EP4289089A1 - Premier noeud, second noeud, système de communications et procédés effectués par ceux-ci pour gérer la sécurité dans un système de communications - Google Patents

Premier noeud, second noeud, système de communications et procédés effectués par ceux-ci pour gérer la sécurité dans un système de communications

Info

Publication number
EP4289089A1
EP4289089A1 EP21720779.4A EP21720779A EP4289089A1 EP 4289089 A1 EP4289089 A1 EP 4289089A1 EP 21720779 A EP21720779 A EP 21720779A EP 4289089 A1 EP4289089 A1 EP 4289089A1
Authority
EP
European Patent Office
Prior art keywords
node
session
message
information
communications system
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Pending
Application number
EP21720779.4A
Other languages
German (de)
English (en)
Inventor
Miguel Angel MUÑOZ DE LA TORRE ALONSO
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Telefonaktiebolaget LM Ericsson AB
Original Assignee
Telefonaktiebolaget LM Ericsson AB
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Telefonaktiebolaget LM Ericsson AB filed Critical Telefonaktiebolaget LM Ericsson AB
Publication of EP4289089A1 publication Critical patent/EP4289089A1/fr
Pending legal-status Critical Current

Links

Classifications

    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04WWIRELESS COMMUNICATION NETWORKS
    • H04W12/00Security arrangements; Authentication; Protecting privacy or anonymity
    • H04W12/12Detection or prevention of fraud
    • H04W12/121Wireless intrusion detection systems [WIDS]; Wireless intrusion prevention systems [WIPS]
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/14Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1408Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/14Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1408Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
    • H04L63/1416Event detection, e.g. attack signature detection
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/14Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1441Countermeasures against malicious traffic
    • H04L63/1458Denial of Service
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L2463/00Additional details relating to network architectures or network communication protocols for network security covered by H04L63/00
    • H04L2463/121Timestamp

