ETSI TR 104 051 V1.1.1 (2025-06)

TECHNICAL REPORT
Securing Artificial Intelligence (SAI);
Security aspects of using AI/ML techniques
in telecom sector
2 ETSI TR 104 051 V1.1.1 (2025-06)

Reference
DTR/SAI-0011
Keywords
artificial intelligence, security

ETSI
650 Route des Lucioles
F-06921 Sophia Antipolis Cedex - FRANCE

Tel.: +33 4 92 94 42 00  Fax: +33 4 93 65 47 16

Siret N° 348 623 562 00017 - APE 7112B
Association à but non lucratif enregistrée à la
Sous-Préfecture de Grasse (06) N° w061004871

Important notice
The present document can be downloaded from the
ETSI Search & Browse Standards application.
The present document may be made available in electronic versions and/or in print. The content of any electronic and/or
print versions of the present document shall not be modified without the prior written authorization of ETSI. In case of any
existing or perceived difference in contents between such versions and/or in print, the prevailing version of an ETSI
deliverable is the one made publicly available in PDF format on ETSI deliver repository.
Users should be aware that the present document may be revised or have its status changed,
this information is available in the Milestones listing.
If you find errors in the present document, please send your comments to
the relevant service listed under Committee Support Staff.
If you find a security vulnerability in the present document, please report it through our
Coordinated Vulnerability Disclosure (CVD) program.
Notice of disclaimer & limitation of liability
The information provided in the present deliverable is directed solely to professionals who have the appropriate degree of
experience to understand and interpret its content in accordance with generally accepted engineering or
other professional standard and applicable regulations.
No recommendation as to products and services or vendors is made or should be implied.
No representation or warranty is made that this deliverable is technically accurate or sufficient or conforms to any law
and/or governmental rule and/or regulation and further, no representation or warranty is made of merchantability or fitness
for any particular purpose or against infringement of intellectual property rights.
In no event shall ETSI be held liable for loss of profits or any other incidental or consequential damages.

Any software contained in this deliverable is provided "AS IS" with no warranties, express or implied, including but not
limited to, the warranties of merchantability, fitness for a particular purpose and non-infringement of intellectual property
rights and ETSI shall not be held liable in any event for any damages whatsoever (including, without limitation, damages
for loss of profits, business interruption, loss of information, or any other pecuniary loss) arising out of or related to the use
of or inability to use the software.
Copyright Notification
No part may be reproduced or utilized in any form or by any means, electronic or mechanical, including photocopying and
microfilm except as authorized by written permission of ETSI.
The content of the PDF version shall not be modified without the written authorization of ETSI.
The copyright and the foregoing restriction extend to reproduction in all media.

