Distributed Ledgers and Security Mechanisms on Radio Access Networks: A Systematic Review

1. Introduction

This section introduces the motivation for conducting this SLR, states the research questions, presents the main contributions, and defines the scope and limitations of the review.

1.1. Motivation

During the development of the fifth generation of wireless technology, also called 5G, the first steps considered the definition of use cases. This stage identified bottlenecks in previous technologies, especially insufficient spectra, the inability to absorb the predicted growing number of connected devices, and new use cases from emerging QoS requirements, characteristics, and mobile applications [1,2]. So, to address this and other issues, the 5G development focuses on three usage scenarios [3,4]:

• Enhanced Mobile Broadband (eMBB) to increase speed and capacity. The expected requirements for this case are a data transmission speed of up to $20Gbps$ and a latency of less than $7ms$.
• Ultra Reliable, Low-Latency Communications (URLLC), which aims to guarantee low latency and high reliability to comply with requirements of vertical market segments such as industrial, health, transportation, and aviation. Their target requirements are a probability of error from ${10}^{-5}$ to ${10}^{-8}$ and a latency of less than $3ms$.
• Massive Machine-Type Communications (mMTC) support a massive number of connected objects, such as Internet of Things (IoT) environments. To reach this use case, it needs a density of up to 1 million devices per square kilometer and a battery life of up to 10 years without recharging.

These scenarios can lead to improved user experiences, more connected environments, and opportunities for innovation and economic growth [5]. Once different functionalities demand different resources, a specific user can use three scenarios at distinct intensities (Figure 1). However, these innovations come with several challenges. Some of them are:

• the necessity of an increasing amount of antennas due to the use of higher frequencies.
• the demand for ensuring compatibility between 5G and previous networks considering latency requirements.
• the growing number of devices.
• and deployment complexity, to name a few.

Furthermore, the evolution of mobile communication brings about not only hardware problems. The most recent mobile networks are immersed in softwarization and virtualization [6]. Softwarization is the possibility of running functionalities in software components instead of hardware, which brings high flexibility and reconfigurability to networks. Virtualization is the software/hardware splitting by creating virtual instances of network resources, which permits software to run on commercial off-the-shelf (COTS) hardware. These new paradigms dissociate the insertion of new functionalities and network updates from the necessity of hardware upgrades, which can introduce a reduction in capital (CAPEX) and operational (OPEX) expenditure when updating or introducing new functions and network configurations, especially due to functional splits and Network Slicing [7] (NS). However, softwarization and virtualization insert new vulnerabilities into the network, for example, network development and deployment could be prone to human errors and their complexity can increase the potential for flaws and bugs [8].

In addition to these and other challenges, one more arises: network security. The intrinsic characteristics of 5G bring another plethora of security challenges [9]. The transition from 4G to 5G demands 5G non-standalone (5GNSA) networks, in short, 5G access networks with a 4G core. However, 5GNSA networks are vulnerable, for example, to Denial of Service (DoS) attacks, as they bring 4G vulnerabilities from the beginning. Even 5G standalone (5GSA, the pure 5G) networks are susceptible to exploitation once they are based on software-defined networking (SDN) and network function virtualization (NFV), which use the HTTP and REST API protocols, well-known and widely used on the Internet, including by malicious agents [10].

Considering the mentioned scenarios, it is necessary to address new 5G cybersecurity issues due to the rising application of cloud computing, edge computing, and the convergence of mobile and traditional IT networks by creating new vulnerabilities. For example, adversaries can maliciously deploy their own devices and applications to exploit the open nature of the mobile edge. This approach could enable traffic to be sniffed without authorization and reach results close to the Man-in-the-Middle attack.

This topic is relevant to policymakers and public sector regulators as well. For instance, the Brazilian Telecommunications Agency (Anatel) [11] established a governance model through the Working Group for Cybersecurity and Critical Infrastructure Risk Management (Cyber WG), which defines Cybersecurity1 as “actions aimed at operational security to ensure that information systems can withstand events in cyberspace capable of compromising the availability, integrity, confidentiality, and authenticity of data stored, processed or transmitted, and the services that these systems offer or make them accessible”.

In this sense, we can mention Distributed Ledger Technologies (DLTs) among the technologies applied to improve security in 5G network components. We observe that the more the 5G technology evolved, considering its requirements and specifications, the more proposals utilize DLTs technology to register different information sources. Among the DLTs, blockchain stands out as a DLT used to register, authenticate, and validate assets, transactions, and interactions. Furthermore, blockchain records data and manages identification in different networks in a trusted, decentralized, and secure manner [12]. Consequently, some studies aim to apply blockchain in radio access networks to leverage 5G networks. One of the main interests of using blockchain in telecommunication networks lies in the Multi-access Edge Computing (MEC) paradigm. Thus, blockchain could supply a decentralized edge computing marketplace matching edge infrastructure vendors with retailers without a single control point [13]. For instance, this approach can help to develop a commercial model to access edge cloud infrastructure. So, we have expanded the scope to investigate possible other DLTs that could enhance RAN security.

Furthermore, we have considered studying how various security mechanisms could enhance RAN security and how these technologies can increase system resilience. In this sense, we speculate DLTs could perform a significant role in RAN security since they function in a trusted, decentralized, and secure manner. We hypothesize that DLTs can improve communication security due to their characteristics. This paper also brings other RAN security approaches discussed in academia to identify which security topics are studied beyond DLTs.

To elaborate this study, we decided to carry out a Systematic Literature Review (SLR) [14,15], which allows us to investigate a specific area by determining and following a systematic process that other researchers can use in the future to validate or update our results and can be applied to study different topics, including those related to this work, such as Distributed Ledger Technologies [16], Access Networks [17], and Cybersecurity [18]. It is important to note that an SLR demands a slow and gradual process to avoid possible issues such as loss of repeatability, impact on stability, risk of bias, and negligence on proper documentation. This established process allows to properly focus on answering the research questions as defined by the SLR protocol.

Therefore, this work presents the results of a systematic review of ways to improve security in RANs to give a structured overview of identified vulnerabilities, threats, attacks, and possible security dimensions applicable to detect and mitigate harmful effects and plan networks less susceptible to different risks and menaces.

1.2. Scope and Limitations

One of the main objectives of this work is to investigate how DLTs are applied to increase security in RANs. Thus, it is important to highlight that DLT is a broader term that refers to any digital ledger maintained across a network of nodes in a decentralized, distributed manner. Some types of ledgers use different mechanisms to achieve agreement among network participants: For example [19,20,21]:

• Blockchain uses a chain of blocks to record and verify transactions. Each block contains a set of transactions validated by a consensus mechanism.
• Directed Acyclic Graph (DAG), a ledger based on a graph structure to record and verify transactions. These transactions are linked in a directed graph rather than a linear chain. DAG ledgers can be more scalable and efficient than linear chains, and they are often used for applications such as IoT and micropayments.
• Distributed Consensus Ledger, a distributed ledger that uses a consensus mechanism to validate transactions and achieve agreement among network participants. It does not necessarily use a chain of blocks to record transactions.
• Federated Ledger, a distributed ledger controlled by a consortium or group of organizations. In this case, participants have a defined level of access and control over the ledger and consensus is reached among participants rather than through a public blockchain or consensus algorithm.
• Hybrid Ledger, that combines different types of DLT.

Considering these definitions, DLTs have a relevant role in this review. However, to establish a comparative reference, the online search considered the term security mechanisms to include other approaches applied to RANs.

Furthermore, we can see other security topics discussed in the accepted papers. Vulnerabilities in Radio Resource Control (RRC) mentioned in some papers, including access control, outdated assets, and authentication, are discussed as the main vulnerabilities of RRC protocols.

Other accepted papers investigate Intrusion Detection Systems (IDS) and Intrusion Prevention Systems (IPS). Denial of Service (DoS) and Man-in-the-Middle (MitM) attacks are the most relevant risks considered in these papers. In this case, the proposed systems are anomaly detection-based systems with different implementations and hybrid systems that merge IDS and IPS with other technologies.

The Fronthaul (FH) interface that provides connectivity between the radio and the baseband units in the RAN is an attention point in the accepted papers. Suggested ways to deal with the clear-text nature of the FH data include the insertion of security standards and protocols.

Security in the Network Slicing, a feature that creates virtual slices across the RAN to allow unique network access for several enterprises and applications, is also a recurrent topic. The proposals to improve slicing security include a certificateless signature scheme and a virtual private network.

It is important to note that the accepted papers come from the search string developed during the preparation of the SLR protocol; that is, this review focuses on the works brought by the search carried out in the repositories of scientific articles defined in the structuring of the protocol.

1.3. Research Questions

This review studies application security mechanisms that increase privacy and security in RANs by managing access and authentication for entities in these networks. It also evaluates other security mechanisms in the same context Thus, we define the following research questions.

• What are the main threats to the Radio Access Networks (RANs)?
• How are Distributed Ledger Technologies (DLT) applicable to enhancing RANs?
• What do studies apply to increase security in RANs?
• How do studies apply DLTs to increase security in RANs?
• What are the advantages and disadvantages of DLT usage to improve security in RANs?
• What are the proposed future works (open challenges)?