Definitions

  • the present disclosure relates generally to a first node and methods performed thereby for handling security in a communications system.
  • the present disclosure also relates generally to a second node, and methods performed thereby for security in the communications system.
  • the present disclosure further relates generally to a communications system and methods performed thereby for handling security in the communications system.
  • the present disclosure also relates generally to computer programs and computer-readable storage mediums, having stored thereon the computer programs to carry out these methods.
  • Computer systems in a communications network may comprise one or more network nodes.
  • a node may comprise one or more processors which, together with computer program code may perform different functions and actions, a memory, a receiving port and a sending port.
  • a node may be, for example, a server. Nodes may perform their functions entirely on the cloud.
  • the standardization organization 3GPP is currently in the process of specifying a New Radio Interface called NR or 5G-UTRA, as well as a Fifth Generation (5G) Packet Core Network, which may be referred to as 5G Core Network, abbreviated as 5GC.
  • 5G Core Network 5G Core Network
  • a 3GPP system comprising a 5G Access Network (AN), a 5G Core Network and a UE may be referred to as a 5G system.
  • AN 5G Access Network
  • 5G Core Network 5G Core Network
  • FIG. 1 is a schematic diagram depicting a particular example of a 5G architecture of policy and charging control framework, which may be used as a reference for the present disclosure.
  • a Network Data Analytics Function (NWDAF) 1 may be understood to represent an operator managed network analytics logical function.
  • the NWDAF 1 may be understood to be part of the 5GC architecture and may use the mechanisms and interfaces specified for 5GC and Operations, Administration and Maintenance (OAM).
  • OAM Operations, Administration and Maintenance
  • the NWDAF 1 may interact with different entities for different purposes, such as: a) data collection based on event subscription, provided by an Access and Mobility Function (AMF) 2, a Session Management Function (SMF) 3, a Policy Control Function (PCF) 4, a Unified Data Management (UDM), an Application Function (AF) 5, directly or via Network Exposure Function (NEF) 6, and an OAM; b) retrieval of information from data repositories, e.g., a Unified Data Repository (UDR) 7 via the UDM for subscriber-related information; c) retrieval of information about Network Functions (NFs), e.g., Network Repository Function (NRF) for NF-related information, and Network Slice Selection
  • NFs Network Functions
  • NRF Network Repository Function
  • NSF Slice-related Information
  • the UDR 7 may store data grouped into distinct collections of subscription-related information such as: subscription data, policy data; structured data for exposure; and application data.
  • the PCF 4 may support a unified policy framework to govern the network behavior. Specifically, the PCF may provide Policy and Charging Control (PCC) rules to the Policy and Charging Enforcement Function (PCEF), that is, the SMF 3/llser Plane function (UPF) 8 that may enforce policy and charging decisions according to provisioned PCC rules.
  • PCC Policy and Charging Control
  • PCEF Policy and Charging Enforcement Function
  • UPF SMF 3/llser Plane function
  • the SMF 3 may support different functionalities, e.g., the SMF 3 may receive PCC rules from the PCF 4 and may configure the UPF 8 accordingly
  • the UPF 8 may support handling of user plane (UP) traffic based on the rules received from the SMF 3, e.g., packet inspection and different enforcement actions such as Quality of Service (QoS) handling.
  • UP user plane
  • QoS Quality of Service
  • a Charging Function (CHF) 9.
  • Each of the UDR 7, the NEF 6, the NWDAF 1 , the AF 5, the PCF 4, the CHF 9, the AMF 2, and the SMF 3 may have an interface through which they may be accessed, which as depicted in the Figure, may be, respectively: Nudr 10, Nnef 11 , Nnwdaf 12, Naf 13, Npcf 14, Nchf 15, Namf 16, Nsmf 17.
  • the UPF 8 may have an interface N4 18 with the SMF 3.
  • the communications network may cover a geographical area which may be divided into cell areas, each cell area being served by another type of node, a network node in the Radio Access Network (RAN) 7, radio network node or Transmission Point (TP), for example, an access node such as a Base Station (BS), e.g. a Radio Base Station (RBS), which sometimes may be referred to as e.g., evolved Node B (“eNB”), “eNodeB”, “NodeB”, “B node”, or Base Transceiver Station (BTS), depending on the technology and terminology used.
  • BS Base Station
  • RBS Radio Base Station
  • eNB evolved Node B
  • eNodeB evolved Node B
  • BTS Base Transceiver Station
  • the base stations may be of different classes such as e.g. Wide Area Base Stations, Medium Range Base Stations, Local Area Base Stations and Home Base Stations, based on transmission power and thereby also cell size.
  • a cell is the geographical area where radio coverage is provided by the base station at a base station site.
  • One base station, situated on the base station site, may serve one or several cells. Further, each base station may support one or several communication technologies.
  • the telecommunications network may also be a non- cellular system, comprising network nodes which may serve receiving nodes, such as user equipments, with serving beams.
  • DoS attack may be understood as a cyber-attack where the perpetrator may seek to make a machine or network resource unavailable to its intended users by temporarily or indefinitely disrupting services of a host connected to the internet.
  • Denial of service may be typically accomplished by flooding the targeted machine or resource with superfluous requests to overload systems and to prevent some or all legitimate requests from being fulfilled.
  • DDoS attacks There may be different types of DDoS attacks: a) volume-based attacks, which may use high traffic to inundate the network bandwidth, b) protocol attacks, which may focus on exploiting server resources, and c) application attacks, which may focus on web applications and may be considered the most sophisticated and serious type of attacks.
  • DDoS attacks may be: SYN flood, User Datagram Protocol (UDP) flood, HTTP flood, Ping of death, Smurf attack, Fraggle attack, Slowloris, Network Time Protocol (NTP) amplification, Advanced Persistent DoS, Zero-day DDoS attacks, etc.
  • UDP User Datagram Protocol
  • HTTP flood HTTP flood
  • Ping of death Smurf attack
  • Fraggle attack Fraggle attack
  • Slowloris Slowloris
  • NTP Network Time Protocol
  • Advanced Persistent DoS Zero-day DDoS attacks, etc.
  • DoS active attacks different from DoS
  • spoofing such as volume based: spoofing, UDP -Domain Name Security (DNS)-, Internet Control Message Protocol (ICMP), reflection amplification
  • DNS UDP -Domain Name Security
  • ICMP Internet Control Message Protocol
  • ARP Address Resolution Protocol
  • Ping flood Ping flood
  • Ping of death Smurf attack
  • host such as Buffer overflow, Heap overflow, Stack overflow, and Format string attack.
  • HTTP Hypertext Transport Protocol
  • HTTPS Hypertext Transport Protocol Secure
  • TLS Transport Layer Security
  • QUIC Quick User Datagram Protocol Internet Connection
  • QUIC may be understood as a UDP-based, stream-multiplexing, encrypted transport protocol.
  • QUIC may be understood as basically a UDP based replacement for Transmission Control Protocol (TCP).
  • TCP Transmission Control Protocol
  • QUIC is now under the final steps of standardization at IETF and may rely on TLS 1.3. Network operators are challenged due to the exponential increase of connected devices, both mobile broadband and loT devices, which implies much higher probability of security vulnerabilities and threats, for example, according the types of security attacks just described.
  • gateways may provide some basic security functions, such as DDoS detection. However, those security functions are performed locally, under static configuration, and not dynamically, with better efficiency.
  • traffic encryption is a growing trend. DNS traffic today is starting to be encrypted, e.g., DNS over HTTPS (DoH), DNS over TLS (DoT). In the future, it is expected that most DNS traffic will be encrypted. Moreover, most applications today are encrypted, based on HTTPS/TLS or QUIC. In the future, it is foreseen that most applications will be based on QUIC. Furthermore, it is expected that the TLS/QUIC Server Name Indication (SNI) field will also be encrypted.
  • SNI TLS/QUIC Server Name Indication
  • the object is achieved by a computer- implemented method, performed by a first node.
  • the method is for handling security in a communications system.
  • the first node operates in the communications system.
  • the first node receives, from another node operating in the communications system, a first message.
  • the first message requests a subscription to receive at least one indication indicating a security attack of a first type in the communications system of at least one of a first indication and a second indication.
  • the first indication is of one or more applications that are a target or a source of the security attack of the first type in the communications system.
  • the second indication is of one or more devices operating in the communications system that are a target or a source of the security attack of the first type in the communications system.
  • the first node then initiates instructing, based on the received first message, at least one of: the one or more additional nodes operating in the communications system and the first device of the one or more devices, to monitor information indicative of the security attack of the first type.
  • the first node then initiates sending, with the proviso that the security attack is detected based on the monitored information, another message to the another node.
  • the another message comprises the requested at least one of the first indication and the second indication, based on the requested subscription.
  • the object is achieved by a computer-implemented method, performed by a second node.
  • the method is for handling security in the communications system.
  • the second node operates in the communications system.
  • the second node receives an instruction from the first node operating in the communications network to monitor the information indicative of the security attack of the first type, by receiving the second message from the first node.
  • the second message requests first information, of the information indicative of the security attack of the first type.
  • the first information indicates the traffic indicators for one or more devices operating in the communications system that are the target or the source of the security attack of the first type in the communications system.
  • the second node sends the requested first information to the first node, in the first additional message.
  • the object is achieved by a computer- implemented method, performed by a communications system.
  • the method is for handling security in the communications system.
  • the communications system comprises the first node and the one or more additional nodes.
  • the method comprises receiving, by the first node, from the another node operating in the communications system, the first message.
  • the first message requests the subscription to receive at least one indication indicating a security attack of the first type in the communications system of at least one of: the first indication and the second indication.
  • the first indication is of the one or more applications that are the target or the source of the security attack of the first type in the communications system.
  • the second indication is of the one or more devices operating in the communications system 100 that are the target or the source of the security attack of the first type in the communications system.
  • the method also comprises initiating instructing, by the first node and based on the received first message, at least one of: the one or more additional nodes and the first device of the one or more devices, to monitor the information indicative of the security attack of the first type.
  • the method further comprises receiving, by the second node of the one or more additional nodes, the instruction from the first node to monitor information indicative of the security attack of the first type, by receiving the second message from the first node.
  • the second message requests the first information, of the information indicative of the security attack of the first type.
  • the first information indicates the traffic indicators for the one or more devices operating in the communications system that are the target or the source of the security attack of the first type in the communications system.
  • the method also comprises sending, by the second node 112 the requested first information to the first node, in the first additional message.
  • the method further comprises initiating sending, by the first node, with the proviso that the security attack is detected based on the monitored information, the another message to the another node.
  • the another message comprises the requested at least one of the first indication and the second indication, based on the requested subscription.
  • the object is achieved by the first node, for handling security in the communications system.
  • the first node is configured to operate in the communications system.
  • the first node is further configured to receive, from the another node configured to operate in the communications system, the first message.
  • the first message is configured to request the subscription to receive the at least one indication configured to indicate the security attack of the first type in the communications system of at least one of: the first indication and the second indication.
  • the first indication is of the one or more applications that are the target or the source of the security attack of the first type in the communications system.
  • the second indication is of the one or more devices configured to operate in the communications system that are the target or the source of the security attack of the first type in the communications system.
  • the first node is also configured to initiate instructing, based on the first message configured to be received, at least one of: the one or more additional nodes configured to operate in the communications system and the first device of the one or more devices, to monitor the information indicative of the security attack of the first type.
  • the first node is further configured to initiate sending, with the proviso that the security attack is detected based on the information configured to be monitored, the another message to the another node.
  • the another message is configured to comprise the at least one of the first indication and the second indication configured to be requested, based on the subscription configured to be requested.
  • the object is achieved by the second node, for handling security in the communications system.
  • the second node is configured to operate in the communications system.
  • the second node is further configured to receive the instruction from the first node configured to operate in the communications network to monitor the information indicative of the security attack of the first type, by receiving the second message from the first node.
  • the second message is configured to request the first information, of the information indicative of the security attack of the first type.
  • the first information is configured to indicate the traffic indicators for the one or more devices configured to operate in the communications system that are the target or the source of the security attack of the first type in the communications system.
  • the second node is also configured to send the first information configured to be requested to the first node, in the first additional message.
  • the object is achieved by the communications system, for handling security in the communications system.
  • the communications system is configured to comprise the first node and the one or more additional nodes.
  • the communications system is further configured to receive, by the first node, from the another node configured to operate in the communications system, the first message.
  • the first message is configured to request the subscription to receive the at least one indication configured to indicate the security attack of the first type in the communications system of the at least one of: the first indication and the second indication.
  • the first indication is of the one or more applications that are the target or the source of the security attack of the first type in the communications system.
  • the second indication is of the one or more devices configured to operate in the communications system that are the target or the source of the security attack of the first type in the communications system.
  • the communications system is also configured to initiate instructing , by the first node and based on the first message configured to be received, at least one of: the one or more additional nodes configured to operate in the communications system and the first device of the one or more devices, to monitor the information indicative of the security attack of the first type.
  • the communications system is further configured to receive, the second node of the one or more additional nodes, the instruction from the first node to monitor the information indicative of the security attack of the first type, by receiving the second message from the first node.
  • the second message is configured to request the first information, of the information indicative of the security attack of the first type.
  • the first information is configured to indicate the traffic indicators for the one or more devices configured to operate in the communications system that are the target or the source of the security attack of the first type in the communications system.
  • the communications system is also configured to send, by the second node, the first information configured to be requested to the first node, in the first additional message.
  • the communications system is further configured to initiate sending, by the first node, with the proviso that the security attack is detected based on the information configured to be monitored, the another message to the another node.
  • the another message is configured to comprise the at least one of the first indication and the second indication configured to be requested, based on the subscription configured to be requested.
  • the object is achieved by a computer program, comprising instructions which, when executed on at least one processor, cause the at least one processor to carry out the method performed by the first node.
  • the object is achieved by a computer-readable storage medium, having stored thereon the computer program, comprising instructions which, when executed on at least one processor, cause the at least one processor to carry out the method performed by the first node.
  • the object is achieved by a computer program, comprising instructions which, when executed on at least one processor, cause the at least one processor to carry out the method performed by the second node.
  • the object is achieved by a computer-readable storage medium, having stored thereon the computer program, comprising instructions which, when executed on at least one processor, cause the at least one processor to carry out the method performed by the second node.
  • the first node may be enabled to know which entity may need to be monitored in the communications system as being a potential source or target of a security attack, and for which purpose, namely, which kind of security attack. The first node may then be enabled to initiate prevention of the security attack from happening, or its management once it may have been initiated.
  • the first node may trigger data collection from the entities in the communications network which may be able to provide information on the one or more applications and/or the one or more devices that may be the target or the source of the security attack of the first type, so that after receiving the information, the first node may be enabled to perform an analysis of the information and determine if an attack may be underway, or may have happened.
  • the second node by receiving the second message, may be enabled start monitoring the requested first information, and when appropriate, e.g., on-demand, when a condition is met, or periodically, send the collected first information to the first node, thereby enabling the first node to analyze the information and determine whether or not the attack has taken place, and by whom, so that actions to mitigate such an attack may be taken.
  • the first node may then enable the another node to be notified about any security attack that may be underway, or may have happened in the communications system, and thereby enable the another node to take appropriate measures to stop the attack and mitigate any adverse effects the attack may have on the operation of the communications system and/or its components.
  • the capacity of the communications system may therefore by improved and the latency may be reduced.
  • Figure 1 is a schematic diagram illustrating a non-limiting example of a 5G Network
  • Figure 2 is a schematic diagram illustrating a non-limiting example of a communications system, according to embodiments herein.
  • Figure 3 is a flowchart depicting embodiments of a method in a first node, according to embodiments herein.
