DAST: A VLM-LLM Framework for Cross-Interface Anomaly Detection in O-RAN
Researchers present DAST, a zero-shot AI framework combining Vision Language Models and Large Language Models to detect anomalies and denial-of-service attacks in O-RAN (Open Radio Access Network) infrastructure. The system achieved 0.910 F1-Score by converting network telemetry into visual representations and cross-referencing them against domain knowledge, addressing critical security gaps in disaggregated 5G/6G networks.
O-RAN architecture represents a fundamental shift in telecom infrastructure by enabling multi-vendor interoperability through standardized open interfaces. This disaggregation creates efficiency gains but simultaneously expands the attack surface across logically decoupled network tiers. Traditional anomaly detection methods struggle with this environment because labeled training data is scarce, threat patterns evolve rapidly, and the high-dimensional multivariate telemetry from distributed components overwhelms conventional inference models.
DAIT's multi-stage VLM-LLM pipeline addresses these detection gaps through a novel approach: converting Key Performance Indicator streams into visual heatmaps, scoring textual interface descriptions against O-RAN domain knowledge, and verifying suspicious patterns on high-resolution visualizations. This zero-shot methodology eliminates dependency on labeled baselines, making it adaptive to emerging threat classes without constant retraining cycles. The framework outputs not just anomaly flags but also temporal intervals, problematic interfaces, and operational impact ratings aligned with O-RAN working group standards.
For telecom operators and equipment vendors, this development has significant implications. The telecom industry faces increasing pressure to adopt O-RAN deployments for cost savings and flexibility, but security concerns have tempered adoption rates. DAST demonstrates that AI-driven, domain-aware anomaly detection can bridge this security gap without requiring extensive historical data, potentially accelerating O-RAN deployments globally. The 0.910 F1-Score outperforms existing time-series methods, suggesting enterprise-grade deployability.
Industry watchers should monitor whether DAST sees integration into commercial O-RAN management platforms and whether similar VLM-LLM chaining approaches prove effective for other critical infrastructure domains facing similar detection challenges.
- βDAST combines Vision Language Models and Large Language Models in a zero-shot framework designed to detect performance-degradation and denial-of-service attacks in O-RAN networks
- βThe system converts multivariate KPI telemetry into visual representations, enabling anomaly detection without requiring labeled training baselines
- βDAST achieved 0.910 F1-Score and 0.843 Accuracy, outperforming traditional time-series anomaly detection methods in real O-RAN testbed evaluations
- βThe framework provides actionable intelligence including problematic interfaces, anomalous time intervals, and WG11-aligned operational impact ratings
- βZero-shot architecture enables rapid adaptation to evolving threats without continuous model retraining cycles, addressing a critical gap in current telecom security practices