PUL-Inter-slice Defender: An Anomaly Detection Solution for Distributed Slice Mobility Attacks

📅 2025-10-02
🤖 AI Summary
To address the emerging DDoS threat of Distributed Slice Mobility (DSM) attacks, in which malicious actors exploit Inter-Slice Switching (ISS) in 5G networks, this paper proposes a robust anomaly detection method based on Positive and Unlabeled Learning (PU Learning). The approach uniquely integrates an LSTM autoencoder with K-Means clustering, using 3GPP-standardized KPIs and performance counters as features. It achieves reliable detection even under severe label contamination (10%–40% attack samples). Evaluated against baseline models, including One-Class SVM, Random Forest, and XGBoost, the method consistently attains an F1-score exceeding 98.50%, significantly improving detection accuracy and generalization for stealthy DSM attacks. The solution is lightweight and deployable, offering a practical defense mechanism for network slicing security in 5G infrastructure.

📝 Abstract
Network Slices (NSs) are virtual networks operating over a shared physical infrastructure, each designed to meet specific application requirements while maintaining consistent Quality of Service (QoS). In Fifth Generation (5G) networks, User Equipment (UE) can connect to and seamlessly switch between multiple NSs to access diverse services. However, this flexibility, known as Inter-Slice Switching (ISS), introduces a potential vulnerability that can be exploited to launch Distributed Slice Mobility (DSM) attacks, a form of Distributed Denial of Service (DDoS) attack. To secure 5G networks and their NSs against DSM attacks, we present in this work PUL-Inter-Slice Defender, an anomaly detection solution that leverages Positive Unlabeled Learning (PUL) and incorporates a combination of Long Short-Term Memory Autoencoders and K-Means clustering. PUL-Inter-Slice Defender leverages the Third Generation Partnership Project (3GPP) key performance indicators and performance measurement counters as features for its machine learning models to detect DSM attack variants while maintaining robustness in the presence of contaminated training data. When evaluated on data collected from our 5G testbed based on the open-source free5GC and UERANSIM, a UE/Radio Access Network (RAN) simulator, PUL-Inter-Slice Defender achieved F1-scores exceeding 98.50% on training datasets with 10% to 40% attack contamination, consistently outperforming its counterpart Inter-Slice Defender and other PUL-based solutions combining One-Class Support Vector Machine (OCSVM) with Random Forest and XGBoost.
Problem

Research questions and friction points this paper is trying to address.

Detecting Distributed Slice Mobility attacks in 5G networks
Securing inter-slice switching against DDoS vulnerabilities
Identifying anomalies with contaminated training data robustness
Innovation

Methods, ideas, or system contributions that make the work stand out.

Uses Positive Unlabeled Learning for anomaly detection
Combines LSTM Autoencoders with K-Means clustering
Leverages 3GPP performance indicators as model features
Ricardo Misael Ayala Molina
Concordia University, Montreal, Canada
H. Alameddine
Ericsson, Montreal, Canada
M. Pourzandi
Ericsson, Montreal, Canada
Chadi Assi
IEEE Fellow, Professor, Concordia University
Networks and network optimization