Beyond Static Thresholds: Adaptive RRC Signaling Storm Detection with Extreme Value Theory

In 5G and beyond networks, the radio communication between a User Equipment (UE) and a base station (gNodeB or gNB), also known as the air interface, is a critical component of network access and connectivity. During the connection establishment procedure, the Radio Resource Control (RRC) layer can be vulnerable to signaling storms, which threaten the availability of the radio access control plane. These attacks may occur when one or more UEs send a large number of connection requests to the gNB, preventing new UEs from establishing connections. In this paper, we investigate the detection of such threats and propose an adaptive threshold-based detection system based on Extreme Value Theory (EVT). The proposed solution is evaluated numerically by applying simulated attack scenarios based on a realistic threat model on top of real-world RRC traffic data from an operator network. We show that, by leveraging features from the RRC layer only, the detection system can not only identify the attacks but also differentiate them from legitimate high-traffic situations. The adaptive threshold calculated using EVT ensures that the system can work under diverse traffic conditions. The results show high accuracy, precision, and recall values (above 93%), and a low detection latency even under complex conditions.