AI‑Driven Signaling Firewalls for SS7, Diameter, and GTP‑C: Research, Development, and Enea’s Approach

A Telecom Approach to AI-Driven Mobile Network Security

Signaling security is an area with great potential to benefit from AI and ML, if implemented with a domain-specific approach. Signaling traffic over SS7, Diameter, and GTP-C is structured, high‑volume, and highly repetitive, and it often follows patterns that repeat over time. However, it is not as simple as applying the approaches developed for enterprise IT security.

AI-based solutions in signaling security operate in an environment characterized by rapid change, where signaling firewalls must manage traffic classified as permitted, prohibited, or suspicious. While the first two categories are generally straightforward to identify through rule-based methods, the third category often results in false positives unless meticulous tuning, thorough analysis, and continuous monitoring are implemented.

Enea’s Approach to AI in the Adaptive Signaling Firewall

Enea’s strategy for integrating AI into the Adaptive Signaling Firewall is to enhance its functionality and accuracy by adding a layer on top of the already robust and proven rule-based, intelligence-driven foundation. The research we have been conducting over several years has been guided by these principles:

  • Invest in thorough research to identify advanced, domain-specific features. This requires domain expertise and experience with real-world signaling security deployments. It also requires insights and deep knowledge of how threat actors behave and how they try to bypass current defenses, not only knowledge of guidelines such as GSMA’s recommendations.
  • Go beyond conventional detection rules to identify more malicious signaling traffic. AI washing does not serve any beneficial purpose. Numerous filters within signaling firewalls are more effectively implemented as rules, which provide predictability and consistency and generally consume fewer resources. For instance, using GSMA Category 1, 2, and 3 traffic rule hits as training data will only teach the AI model to recognize the same traffic that the considerably simpler rules already detect. Any AI implementation must distinctly enhance the signaling firewall’s filtering outcomes in ways rules cannot.
  • Ensure a low false positive rate for reliable results. False positives may, in the worst case, block legitimate calls, messages, and data traffic, which is unacceptable. Generic models risk producing a high rate of false positives, as they do not account for the specific and occasionally volatile characteristics of mobile network signaling.
  • Provide outcomes that are transparent, explainable, and verifiable even by non-experts. Mobile network operators need transparency for several reasons including regulatory compliance and long-term reliability. Non-black-box models let engineers and fraud analysts validate whether the AI detected a real threat and tune or retrain the model, which reduces false positives and operational friction. Many operators lack in-house signaling security expertise, which means non-experts need to be able to understand the output from a signaling firewall AI. Security is a concern not only for the experts, but for the entire organization and external stakeholders. The output of any AI solution must also be understandable by this larger group.

Key Areas of Enea’s AI-Enhanced Signaling Security

Enea has been researching AI for use in the signaling firewall for several years. We have invested significant time and effort in identifying which features are relevant and how to apply them to an AI model to improve the Adaptive Signaling Firewall’s accuracy.

Our research has yielded several AI-driven algorithms that improve the Adaptive Signaling Firewall’s functions. These algorithms identify anomalies in signaling traffic by learning typical patterns and analyzing various factors such as:

  • Traffic sources
  • Activities and behavior
  • Traffic formats and values
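
The following sketch is an added illustration of learning typical per-source patterns and reporting deviations in plain language; it is not Enea's algorithm or code. The record layout, the global titles, and the thresholds `k` and `min_std` are assumptions, and the sample history is constructed.

```python
from collections import defaultdict
from statistics import mean, pstdev

# Constructed sample: (time window, source global title, MAP operation).
HISTORY = (
    [(w, "gt-partner-a", "updateLocation") for w in range(6) for _ in range(10 + w % 3)]
    + [(w, "gt-partner-a", "sendAuthenticationInfo") for w in range(6) for _ in range(5)]
    + [(w, "gt-partner-b", "sendRoutingInfoForSM") for w in range(6) for _ in range(20)]
)

def learn(history):
    """Build a per-source baseline: operations seen and per-window volume stats."""
    ops, per_window = defaultdict(set), defaultdict(lambda: defaultdict(int))
    for window, src, op in history:
        ops[src].add(op)
        per_window[src][window] += 1
    return {
        src: {"ops": ops[src],
              "mean": mean(per_window[src].values()),
              "std": pstdev(per_window[src].values())}
        for src in ops
    }

def explain(baseline, src, window_msgs, k=3.0, min_std=1.0):
    """Return human-readable reasons why one window of traffic from src is unusual.

    An empty list means the window matches the learned behaviour. min_std is a
    floor (an assumed tuning value) so a perfectly steady source does not alert
    on a single extra message.
    """
    if src not in baseline:
        return [f"source {src} has no learned baseline"]
    b, reasons = baseline[src], []
    for op in sorted(set(window_msgs) - b["ops"]):
        reasons.append(f"operation {op} never seen from {src} during learning")
    limit = b["mean"] + k * max(b["std"], min_std)
    if len(window_msgs) > limit:
        reasons.append(f"volume {len(window_msgs)} exceeds learned limit {limit:.1f}")
    return reasons
```

Each reason names the source, the observed value, and the learned limit it was compared against, so an analyst can check a detection without inspecting the model.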

Background: Foundations for Applying AI to Signaling Firewalls

Signaling security differs significantly from enterprise security. The approaches used to protect enterprise or home networks cannot be directly applied to securing the signaling plane of mobile networks. Any AI integrated into a signaling firewall must be highly specialized for this domain.

Most AI approaches in cybersecurity build on decades of research in IT security, which has produced a rich body of work on how to extract and interpret meaningful features from network traffic, such as packet sizes, flow durations, connection patterns, IP addresses, port numbers, protocol types, DNS queries, and HTTP metadata. This established foundation allows ML models to leverage well‑understood behavioral baselines to detect anomalies, classify threats, and prioritize alerts with relatively high confidence. In contrast, signaling security lacks the same depth of foundational research: the domain is narrower, historically more proprietary, and less exposed to open‑source modeling and benchmark datasets, so there are fewer standardized feature sets, fewer published large‑scale behavioral studies, and fewer pre‑validated models. As a result, while AI‑driven NDR and endpoint security can lean heavily on established telemetry conventions and feature‑engineering playbooks, AI in signaling security must start from scratch before it can match the maturity and robustness seen in broader IT‑security AI applications.

Learn More

Get in touch with our experts and account teams to learn more about Enea’s initiative in telecom-specific AI for signaling firewalls and how it enhances our intelligence-driven approach to signaling security.