1.4. Contributions

This work aims to identify mechanisms to improve RAN security and how they do it. Thus, following the established systematic literature review protocol, we have considered 39 papers published in journals and conferences after the search and selection phases. Our first result is general information regarding the quantitative analyses of the extracted data. Then, we present vulnerabilities, threats, affected security dimensions, and proposed solutions. We could verify trends in the use of DLTs on the RANs and specific security concerns related to the Fronthaul (FH), Network Slicing (NS), and Radio Resource Control (RRC). Furthermore, the remaining contributions of this article are:

• We elaborated the SLR protocol, which can be used to replicate or update this study in the future.
• We defined and reviewed 39 papers considering they explore threats, vulnerabilities, attacks, and solutions for RAN security.
• We analyzed and presented the information extracted from the accepted papers, classifying threats, vulnerabilities, and solutions.
• We presented the state-of-the-art related to security issues in RAN scenarios, discussing important points.

1.5. Review Structure

The remainder of this work is organized as follows. Section 2 briefly introduces some security concepts, Radio Access Networks, and Distributed Ledger Technologies. Section 3 describes the threat model adopted for this work. Section 4 explores the threats, vulnerabilities, and solutions discussed in the accepted papers. We interprets the findings of the papers, discussing the main implications of the results and comparing the identified security solutions, in Section 5. We conclude this study in Section 6. Additionally, Appendix A presents the systematic literature review protocol and Appendix B shows the general results from the collected data, considering quantitative information.

2. Background

This section presents the theoretical basis of this systematic review. It includes security elements, the Radio Access Network framing, and Distributed Ledger Technologies.

2.1. Security Concepts

It is important to define some key security concepts to lay a foundation and contribute insights for this research, helping to classify the accepted papers. This way, based on the Internet Engineering Task Force (IETF) RFC 4949, Internet Security Glossary, Version 2 [22], we can specify:

• Attack: a malicious attempt to collect, disrupt, deny, degrade, or destroy the system information or the system itself.

  -

  Attack Surface [23], in the context of the Radio Access Network (RAN), is the set of potential entry points that adversaries can exploit to gain unauthorized access to the network. For example, we can cite the introduction of Network Slicing (NS), a feature that creates virtual slices across the RAN to allow unique network access for several enterprises and applications [24]. However, malware from a slice may be leveraged to infect another slice in the same hardware. A certificateless signature could be a countermeasure, as discussed in SubSection 5.2.5.

• Security: established and maintained measures to protect the system/component/data. It may involve six functions:

  -

  Deterrence, the threat discouraging.

  -

  Avoidance, reducing the probability of a loss or the value of the potential loss.

  -

  Prevention, countermeasures to minimize possible security violations.

  -

  Detection, identifying occurred or in progress violations.

  -

  Recovery, actions to restore the normal state of a system.

  -

  Correction, updating the security architecture to reduce or eliminate risks.

• Threat: an intentional or accidental danger that might occur if an attacker is successful. The considered threats [25] in this paper are:

  -

  Destruction of information or other resources.

  -

  Corruption or modification of information.

  -

  Theft, removal, or loss of information or other resources.

  -

  Disclosure of information.

  -

  Interruption of services.

• Vulnerability: a security breach, that could be a flaw or weakness in a system’s design, implementation, or operation and management, and could be exploited to violate a system.

As important as the definition of these previous terms is the circumscription of security dimensions [26,27], which are sets of security measures designed to address a particular aspect of network security. According to the references, there are eight sets focused on the protection against the majority of the threats:

• Access control, the protection against unauthorized use of network resources.
• Authentication, the confirmation of entity identities.
• Availability, the ensuring of authorized access and information availability.
• Communication security, the protection against data diversion or interception.
• Data confidentiality, the protection against data unauthorized disclosure.
• Data integrity, the guarantee of correctness or accuracy of the data.
• Non-repudiation, the correctness in the association between actions and actors.
• Privacy, the protection of the information.

It is possible to verify that this approach is more comprehensive than the CIA security triad2, a famous guiding model in information security, which only includes confidentiality, integrity, and availability among its components.

2.2. RAN Architecture

Although this work does not focus on a specific generation, we explain the 5G RAN architecture as a reference in this subsection since this SLR selected 4G, 5G, and generation-agnostic papers. The primary 5G RAN architecture is designed in 3GPP Rel-15 specifications [28] (Figure 2).

The RAN [29,30] is the central part of the wireless communication system as it is responsible for connecting the user equipment (UE) to the core network (CN) and includes a set of base stations and user equipment devices, such as smartphones, routers, or IoT devices [31]. Nonetheless, a typical RAN involves two essential units, the radio unit (RU) and the baseband unit (BBU):

• The Radio Unit (RU) contains radio functions and is located near the antennas.
• The Baseband Unit (BBU) is responsible for radio management, resource utilization, sharing, and other operations like modulation and demodulation, bit-to-symbol mapping, and coding and decoding.

Early cellular systems [32] used integrated BBUs and RUs components. However, this architecture suffered from radio frequency signal propagation loss in the electrical cable feed [33] since some of the signal energy dissipates in the cable and the components [34]. So, the concept of distributed RANs (D-RANs) arose to address this issue by separating the BBU and RU components and connecting them through a common public radio interface (CPRI).

The next step in the RAN evolution was the introduction of Cloud Radio Access Networks (C-RANs), in which some cellular network functions are relocated to the cloud infrastructure. This operation involves migrating the BBU to the cloud while keeping the RU at the base station. The BBU is connected to the RU through a high-speed and low-latency Fronthaul communication channel, activated by the enhanced common public radio interface (eCPRI). This open and Ethernet-based interface has ubiquitous applications and enables different types of traffic [35]. C-RANs offer advantages such as reduced capital and operational expenditures, improved energy efficiency, and dynamic resource allocation.

This evolution paved the virtualization of the RAN functions and their use on generic hardware platforms [36]. Virtualized Radio Access Networks (vRANs) enable telecommunication carriers to perform their base-band functions as software running on not necessarily proprietary hardware.

2.2.1. Protocol Layer Stack

Another relevant step in the RAN evolution is the segregation of the BBU into Centralized Unit (CU) and Distributed Unit (DU). In 5G networks, the 3GPP Release 15 defined this split, which is especially relevant to Open RAN [37]:

• The Centralized Unit (CU) implements the higher layers of the 3GPP stack, namely the Radio Resource Control (RRC) layer, the Service Data Adaptation Protocol (SDAP) layer, and the Packet Data Convergence Protocol (PDCP) layer, among others. It is divided into two interfaced modules, one dedicated to the user plane (UP) and the other to the control plane (CP), due to the Control and User Plane Separation (CUPS) architecture. The CUPS architecture provides flexibility for network improvement compared to the conventional architecture where both planes have a less pronounced separation [38].
• The Distributed Unit (DU) is responsible for some functionalities of the physical layer, the Medium Access Control (MAC), and Radio Link Control (RLC), among others.

The distribution of mobile network services among various protocol layers is essential for efficient and effective communication within the network. This distribution allows for function separation, enabling better management, optimization, and scalability. Each network layer can focus on specific functions, making it easier to understand, maintain, and upgrade the system due to the network service division. Layered architecture also provides interactions between adjacent layers through defined interfaces that simplify the network. Furthermore, network layering brings interoperability, efficient resource allocation, scalability, flexibility, ease of troubleshooting, and generation integration. The generation integration is a relevant service since it allows, for example, handover between different base stations. However, cross-generation handover is not always a smooth transition. For instance, the core network-based integration between 4G and 3G has slow mechanisms that enable hard handovers and access selection [39], a concern that can be addressed by protocol layering.

The RAN protocol stack is divided into three layers [40] (Figure 3). The first one is the Physical (PHY) layer and, in 4G-LTE networks, is based on orthogonal frequency-division multiplexing (OFDM) transmission. It maps logical channels and provides transport channels to the above MAC layer. The 5G-NR PHY layer brings various enhancements to meet IMT-2020 requirements, such as eMBB, URLLC, and mMTC support; scalable numerology to face different deployment scenarios, bandwidth sizes, and carrier frequencies; massive multiple-input multiple-output; dynamic time division duplexing; power efficiency; and waveforms beyond OFDM [41].

The second layer, or the Data Link one, is responsible for data bearing, among other functions. It includes:

• The Medium Access Control (MAC) protocol multiplexes RLC packet-data units (PDUs) through logical channels and performs mapping between logical and transport channels [42]. Other MAC layer functions include uplink and downlink scheduling, scheduling information reporting, hybrid-ARQ processing and retransmissions in 4G-LTE (automatic repeat request, ARQ, is an error-control method based on acknowledgments), and multiplexing/demultiplexing data for carrier aggregation. [41].
• The Radio Link Control (RLC) protocol’s main functions include segmentation and concatenation, retransmission handling, duplicate detection, and in-sequence delivery to upper layers [42]. Regardless of its generation, the RLC layer supports three transmission modes – Transparent Mode (TM) to broadcast data, Unacknowledged Mode (UM) to support data loss-tolerant services such as voice, and Acknowledged Mode (AM) with an ARQ retransmission mechanism for services such as TCP/IP and RRC signaling that require data reliability. RLC UM and AM modes support data segmentation and resegmentation at the transmitter, and AM provides duplicate detection [41].
• The Packet Data Convergence Protocol (PDCP) provides data packet encryption and integrity protection for the control plane and, for the user plane, ciphering/deciphering, header compression/decompression using Robust Header Compression (RoHC) for IP traffic, in-sequence delivery, duplicate detection, and retransmission (continuously in 5G-NR networks, especially during handovers in 4G-LTE ones) [39,41]. The PDCP layer does not have synchronicity constraints with the lower layers, and 3GPP assumes that the 4G dual connectivity functions can be used as a baseline in 4G/5G interworking since PDCP functions are access/service-agnostic [42].

