To address security threats—including message tampering, telemetry poisoning, and malicious xApp hijacking—against the Open RAN near-real-time (near-RT) control loop at runtime, this paper proposes the first three-layer runtime threat model targeting E2 interface control flows: message layer, data layer, and control logic layer. We design a lightweight, multi-layered defense framework comprising: (i) E2-semantics-aware message signing and verification; (ii) LSTM-based modeling of telemetry time-series features for poisoning attack detection; and (iii) execution-state hash challenge-response for remote, runtime xApp authentication. Evaluated on a real-world O-RAN testbed, our solution incurs an average latency of <80 ms under 500 UE load, achieves high detection accuracy, imposes low system overhead, and supports policy-driven deployment and scalable integration—demonstrating strong practical deployability.

Securing the near-real-time (near-RT) control operations in Open Radio Access Networks (Open RAN) is increasingly critical, yet remains insufficiently addressed, as new runtime threats target the control loop while the system is operational. In this paper, we propose a multi-layer defence framework designed to enhance the security of near-RT RAN Intelligent Controller (RIC) operations. We classify operational-time threats into three categories, message-level, data-level, and control logic-level, and design and implement a dedicated detection and mitigation component for each: a signature-based E2 message inspection module performing structural and semantic validation of signalling exchanges, a telemetry poisoning detector based on temporal anomaly scoring using an LSTM network, and a runtime xApp attestation mechanism based on execution-time hash challenge-response. The framework is evaluated on an O-RAN testbed comprising FlexRIC and a commercial RAN emulator, demonstrating effective detection rates, low latency overheads, and practical integration feasibility. Results indicate that the proposed safeguards can operate within near-RT time constraints while significantly improving protection against runtime attacks, introducing less than 80 ms overhead for a network with 500 User Equipment (UEs). Overall, this work lays the foundation for deployable, layered, and policy-driven runtime security architectures for the near-RT RIC control loop in Open RAN, and provides an extensible framework into which future mitigation policies and threat-specific modules can be integrated.