In 5G Open RAN, random access (RA) signaling storms cause control-plane overload and massive RRC connection failures. Existing n-RT RIC-based detection methods suffer from non-deterministic latency (tens to hundreds of milliseconds) inherent to general-purpose processors, failing to meet microsecond-level response requirements. Method: We propose the first lightweight Random Forest classifier deployed directly on the P4-programmable data plane, enabling deterministic, microsecond-scale ML inference—specifically, a fixed 3.4 μs per flow—on Barefoot Tofino switching ASICs. By tightly integrating line-rate flow classification with in-line ML-based detection, the system identifies and filters malicious RRC requests in real time within the data plane. Contribution/Results: Our approach achieves 94.2% detection accuracy, significantly enhancing QoS assurance while breaking the latency bottleneck of conventional RIC architectures. It offers high scalability and practical deployability in production Open RAN environments.

The disaggregation and virtualization of 5G Open RAN (O-RAN) introduces new vulnerabilities in the control plane that can greatly impact the quality of service (QoS) of latency-sensitive 5G applications and services. One critical issue is Random Access (RA) signaling storms where, a burst of illegitimate or misbehaving user equipments (UEs) send Radio Resource Control (RRC) connection requests that rapidly saturate a Central Unit's (CU) processing pipeline. Such storms trigger widespread connection failures within the short contention resolution window defined by 3GPP. Existing detection and mitigation approaches based on near-real-time RAN Intelligent Controller (n-RT RIC) applications cannot guarantee a timely reaction to such attacks as RIC control loops incur tens to hundreds of milliseconds of latency due to the non-deterministic nature of their general purpose processor (GPP) based architectures. This paper presents RAID, an in-network RA signaling storm detection and mitigation system that leverages P4-programmable switch ASICs to enable real-time protection from malicious attacks. RAID embeds a lightweight Random Forest (RF) classifier into a programmable Tofino switch, enabling line-rate flow classification with deterministic microsecond-scale inference delay. By performing ML-based detection directly in the data plane, RAID catches and filters malicious RA requests before they reach and overwhelm the RRC. RAID achieves above 94% detection accuracy with a fixed per-flow inference delay on the order of 3.4 microseconds, effectively meeting strict O-RAN control-plane deadlines. These improvements are sustained across multiple traffic loads, making RAID a fast and scalable solution for the detection and mitigation of signaling storms in 5G O-RAN.