This paper introduces an unsupervised approach for detecting cross-protocol anomalies in mobile core networks by fusing SS7, Diameter, and GTP signaling data. The method involves embedding serialized fused records of per-subscriber signaling activity using multiple embedding models and then identifying anomalies based on the consensus of these models. Evaluation using synthetically generated cross-protocol anomalies demonstrates that higher consensus scores are strongly correlated with anomalous records, enabling prioritization of potential inconsistencies.
Achieve near-perfect detection of synthetic cross-protocol attacks in mobile networks by combining multiple unsupervised embedding models, despite only 0.97% of records reaching full consensus.
Mobile core networks rely on several signalling protocols in parallel, such as SS7, Diameter, and GTP, so many security-relevant problems become visible only when their interactions are analyzed jointly. At the same time, labeled examples of real attacks and cross-protocol misconfigurations are scarce, which complicates supervised detection. We therefore study unsupervised cross-protocol anomaly analysis on fused representations that combine SS7, Diameter, and GTP signalling. For each subscriber, we aggregate messages into per-minute fused records, serialize each record as text, embed it with several models, and apply unsupervised anomaly detection. We then assign each record a consensus score equal to the number of embedding models that flag it as anomalous. For evaluation, we generate cross-protocol-plausible synthetic anomalies by swapping one field group at a time between pairs of records, preserving per-message validity while making the fused view contradictory. On 219,294 fused records, 44.15% are flagged by at least one model, but only 0.97% reach full agreement across all six. Higher consensus is strongly associated with synthetic records: for consensus scores k=1-4 the odds that a flagged record is synthetic are hundreds of times greater than for original records, and for k>=5 all flagged records are synthetic, with extremely small p-values. Cosine distances between synthetic and original records also increase with consensus, suggesting clearer separation in embedding space. These results support the use of multi-embedding consensus to prioritize a much smaller set of candidate cross-protocol inconsistencies for further inspection.
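The field-group swap and consensus score described above, as an added illustration that is not the paper's code. The field names, sample values, the three set-based views standing in for embedding models, the nearest-neighbour cosine-distance detector and the 0.2 threshold are all assumptions.

```python
import math

# Constructed fused records (one subscriber-minute each). Field names and
# values are assumptions; the paper's record schema is not shown on this page.
ORIGINALS = [
    {"ss7": {"op": "updateLocation", "vlr_cc": "DE"},
     "diameter": {"cmd": "ULR", "visited_plmn": "262-01"},
     "gtp": {"msg": "CreateSession", "sgsn_cc": "DE"}},
    {"ss7": {"op": "updateLocation", "vlr_cc": "BR"},
     "diameter": {"cmd": "ULR", "visited_plmn": "724-05"},
     "gtp": {"msg": "CreateSession", "sgsn_cc": "BR"}},
]

def swap_field_group(a, b, group):
    """Swap one protocol's field group between two records. Each group stays
    valid on its own; only the fused, cross-protocol view becomes contradictory."""
    return {**a, group: b[group]}, {**b, group: a[group]}

def serialize(rec):
    """Flatten a fused record to text in a stable protocol/field order."""
    return " ".join(f"{p}.{k}={v}" for p in sorted(rec)
                    for k, v in sorted(rec[p].items()))

# Stand-ins for the embedding models: three set-valued views of the text.
def tokens(text):
    return set(text.split())

def cross_pairs(text):  # pairs of fields taken from different protocols
    t = text.split()
    return {(x, y) for x in t for y in t
            if x < y and x.split(".")[0] != y.split(".")[0]}

def adjacent(text):  # neighbouring fields in serialization order
    t = text.split()
    return set(zip(t, t[1:]))

VIEWS = [tokens, cross_pairs, adjacent]

def cosine(a, b):
    return len(a & b) / math.sqrt(len(a) * len(b))

def consensus(rec, baseline, threshold=0.2):
    """Number of views whose nearest-baseline cosine distance exceeds threshold."""
    text, k = serialize(rec), 0
    for view in VIEWS:
        e = view(text)
        nearest = min(1 - cosine(e, view(serialize(b))) for b in baseline)
        k += nearest > threshold
    return k
```

Swapping the `gtp` group between the two constructed records gives a consensus of 2 out of 3: the per-field view stays under the threshold, while both views that encode field interactions flag the record.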