Search papers, labs, and topics across Lattice.
This paper introduces ORAN-DEFEND, a novel approach that sanitizes potentially compromised deep reinforcement learning (DRL) xApps in Open RAN by projecting key performance indicator (KPI) telemetry onto a safe subspace using singular value decomposition (SVD). The method effectively mitigates backdoor attacks by ensuring that harmful triggers do not concentrate in the orthogonal complement of the safe subspace, achieving a remarkable 100% return recovery and over 99.5% defense success rate across various attack scenarios. The findings highlight a critical limitation of linear projection defenses, revealing that when triggers overlap with legitimate signals, recovery becomes increasingly dependent on the trigger's energy distribution.
A linear projection defense can fail catastrophically when backdoor triggers coincide with legitimate signals, exposing a critical vulnerability in DRL xApps.
Open Radio Access Networks (O-RAN) increasingly delegate near-real-time control to deep reinforcement learning (DRL) xApps obtained from third-party vendors, creating a new supply-chain attack surface. A backdoor policy behaves optimally until an adversary injects a covert trigger into the observed key performance indicator (KPI) telemetry, at which point it issues harmful control actions that degrade quality of service (QoS). We present ORAN-DEFEND, a retraining-free wrapper that sanitizes a frozen, potentially compromised xApp by projecting each KPI window onto a safe subspace estimated from a small number of trusted clean rollouts via singular value decomposition (SVD). We establish, both analytically and empirically, a precise recovery condition: the defense succeeds if the trigger energy concentrates in the orthogonal complement of the safe subspace, and we quantify this boundary through the trigger's $\Eperp$ energy fraction. On the Colosseum COLORAN dataset, we evaluate four structurally distinct DRL backdoor attacks, like TrojDRL, SleeperNets, BadRL, and Q-Incept, spanning inner-loop and outer-loop poisoning regimes and demonstrate $100\%$ return recovery and $\geq99.5\%$ defense success rate across all four when the subspace assumption holds. A geometry ablation reveals an intrinsic and previously uncharacterized limit of any linear projection defense: when the trigger collocates with the legitimate signal, the $\Eperp$ energy fraction governs recovery monotonically, and the linear residual detector collapses to chance even while a nonlinear classifier retains perfect separability.