DAST framework detects O-RAN anomalies zero-shot via VLM-LLM pipeline
Researchers Francesco Spinelli, Esteban Municio, and Pau Baguer introduce DAST, a zero-shot multi-agent framework that chains a VLM→LLM→VLM pipeline to detect cross-interface anomalies in O-RAN networks, achieving an F1-Score of 0.910 and Accuracy of 0.843 on real network traces — outperforming state-of-the-art TSAD baselines.
Score breakdown
Practitioners securing multi-vendor O-RAN deployments gain a zero-shot detection approach that requires no labelled baselines and produces explainable, WG11-aligned impact ratings — directly addressing the retraining bottleneck that makes traditional TSAD methods impractical in fast-evolving threat environments.
- 01DAST is a zero-shot multi-agent framework for cross-interface anomaly detection in O-RAN networks.
- 02It chains a three-stage VLM→LLM→VLM pipeline to process multivariate KPI telemetry.
- 03The framework converts KPI streams into visual representations, scores textual per-interface descriptions against O-RAN domain knowledge, and verifies suspects on high-resolution heatmaps.
Francesco Spinelli, Esteban Municio, and Pau Baguer introduce DAST, a zero-shot multi-agent anomaly detection framework designed for the unique security challenges of Open Radio Access Networks (O-RAN). O-RAN's disaggregated baseband stack communicates over standardized open interfaces, and while this openness enables multi-vendor composition, it also expands the attack surface across logically decoupled tiers. Denial-of-Service and performance-degradation attacks — which account for the majority of catalogued O-RAN threats — are especially hard to detect because labelled baselines are scarce, threats evolve faster than detectors can be retrained, and high-dimensional multivariate telemetry overwhelms monolithic inference models.
In the first stage, multivariate KPI streams are converted into visual representations for a Vision-Language Model.
DAST addresses these challenges through a three-stage VLM→LLM→VLM pipeline. In the first stage, multivariate KPI streams are converted into visual representations for a Vision-Language Model. The second stage scores textual per-interface descriptions against O-RAN domain knowledge using a Large Language Model. The third stage verifies suspected anomalies on high-resolution heatmaps via a second VLM pass. The framework outputs the problematic interfaces, the anomalous time intervals, an O-RAN WG11-aligned operational impact rating, and the decision rationale behind each detection.
Evaluated on real network traces collected from an O-RAN testbed under representative performance degradation scenarios, DAST achieves an F1-Score of 0.910 and an Accuracy of 0.843, outperforming state-of-the-art TSAD baselines. The zero-shot design means the framework requires no labelled training data, making it applicable in environments where threat signatures are unavailable or rapidly changing.
Key facts
- 01DAST is a zero-shot multi-agent framework for cross-interface anomaly detection in O-RAN networks.
- 02It chains a three-stage VLM→LLM→VLM pipeline to process multivariate KPI telemetry.
- 03The framework converts KPI streams into visual representations, scores textual per-interface descriptions against O-RAN domain knowledge, and verifies suspects on high-resolution heatmaps.
- 04DAST outputs problematic interfaces, anomalous time intervals, an O-RAN WG11-aligned operational impact rating, and decision rationale.
- 05It was evaluated on real network traces from an O-RAN testbed under performance degradation scenarios.
- 06DAST achieves an F1-Score of 0.910 and Accuracy of 0.843, outperforming state-of-the-art TSAD baselines.
- 07The zero-shot design eliminates the need for labelled training data, addressing a key limitation of traditional TSAD methods.
Topics
Summary and scoring are generated automatically from the original article. We always link back to the publisher and never republish images or paywalled content. Last processed Jun 7, 2026 · 12:45 UTC. How this works →