5g is entering a security inflection point as researchers at the University of Surrey unveil TwinGuard, an AI defense system designed to detect and stop sophisticated 5g cyber-attacks in under 100 milliseconds. The work frames a broader shift: as mobile networks become more open and flexible, defenders are moving from static, rule-based protections to systems that learn behavior in real time.
What Happens When 5g networks get more open and flexible?
The Surrey team describes the underlying dilemma facing modern mobile infrastructure. As 5G networks become more open and flexible—easier to upgrade and less costly to deploy—they also create more potential entry points for cyber attackers. That structural openness can increase complexity across many components working together, making unusual activity harder to spot and giving attackers more room to blend in by mimicking normal traffic or escalating slowly over time.
TwinGuard is presented as a response to that reality, built around a real-time digital twin: a live virtual replica of a mobile network that updates every few milliseconds. The defense approach pairs that digital twin with reinforcement learning AI intended to anticipate suspicious behavior and shut down attacks before they cause disruption. In effect, the system aims to learn what “normal” looks like inside a living network model, rather than depending primarily on fixed warning signs or known attack signatures.
Dr. Sotiris Moschoyiannis, Associate Professor in Complex Systems at Surrey University’s Centre for Cyber Security, argues the attacker playbook has changed in ways traditional defenses were not designed to handle: “Attackers rarely come through the front door anymore. They probe, adapt and escalate in ways that traditional defences simply weren’t designed to handle. ” He adds that the shift demonstrated by TwinGuard—recognizing behaviors as they unfold and responding accordingly—matters for keeping future networked systems dependable in the face of increasingly agile threats.
What If AI-driven digital twins become the new standard for stopping 5g cyber-attacks?
The Surrey researchers tested TwinGuard in two realistic 5G environments to evaluate speed and effectiveness against sophisticated threats. One environment was a simulated multi-cell Open Radio Access Network (O-RAN) setup, described as mimicking several mobile masts working together. The second was a fully virtual 5G core network built with open-source software (OpenAirInterface) and controlled through the real-time FlexRIC platform.
Across both test environments, the researchers state TwinGuard detected and blocked attacks in under 100 milliseconds. The tested attacks included:
| Attack type | How it disrupts the network (as described by the researchers) | Where it was tested |
|---|---|---|
| Handover flooding attack | Fake signals try to overwhelm the system managing connections between masts | Two realistic 5G environments (including simulated multi-cell O-RAN and a virtual 5G core) |
| E2 subscription flooding attack | A malicious app bombards the network controller with data requests to disrupt normal operation | Two realistic 5G environments (including simulated multi-cell O-RAN and a virtual 5G core) |
Dr. Mohammad Shojafar, Associate Professor in Network Security at the University of Surrey, emphasizes the limitation of static defenses in this context, stating that rule-based systems cannot keep pace with the speed and complexity of attacks on modern 5G networks. He describes the framework as letting the AI learn directly from a virtual copy of the live network to identify “normal” and spot trouble before impact, pointing to the sub–tenth-of-a-second shutdown as a signal that real-time, AI-driven defense will matter for future networks.
Neha Gupta, Researcher and Developer at Surrey, describes the design intent as linking real-time network data with an intelligent digital twin, enabling a reinforcement learning agent to anticipate and stop control-plane attacks in O-RAN networks at very high speed.
What Happens When this approach is extended toward early-2030s 6G goals?
The Surrey team positions TwinGuard not only as a 5G security tool, but as a stepping stone toward the resilience expected for next-generation systems. With 6G expected to arrive in the early 2030s, the researchers argue that future mobile networks will need security systems that learn behavioral patterns rather than relying on fixed warning signs.
This is a notable signal about where security is heading: the system’s core promise is adaptability under uncertainty—detecting suspicious behavior that does not necessarily match pre-defined patterns. In the researchers’ framing, the complexity of modern networks and the agility of attackers create a conditions problem: defenders cannot assume threats will look like what they have seen before.
The research was initially presented at the 2025 IEEE International Conference on Trust, Security and Privacy in Computing and Communications and published in IEEE Xplore. The team also states it plans to expand the framework to larger, multi-cell environments, describing this as a step closer to potential deployment in future 6G systems.
At this stage, the publicly described evidence remains centered on performance in two realistic test environments and on the specific attack classes outlined by the researchers. The next proof points will depend on how the framework performs as it scales to larger, multi-cell settings and how reliably it distinguishes malicious behavior from complex, legitimate traffic patterns in evolving network conditions.
