How the metadata already present in every public mobile network can be used to find hostile aerial devices

The case that cellular-connected drones now constitute a real and broad hostile-use phenomenon has been made elsewhere in this series. The harder question — and the more practically important one — is what to do about them.This article sets out the analytical approach that telecommunications networks already make possible: detection, tracking and attribution of cellular-connected drones using the signalling data that public mobile networks generate during their ordinary operation.

The approach is not theoretical. It rests on properties of cellular networks that are well-understood, on data already collected by operators for their own engineering and regulatory purposes, and on analytical techniques with mature antecedents in fraud management, lawful interception support, and mobile network planning. It does not require new radio infrastructure, special spectrum, dedicated sensors or modifications to handsets. What it requires is institutional and legal: lawful access to operator signalling, analytical capability applied to it, and the governance arrangements within which both can sit.

The aim of this article is to give a reader who is not a telecommunications specialist enough understanding of how the approach works, and why it is sound, to evaluate it as part of a serious counter-drone posture. The article is deliberately structured around principles and outcomes rather than implementation detail. Where specific analytical methods are referred to, they are referred to in general terms. Realising this capability in operational practice involves substantial engineering and analytical work that is not, and could not usefully be, set out in a public document.

What the network already knows

Modern mobile networks are designed around two logical domains. The user plane carries the content a subscriber sends or receives — voice packets, video streams, application data. The control plane carries the procedural signalling that manages the network itself: the messages by which a device attaches to a cell, authenticates, establishes data sessions, hands over between cells as it moves, and reports its radio conditions. The user plane is what most people picture when they think about mobile communications. The control plane is what makes the user plane possible.

This distinction is fundamental to everything that follows. Signalling analysis is concerned exclusively with the control plane. It does not involve interception, decryption or inspection of the content a device communicates. The analyst observes that a device is attached, how it is behaving on the network, and how that behaviour compares against the population of other devices. The video stream carrying the drone’s camera feed, the commands the operator is sending, the data the drone is uploading — none of these are touched by the analytical approach. They are user-plane traffic, and they remain outside the scope of what the technique examines.

Every connected device generates substantial signalling during the ordinary course of network attachment and use. In 4G LTE the principal control-plane interface between the radio access network and the core is S1; in 5G it is NG. These interfaces aggregate the signalling of every device served by every cell and are the natural observation points for any analytical system.

Operators already collect this signalling for their own purposes. Network planning relies on understanding aggregate device behaviour to dimension capacity and identify coverage problems. Fraud management depends on detecting anomalous subscriber patterns. Lawful interception support, in jurisdictions that have it, operates within the same data fabric. The signalling record is, in this sense, a routine operational asset of the modern mobile network. Drone detection through signalling analysis is the application of analytical techniques developed for these existing purposes to a new question: which of the devices currently attached to the network are not, in fact, devices being used by ground-based subscribers?

Why aerial devices are observable

The reason cellular-connected drones can be detected from signalling alone has nothing to do with anything specific to drones. It is a consequence of how cellular networks are engineered.

Cellular networks are engineered for terrestrial users. Radio planning assumes that handsets and fixed wireless terminals operate at or near ground level, within buildings or vehicles, and within mobility patterns driven byroad networks, rail, pedestrian movement and stationary use. Cell sites are sited, tilted and oriented to serve these patterns. The operational assumption that ground devices are the norm is built deeply into the design.

An aerial device departs from those assumptions in several independent ways simultaneously, and each departure leaves a trace in the signalling record.

The most fundamental is the radio environment a device experiences. A handset at ground level in a city sees only the cells whose signals reach it through gaps in buildings, terrain or vegetation. At one hundred metres in the air, those obstructions are below the device. Cell signals that would never reach a phone at street level reach an airborne antenna with little attenuation. The device sees, and reports the presence of, a radio environment qualitatively different from the one a terrestrial device in the same horizontal location would experience. This difference is not subtle; the propagation conditions of altitude versus ground level are well-understood and produce signatures that ground devices essentially do not produce.

Movement patterns differ in a comparable way. Terrestrial devices follow constrained routes — they move along roads, railways and pavements, at speeds appropriate to those modes. Aerial devices move in three dimensions, along trajectories that need not respect ground topology, at characteristic combinations of speed and acceleration. The way an aerial device’s pattern of network attachment evolves over time looks structurally different from the way a vehicle’s does, and that difference is visible in the signalling record without the device itself reporting anything about its altitude or its intent.