The Network layer is the third one and has specificities for each plane. The user-plane third layer includes the Service Data Adaptation Protocol (SDAP), a 5G-NR innovation, which does not exist in 4G-LTE and previous mobile communication generations. Its essential role is to map traffic from quality of service (QoS) flows3 to suitable data radio bearers [43].

The control-plane third layer manages wireless resource allocation assignments, such as signaling, and implements the lower part of the protocol stack. It includes the RRC protocol [44,45], which stands out most for this review, as shown in SubSection 5.2. The RRC is a protocol responsible for connecting the base station and UEs. In addition to managing resource allocation, the RRC protocol tunnels the Non-Access Stratum (NAS), an upper-layer protocol stratum between the core network and UEs, to support the mobility and session management procedures. Up to the 4G-LTE, RRC manages active connections to carry user traffic and idle connections to provide global reachability for UEs. 5G-NR networks introduce a new state named RRC inactive, enabled if there is no activity from UE for a short time. This way, the session is suspended by moving to the RRC inactive state to reduce system access, save power, and optimize mobility [46,47]. It is important to note that, unlike the other protocols mentioned, the RRC is only in the control plane.

The 5G RAN architecture flexibility allows computing hardware pools to handle the higher layer processing of user and control planes. The Baseband Unit (BBU) split between the Centralized Unit (CU) and the Distributed Unit (DU) brings adaptability to the network and permits different protocol implementations. To cite a few, there are the Heterogeneous Cloud Radio Access Networks (HC-RANs) [48], in which architecture combines C-RAN and heterogeneous networks (HetNets) to take advantage of small cells transmitting signals with low power within a traditional macro cell network, and Fog Computing Radio Access Networks (F-RANs) [49], which exploit the edge and storage capabilities of fog computing to address Fronthaul constraints of C-RANs and HC-RANs. Furthermore, open RAN deployments stand on vRAN. However, it is implemented based on disaggregated components, connection through open and standardized interfaces, and interoperability across different vendors.

2.3. Distributed Ledger Technologies

Distributed Ledger Technologies (DLTs) is a comprehensive definition of multi-party networks that aim to reach an agreement over a set of shared data and its validity by consensus. These networks function in a decentralized/distributed manner and do not necessarily have a central operator or authority, although they may not be in a trusted environment [50,51,52]. One example is blockchain technology, a DLT consisting of a chain of data and transaction blocks used by Bitcoin cryptocurrency.

DLTs have three layers: protocol, network, and data. Each layer has one or more components involved in the DLT system creation or operation. A component is a set of related processes for the system’s functioning. A series of actions to achieve a specific goal or goals involved in the operation of a component is called a process. The protocol layer has rules for system operation. The network layer interconnects processes that implement the protocol. The data layer flows the information.

In this work, the network layer is the most relevant since it determines the right of entry to the DLT network. A gatekeeper can restrict access to specific entities in a closed system, since this may have more static membership than open systems. However, access to an open network can be unrestricted and, therefore, there is more dynamicity in membership access granting. There are also semi-open networks, in which prospective participants have their access candidacy evaluated by existing network members.

The greater the network openness, the more likely it is to present vulnerabilities, especially to Sybil attacks, in which the adversary aims to create numerous fake identities to gain influence over the network. The identity of a user or an entity is external-source information, so the DLT network cannot confirm the identity authenticity by itself and, therefore, deal with Sybil attacks alone. To face this issue, open systems usually have a Sybil attack-resistance mechanism. For instance, proof-of-work (PoW) [53], a block proposer method in which the nodes solve puzzles to reach an agreement, was the exclusive Sybil attack-resistance mechanism adopted by early open DLT systems. It is hard to fake register transactions in a PoW-assisted DLT since this mechanism aims to attach a cost to participating in the block producer selection algorithm. PoW, however, increases this additional cost to honest entities, too.

This way, another Sybil attack-resistance mechanism raises to address this extra cost by staking endogenous resources (e.g., native assets) to choose the next transaction register: proof-of-stake (PoS) [53], a mechanism that randomly selects validators for block creation based on the amount that tokens holders stake. PoW-based systems have increased register difficulty, but it is easy to verify. PoS-based systems are less resource-intensive but can be vulnerable to other attacks, such as nothing-at-stake attacks that can record parallel subchains in a blockchain and grinding attacks that can manipulate the stake selection procedure.

The Sybil attack-resistance mechanism helps to achieve network entity unanimity about the system validation. The validation process occurs through:

• the transaction validation, to verify the individual transaction compliance with the established rules;
• the record validation, to verify the record can be done according to the protocol; and
• the transaction finality, to determine if the transaction is finalized and, therefore, immutable.

For this reason, PoW, PoS, and other similar mechanisms are also called Sybil attack-resistance and finality mechanisms. A public DLT needs a way to reach consensus beyond a Sybil attack-resistance and finality mechanism [50]. In the literature, numerous cases cite PoW and PoS as consensus mechanisms [54,55,56,57,58,59,60]. However, a consensus mechanism is a tool to perform frequently secure updates on the distributed ledger, maintaining important properties such as fault tolerance, resilience, and delay perseverance [61]. It aims to guarantee that all network participants agree to register for events. This way, it ensures that all nodes have the same ledger copy. For instance, in the Bitcoin blockchain, the Nakamoto consensus is a simple mechanism that chooses the blocks that form a valid chain with greater difficulty [51]. Closed DLT networks, in turn, have more participant verification. Due to that, they usually take advantage of consensus mechanisms such as:

• Paxos [62] provides a fault-tolerant implementation in an asynchronous message-passing system in which clients send commands to a leader that assigns these commands and, in a second step, a message is sent to a set of acceptor processes.
• Raft [60] elects a leader to coordinate the replication actions of the DLT.
• Practical Byzantine Fault Tolerance (PBFT) [60] is also based on a leader-follower approach but demands agreement among a high percentage of the participants to attach a new transaction.

It is important to note that, even under the protection of Sybil attack-resistance and finality mechanisms, open DLT networks are prone to other different attacks [50]. For instance, if adversaries have the majority of the votes of a system, they can replace records from honest nodes. It is known as a 51% attack in PoW-based DLTs [63] and a similar attack in PoS-based DLTs [64] is called a long-range attack. These attacks rely on the ability to generate the longest chain.

3. Threat Modeling

The 5G RAN architecture flexibility, especially the BBU split between the CU and the DU, brings adaptability to the network and permits different protocol implementations, as explained in SubSection 2.2. Nonetheless, these characteristics could further new vulnerabilities [65]. So, based on this architecture, it is possible to define the attack surfaces. The attack surfaces include the RAN elements and the interfaces in between, and they are:

• User Equipment(UE) is the equipment served by the RAN, which can be a smartphone, a sensor, or anything that can connect to the RAN.
• Air Interface(Air) is the interface between the UE and the RAN.
• Radio Unit(RU) contains radio functions and is located near the antennas.
• Fronthaul(FH) is the interface between the RU and the DU.
• Distributed Unit(DU), where the most decentralized base band functionalities are deployed.
• Midhaul(MH) is the interface between the DU and the CU.
• Centralized Unit(CU), where the high-layered base-band functionalities are deployed.
• Backhaul(BH) is the interface between the RAN and the Core Network.

Another attack surface considered is Network Slicing (NS) [66], which is related to the physical network resources division between different logical networks. Each sliced logical network can be applied to a specific scenario and serve different tenants.

Figure 4 shows the attack surfaces and possible expansions. Our threat model includes the previous attack surfaces, which can be expanded when mobile networks connect or provide services and resources to decentralized networks (DN) since recent access networks, especially 5G RAN, are heavily virtualized [67]. RAN virtualization allows the connection of the mobile networks through some DNs, which, in this case, may share the same threats and vulnerabilities that affect Radio Access Networks since the virtualization of the networks makes the RAN boundaries less precise. Some DNs that could expand the attack surface when connected to or provided by a Radio Access Network are Mobile ad-hoc networks (MANET) [68], Peer-to-Peer (P2P) networks [69], Device-to-Device (D2D) networks [70], and Machine-to-Machine (M2M) networks [71], to cite a few.

Virtualized RANs can benefit from Multi-Access Edge Computing (MEC) [72], the decentralized computing concept that can use computing resources of the Radio Access Network and permits users to access the closest servers, taking advantage of low latency, for example. When MEC is associated with access networks, which occurs more frequently in 5G networks, the MEC servers also expand the attack surface.