  • Figure 4 is a flowchart depicting embodiments of a method in a second node, according to embodiments herein.
  • FIG. 5 is a flowchart depicting embodiments of a method in a communications system, according to embodiments herein.
  • Figure 6 is a schematic diagram depicting a non-limiting example of signalling between nodes in a communications system, according to embodiments herein.
  • Figure 7 is a schematic diagram depicting a continuation of Figure 6.
  • Figure 8 is a schematic diagram depicting a continuation of Figure 7.
  • Figure 9 is a schematic block diagram illustrating two non-limiting examples, a) and b), of a first node, according to embodiments herein.
  • Figure 10 is a schematic block diagram illustrating two non-limiting examples, a) and b), of a second node, according to embodiments herein.
  • Figure 11 is a schematic block diagram illustrating two non-limiting examples, a) and b), of a communications system, according to embodiments herein.
  • Embodiments herein may therefore be understood to relate in general to security related attack prevention based on Analytics in 5G networks.
  • Embodiments herein may be understood to solve the above problems with the existing solutions and may be understood to be based on the definition of a new type of analytic relative to security related attacks.
  • Particular embodiments herein may specifically address this problem when traffic may be encrypted.
  • FIG. 2 depicts two non-limiting examples, in panels “a” and “b”, respectively, of a communications system 100, in which embodiments herein may be implemented.
  • the communications system 100 may be a computer network.
  • the communications system 100 may be implemented in a telecommunications system, sometimes also referred to as a telecommunications network, cellular radio system, cellular network or wireless communications system.
  • the telecommunications system may comprise network nodes which may serve receiving nodes, such as wireless devices, with serving beams.
  • the telecommunications system may for example be a network such as 5G system, or a newer system supporting similar functionality.
  • the telecommunications system may also support other technologies, such as a Long-Term Evolution (LTE) network, e.g.
  • LTE Long-Term Evolution
  • LTE Frequency Division Duplex (FDD), LTE Time Division Duplex (TDD), LTE Half-Duplex Frequency Division Duplex (HD-FDD), LTE operating in an unlicensed band, Wideband Code Division Multiple Access (WCDMA), Universal Terrestrial Radio Access (UTRA) TDD, Global System for Mobile communications (GSM) network, GSM/Enhanced Data Rate for GSM Evolution (EDGE) Radio Access Network (GERAN) network, Ultra-Mobile Broadband (UMB), EDGE network, network comprising of any combination of Radio Access Technologies (RATs) such as e.g.
  • RATs Radio Access Technologies
  • the telecommunications system may for example support a Low Power Wide Area Network (LPWAN).
  • LPWAN technologies may comprise Long Range physical layer protocol (LoRa), Haystack, SigFox, LTE-M, and Narrow-Band loT (NB-loT).
  • the communications system 100 may comprise a plurality of nodes, whereof a first node 111, one or more additional nodes 112, 113 are depicted in Figure 2.
  • the one or more additional nodes 112, 113 may comprise a second node 112, and a third node 113.
  • the communications system 100 may also comprise a fourth node 114, and comprises another node 115, also referred to herein as a fifth node 115, which are also depicted in Figure 2.
  • a fourth node 114 comprises another node 115, also referred to herein as a fifth node 115, which are also depicted in Figure 2.
  • Any of the first node 111 , the second node 112, the third node 113, the fourth node 114 and the fifth node 115 may be understood, respectively, as a first computer system, a second computer system, and a third computer system.
  • any of the first node 111 , the second node 112, the third node 113, the fourth node 114 and the fifth node 115 may be implemented as a standalone server in e.g., a host computer in the cloud 116.
  • any of the first node 111 , the second node 112, the third node 113, the fourth node 114 and the fifth node 115 may in some examples be a distributed node or distributed server, with some of their respective functions being implemented locally, e.g., by a client manager, and some of its functions implemented in the cloud 116, by e.g., a server manager. Yet in other examples, any of the first node 111 , the second node 112, the third node 113, the fourth node 114 and the fifth node 115 may also be implemented as processing resources in a server farm.
  • any of the first node 111 , the second node 112, the third node 113, the fourth node 114 and the fifth node 115 may be independent and separated nodes. In other embodiments, any of the first node 111 , the second node 112, the third node 113, the fourth node 114 and the fifth node 115 may be co-located or be the same node. In a particular nonlimiting example, the first node 111, e.g., a NWDAF, may either be a central node or may be co-located with the second node 112, e.g., a UPF. All the possible combinations are not depicted in Figure 2 to simplify the Figure. It may be understood that the communications system 100 may comprise more nodes than those represented in Figure 2.
  • the first node 111 may be a node having a capability to analyze data, such as a NWDAF in 5G, or a node capable of performing a similar function in the communications system 100.
  • the second node 112 may be a node having a capability to support handling of user plane traffic based on one or more rules such as, for example, packet inspection and different enforcement actions such as QoS handling, which may have been received from an SMF.
  • the second node 112 may be a UPF in 5G or a node capable of performing a similar function in the communications system 100.
  • the third node 113 may be a node capable of storing data grouped into distinct collections of subscription-related information, such as subscription data, policy data, structured data for exposure, and application data.
  • the third node 113 may be a UDR in 5G or a node capable of performing a similar function in the communications system 100.
  • the fourth node 114 may be a node capable of providing content to a user, in relation to an application.
  • the fourth node 114 may be for example an application server, or a node capable of performing a similar function in the communications system 100.
  • the fifth node 115 may be a node capable of requesting data pertaining to analytics performed by the first node 111.
  • the fifth node 115 may be for example a consumer, such as, any NF, e.g., PCF or OAM, or a node capable of performing a similar function in the communications system 100.
  • the communications system 100 also comprises one or more devices 130, comprising a first device 131.
  • Any of the one or more devices 130 may be also known as e.g., user equipment (UE), a wireless device, mobile terminal, wireless terminal and/or mobile station, mobile telephone, cellular telephone, or laptop with wireless capability, or a Customer Premises Equipment (CPE), just to mention some further examples.
  • UE user equipment
  • CPE Customer Premises Equipment
  • any of the one or more devices 130 in the present context may be, for example, portable, pocket-storable, hand-held, computer-comprised, or a vehicle-mounted mobile device, enabled to communicate voice and/or data, via a RAN, with another entity, such as a server, a laptop, a Personal Digital Assistant (PDA), or a tablet computer, sometimes referred to as a tablet with wireless capability, or simply tablet, a Machine-to-Machine (M2M) device, a device equipped with a wireless interface, such as a printer or a file storage device, modem, Laptop Embedded Equipped (LEE), Laptop Mounted Equipment (LME), USB dongles, CPE or any other radio network unit capable of communicating over a radio link in the communications system 100.
  • PDA Personal Digital Assistant
  • M2M Machine-to-Machine
  • M2M Machine-to-Machine
  • LOE Laptop Embedded Equipped
  • LME Laptop Mounted Equipment
  • USB dongles CPE or any other
  • any of the one or more devices 130 may be wireless, i.e., it may be enabled to communicate wirelessly in the communications system 100 and, in some particular examples, may be able support beamforming transmission.
  • the communication may be performed e.g., between two devices, between a device and a radio network node, and/or between a device and a server.
  • the communication may be performed e.g., via a RAN and possibly one or more core networks, comprised, respectively, within the communications system 100.
  • any of the one or more devices 130 may be an loT device, e.g., a NB loT device.
  • the communications system 100 may comprise one or more radio network nodes, whereof a radio network node 140 is depicted in Figure 2b.
  • the radio network node 140 may typically be a base station or Transmission Point (TP), or any other network unit capable to serve a wireless device or a machine type node in the communications system 100.
  • the radio network node 140 may be e.g., a 5G gNB, a 4G eNB, or a radio network node in an alternative 5G radio access technology, e.g., fixed or WiFi.
  • the radio network node 140 may be e.g., a Wide Area Base Station, Medium Range Base Station, Local Area Base Station and Home Base Station, based on transmission power and thereby also coverage size.
  • the radio network node 140 may be a stationary relay node or a mobile relay node.
  • the radio network node 140 may support one or several communication technologies, and its name may depend on the technology and terminology used.
  • the radio network node 140 may be directly connected to one or more networks and/or one or more core networks.
  • the communications system 100 covers a geographical area which may be divided into cell areas, wherein each cell area may be served by a radio network node, although, one radio network node may serve one or several cells.
  • the first node 111 may communicate with any of the one or more additional nodes 112, 133, e.g., with the the second node 112, respectively, over a respective first link 151 , e.g., a radio link or a wired link.
  • the first node 111 may communicate with the another node 115 over a second link 152, e.g., a radio link or a wired link.
  • the first node 111 may communicate with any of the one or more devices 130, e.g., the first device 131 , respectively, over a respective third link 153, e.g., a radio link or a wired link.
  • the second node 112 may communicate with the fourth node 114 over Any of the one or more first endpoints 120 may communicate with the second node 112 over a respective fourth link 154, e.g., a radio link or a wired link.
  • the radio network node 140 may communicate with the first node 111 over a fifth link 155, e.g., a radio link.
  • the radio network node 140 may communicate with any of the one or more devices 130, e.g., the first device 131, respectively, over a respective sixth link 156, e.g., a radio link.
  • any of the respective first link 151 , the second link 152, the third link 153, the fourth link 154, the fifth link 155 and the respective sixth link 156 may be a direct link or it may go via one or more computer systems or one or more core networks in the communications system 100, or it may go via an optional intermediate network.
  • the intermediate network may be one of, or a combination of more than one of, a public, private or hosted network; the intermediate network, if any, may be a backbone network or the Internet, which is not shown in Figure 2.
  • first”, “second”, “third”, “fourth”, “fifth” and/or “sixth” herein may be understood to be an arbitrary way to denote different elements or entities, and may be understood to not confer a cumulative or chronological character to the nouns these adjectives modify.
  • Embodiments of a computer-implemented method, performed by the first node 111 will now be described with reference to the flowchart depicted in Figure 3.
  • the method may be understood to be for handling security in a communications system 100.
  • the first node 111 operates in the communications system 100.
  • the method may comprise the actions described below. In some embodiments all the actions may be performed. In some embodiments some of the actions may be performed. In Figure 3, optional actions are indicated with a dashed box. One or more embodiments may be combined, where applicable. All possible combinations are not described to simplify the description. It should be noted that the examples herein are not mutually exclusive. Components from one example or embodiment may be tacitly assumed to be present in another example or embodiment and it will be obvious to a person skilled in the art how those components may be used in the other examples or embodiments.
  • Actions 302a, 302b, 302c, 303, 304 and 305 may be performed in a different order. In a particular alternative example to that depicted in Figure 2, these Actions may be performed in the order of 302b, 304, 302a, 302c, 305, 303.
  • a security attack may be understood as any interference in any process or component of the communications system 100 with the intent to affect its functioning or performance, and/or to steal part of the information processed by it.
  • a security attack may be which may be of different types, as described in the Background section, for example passive attacks, active attacks, etc...
  • an analytics consumer such as the another node 115, which may be e.g., any NF, such as a PCF or a OAM, may subscribe with the first node 111 to receive a new type of analytic according to embodiments herein, as will be described next, and may indicate the security scenario that may of interest to the another node 115 to follow, e.g., a DDoS.
  • the first node 111 receives, from the another node 115 operating in the communications system 100, a first message.
  • the first message requests a subscription to receive at least one indication indicating a security attack of a first type in the communications system 100.
  • the indication is of at least one of: i) a first indication of one or more applications that are a target or a source of the security attack of the first type in the communications system 100, and ii) a second indication of the one or more devices 130 operating in the communications system 100 that are a target or a source of the security attack of the first type in the communications system 100.
  • the first node 111 may be an NWDAF and the another node 115 may manage an analytics consumer, such as any NF, e.g. PCF or OAM.
  • an analytics consumer such as any NF, e.g. PCF or OAM.
  • the first indication may be, for example, a Nnwdaf_AnalyticsSubscription_Request message.
  • the first indication may be, for example, a list applications, e.g., a list of identifiers of applications, such as a list of App-ID, which may be understood to indicate the App-ID/s which may be the target or the source for the security attack.
  • the first message may indicate the first indication, the second indication, or both. If the first indication is not included, e.g., the list of App-ID/s is empty, it may be understood that all user traffic, and not only that pertaining to a subset of applications, may be subject to the requested analytic.
  • the second indication may be, for example, an identifier of a device, e.g., a LIE-ID, a list of devices, e.g., a list of identifiers of devices, such as a list of LIE-ID, UE-Group-ID or list of UE-Group-ID, AnyllE, which may be understood to indicate the devices which may be the target or the source for the security attack.
  • a device e.g., a LIE-ID
  • a list of devices e.g., a list of identifiers of devices, such as a list of LIE-ID, UE-Group-ID or list of UE-Group-ID, AnyllE, which may be understood to indicate the devices which may be the target or the source for the security attack.
  • a security attack of a first type may be, for example, a Denial of Service (DoS) attack. There may be other types of attacks.
  • DoS Denial of Service
  • the receiving in this Action 301 need not be directly from the another node 115 via the second link 152.
  • the first node 111 may be enabled to know which entity may need to be monitored in the communications system 100 as being a potential source or target of a security attack, and for which purpose, namely, which kind of security attack. The first node 111 may then be enabled to initiate prevention of the security attack from happening, or its management once it may have been initiated, by proceeding to perform the next Action 302. Before that, the first node 111 may reply to the received first message with a successful response, accepting the request.
  • the first node 111 initiates instructing, based on the received first message, at least one of: the one or more additional nodes 112, 113 operating in the communications system 100 and the first device 131 of the one or more devices 130, to monitor information indicative of the security attack of the first type.
  • Initiating may be understood as triggering or starting.
  • the one or more additional nodes 112, 113 may comprise the second node 112, e.g., a UPF.
  • the initiating instructing in this Action 302 may comprise sending 302a a second message to the second node 112.
  • the second message may request first information, that is a first set of information, of the information indicative of the security attack of the first type.
  • the first information may indicate traffic indicators for the indicated one or more devices 130.
  • the first node 111 may therefore in this Action 302a, trigger data collection from the second node 112, specifically to retrieve information relative to protocol metrics for a particular device, e.g., the first device 131.
  • the second message may be, for example, a Nupf_EventExposure_Subscribe request message.
  • the protocol may be understood to refer that, e.g., a transport protocol, which may be used by traffic for the particular application, e.g., example.com, which may be the subject of the monitoring; a particular example of such a protocol may be TCP.
  • protocol may be UDP or QIIIC; and d) one or more protocol metrics.
  • the one or more protocol metrics may be indicated by a parameter “Protocol Metrics Info”.
  • the one or more metrics may comprise one or more third indications.
  • the one or more third indications may indicate, respectively, one of the following options, although this is not an exhaustive list.
  • a ratio of connection-oriented transport protocol setup request messages to connection-oriented transport protocol setup response messages for a session may be a parameter “SYN to SYN-ACK ratio”. This may be understood to be a ratio between SYN and SYN-ACK messages for a particular session, e.g., a LIE-ID session. For example, a ratio of 1 may be understood to mean that there is a corresponding SYN-ACK message for each SYN message.
  • one of the third indications may indicate a number of unacknowledged connection-oriented transport protocol setup request messages.
  • An example for the TCP protocol of this number may be a parameter “Unacked SYN volume”. This may be understood to be the number of TCP SYN messages for which no TCP SYN-ACK and/or TCP ACK messages have been detected by the second node 112, e.g., a UPF, for this particular session, e.g., the UE-ID session.
  • one of the third indications may indicate a volume of a respective message of a first type received for the session.
  • an example for this volume may be a parameter “SYN volume”. This may be understood to be the average volume of each TCP SYN message for this LIE-ID session. Additionally, in case the volume of an individual TCP SYN message exceeds a configurable threshold, this may also be reported.
  • one of the third indications may indicate a number of consecutive messages of a second type received for the session.
  • An example for the TCP protocol of this number may be a parameter “Simultaneous TCP SYN”. This may be understood to be the number of consecutive TCP SYN messages for this session, e.g., LIE-ID session, for example, over a certain timespan which may also be configurable.
  • one of the third indications may indicate an average size of a window for the session.
  • An example for the TCP protocol of this average size may be a parameter “TCP average window size”. This may be understood to be the average window size for this session, e.g., LIE-ID session.
  • one of the third indications may indicate a number of duplicated acknowledgement messages for the session.
  • An example for the TCP protocol of this number may be a parameter “Duplicated ACKs”. This may be understood to be the number of duplicated ACKs for this session, e.g., LIE-ID session.
  • one of the third indications may indicate a number of packets sent for the session.
  • an example for this number may be a parameter “RST”. This may be understood to be the number of TCP RST packets sent for this session, e.g., UE- ID session.
  • one of the third indications may indicate a number of retransmitted information for the session.
  • An example for the TCP protocol of this number may be a parameter “Retransmissions”. This may be understood to be the number of retransmitted packets/bytes for this session, e.g., LIE-ID session.
  • one of the third indications may indicate a maximum segment size for the session.
  • an example for this size may be a parameter “Maximum Segment Size”. This may be understood to be the maximum segment size for this session, e.g., LIE-ID session.
  • one of the third indications may indicate a number of units of information sent during an initial window of the session.
  • An example for the TCP protocol of this number of units may be a parameter “Initial window packets/bytes”. This may be understood to be the number of packets/bytes sent during the initial window for this session, e.g., LIE-ID session.
