Cross-Layer Intrusion Detection in 5G O-RAN: Gains and Limits of Fusing Radio Telemetry with Network Flow Records

Abstract

Open RAN disaggregation enables joint analysis of DU radio telemetry and CU-side network-flow records, motivating cross-layer intrusion detection. We evaluate whether fusing these two modalities improves over each individually across seven architectures, using run-disjoint splits over ten seeds on a live 5G O-RAN dataset. Radio features match or outperform network flows on ROC-AUC and run-level detection rate across all architectures. Fusion yields selective ROC-AUC gains but at a one-percent false-positive operating point improves detection rate only for GRU and Transformer, reducing it for the other five models. The benefit is confined to architectures where both single-modality detection rates fall below 0.75. A DoS-to-Benign confusion of 27 to 46 percent persists across all 42 tested configurations of architecture, modality, and window duration, pointing to a limitation in the tested windowed statistical aggregation rather than in model capacity. Code is publicly available.