© ETSI 2025.
All rights reserved.
ETSI
3 ETSI TR 104 051 V1.1.1 (2025-06)
Contents
Intellectual Property Rights . 5
Foreword . 5
Modal verbs terminology . 5
Introduction . 5
1 Scope . 6
2 References . 6
2.1 Normative references . 6
2.2 Informative references . 6
3 Definition of terms, symbols and abbreviations . 7
3.1 Terms . 7
3.1.1 Network Operations Lifecycle Phases . 7
3.1.2 NIST AI Attack Taxonomy . 7
3.1.3 NIST AI Attacker Goals . 7
3.2 Symbols . 7
3.3 Abbreviations . 8
4 Convention Description . 9
4.1 Notation . 9
5 Overview . 9
5.1 Use of Generative AI vs. traditional AI in telecom providers' networks . 9
5.2 ML functionality in telecom providers' networks . 9
5.2.1 Data collection and preparation mechanisms . 9
5.2.2 Model engineering and evaluation mechanisms . 10
5.2.3 Model deployment mechanisms . 10
5.2.3.1 Introduction . 10
5.2.3.2 Model distribution using CP . 10
5.2.3.3 Model distribution using UP . 11
5.2.3.4 Hybrid model distribution using CP and UP . 12
5.2.4 Model operation (i.e. use of the ML model for prediction and inference) mechanisms . 13
6 AI/ML use cases for telecom and their impact on AI security . 13
6.1 System monitoring . 13
6.1.1 Introduction. 13
6.1.2 Anomaly detection . 13
6.1.3 Root cause identification . 14
6.1.4 Predictive maintenance . 14
6.2 Intelligent networks . 14
6.2.1 Introduction. 14
6.2.2 Ability to self-heal . 14
6.2.3 Root cause identification . 15
6.2.4 Predictive maintenance . 15
6.2.5 Dynamic optimization. 15
6.2.5.1 Mobility Optimization . 15
6.2.5.2 Load Balancing . 15
6.2.6 Automated network design . 15
6.3 Managed telecom services . 16
6.3.1 Use cases . 16
6.3.2 Ticket (e.g. trouble ticket, CR) classification and routing . 16
6.3.3 Customer churn prediction . 16
6.3.4 Service (e.g. SLA) assurance . 16
7 Vulnerabilities and mitigation strategies of AI/ML models deployed in telecom use cases . 17
7.1 Attacks on System Monitoring . 17
7.1.1 Introduction. 17
7.1.2 Anomaly detection . 17
ETSI
4 ETSI TR 104 051 V1.1.1 (2025-06)
7.1.3 Root cause identification . 17
7.1.4 Predictive maintenance . 17
7.2 Attacks on Intelligent Networks . 18
7.2.1 Introduction. 18
7.2.2 Ability to self-heal . 18
7.2.3 Dynamic optimization. 18
7.2.4 Automated Network Design . 18
7.3 Attacks on Managed Telecom Services . 18
7.3.0 Introduction. 18
7.3.1 Ticket (e.g. trouble ticket, CR) classification and routing . 19
7.3.2 Customer churn prediction . 19
7.3.3 Service (e.g. SLA) assurance . 19
Annex A: Bibliography . 20
Annex B: Change history . 21
History . 22

ETSI
5 ETSI TR 104 051 V1.1.1 (2025-06)
Intellectual Property Rights
Essential patents
IPRs essential or potentially essential to normative deliverables may have been declared to ETSI. The declarations
pertaining to these essential IPRs, if any, are publicly available for ETSI members and non-members, and can be
found in ETSI SR 000 314: "Intellectual Property Rights (IPRs); Essential, or potentially Essential, IPRs notified to
ETSI in respect of ETSI standards", which is available from the ETSI Secretariat. Latest updates are available on the
ETSI IPR online database.
Pursuant to the ETSI Directives including the ETSI IPR Policy, no investigation regarding the essentiality of IPRs,
including IPR searches, has been carried out by ETSI. No guarantee can be given as to the existence of other IPRs not
referenced in ETSI SR 000 314 (or the updates on the ETSI Web server) which are, or may be, or may become,
essential to the present document.
Trademarks
The present document may include trademarks and/or tradenames which are asserted and/or registered by their owners.
ETSI claims no ownership of these except for any which are indicated as being the property of ETSI, and conveys no
right to use or reproduce any trademark and/or tradename. Mention of those trademarks in the present document does
not constitute an endorsement by ETSI of products, services or organizations associated with those trademarks.
DECT™, PLUGTESTS™, UMTS™ and the ETSI logo are trademarks of ETSI registered for the benefit of its
Members. 3GPP™, LTE™ and 5G™ logo are trademarks of ETSI registered for the benefit of its Members and of the
3GPP Organizational Partners. oneM2M™ logo is a trademark of ETSI registered for the benefit of its Members and of ®
the oneM2M Partners. GSM and the GSM logo are trademarks registered and owned by the GSM Association.
Foreword
This Technical Report (TR) has been produced by ETSI Technical Committee Securing Artificial Intelligence (SAI).
Modal verbs terminology
In the present document "should", "should not", "may", "need not", "will", "will not", "can" and "cannot" are to be
interpreted as described in clause 3.2 of the ETSI Drafting Rules (Verbal forms for the expression of provisions).
"must" and "must not" are NOT allowed in ETSI deliverables except when used in direct citation.
Introduction
Machine learning use cases in telecom have shown great potential in assisting with solving problems such as anomaly
detection, root cause analysis, managed services, and network optimization. The present document aims to study AI
security and privacy aspects that are specific to the telecom industry use cases.