4. Vulnerabilities, Threats, Attacks, and Solutions

In this section, we present the review’s technical findings. These include an overview of the security threats, attacks, and vulnerabilities identified in Radio Access Networks and a description of the existing security solutions and countermeasures. We aim to analyze the research trends and identify possible gaps in the current body of knowledge.

4.1. Overview of Security Threats and Vulnerabilities in Access Networks

We start this subsection by listing all the accepted papers, in Table 1, according to their main subjects: Blockchain (BC), Fronthaul (FH), Intrusion Detection System (IDS) / Intrusion Prevention System (IPS), Radio Resource Control (RRC), and Network Slicing (NS). The remaining papers are arranged as Others since they cannot be classified into these previous themes and study various topics.

Then, we list the main vulnerabilities of each paper in Table 2. These vulnerabilities are arranged according to the following four classes [109]:

• Process: when the vulnerability is related to common processes.

  -

  Authentication issues, such as lack of, weak, or broken authentication. If RAN nodes are not properly authenticated, attackers could impersonate legitimate devices, carry out brute-force attacks, or decrypt communications.

  -

  Broken access control or lack of its validation. In this case, adversaries can access sensitive network functions and exploit misconfigured interfaces to inject malicious traffic or disrupt services.

  -

  Data storage problems, i.e., unprotected storage. This may result in leakage of private data and network settings.

• Code: when the vulnerability is related to the software and development process. In this sense, it is important to highlight the difference between coding and development. While development focuses on managing actions and overseeing the software creation process, coding is focused on implementation, translating ideas into actionable code using programming languages [110]. Since analyzing these details is beyond the scope of this work, it was decided to consider them under the same heading for the sake of simplicity. In this context, we can cite encryption mechanisms that are both conceptual (designed through development) and practical (implemented via coding) and, so, can then be viewed at different implementation layers.

  -

  Lack of cryptography, which attackers can exploit to lack private data or set up a rogue BTS.

  -

  Codification or development problems, such as the absence of secure coding practices. Vulnerabilities in the software running on the network or in the UE can arise from poor coding practices, such as buffer overflows, injection flaws, improper error handling, lack of input validation, which could allow attackers to inject malicious commands or data.

  -

  Cryptographic algorithm lag or weakness. Weak or deprecated cryptographic algorithms can make RANs susceptible to attacks, i.e., brute-force attacks.

• Communication: when the vulnerability is related to protocols or data transmission. This class of vulnerability may affect RANs due to loss of confidentiality if an attacker exposes sensitive user and network data, loss of integrity if adversaries modify communications or inject malicious data, loss of availability due to jamming attacks or physical tampering, and reputation damage, that can reduce user trust and lead to regulatory penalties.

  -

  Lack or weakness of security mechanisms, such as resistance to tampering.

  -

  Communication problems can include unreliable communication channels, ease of UE impersonation, and susceptibility to eavesdropping due to the openness of the wireless interface.

• Operation: when the vulnerability is related to the nodes’ use or configuration.

  -

  Outdated assets can include lack of updates, network exposure, incorrect software configuration, and bad user practices, to name a few.

The reference paper [109] presents a Device category. However, it is not used in this work since it does not apply to Radio Access Network environments.

Although there may be more than one vulnerability in each accepted paper, and each vulnerability could be categorized into more than one class, we consider one main vulnerability per article and allocate it into a single class. However, we also list other vulnerabilities we identified in the accepted papers beyond the main vulnerability, and inserted them in the Other works column of Table 2.

Table 3 presents the identified threats and the corresponding security dimensions that these threats can affect, as defined in subSection 2.1.

Figure 5 shows the relationship between the threats identified in the articles and the security dimensions [27], with the horizontal axis representing the security dimensions and the vertical axis representing the threats. We can see that not all dimensions are related to all threats, which conforms with the ITU-T Recommendation X.805 [27]. This Recommendation, discussed in Section 2.1, considers that Non-repudiation security dimension needs to be considered to face all the defined threats. However, in the accepted papers, Non-repudiation security dimension was especially remembered to face Interruption of Service threats. On the other hand, other dimensions were applied to face a wider range of threats. Access control security dimension is an example since it was considered to deal with four different threats.

We then classify these papers by their main threats and vulnerabilities, as seen in Table 4. This Table shows, for example, that Fronthaul issues are related to Communication vulnerabilities and threats associated with Theft, Removal, or Loss of Information or Other Resources, and blockchain is a recurrent subject to treat Process vulnerabilities and Corruption or Modification of Information threats.

In this research, we could identify the different attack surfaces considered in each accepted paper. Table 5 summarizes these findings, in which we can note that the most considered surface is the User Equipment (UE). Other recurrent surfaces considered are the Centralized Unit (CU), Decentralized Networks (DN), and Multi-access Edge Computing (MEC). We found an average of 1.7 considered attack surfaces per article.

4.2. Considered Attacks

Various attacks can menace Radio Access Networks. Table 6 shows 29 attacks we identified in the accepted papers, summarizes these attacks, and lists the documents in which we find them. Due to their similarities, DoS and DDoS attacks are analyzed together, as are Flooding and Signaling attacks.

We can see in Table 6 that the most recurrent attacks cited are DoS/DDoS, MitM, false data injection, eavesdropping, identity theft, and flooding/signaling. The identified attacks have various purposes and intrusion methodologies. To simplify RAN attack analysis and help future works, we propose a novel RAN attack classification into five categories:

• Network unavailability (NU) attacks make it impossible for the user to access the network.
• Data corruption (DC) attacks aim to intercept, inject, corrupt, delete, or steal data to manipulate communication.
• Unauthorized access (UA) attacks include malicious actions to gain unauthorized access.
• Data leakage (DL) attacks aim to acquire and steal confidential and sensitive information.
• Physical resource spoliation (PR) attacks are the ones that menace hardware and other physical resources.

This attack categorization will be detailed in future work.

Furthermore, concerning the vulnerability [109], threat, and security dimension [27] classifications discussed in this review, we identified which vulnerabilities these attacks exploit and which threats they pose to RANs. In addition, we could verify which security dimensions need to be applied to face these attacks.

ITU-T Recommendation X.805 security dimensions were defined to address different aspects of network security. In addition, it provides a mapping of security dimensions to the security threats. This mapping shows that not all security dimensions are applicable to address all possible threats. For example, the privacy security dimension protects information that may derive from the observation of the network activity and it is indicated to protect communications against disclosure of information threats only. However, the non-repudiation security dimension is designated to address all ITU-T Recommendation X.805 threats. Consequently, we can identify the non-repudiation security dimension to face all defined attack classes. One possible inference from this finding is that implementing tools to prevent an individual or entity from denying having performed a particular action related to data by making available proof of various network-related actions [27] is a good starting point to deploy RAN security measures.

Beyond the non-repudiation security dimension, access control was identified as relevant to avoid network unavailability, unauthorized access, data leakage, and physical resource spoliation attacks. As defined in ITU-T Recommendation X.805, the access control security dimension ensures that only authorized personnel or devices are allowed access to network elements, stored information, information flows, services, and applications. In this way, user and entity identification is important to enhance RAN security in a broader definition, as well-established access control politics can help prevent agents with hidden interests from penetrating the network.

Related papers show that strategies based on the communication security security dimension can face data corruption attacks by ensuring that the information is not diverted or intercepted as it flows between authorized end points [27]. In addition, availability security dimension helps address issues related to network unavailability attacks since this security dimension ensures that there is no denial of authorized access to network elements, stored information, information flows, services, and applications due to events impacting the network.

Our findings exposed in Table 7 detail Table 6 and show that regardless of the attack class, adversaries take advantage mainly of access control, data storage, and lack or weakness of security mechanism vulnerabilities. In addition, the main threats identified in the accepted papers (Table 3) are disclosure of information and interruption of services. Based on these data, we can infer that adversaries may have two main purposes when attacking access networks: intercepting private information and disrupting communications.

Data breach costs are increasing continuously. The average global cost of a data breach in 2024 increased by $10\%$ from the previous year, reaching $US\$4.88$ million [111]. This is the highest total ever. Network outages can cause major troubles. Cloud platform issues [112] disrupted networks and harmed various businesses and institutions worldwide, from healthy services to airline and train companies. These examples show that academic concerns identified in this review are connected with current issues. Furthermore, recognizing possible aggression targets can help optimize resources to increase Radio Access Network security.

Papers in which blockchain is the main subject consider unauthorized access and physical resource spoliation attacks as the focus menaces. Fronthaul-subjected papers consider data corruption and physical resource spoliation attacks as the main fronthaul menaces. Papers considering IDS and IPS as focal topics bring greater concerns about network unavailability, unauthorized access, and physical resource spoliation attacks. RRC-focused papers understand data leakage and physical resource spoliation attacks are the main RAN menaces. Papers studying slicing security consider physical resource spoliation attacks the main RAN security concerns. These findings are detailed in Table 8, which shows the attack classes from Table 7 and the subjects and the number of papers per subject from Table 1.

