Although modern 5G networks are becoming more open and flexible – making them easier to upgrade and less costly to deploy – this also increases potential entry points for cyber attackers.

TwinGuard is said to address this challenge using a real-time digital twin, which is described as a live virtual replica of a mobile network that updates every few milliseconds. The team paired TwinGuard with reinforcement learning AI that can anticipate suspicious behaviour and shut down attacks before they cause disruption. 

Traditional security systems often rely on recognising known attack patterns and can struggle to deal with new or rapidly changing threats. To test whether TwinGuard could respond more quickly, the researchers used two realistic 5G environments. The first was a simulated multi-cell Open Radio Access Network (O-RAN) set-up, which mimics several mobile masts working together. The second was a fully virtual 5G core network built with open-source software (OpenAirInterface) and controlled through the real-time FlexRIC platform.

Across both environments, TwinGuard detected and blocked attacks in under 100 milliseconds. These included a handover flooding attack (fake signals that try to overwhelm the system managing connections between masts) and an E2 subscription flooding attack, where a malicious app bombards the network controller with data requests to disrupt normal operation. 

In a statement, research lead Dr Sotiris Moschoyiannis, an Associate Professor in Complex Systems at Surrey University’s Centre for Cyber Security, said: “Attackers rarely come through the front door anymore. They probe, adapt and escalate in ways that traditional defences simply weren’t designed to handle.

“What TwinGuard demonstrates is that mobile networks can learn to recognise these behaviours as they unfold, and respond accordingly, rather than relying on pre-defined rules. That shift is essential if we want future 6G networked systems to be resilient and remain dependable in the face of increasingly agile threats.” 

Unusual activity can be difficult to spot because today’s 5G networks are built from many different components working together. Hackers can hide their movements by mimicking normal traffic or escalating slowly over time. With 6G expected to arrive in the early 2030s, the researchers said the next generation of mobile networks will need security systems that learn behavioural patterns rather than relying on fixed warning signs. 

The study was initially presented at the 2025 IEEE International Conference on Trust, Security and Privacy in Computing and Communications and published in IEEE Xplore.

The team now plans to expand the framework to larger, multi-cell environments, bringing it another step closer to deployment in future 6G systems.