WO2022027572A1 - Security management service in management plane


Info

Publication number
WO2022027572A1
Authority
WO
WIPO (PCT)
Prior art keywords
security risk
network
security
data
network function
Application number
PCT/CN2020/107763
Other languages
French (fr)
Inventor
Konstantinos Samdanis
Iris ADAM
Anja Jerichow
Chaitanya Aggarwal
Jing PING
Original Assignee
Nokia Shanghai Bell Co., Ltd.
Nokia Solutions And Networks Oy
Nokia Technologies Oy
Application filed by
Nokia Shanghai Bell Co., Ltd., Nokia Solutions And Networks Oy, Nokia Technologies Oy
Priority to
PCT/CN2020/107763 (WO2022027572A1)
CN202080105176.7A (CN116114220A)

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F 21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F 21/50 Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • G06F 21/55 Detecting local intrusion or implementing counter-measures
    • G06F 21/552 Detecting local intrusion or implementing counter-measures involving long-term monitoring or reporting
    • G06F 21/554 Detecting local intrusion or implementing counter-measures involving event detection and direct action
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 63/00 Network architectures or network communication protocols for network security
    • H04L 63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L 63/1408 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
    • H04L 63/1425 Traffic logging, e.g. anomaly detection

Definitions

  • Example embodiments of the present disclosure generally relate to the field of communication, and in particular, to a device, method and computer readable storage medium for security management.
  • NFs Network Functions
  • MDAS Management Data Analytics Services
  • security measures are currently provided only on the terminal side, in the control plane of networks.
  • example embodiments of the present disclosure provide a device, method and computer readable storage medium for security management.
  • a device which comprises at least one processor and at least one memory including computer program code.
  • the at least one memory and the computer program code are configured to, with the at least one processor, cause the device to collect, from a plurality of devices, data for security management.
  • the device is further caused to identify a security risk based on the collected data and send notification of the security risk to facilitate mitigation of the security risk.
  • a method is provided.
  • data for security management is collected from a plurality of devices.
  • a security risk is identified based on the collected data. Further, notification of the security risk is sent to facilitate mitigation of the security risk.
  • an apparatus comprising means for performing the method according to the second aspect.
  • a computer readable storage medium comprising program instructions stored thereon. The instructions, when executed by a processor of a device, cause the device to perform the method according to the second aspect.
  • FIG. 1 illustrates an example of cross-domain MDAS architecture
  • FIG. 2 illustrates an example environment in which example embodiments of the present disclosure can be implemented
  • FIG. 3 illustrates a flowchart of an example method according to some example embodiments of the present disclosure.
  • FIG. 4 illustrates a simplified block diagram of a device that is suitable for implementing example embodiments of the present disclosure.
  • NF network function
  • NF refers to a physical, virtual or hybrid function or entity which is deployed at a network side and provides one or more services to clients.
  • an NF may be arranged at a device in an access network or a core network.
  • the NF may be implemented in hardware, software, firmware, or some combination thereof.
  • circuitry may refer to one or more or all of the following:
  • combinations of hardware circuits and software such as (as applicable): (i) a combination of analog and/or digital hardware circuit(s) with software/firmware and (ii) any portions of hardware processor(s) with software (including digital signal processor(s)), software, and memory(ies) that work together to cause an apparatus, such as a mobile phone or server, to perform various functions; and
  • circuitry also covers an implementation of merely a hardware circuit or processor (or multiple processors) or portion of a hardware circuit or processor and its (or their) accompanying software and/or firmware.
  • circuitry also covers, for example and if applicable to the particular claim element, a baseband integrated circuit or processor integrated circuit for a mobile device or a similar integrated circuit in a server, a cellular base station, or other computing or base station.
  • As used herein, the terms “first”, “second” and the like may be used herein to describe various elements, these elements should not be limited by these terms. These terms are only used to distinguish one element from another. For example, a first element could be referred to as a second element, and similarly, a second element could be termed a first element, without departing from the scope of example embodiments. As used herein, the term “and/or” includes any and all combinations of one or more of the listed terms.
  • a Network Data Analytics Function can provide security analysis related to an abnormal behavior of user equipment (UE) or a Mobile Initiated Connection Only (MICO) device.
  • UE user equipment
  • MICO Mobile Initiated Connection Only
  • the NWDAF could provide to other NFs alerts for anomaly events together with additional information on a possible cause for the anomaly events, thus allowing for 5G service automation, or allowing for troubleshooting in general.
  • the information about anomaly events is currently identified as a key issue. This means that such information could potentially be provided to other NFs so that the NFs could take proper actions. For example, such information could be provided to a Policy Control Function (PCF) to derive different policies.
  • PCF Policy Control Function
  • the NWDAF can also provide support for detecting cyber-attacks. Cyber-attacks may be efficiently detected by monitoring events and data packets at the UE and on the network side with the support of the NWDAF and machine-learning algorithms, for example.
  • the UE and NWDAF collaborate with each other to detect the attacks that may occur at a UE or in a RAN or core network. Alerts for the attack detection could be provided to Operations, Administration and Maintenance (OAM) and 5G Core (5GC) NFs that have subscribed to the alerts so that the NFs could take the corresponding actions.
  • OAM Operations, Administration and Maintenance
  • 5GC 5G Core
  • NWDAF-based security analytics could detect some security issues in a core network, but this detection is at an early stage where only a key issue and a problem statement exist, without a solution. Moreover, such security analytics is limited in addressing more advanced threats, which may need correlated data collected from multiple domains and covering various aspects.
  • MDAS Management Data Analytics Services
  • RAN Radio Access Network
  • 5G fifth generation
  • E2E end-to-end
  • FIG. 1 shows an example of cross-domain MDAS architecture 100.
  • a cross-domain MDAS consumer can interact with corresponding MDAS producers in RAN and 5G Core domains.
  • a CN MDAS producer 105 may interact with a Network Data Analytics Function (NWDAF) 110 via an Nnwdaf interface 115 or an MDAS interface 220 to use the analytics result of the NWDAF 110 as input.
  • NWDAF 110 Network Data Analytics Function
  • an MDAS producer may provide analytics data for management purposes based on the data related to different types of NFs, such as data reported from New Radio (NR) NodeB (gNB) and other core network functions.
  • NR New Radio
  • gNB New Radio NodeB
  • MDAS enables automation analysis of raw data related to network and service events in the management plane, for example, as specified in the 3rd Generation Partnership Project (3GPP) specifications such as 3GPP TS 28.552, TS 28.553 and TS 28.554.
  • 3GPP 3rd Generation Partnership Project
  • the network and service events may be related to the following aspects:
  • MDT Minimization of Drive Tests (trace)
  • RLF Radio Link Failure
  • RCEF RRC Connection Establishment Failure
  • MDAS may additionally consume analytics knowledge, such as processed data, and network analytics input from different domains, such as a core network (for example, from an NWDAF) and a RAN. Meanwhile, MDAS can be consumed by Management Functions or Management Service (MnS) consumers, 5G core NFs such as an NWDAF, Self-Organizing Network (SON) functions, optimization tools and human operators.
  • MnS Management Service
  • SON Self-Organizing Network
  • MDAS provides services related only to service assurance, troubleshooting and network optimization, and has not addressed or covered security threat detection and analysis.
  • security risk assessment and analytics are not considered for MDAS, which instead focuses on fault management concentrating on abnormal behaviors.
  • the fault management may be based on measurements with respect to radio condition including Channel Quality Indicator (CQI) , Radio Resource Control (RRC) , Transport Block (TB) and throughput of RAN and 5G Core, as well as performance of session and mobility, such as Protocol Data Unit (PDU) session and Quality of Service (QoS) flow, and User Plane Function (UPF) and network slice failure related issues.
  • CQI Channel Quality Indicator
  • RRC Radio Resource Control
  • TB Transport Block
  • PDU Protocol Data Unit
  • QoS Quality of Service
  • UPF User Plane Function
  • NFV Network Function Virtualization
  • Example embodiments of the present disclosure provide a scheme for security risk assessment and analytics based on correlated data with respect to failure, virtualization and network function (NF) or UE context and other aspects.
  • This scheme collects data such as performance measurements, event data, configuration data and logs from a plurality of different devices. These devices may comprise a network element (NE), a network function (NF), and/or a network function virtualization (NFV) orchestrator and may act as a management service consumer and/or a management service producer. Based on the collected data, a security risk is identified and then notification of the security risk is sent out to facilitate mitigation of the security risk.
  • NE network element
  • NF network function
  • NFV network function virtualization
  • This scheme introduces a new analytics service related to security risk assessment.
  • a security risk such as advanced persistent threat (APT) can be identified based on the data collected from a plurality of devices.
  • APT advanced persistent threat
  • This scheme further introduces a specific interface to notify an identified security risk to facilitate mitigation of the security risk. For example, the notification may be sent to an NF, a management system or device or a human operator such that the corresponding actions may be taken to isolate the security risk or harden network security.
  • FIG. 2 shows an example environment 200 in which example embodiments of the present disclosure can be implemented.
  • the environment 200 which may be a part of a communication network, comprises a management device 210 to provide management services, in particular, related to security risk assessment.
  • the management device 210 may be implemented by a MDAS producer in any suitable domain such as a RAN or a core network (for example, 5GC) . Any other suitable device capable of providing management services may also function as the management device 210.
  • the management device 210 can communicate with a plurality of devices 220-1...220-N where N represents any suitable positive integer greater than 1.
  • the plurality of devices 220-1...220-N will be collectively or individually referred to as a device or devices 220.
  • the devices 220 may comprise any suitable device located on different domains and may enable one or more NFs and/or network services. Examples of the devices 220 may comprise an NE, an NF and/or a NFV orchestrator and may act as a management service consumer and/or producer.
  • the communication between the management device 210 and the plurality of devices 220 may be performed in a wired or wireless way and may utilize any suitable communication technology that is existing or to be developed in the future. The scope of the present disclosure will not be limited in this regard.
  • the management device 210 collects from the plurality of devices 220 data for security management, which may comprise performance measurements, event data, and/or logs related to network security.
  • the data may be generated at the plurality of devices 220 or obtained by the plurality of devices 220 from other devices which generate the data.
  • the management device 210 identifies a security risk and sends out notification of the security risk to facilitate mitigation of the security risk.
  • FIG. 3 shows a flowchart of an example method 300 according to some example embodiments of the present disclosure.
  • the method 300 can be implemented at the management device 210 (such as a MDAS producer) as shown in FIG. 2 or any other suitable device capable of providing security management services.
  • the method 300 will be described with reference to FIG. 2.
  • data for security management is collected from the plurality of devices 220.
  • the collected data may comprise any suitable data related to network security.
  • the collected data may comprise various performance measurements that may be collected at individual NFs or NEs, NF orchestrators or a management system in terms of failures and disruptions, virtualized resources and/or behavior, NF or UE context information, and the like.
  • some performance measurements may be dedicated for security management.
  • the collected performance measurements may be related to NF relocation, NF performance with respect to specific key performance indicators (KPIs) such as latency, and other NF communication behaviors (for example, how one NF interacts with another NF) .
  • KPIs key performance indicators
  • Such performance measurements may comprise delay (especially excessive delay) in accessing an NF such as an Access and Mobility Management Function (AMF) or a Session Management Function (SMF).
  • these performance measurements may comprise communication between NFs, especially abnormal and excessive NF communication. For example, if an AMF uses a different SMF without performing an expected selection process, abnormal NF communication may be indicated. If an AMF overloads an SMF unexpectedly, excessive NF communication is indicated.
  • the dedicated performance measurements may comprise timing, duration, success rate and/or frequency (or rate) of relocation of a NF and/or a location of a NF with respect to a data network.
  • the collected data may comprise event data, including, for example, fault measurements or other event measurements.
  • the fault measurements may comprise alarm data which comprises any suitable alarm information such as types of alarms.
  • the collected data may comprise configuration data, logs, service data, network topology and the like.
  • the security risk may comprise any risk related to network security.
  • the security risk may be related to abnormal resource usage associated with a network object.
  • the network object may be any suitable object such as a device, a function or a service in a network, which may comprise an NF, a PDU session, a QoS flow or the like.
  • the network object may be enabled by one or more of the plurality of devices 220 or by other devices.
  • the security management may correlate UE procedures or other events with resource usage with respect to a Central Processing Unit (CPU) , a storage, a disk, virtual resources and the like.
  • CPU Central Processing Unit
  • the expected CPU, storage or disk resource usage should reflect the relevant UE and event processes.
  • a NF maintains a predetermined amount of UEs, Protocol Data Unit (PDU) sessions, Quality of Service (QoS) flows or other UE related context.
  • maintaining this context requires a fixed or expected amount of virtual resources and storage that should not surpass certain limits. If the amount of consumed resources exceeds a certain limit, there could be a security risk, especially if no other fault alarms indicate a reason other than a security risk.
  • processing registration and PDU session establishment requires a fixed or expected amount of CPU resources that should not surpass certain limits. If the amount of consumed CPU resources surpasses a certain limit, a security risk may be identified.
  • the security risk may be related to abnormal performance associated with a network object. For example, the amount of control plane signaling, such as registration, modification and update signaling, should not surpass a certain threshold. Moreover, latency in the user plane should not exceed a threshold latency. If the corresponding threshold is exceeded, there could be a security risk.
  • the security risk may also be related to abnormal behavior associated with a network object. For example, a malicious NF that cannot perform its desired tasks may cause service disruption. As another example, an NF communicates with another NF when such communication should not take place. A further example is that communication between NFs that should be allowed is not allowed. If such events occur, a security risk may be identified.
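To make the resource-usage correlation and the NF communication checks described above concrete, here is an added example in Python; it is not code from the patent or from Nokia. The per-item cost model (EXPECTED_COST, BASELINE, TOLERANCE), the alarm types treated as explaining excess load, the allow-list of NF pairs and the sample measurements are all constructed assumptions for illustration.

```python
# Added example (not code from the patent): correlate an NF's measured resource
# usage with the UE context it maintains, and check NF-to-NF communication
# against an allow-list. Cost model, alarm names and policy table are assumptions.
from dataclasses import dataclass, field

# Assumed per-item cost of maintaining context: CPU in percent, storage in MB.
EXPECTED_COST = {
    "ue":          {"cpu": 0.02, "storage": 0.5},
    "pdu_session": {"cpu": 0.05, "storage": 1.0},
    "qos_flow":    {"cpu": 0.01, "storage": 0.2},
}
BASELINE = {"cpu": 5.0, "storage": 100.0}   # assumed idle footprint of an NF
TOLERANCE = 1.25                            # 25% headroom above the expected amount

# Assumed alarm types (from event data) that explain excess load without a security risk.
ALARMS_EXPLAINING_LOAD = {"memoryLeak", "softwareFault", "logFlood"}


@dataclass
class NfSample:
    nf_id: str
    context: dict            # counts of "ue", "pdu_session", "qos_flow"
    usage: dict              # measured "cpu" and "storage"
    alarms: list = field(default_factory=list)   # active fault alarms for this NF


def expected_usage(context):
    """Resources the NF should need to hold the given UE/session/flow context."""
    exp = dict(BASELINE)
    for item, count in context.items():
        for resource, cost in EXPECTED_COST[item].items():
            exp[resource] += cost * count
    return exp


def check_resource_usage(sample):
    """Flag resources consumed beyond what the context justifies. A fault alarm
    that explains the load turns the finding into a fault rather than a risk."""
    findings = []
    exp = expected_usage(sample.context)
    explained = any(a in ALARMS_EXPLAINING_LOAD for a in sample.alarms)
    for resource, measured in sample.usage.items():
        limit = exp[resource] * TOLERANCE
        if measured > limit:
            findings.append({
                "nf": sample.nf_id,
                "resource": resource,
                "measured": measured,
                "limit": round(limit, 2),
                "risk": "fault" if explained else "abnormal_resource_usage",
            })
    return findings


# Assumed policy: which NF types may talk to which, as (source, destination) pairs.
ALLOWED_PEERS = {("AMF", "SMF"), ("SMF", "UPF"), ("AMF", "AUSF"), ("SMF", "PCF"), ("AMF", "PCF")}


def check_nf_communication(observed, expected):
    """observed: (src, dst) pairs seen in logs; expected: pairs the current
    procedures should have produced. Flags communication that must not happen
    and allowed communication that was expected but did not take place."""
    findings = [{"pair": p, "risk": "disallowed_communication"}
                for p in sorted(observed - ALLOWED_PEERS)]
    findings += [{"pair": p, "risk": "expected_communication_missing"}
                 for p in sorted((expected - observed) & ALLOWED_PEERS)]
    return findings


# Constructed samples: a normally loaded SMF, an SMF whose CPU is far above its
# context, and an AMF whose excess load is explained by a memoryLeak alarm.
SAMPLES = [
    NfSample("smf-1", {"ue": 1000, "pdu_session": 800, "qos_flow": 1200}, {"cpu": 40.0, "storage": 1500.0}),
    NfSample("smf-2", {"ue": 100, "pdu_session": 80, "qos_flow": 120}, {"cpu": 70.0, "storage": 260.0}),
    NfSample("amf-1", {"ue": 50, "pdu_session": 0, "qos_flow": 0}, {"cpu": 30.0, "storage": 900.0}, ["memoryLeak"]),
]
OBSERVED = {("AMF", "SMF"), ("SMF", "UPF"), ("UPF", "PCF")}
EXPECTED = {("AMF", "SMF"), ("SMF", "PCF")}


def run_assessment(samples=SAMPLES, observed=OBSERVED, expected=EXPECTED):
    return {
        "resources": [f for s in samples for f in check_resource_usage(s)],
        "communication": check_nf_communication(observed, expected),
    }


if __name__ == "__main__":
    for category, findings in run_assessment().items():
        for f in findings:
            print(category, f)
```

The point of the alarm check is the caveat in the text: excess load is only treated as a security risk when no fault alarm offers another explanation, so the same overrun on amf-1 is reported as a fault rather than as abnormal resource usage.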
  • the security risk may be identified upon occurrence of one or more associated triggering events. For example, if an associated triggering event occurs, the identifying of the security risk will be triggered.
  • the triggering event may comprise any suitable events that may trigger or induce a security risk.
  • the triggering event may be that an amount of computing resources consumed by a network object is greater than a threshold amount of resources. For example, if an increase of CPU and/or storage load is unexpected or sudden, that is, the increase cannot be justified by the current or expected load, a suspected Distributed Denial-of-Service (DDoS) attack may be inferred.
  • DDoS Distributed Denial-of-Service
  • Unexpected increase in latency associated with a network object may also be considered as a triggering event.
  • latency larger than a threshold latency may indicate a suspected DDoS attack.
  • an excessive amount (for example, greater than a threshold amount) of control plane signaling associated with a network object may be considered as a triggering event.
  • Unexpected lack of accessibility of an NF from other NFs and/or UEs may also be considered as a triggering event.
  • triggering events may be related to NF relocation.
  • Such triggering events may include an unexpected NF location (virtual or geographical), unexpected excessive delay in relocating a NF, and other relocation related events. For example, if an NF is relocated to a disallowed location, that is, outside the potential locations allowed by the mobile network operator or a third party, the identifying of the security risk may be triggered. If the delay in relocating an NF is larger than a threshold delay, the identifying of the security risk may also be triggered.
  • the triggering events may provide a guide for a security risk assessment. For example, upon the triggering event, a security risk assessment may be performed to identify abnormal behavior based on the collected data. In some example embodiments, the data collection may also need to be triggered by the triggering events. For example, after it is determined that a triggering event occurs, data for security management is collected from various NFs or NEs to identify an anomalous network object.
  • notification of the security risk is sent out to facilitate mitigation of the security risk.
  • the notification may be sent to any suitable reception party, including, for example, an NF and/or NE, a management device or system, a management service consumer or a human operator.
  • one or more attributes of the security risk are identified and then notification thereof is sent out.
  • a specific interface for the attributes of the security risk may further facilitate the mitigation of the security risk.
  • the attributes of the security risk may comprise any suitable information related to the identified security risk.
  • the attributes of the security risk may comprise a type of the security risk that may be indicated by an identifier.
  • the type of the security risk may comprise a DDoS attack for a network object such as a gNB or an NF in the user or control plane.
  • the type of the security risk may also be a software-based event internal to an NF with malicious behavior. For example, an NF communicates abnormally with other NFs or external entities, which creates overload or information leakage.
  • the security risk may be a malicious event that triggers relocation of an NF. For example, frequent abnormal NF relocations are triggered and further disrupt a service.
  • the security risk may also be modification of the target location for relocation of an NF. For example, in a relocation process, an NF is relocated to a location other than the desired one, or even outside the operator premises.
  • the security risk may be eavesdropping by an intermediate node on a network object, which, for example, causes excessive delay or even service disruption.
  • the attributes of the security risk may comprise a location and/or a network object affected by the security risk, root cause, and/or a severity level.
  • the attributes may also comprise start time, stop time and/or duration of the security risk, that is, when the security risk starts and stops and how long it lasts.
  • a recommended action to mitigate the security risk may be notified to further facilitate a mitigation plan.
  • the action may comprise isolating the security risk, including, for example, isolating or terminating an NF, terminating or deleting a PDU session, throttling signaling from an NF or a UE and/or blocking a UE.
  • the action may also comprise hardening network security, including, for example, hardening security on a specific NF, firewall update, scaling resources, load balancing and/or admission control.
  • a type of analytics such as statistics or prediction of security risks may be indicated in the notification. Examples of analytics results for security management are shown below.
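The triggering events, the risk identification they gate, and the notification attributes and recommended actions above, carried through as one added example in Python (not the patent's own code, and not the analytics results the previous sentence refers to). The thresholds, the allowed-location set, the mapping from events to risk types, the severities, root-cause text and action names, and the measurement stream are assumptions constructed for the example.

```python
# Added example (not code from the patent): evaluate the triggering events on a
# measurement stream and build the security risk notification with its attributes.
# Thresholds, allowed locations, risk names, severities and actions are assumptions.
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

THRESHOLDS = {                      # assumed operator-configured limits
    "cp_signaling_per_s": 500.0,    # registrations, modifications, updates per second
    "up_latency_ms": 50.0,
    "relocation_delay_s": 30.0,
}
ALLOWED_LOCATIONS = {"dc-east-1", "dc-west-1"}   # assumed locations allowed by the operator

@dataclass
class Measurement:
    ts: datetime
    nf_id: str
    nf_type: str
    cp_signaling_per_s: float = 0.0
    up_latency_ms: float = 0.0
    reachable: bool = True
    location: str = "dc-east-1"
    relocation_delay_s: float = 0.0

def triggering_events(m):
    """The triggering events from the text, evaluated on a single measurement."""
    events = set()
    if m.cp_signaling_per_s > THRESHOLDS["cp_signaling_per_s"]:
        events.add("excessive_cp_signaling")
    if m.up_latency_ms > THRESHOLDS["up_latency_ms"]:
        events.add("excessive_latency")
    if not m.reachable:
        events.add("nf_unreachable")
    if m.location not in ALLOWED_LOCATIONS:
        events.add("nf_disallowed_location")
    if m.relocation_delay_s > THRESHOLDS["relocation_delay_s"]:
        events.add("nf_relocation_delay")
    return events

# Assumed mapping from triggering events to risk types, each with a severity,
# a root-cause statement and the recommended mitigation actions.
RISK_EVENTS = {
    "ddos": {"excessive_cp_signaling", "excessive_latency", "nf_unreachable"},
    "relocation_target_modified": {"nf_disallowed_location"},
    "malicious_relocation": {"nf_relocation_delay"},
}
RISK_PROFILE = {
    "ddos": ("major", "control plane flooding or user plane overload",
             ["throttle signaling", "scale resources", "admission control"]),
    "relocation_target_modified": ("critical", "NF relocated outside allowed operator locations",
                                   ["isolate NF", "firewall update"]),
    "malicious_relocation": ("major", "NF relocation delay beyond expected duration",
                             ["harden security on NF", "isolate NF"]),
}

def analyze(measurements):
    """Open a risk on the first measurement where one of its events fires, close it
    on the first later measurement of the same NF where none fire, and return one
    notification per (NF, risk) carrying the attributes described in the text."""
    active, notifications = {}, []
    for m in sorted(measurements, key=lambda x: x.ts):
        events = triggering_events(m)
        risks = {r for r, ev in RISK_EVENTS.items() if events & ev}
        for r in risks:
            key = (m.nf_id, r)
            if key not in active:
                severity, cause, actions = RISK_PROFILE[r]
                active[key] = {
                    "type": r, "network_object": m.nf_id, "nf_type": m.nf_type,
                    "location": m.location, "start_time": m.ts, "stop_time": None,
                    "duration_s": None, "root_cause": cause, "severity": severity,
                    "triggering_events": set(), "recommended_actions": actions,
                    "analytics_type": "statistics",
                }
            active[key]["triggering_events"] |= events & RISK_EVENTS[r]
        for key in [k for k in active if k[0] == m.nf_id and k[1] not in risks]:
            n = active.pop(key)
            n["stop_time"] = m.ts
            n["duration_s"] = (m.ts - n["start_time"]).total_seconds()
            notifications.append(n)
    notifications.extend(active.values())     # still open at the end of the window
    for n in notifications:
        n["triggering_events"] = sorted(n["triggering_events"])
    return notifications

# Constructed stream: an AMF hit by a signaling burst that clears, an SMF relocated
# outside the allowed locations, and a UPF whose relocation takes too long.
T0 = datetime(2021, 1, 1, tzinfo=timezone.utc)
STREAM = [
    Measurement(T0, "amf-1", "AMF", cp_signaling_per_s=100, up_latency_ms=10),
    Measurement(T0 + timedelta(seconds=5), "smf-3", "SMF", location="colo-unknown"),
    Measurement(T0 + timedelta(seconds=10), "amf-1", "AMF", cp_signaling_per_s=900, up_latency_ms=20),
    Measurement(T0 + timedelta(seconds=15), "upf-2", "UPF", relocation_delay_s=45),
    Measurement(T0 + timedelta(seconds=20), "amf-1", "AMF", cp_signaling_per_s=1200, up_latency_ms=80),
    Measurement(T0 + timedelta(seconds=25), "upf-2", "UPF", relocation_delay_s=0),
    Measurement(T0 + timedelta(seconds=30), "amf-1", "AMF", cp_signaling_per_s=120, up_latency_ms=12),
]

if __name__ == "__main__":
    for n in analyze(STREAM):
        print(n["severity"], n["type"], n["network_object"], n["duration_s"], n["recommended_actions"])
```

A risk that is still open at the end of the window is reported without a stop time or duration, which is what a subscribed MnS consumer would receive while the condition persists; the start time, stop time and duration attributes otherwise come directly from the first triggering and first clearing measurement of that NF.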
  • FIG. 4 is a simplified block diagram of a device 400 that is suitable for implementing example embodiments of the present disclosure.
  • the device 400 can be implemented at or as a part of the management device 210 such as a MDAS producer or any other device capable of providing the security management.
  • the device 400 includes a processor 410, a memory 420 coupled to the processor 410, a communication module 430 coupled to the processor 410, and a communication interface (not shown) coupled to the communication module 430.
  • the memory 420 stores at least a program 440.
  • the communication module 430 is for bidirectional communications, for example, via multiple antennas or via a cable.
  • the communication interface may represent any interface that is necessary for communication.
  • the program 440 is assumed to include program instructions that, when executed by the associated processor 410, enable the device 400 to operate in accordance with the example embodiments of the present disclosure, as discussed herein with reference to FIGS. 2 and 3.
  • the example embodiments herein may be implemented by computer software executable by the processor 410 of the device 400, or by hardware, or by a combination of software and hardware.
  • the processor 410 may be configured to implement various example embodiments of the present disclosure.
  • the memory 420 may be of any type suitable to the local technical network and may be implemented using any suitable data storage technology, such as a non-transitory computer readable storage medium, semiconductor based memory devices, magnetic memory devices and systems, optical memory devices and systems, fixed memory and removable memory, as non-limiting examples. While only one memory 420 is shown in the device 400, there may be several physically distinct memory modules in the device 400.
  • the processor 410 may be of any type suitable to the local technical network, and may include one or more of general purpose computers, special purpose computers, microprocessors, digital signal processors (DSPs) and processors based on multicore processor architecture, as non-limiting examples.
  • the device 400 may have multiple processors, such as an application specific integrated circuit chip that is slaved in time to a clock which synchronizes the main processor.
  • the processor 410 may implement the operations or acts of the management device as described above with reference to FIGS. 2 and 3. All operations and features as described above with reference to FIGS. 2 and 3 are likewise applicable to the device 400 and have similar effects. For the purpose of simplification, the details will be omitted.
  • various example embodiments of the present disclosure may be implemented in hardware or special purpose circuits, software, logic or any combination thereof. Some aspects may be implemented in hardware, while other aspects may be implemented in firmware or software which may be executed by a controller, microprocessor or other computing device. While various aspects of example embodiments of the present disclosure are illustrated and described as block diagrams, flowcharts, or using some other pictorial representations, it is to be understood that the block, apparatus, system, technique or method described herein may be implemented in, as non-limiting examples, hardware, software, firmware, special purpose circuits or logic, general purpose hardware or controller or other computing devices, or some combination thereof.
  • the present disclosure also provides at least one computer program product tangibly stored on a non-transitory computer readable storage medium.
  • the computer program product includes computer-executable instructions, such as those included in program modules, being executed in a device on a target real or virtual processor, to carry out the operations and acts as described above with reference to FIGS. 2 and 3.
  • program modules include routines, programs, libraries, objects, classes, components, data structures, or the like that perform particular tasks or implement particular abstract data types.
  • the functionality of the program modules may be combined or split between program modules as desired in various example embodiments.
  • Machine-executable instructions for program modules may be executed within a local or distributed device. In a distributed device, program modules may be located in both local and remote storage media.
  • Program code for carrying out methods of the present disclosure may be written in any combination of one or more programming languages. These program codes may be provided to a processor or controller of a general purpose computer, special purpose computer, or other programmable data processing apparatus, such that the program codes, when executed by the processor or controller, cause the functions/operations specified in the flowcharts and/or block diagrams to be implemented.
  • the program code may execute entirely on a machine, partly on the machine, as a stand-alone software package, partly on the machine and partly on a remote machine or entirely on the remote machine or server.
  • the computer program codes or related data may be carried by any suitable carrier to enable the device, apparatus or processor to perform various processes and operations as described above.
  • Examples of the carrier include a signal and computer readable media.
  • the computer readable medium may be a computer readable signal medium or a computer readable storage medium.
  • a computer readable medium may include but not limited to an electronic, magnetic, optical, electromagnetic, infrared, or semiconductor system, apparatus, or device, or any suitable combination of the foregoing.
  • the computer readable storage medium would include an electrical connection having one or more wires, a portable computer diskette, a hard disk, a random access memory (RAM) , a read-only memory (ROM) , an erasable programmable read-only memory (EPROM or Flash memory) , an optical fiber, a portable compact disc read-only memory (CD-ROM) , Digital Versatile Disc (DVD) , an optical storage device, a magnetic storage device, or any suitable combination of the foregoing.
  • RAM random access memory
  • ROM read-only memory
  • EPROM or Flash memory erasable programmable read-only memory
  • CD-ROM compact disc read-only memory
  • DVD Digital Versatile Disc
  • a device comprises: at least one processor; and at least one memory including computer program code; the at least one memory and the computer program code configured to, with the at least one processor, cause the device to: collect, from a plurality of devices, data for security management; identify a security risk based on the collected data; and send notification of the security risk to facilitate mitigation of the security risk.
  • the device is caused to identify the security risk by: determining occurrence of at least one triggering event associated with the security risk; and in accordance with determining the occurrence of the at least one triggering event, identifying the security risk based on the collected data.
  • the at least one triggering event comprises at least one of: an amount of computing resources consumed by a network object being greater than a threshold amount of resources; an amount of control plane signaling associated with a network object being greater than a threshold amount of control plane signaling; latency associated with a network object being larger than threshold latency; a network function being re-located to a disallowed location; delay in relocating a network function being larger than threshold delay; or lack of accessibility of a network function.
  • the security risk is related to at least one of: abnormal resource usage associated with a network object; abnormal performance associated with a network object; or abnormal behavior associated with a network object.
  • the collected data comprises at least one of performance measurements, event data, configuration data or logs for security analytics.
  • the performance measurements comprise at least one of: delay in accessing a network function; communication between network functions; at least one of timing, duration, success rate or frequency of relocation of a network function; or a location of a network function with respect to a data network.
  • the device is further caused to: identify one or more attributes of the security risk; and send notification of the one or more attributes of the network security risk to facilitate the mitigation of the network security risk.
  • the one or more attributes of the security risk comprise at least one of: a type of the security risk; at least one of a location or a network object, affected by the security risk; at least one of start time, stop time or duration of the security risk; root cause of the security risk; or a severity level of the security risk.
  • the type of the security risk comprises at least one of: a distributed denial-of-service attack for a network object; a software-based event internal to a network function with a malicious behavior; a malicious event to trigger relocation of a network function; modification of a target location for relocation of a network function; eavesdropping by an intermediate node for a network object.
  • the device is further caused to: send notification of a recommendation action to mitigate the security risk.
  • the device comprises a Management Data Analytics Services producer.
  • a method comprises: collecting, from a plurality of devices, data for security management; identifying a security risk based on the collected data; and sending notification of the security risk to facilitate mitigation of the security risk.
  • identifying the security risk comprises: determining occurrence of at least one triggering event associated with the security risk; and in accordance with determining the occurrence of the at least one triggering event, identifying the security risk based on the collected data.
  • the at least one triggering event comprises at least one of: an amount of computing resources consumed by a network object being greater than a threshold amount of resources; an amount of control plane signaling associated with a network object being greater than a threshold amount of control plane signaling; latency associated with a network object being larger than threshold latency; a network function being re-located to a disallowed location; delay in relocating a network function being larger than threshold delay; or lack of accessibility of a network function.
  • the security risk is related to at least one of: abnormal resource usage associated with a network object; abnormal performance associated with a network object; or abnormal behavior associated with a network object.
  • the collected data comprises at least one of performance measurements, event data, configuration data or logs for security analytics.
  • the performance measurements comprise at least one of: delay in accessing a network function; communication between network functions; at least one of timing, duration, success rate or frequency of relocation of a network function; or a location of a network function with respect to a data network.
  • the method further comprises: identifying one or more attributes of the security risk; and sending notification of the one or more attributes of the network security risk to facilitate the mitigation of the network security risk.
  • the one or more attributes of the security risk comprise at least one of: a type of the security risk; at least one of a location or a network object, affected by the security risk; at least one of start time, stop time or duration of the security risk; root cause of the security risk; or a severity level of the security risk.
  • the type of the security risk comprises at least one of: a distributed denial-of-service attack for a network object; a software-based event internal to a network function with a malicious behavior; a malicious event to trigger relocation of a network function; modification of a target location for relocation of a network function; eavesdropping by an intermediate node for a network object.
  • the method further comprises: sending notification of a recommendation action to mitigate the security risk.
  • the method is implemented at a Management Data Analytics Services producer.
  • an apparatus comprises: means for collecting, from a plurality of devices, data for security management; means for identifying a security risk based on the collected data; and means for sending notification of the security risk to facilitate mitigation of the security risk.
  • the means for identifying the security risk comprises: means for determining occurrence of at least one triggering event associated with the security risk; and means for in accordance with determining the occurrence of the at least one triggering event, identifying the security risk based on the collected data.
  • the at least one triggering event comprises at least one of: an amount of computing resources consumed by a network object being greater than a threshold amount of resources; an amount of control plane signaling associated with a network object being greater than a threshold amount of control plane signaling; latency associated with a network object being larger than threshold latency; a network function being re-located to a disallowed location; delay in relocating a network function being larger than threshold delay; or lack of accessibility of a network function.
  • the security risk is related to at least one of: abnormal resource usage associated with a network object; abnormal performance associated with a network object; or abnormal behavior associated with a network object.
  • the collected data comprises at least one of performance measurements, event data, configuration data or logs for security analytics.
  • the performance measurements comprise at least one of: delay in accessing a network function; communication between network functions; at least one of timing, duration, success rate or frequency of relocation of a network function; or a location of a network function with respect to a data network.
  • the apparatus further comprises: means for identifying one or more attributes of the security risk; and means for sending notification of the one or more attributes of the network security risk to facilitate the mitigation of the network security risk.
  • the one or more attributes of the security risk comprise at least one of: a type of the security risk; at least one of a location or a network object, affected by the security risk; at least one of start time, stop time or duration of the security risk; root cause of the security risk; or a severity level of the security risk.
  • the type of the security risk comprises at least one of: a distributed denial-of-service attack for a network object; a software-based event internal to a network function with a malicious behavior; a malicious event to trigger relocation of a network function; modification of a target location for relocation of a network function; eavesdropping by an intermediate node for a network object.
  • the apparatus further comprises: means for sending notification of a recommendation action to mitigate the security risk.
  • the apparatus is implemented at a Management Data Analytics Services producer.
  • a computer readable storage medium comprises program instructions stored thereon, the instructions, when executed by a processor of a device, causing the device to perform the method according to some example embodiments of the present disclosure.

Abstract

Example embodiments of the present disclosure relate to a device, method and computer readable storage medium for security management. In example embodiments, data for security management is collected from a plurality of devices. A security risk is identified based on the collected data. Further, notification of the security risk is sent to facilitate mitigation of the security risk.

Description

SECURITY MANAGEMENT SERVICE IN MANAGEMENT PLANE
FIELD
Example embodiments of the present disclosure generally relate to the field of communication, and in particular, to a device, method and computer readable storage medium for security management.
BACKGROUND
Security risk assessment issues related to the management of Network Functions (NFs) can be considered based on data analytics services in the management plane. For example, Management Data Analytics Services (MDAS) can provide root cause analysis and other data analytics in the management plane. However, security analytics are currently available only on the terminal (UE) side, in the control plane of the network.
SUMMARY
In general, example embodiments of the present disclosure provide a device, method and computer readable storage medium for security management.
In a first aspect, a device is provided which comprises at least one processor and at least one memory including computer program code. The at least one memory and the computer program code are configured to, with the at least one processor, cause the device to collect, from a plurality of devices, data for security management. The device is further caused to identify a security risk based on the collected data and send notification of the security risk to facilitate mitigation of the security risk.
In a second aspect, a method is provided. In the method, data for security management is collected from a plurality of devices. A security risk is identified based on the collected data. Further, notification of the security risk is sent to facilitate mitigation of the security risk.
In a third aspect, there is provided an apparatus comprising means for performing the method according to the second aspect.
In a fourth aspect, there is provided a computer readable storage medium comprising program instructions stored thereon. The instructions, when executed by a processor of a device, cause the device to perform the method according to the second aspect.
It is to be understood that the summary section is not intended to identify key or essential features of example embodiments of the present disclosure, nor is it intended to be used to limit the scope of the present disclosure. Other features of the present disclosure will become easily comprehensible through the following description.
BRIEF DESCRIPTION OF THE DRAWINGS
Some example embodiments will now be described with reference to the accompanying drawings, where:
FIG. 1 illustrates an example of cross-domain MDAS architecture;
FIG. 2 illustrates an example environment in which example embodiments of the present disclosure can be implemented;
FIG. 3 illustrates a flowchart of an example method according to some example embodiments of the present disclosure; and
FIG. 4 illustrates a simplified block diagram of a device that is suitable for implementing example embodiments of the present disclosure.
Throughout the drawings, the same or similar reference numerals represent the same or similar element.
DETAILED DESCRIPTION
Principle of the present disclosure will now be described with reference to some example embodiments. It is to be understood that these example embodiments are described only for the purpose of illustration and help those skilled in the art to understand and implement the present disclosure, without suggesting any limitation as to the scope of the disclosure. The disclosure described herein can be implemented in various manners other than the ones described below.
In the following description and claims, unless defined otherwise, all technical and scientific terms used herein have the same meaning as commonly understood by one of ordinary skills in the art to which this disclosure belongs.
As used herein, the term “network function” or “NF” refers to a physical, virtual or hybrid function or entity which is deployed at a network side and provides one or more  services to clients. For example, an NF may be arranged at a device in an access network or a core network. The NF may be implemented in hardware, software, firmware, or some combination thereof.
As used herein, the term “circuitry” may refer to one or more or all of the following:
(a) hardware-only circuit implementations (such as implementations in only analog and/or digital circuitry) and
(b) combinations of hardware circuits and software, such as (as applicable) : (i) a combination of analog and/or digital hardware circuit (s) with software/firmware and (ii) any portions of hardware processor (s) with software (including digital signal processor (s) ) , software, and memory (ies) that work together to cause an apparatus, such as a mobile phone or server, to perform various functions) and
(c) hardware circuit (s) and or processor (s) , such as a microprocessor (s) or a portion of a microprocessor (s) , that requires software (e.g., firmware) for operation, but the software may not be present when it is not needed for operation.
This definition of circuitry applies to all uses of this term in this application, including in any claims. As a further example, as used in this application, the term circuitry also covers an implementation of merely a hardware circuit or processor (or multiple processors) or portion of a hardware circuit or processor and its (or their) accompanying software and/or firmware. The term circuitry also covers, for example and if applicable to the particular claim element, a baseband integrated circuit or processor integrated circuit for a mobile device or a similar integrated circuit in a server, a cellular base station, or other computing or base station.
As used herein, the singular forms “a” , “an” , and “the” are intended to include the plural forms as well, unless the context clearly indicates otherwise. The term “includes” and its variants are to be read as open terms that mean “includes, but is not limited to” . The term “based on” is to be read as “based at least in part on” . The term “one embodiment” and “an embodiment” are to be read as “at least one embodiment” . The term “another embodiment” is to be read as “at least one other embodiment” . Other definitions, explicit and implicit, may be included below.
As used herein, the terms “first” , “second” and the like may be used herein to describe various elements, these elements should not be limited by these terms. These  terms are only used to distinguish one element from another. For example, a first element could be referred to as a second element, and similarly, a second element could be termed a first element, without departing from the scope of example embodiments. As used herein, the term “and/or” includes any and all combinations of one or more of the listed terms.
In 3GPP Service Based Architecture (SBA) , in a control plane, a Network Data Analytics Function (NWDAF) can provide security analysis related to an abnormal behavior of user equipment (UE) or a Mobile Initiated Connection Only (MICO) device. The following factors or issues may be considered in analyzing the abnormal behavior of a device such as a UE and a MICO device to detect security situations:
● Unexpected position –the device is moved where it is not supposed to be
● Unexpected communication patterns –device traffic patterns and volume are not expected
● Unexpected device wake-up
● Suspicious Distributed Denial-of-Service (DDoS) attack
● Wrong destination address
With the capability to collect different types of data, the NWDAF could provide to other NFs alerts for anomaly events together with additional information on a possible cause for the anomaly events, thus allowing for 5G service automation, or allowing for troubleshooting in general. The information about anomaly events is currently identified as a key issue. This means that such information could potentially be provided to other NFs so that the NFs could take proper actions. For example, such information could be provided to a Policy Control Function (PCF) to derive different policies.
The NWDAF can also provide support for cyber-attacks. Cyber-attacks may be efficiently detected by monitoring events and data packets at the UE and on the network side with the support of the NWDAF and machine-learning algorithms, for example. The UE and NWDAF collaborate with each other to detect the attacks that may occur at a UE or in a RAN or core network. Alerts for the attack detection could be provided to Operations, Administration and Maintenance (OAM) and 5G Core (5GC) NFs that have subscribed to the alerts so that the NFs could take the corresponding actions.
However, while NWDAF based security analytics could detect some security issues in a core network, the detection is at an early stage where only a key issue and a problem statement exist, without a solution. Moreover, such security analytics has limitations in addressing more advanced threats, which may require correlated data collected from multiple domains and covering various aspects.
Management Data Analytics Services (MDAS) is provided by a management system. MDAS concentrates on a Radio Access Network (RAN) domain and/or the fifth generation (5G) Core domain and can be provided on end-to-end (E2E) (or cross-domain) basis or on per domain basis.
FIG. 1 shows an example of cross-domain MDAS architecture 100. As shown, a cross-domain MDAS consumer can interact with corresponding MDAS producers in RAN and 5G Core domains. In addition, a CN MDAS producer 105 may interact with a Network Data Analytics Function (NWDAF) 110 via an Nnwdaf interface 115 or an MDAS interface 220 to use the analytics result of the NWDAF 110 as input. Accordingly, an MDAS producer may provide analytics data for management purposes based on the data related to different types of NFs, such as data reported from New Radio (NR) NodeB (gNB) and other core network functions.
MDAS enables automation analysis of raw data related to network and service events in the management plane, for example, as specified in the 3rd Generation Partnership Project (3GPP) specifications such as 3GPP TS 28.552, TS 28.553 and TS 28.554. The network and service events may be related to the following aspects:
● Performance measurements
● Trace – Minimization of Drive Tests (MDT) / Radio Link Failure (RLF) / RRC Connection Establishment Failure (RCEF)
● Service experience –Quality of Experience (QoE)
● Fault measurements –Alarms
MDAS may additionally consume analytics knowledge, such as processed data, and network analytics input from different domains, such as a core network (for example, from an NWDAF) and a RAN. Meanwhile, MDAS can be consumed by Management Functions or Management Service (MnS) consumers, 5G core NFs, such as an NWDAF, Self-Organizing Network (SON) functions, optimization tools and human operators.
Currently, MDAS provides services related only to service assurance, troubleshooting and network optimization, and has not addressed or covered security threat detection and analysis. For example, security risk assessment and analytics are not considered for MDAS; MDAS instead focuses on fault management, concentrating on abnormal behaviors. Such fault management may be based on measurements of radio conditions including Channel Quality Indicator (CQI), Radio Resource Control (RRC), Transport Block (TB) and throughput of RAN and 5G Core, as well as on performance of session and mobility, such as Protocol Data Unit (PDU) session and Quality of Service (QoS) flow, and on User Plane Function (UPF) and network slice failure related issues.
Moreover, there is no means for MDAS to detect security threats for physical, virtual and/or hybrid NFs within a network. In particular, it cannot be detected in the management plane whether, when and where an NF is, or can potentially be, vulnerable to a security attack.
A framework on Network Function Virtualization (NFV) life-cycle management is defined by considering security planning, security monitoring and security enforcement. Security monitoring deals with anomaly detection, logging, analytics, reporting and remediation, but only discusses, on a high-level, what type of requirements and processes are needed.
Example embodiments of the present disclosure provide a scheme for security risk assessment and analytics based on correlated data with respect to failure, virtualization, network function (NF) or UE context and other aspects. This scheme collects data such as performance measurements, event data, configuration data and logs from a plurality of different devices. These devices may comprise a network element (NE), a network function (NF), and/or a network function virtualization (NFV) orchestrator and may act as a management service consumer and/or a management service producer. Based on the collected data, a security risk is identified and then notification of the security risk is sent out to facilitate mitigation of the security risk.
This scheme introduces a new analytics service related to security risk assessment. With this scheme, a security risk such as advanced persistent threat (APT) can be identified based on the data collected from a plurality of devices. This scheme further introduces a specific interface to notify an identified security risk to facilitate mitigation of the security risk. For example, the notification may be sent to an NF, a management system or device or a human operator such that the corresponding actions may be taken to isolate the security risk or harden network security.
FIG. 2 shows an example environment 200 in which example embodiments of the present disclosure can be implemented.
The environment 200, which may be a part of a communication network, comprises a management device 210 to provide management services, in particular, related to security risk assessment. As an example, the management device 210 may be implemented by a MDAS producer in any suitable domain such as a RAN or a core network (for example, 5GC) . Any other suitable device capable of providing management services may also function as the management device 210.
In the environment 200, the management device 210 can communicate with a plurality of devices 220-1…220-N where N represents any suitable positive integer greater than 1. For the purpose of discussion, the plurality of devices 220-1…220-N will be collectively or individually referred to as a device or devices 220.
The devices 220 may comprise any suitable device located on different domains and may enable one or more NFs and/or network services. Examples of the devices 220 may comprise an NE, an NF and/or a NFV orchestrator and may act as a management service consumer and/or producer.
The communication between the management device 210 and the plurality of devices 220 may be performed in a wired or wireless way and may utilize any suitable communication technology that is existing or to be developed in the future. The scope of the present disclosure will not be limited in this regard.
In various embodiments of the present disclosure, the management device 210 collects from the plurality of devices 220 data for security management, which may comprise performance measurements, event data, and/or logs related to network security. The data may be generated at the plurality of devices 220 or obtained by the plurality of devices 220 from other devices which generate the data. Based on the collected data, the management device 210 identifies a security risk and sends out notification of the security risk to facilitate mitigation of the security risk.
FIG. 3 shows a flowchart of an example method 300 according to some example embodiments of the present disclosure. The method 300 can be implemented at the management device 210 (such as a MDAS producer) as shown in FIG. 2 or any other suitable device capable of providing security management services. For the purpose of discussion, the method 300 will be described with reference to FIG. 2.
At block 305, data for security management is collected from the plurality of devices 220. The collected data may comprise any suitable data related to network security. For example, the collected data may comprise various performance measurements that may be collected at individual NFs or NEs, NF orchestrators or a management system in terms of failures and disruptions, virtualized resources and/or behavior, NF or UE context information, and the like.
In some example embodiments, some performance measurements may be dedicated for security management. For example, the collected performance measurements may be related to NF relocation, NF performance with respect to specific key performance indicators (KPIs) such as latency, and other NF communication behaviors (for example, how one NF interacts with another NF) .
Such performance measurements may comprise delay (especially excessive delay) in accessing an NF such as the Access and Mobility Management Function (AMF) or Session Management Function (SMF). Alternatively or in addition, these performance measurements may comprise communication between NFs, especially abnormal and excessive NF communication. For example, if an AMF uses a different SMF without performing the expected selection process, abnormal NF communication may be indicated. If an AMF unexpectedly overloads an SMF, excessive NF communication is indicated. Alternatively or in addition, the dedicated performance measurements may comprise timing, duration, success rate and/or frequency (or rate) of relocation of an NF and/or the location of an NF with respect to a data network.
In some example embodiments, the collected data may comprise event data, including, for example, fault measurements or other event measurements. As an example, the fault measurements may comprise alarm data which comprises any suitable alarm information such as types of alarms. Alternatively or in addition, the collected data may comprise configuration data, logs, service data, network topology and the like.
Examples of the collected data as input for security management are shown in the tables below. In the original publication these tables appear only as images (PCTCN2020107763-appb-000001 to PCTCN2020107763-appb-000003) and are not reproduced here.
Based on the collected data, a security risk is identified at block 310. The security risk may comprise any risk related to network security. In some example embodiments, the security risk may be related to abnormal resource usage associated with a network object. The network object may be any suitable object such as a device, a function or a service in a network, which may comprise an NF, a PDU session, a QoS flow or the like. The network object may be enabled by one or more of the plurality of devices 220 or by other devices.
In some example embodiments, the security management may correlate UE procedures or other events with resource usage with respect to a Central Processing Unit (CPU), storage, disk, virtual resources and the like. For example, the expected CPU, storage or disk resource usage should reflect the relevant UE and event processes. Where an NF maintains a predetermined number of UEs, Protocol Data Unit (PDU) sessions, Quality of Service (QoS) flows or other UE related context, maintaining them requires a fixed or expected amount of virtual resources and storage that should not surpass certain limits. If the amount of consumed resources exceeds such a limit, there could be a security risk, especially if no other fault alarm indicates a reason other than a security risk.
As another example, process registration and PDU session establishment would require a fixed or expected amount of CPU resources that should not surpass certain limits. If the amount of consumed CPU resources surpasses a certain limit, a security risk may be identified.
Alternatively or in addition, the security risk may be related to abnormal performance associated with a network object. For example, an amount of control plane signaling, such as registration, modification and update signaling, should not surpass a certain threshold. Moreover, latency in the user plane should not exceed a threshold latency. If the corresponding threshold is exceeded, there could be a security risk.
The security risk may also be related to abnormal behavior associated with a network object. For example, a malicious NF that cannot perform its intended tasks may cause service disruption. As another example, an NF communicates with another NF with which it should not communicate. A further example is that communication between NFs that should be allowed is not taking place. If such events occur, a security risk may be identified.
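The abnormal and excessive NF communication described above (an NF talking to a producer it has no business with, an AMF overloading an SMF, or expected communication that never happens) can be checked from inter-NF call records against an operator allow-list. The following is an added example, not code from the patent or from Nokia; the allow-list, the per-window call limits, the required pairs and the log lines are all constructed for illustration.

```python
"""Added example (not from the patent): checking inter-NF communication
against an operator allow-list, over constructed service-based-interface call records."""
from collections import defaultdict
from dataclasses import dataclass

# Hypothetical allow-list: (consumer, producer) pairs permitted to talk, with the
# maximum expected number of calls per collection window. Numbers are illustrative.
ALLOWED_CALLS = {
    ("AMF", "SMF"): 5,
    ("AMF", "AUSF"): 3,
    ("AMF", "NRF"): 2,
    ("SMF", "UPF"): 8,
}
# Pairs that must be seen in every window: their absence is itself abnormal behaviour.
REQUIRED_CALLS = {("AMF", "SMF"), ("AMF", "NRF")}


@dataclass(frozen=True)
class Finding:
    kind: str       # "disallowed", "excessive" or "missing"
    consumer: str
    producer: str
    detail: str


def parse_call_log(lines):
    """Count calls per (consumer, producer) pair from 'timestamp CONSUMER->PRODUCER status' lines."""
    counts = defaultdict(int)
    for line in lines:
        parts = line.split()
        if len(parts) != 3 or "->" not in parts[1]:
            continue                      # malformed record: skip, do not crash the analytics
        consumer, producer = parts[1].split("->", 1)
        counts[(consumer, producer)] += 1
    return dict(counts)


def check_nf_communication(counts, allowed=ALLOWED_CALLS, required=REQUIRED_CALLS):
    """Flag communication that should not take place, is excessive, or is missing."""
    findings = []
    for pair, n in sorted(counts.items()):
        if pair not in allowed:
            findings.append(Finding("disallowed", *pair, f"{n} call(s) to a producer outside the allow-list"))
        elif n > allowed[pair]:
            findings.append(Finding("excessive", *pair, f"{n} calls exceed the expected maximum of {allowed[pair]}"))
    for pair in sorted(required):
        if counts.get(pair, 0) == 0:
            findings.append(Finding("missing", *pair, "expected communication was not observed"))
    return findings


# Constructed sample log for one collection window.
SAMPLE_LOG = [
    "1000 AMF->SMF 200", "1001 AMF->SMF 200", "1002 AMF->SMF 200", "1003 AMF->SMF 200",
    "1004 AMF->SMF 200", "1005 AMF->SMF 503", "1006 AMF->SMF 503",   # 7 calls: the SMF is being overloaded
    "1007 SMF->UPF 200", "1008 SMF->UPF 200",
    "1009 SMF->AUSF 200",                                             # an SMF has no reason to call the AUSF
    "garbage line",                                                   # malformed record
]

if __name__ == "__main__":
    for f in check_nf_communication(parse_call_log(SAMPLE_LOG)):
        print(f"{f.kind:10} {f.consumer}->{f.producer}: {f.detail}")
```

In a real deployment the counts would come from SBI access logs or from the NRF/SCP rather than from a text list, and the "missing" check is the one most easily forgotten: an NF that has silently stopped discovering producers through the NRF is just as suspicious as one that talks too much.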
In some example embodiments, the security risk may be identified upon occurrence of one or more associated triggering events. For example, if an associated triggering event occurs, the identifying of the security risk will be triggered. The triggering event may comprise any suitable events that may trigger or induce a security risk.
In some example embodiments, the triggering event may be that the amount of computing resources consumed by a network object is greater than a threshold amount of resources. For example, if an increase of CPU and/or storage load is unexpected or sudden, that is, the increase cannot be justified by the current or expected load, a Distributed Denial-of-Service (DDoS) attack may be suspected.
Unexpected increase in latency associated with a network object may also be considered as a triggering event. For example, latency larger than threshold latency may indicate a suspicious DDoS attack. Alternatively or in addition, an excessive amount (for example, greater than a threshold amount) of control plane signaling associated with a network object may be considered as a triggering event. Unexpected lack of accessibility of an NF from other NFs and/or UEs may also be considered as a triggering event.
Some triggering events may be related to NF relocation. Such triggering events may include an unexpected NF location (virtual or geographical) , unexpected excessive delay in relocating a NF, and other relocation related events. For example, if an NF is relocated to a disallowed location, for example, the NF is relocated outside potential locations allowed by a mobile network operator or the third party, the identifying of the security risk may be triggered. If delay in relocating an NF is larger than threshold delay, the identifying of the security risk may also be triggered.
The triggering events may provide a guide for a security risk assessment. For example, upon a triggering event, a security risk assessment may be performed to identify abnormal behavior based on the collected data. In some example embodiments, the data collection itself may also be triggered by the triggering events. For example, after it is determined that a triggering event has occurred, data for security management is collected from various NFs or NEs to identify the anomalous network object.
After the security risk is identified, at block 315, notification of the security risk is sent out to facilitate mitigation of the security risk. The notification may be sent to any suitable reception party, including, for example, an NF and/or NE, a management device or system, a management service consumer or a human operator.
In some example embodiments, one or more attributes of the security risk are identified and then notification thereof is sent out. A specific interface for the attributes of the security risk may further facilitate the mitigation of the security risk. The attributes of the security risk may comprise any suitable information related to the identified security risk.
In some example embodiments, the attributes of the security risk may comprise a type of the security risk that may be indicated by an identifier. For example, the type of the security risk may comprise a DDoS attack against a network object such as a gNB or an NF in the user or control plane. The type of the security risk may also be a software-based event internal to an NF with malicious behavior. For example, an NF communicates abnormally with other NFs or external entities, which creates overload or information leakage.
Alternatively or in addition, the security risk may be a malicious event that triggers relocation of an NF. For example, a frequent abnormal NF relocation is triggered and further disrupts a service. The security risk may also be modification of a target location for relocation of an NF. For example, in a relocation process, an NF is relocated towards a different location than a desired location or even outside the operator premises. As another example, the security risk may be eavesdropping by an intermediate node for a network object, which, for example, causes excessive delay or even service disruption.
In addition to or rather than the type of the security risk, the attributes of the security risk may comprise a location and/or a network object affected by the security risk, a root cause, and/or a severity level. The attributes may also comprise a start time, stop time and/or duration of the security risk, that is, when the security risk starts and stops and how long it lasts.
In some example embodiments, a recommended action to mitigate the security risk may be notified to further facilitate a mitigation plan. The action may comprise isolating the security risk, including, for example, isolating or terminating an NF, terminating or deleting a PDU session, throttling signaling from an NF or a UE and/or blocking a UE. The action may also comprise hardening network security, including, for example, hardening security on a specific NF, a firewall update, scaling resources, load balancing and/or admission control.
Other related information may also be indicated or contained in the notification. For example, a type of analytics such as statistics or prediction of security risks may be indicated in the notification. Examples of analytics results for security management are shown below.
[Figure: table of example analytics results for security management (image not reproduced)]
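The triggering events and notification attributes described above, worked through as an added example that is not part of the patent: a small MDAS-producer-style analytics pass that evaluates each triggering event against a constructed stream of performance measurements and, when a risk is identified, builds a notification carrying the listed attributes (type, affected object, location, root cause, severity, start/stop time, duration, recommended actions). The threshold values, NF names, record layout and the event-to-risk-type mapping are assumptions, since the text names the thresholds and types but does not fix them.

```python
"""Added example, not from the patent: a minimal MDAS-producer-style analytics pass.
It applies the triggering events listed in the text to a constructed measurement stream
and, on a risk, builds the notification attributes the text lists. Thresholds, NF names,
the record layout and the event-to-risk-type mapping are assumptions."""
from dataclasses import dataclass
from typing import Optional

# Assumed threshold values; the text names the thresholds but does not fix them.
THRESHOLDS = {"cpu_load": 0.85, "latency_ms": 200.0,          # cpu_load: fraction of capacity
              "cp_signaling_per_s": 5000, "relocation_delay_s": 30.0}
ALLOWED_LOCATIONS = {"dc-eu-west", "dc-eu-central"}   # operator-allowed NF locations (assumed)

@dataclass
class Measurement:
    """One collected performance record for a network object (constructed layout)."""
    t: float                 # collection time in seconds
    nf_id: str
    location: str
    cpu_load: float
    latency_ms: float
    cp_signaling_per_s: int
    reachable: bool = True
    relocation_delay_s: Optional[float] = None   # None when no relocation took place

def triggering_events(m: Measurement) -> list:
    """Evaluate the triggering events from the text against one measurement."""
    ev = []
    if m.cpu_load > THRESHOLDS["cpu_load"]:
        ev.append("RESOURCES_ABOVE_THRESHOLD")
    if m.latency_ms > THRESHOLDS["latency_ms"]:
        ev.append("LATENCY_ABOVE_THRESHOLD")
    if m.cp_signaling_per_s > THRESHOLDS["cp_signaling_per_s"]:
        ev.append("CP_SIGNALING_ABOVE_THRESHOLD")
    if m.location not in ALLOWED_LOCATIONS:
        ev.append("NF_AT_DISALLOWED_LOCATION")
    if m.relocation_delay_s is not None and m.relocation_delay_s > THRESHOLDS["relocation_delay_s"]:
        ev.append("RELOCATION_DELAY_ABOVE_THRESHOLD")
    if not m.reachable:
        ev.append("NF_NOT_ACCESSIBLE")
    return ev

# Assumed mapping from events to the risk types, severities and actions named in the
# text; rules are checked in order and the first match wins.
RISK_RULES = [
    ({"NF_AT_DISALLOWED_LOCATION"},
     "TARGET_LOCATION_MODIFIED", "CRITICAL", ["isolate_nf", "terminate_nf"]),
    ({"RESOURCES_ABOVE_THRESHOLD", "LATENCY_ABOVE_THRESHOLD",
      "CP_SIGNALING_ABOVE_THRESHOLD", "NF_NOT_ACCESSIBLE"},
     "DDOS_ATTACK", "HIGH", ["throttle_signaling", "scale_resources", "admission_control"]),
    ({"RELOCATION_DELAY_ABOVE_THRESHOLD"},
     "MALICIOUS_RELOCATION", "MEDIUM", ["harden_nf_security"]),
]

def classify(events: list):
    """Return (risk_type, severity, actions) for the first matching rule, else None."""
    for trigger_set, risk_type, severity, actions in RISK_RULES:
        if trigger_set & set(events):
            return risk_type, severity, actions
    return None

def analyze(stream: list) -> list:
    """Walk a measurement stream in time order and emit one notification per risk episode:
    it starts at an NF's first triggering record and stops at the first later one that no
    longer triggers (stop_time stays None when the episode is still open)."""
    open_risks = {}          # nf_id -> notification under construction
    notifications = []
    for m in sorted(stream, key=lambda r: r.t):
        events = triggering_events(m)
        verdict = classify(events)
        if verdict and m.nf_id not in open_risks:
            risk_type, severity, actions = verdict
            open_risks[m.nf_id] = {
                "analytics_type": "statistics",   # the text also allows "prediction"
                "risk_type": risk_type,
                "affected_object": m.nf_id,
                "location": m.location,
                "root_cause": events,
                "severity": severity,
                "start_time": m.t,
                "stop_time": None,
                "duration_s": None,
                "recommended_actions": actions,
            }
        elif not verdict and m.nf_id in open_risks:
            n = open_risks.pop(m.nf_id)
            n["stop_time"] = m.t
            n["duration_s"] = m.t - n["start_time"]
            notifications.append(n)
    notifications.extend(open_risks.values())
    return notifications

# Constructed sample data: an SMF under a signaling flood that later subsides,
# and a UPF relocated outside the allowed locations.
SAMPLE_STREAM = [
    Measurement(0.0, "smf-1", "dc-eu-west", 0.40, 20.0, 800),
    Measurement(10.0, "smf-1", "dc-eu-west", 0.93, 350.0, 12000),
    Measurement(20.0, "smf-1", "dc-eu-west", 0.95, 410.0, 15000, reachable=False),
    Measurement(30.0, "smf-1", "dc-eu-west", 0.50, 25.0, 900),
    Measurement(5.0, "upf-3", "dc-eu-central", 0.30, 8.0, 100),
    Measurement(15.0, "upf-3", "dc-unknown-7", 0.31, 9.0, 100, relocation_delay_s=12.0),
]
```

Calling `analyze(SAMPLE_STREAM)` yields two notifications: a closed DDoS episode on smf-1 (start 10 s, stop 30 s, duration 20 s) and a still-open target-location risk on upf-3.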
FIG. 4 is a simplified block diagram of a device 400 that is suitable for implementing example embodiments of the present disclosure. The device 400 can be implemented at or as a part of the management device 210 such as a MDAS producer or any other device capable of providing the security management.
As shown, the device 400 includes a processor 410, a memory 420 coupled to the processor 410, a communication module 430 coupled to the processor 410, and a communication interface (not shown) coupled to the communication module 430. The memory 420 stores at least a program 440. The communication module 430 is for bidirectional communications, for example, via multiple antennas or via a cable. The communication interface may represent any interface that is necessary for communication.
The program 440 is assumed to include program instructions that, when executed by the associated processor 410, enable the device 400 to operate in accordance with the example embodiments of the present disclosure, as discussed herein with reference to FIGS. 2 and 3. The example embodiments herein may be implemented by computer software executable by the processor 410 of the device 400, or by hardware, or by a combination of software and hardware. The processor 410 may be configured to implement various example embodiments of the present disclosure.
The memory 420 may be of any type suitable to the local technical network and may be implemented using any suitable data storage technology, such as a non-transitory computer readable storage medium, semiconductor based memory devices, magnetic memory devices and systems, optical memory devices and systems, fixed memory and removable memory, as non-limiting examples. While only one memory 420 is shown in the device 400, there may be several physically distinct memory modules in the device 400. The processor 410 may be of any type suitable to the local technical network, and may include one or more of general purpose computers, special purpose computers, microprocessors, digital signal processors (DSPs) and processors based on multicore processor architecture, as non-limiting examples. The device 400 may have multiple processors, such as an application specific integrated circuit chip that is slaved in time to a clock which synchronizes the main processor.
When the device 400 acts as the management device 210, the processor 410 may implement the operations or acts of the analysis device as described above with reference to FIGS. 2 and 3. All operations and features as described above with reference to FIGS. 2 and 3 are likewise applicable to the device 400 and have similar effects. For the purpose of simplification, the details will be omitted.
Generally, various example embodiments of the present disclosure may be implemented in hardware or special purpose circuits, software, logic or any combination thereof. Some aspects may be implemented in hardware, while other aspects may be implemented in firmware or software which may be executed by a controller, microprocessor or other computing device. While various aspects of example embodiments of the present disclosure are illustrated and described as block diagrams, flowcharts, or using some other pictorial representations, it is to be understood that the block, apparatus, system, technique or method described herein may be implemented in, as non-limiting examples, hardware, software, firmware, special purpose circuits or logic, general purpose hardware or controller or other computing devices, or some combination thereof.
The present disclosure also provides at least one computer program product tangibly stored on a non-transitory computer readable storage medium. The computer program product includes computer-executable instructions, such as those included in program modules, being executed in a device on a target real or virtual processor, to carry out the operations and acts as described above with reference to FIGS. 2 and 3. Generally, program modules include routines, programs, libraries, objects, classes, components, data structures, or the like that perform particular tasks or implement particular abstract data types. The functionality of the program modules may be combined or split between program modules as desired in various example embodiments. Machine-executable instructions for program modules may be executed within a local or distributed device. In a distributed device, program modules may be located in both local and remote storage media.
Program code for carrying out methods of the present disclosure may be written in any combination of one or more programming languages. These program codes may be provided to a processor or controller of a general purpose computer, special purpose computer, or other programmable data processing apparatus, such that the program codes, when executed by the processor or controller, cause the functions/operations specified in the flowcharts and/or block diagrams to be implemented. The program code may execute entirely on a machine, partly on the machine, as a stand-alone software package, partly on the machine and partly on a remote machine or entirely on the remote machine or server.
In the context of the present disclosure, the computer program codes or related data may be carried by any suitable carrier to enable the device, apparatus or processor to perform the various processes and operations described above. Examples of the carrier include a signal and computer readable media.
The computer readable medium may be a computer readable signal medium or a computer readable storage medium. A computer readable medium may include, but is not limited to, an electronic, magnetic, optical, electromagnetic, infrared, or semiconductor system, apparatus, or device, or any suitable combination of the foregoing. More specific examples of the computer readable storage medium would include an electrical connection having one or more wires, a portable computer diskette, a hard disk, a random access memory (RAM), a read-only memory (ROM), an erasable programmable read-only memory (EPROM or Flash memory), an optical fiber, a portable compact disc read-only memory (CD-ROM), a Digital Versatile Disc (DVD), an optical storage device, a magnetic storage device, or any suitable combination of the foregoing.
Further, while operations are depicted in a particular order, this should not be understood as requiring that such operations be performed in the particular order shown or in sequential order, or that all illustrated operations be performed, to achieve desirable results. In certain circumstances, multitasking and parallel processing may be advantageous. Likewise, while several specific implementation details are contained in the above discussions, these should not be construed as limitations on the scope of the present disclosure, but rather as descriptions of features that may be specific to particular example embodiments. Certain features that are described in the context of separate example embodiments may also be implemented in combination in a single embodiment. Conversely, various features that are described in the context of a single embodiment may also be implemented in multiple example embodiments separately or in any suitable sub-combination.
Although the present disclosure has been described in languages specific to structural features and/or methodological acts, it is to be understood that the present disclosure defined in the appended claims is not necessarily limited to the specific features or acts described above. Rather, the specific features and acts described above are disclosed as example forms of implementing the claims.
Various example embodiments of the techniques have been described. In addition to or as an alternative to the above, the following examples are described. The features described in any of the following examples may be utilized with any of the other examples described herein.
In some aspects, a device comprises: at least one processor; and at least one memory including computer program code; the at least one memory and the computer program code configured to, with the at least one processor, cause the device to: collect, from a plurality of devices, data for security management; identify a security risk based on the collected data; and send notification of the security risk to facilitate mitigation of the security risk.
In some example embodiments, the device is caused to identify the security risk by: determining occurrence of at least one triggering event associated with the security risk; and in accordance with determining the occurrence of the at least one triggering event, identifying the security risk based on the collected data.
In some example embodiments, the at least one triggering event comprises at least one of: an amount of computing resources consumed by a network object being greater than a threshold amount of resources; an amount of control plane signaling associated with a network object being greater than a threshold amount of control plane signaling; latency associated with a network object being larger than threshold latency; a network function being re-located to a disallowed location; delay in relocating a network function being larger than threshold delay; or lack of accessibility of a network function.
In some example embodiments, the security risk is related to at least one of: abnormal resource usage associated with a network object; abnormal performance associated with a network object; or abnormal behavior associated with a network object.
In some example embodiments, the collected data comprises at least one of performance measurements, event data, configuration data or logs for security analytics.
In some example embodiments, the performance measurements comprise at least one of: delay in accessing a network function; communication between network functions; at least one of timing, duration, success rate or frequency of relocation of a network function; or a location of a network function with respect to a data network.
In some example embodiments, the device is further caused to: identify one or more attributes of the security risk; and send notification of the one or more attributes of the network security risk to facilitate the mitigation of the network security risk.
In some example embodiments, the one or more attributes of the security risk comprise at least one of: a type of the security risk; at least one of a location or a network object, affected by the security risk; at least one of start time, stop time or duration of the security risk; root cause of the security risk; or a severity level of the security risk.
In some example embodiments, the type of the security risk comprises at least one of: a distributed denial-of-service attack for a network object; a software-based event internal to a network function with a malicious behavior; a malicious event to trigger relocation of a network function; modification of a target location for relocation of a network function; eavesdropping by an intermediate node for a network object.
In some example embodiments, the device is further caused to: send notification of a recommendation action to mitigate the security risk.
In some example embodiments, the device comprises a Management Data Analytics Services producer.
In some aspects, a method comprises: collecting, from a plurality of devices, data for security management; identifying a security risk based on the collected data; and sending notification of the security risk to facilitate mitigation of the security risk.
In some example embodiments, identifying the security risk comprises: determining occurrence of at least one triggering event associated with the security risk; and in accordance with determining the occurrence of the at least one triggering event, identifying the security risk based on the collected data.
In some example embodiments, the at least one triggering event comprises at least one of: an amount of computing resources consumed by a network object being greater than a threshold amount of resources; an amount of control plane signaling associated with a network object being greater than a threshold amount of control plane signaling; latency associated with a network object being larger than threshold latency; a network function being re-located to a disallowed location; delay in relocating a network function being larger than threshold delay; or lack of accessibility of a network function.
In some example embodiments, the security risk is related to at least one of: abnormal resource usage associated with a network object; abnormal performance associated with a network object; or abnormal behavior associated with a network object.
In some example embodiments, the collected data comprises at least one of performance measurements, event data, configuration data or logs for security analytics.
In some example embodiments, the performance measurements comprise at least one of: delay in accessing a network function; communication between network functions; at least one of timing, duration, success rate or frequency of relocation of a network function; or a location of a network function with respect to a data network.
In some example embodiments, the method further comprises: identifying one or more attributes of the security risk; and sending notification of the one or more attributes of the network security risk to facilitate the mitigation of the network security risk.
In some example embodiments, the one or more attributes of the security risk comprise at least one of: a type of the security risk; at least one of a location or a network object, affected by the security risk; at least one of start time, stop time or duration of the security risk; root cause of the security risk; or a severity level of the security risk.
In some example embodiments, the type of the security risk comprises at least one of: a distributed denial-of-service attack for a network object; a software-based event internal to a network function with a malicious behavior; a malicious event to trigger relocation of a network function; modification of a target location for relocation of a network function; eavesdropping by an intermediate node for a network object.
In some example embodiments, the method further comprises: sending notification of a recommendation action to mitigate the security risk.
In some example embodiments, the method is implemented at a Management Data Analytics Services producer.
In some aspects, an apparatus comprises: means for collecting, from a plurality of devices, data for security management; means for identifying a security risk based on the collected data; and means for sending notification of the security risk to facilitate mitigation of the security risk.
In some example embodiments, the means for identifying the security risk comprises: means for determining occurrence of at least one triggering event associated with the security risk; and means for, in accordance with determining the occurrence of the at least one triggering event, identifying the security risk based on the collected data.
In some example embodiments, the at least one triggering event comprises at least one of: an amount of computing resources consumed by a network object being greater than a threshold amount of resources; an amount of control plane signaling associated with a network object being greater than a threshold amount of control plane signaling; latency associated with a network object being larger than threshold latency; a network function being re-located to a disallowed location; delay in relocating a network function being larger than threshold delay; or lack of accessibility of a network function.
In some example embodiments, the security risk is related to at least one of: abnormal resource usage associated with a network object; abnormal performance associated with a network object; or abnormal behavior associated with a network object.
In some example embodiments, the collected data comprises at least one of performance measurements, event data, configuration data or logs for security analytics.
In some example embodiments, the performance measurements comprise at least one of: delay in accessing a network function; communication between network functions; at least one of timing, duration, success rate or frequency of relocation of a network function; or a location of a network function with respect to a data network.
In some example embodiments, the apparatus further comprises: means for identifying one or more attributes of the security risk; and means for sending notification of the one or more attributes of the network security risk to facilitate the mitigation of the network security risk.
In some example embodiments, the one or more attributes of the security risk comprise at least one of: a type of the security risk; at least one of a location or a network object, affected by the security risk; at least one of start time, stop time or duration of the security risk; root cause of the security risk; or a severity level of the security risk.
In some example embodiments, the type of the security risk comprises at least one of: a distributed denial-of-service attack for a network object; a software-based event internal to a network function with a malicious behavior; a malicious event to trigger relocation of a network function; modification of a target location for relocation of a network function; eavesdropping by an intermediate node for a network object.
In some example embodiments, the apparatus further comprises: means for sending notification of a recommendation action to mitigate the security risk.
In some example embodiments, the apparatus is implemented at a Management Data Analytics Services producer.
In some aspects, a computer readable storage medium comprises program instructions stored thereon, the instructions, when executed by a processor of a device, causing the device to perform the method according to some example embodiments of the present disclosure.

Claims (24)

  1. A device, comprising:
    at least one processor; and
    at least one memory including computer program code;
    the at least one memory and the computer program code configured to, with the at least one processor, cause the device to:
    collect, from a plurality of devices, data for security management;
    identify a security risk based on the collected data; and
    send notification of the security risk to facilitate mitigation of the security risk.
  2. The device of claim 1, wherein the device is caused to identify the security risk by:
    determining occurrence of at least one triggering event associated with the security risk; and
    in accordance with determining the occurrence of the at least one triggering event, identifying the security risk based on the collected data.
  3. The device of claim 2, wherein the at least one triggering event comprises at least one of:
    an amount of computing resources consumed by a network object being greater than a threshold amount of resources;
    an amount of control plane signaling associated with a network object being greater than a threshold amount of control plane signaling;
    latency associated with a network object being larger than threshold latency;
    a network function being re-located to a disallowed location;
    delay in relocating a network function being larger than threshold delay; or
    lack of accessibility of a network function.
  4. The device of any of claims 1-3, wherein the security risk is related to at least one of:
    abnormal resource usage associated with a network object;
    abnormal performance associated with a network object; or
    abnormal behavior associated with a network object.
  5. The device of claim 1, wherein the collected data comprises at least one of performance measurements, event data, configuration data or logs for security analytics.
  6. The device of claim 5, wherein the performance measurements comprise at least one of:
    delay in accessing a network function;
    communication between network functions;
    at least one of timing, duration, success rate or frequency of relocation of a network function; or
    a location of a network function with respect to a data network.
  7. The device of claim 1, wherein the device is further caused to:
    identify one or more attributes of the security risk; and
    send notification of the one or more attributes of the network security risk to facilitate the mitigation of the network security risk.
  8. The device of claim 7, wherein the one or more attributes of the security risk comprise at least one of:
    a type of the security risk;
    at least one of a location or a network object, affected by the security risk;
    at least one of start time, stop time or duration of the security risk;
    root cause of the security risk; or
    a severity level of the security risk.
  9. The device of claim 8, wherein the type of the security risk comprises at least one of:
    a distributed denial-of-service attack for a network object;
    a software-based event internal to a network function with a malicious behavior;
    a malicious event to trigger relocation of a network function;
    modification of a target location for relocation of a network function;
    eavesdropping by an intermediate node for a network object.
  10. The device of claim 1, wherein the device is further caused to:
    send notification of a recommendation action to mitigate the security risk.
  11. The device of claim 1, wherein the device comprises a Management Data Analytics Services producer.
  12. A method, comprising:
    collecting, from a plurality of devices, data for security management;
    identifying a security risk based on the collected data; and
    sending notification of the security risk to facilitate mitigation of the security risk.
  13. The method of claim 12, wherein identifying the security risk comprises:
    determining occurrence of at least one triggering event associated with the security risk; and
    in accordance with determining the occurrence of the at least one triggering event, identifying the security risk based on the collected data.
  14. The method of claim 13, wherein the at least one triggering event comprises at least one of:
    an amount of computing resources consumed by a network object being greater than a threshold amount of resources;
    an amount of control plane signaling associated with a network object being greater than a threshold amount of control plane signaling;
    latency associated with a network object being larger than threshold latency;
    a network function being re-located to a disallowed location;
    delay in relocating a network function being larger than threshold delay; or
    lack of accessibility of a network function.
  15. The method of any of claims 12-14, wherein the security risk is related to at least one of:
    abnormal resource usage associated with a network object;
    abnormal performance associated with a network object; or
    abnormal behavior associated with a network object.
  16. The method of claim 13, wherein the collected data comprises at least one of performance measurements, event data, configuration data or logs for security analytics.
  17. The method of claim 16, wherein the performance measurements comprise at least one of:
    delay in accessing a network function;
    communication between network functions;
    at least one of timing, duration, success rate or frequency of relocation of a network function; or
    a location of a network function with respect to a data network.
  18. The method of claim 12, further comprising:
    identifying one or more attributes of the security risk; and
    sending notification of the one or more attributes of the network security risk to facilitate the mitigation of the network security risk.
  19. The method of claim 18, wherein the one or more attributes of the security risk comprise at least one of:
    a type of the security risk;
    at least one of a location or a network object, affected by the security risk;
    at least one of start time, stop time or duration of the security risk;
    root cause of the security risk; or
    a severity level of the security risk.
  20. The method of claim 19, wherein the type of the security risk comprises at least one of:
    a distributed denial-of-service attack for a network object;
    a software-based event internal to a network function with a malicious behavior;
    a malicious event to trigger relocation of a network function;
    modification of a target location for relocation of a network function;
    eavesdropping by an intermediate node for a network object.
  21. The method of claim 12, further comprising:
    sending notification of a recommendation action to mitigate the security risk.
  22. The method of claim 12, wherein the method is implemented at a Management Data Analytics Services producer.
  23. An apparatus comprising:
    means for collecting, from a plurality of devices, data for security management;
    means for identifying a security risk based on the collected data; and
    means for sending notification of the security risk to facilitate mitigation of the security risk.
  24. A computer readable storage medium comprising program instructions stored thereon, the instructions, when executed by a processor of a device, causing the device to perform the method of any of claims 12-22.
Application PCT/CN2020/107763, priority date 2020-08-07, filed 2020-08-07: Security management service in management plane, published as WO2022027572A1 (en).
Publications (1)

Publication Number Publication Date
WO2022027572A1 true WO2022027572A1 (en) 2022-02-10

Family

ID=80118587

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/CN2020/107763 WO2022027572A1 (en) 2020-08-07 2020-08-07 Security management service in management plane

Country Status (2)

Country Link
CN (1) CN116114220A (en)
WO (1) WO2022027572A1 (en)

Cited By (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
WO2024046423A1 (en) * 2022-09-01 2024-03-07 华为技术有限公司 Data analysis method and apparatus

Citations (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20160259937A1 (en) * 2015-03-02 2016-09-08 Dell Products L.P. Device reporting and protection systems and methods using a secure distributed transactional ledger
CN107277039A (en) * 2017-07-18 2017-10-20 河北省科学院应用数学研究所 A kind of network attack data analysis and intelligent processing method
US20170346846A1 (en) * 2016-05-31 2017-11-30 Valarie Ann Findlay Security threat information gathering and incident reporting systems and methods
US20180255076A1 (en) * 2017-03-02 2018-09-06 ResponSight Pty Ltd System and Method for Cyber Security Threat Detection
US20200228563A1 (en) * 2014-12-13 2020-07-16 SecurityScorecard, Inc. Online portal for improving cybersecurity risk scores

Family Cites Families (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101605065A (en) * 2009-04-22 2009-12-16 网经科技(苏州)有限公司 The implementation method of security incident monitoring in the system of security centre
CN203204423U (en) * 2013-04-22 2013-09-18 湖南智卓创新金融电子有限公司 Comprehensive service system for network data analysis
CN109698760B (en) * 2017-10-23 2021-05-04 华为技术有限公司 Traffic processing method, user plane device and terminal equipment
CN110351229B (en) * 2018-04-04 2020-12-08 电信科学技术研究院有限公司 Terminal UE (user equipment) management and control method and device
CN110769455B (en) * 2018-07-26 2022-05-31 华为技术有限公司 Data collection method, equipment and system

Cited By (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
WO2024046423A1 (en) * 2022-09-01 2024-03-07 华为技术有限公司 Data analysis method and apparatus

Also Published As

Publication number Publication date
CN116114220A (en) 2023-05-12

Similar Documents

Publication Publication Date Title
JP5877429B2 (en) Method and apparatus for network analysis
EP3954099B1 (en) Network anomaly detection
US10986067B2 (en) Anomaly detection in software defined networking
US9883413B2 (en) Management of group mobile device network traffic usage
Iyer et al. Automating diagnosis of cellular radio access network problems
US20210243610A1 (en) Machine-learning framework for spectrum allocation
US11711395B2 (en) User-determined network traffic filtering
WO2022027572A1 (en) Security management service in management plane
Gelenbe et al. Detection and mitigation of signaling storms in mobile networks
Gelenbe et al. Countering mobile signaling storms with counters
WO2017140710A1 (en) Detection of malware in communications
EP3466143B1 (en) Method and network node for providing an rf model of a telecommunications system
Suomalainen et al. Security-driven prioritization for tactical mobile networks
Fehling-Kaschek et al. Risk and resilience assessment and improvement in the telecommunication industry
KR101564228B1 (en) SYSTEM FOR DETECTING SIGNALING DoS TRAFFIC IN MOBILE COMMUNICATION NETWORK AND METHOD THEREOF
US20180114021A1 (en) Optimizing data detection in communications
WO2022067835A1 (en) Method, apparatus and computer program
EP4060915B1 (en) Signalling framework for jamming detection and mitigation
Adikpe et al. Congestion Analysis of a GSM Network in Kaduna State Nigeria
Ijaz et al. An AI-enabled framework to defend ingenious MDT-based attacks on the emerging zero touch cellular networks
US20230232235A1 (en) Monitoring of at least one slice of a communications network using a confidence index assigned to the slice of the network
WO2024077582A1 (en) Security counter measure for distributed network slice admission control
US20230139435A1 (en) System and method for progressive traffic inspection and treatment in a network
Yungaicela-Naula et al. Misconfiguration in O-RAN: Analysis of the impact of AI/ML

Legal Events

Date Code Title Description
NENP Non-entry into the national phase

Ref country code: DE

122 EP: PCT application non-entry in European phase

Ref document number: 20948018

Country of ref document: EP

Kind code of ref document: A1