It is interesting to note that, according to Table 8, the most comprehensive attack class is physical resource spoliation. Regardless of the subject, we can infer that the open-air interface is an important aggression door against radio access networks due to its physical openness. Nonetheless, network slicing papers bring concerns about physical resource spoliation since radio resource allocation is one of its main features [98,99].

Beyond physical resource spoliation attacks, the remaining subjects assign attention to different attack classes. Blockchain works pay attention to unauthorized access attacks since the decentralization of network functions and their influence on the QoS are some of the main motivations to adopt blockchain in RANs [113,114].

Fronthaul-related papers [35,85,86,87] focus on data corruption attacks. This concern comes from the clear-text nature of the Control, User, Synchronization, and Management (CUSM) planes and their direct encapsulation over Ethernet, which could expose the FH to different menaces.

Papers that study IDS and IPS focus on anomaly detection systems, which can evaluate traffic overwhelm by, for example, monitoring resources. This way, it is understandable that these papers target their efforts to study ways to understate the effects of network unavailability and unauthorized access attacks [81,88].

RRC and data leakage are related topics in some papers as well. It is important to note that the RRC protocol is responsible for connection establishment, maintenance, handover, reselection, and release. This way, an attacker with some control over the RRC protocol can access all kinds of data [31,46,93,94,95,96,97].

4.3. Description of Suggested Security Solutions

Table 9 lists the proposed solutions for each paper, sorting them by class and purpose [109]. We can verify that there are 12 DLT-based proposed solutions among the 39 accepted papers, but the only DLT considered is Blockchain. The considered solution classes are:

• Approach/Mechanism.
• Architecture.
• Framework.
• Methodology/Method.
• Model/Algorithm.
• Protocol.
• Scheme.

The purposes of the different solutions listed in the accepted papers are:

• Detect.
• Detect/Mitigate.
• Mitigate.
• Planning.

Most solutions are related to the Framework class and target their efforts to mitigate threats. Figure 6, which is generated from Table 2 and Table 9, shows the relationship between the vulnerabilities and the applied solution classes to oppose them. The horizontal axis represents the solution classes, and the vertical axis represents the vulnerabilities. Although the solution classes are diffusely applied to the vulnerabilities studied, we can see that the Framework class was widely used in different vulnerabilities, especially to reinforce security in Access Control. Likewise, the Protocol class was more applied for the vulnerability Lack or Weakness of Security Mechanisms.

The discussions in the accepted papers emphasize various threat mitigation strategies to enhance security in RANs and related systems. These strategies include addressing security threats in edge-based IoT networks, developing defense systems against threats in 5G networks, improving security in multi-access edge computing networks, and detecting and preventing attacks such as DoS, Botnet, Network intrusion, and MitM attacks.

While vulnerability detection is also discussed in the accepted papers, generally the focus is on implementing measures to mitigate threats and strengthen the security posture of RANs. Threat mitigation strategies such as real-time detection of core IDS and development of AI/ML-based algorithms for intrusion detection in 5G and future 6G networks [90], and evaluation of trust values of devices in cloud-based networks [103] are highlighted as possible approaches to enhance security.

Therefore, it can be inferred that the collection of papers presents more threat mitigation strategies than vulnerability detection measures among their proposed solutions. This can be confirmed by checking Table 9 and Table 10. The collected data shows that 18 papers focused on mitigating threats, 10 embraced vulnerability detection and threat mitigation, 10 were orientated to detect vulnerabilities, and one was concerned with planning RAN security.

The accepted papers discuss various threat mitigation strategies to enhance RAN security. Some of the key threat mitigation approaches mentioned in the document include:

• Implementing security principles during state transitions and mobility to protect sensitive personal data and ensure network confidentiality [35,79,99].
• Mitigating threats and addressing vulnerabilities in edge-based IoT networks such as authentication issues, network attacks, and user-to-root attacks to safeguard data [103].
• Developing defense systems against threats in 5G networks, including malware, phishing, hacking, DoS, DDoS, SQL injections, and MitM attacks [88].
• Detecting and preventing attacks such as DoS, Botnet attacks, Network intrusion, MitM attacks, and Quantum attacks to mitigate risks related to theft or loss of information and resource threats [86].

These mitigation strategies aim to strengthen the security posture of RANs and related networks by addressing potential threats and vulnerabilities. Furthermore, these papers provide insights into vulnerability detection strategies to verify and address potential weaknesses in RANs. Some important points regarding vulnerability detection discussed in these papers include the evaluation of trust values of devices in cloud-based networks to prevent security attacks and study other security threats beyond DoS attacks and detection of security threats in edge-based IoT networks to prevent network security compromising [103]; detection and prevention of DDoS attacks by the proposed network topology for enhanced attack detection [88]; and development of AI/ML-based algorithms for intrusion detection in 5G and 6G networks to provide cybersecurity measures and protect users [90].

These discussions highlight the importance of proactive vulnerability detection measures to strengthen the security infrastructure of RANs and ensure the resiliency of network communications. Nonetheless, it is important to underline that detection and mitigation are crucial for a comprehensive RAN security strategy. Detection and mitigation measures are essential for catching and addressing these issues before they can be exploited. New threats and attack vectors emerge constantly, so detection and mitigation are relevant tools to deal with them.

We could verify attackers take advantage mainly of access control, data storage, and lack or weakness of security mechanism vulnerabilities (Table 2), and, the main threats identified in the accepted papers (Table 3) are disclosure of information and interruption of services, regardless of the attack class. Although security in access networks requires a broader approach, given the variety of possible attacks, it may be a relevant initiative to develop and implement security tools in RANs considering these vulnerabilities and threats mentioned. Furthermore, according to ITU-T Recommendation X.805, the non-repudiation security dimension is useful to face all defined attack classes, and we could corroborate this by analyzing the accepted articles. So, ensuring the authorship of acts and actions and recording them for future reference can help deploy security tools in access networks.

Unfortunately, we did not identify many papers focusing on planning RAN security from the ground up. We have identified only one work on security planning [96]. This proactivity can offer a holistic approach to security issues in a RAN environment [115]. Proactive security measures built into the design phase can prevent vulnerabilities from arising in the first place, possibly making it difficult to carry out attacks. Minimizing the RAN attack surface is possible since we consider security during the RAN planning stage. Automated processes for security tasks and pre-configured responses to potential threats can optimize personnel activities. Furthermore, a secure foundation sets the stage for future RAN expansion or technology incorporation, reducing the risk of vulnerabilities being introduced later. This way, efficient RAN planning involves architectural flexibility, security measures, and smart resource management.

It is possible to approach RAN security planning with the Security by Design concept [116], which emphasizes integrating security measures into the design and architecture of systems from the outset. It can be useful by reducing the risk of vulnerabilities, ensuring a more robust network, addressing security requirements holistically, and allowing for risk assessment and mitigation strategies. Secure design principles can enhance the network’s resilience against attacks and can implement standard compliance. Another relevant point is that considering security throughout the lifecycle can ensure ongoing protection against evolving threats. Finally, other approaches that can enrich RAN security include Zero Trust Architecture [117] and Decryption of Network Traffic [118], which we can leave for future work.

5. Discussion

In this section, we summarize the answers to research questions, aim to interpret the paper’s findings, discuss the key implications of the results, and compare the different identified security solutions. We also target to address the challenges in future research.

5.1. Answers to Research Questions

5.1.1. RAN Threats

Focusing now on the research questions to list the approaches present in the accepted papers, we begin by identifying threats to the security of access networks. These RAN issues underscore the importance of implementing comprehensive security measures to mitigate risks and safeguard the integrity, confidentiality, and availability of Radio Access Networks. So, we verified the most cited possible RAN attacks and referred these cited attacks to various RAN threats considering the ITU-R X.805 [27] threat classification.

MitM, where an attacker can impersonate some RAN node, inject false packets, intercept legitimate packets, introduce delays, and perform passive wiretapping [31,35,74,79,82,85,86,87,88,90,93,96,98,101,104]. These attacks can lead to network disruption and interruption of services [31,35,74,79,85,87,88]. Considering the ITU-R X.805 threat classification, MitM attacks are more related to Theft, Removal, or Loss of Information or Other Resources, Disclosure of Information, and Interruption of Service threats, as we have discussed in previous sections.

Attackers can inject fake control messages or replay intercepted legitimate control messages to disrupt some RAN component operation and affect network functionality [87]. According to the ITU-R X.805 threat classification, we can relate it to Theft, Removal, or Loss of Information or Other Resources threat.

DoS, DDoS, and flooding attacks on communication between the core network and RAN, as well as the radio frontend, pose threats to RAN security by overwhelming network resources and disrupting services [31,35,46,74,78,79,85,87,88,89,91,92,102,103,105,106,108]. We can infer these attacks are correlated to the ITU-R X.805 Interruption of Service threat.

Active eavesdropping on the 2G radio interface is possible due to the lack of mutual authentication between users and the network. So, it motivates bidding-down attacks, which aims to force the connection to a less secure standard [35,76,82,85,86,87,102]. In this case, Disclosure of Information and Interruption of Service are the main ITU-R X.805 threats.

