Tracking Mobile Network-Connected Drone Swarms Following Border Incursion

1. Introduction
Recent conflicts and grey-zone threats have demonstrated the growing role of UAVs in both strategic and tactical operations. Among the most concerning developments is the use of drone swarms coordinated via domestic mobile network infrastructure in the target state. These UAVs, often modified with embedded 4G or 5G modems, are capable of long-range flights that commence from foreign territory and culminate deep within a defended state’s interior.
In certain scenarios, drones remain disconnected from any terrestrial network during their outbound phase, conserving power and minimising electronic visibility. Upon reaching or shortly after crossing a national border, they initiate mobile network registration and begin streaming telemetry and video data to remote controllers. These connections, while technically ordinary in network terms, introduce significant national security implications due to their scale, mobility, and ambiguity.
This paper presents an initial framework for recognising such events at the mobile network layer, outlining a set of indicators, analytic strategies, and coordination mechanisms that could support identification of, and response to, this class of threat.
2. Operational Scenario
The threat scenario under consideration involves a coordinated UAV swarm launched from a foreign origin, flying at altitudes in the low thousands of feet. These drones, not dependent on continuous RF-based control links, traverse a substantial distance autonomously. Only upon reaching proximity to the target state’s territory do they begin to interact with mobile infrastructure—attaching to base stations, receiving updated flight instructions, and initiating real-time video streams.
The critical observation is that their use of domestic telecommunications networks affords them access to encrypted, low-latency C2 channels that are difficult to distinguish from legitimate mobile IoT or M2M traffic. This poses considerable challenges to detection, attribution, and interdiction.
3. Detection Methodology
3.1 Spatio-Temporal Anomalies in Network Attachments
A central indicator of potential incursion is the appearance of new devices—previously unseen by the network—attaching to base stations along or near a national frontier. These events may occur in clusters, tightly grouped in time and space, and may exhibit signal characteristics indicative of altitude. For instance, connections established from higher elevations may trigger simultaneous visibility to multiple cell towers across wider-than-usual geographies.
Furthermore, the use of roaming or foreign-issued SIMs may be discernible through core network signalling, particularly if devices activate for the first time within domestic borders and exhibit no historical usage profile. SIMs issued in the target country may also be employed, however, and these may exhibit a certain historical usage profile.
An airborne device travelling across a large area may exhibit different handover behaviour to that of a ground-based device.
3.2 Airborne Traffic Characteristics
Connected drones are likely to exhibit a distinct traffic profile. Unlike ground-based users, who show intermittent, often downlink-heavy data usage, UAVs conducting surveillance or C2 activities will sustain high uplink throughput for extended periods. The upload of video feeds—particularly using standard protocols such as RTSP or WebRTC—can generate a persistent data stream that is machine-consistent and application-specific.
When paired with telemetry control traffic, this sustained uplink profile can enable heuristic detection without deep packet inspection (DPI), which may be restricted or infeasible due to encryption.
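The sketch below is an added example, not part of the original paper. It applies the uplink-dominance heuristic to per-minute byte counters only, with no payload inspection; the session names, counter values and all four thresholds are constructed assumptions.

```python
from statistics import mean, pstdev

# Illustrative thresholds (assumptions, not values from the paper).
MIN_MINUTES = 10         # how long the pattern must persist
MIN_UL_BPS = 1_000_000   # sustained uplink floor, roughly a video stream
MIN_UL_RATIO = 0.8       # share of all bytes that are uplink
MAX_CV = 0.25            # low variation = "machine-consistent" stream

def uplink_profile(samples):
    """samples: list of (uplink_bytes, downlink_bytes) per 60 s interval."""
    ul = [u for u, _ in samples]
    total = sum(u + d for u, d in samples)
    ul_bps = [u * 8 / 60 for u in ul]
    avg = mean(ul_bps)
    return {
        "minutes": len(samples),
        "ul_ratio": sum(ul) / total if total else 0.0,
        "ul_bps": avg,
        # Coefficient of variation of the uplink rate across intervals.
        "cv": pstdev(ul_bps) / avg if avg else float("inf"),
    }

def is_sustained_uplink(samples):
    p = uplink_profile(samples)
    return (p["minutes"] >= MIN_MINUTES and p["ul_bps"] >= MIN_UL_BPS
            and p["ul_ratio"] >= MIN_UL_RATIO and p["cv"] <= MAX_CV)

# Constructed sessions: a steady video uplink, a bursty handset, a meter.
SESSIONS = {
    "video-uplink": [(15_000_000 + 200_000 * (i % 3), 300_000)
                     for i in range(12)],
    "handset": [(200_000, 4_000_000), (50_000, 20_000),
                (9_000_000, 100_000), (30_000, 12_000_000)] * 3,
    "meter": [(2_000, 1_000)] * 12,
}

def flagged(sessions=SESSIONS):
    return sorted(k for k, v in sessions.items() if is_sustained_uplink(v))

if __name__ == "__main__":
    print(flagged())
```

The handset's single large upload fails the test because its average rate and uplink share are low over the whole window, which is the point of requiring persistence rather than a peak.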
3.3 Device and SIM Profiling
Each drone modem presents a unique International Mobile Equipment Identity (IMEI), and the corresponding SIM card carries its International Mobile Subscriber Identity (IMSI). Clustering of devices with similar IMEI prefixes (indicative of shared manufacturing origin) and similar provisioning profiles can indicate a coordinated deployment.
A critical factor is the freshness of these devices in the network context. Dozens of new activations within a short period, all showing similar hardware and traffic behaviour, should be treated with elevated suspicion. While anonymised or prepaid SIMs present challenges, correlation based on movement, behaviour, and hardware identifiers may enable actionable classification.
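As an added illustration (not code from the paper), the following combines the indicators of sections 3.1 and 3.3: first-seen subscribers attaching at frontier cells, grouped by IMEI prefix and by time. Cell identifiers, IMSIs, IMEIs, the known-subscriber set and both thresholds are constructed assumptions.

```python
from collections import defaultdict

# Constructed data: cell IDs, IMSIs, IMEIs and thresholds are all assumptions.
BORDER_CELLS = {"B101", "B102", "B103"}  # cells covering the frontier
WINDOW_S = 600                           # clustering window in seconds
MIN_CLUSTER = 5                          # fresh devices sharing one TAC
KNOWN_IMSIS = {"234150000000001"}        # subscribers with prior history

# Initial-attach events: (epoch seconds, IMSI, IMEI, serving cell)
ATTACHES = [
    (1000 + 20 * i, f"99901000000{i:04d}", f"35000011{i:06d}0", f"B10{1 + i % 3}")
    for i in range(7)
] + [
    (1100, "234150000000001", "358888880000010", "B101"),  # known handset
    (1150, "999010000009999", "350000119999990", "C400"),  # interior cell
    (9000, "999010000008888", "350000118888880", "B102"),  # much later
]

def tac(imei):
    """Type Allocation Code: the first eight IMEI digits (device model)."""
    return imei[:8]

def fresh_border_clusters(events, known=KNOWN_IMSIS, cells=BORDER_CELLS):
    """Group never-seen IMSIs attaching at border cells by TAC, then find
    the largest group of attaches falling inside one WINDOW_S window."""
    by_tac = defaultdict(list)
    for ts, imsi, imei, cell in sorted(events):
        if imsi not in known and cell in cells:
            by_tac[tac(imei)].append((ts, imsi, cell))
    clusters = []
    for prefix, rows in by_tac.items():
        best, start = [], 0
        for end in range(len(rows)):
            while rows[end][0] - rows[start][0] > WINDOW_S:
                start += 1
            if end - start + 1 > len(best):
                best = rows[start:end + 1]
        if len(best) >= MIN_CLUSTER:
            clusters.append({
                "tac": prefix,
                "count": len(best),
                "cells": sorted({c for _, _, c in best}),
                "span_s": best[-1][0] - best[0][0],
            })
    return clusters
```

The number of distinct cells in a cluster is reported because a wide spread over a short span is consistent with the altitude effect described in section 3.1.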
4. Attribution and Fusion with Other Sensors
Mobile network telemetry alone is insufficient for precise spatial localisation or positive identification. However, when fused with data from other surveillance systems—such as RF direction finding, radar, or EO/IR imagery—mobile network metadata can serve as a powerful trigger for cueing and confirmation.
Real-time triangulation using tower signal strengths, combined with inference about velocity and direction, can offer an approximate track of each UAV. When integrated into a broader airspace monitoring architecture, this enables timely escalation to intercept or mitigation responses.
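A minimal sketch of the approximate tracking described above, added here as an example and not taken from the paper. It substitutes a signal-strength-weighted centroid for true triangulation, then derives speed and bearing between successive fixes; tower coordinates (a local grid in metres) and the RSRP reports are constructed.

```python
import math

# Constructed tower positions on a local grid: (metres east, metres north).
TOWERS = {"T1": (0.0, 0.0), "T2": (8000.0, 0.0), "T3": (4000.0, 6000.0)}

def weight(rsrp_dbm):
    """Convert dBm to linear milliwatts so stronger towers dominate."""
    return 10 ** (rsrp_dbm / 10)

def fix(report, towers=TOWERS):
    """report: {tower_id: RSRP in dBm}. Returns a weighted-centroid (x, y).
    This is a coarse estimate, not a multilateration solution."""
    w = {t: weight(r) for t, r in report.items() if t in towers}
    total = sum(w.values())
    if len(w) < 2 or total == 0:
        raise ValueError("need measurements from at least two known towers")
    x = sum(towers[t][0] * wt for t, wt in w.items()) / total
    y = sum(towers[t][1] * wt for t, wt in w.items()) / total
    return x, y

def track(reports):
    """reports: list of (epoch_s, {tower: rsrp}). Returns (fixes, legs),
    where each leg holds speed in m/s and bearing in degrees from north."""
    fixes = [(ts, fix(r)) for ts, r in sorted(reports, key=lambda r: r[0])]
    legs = []
    for (t0, (x0, y0)), (t1, (x1, y1)) in zip(fixes, fixes[1:]):
        if t1 == t0:
            continue  # simultaneous reports carry no velocity information
        dx, dy = x1 - x0, y1 - y0
        legs.append({
            "speed_mps": math.hypot(dx, dy) / (t1 - t0),
            "bearing_deg": math.degrees(math.atan2(dx, dy)) % 360,
        })
    return fixes, legs

# Constructed measurement reports for one device, 100 s apart.
REPORTS = [
    (0, {"T1": -90, "T2": -90, "T3": -90}),
    (100, {"T1": -100, "T2": -90, "T3": -100}),
]

if __name__ == "__main__":
    print(track(REPORTS))
```

An estimate of this kind is only good enough to cue the other sensors named in this section, which is the role the paper assigns to network metadata.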
5. Legal, Ethical, and Technical Constraints
The use of telecommunications metadata for threat detection intersects with legal frameworks governing privacy and interception. States must develop clear legal pathways and operational protocols to allow real-time or near-real-time access to relevant metadata for national security purposes.
Additionally, technical constraints such as end-to-end encryption, dynamic IP routing, and mobile VPN usage may inhibit direct traffic inspection. As such, behavioural and statistical inference must play a central role in the detection methodology.
False positives also remain a risk, particularly with growing numbers of airborne IoT devices (e.g. weather sensors, aircraft telemetry modules) that may exhibit superficially similar characteristics. Therefore, confidence scoring and multi-sensor corroboration will be critical in any practical deployment.
6. Conclusion and Future Work
The use of domestic mobile networks by adversarial drone swarms represents a significant and evolving threat. As UAVs increasingly integrate with civilian infrastructure, traditional airspace defence methods must be augmented with telecommunications-based situational awareness.
This paper has outlined a conceptual framework for detecting such threats at the network layer, grounded in known behaviours and device characteristics. While not exhaustive, the approach provides a foundation for further exploration by security practitioners, mobile operators, and defence researchers.
Future work should aim to refine detection thresholds through empirical testing, develop automated classification models using machine learning, and formalise public-private data-sharing frameworks that enable lawful and timely threat response.