ETSI
6 ETSI TR 104 051 V1.1.1 (2025-06)
1 Scope
The use of AI to facilitate the use cases may cause AI security and privacy issues specific to the telecom industry. The
scope of this proposed work item will be to investigate security and privacy issues related to the use of AI in the
telecom industry sector. Harmonisation with 3GPP work in SA1, SA2, and SA3 is anticipated.
Key AI use cases in telecom networks are (non-exhaustive list):
• Network as a service.
• Network optimization.
• Network planning and upgrades.
• Automating security operations (anomaly detection, planning mitigation and response).
This investigation may use but is not limited to the Network Operations Lifecycle Phases methodology.
2 References
2.1 Normative references
Normative references are not applicable in the present document.
2.2 Informative references
References are either specific (identified by date of publication and/or edition number or version number) or
non-specific. For specific references, only the cited version applies. For non-specific references, the latest version of the
referenced document (including any amendments) applies.
NOTE: While any hyperlinks included in this clause were valid at the time of publication, ETSI cannot guarantee
their long-term validity.
The following referenced documents may be useful in implementing an ETSI deliverable or add to the reader's
understanding, but are not required for conformance to the present document.
[i.1] 3GPP TS 23.228: "Architecture enhancements for 5G System (5GS) to support network data
analytics services (Release 18)".
[i.2] 3GPP TS 28.104: "Management and orchestration; Management Data Analytics (MDA)
(Release 17)".
[i.3] 3GPP TR 37.817: "Study on enhancement for data collection for NR and ENDC".
[i.4] ETSI TS 138 423: "5G; NG-RAN; Xn Application Protocol (XnAP) (3GPP TS 38.423
version 18.5.0 Release 18)".
[i.5] Open Source MANO (OSM) - ETSI.
[i.6] Planning for Network Day 0, 1, and 2 Tasks and Stumbling Blocks.
[i.7] The difference between day-0, day-1, and day-2 operations.
[i.8] Day 0, Day 1, Day 2 Operations: Putting it All Together on Day 2.
[i.9] ETSI GR NFV-EVE 022: "Network Functions Virtualisation (NFV) Release 5; Architectural
Framework; Report on VNF configuration".
[i.10] Pialla, G., Ismail Fawaz, H., Devanne, M. et al.: "Time series adversarial attacks: an investigation
of smooth perturbations and defense approaches". Int J Data Sci Anal (2023).
ETSI
7 ETSI TR 104 051 V1.1.1 (2025-06)
[i.11] Siyang Lu, Mingquan Wang, Dongdong Wang, Xiang Wei, Sizhe Xiao, Zhiwei Wang,
Ningning Han, Liqiang Wang: "Black-box attacks against log anomaly detection with adversarial
examples", Information Sciences, Volume 619, 2023, Pages 249-262, ISSN 0020-0255.
3 Definition of terms, symbols and abbreviations
3.1 Terms
3.1.1 Network Operations Lifecycle Phases
The present document adopts a commonly used nomenclature used for describing activities pertaining to the
commissioning of a service, namely Day 0 - Day N. This approach and terms have been used in the ETSI Open Source
MANO [i.5] project and their application explained in [i.6], [i.7], and [i.8] to describe the onboarding of Containerized
Network Functions, with some concrete use cases to be found in [i.9]. For the scope of the present document, the terms
have been redefined as below.
Day 0
The planning and evaluation phase for a new telecommunications network encompassing all decision-making processes
prior to deployment activities.
Day 1
The deployment phase for a new network, spanning all activities necessary for the commissioning of infrastructure,
systems, and supply chains required for network operations.
Day 2
The steady-state operations and maintenance phase for a network, post initial installation, until the final
decommissioning of the network.
3.1.2 NIST AI Attack Taxonomy
AI supply chain: manipulation of training data or AI/ML model or AI/ML supporting software libraries
evasion: manipulating data which results in misclassification or no detection
poisoning : manipulating training data which results in model learning incorrectly
privacy: extracting sensitive information model was trained on
prompt injection: submission of malicious prompts to an AI system either directly or through ingestion sources
3.1.3 NIST AI Attacker Goals
abuse violation: abuse of a deployed AI/ML model to achieve attacker goals
availability breakdown: degradation of AI/ML model performance during deployment