Vulnerabilities in protocols such as Signaling System 7 (SS7) [101,102] in 3G networks and GPRS Tunnelling Protocol (GTP) [102] in 3G and 4G networks can be exploited for eavesdropping, financial theft, data interception, and privacy leaks, closer to the ITU-R X.805 Disclosure of Information threat.

These cited RAN issues underscore the importance of implementing comprehensive security measures to mitigate risks and safeguard the Access Control, Authentication, Non-repudiation, Data Confidentiality, Communication Security, Data Integrity, Availability, and Privacy, all the security dimensions of Radio Access Networks.

5.1.2. DLT Usage to Enhance RANs

The accepted papers show that DLTs can enhance access networks in various ways. Some of the key applications of DLTs in RAN security and functionality are:

• DLT-based intrusion detection can be employed to detect and prevent intrusions. Furthermore, it can ensure trusted communications [81].
• The use of consensus algorithms in the RAN environment could help to ensure the integrity and security of transactions and communications by preventing malicious insider threats [73,74,75,79,80,81,84].
• A decentralized monitoring framework can build trust between nodes and track distributed transactions to guarantee integrity and security [74,76,77,79,80,81,83].
• Decentralized networks can enhance RAN performance, and the use of consensus mechanisms and job offload functions can reduce the computational burden [74,76,77,78,79,80,81,82].
• Furthermore, DLTs can facilitate traceability of transactions [73], collect user-level application information to develop distributed learning models [80], and improve resource planning by using smart contracts [79].

So, DLTs, particularly blockchain technology, can be leveraged to enhance trust, data sharing, and network performance in Radio Access Networks, offering innovative solutions to address various security and operational challenges in RAN environments. Nonetheless, resource allocation stands the most among possible DLT applications on RANs, as we can see in SubSection 5.2.1.

5.1.3. Approaches to Increase RAN Security

The most comprehensive topic covered in this review is increasing security in access networks. So, several approaches are suggested in the accepted papers to enhance RAN security. Mentioned key strategies include:

• Use of security protocols, such as MACSec, to provide authentication, integrity, confidentiality, and replay protection, to the Fronthaul. However, it may face challenges in meeting security standards [35,86,87].
• The adoption of secure communication frameworks to support SDN controllers and provide reliable and flexible network management to resist internal and external attacks [75,80,103].
• Establishing edge super data centers comprising BBUs and edge servers with technologies like blockchain, artificial intelligence, and big data to ensure safety, facilitate secure access control, tracking, and supervision of mobile equipment [74,79].

These approaches aim to strengthen RAN security by incorporating trust mechanisms, secure communication frameworks, ledger safeguard mechanisms, and advanced contract mechanisms. Furthermore, integrating technologies can enhance overall network security and resilience.

5.1.4. DLTs to Increase RAN Security

Focusing on the use of DLTs, it is possible to note that they permit various ways to improve security in access networks. The accepted papers show some DLT uses to enhance RAN security, and examples of RAN security enhancement due to DLT use are:

• RANs can reach secure and transparent resource allocation and transactions due to the ability of DLTs to increase resource trading since they enforce participants to behave honestly and follow predefined rules [82].
• DLTs may lead to increased measures such as encryption to protect assets, prevent cheating, and safeguard legitimate interests [75,76,78,82,83].
• Some papers argue that integrating DLTs into RANs can result in better load balance, service latency, and resource utilization if, for example, subnetworks are used to enhance processing rates and throughput performance [74,77,78,80,83,84].
• Distributed ledgers can provide scalability and flexibility while ensuring security by combining permissioned and permissionless elements [74,76,77,79,83,84].
• RANs can reach the safety and integrity of transaction data by using a DLT-based decentralized environment to monitor network resources and trust between nodes [74,76,77,79,80,81,83].
• The combined use of DLTs and Zero-Trust framework may provide stronger secure authentication and deliver a software-defined security perimeter, for example, in IoT systems [76,78].

These examples demonstrate that DLTs, especially blockchain technology, can improve security in Radio Access Networks in various contexts ways.

5.1.5. Advantages and Disadvantages of DLT Usage to Improve Security in RANs

Cited advantages of using DLTs to improve RAN security include:

• Decentralization through the use of DLTs can improve security by distributing control and minimizing single points of failure. [74,76,77,79,80,81,83].
• DLTs can offer features like transparency, immutability, traceability, and resiliency to create trustworthy and secure RAN environments [73,74,75,80,82,83,84].
• Distributed ledgers bring trust mechanisms for intrusion detection and authentication [73,74,76,78,81,82,83].
• Using smart contracts on DLTs furthers resource planning, privacy control, and secure transactions in RAN environments [75,79,80].
• DLTs permit improvement of fault tolerance, performance, and scalability in RANs due to consensus algorithms [73,74,75,79,80,81,84].
• DLTs also can facilitate secure data sharing and traceability enhancement in RANs [73,80].

However, the listed disadvantages of using DLTs in RANs are summarized as follows:

• Consensus algorithms in DLTs can introduce communication overhead and impact network efficiency [73,76,80].
• DLT-based architecture may increase implementation costs due to enhanced infrastructure and expertise [75,78,82,84].
• DLT brings scalability limitations that may harm, for example, throughput requirements and capacity of handling RAN operations [80,83,84].
• Consensus algorithms can insert into the RAN its weaknesses such as limitations in resisting certain attack models [81,84].
• Using DLTs in RANs provokes a trade-off between latency and security [74,80].

So, DLTs can offer relevant advantages in enhancing security and trust in RANs. However, it is necessary to consider the potential drawbacks such as communication overhead, complexity, scalability issues, and trade-offs between security and performance when implementing DLTs in RAN environments.

5.1.6. Future Work Suggestions

Future work suggestions emphasize the importance of further research in areas such as emerging technology integration, performance analysis, security enhancements, optimization, and practical testing of blockchain solutions in diverse network applications. The most recurring future work suggestions and topics considered for future study in the accepted papers include:

• Incorporating blockchain and IoT technologies in mobile networks with, for example, artificial intelligence techniques to accelerate towards decentralized networks in smart cities and other applications and analyzing the performance of blockchain/mobile network combination for improved efficiency and scalability [73,79,84].
• Developing analytical models to explore the characteristics of Blockchain Radio Access Networks in terms of latency, security, and other aspects to provide guidelines for real-world implementations, and evaluating performance, scalability, and security in different use cases [74,77,84].
• Testing Fronthaul security protocols with redundancy paths to identify better configurations [35,85,86,87].
• Testing isolation and authentication of network slicing [75,98,99].
• Improving RRC security issue identification tools [31,46,93,94,95,96,97].
• Testing authentication, encryption, and integrity over the wireless link in Femtocells [100].

Other future research topics include comparing alternative approaches to combining permissionless and permissioned elements in consensus algorithms [84], testing blockchain protocols in decentralized applications such as vehicle-to-everything (V2X) and wireless sensor networks (WSN) within access networks [77], and testing authentication, encryption, and integrity over the wireless links [100].

Moreover, future work can study advances in the application of Large Language Model (LLM) to increase RAN security, a topic that has been considered for different purposes, for example the management of radio resources in OpenRAN. [119].

5.2. Key Findings and Implications

The review was prepared chronologically to verify the items considered important by the academia over time. This way, it was possible to perceive that the academia turned its attention to the security of the Radio Resource Control (RRC) protocols in 2018 [46,93,94,95]. Among others, one of the concerns is that the RRC release can instruct the UE to re-select a cell, which could be used for redirection attacks to target a rogue base station for a downgrade attack.

The concern on RRC protocols security was overwhelmed by security within the Radio Access Network (RAN) edge at the turn of the decade, which led to the development of approaches using Distributed Ledger Technologies (DLTs), especially Blockchain, to increase security at the network edge [74,75,76,80,81,82]. Around the same time, in early 2021, there was an increase in interest in DLTs, as a technology company announced a significant purchase of bitcoins [120].

There are different concerns about blockchain security since its adoption has been more frequently considered. This way, it is possible to infer that the use of DLTs, especially blockchain, addresses main network security issues, but brings its security vulnerabilities, as well as new attention points such as latency [73,77,78,79,83,84]. However, this review did not identify the use of DLTs other than blockchain applied to RANs.

Blockchain may raise latency concerns but be useful for less dynamic information security points, such as resource allocation. However, other DLTs may better deal with these issues, so further studies in this area are needed to confirm.

Nonetheless, some of the most recent works turned their attention to the security of RRC protocols again [31,96,97]. If, at the beginning of the evaluated period, RRC concerns focused on the vulnerability classes of process and operation and the security dimensions of access control and non-repudiation, in more recent works attention has turned to the vulnerability class of process and the security dimensions of access control and authentication.

5.2.1. Blockchain

5G technologies are a catalyzer to function decentralization, first from the core to the RAN, then to the edge, and decentralized networks (DNs). This decentralization is mainly encouraged by latency issues [113], which is highly influenced by resource allocation.

