Abstract The integration of drones into airspace for commercial, military, and recreational purposes presents new challenges for mobile network infrastructure, especially when these drones rely on 4G and 5G networks for command-and-control (C2) and data transmission. This paper extends previous work on heuristic-based detection of airborne devices by introducing advanced methods, including triangulation and signal strength analysis, to enhance precision and reliability in identifying and tracking drones operating at altitude.

1. Introduction

Drones equipped with mobile network modems increasingly rely on public cellular infrastructure for communication, enabling long-range operations using encrypted, low-latency links. However, this usage complicates the task of distinguishing drones from conventional ground-based devices. While initial heuristics—such as high handover frequency and rapid location updates—provide early indicators of drone activity, more refined methods are necessary to confirm the airborne nature of a device. This paper introduces a two-stage model using initial heuristics as a filtering sieve and more advanced, resource-intensive techniques to confirm detections.

2. Initial Heuristics (First-Pass Sieve)

Initial heuristics aim to flag suspicious or anomalous behaviour in mobile network-connected devices. These include:

• Frequent handovers: A high number of cell changes per minute.
• Rapid tracking area updates (TAUs): Often triggered as drones move quickly across regions.
• High uplink throughput: Associated with video transmission.
• SIM clustering: Simultaneous activation of multiple SIMs in a geographic area.
• Signalling load per device: Drones generate a higher rate of control-plane signalling (e.g., RRC connection re-establishments).
• Relocation-related update frequency: Abnormal frequency of location updates due to rapid inter-cell movement.

These heuristics are computationally efficient and scalable, making them suitable for use in near-real-time monitoring environments. Devices exceeding defined thresholds are marked as candidates for further scrutiny.

3. Advanced Heuristics (Second-Pass Confirmation)

3.1. Triangulation for Positional Verification

Once a device is flagged by the first-pass sieve, triangulation can be selectively employed to improve 2D positional accuracy of the device's location, although standard mobile network infrastructure typically lacks the vertical resolution required for reliable altitude estimation based on signal reception at multiple base stations. While standard mobile network implementations do not support precise altitude calculation, positional correlation with flight path patterns can still add value.

Pseudocode: Triangulation-based Confirmation

function triangulate_position(signal_data_list):
   # signal_data_list: list of (cell_id, signal_strength, timing_advance)
   positions = []
   for cell in signal_data_list:
       pos = get_cell_coordinates(cell.cell_id)
       distance = estimate_distance(cell.signal_strength, cell.timing_advance)
       positions.append((pos, distance))
   return multilateration(positions)  # Estimate 2D/3D location

if is_flagged(device):
   signal_data = get_signal_data(device)
   location = triangulate_position(signal_data)  # Note: altitude estimates are only indicative and not reliable in standard mobile networks
   if is_linear_path(location.track) and location.altitude_estimation > 100m:  # Consider altitude as a soft indicator only, unless supported by external or enhanced vertical positioning data
       mark_as_probable_drone(device)

3.2. Signal Strength Stability (Line-of-Sight Heuristic)

Airborne devices often have a stable and consistently high signal strength across multiple cell towers due to unobstructed line of sight.

Pseudocode: Signal Stability Heuristic

function check_signal_stability(device_id, window=60):
   signals = get_signal_samples(device_id, window)
   std_dev = calculate_std_dev(signals)
   if std_dev < threshold and mean(signals) > strong_signal:
       return True
   return False

if is_flagged(device) and check_signal_stability(device):
   mark_as_drone_candidate(device)

3.3. Location-Based Signal Strength Anomaly Detection

By comparing a device's observed signal strength against historical signal strength profiles for the same geographic area, it is possible to identify devices that behave unlike ground-based users.

Pseudocode: Location-Specific Signal Strength Check

function compare_with_historical_baseline(device_id, location):
   observed_strength = get_average_signal_strength(device_id, location)  # Calculated over a rolling window and compared against a historical baseline for that location, accounting for time-of-day and seasonal variations where possible
   baseline_range = get_baseline_signal_strength_range(location)
   if observed_strength > baseline_range.max + margin:
       return True
   return False

if is_flagged(device) and compare_with_historical_baseline(device, location):
   mark_as_high_altitude_candidate(device)

3.4. Velocity and Path Linearization

Drones tend to follow straight-line or high-altitude arced flight paths, unlike ground vehicles.

Pseudocode: Trajectory Analysis

function analyse_path(device_id):
   gps_points = get_gps_track(device_id, duration=300)
   deviation = fit_line_and_measure_error(gps_points)
   if deviation < max_allowed and average_speed(gps_points) > 30 m/s:
       return True
   return False

if is_flagged(device) and analyse_path(device):
   mark_as_confirmed_drone(device)

4. Applications and Deployment Considerations

These advanced heuristics can be integrated into existing mobile network analytics platforms, ideally as part of a layered threat detection framework. Applications include:

• Airspace security: Detecting and intercepting unauthorised drone activity.
• Telecom analytics: Flagging anomalous network usage patterns.
• Critical infrastructure protection: Monitoring for airborne threats near power plants, airports, or government facilities.

Challenges include the need for real-time processing, data privacy compliance, and integration with lawful intercept protocols.

5. Conclusion

By incorporating a two-stage heuristic model—first-pass behavioural filtering followed by advanced spatial and signal analysis—mobile network operators and other authorised parties can significantly improve their ability to identify and classify airborne devices. These techniques provide a layered approach to threat detection and enhance situational awareness in environments where drones may pose a risk.

‍