Closed-Loop Resilience Framework for 5G Core Networks
March 27, 2026 · View on GitHub
This repository contains a research prototype implementing a closed-loop resilience framework for 5G core networks.
The objective of this work is to automate the detection, mitigation, and validation of cyberattacks in critical infrastructures by integrating monitoring, decision-making, and testing into a unified pipeline.
The approach follows a closed-loop process:
- Monitoring of network traffic using event-based properties
- Alert-driven reaction through adaptive mitigation mechanisms
- Non-regression testing to validate the effectiveness of mitigation actions
This repository is part of an academic research effort and is intended for experimental and reproducibility purposes.
Architecture Overview
The framework is composed of four main components:
Property Generator (external repository)
- Generates formal event-based properties from high-level descriptions using LLMs
- Outputs executable rules (e.g., XML for MMT-Security)
Available here: [https://github.com/Montimage/PropertyGeneration]
Property Receiver
- Receives generated properties
- Validates and forwards them to the monitoring system
- Acts as a bridge between property generation and runtime monitoring
Reaction Engine
- Consumes alerts generated by monitoring tools (e.g., MMT-probe via Kafka)
- Ranks mitigation mechanisms based on alert severity, topological impact, mechanism effectiveness, cost, and risk
- Deploys the selected mitigation strategy
Testing Engine
- Selects and executes targeted test cases based on the alert context
- Validates whether mitigation actions restore system functionality and prevent cascading effects
- Supports test suite optimization through relevance-based selection
Alert Catalog
- Provides structural metadata for alerts, including severity levels, affected assets, protocols, and validation objectives
- Enables consistent interpretation of alerts across components
Repository Structure
.
├── alert_catalog/ # Alert definitions and normalization
├── property_receiver/ # Property ingestion and validation
├── reaction_engine/ # Alert-driven mitigation and scoring
├── testing_engine/ # Non-regression testing and test selection
├── LICENSE
└── README.md
Usage (High-Level)
Each component can be executed independently depending on the experimental setup:
- Deploy monitoring (e.g., MMT-probe) to generate alerts
- Run the Reaction Engine to process alerts and apply mitigation
- Execute the Testing Engine to validate system behavior post-mitigation
Detailed instructions are provided in each component’s README.