainability, and adversarial testing keep ML a trustworthy aid rather than an unaccountable risk.

31.2 The Practical Operator View

31.3 Threats and Mitigations

ThreatVectorDefense
Model poisoningcorrupted training datadata provenance/validation
Evasion (low-and-slow)traffic shaped under thresholdensembles, rules+ML, retrain
Automated FP damageML wired to enforcementhuman-in-the-loop
Model driftchanging baselinesdrift monitoring, retraining
Privacy/regulatorytraining on sensitive datagovernance, minimization (Ch19)

31.4 Terminology

TermMeaning
NWDAFNetwork Data Analytics Function (3GPP-native analytics)
poisoning / evasionCorrupting training data / shaping inputs to avoid detection
human-in-the-loopHuman confirms ML decisions before action
driftModel accuracy degrading as conditions change

Real network example. An operator deployed an ML anomaly detector on signaling and, impressed by early results, wired it directly to an automated mitigation that throttled "anomalous" sources. During a major sporting event, the legitimate, never-before-seen traffic pattern of tens of thousands of fans triggered the model, and the automation throttled real subscribers at the worst possible time — an automated false-positive outage. The fix wasn't to abandon ML but to put a human in the loop: the model now surfaces ranked candidates to the SOC (Chapter 27), analysts confirm before any throttling, and the event's pattern was added to training. ML is a superb sense and a dangerous sole judge — keep it advisory, keep a human accountable.

Chapter Summary

? Review Questions

  1. Why should ML aid detection rather than drive enforcement directly?
  2. Where does ML add the most value over static rules?
  3. What is NWDAF and how does it support security analytics?
  4. Explain poisoning and evasion attacks on security ML.
  5. Why ensemble ML with rules?
  6. What is the role of human-in-the-loop triage?
  7. Name four AI governance controls for telecom security ML.
  8. An ML detector wired to auto-mitigation causes an outage during an event. Diagnose and fix.
🧪 Mini lab — anomaly detection, responsibly

Using captured/simulated 5G signaling data: (1) Build a simple baseline of "normal" registration/auth rates per cell/time. (2) Add an anomaly score for deviations and test it on an injected signaling storm — does it flag the storm? (3) Now inject a benign but unusual pattern (e.g., an event surge) and observe the false positive. (4) Design the human-in-the-loop: how would an analyst confirm before any action, and how would the event pattern be fed back to retrain? (5) List two ways an attacker could evade your detector (low-and-slow) and how an ensemble with a rule would catch it. You've now experienced both ML's power and its failure mode — and the governance that makes it safe to use.

← Chapter 30 Chapter 31 Chapter 32 →