5G resource allocation process divvy up the network’s resources among multiple users efficiently and fairly, and meets individual needs [114]. Resource allocation is integral to both user-facing and internal network management in 5G, so it includes radio spectrum, power, channeling, and Network Slicing, to name a few. While user-facing allocation ensures efficient delivery of services, internal allocation can customize and optimize the network infrastructure for diverse service needs, guaranteeing quality of service (QoS) and maximizing network efficiency.

The relationship between resource allocation and decentralization of network functions, and their influence on the QoS, especially latency, are the environment in which the accepted papers that study the application of blockchain in Radio Access Networks bloom. It is alleged the implementation of blockchain in RANs can improve resource-sharing efficiency and enhance network trust and security [74,75,76,80,82].

Nonetheless, the RAN Intelligent Controller (RIC) was introduced in the O-RAN Alliance specifications for providing control and management [121] by using artificial intelligence (AI) and analytics to enhance the access network. This way, a resource allocation scheme that supports latency requirements can be made available by the RIC [121,122,123,124]. A future research line can focus on comparing blockchain and AI/analytics applied to resource allocation.

Additionally, blockchain is considered to be used to implement IDS [81,83]. These works do not exhaust concerns about the latency and other QoS parameters. These papers study anomaly detection at the edge using different approaches, an edge blockchain that provides a secure and decentralized platform for data exchange and collaboration, and a machine learning/quantum computing decentralized environment that monitors network resources and builds trust between entrusted nodes, dedicated to optical network infrastructure. IDS/IPS systems are highlighted in SubSection 5.2.3.

However, the use of blockchain in RANs brings issues. The chain-based structure of this DLT and the use of a consensus algorithm and Sybil attack-resistance mechanism may introduce heavy communication traffic, which could affect QoS parameters, especially latency. DLTs have their vulnerabilities; blockchain, for instance, is susceptible to tampering and Sybil attacks. To face this matter, studied papers suggest solutions parallel to blockchain such as a tri-chain structure of blockchain [73]; an anonymous communication protocol [77]; the use of a Zero-Trust (ZT) security architecture [78]; data center-implemented artificial intelligence (AI) and big data [79]; quantum computing cryptanalysis through a federated blockchain model [83]; and mix of different consensus algorithms [84]. It is possible to note that the chronological approach to investigating blockchain-based improvements shows a transition in academia’s concern over time, focusing on improving RANs by ledgering some network aspects, especially resource allocation, then showing that implementing blockchain in access networks brings its own vulnerabilities.

5.2.2. RRC

The vulnerabilities mentioned in the first papers [46,93,94,95] about Radio Resource Control security were access control and outdated assets. However, the most recent papers [31,96,97] indicate authentication and access control as the main vulnerabilities of RRC protocols. According to these articles, RRC protocols are vulnerable especially to bidding-down attacks, DDoS attacks, and MitM attacks. Bidding-down attacks aim, in general, to force a phone into a connection with an older generation to exploit legitimate protocol functionality, and allow them to eavesdrop on calls or text messages. Distributed Denial of Service (DDoS) is the tentative to flood the network servers to prevent users from accessing the network, online spots, or services. Man-in-the-Middle (MitM) is a class of attacks executed by the opponent to eavesdrop or impersonate one of the communication parties by positioning him or herself between the user and the application.

One of the main RRC features is the RRC connection release. Its message is used to command the RAN/UE connection release. The RRC connection release procedure with redirection information can also be used for re-selecting a cell in an older generation network, which makes all the mobile network generations, including 5G, prone to bidding-down attacks. This generation downgrade can be provoked by using a jammer to interfere with the frequency channel and force the UE to attach to another cell or another frequency channel used by an older generation. This action furthers the use of a rogue base station, for instance, to attract a UE into initiating a registration procedure, which can be used to perform MitM and DDoS attacks.

It is important to perceive that some works present security testing frameworks [31,46,95], which focus on identifying security issues, such as vulnerabilities. This way, further studies about the security improvement of RRC protocols are needed to develop proposals and tools.

5.2.3. IDS/IPS

The papers that investigate IDS and IPS consider, in general, Denial of Service (DoS) and Man-in-the-Middle (MitM) attacks as the most relevant risks. The proposed systems are anomaly-detection-based ones with different implementations. A network-based IDS (NIDS), that verifies whether traffic highly exceeds its normal amount and whether the exceeding time lasts long enough, is considered by a couple of papers [81,88].

Hybrid systems, that can merge different elements, are proposed as well. They are:

• a fault management module and a cyber-security management module [89];
• a pattern-detection, firewall, and IDS/IPS arrangement [90]; and
• a framework composed of a signature-based and an anomaly-based intrusion detection [91].

Blockchain-based systems, that have more specific goals, such as Edge Computing (EC)-based NIDS architecture using various monitored edge network datasets [81] and a machine learning and quantum computing decentralized environment that monitors network resources and builds trust between untrusted nodes, dedicated to optical network infrastructure [83], also make up the IDS/IPS set.

An IoT-oriented IDS focused on patterns classification to discover attacks [92] is also part of the proposed solutions. It is possible to perceive that the core of the identified systems is the anomaly-detection system, which could infer that this is an attention point for future research.

5.2.4. Fronthaul

The Fronthaul (FH) provides the connectivity between the RAN Radio Unit (RU), which implements the lower physical functions, and the RAN Distributed Unit (DU), which implements the higher physical functions. This information is divided into four planes, Control, User, Synchronization, and Management planes. The enhanced Common Public Radio Interface (eCPRI) interface is used between the RU and DU for radio control and user data since it is Ethernet-based, which has ubiquitous applications and enables different types of traffic.

The clear-text nature of the four cited planes and their direct encapsulation over Ethernet could expose the FH to different attacks. The most cited in the papers identified in this research that deal with Fronthaul security [35,85,86,87] is the Man-in-the-Middle attack, which could impersonate a legitimate synchronization message and inject a false clock into the network causing degradation of the time service, resulting in a Denial-of-Service of the network. To face the cited threats, the majority of these papers [35,86,87] suggest the adoption of the Media Access Control Security (MACSec) standard, which its features of authentication, integrity, confidentiality, and replay protection, satisfies the Fronthaul security requisites. However, it is highlighted that MACSec possesses implementation challenges to fulfill mandated Fronthaul requirements of latency, bandwidth, and synchronization accuracy. The remaining paper [85] suggests the adoption of the WireGuard. This solution is a communication protocol that implements encrypted virtual private networks (VPNs) and is designed to reach ease of use, high-speed performance, and low attack surface. It is important to note that this work does not evaluate the security itself, but focuses its value judgment on throughput and latency.

5.2.5. Network Slicing

Network Slicing is a recurrent feature in the accepted papers. In SubSection 5.2.1 we see that blockchain can improve the security of resource allocation, including Network Slicing. However, there are other papers [98,99] that study slicing security without the use of blockchain technology. These works cite DoS, MitM, and replay attacks as possible risks to Network Slicing. The proposals to enhance slicing security include a certificateless signature scheme based on a cryptographic tool to provide data integrity and identity authentication and the use of an enhanced Virtual Private Network (VPN), which can improve the security of Radio Access Networks by providing a secure and isolated communication channel between the 4G/5G core networks and the RAN.

6. Conclusions

This systematic literature review aimed to study findings about improving security in RANs and evaluating DLTs and other security mechanisms used in RANs. The RAN security evaluation is not a simple task since it is a complex telecommunications network element. This is made of different hardware and software modules, virtualized functions, and standardized and non-standardized interfaces, and it is accessible to external users.

Notwithstanding, cybersecurity is not a tight concept. A network cannot guarantee security since new threats and vulnerabilities are discovered 24/7. So, cybersecurity is a continuous process and involves different players, such as vendors, operators, and users. This way, it is necessary to apply various approaches to increase network security such as user education, access limiting, hardware, software, personnel training updates, technology development monitoring, user activity monitoring, and more.

One innovation in this review to help increase access network security was the definition of five RAN attack classes, in which we could identify the most relevant vulnerabilities and threats. Furthermore, we related the different attack classes to the accepted papers’ subjects. Regardless of the subject, the open-air interface is a possible avenue for various attacks. To attack Radio Access Networks, adversaries can take advantage mainly of access control, data storage, and lack or weakness of security mechanism vulnerabilities and target a myriad of menaces, which we have classified following what is established by ITU-T Recommendation X.805. So, attackers’ main threats identified in the accepted papers are disclosure of information and interruption of services, regardless of the attack class. Besides, according to ITU-T Recommendation X.805, and confirmed by accepted papers’ analysis, non-repudiation security dimension is useful to help face all defined attack classes, but remembering that security in access networks needs to be thought of holistically.

In this review, we identified different approaches studied to enhance RAN security. Different interest points, such as RRC, Fronthaul, and resource allocation were cited in the investigated papers and received proposals to increase their security. Furthermore, we verified different suggestions, like blockchain and anomaly detection, to increase RAN security, which includes its components and interfaces between them. However, the accepted papers do not study proactive RAN security planning as much as threat mitigation and vulnerability detection. It is a challenge to academia but also an opportunity since concepts such as Security by Design, Zero Trust Architecture, and Decryption of Network Traffic could be considered to enhance security in access networks throughout their lifecycle.