  • one of the third indications may indicate a maximum idle time between consecutive packets for the session.
  • An example for the TCP protocol of this time may be a parameter “Max Idle time”. This may be understood to be the maximum idle time between consecutive packets for this session, e.g., LIE-ID session.
  • one of the third indications may indicate a minimum idle time between consecutive packets for the session.
  • an example for this time may be a parameter “Min Idle time”. This may be understood to be the minimum idle time between consecutive packets for this session, e.g., LIE-ID session.
  • one of the third indications may indicate a throughput for the session.
  • An example for the TCP protocol of this number of units may be a parameter “Average throughput”. This may be understood to be the average throughput for this session, e.g., LIE-ID session.
  • one of the third indications may indicate a respective start time of a respective flow comprised in the session.
  • an example for this start time may be a timestamp, indicating the start time for the flow.
  • one of the third indications may indicate a respective fourth node 114 serving the first device 131 for the respective flow comprised in the session.
  • An example for the TCP protocol of this time may be a 5-tuple, including the server IP address.
  • one of the third indications may indicate a respective volume of the respective flow comprised in the session.
  • An example for the TCP protocol of this volume may be a parameter Volume, optionally differentiating uplink (UL) and downlink (DL) volume.
  • the mechanisms proposed in 3GPP TR 23.700-91 may, for example, be used, e.g. through an SMF or directly, assuming a service based UPF.
  • protocol metrics may be understood to be specific for TCP Protocol.
  • UDP and QUIC other metrics may be used.
  • UDP protocol metrics may be used, although this list is not exhaustive:
  • one of the third indications may indicate the number of consecutive messages of the second type received for the session.
  • An example for the UDP protocol of this number may be a parameter “Simultaneous UL UDP”. This may be understood to be the number of consecutive UL UDP messages, e.g., with different 5-tuple, usually different source port, for this session, e.g., UE-ID session, for example, over a certain timespan which may be configurable.
  • the number of consecutive messages of the second type received for the session and a same server may be a parameter “Simultaneous UL UDP same server”. This may be understood to be the number of consecutive UL UDP messages, with different 5-tuple, usually different source port, for this session, e.g., LIE-ID session, and for the same server, e.g., over a certain timespan which may be configurable.
  • one of the third indications may indicate a number of consecutive messages of another second type received for the session and a same server.
  • An example for the UDP protocol of this number may be a parameter “Simultaneous unsolicited DL UDP same server”. This may be understood to be the number of consecutive DL UDP messages, with different 5-tuple, usually different source port, for this session, e.g., UE-ID session, and from the same server, over a certain timespan which may be configurable, initiated from the server side, that is, unsolicited traffic.
  • one of the third indications may indicate the volume of respective message of the first type received for the session.
  • An example for the QUIC protocol of this volume may be a parameter “UL Initial QUIC long header packet volume”. This may be understood to be the average volume of each UL Initial QUIC long header packet for this session, e.g., UE-ID session. Additionally, in case the volume of an individual UL Initial QUIC long header packet exceeds a configurable threshold, this may also be reported.
  • one of the third indications may indicate the number of consecutive messages of the second type received for the session.
  • An example for the QUIC protocol of this number may be a parameter “Simultaneous UL QUIC”. This may be understood to be the number of consecutive UL Initial QUIC long header packets, with different 5-tuple, usually different source port, for this UE-ID session, over a certain timespan which may also be configurable.
  • one of the third indications may indicate the number of consecutive messages of the second type received for the session and a same server.
  • An example for the QUIC protocol of this number may be a parameter “Simultaneous UL QUIC same server”. This may be understood to be the number of consecutive UL Initial QUIC long header packets, with different 5-tuple, usually different source port, for this session, e.g., UE-ID session and for the same server, e.g., over a certain timespan which is also configurable.
  • one of the third indications may indicate the number of consecutive messages of another second type received for the session.
  • An example for the QUIC protocol of this number may be a parameter “Simultaneous unsolicited DL QUIC same server”. This may be understood to be the number of consecutive DL Initial QUIC long header packets, with different 5-tuple, usually different source port, for this session, e.g., UE-ID session, and from the same server, over a certain timespan which is also configurable, initiated from the server side, that is, unsolicited traffic.
  • the sending in this Action 302a may be performed over a respective first link 151.
  • the second node 112 may answer the second message with a successful response, accepting the request.
  • the one or more additional nodes 112, 113 may comprise the third node 113, e.g., a UDR.
  • the initiating instructing in this Action 302 may comprise sending 302b, based on the received first message, a third message to the third node 113.
  • the third message may request second information, of the information indicative of the security attack of the first type.
  • the second information may indicate a history of security attacks of the first type for the indicated one or more devices 130.
  • the third message may be, for example, a Nudr_Query request message, which may indicate the one or more devices 130 with a respective LIE-ID as parameter.
  • the third node 113 may be a UDR
  • the first node 111 e.g., a NWDAF
  • the first node 111 may triggers data collection from by requesting from the UDR the subscriber profile relative to indicated one or more devices 130.
  • the sending in this Action 302b may be performed over another respective first link 151.
  • the initiating instructing in this Action 302 may comprise sending 302c a fourth message to a first device 131 of the one or more devices 130.
  • the fourth message may request third information, of the information indicative of the security attack of the first type.
  • the third information may indicate traffic indicators for one or more applications used by the first device 131.
  • the first node 111 may therefore in this Action 302a, trigger data collection from the first device 131 , specifically to retrieve information relative to active (OS) applications for a particular device, e.g., as identified by a UE-ID.
  • OS active
  • the fourth message may be, for example, a Nue_EventExposure_Subscribe request message.
  • the sending in this Action 302c may be performed over, e.g., the third link 153.
  • the first device 131 may answer the request message with a successful response, accepting the request.
  • the first node 111 may trigger data collection from the entities in the communications network 100 which may be able to provide information on the one or more applications and/or the one or more devices 130 operating in the communications system 100 that may be a target or a source of the security attack of the first type in the communications system 100.
  • the first node 111 may therefore be enabled to receive, in response to the sending of the second message, the third message and/or the fourth message, one or more additional messages from the at least one of: the one or more additional nodes 112, 113 and the first device 131, as will be described in the next Actions.
  • the first node 111 may receive from the second node 112, the requested first information in a first additional message of the one or more additional messages. That is, the receiving in this Action 303 of the first information may be in response to the sent second message.
  • the receiving in this Action 303 may be performed over the respective first link 151.
  • the first additional message may be a Nupf_EventExposure_Notify request message.
  • Eventld ProtocolMetrics, LIE-ID, and a parameter gathering the information on the protocol used and the one or more protocol metrics as a single parameter “ProtocolMetricsInfo”, which may include the following information.
  • the parameter ProtocolMetricsInfo may include the first information on the one or more protocol metrics with the parameter Protocol-Metrics.
  • the one or more metrics may comprise the one or more third indications described in Action 302a.
  • the first node 111 may then be enabled to, as will be described in Action 306, determine, based on the received first information whether or not the security attack has occurred, and the at least one of the first indication and the second indication, as requested in the received first message. That is, the one or more applications, and the one or more devices 130 that may be a target or a source of the security attack of the first type in the communications system 100.
  • the first node 111 may receive, from the third node 113, the requested second information in a second additional message of the one or more additional messages.
  • the receiving in this Action 304 may be performed over the respective first link 151.
  • the second additional message may comprise the subscriber profile for the indicated one or more devices 130, e.g., via LIE-ID, including historic security related information for the indicated one or more devices 130, e.g., via the LIE-ID.
  • the first node 111 may then be enabled to, as will be described in Action 306, determine, based on the received second information whether or not the security attack has occurred, and the at least one of the first indication and the second indication, as requested in the received first message. That is, the one or more applications, and the one or more devices 130 that may be a target or a source of the security attack of the first type in the communications system 100.
  • the first node 111 may receive, from the first device 131 , the requested third information in a third additional message of the one or more additional messages.
  • the receiving in this Action 305 may be performed over the third link 153.
  • the first additional message may be a Nue_EventExposure_Notify request message.
  • This may comprise the following information.
  • an identifier of the one or more applications via the parameter OSApplicationld e.g., example.com.
  • the first node 111 may then be enabled to, as will be described in Action 306, determine, based on the received third information whether or not the security attack has occurred, and the at least one of the first indication and the second indication, as requested in the received first message. That is, the one or more applications, and the one or more devices 130 that may be a target or a source of the security attack of the first type in the communications system 100.
  • the first node 111 may determine, based on the one or more additional messages received from the at least one of: the one or more additional nodes 112, 113 and the first device 131 , in response to the initiating 302 instructing: i) whether or not the security attack has occurred, and ii) the at least one of the first indication and the second indication, as requested in the received first message.
  • Determining may be understood as e.g., calculating, deciding or detecting.
  • the determining in this Action 306 may comprise to produce analytics based on the data collected from the one or more additional nodes 112, 113 and the first device 131.
  • the first node 111 may, based on the data collected above, run analytic processes and generate a result, as a new analytic which may be referred to e.g., “AnalyticResult”.
  • the first node 111 for example, as part of the determining in this Action 306, check if the one or more protocol metrics reported meet one or more conditions, e.g., exceed a particular threshold. If so, the first node 111 may then identify the one or more devices 130 that may be involved and or the respective fourth node 114 that may be involved, and compile a list of one or more devices 130, and/or one or more applications, and/or respective fourth nodes 114 that may be suspected of being a source or a target of the security attack of the first type.
  • the first node 111 may determine if any of the following protocol metrics conditions may be met: 1) the number of unacknowledged connection-oriented transport protocol setup request messages, e.g., “Unacked SYN volume”, exceeds a certain configurable threshold, and/or 2) the volume of respective message of the first type received for the session, e.g., “SYN volume”, exceeds a configurable threshold, and/or 3) the number of consecutive messages of the second type received for the session, e.g., “Simultaneous TCP SYN” exceeds a configurable threshold.
  • protocol metrics conditions may be met: 1) the number of unacknowledged connection-oriented transport protocol setup request messages, e.g., “Unacked SYN volume”, exceeds a certain configurable threshold, and/or 2) the volume of respective message of the first type received for the session, e.g., “SYN volume”, exceeds a configurable threshold, and/or 3) the number of consecutive messages of the second type received for the session,
  • the first node 111 may look for matches between the 5-tuples collected from the first device 131 and the second node 112, and only for the flows where the above protocol metrics values have exceeded the configurable thresholds above. If there is a match, e.g., the same 5- tuple and same or similar Timestamp, taking into consideration that the clocks of the first device 131 and the second node 112 may be different, the first node 111 may store the following information. First, as part of the second indication of the one or more devices 130 that may be the target or the source of the security attack of the first type, a list of suspect one or more devices 130, e.g., as the parameter “List of Suspect UE-IDs”.
  • the list may comprise an identifier for each of the one or more devices 130.
  • a single LIE-ID which may include subscriber identifier, e.g., International Mobile Subscriber Identifier (IMSI), and/or device identifier, e.g. International Mobile Equipment Identifier (I M El).
  • subscriber identifier e.g., International Mobile Subscriber Identifier (IMSI)
  • device identifier e.g. International Mobile Equipment Identifier (I M El).
  • an indication for an identified device e.g., via LIE-ID, as being either the source or the target of the security attack of the first type may be generated.
  • a list of suspect one or more applications e.g., as the parameter “List of Suspect App-IDs”.
  • the list may comprise an identifier for each of the one or more applications.
  • App-ID example.com.
  • an indication for an identified application e.g., via App-ID, as being either the source or the target of the security attack of the first type.
  • the first node 111 may determine one or more suspect fourth nodes 114, e.g., a list of suspect fourth nodes 114, that may be the target or the source of the security attack of the first type, e.g., as the parameter “List of Suspect Server IP”. A further indication may be generated indication whether the fourth node 114 may be either the source or the target of the security attack of the first type. Fourth, the first node 111 may determine one or more suspected types of attack, e.g., a list of suspect types of attack, e.g., as the parameter “List of Suspect type of attack", For example, SYN flood.
  • DDoS there may be different sub-categories, such as a brute force DDoS attack or a low rate DDoS attack, or being more granular: SYN flood, UDP flood, HTTP flood, Ping of death, Smurf attack, etc. Additionally, a confidence level may also be determined, e.g., a percentage from 0% to 100%).
  • the first node 111 may be able to perform a new type of analytic relative to security related attacks.
  • the first node 111 may then be enabled to notify the another node 115, and which may allow an operator of the communications system 100 to detect different security related attacks and to act upon them, e.g., by blocking the suspected entities, and thereby mitigate the negative consequences that the detected attack may have on the communications system 100,
  • the first node 111 initiates sending, with the proviso that the security attack is detected based on the monitored information, another message to the another node 115.
  • the another message comprises the requested at least one of the first indication and the second indication, based on the requested subscription.
  • the another message may be understood to be based a result of the determining of Action 306.
  • the another message may further comprise at least one of: a) the sixth indication of the suspected type of security attack, and b) a recommended action to mitigate the detected security attack, e.g. block traffic, store an indication of the attack as part of subscriber profile, notify the content provider.
  • the recommended mitigation action may be determined by the first node 111 based both on the detected type of attack and on the confidence level.
  • the another message may be, for example, a Nnwdaf_AnalyticsSubscription_Notify request message.
  • a further indication may be provided indicating whether the fourth node 114 may be either the source or the target of the security attack of the first type: c) the one or more suspected types of attack, e.g., as the parameter “Suspect type of attack", For example, SYN flood.
  • the confidence level may also be provided, e.g. a percentage from 0% to 100%; and d) the recommended action to mitigate the detected security attack.
  • the first node 111 may then enable the another node 115 to be notified about any security attack may be underway in the communications system 100, and thereby enable the another node 115 to take appropriate measures to stop the attack and mitigate any adverse effects the attack may have on the operation of the communications system 100 and/or its components.
  • the capacity of the communications system 100 may therefore by improved and the latency may be reduced.
  • the first node 111 may be an NWDAF
  • the another node 115 may manage an analytics consumer, e.g., a PCF or an OAM
  • the one or more additional nodes 113, 114 may comprise one of a UPF and a UDR.
  • Embodiments of a computer-implemented method performed by the second node 112 will now be described with reference to the flowchart depicted in Figure 4.
  • the method may be understood to be for handling security in the communications system 100.
  • the second node 112 operates in the communications system 100.
  • the method comprises the following actions.
  • One or more embodiments may be combined, where applicable. All possible combinations are not described to simplify the description. It should be noted that the examples herein are not mutually exclusive. Components from one example or embodiment may be tacitly assumed to be present in another example or embodiment, and it will be obvious to a person skilled in the art how those components may be used in the other examples.
  • the first node 111 may be a NWDAF and the second node 112 may be a UPF.
  • the second node 112 receives the instruction from the first node 111 operating in the communications system 100 to monitor information indicative of the security attack of the first type, by receiving the second message from the first node 111.
  • the second message requests the first information, of the information indicative of the security attack of the first type.
  • the first information indicates the traffic indicators for the one or more devices 130 operating in the communications system 100 that are the target or the source of the security attack of the first type in the communications system 100.
  • the receiving in this Action 401 may be via the respective first link 151.
  • the first information may comprise at least one of: a) the first identifier of the first information, b) the second identifier of the first device 131 of the one or more devices 130, c) the third identifier of the protocol used for the traffic, and d) the one or more protocol metrics.
  • the one or more metrics may comprise the one or more third indications indicating, respectively, one of: a) the ratio of connection-oriented transport protocol setup request messages to connection-oriented transport protocol setup response messages for the session, b) the number of unacknowledged connection-oriented transport protocol setup request messages, c) the volume of respective message of the first type received for the session, d) the number of consecutive messages of the second type received for the session, e) the average size of the window for the session, f) the number of duplicated acknowledgement messages for the session, g) the number of packets sent for the session, h) the number of retransmitted information for the session, i) the maximum segment size for the session, j) the number of units of information sent during the initial window of the session, k) the maximum idle time between consecutive packets for the session, I) the minimum idle time between consecutive packets for the session, m) the throughput for the session, n) the respective start time of the respective flow comprised in the session, o) the respective fourth node 114
