Granomaly: A Temporal Graph Neural Network-Based Anomaly Detection Framework for 5G Core Network Control Plane

This article introduces Granomaly, an open-source 5G core network control plane anomaly detection framework developed by TF0x42 (GitHub link: https://github.com/TF0x42/granomaly, release date: 2026-06-16). The framework uses Temporal Graph Neural Network (TGNN) technology to achieve efficient anomaly detection by targeting the graph structure characteristics and temporal dependencies of 5G control plane traffic, providing a new technical solution for 5G network security operations.

The rapid global deployment of 5G brings advantages such as high speed and low latency, but its complexity and openness increase security risks. Compared to 4G, 5G adopts Service-Based Architecture (SBA), NFV, and SDN technologies, significantly expanding the attack surface; traditional rule-based and signature-based detection methods struggle to handle unknown threats, making machine learning-based anomaly detection a research hotspot.

Granomaly is an open-source anomaly detection framework for 5G core network control plane traffic. Its core innovation is applying TGNN to signaling data analysis to capture graph structure and temporal patterns. Characteristics of 5G control plane traffic:

1. SBA architecture uses HTTP/2 communication, which has interface security risks;
2. Complex signaling interactions involving dependencies among multiple network functions;
3. Dynamic changes in network topology require adaptive detection;
4. Massive data requires real-time processing.

Technical Analysis

• GNN Basics: Processes graph-structured data, models relationships, message passing, and structure awareness;
• TGNN Extensions: Supports temporal processing through time encoding, dynamic graph updates, historical aggregation, and temporal prediction;
• Granomaly Implementation: May use GAT/GCN + temporal encoders (LSTM/GRU/Transformer) + anomaly scoring layer.

Detection Process

1. Data Preprocessing: Signaling parsing, graph construction, feature extraction, sequence segmentation;
2. Model Training: Learning normal behavior patterns, graph embeddings, and temporal rules;
3. Online Detection: Real-time graph updates, anomaly scoring, threshold judgment, alarm generation.

Granomaly can detect various 5G anomalies:

• Signaling storm attacks: Identify abnormal signaling frequency/patterns;
• Protocol vulnerability exploitation: Analyze abnormal signaling sequences;
• Network function anomalies: Locate abnormal nodes;
• Insider threats: Identify operations deviating from normal baselines;
• Configuration errors: Quickly detect configuration issues.

Compared to traditional methods, Granomaly's advantages:

1. No labeled data required: Uses unsupervised/self-supervised learning, only needs normal traffic;
2. Strong interpretability: Attention mechanism provides anomaly causes and involved network functions;
3. Adapts to dynamic environments: Temporal modeling supports network changes;
4. Real-time processing: Local computing supports incremental updates and parallel processing.

Deployment Considerations

• Data Collection: Needs integration with NFV MANO and SDN controllers;
• Computing Resources: Requires GPU support; model compression or edge deployment can be considered;
• Latency Optimization: Balance accuracy and response speed;
• Privacy Compliance: Ensure data processing complies with regulations.

Future Directions

• Federated Learning: Collaborative training across operators;
• Multimodal Fusion: Combine control plane/user plane/physical layer data;
• Adversarial Robustness: Enhance attack resistance;
• Automated Response: Integrate with orchestration systems;
• 6G Prospects: Apply to next-generation network security.

Granomaly demonstrates the innovative application of TGNN in the field of 5G security, providing new ideas for addressing 5G security challenges. This open-source project deserves attention from researchers in network security, telecommunications technology, and graph neural networks. As 5G deployment evolves, intelligent security detection technologies will play an important role in ensuring reliable network operation.