Beyond Static Thresholds: Adaptive RRC Signaling Storm Detection with Extreme Value Theory
Dang Kien Nguyen, Rim El Malki, Filippo Rebecchi, Raymond Knopp, Melek Önen
TL;DR
The work tackles RRC signaling storms in 5G+ networks by introducing an adaptive threshold detector based on Extreme Value Theory, tailored to differentiate malicious floods from legitimate high-load periods. It uses two EVT-derived thresholds on RRC features, namely the number of Msg3s $\#Msg3$ and the ratio $R1=\frac{\#Msg5}{\#Msg3}$, with a second-stage differentiator using $R2=\frac{N_{BUE}}{N_{max}}$ to separate attacks from high-load. The detector is validated on real operator traces and synthetic abnormal data generated from a validated theoretical model, achieving over 93% accuracy, precision, and recall in diverse scenarios, and approximately 2.7 seconds average detection latency. Compared to Gaussian baselines, the EVT approach better captures tail behavior, reducing false positives in dynamic traffic. The results support practical deployment for rapid mitigation while maintaining legitimate service during emergencies, and point to future work on automated mitigation strategies.
Abstract
In 5G and beyond networks, the radio communication between a User Equipment (UE) and a base station (gNodeB or gNB), also known as the air interface, is a critical component of network access and connectivity. During the connection establishment procedure, the Radio Resource Control (RRC) layer can be vulnerable to signaling storms, which threaten the availability of the radio access control plane. These attacks may occur when one or more UEs send a large number of connection requests to the gNB, preventing new UEs from establishing connections. In this paper, we investigate the detection of such threats and propose an adaptive threshold-based detection system based on Extreme Value Theory (EVT). The proposed solution is evaluated numerically by applying simulated attack scenarios based on a realistic threat model on top of real-world RRC traffic data from an operator network. We show that, by leveraging features from the RRC layer only, the detection system can not only identify the attacks but also differentiate them from legitimate high-traffic situations. The adaptive threshold calculated using EVT ensures that the system can work under diverse traffic conditions. The results show high accuracy, precision, and recall values (above 93%), and a low detection latency even under complex conditions.
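The contrast between an EVT-derived threshold and a Gaussian baseline, mentioned in the TL;DR and abstract above, is shown here as an added example that is not code from the paper or its authors. It assumes the peaks-over-threshold form of EVT with a generalized Pareto fit by method of moments (the page does not say which estimator the paper uses), applied to a single feature standing in for per-window #Msg3 counts. The function names, the risk level `q` and the lognormal sample data are constructed for illustration.

```python
import math
import random
from statistics import NormalDist, mean, pstdev, pvariance

def evt_threshold(counts, q=1e-3, init_quantile=0.98):
    """Peaks-over-threshold: fit a GPD to excesses over a high empirical
    quantile t, then extrapolate to the level exceeded with probability q."""
    data = sorted(counts)
    t = data[int(init_quantile * len(data))]
    excesses = [x - t for x in data if x > t]
    m, v = mean(excesses), pvariance(excesses)
    # Method-of-moments GPD estimates (valid for shape < 0.5).
    shape = 0.5 * (1.0 - m * m / v)
    scale = 0.5 * m * (m * m / v + 1.0)
    r = q * len(data) / len(excesses)   # target risk relative to tail mass
    if abs(shape) < 1e-9:               # exponential-tail limit
        return t - scale * math.log(r)
    return t + (scale / shape) * (r ** -shape - 1.0)

def gaussian_threshold(counts, q=1e-3):
    """Baseline: mean + z*sigma with z chosen for the same tail risk q."""
    return mean(counts) + NormalDist().inv_cdf(1.0 - q) * pstdev(counts)

def false_positive_rate(threshold, benign_counts):
    """Fraction of benign windows that would raise an alarm."""
    return sum(c > threshold for c in benign_counts) / len(benign_counts)

def make_benign_windows(n, seed):
    """Constructed stand-in for per-window #Msg3 counts: right-skewed,
    with occasional legitimate bursts. Not operator data."""
    rng = random.Random(seed)
    return [rng.lognormvariate(3.0, 0.6) for _ in range(n)]

def compare(q=1e-3):
    """Fit both thresholds on one benign sample, score them on another."""
    train = make_benign_windows(20000, seed=1)
    held_out = make_benign_windows(20000, seed=2)
    evt, gauss = evt_threshold(train, q), gaussian_threshold(train, q)
    return {
        "evt_threshold": evt,
        "gaussian_threshold": gauss,
        "evt_fpr": false_positive_rate(evt, held_out),
        "gaussian_fpr": false_positive_rate(gauss, held_out),
    }

if __name__ == "__main__":
    for name, value in compare().items():
        print(f"{name}: {value:.4f}")
```

Both thresholds target the same tail risk `q`; on right-skewed benign traffic the Gaussian one sits too low and alarms on legitimate bursts, while the tail fit places the threshold near the intended quantile.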
