WO2022027572A1 - Security management service in management plane - Google Patents
- Publication number: WO2022027572A1 (PCT/CN2020/107763)
- Authority: WO, WIPO (PCT)
- Prior art keywords
- security risk
- network
- security
- data
- network function
- Prior art date
Classifications
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F21/00—Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F21/50—Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
- G06F21/55—Detecting local intrusion or implementing counter-measures
- G06F21/554—Detecting local intrusion or implementing counter-measures involving event detection and direct action
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F21/00—Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F21/50—Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
- G06F21/55—Detecting local intrusion or implementing counter-measures
- G06F21/552—Detecting local intrusion or implementing counter-measures involving long-term monitoring or reporting
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/14—Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
- H04L63/1408—Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
- H04L63/1425—Traffic logging, e.g. anomaly detection
Definitions
- Example embodiments of the present disclosure generally relate to the field of communication, and in particular, to a device, method and computer readable storage medium for security management.
- NFs Network Functions
- MDAS Management Data Analytics Services
- security measures can be currently provided only on a terminal side in a control plane in networks.
- example embodiments of the present disclosure provide a device, method and computer readable storage medium for security management.
- a device which comprises at least one processor and at least one memory including computer program code.
- the at least one memory and the computer program code are configured to, with the at least one processor, cause the device to collect, from a plurality of devices, data for security management.
- the device is further caused to identify a security risk based on the collected data and send notification of the security risk to facilitate mitigation of the security risk.
- a method is provided.
- data for security management is collected from a plurality of devices.
- a security risk is identified based on the collected data. Further, notification of the security risk is sent to facilitate mitigation of the security risk.
- an apparatus comprising means for performing the method according to the second aspect.
- a computer readable storage medium comprising program instructions stored thereon. The instructions, when executed by a processor of a device, cause the device to perform the method according to the second aspect.
- FIG. 1 illustrates an example of cross-domain MDAS architecture
- FIG. 2 illustrates an example environment in which example embodiments of the present disclosure can be implemented
- FIG. 3 illustrates a flowchart of an example method according to some example embodiments of the present disclosure.
- FIG. 4 illustrates a simplified block diagram of a device that is suitable for implementing example embodiments of the present disclosure.
- NF network function
- NF refers to a physical, virtual or hybrid function or entity which is deployed at a network side and provides one or more services to clients.
- an NF may be arranged at a device in an access network or a core network.
- the NF may be implemented in hardware, software, firmware, or some combination thereof.
- circuitry may refer to one or more or all of the following:
- combinations of hardware circuits and software such as (as applicable): (i) a combination of analog and/or digital hardware circuit(s) with software/firmware and (ii) any portions of hardware processor(s) with software (including digital signal processor(s)), software, and memory(ies) that work together to cause an apparatus, such as a mobile phone or server, to perform various functions; and
- circuitry also covers an implementation of merely a hardware circuit or processor (or multiple processors) or portion of a hardware circuit or processor and its (or their) accompanying software and/or firmware.
- circuitry also covers, for example and if applicable to the particular claim element, a baseband integrated circuit or processor integrated circuit for a mobile device or a similar integrated circuit in a server, a cellular base station, or other computing or base station.
- As used herein, the terms "first", "second" and the like may be used to describe various elements, but these elements should not be limited by these terms. These terms are only used to distinguish one element from another. For example, a first element could be referred to as a second element, and similarly, a second element could be termed a first element, without departing from the scope of example embodiments. As used herein, the term "and/or" includes any and all combinations of one or more of the listed terms.
- a Network Data Analytics Function can provide security analysis related to an abnormal behavior of user equipment (UE) or a Mobile Initiated Connection Only (MICO) device.
- UE user equipment
- MICO Mobile Initiated Connection Only
- the NWDAF could provide to other NFs alerts for anomaly events together with additional information on a possible cause for the anomaly events, thus allowing for 5G service automation, or allowing for troubleshooting in general.
- the information about anomaly events is currently identified as a key issue. This means that such information could potentially be provided to other NFs so that the NFs could take proper actions. For example, such information could be provided to a Policy Control Function (PCF) to derive different policies.
- PCF Policy Control Function
- the NWDAF can also provide support for cyber-attacks. Cyber-attacks may be efficiently detected by monitoring events and data packets at the UE and on the network side with the support of the NWDAF and machine-learning algorithms, for example.
- the UE and NWDAF collaborate with each other to detect the attacks that may occur at a UE or in a RAN or core network. Alerts for the attack detection could be provided to Operations, Administration and Maintenance (OAM) and 5G Core (5GC) NFs that have subscribed to the alerts so that the NFs could take the corresponding actions.
- OAM Operations, Administration and Maintenance
- 5GC 5G Core
- Although NWDAF-based security analytics could detect some security issues in a core network, the detection is at an early stage where only a key issue and a problem statement are involved, without a solution. Moreover, such security analytics is limited in addressing more advanced threats, which may need correlated data collected from multiple domains with respect to various aspects.
- MDAS Management Data Analytics Services
- RAN Radio Access Network
- 5G fifth generation
- E2E end-to-end
- FIG. 1 shows an example of cross-domain MDAS architecture 100.
- a cross-domain MDAS consumer can interact with corresponding MDAS producers in RAN and 5G Core domains.
- a CN MDAS producer 105 may interact with a Network Data Analytics Function (NWDAF) 110 via an Nnwdaf interface 115 or an MDAS interface 220 to use the analytics result of the NWDAF 110 as input.
- NWDAF 110 Network Data Analytics Function
- an MDAS producer may provide analytics data for management purposes based on the data related to different types of NFs, such as data reported from New Radio (NR) NodeB (gNB) and other core network functions.
- NR New Radio
- gNB New Radio NodeB
- MDAS enables automation analysis of raw data related to network and service events in the management plane, for example, as specified in the 3rd Generation Partnership Project (3GPP) specifications such as 3GPP TS 28.552, TS 28.553 and TS 28.554.
- 3GPP 3rd Generation Partnership Project
- the network and service events may be related to the following aspects:
- MDT Trace – Minimization of Driving Tests
- RLF Radio Link Failure
- RCEF Resource Control Enforcement Function
- MDAS may additionally consume analytics knowledge, such as processed data, and network analytics input from different domains, such as a core network (for example, from an NWDAF) and a RAN. Meanwhile, MDAS can be consumed by Management Functions or Management Service (MnS) consumers, 5G core NFs, such as an NWDAF, Self-Organizing Network (SON) functions, optimization tools and human operators.
- MnS Management Functions or Management Service
- NWDAF Network Data Analytics Function
- SON Self-Organizing Network
- MDAS provides services related only to service assurance, troubleshooting and network optimization, but has not addressed or covered security threat detection and analysis.
- security risk assessment and analytics are not considered for MDAS, which instead focuses on fault management concentrating on abnormal behaviors.
- the fault management may be based on measurements with respect to radio condition including Channel Quality Indicator (CQI), Radio Resource Control (RRC), Transport Block (TB) and throughput of RAN and 5G Core, as well as performance of session and mobility, such as Protocol Data Unit (PDU) session and Quality of Service (QoS) flow, and User Plane Function (UPF) and network slice failure related issues.
- CQI Channel Quality Indicator
- RRC Radio Resource Control
- TB Transport Block
- PDU Protocol Data Unit
- QoS Quality of Service
- UPF User Plane Function
- NFV Network Function Virtualization
- Example embodiments of the present disclosure provide a scheme for security risk assessment and analytics based on correlated data with respect to failure, virtualization and network function (NF) or UE context and other aspects.
- This scheme collects data such as performance measurements, event data, configuration data and logs from a plurality of different devices. These devices may comprise a network element (NE), a network function (NF), and/or a network function virtualization (NFV) orchestrator and may act as a management service consumer and/or a management service producer. Based on the collected data, a security risk is identified and then notification of the security risk is sent out to facilitate mitigation of the security risk.
- NE network element
- NF network function
- NFV network function virtualization
- This scheme introduces a new analytics service related to security risk assessment.
- a security risk such as advanced persistent threat (APT) can be identified based on the data collected from a plurality of devices.
- APT advanced persistent threat
- This scheme further introduces a specific interface to notify an identified security risk to facilitate mitigation of the security risk. For example, the notification may be sent to an NF, a management system or device or a human operator such that the corresponding actions may be taken to isolate the security risk or harden network security.
- FIG. 2 shows an example environment 200 in which example embodiments of the present disclosure can be implemented.
- the environment 200 which may be a part of a communication network, comprises a management device 210 to provide management services, in particular, related to security risk assessment.
- the management device 210 may be implemented by a MDAS producer in any suitable domain such as a RAN or a core network (for example, 5GC). Any other suitable device capable of providing management services may also function as the management device 210.
- the management device 210 can communicate with a plurality of devices 220-1...220-N where N represents any suitable positive integer greater than 1.
- the plurality of devices 220-1...220-N will be collectively or individually referred to as a device or devices 220.
- the devices 220 may comprise any suitable device located on different domains and may enable one or more NFs and/or network services. Examples of the devices 220 may comprise an NE, an NF and/or an NFV orchestrator, and may act as a management service consumer and/or producer.
- the communication between the management device 210 and the plurality of devices 220 may be performed in a wired or wireless way and may utilize any suitable communication technology that is existing or to be developed in the future. The scope of the present disclosure will not be limited in this regard.
- the management device 210 collects from the plurality of devices 220 data for security management, which may comprise performance measurements, event data, and/or logs related to network security.
- the data may be generated at the plurality of devices 220 or obtained by the plurality of devices 220 from other devices which generate the data.
- the management device 210 identifies a security risk and sends out notification of the security risk to facilitate mitigation of the security risk.
- FIG. 3 shows a flowchart of an example method 300 according to some example embodiments of the present disclosure.
- the method 300 can be implemented at the management device 210 (such as a MDAS producer) as shown in FIG. 2 or any other suitable device capable of providing security management services.
- the method 300 will be described with reference to FIG. 2.
- data for security management is collected from the plurality of devices 220.
- the collected data may comprise any suitable data related to network security.
- the collected data may comprise various performance measurements that may be collected at individual NFs or NEs, NF orchestrators or a management system in terms of failures and disruptions, virtualized resources and/or behavior, NF or UE context information, and the like.
- some performance measurements may be dedicated for security management.
- the collected performance measurements may be related to NF relocation, NF performance with respect to specific key performance indicators (KPIs) such as latency, and other NF communication behaviors (for example, how one NF interacts with another NF).
- KPIs key performance indicators
- Such performance measurements may comprise delay (especially excessive delay) in accessing an NF such as Access and Mobility Function (AMF) or Session Management Function (SMF).
- these performance measurements may comprise communication between NFs, especially abnormal and excessive NF communication. For example, if an AMF uses a different SMF without performing an expected selection process, abnormal NF communication may be indicated. If an AMF overloads an SMF unexpectedly, excessive NF communication is indicated.
- the dedicated performance measurements may comprise timing, duration, success rate and/or frequency (or rate) of relocation of an NF and/or a location of an NF with respect to a data network.
- the collected data may comprise event data, including, for example, fault measurements or other event measurements.
- the fault measurements may comprise alarm data which comprises any suitable alarm information such as types of alarms.
- the collected data may comprise configuration data, logs, service data, network topology and the like.
- the security risk may comprise any risk related to network security.
- the security risk may be related to abnormal resource usage associated with a network object.
- the network object may be any suitable object such as a device, a function or a service in a network, which may comprise an NF, a PDU session, a QoS flow or the like.
- the network object may be enabled by one or more of the plurality of devices 220 or by other devices.
- the security management may correlate UE procedures or other events with resource usage with respect to a Central Processing Unit (CPU), a storage, a disk, virtual resources and the like.
- CPU Central Processing Unit
- the expected CPU, storage or disk resource usage should reflect the relevant UE and event processes.
- an NF maintains a predetermined number of UEs, Protocol Data Unit (PDU) sessions, Quality of Service (QoS) flows or other UE related context.
- PDU Protocol Data Unit
- QoS Quality of Service
- the maintaining would require a fixed or expected amount of virtual resources and storage that should not surpass certain limits. If an amount of consumed resources exceeds a certain limit, there could be a security risk, especially if no other fault alarms indicate other reasons than a security risk.
- process registration and PDU session establishment would require a fixed or expected amount of CPU resources that should not surpass certain limits. If the amount of consumed CPU resources surpasses a certain limit, a security risk may be identified.
- the security risk may be related to abnormal performance associated with a network object. For example, an amount of control plane signaling, such as registration, modification and update signaling, should not surpass a certain threshold. Moreover, latency in a user plane should not exceed threshold latency. If the corresponding threshold is exceeded, there could be a security risk.
- the security risk may also be related to abnormal behavior associated with a network object. For example, a malicious NF that cannot perform desired tasks may cause service disruption. As another example, an NF communicates with another NF, which should not take place. A further example is that communication between NFs that should be allowed is not allowed. If such events occur, a security risk may be identified.
- the security risk may be identified upon occurrence of one or more associated triggering events. For example, if an associated triggering event occurs, the identifying of the security risk will be triggered.
- the triggering event may comprise any suitable events that may trigger or induce a security risk.
- the triggering event may be that an amount of computing resources consumed by a network object is greater than a threshold amount of resources. For example, if an increase of CPU and/or storage load is unexpected or sudden, that is, the increase cannot be justified by current or expected load, a suspicious Distributed Denial-of-Service (DDoS) attack may be predicted.
- DDoS Distributed Denial-of-Service
- Unexpected increase in latency associated with a network object may also be considered as a triggering event.
- latency larger than threshold latency may indicate a suspicious DDoS attack.
- an excessive amount (for example, greater than a threshold amount) of control plane signaling associated with a network object may be considered as a triggering event.
- Unexpected lack of accessibility of an NF from other NFs and/or UEs may also be considered as a triggering event.
- triggering events may be related to NF relocation.
- Such triggering events may include an unexpected NF location (virtual or geographical), unexpected excessive delay in relocating an NF, and other relocation related events. For example, if an NF is relocated to a disallowed location, for example, the NF is relocated outside potential locations allowed by a mobile network operator or the third party, the identifying of the security risk may be triggered. If delay in relocating an NF is larger than threshold delay, the identifying of the security risk may also be triggered.
- the triggering events may provide a guide for a security risk assessment. For example, upon the triggering event, a security risk assessment may be performed to identify abnormal behavior based on the collected data. In some example embodiments, the data collection may also need to be triggered by the triggering events. For example, after it is determined that a triggering event occurs, data for security management is collected from various NFs or NEs to identify an anomalous network object.
- notification of the security risk is sent out to facilitate mitigation of the security risk.
- the notification may be sent to any suitable reception party, including, for example, an NF and/or NE, a management device or system, a management service consumer or a human operator.
- one or more attributes of the security risk are identified and then notification thereof is sent out.
- a specific interface for the attributes of the security risk may further facilitate the mitigation of the security risk.
- the attributes of the security risk may comprise any suitable information related to the identified security risk.
- the attributes of the security risk may comprise a type of the security risk that may be indicated by an identifier.
- the type of the security risk may comprise a DDoS attack for a network object such as a gNB or an NF in the user or control plane.
- the type of the security risk may also be a software-based event internal to an NF with a malicious behavior. For example, a NF communicates abnormally to other NFs or external entities, which creates overload or information leakage.
- the security risk may be a malicious event that triggers relocation of an NF. For example, a frequent abnormal NF relocation is triggered and further disrupts a service.
- the security risk may also be modification of a target location for relocation of an NF. For example, in a relocation process, an NF is relocated towards a different location than a desired location or even outside the operator premises.
- the security risk may be eavesdropping by an intermediate node for a network object, which, for example, causes excessive delay or even service disruption.
- the attributes of the security risk may comprise a location and/or a network object affected by the security risk, root cause, and/or a severity level.
- the attributes may also comprise start time, stop time and/or duration of the security risk, that is, when the security risk starts and stops and how long it lasts.
- a recommended action to mitigate the security risk may be notified to further facilitate a mitigation plan.
- the action may comprise isolating the security risk, including, for example, isolating or terminating an NF, terminating or deleting a PDU session, throttling signaling from an NF or a UE and/or blocking a UE.
- the action may also comprise hardening network security, including, for example, hardening security on a specific NF, firewall update, scaling resources, load balancing and/or admission control.
- a type of analytics such as statistics or prediction of security risks may be indicated in the notification. Examples of analytics results for security management are shown below.
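The following is an added illustration (not code from the patent) of the triggering-event and notification logic described above: it evaluates constructed performance measurements against the listed triggering events, applies the "no other fault alarm" condition for resource excess, and produces a notification carrying the attributes the disclosure names (type, network object, location, start/stop/duration, root cause, severity, recommended action). All thresholds, field names, sample values and timestamps are constructed for the example.

```python
"""Toy security-risk assessment for a management-plane analytics service.
Added illustration; thresholds, field names and samples are constructed."""
from dataclasses import dataclass, field
from datetime import datetime, timedelta

# Triggering events, mirroring the list in the disclosure.
RESOURCE_EXCEEDED = "resource_exceeded"
SIGNALING_EXCEEDED = "cp_signaling_exceeded"
LATENCY_EXCEEDED = "latency_exceeded"
DISALLOWED_LOCATION = "nf_relocated_to_disallowed_location"
RELOCATION_DELAY = "nf_relocation_delay_exceeded"
NF_INACCESSIBLE = "nf_inaccessible"

# Constructed operator thresholds and allowed NF locations.
THRESHOLDS = {
    "cpu_pct": 80.0,            # computing resources consumed by the object
    "cp_signaling_per_s": 500,  # registration/modification/update signaling
    "latency_ms": 50.0,         # user-plane latency
    "relocation_delay_s": 30.0, # delay in relocating an NF
}
ALLOWED_LOCATIONS = {"dc-east", "dc-west"}


@dataclass
class Measurement:
    """One window of collected data for a network object (NF, PDU session, ...)."""
    network_object: str
    location: str
    start: datetime
    stop: datetime
    cpu_pct: float = 0.0
    cp_signaling_per_s: float = 0.0
    latency_ms: float = 0.0
    relocation_delay_s: float = 0.0
    accessible: bool = True
    fault_alarms: list = field(default_factory=list)  # non-security alarm types


def triggering_events(m, thr=THRESHOLDS, allowed=ALLOWED_LOCATIONS):
    """Return the triggering events present in one measurement window."""
    events = []
    if m.cpu_pct > thr["cpu_pct"]:
        events.append(RESOURCE_EXCEEDED)
    if m.cp_signaling_per_s > thr["cp_signaling_per_s"]:
        events.append(SIGNALING_EXCEEDED)
    if m.latency_ms > thr["latency_ms"]:
        events.append(LATENCY_EXCEEDED)
    if m.location not in allowed:
        events.append(DISALLOWED_LOCATION)
    if m.relocation_delay_s > thr["relocation_delay_s"]:
        events.append(RELOCATION_DELAY)
    if not m.accessible:
        events.append(NF_INACCESSIBLE)
    return events


def assess(m):
    """Identify a security risk only after a triggering event and return the
    notification attributes, or None when no risk is identified."""
    events = triggering_events(m)
    if not events:
        return None
    # Resource excess that another fault alarm already explains is not
    # treated as a security risk (the "no other fault alarms" condition).
    if events == [RESOURCE_EXCEEDED] and m.fault_alarms:
        return None
    if DISALLOWED_LOCATION in events:
        risk, cause, action = ("target_location_modified",
                               "NF relocated outside allowed locations", "isolate_nf")
    elif RELOCATION_DELAY in events:
        risk, cause, action = ("malicious_relocation_event",
                               "relocation delay above threshold", "isolate_nf")
    elif {RESOURCE_EXCEEDED, SIGNALING_EXCEEDED, LATENCY_EXCEEDED} & set(events):
        risk, cause, action = ("ddos_attack",
                               "load/signaling/latency not justified by expected load",
                               "throttle_signaling")
    else:
        risk, cause, action = ("malicious_nf_behavior",
                               "NF not reachable from peer NFs or UEs", "isolate_nf")
    return {
        "analytics_type": "statistics",
        "risk_type": risk,
        "network_object": m.network_object,
        "location": m.location,
        "start_time": m.start.isoformat(),
        "stop_time": m.stop.isoformat(),
        "duration_s": (m.stop - m.start).total_seconds(),
        "root_cause": cause,
        "severity": "high" if len(events) >= 2 else "medium",
        "triggering_events": events,
        "recommended_action": action,
    }


T0 = datetime(2024, 1, 1, 12, 0, 0)  # constructed timestamp
SAMPLES = [  # constructed measurement windows
    Measurement("amf-1", "dc-east", T0, T0 + timedelta(minutes=5),
                cpu_pct=40, cp_signaling_per_s=120, latency_ms=12),   # healthy
    Measurement("amf-2", "dc-east", T0, T0 + timedelta(minutes=5),
                cpu_pct=95, cp_signaling_per_s=2400, latency_ms=20),  # spike, no alarm
    Measurement("smf-1", "dc-west", T0, T0 + timedelta(minutes=5),
                cpu_pct=92, fault_alarms=["disk_degraded"]),          # explained spike
    Measurement("smf-2", "cloud-unknown", T0, T0 + timedelta(minutes=2),
                cpu_pct=30),                                          # bad location
]


def assess_all(samples=SAMPLES):
    """Run the assessment over every window, keyed by network object."""
    return {m.network_object: assess(m) for m in samples}
```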
- FIG. 4 is a simplified block diagram of a device 400 that is suitable for implementing example embodiments of the present disclosure.
- the device 400 can be implemented at or as a part of the management device 210 such as a MDAS producer or any other device capable of providing the security management.
- the device 400 includes a processor 410, a memory 420 coupled to the processor 410, a communication module 430 coupled to the processor 410, and a communication interface (not shown) coupled to the communication module 430.
- the memory 420 stores at least a program 440.
- the communication module 430 is for bidirectional communications, for example, via multiple antennas or via a cable.
- the communication interface may represent any interface that is necessary for communication.
- the program 440 is assumed to include program instructions that, when executed by the associated processor 410, enable the device 400 to operate in accordance with the example embodiments of the present disclosure, as discussed herein with reference to FIGS. 2 and 3.
- the example embodiments herein may be implemented by computer software executable by the processor 410 of the device 400, or by hardware, or by a combination of software and hardware.
- the processor 410 may be configured to implement various example embodiments of the present disclosure.
- the memory 420 may be of any type suitable to the local technical network and may be implemented using any suitable data storage technology, such as a non-transitory computer readable storage medium, semiconductor based memory devices, magnetic memory devices and systems, optical memory devices and systems, fixed memory and removable memory, as non-limiting examples. While only one memory 420 is shown in the device 400, there may be several physically distinct memory modules in the device 400.
- the processor 410 may be of any type suitable to the local technical network, and may include one or more of general purpose computers, special purpose computers, microprocessors, digital signal processors (DSPs) and processors based on multicore processor architecture, as non-limiting examples.
- the device 400 may have multiple processors, such as an application specific integrated circuit chip that is slaved in time to a clock which synchronizes the main processor.
- the processor 410 may implement the operations or acts of the analysis device as described above with reference to FIGS. 2 and 3. All operations and features as described above with reference to FIGS. 2 and 3 are likewise applicable to the device 400 and have similar effects. For the purpose of simplification, the details will be omitted.
- various example embodiments of the present disclosure may be implemented in hardware or special purpose circuits, software, logic or any combination thereof. Some aspects may be implemented in hardware, while other aspects may be implemented in firmware or software which may be executed by a controller, microprocessor or other computing device. While various aspects of example embodiments of the present disclosure are illustrated and described as block diagrams, flowcharts, or using some other pictorial representations, it is to be understood that the block, apparatus, system, technique or method described herein may be implemented in, as non-limiting examples, hardware, software, firmware, special purpose circuits or logic, general purpose hardware or controller or other computing devices, or some combination thereof.
- the present disclosure also provides at least one computer program product tangibly stored on a non-transitory computer readable storage medium.
- the computer program product includes computer-executable instructions, such as those included in program modules, being executed in a device on a target real or virtual processor, to carry out the operations and acts as described above with reference to FIGS. 2 and 3.
- program modules include routines, programs, libraries, objects, classes, components, data structures, or the like that perform particular tasks or implement particular abstract data types.
- the functionality of the program modules may be combined or split between program modules as desired in various example embodiments.
- Machine-executable instructions for program modules may be executed within a local or distributed device. In a distributed device, program modules may be located in both local and remote storage media.
- Program code for carrying out methods of the present disclosure may be written in any combination of one or more programming languages. These program codes may be provided to a processor or controller of a general purpose computer, special purpose computer, or other programmable data processing apparatus, such that the program codes, when executed by the processor or controller, cause the functions/operations specified in the flowcharts and/or block diagrams to be implemented.
- the program code may execute entirely on a machine, partly on the machine, as a stand-alone software package, partly on the machine and partly on a remote machine or entirely on the remote machine or server.
- the computer program codes or related data may be carried by any suitable carrier to enable the device, apparatus or processor to perform various processes and operations as described above.
- Examples of the carrier include a signal or computer readable media.
- the computer readable medium may be a computer readable signal medium or a computer readable storage medium.
- a computer readable medium may include, but is not limited to, an electronic, magnetic, optical, electromagnetic, infrared, or semiconductor system, apparatus, or device, or any suitable combination of the foregoing.
- the computer readable storage medium would include an electrical connection having one or more wires, a portable computer diskette, a hard disk, a random access memory (RAM), a read-only memory (ROM), an erasable programmable read-only memory (EPROM or Flash memory), an optical fiber, a portable compact disc read-only memory (CD-ROM), Digital Versatile Disc (DVD), an optical storage device, a magnetic storage device, or any suitable combination of the foregoing.
- RAM random access memory
- ROM read-only memory
- EPROM or Flash memory erasable programmable read-only memory
- CD-ROM compact disc read-only memory
- DVD Digital Versatile Disc
- a device comprises: at least one processor; and at least one memory including computer program code; the at least one memory and the computer program code configured to, with the at least one processor, cause the device to: collect, from a plurality of devices, data for security management; identify a security risk based on the collected data; and send notification of the security risk to facilitate mitigation of the security risk.
- the device is caused to identify the security risk by: determining occurrence of at least one triggering event associated with the security risk; and in accordance with determining the occurrence of the at least one triggering event, identifying the security risk based on the collected data.
- the at least one triggering event comprises at least one of: an amount of computing resources consumed by a network object being greater than a threshold amount of resources; an amount of control plane signaling associated with a network object being greater than a threshold amount of control plane signaling; latency associated with a network object being larger than threshold latency; a network function being re-located to a disallowed location; delay in relocating a network function being larger than threshold delay; or lack of accessibility of a network function.
- the security risk is related to at least one of: abnormal resource usage associated with a network object; abnormal performance associated with a network object; or abnormal behavior associated with a network object.
- the collected data comprises at least one of performance measurements, event data, configuration data or logs for security analytics.
- the performance measurements comprise at least one of: delay in accessing a network function; communication between network functions; at least one of timing, duration, success rate or frequency of relocation of a network function; or a location of a network function with respect to a data network.
- the device is further caused to: identify one or more attributes of the security risk; and send notification of the one or more attributes of the network security risk to facilitate the mitigation of the network security risk.
- the one or more attributes of the security risk comprise at least one of: a type of the security risk; at least one of a location or a network object, affected by the security risk; at least one of start time, stop time or duration of the security risk; root cause of the security risk; or a severity level of the security risk.
- the type of the security risk comprises at least one of: a distributed denial-of-service attack for a network object; a software-based event internal to a network function with a malicious behavior; a malicious event to trigger relocation of a network function; modification of a target location for relocation of a network function; eavesdropping by an intermediate node for a network object.
- the device is further caused to: send notification of a recommendation action to mitigate the security risk.
- the device comprises a Management Data Analytics Services producer.
- a method comprises: collecting, from a plurality of devices, data for security management; identifying a security risk based on the collected data; and sending notification of the security risk to facilitate mitigation of the security risk.
- identifying the security risk comprises: determining occurrence of at least one triggering event associated with the security risk; and in accordance with determining the occurrence of the at least one triggering event, identifying the security risk based on the collected data.
- the at least one triggering event comprises at least one of: an amount of computing resources consumed by a network object being greater than a threshold amount of resources; an amount of control plane signaling associated with a network object being greater than a threshold amount of control plane signaling; latency associated with a network object being larger than threshold latency; a network function being re-located to a disallowed location; delay in relocating a network function being larger than threshold delay; or lack of accessibility of a network function.
- the security risk is related to at least one of: abnormal resource usage associated with a network object; abnormal performance associated with a network object; or abnormal behavior associated with a network object.
- the collected data comprises at least one of performance measurements, event data, configuration data or logs for security analytics.
- the performance measurements comprise at least one of: delay in accessing a network function; communication between network functions; at least one of timing, duration, success rate or frequency of relocation of a network function; or a location of a network function with respect to a data network.
- the method further comprises: identifying one or more attributes of the security risk; and sending notification of the one or more attributes of the network security risk to facilitate the mitigation of the network security risk.
- the one or more attributes of the security risk comprise at least one of: a type of the security risk; at least one of a location or a network object, affected by the security risk; at least one of start time, stop time or duration of the security risk; root cause of the security risk; or a severity level of the security risk.
- the type of the security risk comprises at least one of: a distributed denial-of-service attack for a network object; a software-based event internal to a network function with a malicious behavior; a malicious event to trigger relocation of a network function; modification of a target location for relocation of a network function; eavesdropping by an intermediate node for a network object.
- the method further comprises: sending notification of a recommendation action to mitigate the security risk.
- the method is implemented at a Management Data Analytics Services producer.
- an apparatus comprises: means for collecting, from a plurality of devices, data for security management; means for identifying a security risk based on the collected data; and means for sending notification of the security risk to facilitate mitigation of the security risk.
- the means for identifying the security risk comprises: means for determining occurrence of at least one triggering event associated with the security risk; and means for in accordance with determining the occurrence of the at least one triggering event, identifying the security risk based on the collected data.
- the at least one triggering event comprises at least one of: an amount of computing resources consumed by a network object being greater than a threshold amount of resources; an amount of control plane signaling associated with a network object being greater than a threshold amount of control plane signaling; latency associated with a network object being larger than threshold latency; a network function being re-located to a disallowed location; delay in relocating a network function being larger than threshold delay; or lack of accessibility of a network function.
- the security risk is related to at least one of: abnormal resource usage associated with a network object; abnormal performance associated with a network object; or abnormal behavior associated with a network object.
- the collected data comprises at least one of performance measurements, event data, configuration data or logs for security analytics.
- the performance measurements comprise at least one of: delay in accessing a network function; communication between network functions; at least one of timing, duration, success rate or frequency of relocation of a network function; or a location of a network function with respect to a data network.
- the apparatus further comprises: means for identifying one or more attributes of the security risk; and means for sending notification of the one or more attributes of the network security risk to facilitate the mitigation of the network security risk.
- the one or more attributes of the security risk comprise at least one of: a type of the security risk; at least one of a location or a network object, affected by the security risk; at least one of start time, stop time or duration of the security risk; root cause of the security risk; or a severity level of the security risk.
- the type of the security risk comprises at least one of: a distributed denial-of-service attack for a network object; a software-based event internal to a network function with a malicious behavior; a malicious event to trigger relocation of a network function; modification of a target location for relocation of a network function; eavesdropping by an intermediate node for a network object.
- the apparatus further comprises: means for sending notification of a recommendation action to mitigate the security risk.
- the apparatus is implemented at a Management Data Analytics Services producer.
- a computer readable storage medium comprises program instructions stored thereon, the instructions, when executed by a processor of a device, causing the device to perform the method according to some example embodiments of the present disclosure.
Abstract
Example embodiments of the present disclosure relate to a device, method and computer readable storage medium for security management. In example embodiments, data for security management is collected from a plurality of devices. A security risk is identified based on the collected data. Further, notification of the security risk is sent to facilitate mitigation of the security risk.
Description
Example embodiments of the present disclosure generally relate to the field of communication, and in particular, to a device, method and computer readable storage medium for security management.
Security risk assessment issues related to management of Network Functions (NFs) can be considered based on data analytic services in a management plane. For example, Management Data Analytics Services (MDAS) can provide root cause analysis and other data analytics in the management plane. However, security measures are currently provided only on the terminal side, in the control plane of networks.
SUMMARY
In general, example embodiments of the present disclosure provide a device, method and computer readable storage medium for security management.
In a first aspect, a device is provided which comprises at least one processor and at least one memory including computer program code. The at least one memory and the computer program code are configured to, with the at least one processor, cause the device to collect, from a plurality of devices, data for security management. The device is further caused to identify a security risk based on the collected data and send notification of the security risk to facilitate mitigation of the security risk.
In a second aspect, a method is provided. In the method, data for security management is collected from a plurality of devices. A security risk is identified based on the collected data. Further, notification of the security risk is sent to facilitate mitigation of the security risk.
In a third aspect, there is provided an apparatus comprising means for performing the method according to the second aspect.
In a fourth aspect, there is provided a computer readable storage medium comprising program instructions stored thereon. The instructions, when executed by a processor of a device, cause the device to perform the method according to the second aspect.
It is to be understood that the summary section is not intended to identify key or essential features of example embodiments of the present disclosure, nor is it intended to be used to limit the scope of the present disclosure. Other features of the present disclosure will become easily comprehensible through the following description.
Some example embodiments will now be described with reference to the accompanying drawings, where:
FIG. 1 illustrates an example of cross-domain MDAS architecture;
FIG. 2 illustrates an example environment in which example embodiments of the present disclosure can be implemented;
FIG. 3 illustrates a flowchart of an example method according to some example embodiments of the present disclosure; and
FIG. 4 illustrates a simplified block diagram of a device that is suitable for implementing example embodiments of the present disclosure.
Throughout the drawings, the same or similar reference numerals represent the same or similar element.
Principles of the present disclosure will now be described with reference to some example embodiments. It is to be understood that these example embodiments are described only for the purpose of illustration and to help those skilled in the art understand and implement the present disclosure, without suggesting any limitation as to the scope of the disclosure. The disclosure described herein can be implemented in various manners other than the ones described below.
In the following description and claims, unless defined otherwise, all technical and scientific terms used herein have the same meaning as commonly understood by one of ordinary skill in the art to which this disclosure belongs.
As used herein, the term “network function” or “NF” refers to a physical, virtual or hybrid function or entity which is deployed at a network side and provides one or more services to clients. For example, an NF may be arranged at a device in an access network or a core network. The NF may be implemented in hardware, software, firmware, or some combination thereof.
As used herein, the term “circuitry” may refer to one or more or all of the following:
(a) hardware-only circuit implementations (such as implementations in only analog and/or digital circuitry) and
(b) combinations of hardware circuits and software, such as (as applicable): (i) a combination of analog and/or digital hardware circuit(s) with software/firmware and (ii) any portions of hardware processor(s) with software (including digital signal processor(s)), software, and memory(ies) that work together to cause an apparatus, such as a mobile phone or server, to perform various functions) and
(c) hardware circuit(s) and/or processor(s), such as a microprocessor(s) or a portion of a microprocessor(s), that requires software (e.g., firmware) for operation, but the software may not be present when it is not needed for operation.
This definition of circuitry applies to all uses of this term in this application, including in any claims. As a further example, as used in this application, the term circuitry also covers an implementation of merely a hardware circuit or processor (or multiple processors) or portion of a hardware circuit or processor and its (or their) accompanying software and/or firmware. The term circuitry also covers, for example and if applicable to the particular claim element, a baseband integrated circuit or processor integrated circuit for a mobile device or a similar integrated circuit in a server, a cellular base station, or other computing or base station.
As used herein, the singular forms “a”, “an”, and “the” are intended to include the plural forms as well, unless the context clearly indicates otherwise. The term “includes” and its variants are to be read as open terms that mean “includes, but is not limited to”. The term “based on” is to be read as “based at least in part on”. The terms “one embodiment” and “an embodiment” are to be read as “at least one embodiment”. The term “another embodiment” is to be read as “at least one other embodiment”. Other definitions, explicit and implicit, may be included below.
As used herein, the terms “first”, “second” and the like may be used to describe various elements, but these elements should not be limited by these terms. These terms are only used to distinguish one element from another. For example, a first element could be referred to as a second element, and similarly, a second element could be termed a first element, without departing from the scope of example embodiments. As used herein, the term “and/or” includes any and all combinations of one or more of the listed terms.
In 3GPP Service Based Architecture (SBA), in a control plane, a Network Data Analytics Function (NWDAF) can provide security analysis related to an abnormal behavior of user equipment (UE) or a Mobile Initiated Connection Only (MICO) device. The following factors or issues may be considered in analyzing the abnormal behavior of a device such as a UE and a MICO device to detect security situations:
● Unexpected position – the device is moved where it is not supposed to be
● Unexpected communication patterns – device traffic patterns and volume are not expected
● Unexpected device wake-up
● Suspicious Distributed Denial-of-Service (DDoS) attack
● Wrong destination address
With the capability to collect different types of data, the NWDAF could provide to other NFs alerts for anomaly events together with additional information on a possible cause for the anomaly events, thus allowing for 5G service automation, or allowing for troubleshooting in general. The information about anomaly events is currently identified as a key issue. This means that such information could potentially be provided to other NFs so that the NFs could take proper actions. For example, such information could be provided to a Policy Control Function (PCF) to derive different policies.
The NWDAF can also provide support for detecting cyber-attacks. Cyber-attacks may be efficiently detected by monitoring events and data packets at the UE and on the network side with the support of the NWDAF and machine-learning algorithms, for example. The UE and NWDAF collaborate with each other to detect the attacks that may occur at a UE or in a RAN or core network. Alerts for the attack detection could be provided to Operations, Administration and Maintenance (OAM) and 5G Core (5GC) NFs that have subscribed to the alerts so that the NFs could take the corresponding actions.
However, while NWDAF based security analytics could detect some security issues in a core network, the detection is at an early stage where only a key issue and a problem statement exist, without a solution. Moreover, such security analytics has limitations in addressing more advanced threats, which may require correlated data collected from multiple domains with respect to various aspects.
Management Data Analytics Services (MDAS) is provided by a management system. MDAS concentrates on a Radio Access Network (RAN) domain and/or the fifth generation (5G) Core domain and can be provided on end-to-end (E2E) (or cross-domain) basis or on per domain basis.
FIG. 1 shows an example of cross-domain MDAS architecture 100. As shown, a cross-domain MDAS consumer can interact with corresponding MDAS producers in RAN and 5G Core domains. In addition, a CN MDAS producer 105 may interact with a Network Data Analytics Function (NWDAF) 110 via an Nnwdaf interface 115 or an MDAS interface 220 to use the analytics result of the NWDAF 110 as input. Accordingly, an MDAS producer may provide analytics data for management purposes based on the data related to different types of NFs, such as data reported from a New Radio (NR) NodeB (gNB) and other core network functions.
MDAS enables automated analysis of raw data related to network and service events in the management plane, for example, as specified in the 3rd Generation Partnership Project (3GPP) specifications such as 3GPP TS 28.552, TS 28.553 and TS 28.554. The network and service events may be related to the following aspects:
● Performance measurements
● Trace – Minimization of Driving Tests (MDT) / Radio Link Failure (RLF) / Resource Control Enforcement Function (RCEF)
● Service experience – Quality of Experience (QoE)
● Fault measurements – Alarms
MDAS may additionally consume analytics knowledge, such as processed data, and network analytics input from different domains, such as a core network (for example, from an NWDAF) and a RAN. Meanwhile, MDAS can be consumed by Management Functions or Management Service (MnS) consumers, 5G core NFs, such as an NWDAF, Self-Organizing Network (SON) functions, optimization tools and human operators.
Currently, MDAS provides services related only to service assurance, troubleshooting and network optimization, and has not addressed or covered security threat detection and analysis. For example, security risk assessment and analytics are not considered for MDAS, which instead focuses on fault management concentrating on abnormal behaviors. The fault management may be based on measurements with respect to radio conditions including Channel Quality Indicator (CQI), Radio Resource Control (RRC), Transport Block (TB) and throughput of RAN and 5G Core, as well as performance of session and mobility, such as Protocol Data Unit (PDU) session and Quality of Service (QoS) flow, and User Plane Function (UPF) and network slice failure related issues.
Moreover, there is no means for MDAS to detect security threats for physical, virtual and/or hybrid NFs within a network. In particular, it cannot be detected in the management plane whether, when and where an NF is or can potentially be vulnerable to a security attack.
A framework on Network Function Virtualization (NFV) life-cycle management is defined by considering security planning, security monitoring and security enforcement. Security monitoring deals with anomaly detection, logging, analytics, reporting and remediation, but only discusses, on a high-level, what type of requirements and processes are needed.
Example embodiments of the present disclosure provide a scheme for security risk assessment and analytics based on correlated data with respect to failure, virtualization, network function (NF) or UE context and other aspects. This scheme collects data such as performance measurements, event data, configuration data and logs from a plurality of different devices. These devices may comprise a network element (NE), a network function (NF), and/or a network function virtualization (NFV) orchestrator and may act as a management service consumer and/or a management service producer. Based on the collected data, a security risk is identified and then notification of the security risk is sent out to facilitate mitigation of the security risk.
This scheme introduces a new analytics service related to security risk assessment. With this scheme, a security risk such as advanced persistent threat (APT) can be identified based on the data collected from a plurality of devices. This scheme further introduces a specific interface to notify an identified security risk to facilitate mitigation of the security risk. For example, the notification may be sent to an NF, a management system or device or a human operator such that the corresponding actions may be taken to isolate the security risk or harden network security.
FIG. 2 shows an example environment 200 in which example embodiments of the present disclosure can be implemented.
The environment 200, which may be a part of a communication network, comprises a management device 210 to provide management services, in particular, related to security risk assessment. As an example, the management device 210 may be implemented by an MDAS producer in any suitable domain such as a RAN or a core network (for example, 5GC). Any other suitable device capable of providing management services may also function as the management device 210.
In the environment 200, the management device 210 can communicate with a plurality of devices 220-1…220-N where N represents any suitable positive integer greater than 1. For the purpose of discussion, the plurality of devices 220-1…220-N will be collectively or individually referred to as a device or devices 220.
The devices 220 may comprise any suitable device located in different domains and may enable one or more NFs and/or network services. Examples of the devices 220 may comprise an NE, an NF and/or an NFV orchestrator and may act as a management service consumer and/or producer.
The communication between the management device 210 and the plurality of devices 220 may be performed in a wired or wireless way and may utilize any suitable communication technology that is existing or to be developed in the future. The scope of the present disclosure will not be limited in this regard.
In various embodiments of the present disclosure, the management device 210 collects from the plurality of devices 220 data for security management, which may comprise performance measurements, event data, and/or logs related to network security. The data may be generated at the plurality of devices 220 or obtained by the plurality of devices 220 from other devices which generate the data. Based on the collected data, the management device 210 identifies a security risk and sends out notification of the security risk to facilitate mitigation of the security risk.
FIG. 3 shows a flowchart of an example method 300 according to some example embodiments of the present disclosure. The method 300 can be implemented at the management device 210 (such as an MDAS producer) as shown in FIG. 2 or any other suitable device capable of providing security management services. For the purpose of discussion, the method 300 will be described with reference to FIG. 2.
At block 305, data for security management is collected from the plurality of devices 220. The collected data may comprise any suitable data related to network security. For example, the collected data may comprise various performance measurements that may be collected at individual NFs or NEs, NF orchestrators or a management system in terms of failures and disruptions, virtualized resources and/or behavior, NF or UE context information, and the like.
In some example embodiments, some performance measurements may be dedicated to security management. For example, the collected performance measurements may be related to NF relocation, NF performance with respect to specific key performance indicators (KPIs) such as latency, and other NF communication behaviors (for example, how one NF interacts with another NF).
Such performance measurements may comprise delay (especially excessive delay) in accessing an NF such as an Access and Mobility Function (AMF) or Session Management Function (SMF). Alternatively or in addition, these performance measurements may comprise communication between NFs, especially abnormal and excessive NF communication. For example, if an AMF uses a different SMF without performing the expected selection process, abnormal NF communication may be indicated. If an AMF overloads an SMF unexpectedly, excessive NF communication is indicated. Alternatively or in addition, the dedicated performance measurements may comprise timing, duration, success rate and/or frequency (or rate) of relocation of an NF and/or a location of an NF with respect to a data network.
In some example embodiments, the collected data may comprise event data, including, for example, fault measurements or other event measurements. As an example, the fault measurements may comprise alarm data which comprises any suitable alarm information such as types of alarms. Alternatively or in addition, the collected data may comprise configuration data, logs, service data, network topology and the like.
Examples of the collected data as input for security management are shown below.
Based on the collected data, a security risk is identified at block 310. The security risk may comprise any risk related to network security. In some example embodiments, the security risk may be related to abnormal resource usage associated with a network object. The network object may be any suitable object such as a device, a function or a service in a network, which may comprise an NF, a PDU session, a QoS flow or the like. The network object may be enabled by one or more of the plurality of devices 220 or by other devices.
In some example embodiments, the security management may correlate UE procedures or other events with resource usage with respect to a Central Processing Unit (CPU), storage, disk, virtual resources and the like. For example, the expected CPU, storage or disk resource usage should reflect the relevant UE and event processes. In the case that an NF maintains a predetermined number of UEs, Protocol Data Unit (PDU) sessions, Quality of Service (QoS) flows or other UE related context, maintaining them would require a fixed or expected amount of virtual resources and storage that should not surpass certain limits. If the amount of consumed resources exceeds a certain limit, there could be a security risk, especially if no other fault alarms indicate reasons other than a security risk.
As another example, process registration and PDU session establishment would require a fixed or expected amount of CPU resources that should not surpass certain limits. If the amount of consumed CPU resources surpasses a certain limit, a security risk may be identified.
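The correlation just described, an expected resource budget derived from the UE context an NF holds and compared against what it actually consumes, with an exception for usage that existing fault alarms already explain, as an added example in Python (it is not code from the disclosure). The per-UE and per-PDU-session costs, the tolerance, the alarm types and the NF context values are all constructed for illustration:

```python
from __future__ import annotations
from dataclasses import dataclass

# Constructed per-context resource costs (assumptions, not figures from the disclosure).
# CPU in millicores, storage in MiB.
BASELINE_CPU_MILLICORES = 200.0
BASELINE_STORAGE_MIB = 512.0
CPU_MILLICORES_PER_UE = 2.0
CPU_MILLICORES_PER_PDU_SESSION = 5.0
STORAGE_MIB_PER_UE = 0.5
STORAGE_MIB_PER_PDU_SESSION = 1.0
TOLERANCE = 1.25  # observed usage may exceed the expected value by 25% before it is flagged

# Alarm types that give a non-security explanation for excess usage (constructed list).
EXPLAINING_ALARMS = {"hardware_fault", "known_memory_leak", "maintenance_window"}


@dataclass
class NfContext:
    """Context an NF maintains plus its observed resource usage (constructed shape)."""
    nf_id: str
    num_ues: int
    num_pdu_sessions: int
    cpu_millicores: float        # observed CPU usage
    storage_mib: float           # observed storage usage
    active_alarms: tuple = ()    # alarm types currently raised on this NF


def expected_usage(ctx: NfContext) -> tuple[float, float]:
    """Expected (cpu, storage) for the UE and PDU-session context the NF maintains."""
    cpu = (BASELINE_CPU_MILLICORES
           + ctx.num_ues * CPU_MILLICORES_PER_UE
           + ctx.num_pdu_sessions * CPU_MILLICORES_PER_PDU_SESSION)
    storage = (BASELINE_STORAGE_MIB
               + ctx.num_ues * STORAGE_MIB_PER_UE
               + ctx.num_pdu_sessions * STORAGE_MIB_PER_PDU_SESSION)
    return cpu, storage


def assess_resource_usage(ctx: NfContext) -> dict:
    """Flag abnormal resource usage as a security risk unless a fault alarm explains it."""
    exp_cpu, exp_storage = expected_usage(ctx)
    cpu_excess = ctx.cpu_millicores > exp_cpu * TOLERANCE
    storage_excess = ctx.storage_mib > exp_storage * TOLERANCE
    explained = any(alarm in EXPLAINING_ALARMS for alarm in ctx.active_alarms)
    return {
        "nf_id": ctx.nf_id,
        "expected_cpu": exp_cpu,
        "expected_storage": exp_storage,
        "cpu_excess": cpu_excess,
        "storage_excess": storage_excess,
        "explained_by_alarm": explained,
        "security_risk": (cpu_excess or storage_excess) and not explained,
    }
```

The linear cost model is the simplest thing that captures the idea; in practice the per-context costs would be fitted from historical measurements of the same NF type, and the alarm correlation is what keeps a hardware fault from being reported as an attack.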
Alternatively or in addition, the security risk may be related to abnormal performance associated with a network object. For example, an amount of control plane signaling, such as registration, modification and update signaling, should not surpass a certain threshold. Moreover, latency in a user plane should not exceed threshold latency. If the corresponding threshold is exceeded, there could be a security risk.
The security risk may also be related to abnormal behavior associated with a network object. For example, a malicious NF that cannot perform desired tasks may cause service disruption. As another example, an NF communicates with another NF although such communication should not take place. A further example is that communication between NFs that should be allowed is not allowed. If such events occur, a security risk may be identified.
In some example embodiments, the security risk may be identified upon occurrence of one or more associated triggering events. For example, if an associated triggering event occurs, the identifying of the security risk will be triggered. The triggering event may comprise any suitable events that may trigger or induce a security risk.
In some example embodiments, the triggering event may be that an amount of computing resources consumed by a network object is greater than a threshold amount of resources. For example, if an increase of CPU and/or storage load is unexpected or sudden, that is, the increase cannot be justified by current or expected load, a suspicious Distributed Denial-of-Service (DDoS) attack may be predicted.
Unexpected increase in latency associated with a network object may also be considered as a triggering event. For example, latency larger than threshold latency may indicate a suspicious DDoS attack. Alternatively or in addition, an excessive amount (for example, greater than a threshold amount) of control plane signaling associated with a network object may be considered as a triggering event. Unexpected lack of accessibility of an NF from other NFs and/or UEs may also be considered as a triggering event.
Some triggering events may be related to NF relocation. Such triggering events may include an unexpected NF location (virtual or geographical), unexpected excessive delay in relocating an NF, and other relocation related events. For example, if an NF is relocated to a disallowed location, for example, outside the potential locations allowed by a mobile network operator or a third party, the identifying of the security risk may be triggered. If the delay in relocating an NF is larger than threshold delay, the identifying of the security risk may also be triggered.
The triggering events may provide a guide for a security risk assessment. For example, upon the triggering event, a security risk assessment may be performed to identify abnormal behavior based on the collected data. In some example embodiments, the data collection may also need to be triggered by the triggering events. For example, after it is determined that a triggering event occurs, data for security management is collected from various NFs or NEs to identify an anomalous network object.
After the security risk is identified, at block 315, notification of the security risk is sent out to facilitate mitigation of the security risk. The notification may be sent to any suitable reception party, including, for example, an NF and/or NE, a management device or system, a management service consumer or a human operator.
In some example embodiments, one or more attributes of the security risk are identified and then notification thereof is sent out. A specific interface for the attributes of the security risk may further facilitate the mitigation of the security risk. The attributes of the security risk may comprise any suitable information related to the identified security risk.
In some example embodiments, the attributes of the security risk may comprise a type of the security risk that may be indicated by an identifier. For example, the type of the security risk may comprise a DDoS attack for a network object such as a gNB or an NF in the user or control plane. The type of the security risk may also be a software-based event internal to an NF with a malicious behavior. For example, an NF communicates abnormally with other NFs or external entities, which creates overload or information leakage.
Alternatively or in addition, the security risk may be a malicious event that triggers relocation of an NF. For example, a frequent abnormal NF relocation is triggered and further disrupts a service. The security risk may also be modification of a target location for relocation of an NF. For example, in a relocation process, an NF is relocated towards a different location than a desired location or even outside the operator premises. As another example, the security risk may be eavesdropping by an intermediate node for a network object, which, for example, causes excessive delay or even service disruption.
In addition to or rather than the type of the security risk, the attributes of the security risk may comprise a location and/or a network object affected by the security risk, a root cause, and/or a severity level. The attributes may also comprise the start time, stop time and/or duration of the security risk, that is, when the security risk starts and stops and how long it lasts.
In some example embodiments, a recommendation action to mitigate the security risk may be notified to further facilitate a mitigation plan. The action may comprise isolating the security risk, including, for example, isolating or terminating an NF, terminating or deleting a PDU session, throttling signaling from an NF or a UE and/or blocking a UE. The action may also comprise hardening network security, including, for example, hardening security on a specific NF, firewall update, scaling resources, load balancing and/or admission control.
Other related information may also be indicated or contained in the notification. For example, a type of analytics such as statistics or prediction of security risks may be indicated in the notification. Examples of analytics results for security management are shown below.
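As an added illustration, not code from the patent or its applicant, the following Python sketches the procedure described in the paragraphs above and restated in the example embodiments and claims below: collected measurements are checked against the triggering events the disclosure enumerates (resource consumption, control plane signaling, latency, relocation to a disallowed location, relocation delay, loss of accessibility), and when one occurs a notification is built carrying the listed attributes (type, affected network object, start time, stop time, duration, severity) together with a recommendation action. The threshold values, the measurement field names, the set of allowed locations and the mapping from triggering events to risk types, severities and actions are assumptions chosen for the example; the sample measurements are constructed.

```python
# Added example for the disclosure above; not code from the patent or its applicant.
# THRESHOLDS, field names, ALLOWED_LOCATIONS and RISK_PROFILE are assumptions.
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List, Optional, Tuple

# Assumed operator thresholds for the triggering events the disclosure lists.
THRESHOLDS = {
    "cpu_pct": 90.0,             # computing resources consumed by a network object
    "cp_signaling_per_s": 5000,  # control plane signaling associated with the object
    "latency_ms": 200.0,         # latency associated with the object
    "relocation_delay_s": 30.0,  # delay in relocating a network function
}
ALLOWED_LOCATIONS = {"dc-east", "dc-west"}  # constructed set of permitted NF locations


@dataclass
class Measurement:
    """One collected sample for a network object (constructed field names)."""
    object_id: str
    timestamp: datetime
    cpu_pct: float = 0.0
    cp_signaling_per_s: int = 0
    latency_ms: float = 0.0
    reachable: bool = True
    relocation_target: Optional[str] = None
    relocation_delay_s: float = 0.0


@dataclass
class SecurityRiskNotification:
    """Attributes the disclosure names for the notification interface."""
    risk_type: str
    affected_object: str
    triggering_events: List[str]
    start_time: datetime
    stop_time: datetime
    severity: str
    recommended_action: str

    @property
    def duration(self) -> timedelta:
        return self.stop_time - self.start_time


def triggering_events(m: Measurement) -> List[str]:
    """Names of the triggering events present in a single measurement."""
    events = []
    if m.cpu_pct > THRESHOLDS["cpu_pct"]:
        events.append("resource_overuse")
    if m.cp_signaling_per_s > THRESHOLDS["cp_signaling_per_s"]:
        events.append("cp_signaling_overload")
    if m.latency_ms > THRESHOLDS["latency_ms"]:
        events.append("excess_latency")
    if m.relocation_target is not None and m.relocation_target not in ALLOWED_LOCATIONS:
        events.append("disallowed_relocation")
    if m.relocation_delay_s > THRESHOLDS["relocation_delay_s"]:
        events.append("relocation_delay")
    if not m.reachable:
        events.append("nf_inaccessible")
    return events


# Assumed mapping from the dominant triggering event to (risk type, severity,
# recommended action), using the risk types and actions the disclosure lists.
RISK_PROFILE: Dict[str, Tuple[str, str, str]] = {
    "cp_signaling_overload": ("ddos_attack", "critical", "throttle signaling from the source"),
    "resource_overuse": ("ddos_attack", "high", "scale resources and apply admission control"),
    "disallowed_relocation": ("relocation_target_modified", "critical", "isolate the network function"),
    "relocation_delay": ("malicious_relocation", "medium", "harden security on the network function"),
    "excess_latency": ("intermediate_node_eavesdropping", "medium", "update firewall rules"),
    "nf_inaccessible": ("internal_malicious_event", "high", "isolate the network function"),
}


def identify_security_risk(samples: List[Measurement]) -> Optional[SecurityRiskNotification]:
    """Gate the assessment on triggering events, then build the notification.

    With no triggering event in any sample nothing is assessed and None is returned.
    """
    flagged = [(m, ev) for m in samples if (ev := triggering_events(m))]
    if not flagged:
        return None
    if len({m.object_id for m, _ in flagged}) != 1:
        raise ValueError("samples must belong to a single network object")
    counts: Dict[str, int] = {}
    for _, events in flagged:
        for e in events:
            counts[e] = counts.get(e, 0) + 1
    dominant = max(counts, key=counts.get)  # most frequent event; first seen wins ties
    risk_type, severity, action = RISK_PROFILE[dominant]
    times = [m.timestamp for m, _ in flagged]
    return SecurityRiskNotification(risk_type, flagged[0][0].object_id, sorted(counts),
                                    min(times), max(times), severity, action)


def notification_payload(n: SecurityRiskNotification) -> dict:
    """Flatten the notification into the attribute set a consumer would receive."""
    return {"type": n.risk_type, "affectedObject": n.affected_object,
            "triggeringEvents": n.triggering_events, "startTime": n.start_time.isoformat(),
            "stopTime": n.stop_time.isoformat(), "durationSeconds": n.duration.total_seconds(),
            "severity": n.severity, "recommendedAction": n.recommended_action}


def demo_samples() -> List[Measurement]:
    """Constructed samples: a control plane signaling surge on one NF (not real data)."""
    t0 = datetime(2020, 8, 7, 10, 0, 0)
    return [Measurement("amf-01", t0, cpu_pct=40, cp_signaling_per_s=800, latency_ms=20),
            Measurement("amf-01", t0 + timedelta(seconds=30), cpu_pct=85, cp_signaling_per_s=9000, latency_ms=150),
            Measurement("amf-01", t0 + timedelta(seconds=60), cpu_pct=97, cp_signaling_per_s=12000, latency_ms=260),
            Measurement("amf-01", t0 + timedelta(seconds=90), cpu_pct=93, cp_signaling_per_s=11000, latency_ms=240)]


if __name__ == "__main__":
    import json
    print(json.dumps(notification_payload(identify_security_risk(demo_samples())), indent=2))
```

The gate is the point: a sample set with no triggering event produces no assessment and no notification, which is the behaviour the disclosure describes for event-triggered collection, while the start and stop times of the notification are taken from the first and last samples that tripped a threshold rather than from the whole collection window.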
FIG. 4 is a simplified block diagram of a device 400 that is suitable for implementing example embodiments of the present disclosure. The device 400 can be implemented at or as a part of the management device 210 such as a MDAS producer or any other device capable of providing the security management.
As shown, the device 400 includes a processor 410, a memory 420 coupled to the processor 410, a communication module 430 coupled to the processor 410, and a communication interface (not shown) coupled to the communication module 430. The memory 420 stores at least a program 440. The communication module 430 is for bidirectional communications, for example, via multiple antennas or via a cable. The communication interface may represent any interface that is necessary for communication.
The program 440 is assumed to include program instructions that, when executed by the associated processor 410, enable the device 400 to operate in accordance with the example embodiments of the present disclosure, as discussed herein with reference to FIGS. 2 and 3. The example embodiments herein may be implemented by computer software executable by the processor 410 of the device 400, or by hardware, or by a combination of software and hardware. The processor 410 may be configured to implement various example embodiments of the present disclosure.
The memory 420 may be of any type suitable to the local technical network and may be implemented using any suitable data storage technology, such as a non-transitory computer readable storage medium, semiconductor based memory devices, magnetic memory devices and systems, optical memory devices and systems, fixed memory and removable memory, as non-limiting examples. While only one memory 420 is shown in the device 400, there may be several physically distinct memory modules in the device 400. The processor 410 may be of any type suitable to the local technical network, and may include one or more of general purpose computers, special purpose computers, microprocessors, digital signal processors (DSPs) and processors based on multicore processor architecture, as non-limiting examples. The device 400 may have multiple processors, such as an application specific integrated circuit chip that is slaved in time to a clock which synchronizes the main processor.
When the device 400 acts as the management device 210, the processor 410 may implement the operations or acts of the analysis device as described above with reference to FIGS. 2 and 3. All operations and features as described above with reference to FIGS. 2 and 3 are likewise applicable to the device 400 and have similar effects. For the purpose of simplification, the details will be omitted.
Generally, various example embodiments of the present disclosure may be implemented in hardware or special purpose circuits, software, logic or any combination thereof. Some aspects may be implemented in hardware, while other aspects may be implemented in firmware or software which may be executed by a controller, microprocessor or other computing device. While various aspects of example embodiments of the present disclosure are illustrated and described as block diagrams, flowcharts, or using some other pictorial representations, it is to be understood that the block, apparatus, system, technique or method described herein may be implemented in, as non-limiting examples, hardware, software, firmware, special purpose circuits or logic, general purpose hardware or controller or other computing devices, or some combination thereof.
The present disclosure also provides at least one computer program product tangibly stored on a non-transitory computer readable storage medium. The computer program product includes computer-executable instructions, such as those included in program modules, being executed in a device on a target real or virtual processor, to carry out the operations and acts as described above with reference to FIGS. 2 and 3. Generally, program modules include routines, programs, libraries, objects, classes, components, data structures, or the like that perform particular tasks or implement particular abstract data types. The functionality of the program modules may be combined or split between program modules as desired in various example embodiments. Machine-executable instructions for program modules may be executed within a local or distributed device. In a distributed device, program modules may be located in both local and remote storage media.
Program code for carrying out methods of the present disclosure may be written in any combination of one or more programming languages. These program codes may be provided to a processor or controller of a general purpose computer, special purpose computer, or other programmable data processing apparatus, such that the program codes, when executed by the processor or controller, cause the functions/operations specified in the flowcharts and/or block diagrams to be implemented. The program code may execute entirely on a machine, partly on the machine, as a stand-alone software package, partly on the machine and partly on a remote machine or entirely on the remote machine or server.
In the context of the present disclosure, the computer program codes or related data may be carried by any suitable carrier to enable the device, apparatus or processor to perform various processes and operations as described above. Examples of the carrier include a signal and computer readable media.
The computer readable medium may be a computer readable signal medium or a computer readable storage medium. A computer readable medium may include, but is not limited to, an electronic, magnetic, optical, electromagnetic, infrared, or semiconductor system, apparatus, or device, or any suitable combination of the foregoing. More specific examples of the computer readable storage medium would include an electrical connection having one or more wires, a portable computer diskette, a hard disk, a random access memory (RAM), a read-only memory (ROM), an erasable programmable read-only memory (EPROM or Flash memory), an optical fiber, a portable compact disc read-only memory (CD-ROM), a Digital Versatile Disc (DVD), an optical storage device, a magnetic storage device, or any suitable combination of the foregoing.
Further, while operations are depicted in a particular order, this should not be understood as requiring that such operations be performed in the particular order shown or in sequential order, or that all illustrated operations be performed, to achieve desirable results. In certain circumstances, multitasking and parallel processing may be advantageous. Likewise, while several specific implementation details are contained in the above discussions, these should not be construed as limitations on the scope of the present disclosure, but rather as descriptions of features that may be specific to particular example embodiments. Certain features that are described in the context of separate example embodiments may also be implemented in combination in a single embodiment. Conversely, various features that are described in the context of a single embodiment may also be implemented in multiple example embodiments separately or in any suitable sub-combination.
Although the present disclosure has been described in languages specific to structural features and/or methodological acts, it is to be understood that the present disclosure defined in the appended claims is not necessarily limited to the specific features or acts described above. Rather, the specific features and acts described above are disclosed as example forms of implementing the claims.
Various example embodiments of the techniques have been described. In addition to or as an alternative to the above, the following examples are described. The features described in any of the following examples may be utilized with any of the other examples described herein.
In some aspects, a device comprises: at least one processor; and at least one memory including computer program code; the at least one memory and the computer program code configured to, with the at least one processor, cause the device to: collect, from a plurality of devices, data for security management; identify a security risk based on the collected data; and send notification of the security risk to facilitate mitigation of the security risk.
In some example embodiments, the device is caused to identify the security risk by: determining occurrence of at least one triggering event associated with the security risk; and in accordance with determining the occurrence of the at least one triggering event, identifying the security risk based on the collected data.
In some example embodiments, the at least one triggering event comprises at least one of: an amount of computing resources consumed by a network object being greater than a threshold amount of resources; an amount of control plane signaling associated with a network object being greater than a threshold amount of control plane signaling; latency associated with a network object being larger than threshold latency; a network function being re-located to a disallowed location; delay in relocating a network function being larger than threshold delay; or lack of accessibility of a network function.
In some example embodiments, the security risk is related to at least one of: abnormal resource usage associated with a network object; abnormal performance associated with a network object; or abnormal behavior associated with a network object.
In some example embodiments, the collected data comprises at least one of performance measurements, event data, configuration data or logs for security analytics.
In some example embodiments, the performance measurements comprise at least one of: delay in accessing a network function; communication between network functions; at least one of timing, duration, success rate or frequency of relocation of a network function; or a location of a network function with respect to a data network.
In some example embodiments, the device is further caused to: identify one or more attributes of the security risk; and send notification of the one or more attributes of the network security risk to facilitate the mitigation of the network security risk.
In some example embodiments, the one or more attributes of the security risk comprise at least one of: a type of the security risk; at least one of a location or a network object, affected by the security risk; at least one of start time, stop time or duration of the security risk; root cause of the security risk; or a severity level of the security risk.
In some example embodiments, the type of the security risk comprises at least one of: a distributed denial-of-service attack for a network object; a software-based event internal to a network function with a malicious behavior; a malicious event to trigger relocation of a network function; modification of a target location for relocation of a network function; eavesdropping by an intermediate node for a network object.
In some example embodiments, the device is further caused to: send notification of a recommendation action to mitigate the security risk.
In some example embodiments, the device comprises a Management Data Analytics Services producer.
In some aspects, a method comprises: collecting, from a plurality of devices, data for security management; identifying a security risk based on the collected data; and sending notification of the security risk to facilitate mitigation of the security risk.
In some example embodiments, identifying the security risk comprises: determining occurrence of at least one triggering event associated with the security risk; and in accordance with determining the occurrence of the at least one triggering event, identifying the security risk based on the collected data.
In some example embodiments, the at least one triggering event comprises at least one of: an amount of computing resources consumed by a network object being greater than a threshold amount of resources; an amount of control plane signaling associated with a network object being greater than a threshold amount of control plane signaling; latency associated with a network object being larger than threshold latency; a network function being re-located to a disallowed location; delay in relocating a network function being larger than threshold delay; or lack of accessibility of a network function.
In some example embodiments, the security risk is related to at least one of: abnormal resource usage associated with a network object; abnormal performance associated with a network object; or abnormal behavior associated with a network object.
In some example embodiments, the collected data comprises at least one of performance measurements, event data, configuration data or logs for security analytics.
In some example embodiments, the performance measurements comprise at least one of: delay in accessing a network function; communication between network functions; at least one of timing, duration, success rate or frequency of relocation of a network function; or a location of a network function with respect to a data network.
In some example embodiments, the method further comprises: identifying one or more attributes of the security risk; and sending notification of the one or more attributes of the network security risk to facilitate the mitigation of the network security risk.
In some example embodiments, the one or more attributes of the security risk comprise at least one of: a type of the security risk; at least one of a location or a network object, affected by the security risk; at least one of start time, stop time or duration of the security risk; root cause of the security risk; or a severity level of the security risk.
In some example embodiments, the type of the security risk comprises at least one of: a distributed denial-of-service attack for a network object; a software-based event internal to a network function with a malicious behavior; a malicious event to trigger relocation of a network function; modification of a target location for relocation of a network function; eavesdropping by an intermediate node for a network object.
In some example embodiments, the method further comprises: sending notification of a recommendation action to mitigate the security risk.
In some example embodiments, the method is implemented at a Management Data Analytics Services producer.
In some aspects, an apparatus comprises: means for collecting, from a plurality of devices, data for security management; means for identifying a security risk based on the collected data; and means for sending notification of the security risk to facilitate mitigation of the security risk.
In some example embodiments, the means for identifying the security risk comprises: means for determining occurrence of at least one triggering event associated with the security risk; and means for in accordance with determining the occurrence of the at least one triggering event, identifying the security risk based on the collected data.
In some example embodiments, the at least one triggering event comprises at least one of: an amount of computing resources consumed by a network object being greater than a threshold amount of resources; an amount of control plane signaling associated with a network object being greater than a threshold amount of control plane signaling; latency associated with a network object being larger than threshold latency; a network function being re-located to a disallowed location; delay in relocating a network function being larger than threshold delay; or lack of accessibility of a network function.
In some example embodiments, the security risk is related to at least one of: abnormal resource usage associated with a network object; abnormal performance associated with a network object; or abnormal behavior associated with a network object.
In some example embodiments, the collected data comprises at least one of performance measurements, event data, configuration data or logs for security analytics.
In some example embodiments, the performance measurements comprise at least one of: delay in accessing a network function; communication between network functions; at least one of timing, duration, success rate or frequency of relocation of a network function; or a location of a network function with respect to a data network.
In some example embodiments, the apparatus further comprises: means for identifying one or more attributes of the security risk; and means for sending notification of the one or more attributes of the network security risk to facilitate the mitigation of the network security risk.
In some example embodiments, the one or more attributes of the security risk comprise at least one of: a type of the security risk; at least one of a location or a network object, affected by the security risk; at least one of start time, stop time or duration of the security risk; root cause of the security risk; or a severity level of the security risk.
In some example embodiments, the type of the security risk comprises at least one of: a distributed denial-of-service attack for a network object; a software-based event internal to a network function with a malicious behavior; a malicious event to trigger relocation of a network function; modification of a target location for relocation of a network function; eavesdropping by an intermediate node for a network object.
In some example embodiments, the apparatus further comprises: means for sending notification of a recommendation action to mitigate the security risk.
In some example embodiments, the apparatus is implemented at a Management Data Analytics Services producer.
In some aspects, a computer readable storage medium comprises program instructions stored thereon, the instructions, when executed by a processor of a device, causing the device to perform the method according to some example embodiments of the present disclosure.
Claims (24)
- A device, comprising: at least one processor; and at least one memory including computer program code; the at least one memory and the computer program code configured to, with the at least one processor, cause the device to: collect, from a plurality of devices, data for security management; identify a security risk based on the collected data; and send notification of the security risk to facilitate mitigation of the security risk.
- The device of claim 1, wherein the device is caused to identify the security risk by: determining occurrence of at least one triggering event associated with the security risk; and in accordance with determining the occurrence of the at least one triggering event, identifying the security risk based on the collected data.
- The device of claim 2, wherein the at least one triggering event comprises at least one of: an amount of computing resources consumed by a network object being greater than a threshold amount of resources; an amount of control plane signaling associated with a network object being greater than a threshold amount of control plane signaling; latency associated with a network object being larger than threshold latency; a network function being re-located to a disallowed location; delay in relocating a network function being larger than threshold delay; or lack of accessibility of a network function.
- The device of any of claims 1-3, wherein the security risk is related to at least one of: abnormal resource usage associated with a network object; abnormal performance associated with a network object; or abnormal behavior associated with a network object.
- The device of claim 1, wherein the collected data comprises at least one of performance measurements, event data, configuration data or logs for security analytics.
- The device of claim 5, wherein the performance measurements comprise at least one of: delay in accessing a network function; communication between network functions; at least one of timing, duration, success rate or frequency of relocation of a network function; or a location of a network function with respect to a data network.
- The device of claim 1, wherein the device is further caused to: identify one or more attributes of the security risk; and send notification of the one or more attributes of the network security risk to facilitate the mitigation of the network security risk.
- The device of claim 7, wherein the one or more attributes of the security risk comprise at least one of: a type of the security risk; at least one of a location or a network object, affected by the security risk; at least one of start time, stop time or duration of the security risk; root cause of the security risk; or a severity level of the security risk.
- The device of claim 8, wherein the type of the security risk comprises at least one of: a distributed denial-of-service attack for a network object; a software-based event internal to a network function with a malicious behavior; a malicious event to trigger relocation of a network function; modification of a target location for relocation of a network function; eavesdropping by an intermediate node for a network object.
- The device of claim 1, wherein the device is further caused to: send notification of a recommendation action to mitigate the security risk.
- The device of claim 1, wherein the device comprises a Management Data Analytics Services producer.
- A method, comprising: collecting, from a plurality of devices, data for security management; identifying a security risk based on the collected data; and sending notification of the security risk to facilitate mitigation of the security risk.
- The method of claim 12, wherein identifying the security risk comprises: determining occurrence of at least one triggering event associated with the security risk; and in accordance with determining the occurrence of the at least one triggering event, identifying the security risk based on the collected data.
- The method of claim 13, wherein the at least one triggering event comprises at least one of: an amount of computing resources consumed by a network object being greater than a threshold amount of resources; an amount of control plane signaling associated with a network object being greater than a threshold amount of control plane signaling; latency associated with a network object being larger than threshold latency; a network function being re-located to a disallowed location; delay in relocating a network function being larger than threshold delay; or lack of accessibility of a network function.
- The method of any of claims 12-14, wherein the security risk is related to at least one of: abnormal resource usage associated with a network object; abnormal performance associated with a network object; or abnormal behavior associated with a network object.
- The method of claim 13, wherein the collected data comprises at least one of performance measurements, event data, configuration data or logs for security analytics.
- The method of claim 16, wherein the performance measurements comprise at least one of: delay in accessing a network function; communication between network functions; at least one of timing, duration, success rate or frequency of relocation of a network function; or a location of a network function with respect to a data network.
- The method of claim 12, further comprising: identifying one or more attributes of the security risk; and sending notification of the one or more attributes of the network security risk to facilitate the mitigation of the network security risk.
- The method of claim 18, wherein the one or more attributes of the security risk comprise at least one of: a type of the security risk; at least one of a location or a network object, affected by the security risk; at least one of start time, stop time or duration of the security risk; root cause of the security risk; or a severity level of the security risk.
- The method of claim 19, wherein the type of the security risk comprises at least one of: a distributed denial-of-service attack for a network object; a software-based event internal to a network function with a malicious behavior; a malicious event to trigger relocation of a network function; modification of a target location for relocation of a network function; eavesdropping by an intermediate node for a network object.
- The method of claim 12, further comprising: sending notification of a recommendation action to mitigate the security risk.
- The method of claim 12, wherein the method is implemented at a Management Data Analytics Services producer.
- An apparatus comprising: means for collecting, from a plurality of devices, data for security management; means for identifying a security risk based on the collected data; and means for sending notification of the security risk to facilitate mitigation of the security risk.
- A computer readable storage medium comprising program instructions stored thereon, the instructions, when executed by a processor of a device, causing the device to perform the method of any of claims 12-22.
Priority Applications (2)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
PCT/CN2020/107763 WO2022027572A1 (en) | 2020-08-07 | 2020-08-07 | Security management service in management plane |
CN202080105176.7A CN116114220A (en) | 2020-08-07 | 2020-08-07 | Security management services in management plane |
Applications Claiming Priority (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
PCT/CN2020/107763 WO2022027572A1 (en) | 2020-08-07 | 2020-08-07 | Security management service in management plane |
Publications (1)
Publication Number | Publication Date |
---|---|
WO2022027572A1 true WO2022027572A1 (en) | 2022-02-10 |
Family
ID=80118587
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
PCT/CN2020/107763 WO2022027572A1 (en) | 2020-08-07 | 2020-08-07 | Security management service in management plane |
Country Status (2)
Country | Link |
---|---|
CN (1) | CN116114220A (en) |
WO (1) | WO2022027572A1 (en) |
Cited By (1)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
WO2024046423A1 (en) * | 2022-09-01 | 2024-03-07 | 华为技术有限公司 | Data analysis method and apparatus |
Citations (5)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US20160259937A1 (en) * | 2015-03-02 | 2016-09-08 | Dell Products L.P. | Device reporting and protection systems and methods using a secure distributed transactional ledger |
CN107277039A (en) * | 2017-07-18 | 2017-10-20 | 河北省科学院应用数学研究所 | A kind of network attack data analysis and intelligent processing method |
US20170346846A1 (en) * | 2016-05-31 | 2017-11-30 | Valarie Ann Findlay | Security threat information gathering and incident reporting systems and methods |
US20180255076A1 (en) * | 2017-03-02 | 2018-09-06 | ResponSight Pty Ltd | System and Method for Cyber Security Threat Detection |
US20200228563A1 (en) * | 2014-12-13 | 2020-07-16 | SecurityScorecard, Inc. | Online portal for improving cybersecurity risk scores |
Family Cites Families (5)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN101605065A (en) * | 2009-04-22 | 2009-12-16 | 网经科技(苏州)有限公司 | The implementation method of security incident monitoring in the system of security centre |
CN203204423U (en) * | 2013-04-22 | 2013-09-18 | 湖南智卓创新金融电子有限公司 | Comprehensive service system for network data analysis |
CN109698760B (en) * | 2017-10-23 | 2021-05-04 | 华为技术有限公司 | Traffic processing method, user plane device and terminal equipment |
CN110351229B (en) * | 2018-04-04 | 2020-12-08 | 电信科学技术研究院有限公司 | Terminal UE (user equipment) management and control method and device |
CN110769455B (en) * | 2018-07-26 | 2022-05-31 | 华为技术有限公司 | Data collection method, equipment and system |
2020
- 2020-08-07 CN CN202080105176.7A patent/CN116114220A/en active Pending
- 2020-08-07 WO PCT/CN2020/107763 patent/WO2022027572A1/en active Application Filing
Also Published As
Publication number | Publication date |
---|---|
CN116114220A (en) | 2023-05-12 |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
| NENP | Non-entry into the national phase | Ref country code: DE |
| 122 | Ep: pct application non-entry in european phase | Ref document number: 20948018; Country of ref document: EP; Kind code of ref document: A1 |