System Overview

The LTE S1 Analyser ingests mirrored S1AP signalling from mobile network operators or from simulated sources and decodes it into a common schema. Events are enriched with cell and TAC topology, operator metadata, time and geographic context, and derived handover semantics, enabling a consistent foundation for analysis across multiple feeds and operators.

S1AP signalling is mirrored or captured from a mobile network operator's S1-MME interface.

In an LTE network, a user’s device (known as User Equipment or UE) connects wirelessly to a nearby mobile base station called an eNodeB using the LTE-Uu radio interface. The eNodeB manages the radio connection and forwards signalling information to the Mobility Management Entity (MME), which handles tasks such as checking if the user is authorised to access the network and managing mobility as the user moves. Meanwhile, the user’s data traffic—such as browsing or streaming—is routed through the Serving Gateway (S-GW), which directs the data towards the internet or other services. This system allows users to stay connected while on the move, with smooth handovers between cells and consistent access to mobile broadband.

From this stream, the system builds per‑device sessions and timelines, reconstructing mobility paths and handover graphs in near real time. It engineers features that capture movement (speed, acceleration, path linearity, stop/run cadence) and network behaviour (attach and TAU cadence, RRC/DRB transitions, bearer usage).
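One way to derive the movement features named above (speed, acceleration, path linearity, stop/run cadence) from a per-device timeline is sketched below. This is an added example, not code from the analyser itself. It assumes each event already carries serving-cell centroid coordinates from topology enrichment; `CellEvent`, `movement_features`, the 1 m/s stop threshold and all coordinates are hypothetical.

```python
import math
from dataclasses import dataclass

@dataclass
class CellEvent:              # hypothetical enriched S1AP event for one pseudonymised UE
    t: float                  # seconds since timeline start
    lat: float                # serving-cell centroid (assumed to come from topology enrichment)
    lon: float

def haversine_m(a, b):
    """Great-circle distance in metres between two cell centroids."""
    p1, p2 = math.radians(a.lat), math.radians(b.lat)
    dlmb = math.radians(b.lon - a.lon)
    h = math.sin((p2 - p1) / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dlmb / 2) ** 2
    return 2 * 6371000.0 * math.asin(math.sqrt(h))

def movement_features(events, stop_speed=1.0):
    """Speed, acceleration, path linearity and stop fraction for one timeline."""
    events = sorted(events, key=lambda e: e.t)
    speeds, path = [], 0.0
    for prev, cur in zip(events, events[1:]):
        dt = cur.t - prev.t
        if dt <= 0:           # duplicate timestamps: skip rather than divide by zero
            continue
        d = haversine_m(prev, cur)
        path += d
        speeds.append((cur.t, d / dt))
    if not speeds:
        return None           # fewer than two usable events: no movement to describe
    vals = [v for _, v in speeds]
    accels = [abs(v2 - v1) / (t2 - t1) for (t1, v1), (t2, v2) in zip(speeds, speeds[1:])]
    net = haversine_m(events[0], events[-1])
    return {
        "mean_speed_mps": path / (events[-1].t - events[0].t),
        "max_speed_mps": max(vals),
        "max_abs_accel_mps2": max(accels, default=0.0),
        # 1.0 = straight line; near 0 = the device ends where it started
        "path_linearity": net / path if path > 0 else 0.0,
        "stop_fraction": sum(v < stop_speed for v in vals) / len(vals),
    }

# Constructed timelines (coordinates are made up).
STRAIGHT = [CellEvent(60 * i, 51.50 + 0.01 * i, -0.10) for i in range(4)]
# Handover ping-pong between two neighbouring cells, every 10 s.
PING_PONG = [CellEvent(10 * i, 51.50, -0.10 + 0.01 * (i % 2)) for i in range(5)]

if __name__ == "__main__":
    for name, tl in (("straight", STRAIGHT), ("ping-pong", PING_PONG)):
        print(name, movement_features(tl))
```

The ping-pong timeline shows why speed alone is a poor signal at cell granularity: a stationary device bouncing between two neighbouring cells appears to travel at about 69 m/s, and only its path linearity of 0 separates it from genuine fast movement.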

Using learned baselines by geography, time‑of‑day, and operator, the analyser applies anomaly detection and supporting rules to score events, trajectories, and entities. Correlation logic clusters related anomalies into coherent entities or missions (for example, a drone flight), assigning confidence and severity while suppressing noise, so that operators see high‑value signals rather than raw event floods.

Results surface as real‑time alerts and investigative views with evidence, including timelines, maps, and extracted features. The system supports triage, replay, and export to external systems via webhooks, SAPIENT or SIEM connectors, and can incorporate feedback for ongoing model refinement. Data handling includes pseudonymisation and retention controls, and the platform can be deployed in cloud or on‑prem environments with horizontal scaling, resilient failover, and backlog processing to match operator feed volumes.