integrity violation: erosion of model integrity to elicit incorrect results either through evasion or poisoning
privacy compromise: discovery of information pertaining to training data or model characteristics
3.2 Symbols
Void.
ETSI
8 ETSI TR 104 051 V1.1.1 (2025-06)
3.3 Abbreviations
ADRF Analytics Data Repository Function
AF Application Function
AI Artificial Intelligence
AI/ML AF AI/ML Application Function
AKMA Authentication and Key Management for Applications
AMF Access Management Function
AN Access Network
AnLF Analytics Logical Function
AS Access Stratum
CI/CD Continuous Integration and Continuous Delivery
CN Core Network
CoA Course of Action
Cp Control Plane
CP Control Plane
CPU Central Processing Unit
DCCF Data Collection Coordination Function
DDoS Distributed Denial of Service
E2E End-to-End
GBA Generic Bootstrapping Architecture
GenAI Generative AI
GPU Graphic Processing Unit
IaC Infrastructure as Code
IN Intelligent Network
KPI Key Performance Indicator
LLM Large Language Model
MANO Management And Orchestration
MDA Management Data Analytics
MDAS Management Data Analytics Service
MDT Minimization of Drive Test
MFAF Messaging Framework Adaptor Function
ML Machine Learning
MTLF Model Training logical function
NAS Non-Access Stratum
NEF Network Exposure Function
NF Network Function
NN Neural Network
NOC Network Operations Centre
NRF Network Repository Function
NSACF Network Slice Admission Control Function
NWDAF NetWork Data Analytics Function
OAM Operations, Administration and Maintenance
PCA Principal Component Analysis
PCF Policy Control Function
PDCP Packet Data Convergence Protocol
QoE Quality of Experience
QoS Quality of Service
RAG Retrieval Augmented Generation
RAN Radio Access Network
RAT Radio Access Technology
RCA Root Cause Analysis
RCEF RRC Connection Establishment Failure
RLF Radio Link Failure
RRC Radio Resource Control
SBI Service Based Interface
SIP Session Initiation Protocol
SLA Service Level Agreement
SMART Self-Monitoring, Analysis, and Reporting Technology
SMF Session Management Function
SOC Security Operations Centre
ETSI
9 ETSI TR 104 051 V1.1.1 (2025-06)
t-SNE t-distributed Stochastic Neighbour Embedding
UDM Unified Data Management
UDR Unified Data Repository
UE User Equipment
UP User Plane
4 Convention Description
4.1 Notation
For the purpose of the present document, the following notations apply:
stands for the "information" been exchanged or transmitted between different modules or via interfaces.
[security component] stands for the "security components" described in clause 7 that has involved in the interactive
procedures.
(optional) means the description followed by is the alternative that has enhanced effect but more strict requirements
compared. It may be referred to specific situations when implementing a certain security component or a security
mechanism.
5 Overview
5.1 Use of Generative AI vs. traditional AI in telecom providers'
networks
In many cases, traditional AI (as opposed to Generative AI (GenAI)) might be sufficient in telecom providers' networks.
Many of the use cases described in further clauses (e.g. Anomaly detection, Customer churn prediction,
Predictive maintenance, Root cause identification, System monitoring, Ticket classification, and routing) may be
supported by traditional AI.
While GenAI may be suitable for interactive experiences, such as customer care and postmortem assessment of a
network error, a lot of other optimization efforts - such as initial detection of errors and root cause analysis - might not
need more than traditional ML models.
However, when, for example, traditional AI detects a new cyber threat and new firewall rules need to be written to
address it or a new threat signature is discovered for future use by traditional AI, GenAI may be employed to generate
and deploy these rules and/or signatures.
5.2 ML functionality in telecom providers' networks
5.2.1 Data collection and preparation mechanisms
In the context of 5G / 3GPP-enabled standards, data collection forms part of the core functionality of the Management
Data Analytics (MDA) capability of the network. More generally, the telecom provider should ensure the availability of
structured, real-time operational and performance characteristics of their network, such as QoS/QoE metrics,
throughput, and measured network latency. Additionally, unstructured data sources such as natural-language trouble
tickets generated increasingly represent viable sources of information for AI models, especially in conjunction with the
