
Embedding AI/ML in 5G Network Functions for Coordinated Insights

By Patrik Rokyta, CTO Titan.ium Platform

Artificial Intelligence (AI) and Machine Learning (ML) are increasingly becoming foundational technologies across the telecommunications industry. Starting in the Radio Access Network (RAN), early 3GPP releases such as Release 17 (2022) and Release 18 (2023) explored AI/ML applications for dynamic spectrum management, predictive handovers, and energy-efficient scheduling. These techniques enabled smarter, context-aware radio networks that adapt in near real-time to changing traffic and environmental conditions.

Building on these advancements, AI/ML is now being applied in the mobile core (Release 19, 2024), where Network Functions (NFs) generate data that is collected and analyzed by the Network Data Analytics Function (NWDAF). By training models on this data, the NWDAF can predict traffic load and detect abnormal signaling behaviors, feeding these insights back into routing and resource allocation decisions within the core network.

This blog traces the journey from applying AI/ML to simple tasks to embedding AI/ML into 5G Signaling Firewall (SFW), sharing local metrics with higher-level analytics systems for coordinated decision-making.

Solving the XOR-Problem with AI

To illustrate the basics of AI/ML, consider the classic XOR problem: calculating the output from two binary inputs, x₁ and x₂. A linear regression model is the simplest approach, but it fails here because XOR is not linearly separable. Any attempt produces poor predictions.


A nearest neighbors (KNN) model performs better, as it classifies outputs based on the closest observed examples, but it introduces potential false positives and false negatives (green dots) when x₁ or x₂ are near 0.5 in the [0.0, 1.0] range; the nearest neighbor might lie on the opposite side of the threshold, producing incorrect predictions. KNN also does not generalize well to unseen inputs and can become computationally expensive for larger datasets.


In contrast, a neural network, even a small feedforward model with a hidden layer, can successfully learn the XOR function by capturing the non-linear relationship between inputs.


Deterministic and Statistical Methods versus Neural Networks

Deterministic and statistical methods rely on explicit rules, mathematical formulas, or probabilistic models to process inputs and produce predictable outputs. In telecommunications, the choice between these methods and neural networks or other black-box models has significant implications for network reliability and safety. Deterministic and statistical approaches such as rule-based logic, thresholding, or regression models offer traceable, explainable behavior and are easier to validate and audit, which is critical for infrastructure that underpins regulatory compliance. Their limitations lie in handling complex, high-dimensional, or non-linear patterns, which can reduce effectiveness for anomaly detection or adaptive traffic management. Neural networks and other black-box models excel at capturing non-linear relationships and complex correlations in large datasets, enabling sophisticated analytics and predictive capabilities. However, their behavior is often opaque, difficult to trace and audit, and challenging to certify for critical network functions.

Deterministic AI: Automating Decisions with Traceable Logic

While neural networks and black-box models often dominate the AI conversation, deterministic and statistical methods remain valid AI techniques because they automate decision-making and pattern recognition. AI is fundamentally about automating intelligence-driven tasks, not solely about complex or opaque models. Under this definition, deterministic and statistical approaches provide outputs that are mathematically grounded, rely on rule-based and/or model-driven logic rather than opaque networks, and are fully interpretable and explainable, meaning the reasoning behind every AI decision can be traced and audited. These characteristics make them particularly well-suited for telecommunications networks, where reliability, transparency, and regulatory compliance are essential. Let’s elaborate on how deterministic AI can be utilized in a core network element: the 5G Signaling Firewall (SFW).

AI-powered 5G Signaling Firewall

Injecting AI directly into a network function and applying the embedded AI model to every routed message, instead of mirroring traffic to external network data analytics for non-real-time processing, enables us to stop threats in-flight rather than react to them after the fact. Such a network function is referred to as an AI-native Network Function (AINF).

AINFs, such as the AI-powered 5G Signaling Firewall (SFW), can follow the architectural approach proposed in 3GPP TR 38.843, ‘Study on AI/ML for NR Air Interface’. This architecture is particularly important because it defines dedicated endpoints, one for messages used in training and another for messages to be inferred. An additional component manages the distribution of trained AI models and can also trigger re-training when needed.


The training of the 5G SFW can be carried out in two ways. First, the SFW can be trained using low-rate service requests from network functions deployed in the mobile core, ensuring that only service requests supported by the network are allowed to pass. Second, the SFW can be trained with digital twins, each simulating the service requests of a particular serving network, ensuring that inbound messages are filtered on a per-serving-PLMN basis. By combining these two training methods, both home and serving network capabilities are taken into account for message filtering.

Message Filtering

Message filtering is one of the most common use cases for a signaling firewall. In the 5G mobile core, messages are filtered based on a combination of the service request type and the service request resource. The key challenge in telecommunications networks is that message filtering must be highly accurate: false negatives (allowing malicious messages into the core network) and false positives (blocking legitimate users from service access) must be avoided. This requirement poses a significant challenge for AI models that operate on probabilities. For this reason, message filtering has traditionally been rules-based.

Nevertheless, as shown in the diagram below, AI models can meet these requirements. In the example, the 5G SFW, powered by an AI model that combines an indexed trie with a bag-of-words approach, blocks two messages. The first message is blocked because of an unknown resource, ‘ue-authentication,’ highlighting the AI model’s ability to detect anomalies even from small deviations in the expected input (‘ue-authentications’). The second service request is blocked because it uses the ‘PUT’ request type, which is not defined for the UE authentication service request.


Even though these requests could also be detected using static rules, the use of an AI model provides several important benefits:

  • Unsupervised operation: The AI model functions without manual intervention, reducing configuration effort and ongoing maintenance.
  • Incremental learning: The AI model continuously adapts to new network function types and services introduced in the mobile core and across the serving networks, without requiring frequent rule updates.
  • Handling identifiers: The AI model can effectively process service requests containing dynamic identifiers (e.g., UE, IMSI, PLMN ID, PDU session ID), which would otherwise complicate the creation and management of deterministic rules.
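The filtering behaviour described above can be sketched as an allow-list learned from training traffic. This is an added example, not Titan.ium's model: it covers only a path-segment trie with learned request types, and the identifier pattern, class name and sample requests are assumptions constructed for illustration.

```python
import re
# Assumption: which path segments count as dynamic identifiers (IMSI, numeric id, UUID).
ID_SEGMENT = re.compile(r"imsi-\d+|\d+|[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}")

def tokens(path):
    """Split a request path into trie keys, collapsing identifiers into one token."""
    return ["{id}" if ID_SEGMENT.fullmatch(seg) else seg
            for seg in path.strip("/").split("/")]

def new_node():
    return {"children": {}, "methods": set()}

class RequestFilter:
    """Allow-list learned from training traffic: a segment trie with methods per node."""
    def __init__(self):
        self.root = new_node()

    def train(self, method, path):
        node = self.root
        for tok in tokens(path):
            node = node["children"].setdefault(tok, new_node())
        node["methods"].add(method)

    def infer(self, method, path):
        node = self.root
        for tok in tokens(path):
            node = node["children"].get(tok)
            if node is None:
                return False, f"unknown resource '{tok}'"
        if method not in node["methods"]:
            return False, f"request type {method} not learned for this resource"
        return True, "learned"

# Constructed training traffic (sample paths, not captured from a real network).
TRAINING = [
    ("POST", "/nausf-auth/v1/ue-authentications"),
    ("GET", "/nudm-sdm/v2/imsi-001010000000001/am-data"),
]

def build_filter():
    sfw = RequestFilter()
    for method, path in TRAINING:
        sfw.train(method, path)
    return sfw

if __name__ == "__main__":
    for req in [("POST", "/nausf-auth/v1/ue-authentication"),
                ("PUT", "/nausf-auth/v1/ue-authentications")]:
        print(req, build_filter().infer(*req))
```

Because identifiers collapse to a single token, a request for an IMSI that never appeared in training still matches the learned resource, while a one-character deviation in a static segment does not.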

Once the 5G SFW reliably filters out malicious content from inferred traffic, it establishes a baseline of legitimate traffic content and patterns. If the digital twin used for training has also delivered the expected traffic shape, the AI-powered 5G SFW can then go beyond content validation to detect anomalies in traffic trends, volumes, and mixes. The detected anomalies are reported to a higher-level monitoring system, which correlates them with additional data sources and then leverages agentic AI to generate the most suitable mitigation proposals. These proposals are subsequently validated and applied by the operator, an operational procedure aligned with emerging regulatory frameworks such as the EU AI Act.

Traffic Shape Monitoring

The diagram below shows the AI model analyzing inferred traffic volumes and trends while predicting expected values at any point in the future. Traffic volume prediction can be applied to real-time anomaly detection in traffic patterns, while traffic trend prediction is best suited for the long-term dimensioning of mobile core resources. Note that each simulated minute corresponds to one hour in real time, meaning 24 minutes represent a full day.


Anomalies in traffic volume are detected using a threshold applied to a scoring function, which calculates the deviation of the actual traffic load (green curve) from the predicted, expected traffic load (yellow curve).


As shown in the diagram, traffic patterns often follow a seasonal trend (e.g., a daily cycle). In this case, the anomaly occurs when the actual traffic volume is unexpectedly high compared to the model’s prediction, even though it does not exceed the maximum daily load. A static threshold would fail to capture this deviation, since the value remains below such a cutoff. Instead, the AI model uses a scoring function that measures the difference between actual traffic and the predicted seasonal baseline, enabling the detection of anomalies that would otherwise remain hidden.
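The difference between a static cutoff and a score against the seasonal baseline can be reproduced with a few lines. This is an added example, not the product's model: the per-hour mean/spread baseline, the scoring function, the threshold of 6 and the traffic data are all assumptions constructed for illustration.

```python
import math
from statistics import mean, pstdev

def load(hour, day):
    """Constructed traffic: daily sine cycle (200..1800 req/s) plus small jitter."""
    base = 1000 + 800 * math.sin(2 * math.pi * (hour - 8) / 24)
    return base + 20 * math.sin(day * 7 + hour)

def fit_baseline(history):
    """Per hour of day: (predicted load, normal spread) learned from past days."""
    return [(mean(col), pstdev(col)) for col in zip(*history)]

def score(actual, predicted, spread, floor=10.0):
    """Deviation from the seasonal prediction, in units of normal spread."""
    return abs(actual - predicted) / max(spread, floor)

def scored_alarms(day, baseline, threshold=6.0):
    """Hours whose deviation score exceeds the threshold."""
    return [h for h, v in enumerate(day) if score(v, *baseline[h]) > threshold]

def static_alarms(day, limit):
    """Hours whose raw load exceeds a fixed cutoff."""
    return [h for h, v in enumerate(day) if v > limit]

def run():
    history = [[load(h, d) for h in range(24)] for d in range(14)]
    today = [load(h, 14) for h in range(24)]
    today[3] = 900.0                        # constructed surge at 03:00, below the daily peak
    limit = max(max(d) for d in history)    # static cutoff at the highest load ever seen
    return static_alarms(today, limit), scored_alarms(today, fit_baseline(history))

if __name__ == "__main__":
    print(run())
```

The surge at 03:00 is roughly four times the expected night-time load but only half the daily peak, so only the baseline score flags it.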


Traffic Mix Monitoring

Traffic mix refers to the composition of different types of messages, services, or sessions within the network at a given time. For example, it could reflect the proportion of registration requests, authentication messages, or PDU session setups, and how these proportions change over time. Detecting anomalies in traffic mix helps identify unusual patterns such as harvesting of data.

Similarly to anomalies in traffic volume, anomalies in traffic mix are detected using a threshold applied to a scoring function that calculates the deviation of the actual traffic mix from the predicted, expected traffic mix. Note that each simulated minute corresponds to one hour in real time, meaning 24 minutes represent a full day.


As shown in the diagram above, shifts in traffic mix may not always appear as anomalies in overall traffic volume. The detection of anomalies relies on the scoring function and the configured threshold. In addition, generative AI can be used to identify the service(s) causing the anomaly.
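A mix shift at constant volume can be scored as the distance between the observed and expected share of each service. This is an added example, not the product's scoring function: total variation distance, the 0.15 threshold, the service names and the counts are assumptions, and a simple ranking by share increase stands in for the generative-AI step mentioned above.

```python
def shares(counts):
    """Convert per-service message counts into fractions of the window total."""
    total = sum(counts.values())
    return {svc: n / total for svc, n in counts.items()}

def mix_score(actual, expected):
    """Total variation distance between two mixes, plus per-service share change."""
    a, e = shares(actual), shares(expected)
    # Union of keys so a service never seen in training still contributes.
    delta = {svc: a.get(svc, 0.0) - e.get(svc, 0.0) for svc in set(a) | set(e)}
    return 0.5 * sum(abs(d) for d in delta.values()), delta

def check_window(actual, expected, threshold=0.15):
    """Return (score, service with the largest share increase, or None if normal)."""
    score, delta = mix_score(actual, expected)
    return score, (max(delta, key=delta.get) if score > threshold else None)

# Constructed message counts per service; service names are placeholders.
EXPECTED = {"registration": 3000, "authentication": 3000,
            "pdu-session-setup": 3500, "subscriber-data-query": 500}
NORMAL = {"registration": 300, "authentication": 310,
          "pdu-session-setup": 340, "subscriber-data-query": 50}
# Same total volume (1000 messages) as NORMAL, but a very different composition.
SHIFTED = {"registration": 240, "authentication": 240,
           "pdu-session-setup": 270, "subscriber-data-query": 250}

if __name__ == "__main__":
    print(check_window(NORMAL, EXPECTED))
    print(check_window(SHIFTED, EXPECTED))
```

Both windows carry 1000 messages, so a volume score sees nothing, while the mix score rises from 0.01 to 0.20 and points at the service whose share grew.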

 


 

Integration

Titan.ium is introducing its AI-powered 5G Signaling Firewall (SFW) to work alongside two key network elements: the 5G Security Edge Protection Proxy (SEPP) and the 5G Service Communication Proxy (SCP). The SEPP safeguards the mobile core perimeter from malicious actors and spoofed messages, while the SCP centralizes traffic for service discovery, intelligent routing, and policy enforcement. Both Titan.ium’s SEPP and SCP already include built-in message filtering based on configured rules and also mirror received messages to a Network Data Analytics Function (NWDAF). With the AI-powered 5G SFW, these foundational capabilities can be enhanced by AI-driven analytics, offering a glimpse of how advanced intelligence could improve traffic filtering and anomaly detection in the future.

Disclaimer

This blog contains summaries and interpretations of publicly available 3GPP Technical Specifications (TS) and Technical Reports (TR). All 3GPP documents are © 3GPP and its Organizational Partners (ETSI, ATIS, etc.). No official 3GPP text or figures are reproduced here; diagrams are redrawn and content is paraphrased for explanatory purposes. For the authoritative versions of 3GPP specifications and reports, please refer to the official 3GPP portal at https://www.3gpp.org/Specifications.

About Titan.ium

Titan.ium Platform is a leader in signaling, routing, subscriber data management, and security software and services. Our solutions are deployed in more than 80 countries by over 180 companies, including eight of the world’s top ten communications service providers. 

Titan.ium began its cloud-native journey in 2019 with the introduction of its Titan.ium cloud-native platform. By mid-2025, Titan.ium’s cloud-native portfolio includes several 5G network functions and selected legacy network functions that have transitioned to cloud-native to address immediate market demands. At the same time, we continue supporting the Titan virtualized platform that can also be deployed on physical servers. This gradual shift enables communication service providers to harmonize their infrastructure while ensuring continuity.
