To address the expanded attack surface in O-RAN dynamic network slicing scenarios—exacerbated by modular, open architectures—this paper proposes the first LLM-driven, xApp-level intrusion detection framework. Our method jointly leverages UE-level time-series traffic feature extraction, network slice security policies, and fine-grained traffic semantic understanding, supporting both zero-shot and domain-adapted inference. It is deeply integrated into the O-RAN architecture via the RIC interface. Innovatively, we deploy foundation LLMs (e.g., LLaMA, Qwen) within the near-real-time RIC environment to enable real-time anomaly detection and generate interpretable, actionable security responses. Evaluated on a production-grade O-RAN testbed, the domain-finetuned model achieves 98.7% attack detection accuracy with an average response latency of only 118 ms—significantly outperforming conventional IDS solutions. This work establishes a novel, high-accuracy, low-latency, and explainable *intrinsic security* paradigm for open wireless networks.

The Open Radio Access Network (O-RAN) architecture is reshaping telecommunications by promoting openness, flexibility, and intelligent closed-loop optimization. By decoupling hardware and software and enabling multi-vendor deployments, O-RAN reduces costs, enhances performance, and allows rapid adaptation to new technologies. A key innovation is intelligent network slicing, which partitions networks into isolated slices tailored for specific use cases or quality of service requirements. The RAN Intelligent Controller further optimizes resource allocation, ensuring efficient utilization and improved service quality for user equipment (UEs). However, the modular and dynamic nature of O-RAN expands the threat surface, necessitating advanced security measures to maintain network integrity, confidentiality, and availability. Intrusion detection systems have become essential for identifying and mitigating attacks. This research explores using large language models (LLMs) to generate security recommendations based on the temporal traffic patterns of connected UEs. The paper introduces an LLM-driven intrusion detection framework and demonstrates its efficacy through experimental deployments, comparing non fine-tuned and fine-tuned models for task-specific accuracy.