aforementioned structured information.
ETSI
10 ETSI TR 104 051 V1.1.1 (2025-06)
Depending on the nature of the AI/ML models employed, several pre-processing steps may be required. Structured,
quantitative data may require statistical transformations such as normalization to contain their co-domain. In cases
where a large number of features (i.e. input parameters) are available, dimensionality reduction techniques such as
Principal Component Analysis (PCA), or t-distributed Stochastic Neighbour Embedding (t-SNE) may be employed to
reduce the feature space. Natural language data typically undergoes a string of techniques such as normalization (e.g.
non-printed character removal or white space normalization), deduplication, and - depending on the use case - removal
of private data, pseudonymization, or anonymization for security and privacy compliance. The following steps may
include lemmatization, grouping related words into singular concepts (lemmas), and vectorization, which is the
conversion of these lemmas to mathematical vector representations. This subsequently allows for sentiment, syntax, and
semantic analysis, to determine the premise of a given text. The interfaces provided by Large Language Models (LLMs)
typically perform these steps transparently.
5.2.2 Model engineering and evaluation mechanisms
Model engineering refers to the process of designing ML "pipelines" that convert raw data into actionable inferences by
performing a set of transformations. This process is executed based on the insights of domain experts. In the context of
a telecommunications network, this translates to the Network Operations Centre (NOC) and Security Operations Centre
(SOC) domains. The expert knowledge, along with statistical methods like correlation analysis, is used to create and
select a set of features (e.g. mean and variance of some numerical value for a given time window or frequency of words
in textual data) from the raw data, that are most meaningful for a given problem that the model aims to solve. Some
features may be "synthetic," i.e. created from a combination of existing features. In the training phase, the prepared data
is used to obtain model parameters, typically by minimizing a certain error function.
The model evaluation process serves to minimize generalization error, i.e. the error exhibited by the model when faced
with data set that is different from the training data set. This is typically estimated using validation data sets, reserved
within the existing data, and fed to the model post-training. The metrics used to measure this error depend on the nature
of the parameter to be predicted. Since telco systems are considered critical infrastructure, a separate test bed may be
required for the training and evaluation of any new model.
While real-time operational data may be used to train AI models, during the training and evaluation phase, these models
are decoupled from downstream systems. For offline models, i.e. those with separate training and implementation
phases, evaluation is performed entirely within the established test-bed. Online models, on the other hand, undergo
continuous evaluation, both within, and outside the test environment.
5.2.3 Model deployment mechanisms
5.2.3.1 Introduction
Model deployment is often referred to as model distribution. To take advantage of the operators' Core Network (CN)
computing resources, a model can be engineered and evaluated at the core network nodes or AI/ML Application
Functions (AI/ML AF) outside of the operator's core network and deployed for execution to the User Equipment (UE)
nodes.
There are two fundamental ways to distribute information between CN or AF and UE(s). They are utilizing the
Control Plane (CP) and User Plane (UP). In addition, a hybrid distribution would utilize both CP and UP.
Clauses 5.2.3.2, 5.2.3.3, and 5.2.3.4 discuss possible model distribution use cases.
5.2.3.2 Model distribution using CP
The main advantage of model distribution using CP is its confidentiality, integrity, and replay protection over the air
while protected with NAS security. Another advantage is full operator's control over CP and NAS security. However, a
potentially large size of transferred models can adversely affect CP availability for its main purpose of assuring
signalling for mobile communications.
ETSI
11 ETSI TR 104 051 V1.1.1 (2025-06)
AI/ML AF
UE (R)AN CN
1. Decision to initiate
Model Distribution
2. Selected model
forward
...