Patterns of use over time provide a third independent axis of discrimination. Operational drones tend to exhibit session characteristics — duration, timing, repetition — that differ from those of devices in routine personal use.

The combination matters more than any single observation. A device that is unusual in one of these ways may be unusual but explicable. A device that is unusual in all of them at once is producing a behavioural signature that ordinary terrestrial devices do not produce. The discrimination is statistical rather than deterministic — and the rigorous handling of that statistical character is itself a substantial part of what makes operational systems work —but the underlying physics and network design make the discrimination possible. Anyone with telecommunications engineering training can confirm the principle from first principles; the operational sophistication is in turning the principle into reliable, low-false-positive, real-time detection at national scale.

What the analytical approach has to achieve

The detection problem is best understood by the demands it has to meet rather than by the components of any particular implementation.

It must work in real time at national scale. A national operator’s control plane generates billions of signalling events per day across millions of subscribers. Detection cannot rely on offline batch analysis if the operational use case is real-time alerting; the analytical environment has to ingest, process and reason about events as they arrive. This is a significant engineering problem in itself, and it is the principal reason that the analytical approach restricts itself to the control plane: the user-plane volume is several orders of magnitude larger and would be intractable.

It must combine multiple, independent streams of evidence. No single signalling feature, on its own, distinguishes a drone from a phone with the confidence that operational use demands. The discrimination comes from combining evidence drawn from the radio environment, from movement patterns over time, and from contextual features that depend on geography, time of day, and the behaviour of the population of other devices on the same network. The combination is the key to confidence; over-reliance on any single feature is one of the failure modes that distinguishes credible systems from naive ones.

It must produce graded confidence rather than binary verdicts. Real signalling data is noisy, ambiguous, and full of legitimate edge cases. A serious analytical system does not output a yes/no judgement that “this device is a drone.” It outputs a confidence estimate, calibrated against operational data, communicating to the user how strong the evidence is and what residual ambiguity remains. The threshold at which that confidence triggers an alert, an investigation or an interdiction action is an operational choice rather than a technical one, and one that depends on the consequences of acting on each particular threshold.

It must maintain performance across heterogeneous conditions. A model that works well in a dense urban network may underperform in sparse rural coverage. A baseline trained on weekday daytime traffic may misfire at weekends or overnight. Network configuration changes — new cell sites, retuning, software upgrades — shift the baseline against which anomaly is judged. vProduction-grade systems have to be robust against this kind of drift, which isa non-trivial engineering problem and one that benefits from accumulated operational experience.

It must produce outputs that are actionable in an investigative or operational context. A score on its own is not useful to a police officer, a security analyst or an operator’s risk team. The output has to be wrapped in context: where the device has been, when, in proximity to what, alongside which other devices, with what underlying identifiers available. The integration of analytical output with the operational workflows of the people who act on it is as important as the analysis itself.

These demands taken together explain why the approach is not simply amatter of running a generic anomaly detector against cellular signalling. Thechallenge is the combination — the volume, the multi-stream reasoning, the statistical honesty, the robustness across conditions, and the operational integration. Each is solvable. Solving all of them at once, in a way that earnsthe trust of network operators and the security stakeholders who will rely on the output, is the work that distinguishes a credible operational capability from a research exercise.

From detection to tracking, attribution and interdiction

Detection — “is there an aerial device present?” — is the entry point ofthe operational chain, not the end of it. Once a device has been identified as airborne, the same signalling record supports several further capabilities.

Tracking is the most immediate. Because the network already maintains current location information for every attached device, in order to route traffic correctly, the device’s movement through the network can be followed in real time. The location resolution available varies with the density of the radio network — fine-grained in urban areas with overlapping cells, coarser in rural areas where a single cell may cover tens of square kilometres. Refinements based on the device’s interaction with multiple cells can sharpen the estimate. Critically, tracking is continuous across the operator’s footprint. A drone that traverses regions of patchy radar coverage, or sparsely instrumented rural areas, remains observable as long as it is attached to the network. This is a property that no localised counter-drone sensor can match.

Tracking also supports retrospective reconstruction. Past flights can be reconstructed from stored signalling data, which has direct evidential value for incident investigation, pattern-of-life analysis, and the identification of associated infrastructure such as launch locations or operator vantage points.The United Kingdom’s first major prosecution of a prison drone gang relied on exactly this kind of retrospective cellular evidence. The same data fabric supports both real-time and retrospective use.