  • the security attack of the first type may be a DoS attack.
  • the second node 112 may be enabled start monitoring the requested first information, and when appropriate, e.g., on- demand, when a condition is met, or periodically, report the collected first information to the first node 111, thereby enabling the first node 111 to analyze the information and determine whether or not the attack has taken place, and by whom, so that actions to mitigate such an attack may be taken.
  • the second node 112 after receiving the second message, may initiate the monitoring of the information indicative of the security attack of the first type. This may be performed, by example, by monitoring traffic, e.g., UL traffic from the one or more devices 130, in relation to the one or more applications.
  • the second node 112 may detect this traffic, e.g., UL TCP traffic, and detect, for example, TCP SYN messages, and gather data for the requested first information.
  • the second node 112 may for example, store the following information: for each detected flow: a) the time of start of a flow ran by the first device 131 on the first application, e.g., a Timestamp, b) the fourth indication, e.g., the 5-tuple, including the Server IP address, and c) the fifth indication, e.g., the Volume.
  • the second node 112 sends the requested first information to the first node 111 , in the first additional message.
  • the sending in this Action 402 may be via the respective first link 151.
  • the sending in this Action 402 may be one of: perioding, when prompted by the first node 111 , and/or upon fulfilment of one or more conditions, e.g., a number of TCP SYN messages having been detected.
  • the second node 112 may then enable the first node 111 to analyze the information and determine whether or not the attack has taken place, and by whom, so that actions to mitigate such an attack may be taken.
  • the communications system 100 comprises the first node 111 and the one or more additional nodes 112, 113.
  • the method may comprise one or more of the following actions. Several embodiments are comprised herein. In some embodiments, the method may comprise one action. In other embodiments, the method may comprise two or more actions. One or more embodiments may be combined, where applicable. All possible combinations are not described to simplify the description. It should be noted that the examples herein are not mutually exclusive. Components from one example may be tacitly assumed to be present in another example and it will be obvious to a person skilled in the art how those components may be used in the other examples. In Figure 5, optional actions are depicted with dashed lines.
  • the first node 111 may be an NWDAF
  • the another node 115 may manage an analytics consumer, e.g., a PCF or an OAM
  • the one or more additional nodes 113, 114 may comprise one of a UPF and a UDR.
  • some actions may be performed in a different order than that depicted in Figure 5.
  • Actions 502a, 502b, 502c, 509, 510 and 511 may be performed in a different order.
  • these Actions may be performed in the order of 502b, 510, 502a, 502c, 511, 509.
  • the first node 111 receives, from the another node 115 operating in the communications system 100, the first message.
  • the first message requests the subscription to receive at least one indication indicating the security attack of the first type in the communications system 100.
  • the indication is of at least one of: i) the first indication of the one or more applications that are the target or the source of the security attack of the first type in the communications system 100, and ii) the second indication of the one or more devices 130 operating in the communications system 100 that are the target or the source of the security attack of the first type in the communications system 100.
  • the security attack of the first type may be, for example, a DoS attack. There may be other types of attacks.
  • the first node 111 initiates instructing, based on the received first message, at least one of: the one or more additional nodes 112, 113 and the first device 131 of the one or more devices 130, to monitor information indicative of the security attack of the first type.
  • the first node 111 may send the second message to the second node 112.
  • the initiating 302 instructing may comprise, in this Action 502b, which corresponds to Action 302b, the first node 111 sending, based on the received first message, the third message to the third node 113.
  • the third message may request the second information, of the information indicative of the security attack of the first type.
  • the first information may indicate the history of the security attacks of the first type for the indicated one or more devices 130.
  • the first node 111 may send the fourth message to the first device 131 of the one or more devices 130.
  • the fourth message may request the third information, of the information indicative of the security attack of the first type.
  • the third information may indicate the traffic indicators for one or more applications used by the first device 131.
  • the third information may comprise at least one of: a) the identifier of the first application used by the first device 131, b) the time of start of the flow run by the first device 131 on the first application; c) the fourth indication of the fourth node 114 serving the first device 131 for the flow, and d) the fifth indication of the volume of traffic for the flow.
  • the second node 112 of the one or more additional nodes 112, 113 receives the instruction from the first node 111 operating in the communications system 100 to monitor the information indicative of the security attack of the first type, by receiving the second message from the first node 111.
  • the second message requests the first information, of the information indicative of the security attack of the first type.
  • the first information indicates the traffic indicators for the one or more devices 130 operating in the communications system 100 that are the target or the source of the security attack of the first type in the communications system 100.
  • the first information may comprise at least one of: a) the first identifier of the first information, b) the second identifier of the first device 131 of the one or more devices 130, c) the third identifier of a protocol used for the traffic, and d) the one or more protocol metrics.
  • the one or more metrics may comprise the one or more third indications.
  • the one or more third indications may indicate, respectively, one of the following options, although this is not an non-exhaustive list: a) the ratio of connection-oriented transport protocol setup request messages to connection-oriented transport protocol setup response messages for the session, b) the number of unacknowledged connection-oriented transport protocol setup request messages, c) the volume of respective message of the first type received for the session, d) the number of consecutive messages of the second type received for the session, e) the average size of the window for the session, f) the number of duplicated acknowledgement messages for the session, g) the number of packets sent for the session, h) the number of retransmitted information for the session, i) the maximum segment size for the session, j) the number of units of information sent during the initial window of the session, k) the maximum idle time between consecutive packets for the session, I) the minimum idle time between consecutive packets for the session, m) the throughput for the session, n
  • this Action 504 may comprise, receiving, by the third node 113, from the first node 111 , the third message.
  • the receiving in this Action 504, may be performed via a respective first link 151.
  • this Action 505 may comprise receiving 505, by the first device 131 , from the first node 111 , the fourth message.
  • the receiving in this Action 505, may be performed via the third link 153.
  • This Action 506, which corresponds to Action 402, comprises sending 506, 402, by the second node 112 the requested first information to the first node 111 , in the first additional message.
  • the method may comprise, in this Action 507, sending 507, by the third node 113, to the first node 111, the requested second information in the second additional message of the one or more additional messages.
  • This Action 508, may comprise, sending 508, by the first device 131 , to the first node 111 , the requested third information in the third additional message of the one or more additional messages.
  • the method may comprise, in this Action 304, which corresponds to Action 303, receiving, by the first node 111, from the second node 112, the requested first information in the first additional message of the one or more additional messages.
  • This Action 510 which corresponds to Action 402, may comprise receiving, by the first node 111 , from the third node 113, the requested second information in the first additional message.
  • the method may comprise, in this Action 511, which corresponds to Action 305, receiving, by the first node 111, from the first device 131, the requested third information in the third additional message.
  • This Action 512 which corresponds to Action 306, may comprise determining, by the first node 111 and based on the one or more additional messages received from the at least one of: the one or more additional nodes 112, 113 and the first device 131 , in response to the initiating 302 instructing: i) whether or not the security attack has occurred, and ii) the at least one of the first indication and the second indication, as requested in the received first message.
  • This Action 513 which corresponds to Action 307, comprises initiating sending, by the first node 111 , with the proviso that the security attack is detected based on the monitored information, the another message to the another node 115.
  • the another message comprises the requested at least one of the first indication and the second indication, based on the requested subscription.
  • the another message may be based a result of the determining in Action 512.
  • the another message may further comprise at least one of: a) the sixth indication of the suspected type of security attack, and b) the recommended action to mitigate the detected security attack.
  • Figure 6 is a signalling diagram depicting a first non-limiting example on the method performed by the communications system 100, to generate and use the new analytic relative to security related attacks for the specific case of DDoS attacks, described in embodiments herein.
  • the steps of this example are detailed below.
  • the first node 111 is a NWDAF
  • the second node 112 is an UPF
  • the third node 113 is a UDR
  • the fourth node 114 is an Application Server (App Server)
  • the another node 115 is a consumer, e.g., any NF, such as a PCF or a OAM
  • the first device 131 is a UE.
  • the first message requests to receive at least one of the first indication and the second indication.
  • the first message may explicitly comprise the first indication as a list of App-ID. This may indicate the App-ID/s which may be the target for security. In the example use case shown in the sequence diagram of Figure 6, no App-ID is included, that is, the list is empty, which may be understood to mean that all user traffic is subject to this analytic.
  • the first message may explicitly comprise the second indication as a LIE-ID or list of LIE-ID, UE-Group-ID or list of UE-Group-ID, or AnyllE. This may indicate the UE(s) which may be the target for security. In the example use case shown in the sequence diagram of Figure 6, for simplicity, this field is set to a certain UE, with a particular UE-ID.
  • the first node 111 answers the request message in Step 2 with a successful response, accepting the request.
  • the first node 111 triggers, according to Action 502b, 302b, data collection from the third node 113.
  • the first node 111 requests the third node 113 to provide as second information, the subscriber profile relative to the first device 131 indicated with a UE-ID.
  • the first node 111 triggers a Nudr_Query request message as third message indicating the UE-ID as parameter, which the third node 113 receives in accordance with Action 504.
  • the third node 113 returns the subscriber profile for the UE-ID, including historic security related information for the UE-ID in the second additional message.
  • the first node 111 according to Action 502a, 302a, 503, 401, triggers data collection from the second node 112, specifically to retrieve information relative to protocol metrics for the LIE-ID.
  • Eventld ProtocolMetrics to request the one or more protocol metrics
  • LIE-ID LIE-ID
  • 17.0.0 may be used, e.g., through the SMF or directly, assuming a service based UPF.
  • the second node 112 answers the request message in Step 8 with a successful response, accepting the request.
  • the first node 111 according to Action 502c, 302c, 505, triggers data collection from the first device 131 , specifically to retrieve information relative to the active Operating System (OS) applications used by the first device 131, identified with the UE-ID.
  • OS Operating System
  • the first device 131 answers the request message in Step 11 with a successful response, accepting the request.
  • Figure 7 is a continuation of the procedure depicted in Figure 6.
  • the first device 131 starts an application, e.g., example.com, which runs over TCP and uses encryption, e.g., TLS 1.3 and where the TLS Client Hello SNI field is encrypted, thus making it difficult for the network operator to detect the corresponding App-ID.
  • the first device 131 stores the following information: 1) the identifier of a first application used by the first device 131 with the parameter OSApplicationld, e.g., example.com, and 2) for each flow: a) the time of start of the flow ran by the first device 131 on the first application with the parameter Timestamp, indicating the start time for the flow, b) the fourth indication of the fourth node 114 serving the first device 131 for the flow with the parameter 5-tuple, including the Server IP address, and c) the fifth indication of the volume of traffic for the flow with the parameter Volume.
  • the first device 131 sends application traffic for example.com, to the second node 112.
  • the application triggers multiple TCP SYN messages, which may be understood to be a type of DDoS attack aimed to consume network and/ or server resources.
  • the second node 112 stores the following information: for each detected flow: a) Timestamp, indicating the start time for the flow, b) 5-tuple, including the Server IP address, and c) Volume.
  • the fourth node 114 here the application server for example.com, receives uplink traffic in Step 16, processes it and generates downlink traffic in Step 17 for the same, but reversed, 5-tuple as in Step 16, but in this example, it does not answer the UL TCP SYN messages with the corresponding DL TCP SYN ACK messages. That is, either the application server is overloaded due to the high amount of simultaneous UL TCP SYN messages received or the application server intentionally avoids sending TCP SYN ACK messages trying to consume network resources.
  • the second node 112 detects DL TCP traffic from the fourth node 114, the Application Server.
  • the second node 112 forwards Application traffic towards the first device 131.
  • Figure 8 is a continuation of the procedure depicted in Figure 7.
  • the first node 111 answers the message in Step 22 with a successful response.
  • the application example.com, uses TCP as transport protocol.
  • this may be TCP, UDP or QIIIC.
  • QIIIC is more than a transport protocol. It goes over UDP transport protocol, but QIIIC may include an “embedded” transport protocol, so QIIIC related metrics may be possible to be obtained, and 3.b) the one or more protocol metrics for this protocol as the parameter Protocol-Metrics.
  • the application example.com uses TCP as transport protocol, the following TCP protocol metrics as one or more third indications are proposed, although the list is non-exhaustive: 3.b.1) First, the ratio of connection-oriented transport protocol setup request messages to connection-oriented transport protocol setup response messages for the session as the parameter “SYN to SYN- ACK ratio”.
  • 3. b.2) Second, the number of unacknowledged connection-oriented transport protocol setup request messages as the parameter “Unacked SYN volume”. This may be understood to indicate the number of TCP SYN messages for which no TCP SYN-ACK and/or TCP ACK messages have been detected by UPF for this UE- ID session. 3.b.3) Third, the volume of respective message of the first type received for the session as the parameter “SYN volume”.
  • the following metrics as one or more third indications may be used for UDP and QIIIC.
  • the application uses UDP as transport protocol
  • This may be understood to indicate the number of consecutive DL UDP messages, with different 5-tuple, usually different source port, for this UE-ID session and from the same server, over a certain timespan which may be configurable, initiated from the server side, that is, unsolicited traffic.
  • the parameter “UL Initial QUIC long header packet volume” This may be understood to indicate the average volume of each UL Initial QUIC long header packet for this UE-ID session. Additionally, in case the volume of an individual UL Initial QUIC long header packet exceeds a configurable threshold, this may also be reported.
  • This may be understood to indicate the number of consecutive UL Initial QUIC long header packets, with different 5-tuple, usually different source port, for this UE-ID session and for the same server, over a certain timespan which may also be configurable. 3.b.4”) Fourth, as the number of consecutive messages of another second type received for the session, the parameter “Simultaneous unsolicited DL QUIC same server”. This may be understood to indicate the number of consecutive DL Initial QUIC long header packets, with different 5-tuple, usually different source port, for this UE-ID session and from the same server, over a certain timespan which is also configurable, initiated from server side, that is, unsolicited traffic.
  • the first node 111 answers the message in Step 25 with a successful response.
  • the first node 111 in accordance with Action 512, 306, produces analytics based on the data collected from the third node 113, the first device 131 and the second node 112. Specifically, the first node 111 runs the following logic.
  • the first node 111 looks for matches between the 5-tuples collected from the first device 131 and the second node 112, and only for the flows where the above protocol metrics values have exceeded the configurable thresholds above.
  • the first node 111 stores the following information: 1) First, the second indication as the parameter List of Suspect UE-IDs, in this example, a single LIE-ID, which may include subscriber identifier, e.g. I MSI , and/or device identifier, e.g. I M El .
  • the respective fourth node 114 serving the first device 131 for the respective flow comprised in the session as the parameter List of Suspect Server IP, in this example, a single server, the fourth node 114.
  • the Application Server identified by Server IP, is the target of the DDoS attack.
  • the sixth indication of the suspected type of security attack with the parameter List of Suspect type of attack in this example, SYN flood.
  • SYN flood there may be different sub-categories, such as a brute force DDoS attack or a low rate DDoS attack, or being more granular: SYN flood, UDP flood, HTTP flood, Ping of death, Smurf attack, etc.
  • a confidence level may also be provided, e.g. a percentage from 0% to 100%.
  • subscriber identifier e.g. IMSI
  • device identifier e.g. I M El
  • UE-ID is the source of the DDoS attack.
  • the respective fourth node 114 serving the first device 131 for the respective flow comprised in the session as the parameter Suspect Server IP.
  • the Application Server shown in Figure 8 as a single server.
  • the Application Server, identified by Server IP is the target of the DDoS attack
  • the sixth indication of the suspected type of security attack as the parameter Suspect type of attack, e.g., SYN flood.
  • a confidence level may also be provided, e.g., a percentage from 0% to 100%.
  • the recommended action to mitigate the detected security attack as the parameter Recommended mitigation action e.g., block traffic
  • the recommended mitigation action may be determined by the the first node 111 based both on the detected type of attack and on the confidence level.
  • the another node 115 the Consumer answers the message in Step 28 with a successful response.
  • the another node 115 the Consumer, e.g., PCF or CAM, applies the corresponding actions based on the AnalyticResult.
  • the subscriber profile an indication of a subscriber subject to Security attacks and the corresponding Security related information.
  • the Consumer triggers towards the third node 113 a Nudr_Store request message including the following parameters: the second identifier of the first device 131 of the one or more devices 130 as the parameter LIE-ID.
  • LIE-ID is the source of the DDoS attack.
  • the fourth indication of the fourth node 114 serving the first device 131 for the flow as the parameter Suspect Server IP.
  • the Application Server identified by Server IP, is the target of the DDoS attack.
  • a second sixth indication of the suspected type of security attack as the parameter Suspect type of attack e.g. SYN flood.
  • the third node 113 stores the Securityinfo as part of the subscriber profile for LIE-ID.
  • the third node 113 answers the message in Step 31 with a successful response.
