Scientists have demonstrated a real-time defence framework designed to protect modern mobile networks and future 6G infrastructure from evolving cyber threats.

Researchers at the University of Surrey have developed an artificial intelligence-based defence system capable of identifying and neutralising sophisticated cyber-attacks targeting 5G networks in under 100 milliseconds.

The team says the approach could strengthen the security of next-generation mobile networks, including the future transition to 6G.

As telecommunications infrastructure evolves, modern 5G systems are increasingly built on open, modular architectures.

These designs allow operators to upgrade and expand networks more easily, but they also introduce new cybersecurity challenges. More interconnected components and software-driven functions create additional entry points for attackers.

To address these vulnerabilities, the Surrey researchers developed a security framework called TwinGuard that combines AI with a digital twin of the network.

The digital twin acts as a continuously updated virtual model of the live system, allowing the AI to monitor activity and detect unusual behaviour in near real time.

Digital twin approach enables rapid response

Unlike traditional security tools that rely heavily on predefined attack signatures, the TwinGuard system focuses on recognising patterns of behaviour.

Its digital twin replicates the state of a live 5G network and updates every few milliseconds, giving the AI a detailed view of ongoing operations.

By analysing this virtual environment, the reinforcement learning algorithm can identify suspicious activity and take defensive action before services are disrupted.

Dr Sotiris Moschoyiannis, associate professor in complex systems at the University of Surrey’s Centre for Cyber Security, explained that cyber attackers are increasingly difficult to detect using conventional methods.

According to Moschoyiannis, many modern threats evolve dynamically, adjusting tactics as they probe systems for weaknesses. Systems that rely on fixed rules or previously recorded attack signatures often struggle to recognise these adaptive strategies.

The TwinGuard approach, in contrast, allows the network to learn what normal behaviour looks like over time, making it easier to detect anomalies as they occur.

Testing in realistic 5G environments

To evaluate the system’s effectiveness, the research team tested TwinGuard in two distinct 5G network environments designed to reflect real-world infrastructure.

The first experiment used a simulated multi-cell Open Radio Access Network (O-RAN), a modern architecture where multiple radio base stations cooperate to manage connections across a mobile network.

The second environment involved a virtualised 5G core network built using the open-source OpenAirInterface platform and managed through the FlexRIC real-time control system.

Across both environments, the framework detected and stopped cyber-attacks in less than a tenth of a second.

Among the threats tested were handover flooding attacks, which overwhelm the mechanisms responsible for transferring devices between cell towers, and E2 subscription flooding attacks, where malicious applications send large volumes of requests to network controllers to disrupt normal operations.

Security challenges for future mobile networks

Detecting malicious activity in mobile networks can be particularly difficult because modern 5G infrastructure consists of many interconnected software and hardware components.

Attackers can conceal their actions by imitating legitimate traffic patterns or gradually escalating activity to avoid detection.

Dr Mohammad Shojafar, an associate professor in network security at Surrey’s 5G/6G Innovation Centre, said static security models struggle to keep pace with the rapid pace of change in contemporary telecommunications systems.

He noted that AI systems trained using a digital twin can learn directly from the behaviour of the live network, improving their ability to identify threats before they affect services.

Preparing security for the arrival of 6G

The next generation of wireless technology, 6G, is expected to begin emerging in the early 2030s. Researchers believe that as networks become more complex and software-driven, traditional rule-based cybersecurity systems will become increasingly insufficient.

The TwinGuard project highlights how AI-driven monitoring and digital twin technology could play a central role in protecting future communications infrastructure.