Attribution is the next stage, and the one with the strongest evidential implications. The cellular identifiers associated with an airborne device — IMSI, IMEI, the SIM’s home network, the IP addresses to which the data session connects — are, subject to appropriate legal authority, available within the operator’s records. Attribution does not establish operator identity in the colloquial sense; it establishes the identity of the device and of the subscription that the device is using. Layered with operational context —flight timing, target proximity, repeat behaviour across days — attribution begins to support investigation and, where appropriate, prosecution.

The confidence chain is the operationally important property here. Raw signalling events produce airborne mobility signatures, which produce behavioural patterns, which produce candidate attributions, which can — when the threshold is crossed — support investigative or prosecutorial action. Each step is a progression in confidence rather than a leap. Well-designed systems make the confidence level explicit at every stage and ensure that the threshold for action is set appropriately to its consequences.

Interdiction is the most consequential extension and deserves careful treatment. Once a device has been identified, tracked and attributed within the network, the operator’s control plane offers a number of mechanisms by which its session can be influenced. These range from session teardown, black holing of its traffic, latency injection, quality-of-service downgrade, redirection or geo-fencing, through to prevention of reattachment for the specific identifiers involved. None of these involves jamming the radio environment. They are subscriber-specific, session-specific, an d identity-bound, in contrast to the indiscriminate, spectrum-wide, non-selective character of conventional radio-frequency jamming.

The comparison with RF jamming is the relevant frame. Jamming denies a portion of the spectrum to every device within range. Core-network interdiction(the relevant mechanisms in 4G EPC and 5G core architectures are standardised and well-documented) denies service only to the specific subscription that has been identified as hostile, while leaving every other device on the same network unaffected. This distinction matters operationally — it removes the collateral cost that makes jamming politically and economically difficult in civilian environments — but it also raises governance questions that the technique cannot duck. Any operational use of interdiction must be grounded in clear legal authority, applied with proportionality, and subject to effective oversight. The detection approach itself can operate with less authority than interdiction requires; the action one takes on the basis of the detection demands more.

Limits and honest constraints

Any serious account of an analytical capability has to be clear about what it cannot do. Three constraints matter most.

The first is the cellular-connectivity prerequisite. The approach only sees drones that use cellular networks. Platforms that communicate exclusively via direct radio control, on dedicated licensed spectrum, via satellite links, or through pre-programmed autonomous flight produce no corresponding signalling on public mobile networks and are therefore invisible to this technique. The capability is one layer of a multi-layer counter-uncrewed-aerial-systems posture, not a replacement for radar, RF sensing, or optical detection. Radar sees the airframe regardless of connectivity. RF sensing detects the drone’s own emissions on consumer bands. Signalling analysis sees the subset of drones that have decided to use the operator’s network. Each layer covers a different subset of the threat space; the combined picture is substantially greater than any individual layer.

The second is intermittent and minimal connectivity. A drone that interacts with the network only in brief bursts — to upload a position update, to transmit a short telemetry burst, or to perform a one-off attach for navigation backstop — presents a smaller observational surface than one that maintains a persistent video session. Detection of intermittent connectors is harder. The analytical approach does not lose them entirely, but its confidence and timing characteristics degrade. This is an active area of refinement in the methodology and is also relevant to how operators choose to set retention windows on signalling data.

The third is ambiguity in dense, complex environments. Urban radio environments produce unusual propagation patterns even for ground-based devices. Subscribers in tall buildings, in moving aircraft using picocells for in-flight connectivity, in unusual mobility patterns for legitimate reasons —these can produce features that resemble aerial behaviour in superficial ways.Discrimination is statistical, and in some contexts the false-positive rate is non-trivial. Operationally, this is addressed by corroboration: combining signalling analysis with localised sensors, with intelligence from other sources, and with human review before any action with material consequences is taken. Presenting probabilistic outputs as if they were certainties is the error to be avoided.

A fourth point, slightly different in character, is worth adding.Analytical confidence varies with geography, time of day, network configuration, and the behaviour of the specific device. Well-designed systems communicate this variation explicitly to decision-makers. The approach’s value lies in providing wide-area, persistent visibility that no other layer of the counter-drone posture provides. Its value does not lie in pretending to certainty it cannot deliver.

Why this is deployable now

The principal reason this article is being written at the present moment, rather than as a piece of speculative future capability, is that the analytical approach is technically and legally ready for operational use. The constraints on adoption are institutional rather than scientific.

Technically, the data exists. Operators already capture S1 and NG signalling in the ordinary course of network operations. Analytical platforms capable of ingesting that signalling at national scale, applying behavioural models, and producing real-time outputs have been demonstrated. The computational scale required is significant but tractable — comparable to existing fraud management or lawful interception support deployments, not to the orders of magnitude greater problem that would arise if the technique required user-plane inspection.