  • the another node 115 may be blocked or charged. It may be noted that some network operators do not charge TCP signaling traffic.
  • the another node 115 e.g., PCF
  • the Content Provider e.g., example.com
  • the Content Provider may take the corresponding actions, e.g., block the traffic at Application Server side.
  • the Securityinfo stored in the third node 113 may be used in subsequent sessions for the same indicated first device 131 , e.g., LIE-ID, e.g. to continue monitor Security related attacks for the same indicated first device 131 , e.g., via LIE-ID, and if the same behavior is found and/or if the accumulated suspect DDoS volume exceeds a configured threshold, the user may be notified accordingly.
  • LIE-ID e.g. to continue monitor Security related attacks for the same indicated first device 131 , e.g., via LIE-ID, and if the same behavior is found and/or if the accumulated suspect DDoS volume exceeds a configured threshold, the user may be notified accordingly.
  • the another node 115 may subscribe to a new analytic for security related attacks detection rules and/or models, for a certain type of security related attack, e.g. DDoS, in agreement with Action 501, 301.
  • the first node 111 may then, in agreement with Action 502, 302, trigger data collection, e.g., from one or more additional nodes 112, 113, e.g., UDR, UPF and the first device 131 , e.g., a UE.
  • the first node 111 may, according to Action 512, 306, run analytics processes and may obtain security related attacks detection rules and/or models.
  • the first node 111 may then, according to Action 307, 513 notify the another node 115 with the obtained security related attacks detection rules and/or models.
  • the another node 115 e.g., OAM, may then load the security related attacks detection rules and/or models in a security firewall network function, which may be integrated in the second node 112.
  • One advantage of embodiments herein is that they may allow an operator of the network to support prevention of security related attacks in a simple an efficient way, by detecting different security related attacks, specifically DDoS, and also by identifying which subscribers, devices, applications and servers may be responsible for it.
  • Embodiments herein may also be understood to work even when the traffic is encrypted, e.g. DNS encryption and/or HTTPS (TLS) or QIIIC based applications.
  • DNS DNS encryption
  • TLS HTTPS
  • QIIIC QIIIC based applications
  • Figure 9 depicts two different examples in panels a) and b), respectively, of the arrangement that the first node 111 may comprise to perform the method actions described above in relation to Figure 3, Figure 5, and/or Figures 6-8.
  • the first node 111 may comprise the following arrangement depicted in Figure 9a.
  • the first node 111 may be understood to be for handling security in the communications system 100.
  • the first node 111 is configured to operate in the communications system 100.
  • the first node 111 may be configured to be a NWDAF
  • the another node 115 may be configured to manage an analytics consumer
  • the one or more additional nodes 113, 114 may be configured to comprise one of a UPF, and a UDR.
  • the first node 111 is configured to, e.g. by means of a receiving unit 901 within the first node 111 configured to, receive, from the another node 115 configured to operate in the communications system 100, the first message.
  • the first message may be configured to request the subscription to receive the at least one indication being configured to indicate the security attack of the first type in the communications system 100 of at least one of: i) the first indication of the one or more applications that are the target or the source of the security attack of the first type in the communications system 100, and ii) the second indication of the one or more devices 130 configured to operate in the communications system 100 that are the target or a source of the security attack of the first type in the communications system 100.
  • the first node 111 is also configured to, e.g. by means of an initiating instructing unit
  • the 902 within the first node 111 configured to, initiate instructing, based on the first message configured to be received, at least one of: the one or more additional nodes 112, 113 configured to operate in the communications system 100 and the first device 131 of the one or more devices 130, to monitor the information indicative of the security attack of the first type.
  • the first node 111 is further configured to, e.g. by means of an initiating sending unit
  • the 903 within the first node 111 configured to, initiate sending, with the proviso that the security attack is detected based on the information configured to be monitored, the another message to the another node 115.
  • the another message is configured to comprise the at least one of the first indication and the second indication configured to be requested, based on the subscription configured to be requested.
  • the first node 111 may be configured to, e.g. by means of a determining unit 904 within the first node 111 configured to, determine, based on the one or more additional messages configured to be received from the at least one of: the one or more additional nodes 112, 113 and the first device 131, in response to the initiating instructing: i) whether or not the security attack has occurred, and ii) the at least one of the first indication and the second indication, as configured to be requested in the first message configured to be received.
  • the another message may be configured to be based a result of the determining.
  • the initiating instructing may be configured to comprise, e.g. by means of the initiating instructing unit 902 within the first node 111 configured to, sending the second message to the second node 112.
  • the second message may be configured to request the first information, of the information indicative of the security attack of the first type.
  • the first information may be configured to indicate the traffic indicators for the one or more devices 130 configured to be indicated.
  • the first node 111 may be further configured to, e.g. by means of the receiving unit 901 within the first node 111 configured to, receive from the second node 112, the first information configured to be requested in the first additional message of the one or more additional messages.
  • the first information may be configured to comprise at least one of: a) the first identifier of the first information, b) the second identifier of the first device 131 of the one or more devices 130, c) the third identifier of a protocol used for the traffic, and d) the one or more protocol metrics.
  • the one or more metrics may be configured to comprise the one or more third indications configured to indicate, respectively, the one of: a) the ratio of connection-oriented transport protocol setup request messages to connection-oriented transport protocol setup response messages for a session, b) the number of unacknowledged connection-oriented transport protocol setup request messages, c) the volume of respective message of the first type received for the session, d) the number of consecutive messages of the second type received for the session, e) the average size of the window for the session, f) the number of duplicated acknowledgement messages for the session, g) the number of packets sent for the session, h) the number of retransmitted information for the session, i) the maximum segment size for the session, j) the number of units of information sent during the initial window of the session, k) the maximum idle time between consecutive packets for the session, I) the minimum idle time between consecutive packets for the session, m) the throughput for the session, n) the respective start time of a respective flow comprised in the session
  • the initiating instructing may be configured to comprise, e.g. by means of the initiating instructing unit 902 within the first node 111 configured to, sending, based on the first message configured to be received, the third message to the third node 113.
  • the third message may be configured to request the second information, of the information indicative of the security attack of the first type.
  • the second information may be configured to indicate the history of security attacks of the first type for the one or more devices 130 configured to be indicated.
  • the first node 111 may be further configured to, e.g. by means of the receiving unit 901 within the first node 111 configured to, receive from the third node 113, the second information configured to be requested in the second additional message of the one or more additional messages.
  • the initiating instructing may be configured to comprise, e.g. by means of the initiating instructing unit 902 within the first node 111 configured to, sending the fourth message to the first device 131 of the one or more devices 130.
  • the fourth message may be configured to request the third information, of the information indicative of the security attack of the first type.
  • the third information may be configured to indicate the traffic indicators for one or more applications used by the first device 131.
  • the first node 111 may be further configured to, e.g. by means of the receiving unit 901 within the first node 111 configured to, receive from the first device 131 , the third information configured to be requested in the third additional message of the one or more additional messages.
  • the third information may be configured to comprise at least one of: a) the identifier of the first application used by the first device 131, b) the time of start of the flow run by the first device 131 on the first application, c) the fourth indication of the fourth node 114 configured to serve the first device 131 for the flow, and d) the fifth indication of the volume of traffic for the flow.
  • the security attack of the first type may be configured to be a DoS attack.
  • the another message may be further configured to comprise at least one of: a) the sixth indication of the suspected type of security attack, and b) the recommended action to mitigate the detected security attack.
  • the embodiments herein may be implemented through one or more processors, such as a processor 905 in the first node 111 depicted in Figure 9, together with computer program code for performing the functions and actions of the embodiments herein.
  • the program code mentioned above may also be provided as a computer program product, for instance in the form of a data carrier carrying computer program code for performing the embodiments herein when being loaded into the first node 111.
  • a data carrier carrying computer program code for performing the embodiments herein when being loaded into the first node 111.
  • One such carrier may be in the form of a CD ROM disc. It is however feasible with other data carriers such as a memory stick.
  • the computer program code may furthermore be provided as pure program code on a server and downloaded to the first node 111.
  • the first node 111 may further comprise a memory 906 comprising one or more memory units.
  • the memory 906 is arranged to be used to store obtained information, store data, configurations, schedulings, and applications etc. to perform the methods herein when being executed in the first node 111.
  • the first node 111 may receive information from, e.g., the second node 112, the third node 113, the fourth node 114, the another node 115, and/or any of the one or more devices 130 through a receiving port 907.
  • the receiving port 907 may be, for example, connected to one or more antennas in the first node 111.
  • the first node 111 may receive information from another structure in the communications system 100 through the receiving port 907. Since the receiving port 907 may be in communication with the processor 905, the receiving port 907 may then send the received information to the processor 905.
  • the receiving port 907 may also be configured to receive other information.
  • the processor 905 in the first node 111 may be further configured to transmit or send information to e.g., the second node 112, the third node 113, the fourth node 114, the another node 115, any of the one or more devices 130 and/or another structure in the communications system 100, through a sending port 908, which may be in communication with the processor 905, and the memory 906.
  • any of the units 901-904 described above may refer to a combination of analog and digital circuits, and/or one or more processors configured with software and/or firmware, e.g., stored in memory, that, when executed by the one or more processors such as the processor 905, perform as described above.
  • processors as well as the other digital hardware, may be included in a single Application-Specific Integrated Circuit (ASIC), or several processors and various digital hardware may be distributed among several separate components, whether individually packaged or assembled into a System-on-a-Chip (SoC).
  • ASIC Application-Specific Integrated Circuit
  • SoC System-on-a-Chip
  • any of the units 901-904 described above may be the processor 905 of the first node 111 , or an application running on such processor.
  • the methods according to the embodiments described herein for the first node 111 may be respectively implemented by means of a computer program 909 product, comprising instructions, i.e. , software code portions, which, when executed on at least one processor 905, cause the at least one processor 905 to carry out the actions described herein, as performed by the first node 111.
  • the computer program 909 product may be stored on a computer- readable storage medium 910.
  • the computer-readable storage medium 910, having stored thereon the computer program 909, may comprise instructions which, when executed on at least one processor 905, cause the at least one processor 905 to carry out the actions described herein, as performed by the first node 111.
  • the computer- readable storage medium 910 may be a non-transitory computer-readable storage medium, such as a CD ROM disc, a memory stick, or stored in the cloud space.
  • the computer program 909 product may be stored on a carrier containing the computer program, wherein the carrier is one of an electronic signal, optical signal, radio signal, or the computer-readable storage medium 910, as described above.
  • the first node 111 may comprise an interface unit to facilitate communications between the first node 111 and other nodes or devices, e.g., the second node 112, the third node 113, the fourth node 114, the another node 115, any of the one or more devices 130 and/or another structure in the communications system 100.
  • the interface may, for example, include a transceiver configured to transmit and receive radio signals over an air interface in accordance with a suitable standard.
  • the first node 111 may comprise the following arrangement depicted in Figure 9b.
  • the first node 111 may comprise a processing circuitry 905, e.g., one or more processors such as the processor 905, in the first node 111 and the memory 906.
  • the first node 111 may also comprise a radio circuitry 911 , which may comprise e.g., the receiving port 907 and the sending port 908.
  • the processing circuitry 905 may be configured to, or operable to, perform the method actions according to Figure 3, Figure 5, and/or Figures 6-8, in a similar manner as that described in relation to Figure 9a.
  • the radio circuitry 911 may be configured to set up and maintain at least a wireless connection with the second node 112, the third node 113, the fourth node 114, the another node 115, any of the one or more devices 130 and/or another structure in the communications system 100.
  • embodiments herein also relate to the first node 111 operative to handle security in the communications system 100, the first node 111 being operative to operate in the communications system 100.
  • the first node 111 may comprise the processing circuitry 905 and the memory 906, said memory 906 containing instructions executable by said processing circuitry 905, whereby the first node 111 is further operative to perform the actions described herein in relation to the first node 111, e.g., in Figure 3, Figure 5, and/or Figures 6-8.
  • Figure 10 depicts two different examples in panels a) and b), respectively, of the arrangement that the second node 112 may comprise to perform the method actions described above in relation to Figure 4, Figure 5, and/or Figures 6-8.
  • the second node 112 may comprise the following arrangement depicted in Figure 10a.
  • the second node 112 may be understood to be for handling security in the communications system 100.
  • the second node 112 may be configured to operate in the communications system 100.
  • the first node 111 may be configured to be a NWDAF
  • the second node 112 may be configured to be a UPF.
  • the second node 112 is configured to, e.g. by means of a receiving unit 1001 within the second node 112 configured to receive the instruction from the first node 111 configured to operate in the communications network 100 to monitor the information indicative of the security attack of the first type, by receiving the second message from the first node 111.
  • the second message is configured to request the first information, of the information indicative of the security attack of the first type.
  • the first information is configured to indicate the traffic indicators for the one or more devices 130 configured to operate in the communications system 100 that are the target or the source of the security attack of the first type in the communications system 100.
  • the second node 112 is also configured to, e.g. by means of a sending unit 1002 within the second node 112 configured to send the first information configured to be requested to the first node 111 , in the first additional message.
  • the first information may be configured to comprise at least one of: a) the first identifier of the first information, b) the second identifier of the first device 131 of the one or more devices 130, c) the third identifier of the protocol used for the traffic, and d) the one or more protocol metrics.
  • the one or more metrics may be configured to comprise the one or more third indications configured to indicate, respectively, the one of: a) the ratio of connection-oriented transport protocol setup request messages to connection-oriented transport protocol setup response messages for the session, b) the number of unacknowledged connection-oriented transport protocol setup request messages, c) the volume of the respective message of the first type received for the session, d) the number of consecutive messages of the second type received for the session, e) the average size of the window for the session, f) the number of duplicated acknowledgement messages for the session, g) the number of packets sent for the session, h) the number of retransmitted information for the session, i) the maximum segment size for the session, j) the number of units of information sent during the initial window of the session, k) the maximum idle time between consecutive packets for the session, I) the minimum idle time between consecutive packets for the session, m) the throughput for the session, n) the respective start time of the respective flow comprised in the session,
  • the embodiments herein may be implemented through one or more processors, such as a processor 1003 in the second node 112 depicted in Figure 10, together with computer program code for performing the functions and actions of the embodiments herein.
  • the program code mentioned above may also be provided as a computer program product, for instance in the form of a data carrier carrying computer program code for performing the embodiments herein when being loaded into the in the second node 112.
  • a data carrier carrying computer program code for performing the embodiments herein when being loaded into the in the second node 112.
  • One such carrier may be in the form of a CD ROM disc. It is however feasible with other data carriers such as a memory stick.
  • the computer program code may furthermore be provided as pure program code on a server and downloaded to the second node 112.
  • the second node 112 may further comprise a memory 1004 comprising one or more memory units.
  • the memory 1004 is arranged to be used to store obtained information, store data, configurations, schedulings, and applications etc. to perform the methods herein when being executed in the second node 112.
  • the second node 112 may receive information from, e.g., the first node 111 , the third node 113, the fourth node 114, the another node 115, and/or any of the one or more devices 130, through a receiving port 1005.
  • the receiving port 1005 may be, for example, connected to one or more antennas in the second node 112.
  • the second node 112 may receive information from another structure in the communications system 100 through the receiving port 1005. Since the receiving port 1005 may be in communication with the processor 1003, the receiving port 1005 may then send the received information to the processor 1003.
  • the receiving port 1005 may also be configured to receive other information.
  • the processor 1003 in the second node 112 may be further configured to transmit or send information to e.g., the first node 111, the third node 113, the fourth node 114, the another node 115, any of the one or more devices 130, and/or another structure in the communications system 100, through a sending port 1006, which may be in communication with the processor 1003, and the memory 1004.
  • the units 1001-1002 described above may refer to a combination of analog and digital circuits, and/or one or more processors configured with software and/or firmware, e.g., stored in memory, that, when executed by the one or more processors such as the processor 1003, perform as described above.