As we have preluded, we investigate how various security mechanisms are studied to improve RAN security. To enhance Fronthaul security, it is proposed to implement a new security stage, which can be a security pattern (e.g., MACSec) or a communication protocol (e.g., WireGuard). For Network Slicing, a certificateless signature and VPN were proposed. Furthermore, different RRC concerns were raised since it has a relevant role in the RAN/UE connection. Papers studying RRC are focused on identifying security issues, such as vulnerabilities, so it is a challenge and an opportunity to dig deep into security enhancements for the RRC.

Blockchain also attracts attention in accepted papers. Our results show blockchain is the only DLT used to develop Radio Access Networks and its main goal is to manage resource allocation. Besides, it is recurrently considered to be used to implement IDS, especially through anomaly detection. However, blockchain use in RANs brings challenges, including latency.

Beyond summarizing and evaluating found vulnerabilities, threats, and security suggestions, this systematic literature review recognizes challenges and recommendations for future research. The use of DLTs other than blockchain is not explored in the accepted papers, so the role of these DLTs in resource allocation and IDS/IPS can be investigated. In the same way, a comparison between blockchain-based and RIC-based resource allocation in terms of security and latency requirements could considered for future work. Besides, DLTs that better deal with latency may take place in future studies to investigate increasing security in access control, one of the vulnerabilities most investigated in the accepted papers.

This review discusses and answers the defined research questions, as we can see in Section 5. We could identify distributed ledgers applied to increase resource sharing, intrusion detection, and intrusion prevention. It is important to highlight that consensus algorithms may help to ensure the integrity and security of transactions and communications in RANs. Nonetheless, our findings show that resource allocation is the main interest in applying DLTs on RANs, as shown in SubSection 5.2.1.

Furthermore, it is proposed the adoption of security protocols, frameworks to support SDN controllers, and super edge data center establishment to increase RAN security. These tools can be based on technologies like blockchain, artificial intelligence, and big data for full potential.

When we specifically study the use of DLTs applied to network security, the accepted papers bring some examples such as transparent resource allocation and transactions, better load balance, scalability, flexibility, and a decentralized environment for network monitoring.

So, DLT usage in radio access networks brings advantages, however, it also could insert challenges that need to be considered before its implementation. Positive points discussed in the accepted papers include distributing control, reducing single points of failure, offering transparency, immutability, traceability, resiliency, improvement of fault tolerance, and facilitating data sharing. Possible drawbacks may be communication overhead, network complexity, scalability issues, and trade-offs between security and performance.

Finally, the accepted papers present different proposals for future work. These include emerging technology integration, performance analysis, and practical testing of blockchain solutions. Among DLT solutions, it is cited comparing permissioned/permissionless-merged elements in consensus algorithms and testing DLT protocols in decentralized applications.

So, DLTs can improve RAN security, however, the studied papers show that the main usage of DLT in access networks is resource allocation. Nevertheless, other solutions can be applied to better secure RANs, including combined and customized solutions. To this end, it is necessary to address the drawbacks found in this review.

Appendix A.1. Search Strategy

We used the Population, Intervention, Context, and Outcome (PICO) framework to delimit the scope of the papers selected for this systematic review since it can also guide in the search string definition[125]. Thus, the selected PICO terms are:

• Population: Radio Access Network, RAN, Open Radio Access Network, OpenRAN, Open RAN, Open-RAN, O-RAN.
• Intervention: Distributed Ledger Technology, Distributed Ledger, DLT, Security Mechanisms, IOTA, Blockchain, Distributed Consensus Ledger, Federated Ledger.
• Context: Security, Privacy, Confidentiality, Integrity, Trustworthiness, Protection, Availability.
• Outcome: Solution, Technique, Tool, Approach, Method, Mechanism, Advantage, Benefit, Positive Point, Disadvantage, Drawback, Negative Point.

Appendix A.2. Search String

We defined the search string based on the keywords and PICO terms (SubAppendix A.1), using the boolean operators (AND and OR) to link them, as follows:

(Radio Access Network OR OpenRAN OR Open RAN OR Open-RAN OR O-RAN)

AND

(Distributed Ledger OR DLT OR Security Mechanisms OR IOTA OR Blockchain OR Distributed Consensus Ledger OR Federated Ledger)

AND

(Solution OR Technique OR Tool OR Approach OR Method OR Mechanism OR Advantage OR Benefit OR Positive Point OR Disadvantage OR Drawback OR Negative Point)

AND

(Security OR Privacy OR Confidentiality OR Integrity OR Trustworthiness OR Protection OR Availability)

It is important to highlight that we avoided the term RAN since it is equal to the past tense of the verb run, which interferes with the search results.

Appendix A.3. Search Repositories

To search for relevant papers, we defined the scientific repositories listed in Table A1, which gather articles from different conferences and journals.

Table A1. Selected repositories.

Repository	URL
ACM Digital Library	https://dl.acm.org/
EI Compendex	https://www.engineeringvillage.com/
IEEE Digital Library	https://ieeexplore.ieee.org/
Scopus	https://www.scopus.com/
Springer Link	https://link.springer.com/

Table A1. Selected repositories.

Repository	URL
ACM Digital Library	https://dl.acm.org/
EI Compendex	https://www.engineeringvillage.com/
IEEE Digital Library	https://ieeexplore.ieee.org/
Scopus	https://www.scopus.com/
Springer Link	https://link.springer.com/

It is important to highlight that we conducted the online search in the repositories on September 15, 2023.

Appendix A.4. Selection Criteria

We determine the selection criteria for exclusion and inclusion of papers. The exclusion criteria, which aim to eliminate works not relevant to the research, are duplicate results, white papers, short papers, papers that don’t answer the research questions, papers about lower layers of interconnection, book chapters, master and PhD theses, papers not written in English, papers published before 2010, secondary and tertiary studies, and full content not available in the repositories. We have defined 2010 as the cutoff point since it is the beginning of the 4G network implementation [126]. As there is no complete break during the evolution of mobile networks, works that study 3G networks after the defined cutoff date were considered for this review.

As important as the exclusion criteria, we have the inclusion ones, which can improve the probability of selecting papers that can help answer the research questions. The defined inclusion criteria are papers published in journal and conference papers and results that answer the research questions.

Appendix A.5. Selection Procedure

To select relevant papers, we defined the following steps based on the selection criteria:

• Exclusion of duplicate papers.
• Exclusion of white papers, short papers, and book chapters.
• Exclusion of papers that don’t answer the research questions.
• Exclusion of papers about lower layers of interconnection.
• Exclusion of master and PhD theses.
• Exclusion of papers not written in English.
• Exclusion of papers published before 2010.
• Exclusion of secondary and tertiary studies.
• Exclusion of papers not published in journal or conference papers.
• Exclusion of papers whose full content is not available.
• Exclusion of papers not related to the topics.
• Deep analysis of the remaining papers to identify irrelevant ones.

Appendix A.6. Quality Assessment

We defined the paper quality assessment to guarantee that the most relevant articles are considered for this work. To assess the quality of the selected documents, we established quality assessment questions to rate the papers and evaluated them by answering all the questions. The possible answers for each question are yes, partially, or no, and each of them is scored as follows:

• Yes = 1
• Partially = 0.5
• No = 0

Below, we list the quality assessment questions with a guideline for the answers:

• Has the paper been peer-reviewed and published in a reputable journal?

  -

  Only receives 1 if the paper was published in a vehicle with a minimum impact factor of 2.

• Is the methodology used in the paper appropriate and clearly explained?

  -

  Only receives 1 if the paper has a clear methodology and is well written.

• Does the paper provide a thorough and balanced review of the literature on RAN or DLTs?

  -

  Only receives 1 if the paper has a broad approach to evaluating the formal literature on RAN or DLTs.

• Are the research results presented and supported by the data?

  -

  Only receives 1 if the paper validates the results in a well-structured way.

• Are the conclusions of the paper supported by the evidence presented?

  -

  Only receives 1 if the conclusion is coherent with the results and the argumentation.

• Are any potential limitations or biases in the research acknowledged and discussed?

  -

  Only receives 1 if the structure of the paper respects the scientific method.

• Does the paper contribute new and relevant information to the field of RAN or DLTs?

  -

  Only receives 1 if the paper is innovative.

• Are the references cited in the paper current and relevant to RAN or DLTs?

  -

  Only receives 1 if the paper is well-grounded, with good, related references.

The score range is from zero to eight, as there are eight quality assessment questions. Using this classification, we defined the quality level as follows:

• High quality, if the paper scored above 5.
• Medium quality, if the paper scored between 3.5 and 5.
• Low quality if the paper scored up to 3.

Appendix A.7. Data Extraction

We defined the following data to be extracted from the accepted papers:

• Title
• Authors
• Abstract
• Year
• Type of paper
• Conference/journal name
• Country(ies) where the research was carried out
• Number of pages
• Number of citations
• Quality
• Identified RAN threats
• DLT employment to enhance RANs
• Approaches to increase RAN security
• DLT usage to increase RAN security
• Pros and cons of DLT to improve RAN security
• Future work suggestions