Legally, the foundations are in place. In the United Kingdom, theInvestigatory Powers Act 2016 provides a detailed statutory framework for the acquisition of communications data, with authorisation regimes, independent judicial oversight, and safeguards on retention and handling. The Telecommunications (Security) Act 2021 makes resilience against the misuse of public communications networks an explicit operator responsibility. At European evel, the General Data Protection Regulation and the ePrivacy Directive establish the overall framework for lawful processing, with derogations fornational security and law enforcement that are themselves subject to substantive and procedural conditions. The European Commission’s Action Plan onDrone and Counter-Drone Security explicitly identifies telecommunications networks as a component of AI-based detection capability. Comparable frameworks exist in other jurisdictions.

The legal foundations do not solve the problem of how operators, regulators and security stakeholders work together in practice. That requires governance arrangements that, in most jurisdictions, do not yet exist in mature form. The constraints are around data-handling standards, lines of accountability, oversight mechanisms, and the operational protocols by which analytical outputs flow from operator-hosted analytical environments to security authorities. These are solvable, but they require deliberate action.

The infrastructure question is largely answered. Where mobile coverage exists, the analytical approach works. Coverage in most developed economies is substantially complete across the relevant national territory and beyond. The marginal cost of adopting this layer of counter-drone capability is substantially lower than the marginal cost of equivalent radar coverage, because the underlying signalling fabric is already paid for and already operational.

The bottleneck, in short, is institutional. The technical approach is ready. The legal basis is largely available. What is needed is the structured working relationship between operators, regulators and security authorities within which the approach can be applied at scale, lawfully and proportionately— and the experienced analytical capability to deliver it.

Position within a layered detection model

Signalling analysis should be understood as one component of a layered counter-uncrewed-aerial-systems posture rather than as a stand-alone solution.

Radar provides physical detection of airframes regardless of their connectivity, with performance governed by target size, radar cross-section, and the geometry of the deployment. Radio-frequency sensing detects the drone’s own emissions, particularly on the consumer-grade bands used by commercial drone remote controls, and can identify known protocol signatures. Electro-optical and infrared systems provide visual confirmation, classification, and intent assessment for engagement decisions. Each layer coversa different subset of the threat space; each has limitations the otherscompensate for.

Signalling analysis adds two properties that no other layer currently offers at comparable scale. The first is national-scope persistent visibility for cellular-connected drones — visibility that is intrinsically wide-area, that operates across regions of patchy radar coverage, and that supports both real-time alerting and retrospective forensic reconstruction. The second is the natural pathway from detection through tracking, attribution and, where appropriate, interdiction within a single analytical and legal framework. Localised sensors detect the presence of a drone in a defined area; signalling analysis follows that drone across the country, links it to repeat behaviour over time, and can — within appropriate governance — influence its session.

The right relationship between the layers is hierarchical. Signalling analysis provides wide-area awareness and prompts closer investigation. Localised sensors confirm, classify, and where authorised support engagement. No single layer is sufficient. The combined picture, with each layer doing the work it is best suited to, is substantially greater than the sum of its parts.

Conclusion

The argument for using mobile network signalling analysis to detect cellular-connected drones reduces to a small number of substantive claims.Cellular-connected drones leave behavioural signatures in the signalling record of public mobile networks. Those signatures are distinguishable from ordinary terrestrial traffic, using analytical techniques whose engineering and statistical foundations are well-understood. The data on which the analysis runs is already collected by operators in the ordinary course of network operations. The legal frameworks within which such analysis can lawfully take place are largely in place in the United Kingdom, the European Union, and comparable jurisdictions. The technique fits naturally within a layered counter-uncrewed-aerial-systems posture, complementing rather than replacing radar, RF and electro-optical detection.

The remaining constraints are institutional. They concern how operators, regulators and security authorities establish the working arrangements within which signalling analysis can be applied at scale, lawfully, proportionately, and with effective oversight. These are real questions, and they will not solve themselves. They will require deliberate engagement between actors who, in most jurisdictions, do not yet routinely engage with each other on this subject —and access to the analytical expertise required to deliver the capability in practice.

The cellular-connected drone is a class of threat that is intrinsically national in scale, jam-resistant against conventional countermeasures, and arriving over the same network that carries the rest of civilian life. The defensive response that fits the shape of the threat is one that operates at the same scale, on the same network, using the data the network already produces. The technical case for that response is, on the evidence, mature. The institutional case is the work that remains.