The ENSURE-6G consortium is proud to share that our collaborative research paper has been awarded the Best Paper Award at the IEEE Conference on Communications and Network Security (CNS) 2025, held in Avignon, France, from 8–11 September.
📖 Title: Securing xApps in Open RAN: A Hierarchical Approach to Authentication and Authorisation
👥 Authors: Pramitha Fernando (Vrije Universiteit Brussel, Belgium), Pawani Porambage (VTT Technical Research Centre of Finland, Finland), Madhusanka Liyanage (University College Dublin, Ireland), Kris Steenhaut (Vrije Universiteit Brussel, Belgium), and An Braeken (Vrije Universiteit Brussel, Belgium).
Assoc. Prof. Madhusanka Liyanage from UCD (center) receiving the Best Paper Award on behalf of the NetsLab team at IEEE CNS 2025 in Avignon, France.
Why This Research Matters
The global telecom industry is rapidly transitioning towards Open Radio Access Networks (Open RAN). Unlike traditional RAN architectures that rely on proprietary vendor-specific solutions, Open RAN promotes openness, interoperability, and innovation by allowing third-party developers to create and deploy intelligent applications—known as xApps (near-real-time) and rApps (non-real-time)—within the RAN Intelligent Controllers (RICs).
However, this openness introduces new security risks. With multiple stakeholders, open interfaces, and third-party software running inside critical network infrastructure, the attack surface grows dramatically. Ensuring trustworthy authentication, authorisation, and monitoring of these applications is therefore essential to safeguard 5G and beyond networks.
This award-winning paper provides a practical, scalable, and future-ready solution to these challenges.
Key Contributions of the Paper
- Hierarchical Security Framework
- Proposes a tiered security architecture aligned with the layered operation of Open RAN (dApps → xApps → rApps).
- Introduces dedicated security apps at each layer to continuously monitor, authenticate, and authorise third-party applications.
- Ensures efficient division of responsibilities, reducing overhead at lower layers while leveraging more powerful analysis at higher layers.
- Enhanced Token Management
- Extends the existing xApp Repository Function (XRF) framework with OAuth 2.0 access tokens, refresh tokens, and token rotation.
- This improves resilience against token leakage and hijacking attacks, while keeping authentication delays low.
- Robust Experimental Validation
- Evaluated across multiple deployment scenarios (XRF in near-RT RIC vs. non-RT RIC) and three authentication modes (access tokens only, access+refresh, access+refresh with rotation).
- Tested with hundreds of concurrent clients, measuring authentication delay, refresh delay, request overhead, and bandwidth consumption.
- Results confirm that the framework is scalable and lightweight, adding only minimal delays even under heavy load.
- Resilience Against Realistic Threats
- Simulated malicious token reuse attacks to demonstrate how the system detects compromised tokens and forces re-authentication.
- This strengthens Open RAN against insider threats, misconfigured apps, and external attackers.
Impact for ENSURE-6G and Beyond
This work directly supports the ENSURE-6G mission of building trustworthy, secure, and resilient 6G networks by:
- Providing blueprints for Zero-Trust principles in next-generation telecom systems.
- Offering a scalable, cloud-native implementation aligned with microservice-based Open RAN deployments.
- Ensuring that security enhancements do not compromise latency, bandwidth efficiency, or network performance—which are crucial for 6G use cases like autonomous mobility, critical IoT, and immersive communications.
By aligning with the O-RAN Alliance specifications and addressing real-world security gaps, this research bridges the gap between academic innovation and industry adoption.
Acknowledgements
This research was conducted within the framework of the EU-funded Marie Skłodowska-Curie Staff Exchange project ENSURE-6G (Grant ID: 101182933).
Additional support was provided by:
- EU COST Action CA22104 (Behavioural Next Generation in Wireless Networks for Cyber Security)
- Cybersecurity Research Program Flanders – Second Cycle (VOEWICS02)
- CONFIDENTIAL-6G project (Grant ID: 101096435)
- Science Foundation Ireland CONNECT Centre Phase 2 (Grant No. 13/RC/2077_P2)
Read the Full Paper
📄 The full text is openly available here:
👉 Read on ResearchGate
🏆 Winning the Best Paper Award at IEEE CNS 2025 is a testament to the high-impact research being carried out within ENSURE-6G. This achievement highlights the importance of cross-border collaboration and the project’s contribution to shaping the future of secure and intelligent 6G communication systems.