  • processors as well as the other digital hardware, may be included in a single Application-Specific Integrated Circuit (ASIC), or several processors and various digital hardware may be distributed among several separate components, whether individually packaged or assembled into a System-on-a-Chip (SoC).
  • ASIC Application-Specific Integrated Circuit
  • SoC System-on-a-Chip
  • the units 1001-1002 described above may be the processor 1003 of the second node 112, or an application running on such processor.
  • the methods according to the embodiments described herein for the second node 112 may be respectively implemented by means of a computer program 1007 product, comprising instructions, i.e. , software code portions, which, when executed on at least one processor 1003, cause the at least one processor 1003 to carry out the actions described herein, as performed by the second node 112.
  • the computer program 1007 product may be stored on a computer-readable storage medium 1008.
  • the computer-readable storage medium 1008, having stored thereon the computer program 1007, may comprise instructions which, when executed on at least one processor 1003, cause the at least one processor 1003 to carry out the actions described herein, as performed by the second node 112.
  • the computer-readable storage medium 1008 may be a non-transitory computer-readable storage medium, such as a CD ROM disc, a memory stick, or stored in the cloud space.
  • the computer program 1007 product may be stored on a carrier containing the computer program, wherein the carrier is one of an electronic signal, optical signal, radio signal, or the computer-readable storage medium 1008, as described above.
  • the second node 112 may comprise an interface unit to facilitate communications between the second node 112 and other nodes or devices, e.g., the first node 111, the third node 113, the fourth node 114, the another node 115, any of the one or more devices 130, and/or another structure in the communications system 100.
  • the interface may, for example, include a transceiver configured to transmit and receive radio signals over an air interface in accordance with a suitable standard.
  • the second node 112 may comprise the following arrangement depicted in Figure 10b.
  • the second node 112 may comprise a processing circuitry 1003, e.g., one or more processors such as the processor 1003, in the second node 112 and the memory 1004.
  • the second node 112 may also comprise a radio circuitry 1009, which may comprise e.g., the receiving port 1005 and the sending port 1006.
  • the processing circuitry 1003 may be configured to, or operable to, perform the method actions according to Figure 4, Figure 5, and/or Figures 6-8, in a similar manner as that described in relation to Figure 10a.
  • the radio circuitry 1009 may be configured to set up and maintain at least a wireless connection with the first node 111 , the third node 113, the fourth node 114, the another node 115, any of the one or more devices 130, and/or another structure in the communications system 100.
  • embodiments herein also relate to the second node 112 operative to handle security in the communications system 100, the second node 112 being operative to operate in the communications system 100.
  • the second node 112 may comprise the processing circuitry 1003 and the memory 1004, said memory 1004 containing instructions executable by said processing circuitry 1003, whereby the second node 112 is further operative to perform the actions described herein in relation to the second node 112, e.g., in Figure 4, Figure 5, and/or Figures 6-8.
  • Figure 11 depicts two different examples in panels a) and b), respectively, of the arrangement that the communications system 100 may comprise to perform the method actions described above in relation to Figure 5.
  • the arrangement depicted in panel a) corresponds to that described in relation to panel a) in Figure 9 and Figure 10 for each of the first node 111 and as additional node, the second node 112, respectively.
  • the third node 113 may have an equivalent arrangement to that described for the second node 112.
  • the first device 131 may have to perform the Actions performed by it in Figure 5.
  • the arrangement depicted in panel b) corresponds to that described in relation to panel b) in Figure 9 and Figure 10 for each of the first node 111 and as additional node, the second node 112, respectively. It may be understood that the third node 113 may have an equivalent arrangement to that described for the second node 112. Also depicted is an alternative arrangement the first device 131 may have to perform the Actions performed by it in Figure 5.
  • the communications system 100 may be for handling security in the communications system 100.
  • the first node 111 may be configured to be a NWDAF
  • the another node 115 may be configured to manage an analytics consumer
  • the one or more additional nodes 113, 114 may be configured to comprise one of a UPF, and a UDR.
  • the communications system 100 is configured to, e.g. by means of the receiving unit 901 within the first node 111 configured to, receive, by the first node 111 , from the another node 115 configured to operate in the communications system 100, the first message.
  • the first message may be configured to request the subscription to receive the at least one indication being configured to indicate the security attack of the first type in the communications system 100 of at least one of: i) the first indication of the one or more applications that are the target or the source of the security attack of the first type in the communications system 100, and ii) the second indication of the one or more devices 130 configured to operate in the communications system 100 that are the target or the source of the security attack of the first type in the communications system 100.
  • the communications system 100 is also configured to, e.g. by means of the initiating instructing unit 902 within the first node 111 configured to, initiate instructing, by the first node 111 and based on the first message configured to be received, at least one of: the one or more additional nodes 112, 113 configured to operate in the communications system 100 and the first device 131 of the one or more devices 130, to monitor the information indicative of the security attack of the first type.
  • the communications system 100 is configured to, e.g. by means of the receiving unit 1001 within the second node 112 configured to receive, by the second node 112 of the one or more additional nodes 112, 113, the instruction from the first node 111 to monitor the information indicative of the security attack of the first type, by receiving the second message from the first node 111.
  • the second message is configured to request the first information, of the information indicative of the security attack of the first type.
  • the first information is configured to indicate the traffic indicators for the one or more devices 130 configured to operate in the communications system 100 that are the target or the source of the security attack of the first type in the communications system 100.
  • the communications system 100 is also configured to, e.g. by means of the sending unit 1002 within the second node 112 configured to, send, by the second node 112, the first information configured to be requested to the first node 111 , in the first additional message.
  • the communications system 100 is further configured to, e.g. by means of the initiating sending unit 903 within the first node 111 configured to, initiate sending, by the first node 111, with the proviso that the security attack is detected based on the information configured to be monitored, the another message to the another node 115.
  • the another message is configured to comprise the at least one of the first indication and the second indication configured to be requested, based on the subscription configured to be requested.
  • the communications system 100 may be configured to, e.g. by means of the determining unit 904 within the first node 111 configured to, determine, by the first node 111 and based on the one or more additional messages configured to be received from the at least one of: the one or more additional nodes 112, 113 and the first device 131 , in response to the initiating instructing: i) whether or not the security attack has occurred, and ii) the at least one of the first indication and the second indication, as configured to be requested in the first message configured to be received.
  • the another message may be configured to be based a result of the determining.
  • the initiating instructing may be configured to comprise, e.g. by means of the initiating instructing unit 902 within the first node 111 configured to, sending, by the first node 111, the second message to the second node 112.
  • the first node 111 may be further configured to, e.g. by means of the receiving unit 901 within the first node 111 configured to, receive, by the first node 111, from the second node 112, the first information configured to be requested in the first additional message of the one or more additional messages.
  • the first information may be configured to comprise at least one of: a) the first identifier of the first information, b) the second identifier of the first device 131 of the one or more devices 130, c) the third identifier of a protocol used for the traffic, and d) the one or more protocol metrics.
  • the one or more metrics may be configured to comprise the one or more third indications configured to indicate, respectively, the one of: a) the ratio of connection-oriented transport protocol setup request messages to connection-oriented transport protocol setup response messages for a session, b) the number of unacknowledged connection-oriented transport protocol setup request messages, c) the volume of respective message of the first type received for the session, d) the number of consecutive messages of the second type received for the session, e) the average size of the window for the session, f) the number of duplicated acknowledgement messages for the session, g) the number of packets sent for the session, h) the number of retransmitted information for the session, i) the maximum segment size for the session, j) the number of units of information sent during the initial window of the session, k) the maximum idle time between consecutive packets for the session, I) the minimum idle time between consecutive packets for the session, m) the throughput for the session, n) the respective start time of the respective flow comprised in the session,
  • the initiating instructing may be configured to comprise, e.g. by means of the initiating instructing unit 902 within the first node 111 configured to, sending, by the first node 111 and based on the first message configured to be received, the third message to the third node 113.
  • the third message may be configured to request the second information, of the information indicative of the security attack of the first type.
  • the second information may be configured to indicate the history of security attacks of the first type for the one or more devices 130 configured to be indicated.
  • the communications system 100 may be further configured to, e.g. by means of a respective receiving unit 1001 within the third node 113 configured to, receive by the third node 113, from the first node 111 , the third message.
  • the communications system 100 may be further configured to, e.g. by means of the a respective sending unit 1002 within the first node 111 configured to, send, by the third node 113, to the first node 111 , the second information configured to be requested in the second additional message of the one or more additional messages.
  • the communications system 100 may be further configured to, e.g. by means of the receiving unit 901 within the first node 111 configured to, receive, by the first node 111 , from the third node 113, the second information configured to be requested in the second additional message.
  • the initiating instructing may be configured to comprise, e.g. by means of the initiating instructing unit 902 within the first node 111 configured to, sending, by the first node 111 , the fourth message to the first device 131 of the one or more devices 130.
  • the fourth message may be configured to request the third information, of the information indicative of the security attack of the first type.
  • the third information may be configured to indicate the traffic indicators for one or more applications used by the first device 131 .
  • the communications system 100 may be further configured to, e.g. by means of a receiving unit 1101 within the first device 131 configured to, receive, by the first device 131 , from the first node 111 , the fourth message.
  • the communications system 100 may be further configured to, e.g. by means of a sending unit 1101 within the first device 131 configured to, send, by the first device 131 , to the first node 111 , the third information configured to be requested in the third additional message of the one or more additional messages.
  • the communications system 100 may be further configured to, e.g. by means of the receiving unit 901 within the first node 111 configured to, receive from the first device 131 , the third information configured to be requested in the third additional message.
  • the third information may be configured to comprise at least one of: a) the identifier of the first application used by the first device 131 , b) the time of start of the flow run by the first device 131 on the first application, c) the fourth indication of the fourth node 114 configured to serve the first device 131 for the flow, and d) the fifth indication of the volume of traffic for the flow.
  • the security attack of the first type may be configured to be a DoS attack.
  • the another message may be further configured to comprise at least one of: a) the sixth indication of the suspected type of security attack, and b) the recommended action to mitigate the detected security attack.
  • first node 111 and the second node 112 in relation to Figure 11 may be understood to correspond to those described in Figure 9, and Figure 10, respectively, and to be performed, e.g., by means of the corresponding units and arrangements described in Figure 9 and Figure 10, which will not be repeated here. It may be understood that the third node 113, as additional node, may have an equivalent arrangement to that described for the second node 112.
  • the embodiments herein may be implemented through one or more processors, such as a processor 1103 in the first device 131 depicted in Figure 11 , together with computer program code for performing the functions and actions of the embodiments herein.
  • the program code mentioned above may also be provided as a computer program product, for instance in the form of a data carrier carrying computer program code for performing the embodiments herein when being loaded into the in the first device 131.
  • a data carrier carrying computer program code for performing the embodiments herein when being loaded into the in the first device 131.
  • One such carrier may be in the form of a CD ROM disc. It is however feasible with other data carriers such as a memory stick.
  • the computer program code may furthermore be provided as pure program code on a server and downloaded to the first device 131.
  • the first device 131 may further comprise a memory 1104 comprising one or more memory units.
  • the memory 1104 is arranged to be used to store obtained information, store data, configurations, schedulings, and applications etc. to perform the methods herein when being executed in the first device 131.
  • the first device 131 may receive information from, e.g., the first node 111 , the second node 112, the third node 113, the fourth node 114, the another node 115, and/or any of the other one or more devices 130, through a receiving port 1105.
  • the receiving port 1105 may be, for example, connected to one or more antennas in the first device 131.
  • the first device 131 may receive information from another structure in the communications system 100 through the receiving port 1105. Since the receiving port 1105 may be in communication with the processor 1103, the receiving port 1105 may then send the received information to the processor 1103.
  • the receiving port 1105 may also be configured to receive other information.
  • the processor 1103 in the first device 131 may be further configured to transmit or send information to e.g., the first node 111 , the second node 112, the third node 113, the fourth node 114, the another node 115, any of the other one or more devices 130, and/or another structure in the communications system 100, through a sending port 1106, which may be in communication with the processor 1103, and the memory 1104.
  • the units 1101-1102 described above may refer to a combination of analog and digital circuits, and/or one or more processors configured with software and/or firmware, e.g., stored in memory, that, when executed by the one or more processors such as the processor 1103, perform as described above.
  • processors as well as the other digital hardware, may be included in a single Application-Specific Integrated Circuit (ASIC), or several processors and various digital hardware may be distributed among several separate components, whether individually packaged or assembled into a System-on-a-Chip (SoC).
  • ASIC Application-Specific Integrated Circuit
  • SoC System-on-a-Chip
  • the units 1101-1102 described above may be the processor 1103 of the first device 131 , or an application running on such processor.
  • the methods according to the embodiments described herein for the first device 131 may be respectively implemented by means of a computer program 1107 product, comprising instructions, i.e. , software code portions, which, when executed on at least one processor 1103, cause the at least one processor 1103 to carry out the actions described herein, as performed by the first device 131.
  • the computer program 1107 product may be stored on a computer-readable storage medium 1108.
  • the computer-readable storage medium 1108, having stored thereon the computer program 1107 may comprise instructions which, when executed on at least one processor 1103, cause the at least one processor 1103 to carry out the actions described herein, as performed by the first device 131.
  • the computer-readable storage medium 1108 may be a non-transitory computer-readable storage medium, such as a CD ROM disc, a memory stick, or stored in the cloud space.
  • the computer program 1107 product may be stored on a carrier containing the computer program, wherein the carrier is one of an electronic signal, optical signal, radio signal, or the computer-readable storage medium 1108, as described above.
  • the first device 131 may comprise an interface unit to facilitate communications between the first node 111 , the second node 112, the third node 113, the fourth node 114, the another node 115, any of the other one or more devices 130, and/or another structure in the communications system 100.
  • the interface may, for example, include a transceiver configured to transmit and receive radio signals over an air interface in accordance with a suitable standard.
  • the first device 131 may comprise the following arrangement depicted in Figure 11b.
  • the first device 131 may comprise a processing circuitry 1103, e.g., one or more processors such as the processor 1103, in the first device 131 and the memory 1104.
  • the first device 131 may also comprise a radio circuitry 1109, which may comprise e.g., the receiving port 1105 and the sending port 1106.
  • the processing circuitry 1103 may be configured to, or operable to, perform the method actions according to Figure 5, and/or Figures 6-8, in a similar manner as that described in relation to Figure 11a.
  • the radio circuitry 1109 may be configured to set up and maintain at least a wireless connection with the first node 111, the second node 112, the third node 113, the fourth node 114, the another node 115, any of the other one or more devices 130, and/or another structure in the communications system 100.
  • embodiments herein also relate to the first device 131 operative to handle security in the communications system 100, the first device 131 being operative to operate in the communications system 100.
  • the first device 131 may comprise the processing circuitry 1103 and the memory 1104, said memory 1104 containing instructions executable by said processing circuitry 1103, whereby the first device 131 is further operative to perform the actions described herein in relation to the first device 131, e.g., in Figure 5, and/or Figures 6-8.
  • the expression “at least one of:” followed by a list of alternatives separated by commas, and wherein the last alternative is preceded by the “and” term, may be understood to mean that only one of the list of alternatives may apply, more than one of the list of alternatives may apply or all of the list of alternatives may apply.
  • This expression may be understood to be equivalent to the expression “at least one of:” followed by a list of alternatives separated by commas, and wherein the last alternative is preceded by the “or” term.
  • processor and circuitry may be understood herein as a hardware component.
  • the expression “in some embodiments” has been used to indicate that the features of the embodiment described may be combined with any other embodiment or example disclosed herein.
  • 3GPP TS 23.288 v16.5.0 (Sept 2020): Architecture enhancements for 5G System (5GS) to support network data analytics services.

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)

Abstract

Procédé mis en œuvre par ordinateur, par un premier nœud (111), pour gérer la sécurité dans un système de communications (100). Le premier nœud (111) reçoit (301), en provenance d'un autre nœud (115), un premier message. Le premier message demande une adhésion pour recevoir au moins une indication indiquant une attaque de sécurité, constituée d'au moins l'une parmi : i) une première indication d'une ou plusieurs applications, et ii) une seconde indication d'un ou plusieurs dispositifs (130), qui sont une cible ou une source de l'attaque. Le premier nœud (111) initie (302) l'instruction, sur la base du premier message, d'au moins un composant parmi : un ou plusieurs nœuds supplémentaires (112, 113) et un premier dispositif (131), pour surveiller des informations décrivant l'attaque. Le premier nœud (111) initie (307) l'envoi, à la condition que l'attaque de sécurité soit détectée, d'un autre message à l'autre nœud (115) comprenant l'au moins une indication parmi la première et la seconde indication.
EP21720779.4A 2021-02-05 2021-04-27 Premier noeud, second noeud, système de communications et procédés effectués par ceux-ci pour gérer la sécurité dans un système de communications Pending EP4289089A1 (fr)

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
EP21382097 2021-02-05
PCT/EP2021/060946 WO2022167105A1 (fr) 2021-02-05 2021-04-27 Premier nœud, second nœud, système de communications et procédés effectués par ceux-ci pour gérer la sécurité dans un système de communications

Publications (1)

Publication Number Publication Date
EP4289089A1 true EP4289089A1 (fr) 2023-12-13

Family

ID=74732829

Family Applications (1)

Application Number Title Priority Date Filing Date
EP21720779.4A Pending EP4289089A1 (fr) 2021-02-05 2021-04-27 Premier noeud, second noeud, système de communications et procédés effectués par ceux-ci pour gérer la sécurité dans un système de communications

Country Status (3)

Country Link
EP (1) EP4289089A1 (fr)
CN (1) CN117136526A (fr)
WO (1) WO2022167105A1 (fr)

Family Cites Families (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
WO2018141432A1 (fr) * 2017-01-31 2018-08-09 Telefonaktiebolaget Lm Ericsson (Publ) Procédé et fonction de détection d'attaque pour la détection d'une attaque distribuée dans un réseau sans fil
WO2019032968A1 (fr) * 2017-08-11 2019-02-14 Convida Wireless, Llc Analyse de données de réseau dans un réseau de communication
WO2019201458A1 (fr) * 2018-04-17 2019-10-24 Telefonaktiebolaget Lm Ericsson (Publ) Procédés, nœuds et réseau d'opérateur pour permettre la gestion d'une attaque vers une application
US11140048B2 (en) * 2019-01-11 2021-10-05 Huawei Technologies Co., Ltd. Sharable storage method and system for network data analytics

Also Published As

Publication number Publication date
WO2022167105A1 (fr) 2022-08-11
CN117136526A (zh) 2023-11-28

Similar Documents

Publication Publication Date Title
US10506492B2 (en) System and method to facilitate link aggregation using network-based internet protocol (IP) flow mobility in a network environment
US20210250771A1 (en) Method For Determining Class Information And Apparatus
KR101778705B1 (ko) 이동통신 시스템에서 위치 기반 pcc 제어 방법 및 시스템, 위치 기반 pcc 제어를 위한 패킷 데이터 네트워크 게이트웨이 장치
US11765200B2 (en) Methods, nodes and operator network for enabling management of an attack towards an application
EP3687135B1 (fr) Surveillance de dispositifs, et procédé et appareil de désinscription
US20220294791A1 (en) Methods and nodes for handling overload
US11895533B2 (en) Method for controlling connection between terminal and network, and related apparatus
Henrydoss et al. Critical security review and study of DDoS attacks on LTE mobile network
EP3257286B1 (fr) Atténuation de l'impact des attaques de l'internet dans un ran à l'aide du transport internet
US9538422B2 (en) Blind mobility load balancing between source and target cells
EP4289089A1 (fr) Premier noeud, second noeud, système de communications et procédés effectués par ceux-ci pour gérer la sécurité dans un système de communications
US20230379293A1 (en) Methods for Handling Usage of a Domain Name Service and Corresponding Devices
US20230164623A1 (en) Application Function Node, Access and Mobility Management Function Node, System and Methods in a Communications Network
US20220321251A1 (en) Methods and arrangements for determining parameters of bursts for data flow transmission in a wireless communication network based on channel quality
WO2023020747A1 (fr) Premier nœud, deuxième nœud, troisième nœud, système de communication et procédés ainsi effectués pour gérer une attaque par déni de service (dos)
US20240196180A1 (en) First Node, Second Node, Communications System and Methods Performed Thereby for Handling One or More Data Sessions
US20240276293A1 (en) First Node, Second Node, and Methods Performed Thereby for Handling Traffic From the Second Node
US20220377558A1 (en) Facilitation of protection from 5g or other next generation network user equipment denial of service attacks
US9781136B2 (en) Mitigating the impact from internet attacks in a RAN using internet transport

Legal Events

Date Code Title Description
STAA Information on the status of an ep patent application or granted ep patent

Free format text: STATUS: UNKNOWN

STAA Information on the status of an ep patent application or granted ep patent

Free format text: STATUS: THE INTERNATIONAL PUBLICATION HAS BEEN MADE

PUAI Public reference made under article 153(3) epc to a published international application that has entered the european phase

Free format text: ORIGINAL CODE: 0009012

STAA Information on the status of an ep patent application or granted ep patent

Free format text: STATUS: REQUEST FOR EXAMINATION WAS MADE

17P Request for examination filed

Effective date: 20230831

AK Designated contracting states

Kind code of ref document: A1

Designated state(s): AL AT BE BG CH CY CZ DE DK EE ES FI FR GB GR HR HU IE IS IT LI LT LU LV MC MK MT NL NO PL PT RO RS SE SI SK SM TR

DAV Request for validation of the european patent (deleted)
DAX Request for extension of the european patent (deleted)