WO2022167105A1 - First node, second node, communications system and methods performed, thereby for handling security in a communications system - Google Patents


Info

Publication number: WO2022167105A1
Authority: WO, WIPO (PCT)
Prior art keywords: node, session, message, information, communications system
Application number: PCT/EP2021/060946
Other languages: French (fr)
Inventor: Miguel Angel MUÑOZ DE LA TORRE ALONSO
Original Assignee: Telefonaktiebolaget Lm Ericsson (Publ)
Application filed by Telefonaktiebolaget Lm Ericsson (Publ)
Priority to EP21720779.4A (EP4289089A1)
Priority to CN202180096621.2A (CN117136526A)
Publication of WO2022167105A1

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04W WIRELESS COMMUNICATION NETWORKS
    • H04W 12/00 Security arrangements; Authentication; Protecting privacy or anonymity
    • H04W 12/12 Detection or prevention of fraud
    • H04W 12/121 Wireless intrusion detection systems [WIDS]; Wireless intrusion prevention systems [WIPS]
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 63/00 Network architectures or network communication protocols for network security
    • H04L 63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L 63/1408 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
    • H04L 63/1416 Event detection, e.g. attack signature detection
    • H04L 63/1441 Countermeasures against malicious traffic
    • H04L 63/1458 Denial of Service
    • H04L 2463/00 Additional details relating to network architectures or network communication protocols for network security covered by H04L63/00
    • H04L 2463/121 Timestamp

Definitions

  • the present disclosure relates generally to a first node and methods performed thereby for handling security in a communications system.
  • the present disclosure also relates generally to a second node, and methods performed thereby for security in the communications system.
  • the present disclosure further relates generally to a communications system and methods performed thereby for handling security in the communications system.
  • the present disclosure also relates generally to computer programs and computer-readable storage mediums, having stored thereon the computer programs to carry out these methods.
  • Computer systems in a communications network may comprise one or more network nodes.
  • a node may comprise one or more processors which, together with computer program code may perform different functions and actions, a memory, a receiving port and a sending port.
  • a node may be, for example, a server. Nodes may perform their functions entirely on the cloud.
  • the standardization organization 3GPP is currently in the process of specifying a New Radio Interface called NR or 5G-UTRA, as well as a Fifth Generation (5G) Packet Core Network, which may be referred to as 5G Core Network, abbreviated as 5GC.
  • a 3GPP system comprising a 5G Access Network (AN), a 5G Core Network and a UE may be referred to as a 5G system.
  • FIG. 1 is a schematic diagram depicting a particular example of a 5G architecture of policy and charging control framework, which may be used as a reference for the present disclosure.
  • a Network Data Analytics Function (NWDAF) 1 may be understood to represent an operator managed network analytics logical function.
  • the NWDAF 1 may be understood to be part of the 5GC architecture and may use the mechanisms and interfaces specified for 5GC and Operations, Administration and Maintenance (OAM).
  • the NWDAF 1 may interact with different entities for different purposes, such as: a) data collection based on event subscription, provided by an Access and Mobility Function (AMF) 2, a Session Management Function (SMF) 3, a Policy Control Function (PCF) 4, a Unified Data Management (UDM), an Application Function (AF) 5, directly or via Network Exposure Function (NEF) 6, and an OAM; b) retrieval of information from data repositories, e.g., a Unified Data Repository (UDR) 7 via the UDM for subscriber-related information; c) retrieval of information about Network Functions (NFs), e.g., Network Repository Function (NRF) for NF-related information, and Network Slice Selection
  • the UDR 7 may store data grouped into distinct collections of subscription-related information such as: subscription data, policy data; structured data for exposure; and application data.
  • the PCF 4 may support a unified policy framework to govern the network behavior. Specifically, the PCF may provide Policy and Charging Control (PCC) rules to the Policy and Charging Enforcement Function (PCEF), that is, the SMF 3/User Plane Function (UPF) 8, which may enforce policy and charging decisions according to provisioned PCC rules.
  • the SMF 3 may support different functionalities, e.g., the SMF 3 may receive PCC rules from the PCF 4 and may configure the UPF 8 accordingly.
  • the UPF 8 may support handling of user plane (UP) traffic based on the rules received from the SMF 3, e.g., packet inspection and different enforcement actions such as Quality of Service (QoS) handling.
  • a Charging Function (CHF) 9.
  • Each of the UDR 7, the NEF 6, the NWDAF 1, the AF 5, the PCF 4, the CHF 9, the AMF 2, and the SMF 3 may have an interface through which they may be accessed, which as depicted in the Figure, may be, respectively: Nudr 10, Nnef 11, Nnwdaf 12, Naf 13, Npcf 14, Nchf 15, Namf 16, Nsmf 17.
  • the UPF 8 may have an interface N4 18 with the SMF 3.
  • the communications network may cover a geographical area which may be divided into cell areas, each cell area being served by another type of node, a network node in the Radio Access Network (RAN) 7, radio network node or Transmission Point (TP), for example, an access node such as a Base Station (BS), e.g. a Radio Base Station (RBS), which sometimes may be referred to as e.g., evolved Node B (“eNB”), “eNodeB”, “NodeB”, “B node”, or Base Transceiver Station (BTS), depending on the technology and terminology used.
  • the base stations may be of different classes such as e.g. Wide Area Base Stations, Medium Range Base Stations, Local Area Base Stations and Home Base Stations, based on transmission power and thereby also cell size.
  • a cell is the geographical area where radio coverage is provided by the base station at a base station site.
  • One base station, situated on the base station site, may serve one or several cells. Further, each base station may support one or several communication technologies.
  • the telecommunications network may also be a non-cellular system, comprising network nodes which may serve receiving nodes, such as user equipments, with serving beams.
  • A DoS attack may be understood as a cyber-attack where the perpetrator may seek to make a machine or network resource unavailable to its intended users by temporarily or indefinitely disrupting services of a host connected to the internet.
  • Denial of service may typically be accomplished by flooding the targeted machine or resource with superfluous requests, to overload systems and to prevent some or all legitimate requests from being fulfilled.
  • There may be different types of DDoS attacks: a) volume-based attacks, which may use high traffic to inundate the network bandwidth, b) protocol attacks, which may focus on exploiting server resources, and c) application attacks, which may focus on web applications and may be considered the most sophisticated and serious type of attacks.
  • Examples of DDoS attacks may be: SYN flood, User Datagram Protocol (UDP) flood, HTTP flood, Ping of death, Smurf attack, Fraggle attack, Slowloris, Network Time Protocol (NTP) amplification, Advanced Persistent DoS, Zero-day DDoS attacks, etc.
  • Active attacks different from DoS may be, for example: volume based, such as spoofing, UDP -Domain Name Security (DNS)-, Internet Control Message Protocol (ICMP), reflection amplification, Address Resolution Protocol (ARP), Ping flood, Ping of death and Smurf attack; and host based, such as Buffer overflow, Heap overflow, Stack overflow, and Format string attack.
  • Application protocols referred to herein include HTTP (Hypertext Transport Protocol), HTTPS (Hypertext Transport Protocol Secure), TLS (Transport Layer Security) and QUIC (Quick User Datagram Protocol Internet Connection).
  • QUIC may be understood as a UDP-based, stream-multiplexing, encrypted transport protocol.
  • QUIC may be understood as basically a UDP based replacement for Transmission Control Protocol (TCP).
  • QUIC is now under the final steps of standardization at the IETF and may rely on TLS 1.3. Network operators are challenged by the exponential increase of connected devices, both mobile broadband and IoT devices, which implies a much higher probability of security vulnerabilities and threats, for example, according to the types of security attacks just described.
  • Gateways may provide some basic security functions, such as DDoS detection. However, those security functions are performed locally, under static configuration, rather than dynamically, which would be more efficient.
  • traffic encryption is a growing trend. DNS traffic today is starting to be encrypted, e.g., DNS over HTTPS (DoH), DNS over TLS (DoT). In the future, it is expected that most DNS traffic will be encrypted. Moreover, most applications today are encrypted, based on HTTPS/TLS or QUIC. In the future, it is foreseen that most applications will be based on QUIC. Furthermore, it is expected that the TLS/QUIC Server Name Indication (SNI) field will also be encrypted.
  • the object is achieved by a computer-implemented method, performed by a first node.
  • the method is for handling security in a communications system.
  • the first node operates in the communications system.
  • the first node receives, from another node operating in the communications system, a first message.
  • the first message requests a subscription to receive at least one indication indicating a security attack of a first type in the communications system of at least one of a first indication and a second indication.
  • the first indication is of one or more applications that are a target or a source of the security attack of the first type in the communications system.
  • the second indication is of one or more devices operating in the communications system that are a target or a source of the security attack of the first type in the communications system.
  • the first node then initiates instructing, based on the received first message, at least one of: the one or more additional nodes operating in the communications system and the first device of the one or more devices, to monitor information indicative of the security attack of the first type.
  • the first node then initiates sending, with the proviso that the security attack is detected based on the monitored information, another message to the another node.
  • the another message comprises the requested at least one of the first indication and the second indication, based on the requested subscription.
  • the object is achieved by a computer-implemented method, performed by a second node.
  • the method is for handling security in the communications system.
  • the second node operates in the communications system.
  • the second node receives an instruction from the first node operating in the communications network to monitor the information indicative of the security attack of the first type, by receiving the second message from the first node.
  • the second message requests first information, of the information indicative of the security attack of the first type.
  • the first information indicates the traffic indicators for one or more devices operating in the communications system that are the target or the source of the security attack of the first type in the communications system.
  • the second node sends the requested first information to the first node, in the first additional message.
  • the object is achieved by a computer-implemented method, performed by a communications system.
  • the method is for handling security in the communications system.
  • the communications system comprises the first node and the one or more additional nodes.
  • the method comprises receiving, by the first node, from the another node operating in the communications system, the first message.
  • the first message requests the subscription to receive at least one indication indicating a security attack of the first type in the communications system of at least one of: the first indication and the second indication.
  • the first indication is of the one or more applications that are the target or the source of the security attack of the first type in the communications system.
  • the second indication is of the one or more devices operating in the communications system 100 that are the target or the source of the security attack of the first type in the communications system.
  • the method also comprises initiating instructing, by the first node and based on the received first message, at least one of: the one or more additional nodes and the first device of the one or more devices, to monitor the information indicative of the security attack of the first type.
  • the method further comprises receiving, by the second node of the one or more additional nodes, the instruction from the first node to monitor information indicative of the security attack of the first type, by receiving the second message from the first node.
  • the second message requests the first information, of the information indicative of the security attack of the first type.
  • the first information indicates the traffic indicators for the one or more devices operating in the communications system that are the target or the source of the security attack of the first type in the communications system.
  • the method also comprises sending, by the second node 112, the requested first information to the first node, in the first additional message.
  • the method further comprises initiating sending, by the first node, with the proviso that the security attack is detected based on the monitored information, the another message to the another node.
  • the another message comprises the requested at least one of the first indication and the second indication, based on the requested subscription.
  • the object is achieved by the first node, for handling security in the communications system.
  • the first node is configured to operate in the communications system.
  • the first node is further configured to receive, from the another node configured to operate in the communications system, the first message.
  • the first message is configured to request the subscription to receive the at least one indication configured to indicate the security attack of the first type in the communications system of at least one of: the first indication and the second indication.
  • the first indication is of the one or more applications that are the target or the source of the security attack of the first type in the communications system.
  • the second indication is of the one or more devices configured to operate in the communications system that are the target or the source of the security attack of the first type in the communications system.
  • the first node is also configured to initiate instructing, based on the first message configured to be received, at least one of: the one or more additional nodes configured to operate in the communications system and the first device of the one or more devices, to monitor the information indicative of the security attack of the first type.
  • the first node is further configured to initiate sending, with the proviso that the security attack is detected based on the information configured to be monitored, the another message to the another node.
  • the another message is configured to comprise the at least one of the first indication and the second indication configured to be requested, based on the subscription configured to be requested.
  • the object is achieved by the second node, for handling security in the communications system.
  • the second node is configured to operate in the communications system.
  • the second node is further configured to receive the instruction from the first node configured to operate in the communications network to monitor the information indicative of the security attack of the first type, by receiving the second message from the first node.
  • the second message is configured to request the first information, of the information indicative of the security attack of the first type.
  • the first information is configured to indicate the traffic indicators for the one or more devices configured to operate in the communications system that are the target or the source of the security attack of the first type in the communications system.
  • the second node is also configured to send the first information configured to be requested to the first node, in the first additional message.
  • the object is achieved by the communications system, for handling security in the communications system.
  • the communications system is configured to comprise the first node and the one or more additional nodes.
  • the communications system is further configured to receive, by the first node, from the another node configured to operate in the communications system, the first message.
  • the first message is configured to request the subscription to receive the at least one indication configured to indicate the security attack of the first type in the communications system of the at least one of: the first indication and the second indication.
  • the first indication is of the one or more applications that are the target or the source of the security attack of the first type in the communications system.
  • the second indication is of the one or more devices configured to operate in the communications system that are the target or the source of the security attack of the first type in the communications system.
  • the communications system is also configured to initiate instructing, by the first node and based on the first message configured to be received, at least one of: the one or more additional nodes configured to operate in the communications system and the first device of the one or more devices, to monitor the information indicative of the security attack of the first type.
  • the communications system is further configured to receive, by the second node of the one or more additional nodes, the instruction from the first node to monitor the information indicative of the security attack of the first type, by receiving the second message from the first node.
  • the second message is configured to request the first information, of the information indicative of the security attack of the first type.
  • the first information is configured to indicate the traffic indicators for the one or more devices configured to operate in the communications system that are the target or the source of the security attack of the first type in the communications system.
  • the communications system is also configured to send, by the second node, the first information configured to be requested to the first node, in the first additional message.
  • the communications system is further configured to initiate sending, by the first node, with the proviso that the security attack is detected based on the information configured to be monitored, the another message to the another node.
  • the another message is configured to comprise the at least one of the first indication and the second indication configured to be requested, based on the subscription configured to be requested.
  • the object is achieved by a computer program, comprising instructions which, when executed on at least one processor, cause the at least one processor to carry out the method performed by the first node.
  • the object is achieved by a computer-readable storage medium, having stored thereon the computer program, comprising instructions which, when executed on at least one processor, cause the at least one processor to carry out the method performed by the first node.
  • the object is achieved by a computer program, comprising instructions which, when executed on at least one processor, cause the at least one processor to carry out the method performed by the second node.
  • the object is achieved by a computer-readable storage medium, having stored thereon the computer program, comprising instructions which, when executed on at least one processor, cause the at least one processor to carry out the method performed by the second node.
  • the first node may be enabled to know which entity may need to be monitored in the communications system as being a potential source or target of a security attack, and for which purpose, namely, which kind of security attack. The first node may then be enabled to initiate prevention of the security attack from happening, or its management once it may have been initiated.
  • the first node may trigger data collection from the entities in the communications network which may be able to provide information on the one or more applications and/or the one or more devices that may be the target or the source of the security attack of the first type, so that after receiving the information, the first node may be enabled to perform an analysis of the information and determine if an attack may be underway, or may have happened.
  • the second node, by receiving the second message, may be enabled to start monitoring the requested first information, and when appropriate, e.g., on-demand, when a condition is met, or periodically, send the collected first information to the first node, thereby enabling the first node to analyze the information and determine whether or not the attack has taken place, and by whom, so that actions to mitigate such an attack may be taken.
  • the first node may then enable the another node to be notified about any security attack that may be underway, or may have happened in the communications system, and thereby enable the another node to take appropriate measures to stop the attack and mitigate any adverse effects the attack may have on the operation of the communications system and/or its components.
  • the capacity of the communications system may therefore be improved and the latency may be reduced.
  • Figure 1 is a schematic diagram illustrating a non-limiting example of a 5G Network.
  • Figure 2 is a schematic diagram illustrating a non-limiting example of a communications system, according to embodiments herein.
  • Figure 3 is a flowchart depicting embodiments of a method in a first node, according to embodiments herein.
  • Figure 4 is a flowchart depicting embodiments of a method in a second node, according to embodiments herein.
  • Figure 5 is a flowchart depicting embodiments of a method in a communications system, according to embodiments herein.
  • Figure 6 is a schematic diagram depicting a non-limiting example of signalling between nodes in a communications system, according to embodiments herein.
  • Figure 7 is a schematic diagram depicting a continuation of Figure 6.
  • Figure 8 is a schematic diagram depicting a continuation of Figure 7.
  • Figure 9 is a schematic block diagram illustrating two non-limiting examples, a) and b), of a first node, according to embodiments herein.
  • Figure 10 is a schematic block diagram illustrating two non-limiting examples, a) and b), of a second node, according to embodiments herein.
  • Figure 11 is a schematic block diagram illustrating two non-limiting examples, a) and b), of a communications system, according to embodiments herein.
  • Embodiments herein may therefore be understood to relate in general to security related attack prevention based on Analytics in 5G networks.
  • Embodiments herein may be understood to solve the above problems with the existing solutions and may be understood to be based on the definition of a new type of analytic relative to security related attacks.
  • Particular embodiments herein may specifically address this problem when traffic may be encrypted.
  • FIG. 2 depicts two non-limiting examples, in panels “a” and “b”, respectively, of a communications system 100, in which embodiments herein may be implemented.
  • the communications system 100 may be a computer network.
  • the communications system 100 may be implemented in a telecommunications system, sometimes also referred to as a telecommunications network, cellular radio system, cellular network or wireless communications system.
  • the telecommunications system may comprise network nodes which may serve receiving nodes, such as wireless devices, with serving beams.
  • the telecommunications system may for example be a network such as 5G system, or a newer system supporting similar functionality.
  • the telecommunications system may also support other technologies, such as a Long-Term Evolution (LTE) network, e.g.
  • LTE Frequency Division Duplex (FDD), LTE Time Division Duplex (TDD), LTE Half-Duplex Frequency Division Duplex (HD-FDD), LTE operating in an unlicensed band, Wideband Code Division Multiple Access (WCDMA), Universal Terrestrial Radio Access (UTRA) TDD, Global System for Mobile communications (GSM) network, GSM/Enhanced Data Rate for GSM Evolution (EDGE) Radio Access Network (GERAN) network, Ultra-Mobile Broadband (UMB), EDGE network, a network comprising any combination of Radio Access Technologies (RATs) such as e.g.
  • the telecommunications system may for example support a Low Power Wide Area Network (LPWAN).
  • LPWAN technologies may comprise Long Range physical layer protocol (LoRa), Haystack, SigFox, LTE-M, and Narrow-Band IoT (NB-IoT).
  • the communications system 100 may comprise a plurality of nodes, whereof a first node 111, one or more additional nodes 112, 113 are depicted in Figure 2.
  • the one or more additional nodes 112, 113 may comprise a second node 112, and a third node 113.
  • the communications system 100 may also comprise a fourth node 114, and comprises another node 115, also referred to herein as a fifth node 115, which are also depicted in Figure 2.
  • Any of the first node 111, the second node 112, the third node 113, the fourth node 114 and the fifth node 115 may be understood, respectively, as a first computer system, a second computer system, and a third computer system.
  • any of the first node 111, the second node 112, the third node 113, the fourth node 114 and the fifth node 115 may be implemented as a standalone server in e.g., a host computer in the cloud 116.
  • any of the first node 111, the second node 112, the third node 113, the fourth node 114 and the fifth node 115 may in some examples be a distributed node or distributed server, with some of their respective functions being implemented locally, e.g., by a client manager, and some of its functions implemented in the cloud 116, by e.g., a server manager. Yet in other examples, any of the first node 111, the second node 112, the third node 113, the fourth node 114 and the fifth node 115 may also be implemented as processing resources in a server farm.
  • any of the first node 111, the second node 112, the third node 113, the fourth node 114 and the fifth node 115 may be independent and separated nodes. In other embodiments, any of the first node 111, the second node 112, the third node 113, the fourth node 114 and the fifth node 115 may be co-located or be the same node. In a particular non-limiting example, the first node 111, e.g., a NWDAF, may either be a central node or may be co-located with the second node 112, e.g., a UPF. All the possible combinations are not depicted in Figure 2 to simplify the Figure. It may be understood that the communications system 100 may comprise more nodes than those represented in Figure 2.
  • the first node 111 may be a node having a capability to analyze data, such as a NWDAF in 5G, or a node capable of performing a similar function in the communications system 100.
  • the second node 112 may be a node having a capability to support handling of user plane traffic based on one or more rules such as, for example, packet inspection and different enforcement actions such as QoS handling, which may have been received from an SMF.
  • the second node 112 may be a UPF in 5G or a node capable of performing a similar function in the communications system 100.
  • the third node 113 may be a node capable of storing data grouped into distinct collections of subscription-related information, such as subscription data, policy data, structured data for exposure, and application data.
  • the third node 113 may be a UDR in 5G or a node capable of performing a similar function in the communications system 100.
  • the fourth node 114 may be a node capable of providing content to a user, in relation to an application.
  • the fourth node 114 may be for example an application server, or a node capable of performing a similar function in the communications system 100.
  • the fifth node 115 may be a node capable of requesting data pertaining to analytics performed by the first node 111.
  • the fifth node 115 may be for example a consumer, such as, any NF, e.g., PCF or OAM, or a node capable of performing a similar function in the communications system 100.
  • the communications system 100 also comprises one or more devices 130, comprising a first device 131.
  • Any of the one or more devices 130 may be also known as e.g., user equipment (UE), a wireless device, mobile terminal, wireless terminal and/or mobile station, mobile telephone, cellular telephone, or laptop with wireless capability, or a Customer Premises Equipment (CPE), just to mention some further examples.
  • any of the one or more devices 130 in the present context may be, for example, portable, pocket-storable, hand-held, computer-comprised, or a vehicle-mounted mobile device, enabled to communicate voice and/or data, via a RAN, with another entity, such as a server, a laptop, a Personal Digital Assistant (PDA), or a tablet computer, sometimes referred to as a tablet with wireless capability, or simply tablet, a Machine-to-Machine (M2M) device, a device equipped with a wireless interface, such as a printer or a file storage device, modem, Laptop Embedded Equipped (LEE), Laptop Mounted Equipment (LME), USB dongles, CPE or any other radio network unit capable of communicating over a radio link in the communications system 100.
  • any of the one or more devices 130 may be wireless, i.e., it may be enabled to communicate wirelessly in the communications system 100 and, in some particular examples, may be able support beamforming transmission.
  • the communication may be performed e.g., between two devices, between a device and a radio network node, and/or between a device and a server.
  • the communication may be performed e.g., via a RAN and possibly one or more core networks, comprised, respectively, within the communications system 100.
  • any of the one or more devices 130 may be an IoT device, e.g., an NB-IoT device.
  • the communications system 100 may comprise one or more radio network nodes, whereof a radio network node 140 is depicted in Figure 2b.
  • the radio network node 140 may typically be a base station or Transmission Point (TP), or any other network unit capable to serve a wireless device or a machine type node in the communications system 100.
  • the radio network node 140 may be e.g., a 5G gNB, a 4G eNB, or a radio network node in an alternative 5G radio access technology, e.g., fixed or WiFi.
  • the radio network node 140 may be e.g., a Wide Area Base Station, Medium Range Base Station, Local Area Base Station and Home Base Station, based on transmission power and thereby also coverage size.
  • the radio network node 140 may be a stationary relay node or a mobile relay node.
  • the radio network node 140 may support one or several communication technologies, and its name may depend on the technology and terminology used.
  • the radio network node 140 may be directly connected to one or more networks and/or one or more core networks.
  • the communications system 100 covers a geographical area which may be divided into cell areas, wherein each cell area may be served by a radio network node, although, one radio network node may serve one or several cells.
  • the first node 111 may communicate with any of the one or more additional nodes 112, 113, e.g., with the second node 112, respectively, over a respective first link 151, e.g., a radio link or a wired link.
  • the first node 111 may communicate with the another node 115 over a second link 152, e.g., a radio link or a wired link.
  • the first node 111 may communicate with any of the one or more devices 130, e.g., the first device 131 , respectively, over a respective third link 153, e.g., a radio link or a wired link.
  • the second node 112 may communicate with the fourth node 114 over a respective fourth link 154, e.g., a radio link or a wired link.
  • the radio network node 140 may communicate with the first node 111 over a fifth link 155, e.g., a radio link.
  • the radio network node 140 may communicate with any of the one or more devices 130, e.g., the first device 131, respectively, over a respective sixth link 156, e.g., a radio link.
  • any of the respective first link 151 , the second link 152, the third link 153, the fourth link 154, the fifth link 155 and the respective sixth link 156 may be a direct link or it may go via one or more computer systems or one or more core networks in the communications system 100, or it may go via an optional intermediate network.
  • the intermediate network may be one of, or a combination of more than one of, a public, private or hosted network; the intermediate network, if any, may be a backbone network or the Internet, which is not shown in Figure 2.
  • “first”, “second”, “third”, “fourth”, “fifth” and/or “sixth” herein may be understood to be an arbitrary way to denote different elements or entities, and may be understood to not confer a cumulative or chronological character to the nouns these adjectives modify.
  • Embodiments of a computer-implemented method, performed by the first node 111 will now be described with reference to the flowchart depicted in Figure 3.
  • the method may be understood to be for handling security in a communications system 100.
  • the first node 111 operates in the communications system 100.
  • the method may comprise the actions described below. In some embodiments all the actions may be performed. In some embodiments some of the actions may be performed. In Figure 3, optional actions are indicated with a dashed box. One or more embodiments may be combined, where applicable. All possible combinations are not described to simplify the description. It should be noted that the examples herein are not mutually exclusive. Components from one example or embodiment may be tacitly assumed to be present in another example or embodiment and it will be obvious to a person skilled in the art how those components may be used in the other examples or embodiments.
  • Actions 302a, 302b, 302c, 303, 304 and 305 may be performed in a different order. In a particular alternative example to that depicted in Figure 3, these Actions may be performed in the order of 302b, 304, 302a, 302c, 305, 303.
  • a security attack may be understood as any interference in any process or component of the communications system 100 with the intent to affect its functioning or performance, and/or to steal part of the information processed by it.
  • a security attack may be of different types, as described in the Background section, for example passive attacks, active attacks, etc.
  • an analytics consumer such as the another node 115, which may be e.g., any NF, such as a PCF or an OAM, may subscribe with the first node 111 to receive a new type of analytic according to embodiments herein, as will be described next, and may indicate the security scenario that may be of interest to the another node 115 to follow, e.g., a DDoS.
  • the first node 111 receives, from the another node 115 operating in the communications system 100, a first message.
  • the first message requests a subscription to receive at least one indication indicating a security attack of a first type in the communications system 100.
  • the indication is of at least one of: i) a first indication of one or more applications that are a target or a source of the security attack of the first type in the communications system 100, and ii) a second indication of the one or more devices 130 operating in the communications system 100 that are a target or a source of the security attack of the first type in the communications system 100.
  • the first node 111 may be an NWDAF and the another node 115 may manage an analytics consumer, such as any NF, e.g. PCF or OAM.
  • the first message may be, for example, a Nnwdaf_AnalyticsSubscription_Request message.
  • the first indication may be, for example, a list of applications, e.g., a list of identifiers of applications, such as a list of App-IDs, which may be understood to indicate the App-ID/s which may be the target or the source for the security attack.
  • the first message may indicate the first indication, the second indication, or both. If the first indication is not included, e.g., the list of App-ID/s is empty, it may be understood that all user traffic, and not only that pertaining to a subset of applications, may be subject to the requested analytic.
  • the second indication may be, for example, an identifier of a device, e.g., a UE-ID, or a list of devices, e.g., a list of identifiers of devices, such as a list of UE-IDs, a UE-Group-ID or a list of UE-Group-IDs, or AnyUE, which may be understood to indicate the devices which may be the target or the source for the security attack.
  • a security attack of a first type may be, for example, a Denial of Service (DoS) attack. There may be other types of attacks.
  • the receiving in this Action 301 need not be directly from the another node 115 via the second link 152.
  • the first node 111 may be enabled to know which entity may need to be monitored in the communications system 100 as being a potential source or target of a security attack, and for which purpose, namely, which kind of security attack. The first node 111 may then be enabled to initiate prevention of the security attack from happening, or its management once it may have been initiated, by proceeding to perform the next Action 302. Before that, the first node 111 may reply to the received first message with a successful response, accepting the request.
  • the first node 111 initiates instructing, based on the received first message, at least one of: the one or more additional nodes 112, 113 operating in the communications system 100 and the first device 131 of the one or more devices 130, to monitor information indicative of the security attack of the first type.
  • Initiating may be understood as triggering or starting.
  • the one or more additional nodes 112, 113 may comprise the second node 112, e.g., a UPF.
  • the initiating instructing in this Action 302 may comprise sending 302a a second message to the second node 112.
  • the second message may request first information, that is a first set of information, of the information indicative of the security attack of the first type.
  • the first information may indicate traffic indicators for the indicated one or more devices 130.
  • the first node 111 may therefore in this Action 302a, trigger data collection from the second node 112, specifically to retrieve information relative to protocol metrics for a particular device, e.g., the first device 131.
  • the second message may be, for example, a Nupf_EventExposure_Subscribe request message.
  • the protocol may be understood to refer to, e.g., the transport protocol which may be used by the traffic of the particular application, e.g., example.com, which may be the subject of the monitoring; a particular example of such a protocol may be TCP.
  • in other examples the protocol may be UDP or QUIC. The second message may further indicate one or more protocol metrics.
  • the one or more protocol metrics may be indicated by a parameter “Protocol Metrics Info”.
  • the one or more metrics may comprise one or more third indications.
  • the one or more third indications may indicate, respectively, one of the following options, although this is not an exhaustive list.
  • one of the third indications may indicate a ratio of connection-oriented transport protocol setup request messages to connection-oriented transport protocol setup response messages for a session. An example for the TCP protocol of this ratio may be the parameter “SYN to SYN-ACK ratio”. This may be understood to be the ratio between SYN and SYN-ACK messages for a particular session, e.g., a UE-ID session. For example, a ratio of 1 may be understood to mean that there is a corresponding SYN-ACK message for each SYN message.
  • one of the third indications may indicate a number of unacknowledged connection-oriented transport protocol setup request messages.
  • An example for the TCP protocol of this number may be a parameter “Unacked SYN volume”. This may be understood to be the number of TCP SYN messages for which no TCP SYN-ACK and/or TCP ACK messages have been detected by the second node 112, e.g., a UPF, for this particular session, e.g., the UE-ID session.
  • one of the third indications may indicate a volume of a respective message of a first type received for the session.
  • an example for this volume may be a parameter “SYN volume”. This may be understood to be the average volume of each TCP SYN message for this UE-ID session. Additionally, in case the volume of an individual TCP SYN message exceeds a configurable threshold, this may also be reported.
  • one of the third indications may indicate a number of consecutive messages of a second type received for the session.
  • An example for the TCP protocol of this number may be a parameter “Simultaneous TCP SYN”. This may be understood to be the number of consecutive TCP SYN messages for this session, e.g., UE-ID session, for example, over a certain timespan which may also be configurable.
  • one of the third indications may indicate an average size of a window for the session.
  • An example for the TCP protocol of this average size may be a parameter “TCP average window size”. This may be understood to be the average window size for this session, e.g., UE-ID session.
  • one of the third indications may indicate a number of duplicated acknowledgement messages for the session.
  • An example for the TCP protocol of this number may be a parameter “Duplicated ACKs”. This may be understood to be the number of duplicated ACKs for this session, e.g., UE-ID session.
  • one of the third indications may indicate a number of connection reset messages sent for the session.
  • an example for the TCP protocol of this number may be a parameter “RST”. This may be understood to be the number of TCP RST packets sent for this session, e.g., UE-ID session.
  • one of the third indications may indicate an amount of retransmitted information for the session.
  • An example for the TCP protocol of this amount may be a parameter “Retransmissions”. This may be understood to be the number of retransmitted packets/bytes for this session, e.g., UE-ID session.
  • one of the third indications may indicate a maximum segment size for the session.
  • an example for this size may be a parameter “Maximum Segment Size”. This may be understood to be the maximum segment size for this session, e.g., UE-ID session.
  • one of the third indications may indicate a number of units of information sent during an initial window of the session.
  • An example for the TCP protocol of this number of units may be a parameter “Initial window packets/bytes”. This may be understood to be the number of packets/bytes sent during the initial window for this session, e.g., UE-ID session.
  • one of the third indications may indicate a maximum idle time between consecutive packets for the session.
  • An example for the TCP protocol of this time may be a parameter “Max Idle time”. This may be understood to be the maximum idle time between consecutive packets for this session, e.g., UE-ID session.
  • one of the third indications may indicate a minimum idle time between consecutive packets for the session.
  • an example for this time may be a parameter “Min Idle time”. This may be understood to be the minimum idle time between consecutive packets for this session, e.g., UE-ID session.
  • one of the third indications may indicate a throughput for the session.
  • An example for the TCP protocol of this throughput may be a parameter “Average throughput”. This may be understood to be the average throughput for this session, e.g., UE-ID session.
  • one of the third indications may indicate a respective start time of a respective flow comprised in the session.
  • an example for this start time may be a timestamp, indicating the start time for the flow.
  • one of the third indications may indicate a respective fourth node 114 serving the first device 131 for the respective flow comprised in the session.
  • An example for the TCP protocol of this indication may be a 5-tuple, including the server IP address.
  • one of the third indications may indicate a respective volume of the respective flow comprised in the session.
  • An example for the TCP protocol of this volume may be a parameter Volume, optionally differentiating uplink (UL) and downlink (DL) volume.
  • the mechanisms proposed in 3GPP TR 23.700-91 may, for example, be used, e.g. through an SMF or directly, assuming a service based UPF.
  • the protocol metrics above may be understood to be specific to the TCP protocol. For UDP and QUIC, other metrics may be used. For example, the following UDP protocol metrics may be used, although this list is not exhaustive:
  • one of the third indications may indicate the number of consecutive messages of the second type received for the session.
  • An example for the UDP protocol of this number may be a parameter “Simultaneous UL UDP”. This may be understood to be the number of consecutive UL UDP messages, e.g., with different 5-tuple, usually different source port, for this session, e.g., UE-ID session, for example, over a certain timespan which may be configurable.
  • one of the third indications may indicate the number of consecutive messages of the second type received for the session and a same server. An example for the UDP protocol of this number may be a parameter “Simultaneous UL UDP same server”. This may be understood to be the number of consecutive UL UDP messages, with different 5-tuple, usually different source port, for this session, e.g., UE-ID session, and for the same server, e.g., over a certain timespan which may be configurable.
  • one of the third indications may indicate a number of consecutive messages of another second type received for the session and a same server.
  • An example for the UDP protocol of this number may be a parameter “Simultaneous unsolicited DL UDP same server”. This may be understood to be the number of consecutive DL UDP messages, with different 5-tuple, usually different source port, for this session, e.g., UE-ID session, and from the same server, over a certain timespan which may be configurable, initiated from the server side, that is, unsolicited traffic.
  • one of the third indications may indicate the volume of respective message of the first type received for the session.
  • An example for the QUIC protocol of this volume may be a parameter “UL Initial QUIC long header packet volume”. This may be understood to be the average volume of each UL Initial QUIC long header packet for this session, e.g., UE-ID session. Additionally, in case the volume of an individual UL Initial QUIC long header packet exceeds a configurable threshold, this may also be reported.
  • one of the third indications may indicate the number of consecutive messages of the second type received for the session.
  • An example for the QUIC protocol of this number may be a parameter “Simultaneous UL QUIC”. This may be understood to be the number of consecutive UL Initial QUIC long header packets, with different 5-tuple, usually different source port, for this UE-ID session, over a certain timespan which may also be configurable.
  • one of the third indications may indicate the number of consecutive messages of the second type received for the session and a same server.
  • An example for the QUIC protocol of this number may be a parameter “Simultaneous UL QUIC same server”. This may be understood to be the number of consecutive UL Initial QUIC long header packets, with different 5-tuple, usually different source port, for this session, e.g., UE-ID session and for the same server, e.g., over a certain timespan which is also configurable.
  • one of the third indications may indicate the number of consecutive messages of another second type received for the session.
  • An example for the QUIC protocol of this number may be a parameter “Simultaneous unsolicited DL QUIC same server”. This may be understood to be the number of consecutive DL Initial QUIC long header packets, with different 5-tuple, usually different source port, for this session, e.g., UE-ID session, and from the same server, over a certain timespan which is also configurable, initiated from the server side, that is, unsolicited traffic.
  • the sending in this Action 302a may be performed over a respective first link 151.
  • the second node 112 may answer the second message with a successful response, accepting the request.
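As an added illustration, not code from the patent, the following Python computes, from constructed packet observations, the kind of per-UE-ID session values that the TCP protocol metrics above (“SYN to SYN-ACK ratio”, “Unacked SYN volume”, “SYN volume”, “Simultaneous TCP SYN”, “RST”, idle times, throughput and per-flow volume) and the UDP metrics “Simultaneous UL UDP” / “Simultaneous UL UDP same server” describe, i.e., what the second node 112, e.g., a UPF, would fill into “ProtocolMetricsInfo”. The Pkt record, the normalisation of the 5-tuple to the UE side, the one-second timespan, the 120-byte SYN size threshold and the sample traffic are all assumptions constructed for the example.

```python
"""Per-session protocol metrics of the kind a UPF could report (added example)."""
from dataclasses import dataclass

TCP, UDP = 6, 17


@dataclass(frozen=True)
class Pkt:
    ue_id: str
    flow: tuple       # (ue_ip, ue_port, server_ip, server_port, proto), normalised to the UE side
    direction: str    # "UL" (UE -> server) or "DL" (server -> UE)
    flags: frozenset  # TCP flag names present, e.g. frozenset({"SYN", "ACK"}); empty for UDP
    size: int         # bytes on the wire
    ts: float         # observation time in seconds


def tcp_metrics(packets, ue_id, window_s=1.0, syn_size_threshold=120):
    """TCP values of 'Protocol Metrics Info' for one UE-ID session; {} if no TCP was seen."""
    pk = sorted((p for p in packets if p.ue_id == ue_id and p.flow[4] == TCP), key=lambda p: p.ts)
    if not pk:
        return {}
    ul_syn = [p for p in pk if p.direction == "UL" and p.flags == frozenset({"SYN"})]
    dl_synack = [p for p in pk if p.direction == "DL" and {"SYN", "ACK"} <= p.flags]
    answered = {p.flow for p in dl_synack}
    # Simultaneous TCP SYN: the most UL SYNs that fall inside any window_s-second span.
    simultaneous = max((sum(1 for q in ul_syn[i:] if q.ts - p.ts <= window_s)
                        for i, p in enumerate(ul_syn)), default=0)
    gaps = [b.ts - a.ts for a, b in zip(pk, pk[1:])]
    span = pk[-1].ts - pk[0].ts
    flows = {}
    for p in pk:  # per-flow start time, serving server and UL/DL volume
        f = flows.setdefault(p.flow, {"start": p.ts, "server_ip": p.flow[2], "UL": 0, "DL": 0})
        f[p.direction] += p.size
    return {
        "SYN to SYN-ACK ratio": len(ul_syn) / len(dl_synack) if dl_synack else float("inf"),
        "Unacked SYN volume": sum(1 for p in ul_syn if p.flow not in answered),
        "SYN volume": sum(p.size for p in ul_syn) / len(ul_syn) if ul_syn else 0.0,
        "Oversized SYN": sum(1 for p in ul_syn if p.size > syn_size_threshold),
        "Simultaneous TCP SYN": simultaneous,
        "RST": sum(1 for p in pk if "RST" in p.flags),
        "Max Idle time": max(gaps, default=0.0),
        "Min Idle time": min(gaps, default=0.0),
        "Average throughput": sum(p.size for p in pk) / span if span else 0.0,  # bytes per second
        "Flows": flows,
    }


def udp_simultaneous(packets, ue_id, window_s=1.0, server_ip=None):
    """'Simultaneous UL UDP', or 'Simultaneous UL UDP same server' when server_ip is given:
    the most distinct UL UDP 5-tuples the UE started inside any window_s-second span."""
    firsts = {}
    for p in sorted(packets, key=lambda p: p.ts):
        if (p.ue_id == ue_id and p.flow[4] == UDP and p.direction == "UL"
                and (server_ip is None or p.flow[2] == server_ip)):
            firsts.setdefault(p.flow, p.ts)  # first UL packet of each 5-tuple
    starts = sorted(firsts.values())
    return max((sum(1 for t in starts[i:] if t - s <= window_s)
                for i, s in enumerate(starts)), default=0)


# Constructed sample traffic (not captured data); 203.0.113.10 is a documentation address.
S = "203.0.113.10"


def _tcp(ue, ue_ip, port, direction, flags, size, ts):
    return Pkt(ue, (ue_ip, port, S, 443, TCP), direction, frozenset(flags), size, ts)


SAMPLE = [
    # ue-1: six SYNs from six source ports within half a second, only the first answered
    *[_tcp("ue-1", "10.0.0.1", 40000 + i, "UL", {"SYN"}, 60, 0.1 * i) for i in range(6)],
    _tcp("ue-1", "10.0.0.1", 40000, "DL", {"SYN", "ACK"}, 60, 0.05),
    # ue-2: one ordinary connection with handshake, data and orderly close
    _tcp("ue-2", "10.0.0.2", 50000, "UL", {"SYN"}, 60, 0.0),
    _tcp("ue-2", "10.0.0.2", 50000, "DL", {"SYN", "ACK"}, 60, 0.02),
    _tcp("ue-2", "10.0.0.2", 50000, "UL", {"ACK"}, 52, 0.04),
    _tcp("ue-2", "10.0.0.2", 50000, "UL", {"PSH", "ACK"}, 500, 0.10),
    _tcp("ue-2", "10.0.0.2", 50000, "DL", {"PSH", "ACK"}, 1400, 0.30),
    _tcp("ue-2", "10.0.0.2", 50000, "UL", {"FIN", "ACK"}, 52, 2.30),
    # ue-3: six UL UDP datagrams from six source ports inside half a second, four to one server
    *[Pkt("ue-3", ("10.0.0.3", 60000 + i, S if i < 4 else "198.51.100.7", 443, UDP),
          "UL", frozenset(), 1200, 0.1 * i) for i in range(6)],
]

if __name__ == "__main__":
    from pprint import pprint
    for ue in ("ue-1", "ue-2"):
        pprint({ue: tcp_metrics(SAMPLE, ue)})
    print("Simultaneous UL UDP ue-3:", udp_simultaneous(SAMPLE, "ue-3"),
          "same server:", udp_simultaneous(SAMPLE, "ue-3", server_ip=S))
```

On the sample, ue-1 shows the SYN-flood signature the text describes (a SYN to SYN-ACK ratio of 6, five unacknowledged SYNs and six simultaneous SYNs inside one timespan), while ue-2 shows a ratio of 1 with no unacknowledged SYNs. The UDP counters only consider the first packet of each distinct 5-tuple, so retransmissions inside one flow do not inflate them.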
  • the one or more additional nodes 112, 113 may comprise the third node 113, e.g., a UDR.
  • the initiating instructing in this Action 302 may comprise sending 302b, based on the received first message, a third message to the third node 113.
  • the third message may request second information, of the information indicative of the security attack of the first type.
  • the second information may indicate a history of security attacks of the first type for the indicated one or more devices 130.
  • the third message may be, for example, a Nudr_Query request message, which may indicate the one or more devices 130 with a respective UE-ID as parameter.
  • the first node 111, e.g., a NWDAF, may trigger data collection from the third node 113, e.g., a UDR, by requesting the subscriber profile relative to the indicated one or more devices 130.
  • the sending in this Action 302b may be performed over another respective first link 151.
  • the initiating instructing in this Action 302 may comprise sending 302c a fourth message to a first device 131 of the one or more devices 130.
  • the fourth message may request third information, of the information indicative of the security attack of the first type.
  • the third information may indicate traffic indicators for one or more applications used by the first device 131.
  • the first node 111 may therefore in this Action 302c trigger data collection from the first device 131, specifically to retrieve information relative to active operating system (OS) applications for a particular device, e.g., as identified by a UE-ID.
  • the fourth message may be, for example, a Nue_EventExposure_Subscribe request message.
  • the sending in this Action 302c may be performed over, e.g., the third link 153.
  • the first device 131 may answer the request message with a successful response, accepting the request.
  • the first node 111 may trigger data collection from the entities in the communications network 100 which may be able to provide information on the one or more applications and/or the one or more devices 130 operating in the communications system 100 that may be a target or a source of the security attack of the first type in the communications system 100.
  • the first node 111 may therefore be enabled to receive, in response to the sending of the second message, the third message and/or the fourth message, one or more additional messages from the at least one of: the one or more additional nodes 112, 113 and the first device 131, as will be described in the next Actions.
  • the first node 111 may receive from the second node 112, the requested first information in a first additional message of the one or more additional messages. That is, the receiving in this Action 303 of the first information may be in response to the sent second message.
  • the receiving in this Action 303 may be performed over the respective first link 151.
  • the first additional message may be a Nupf_EventExposure_Notify request message.
  • the first additional message may comprise the following information: EventId ProtocolMetrics, UE-ID, and a parameter gathering the information on the protocol used and the one or more protocol metrics as a single parameter “ProtocolMetricsInfo”, which may include the following information.
  • the parameter ProtocolMetricsInfo may include the first information on the one or more protocol metrics with the parameter Protocol-Metrics.
  • the one or more metrics may comprise the one or more third indications described in Action 302a.
  • the first node 111 may then be enabled to, as will be described in Action 306, determine, based on the received first information whether or not the security attack has occurred, and the at least one of the first indication and the second indication, as requested in the received first message. That is, the one or more applications, and the one or more devices 130 that may be a target or a source of the security attack of the first type in the communications system 100.
  • the first node 111 may receive, from the third node 113, the requested second information in a second additional message of the one or more additional messages.
  • the receiving in this Action 304 may be performed over the respective first link 151.
  • the second additional message may comprise the subscriber profile for the indicated one or more devices 130, e.g., via UE-ID, including historic security related information for the indicated one or more devices 130, e.g., via the UE-ID.
  • the first node 111 may then be enabled to, as will be described in Action 306, determine, based on the received second information whether or not the security attack has occurred, and the at least one of the first indication and the second indication, as requested in the received first message. That is, the one or more applications, and the one or more devices 130 that may be a target or a source of the security attack of the first type in the communications system 100.
  • the first node 111 may receive, from the first device 131 , the requested third information in a third additional message of the one or more additional messages.
  • the receiving in this Action 305 may be performed over the third link 153.
  • the third additional message may be a Nue_EventExposure_Notify request message.
  • the third additional message may comprise an identifier of the one or more applications via the parameter OSApplicationId, e.g., example.com.
  • the first node 111 may then be enabled to, as will be described in Action 306, determine, based on the received third information whether or not the security attack has occurred, and the at least one of the first indication and the second indication, as requested in the received first message. That is, the one or more applications, and the one or more devices 130 that may be a target or a source of the security attack of the first type in the communications system 100.
  • the first node 111 may determine, based on the one or more additional messages received from the at least one of: the one or more additional nodes 112, 113 and the first device 131 , in response to the initiating 302 instructing: i) whether or not the security attack has occurred, and ii) the at least one of the first indication and the second indication, as requested in the received first message.
  • Determining may be understood as e.g., calculating, deciding or detecting.
  • the determining in this Action 306 may comprise to produce analytics based on the data collected from the one or more additional nodes 112, 113 and the first device 131.
  • the first node 111 may, based on the data collected above, run analytic processes and generate a result, as a new analytic which may be referred to e.g., “AnalyticResult”.
  • the first node 111 may, for example, as part of the determining in this Action 306, check if the one or more protocol metrics reported meet one or more conditions, e.g., exceed a particular threshold. If so, the first node 111 may then identify the one or more devices 130 that may be involved and/or the respective fourth node 114 that may be involved, and compile a list of one or more devices 130, and/or one or more applications, and/or respective fourth nodes 114 that may be suspected of being a source or a target of the security attack of the first type.
  • the first node 111 may determine if any of the following protocol metrics conditions may be met: 1) the number of unacknowledged connection-oriented transport protocol setup request messages, e.g., “Unacked SYN volume”, exceeds a certain configurable threshold, and/or 2) the volume of respective message of the first type received for the session, e.g., “SYN volume”, exceeds a configurable threshold, and/or 3) the number of consecutive messages of the second type received for the session, e.g., “Simultaneous TCP SYN” exceeds a configurable threshold.
  • the first node 111 may look for matches between the 5-tuples collected from the first device 131 and the second node 112, and only for the flows where the above protocol metrics values have exceeded the configurable thresholds above. If there is a match, e.g., the same 5-tuple and same or similar Timestamp, taking into consideration that the clocks of the first device 131 and the second node 112 may be different, the first node 111 may store the following information. First, as part of the second indication of the one or more devices 130 that may be the target or the source of the security attack of the first type, a list of suspect one or more devices 130, e.g., as the parameter “List of Suspect UE-IDs”.
  • the list may comprise an identifier for each of the one or more devices 130.
  • a single UE-ID, which may include a subscriber identifier, e.g., an International Mobile Subscriber Identifier (IMSI), and/or a device identifier, e.g., an International Mobile Equipment Identifier (IMEI).
  • an indication for an identified device, e.g., via UE-ID, as being either the source or the target of the security attack of the first type may be generated.
  • Second, a list of suspect one or more applications, e.g., as the parameter “List of Suspect App-IDs”.
  • the list may comprise an identifier for each of the one or more applications, e.g., the App-ID example.com.
  • an indication for an identified application e.g., via App-ID, as being either the source or the target of the security attack of the first type.
  • Third, the first node 111 may determine one or more suspect fourth nodes 114, e.g., a list of suspect fourth nodes 114, that may be the target or the source of the security attack of the first type, e.g., as the parameter “List of Suspect Server IP”. A further indication may be generated indicating whether the fourth node 114 may be either the source or the target of the security attack of the first type. Fourth, the first node 111 may determine one or more suspected types of attack, e.g., a list of suspect types of attack, e.g., as the parameter “List of Suspect type of attack”, for example, SYN flood.
  • DDoS there may be different sub-categories, such as a brute force DDoS attack or a low rate DDoS attack, or being more granular: SYN flood, UDP flood, HTTP flood, Ping of death, Smurf attack, etc. Additionally, a confidence level may also be determined, e.g., a percentage from 0% to 100%).
  • the first node 111 may be able to perform a new type of analytic relative to security related attacks.
  • the first node 111 may then be enabled to notify the another node 115, which may allow an operator of the communications system 100 to detect different security related attacks and to act upon them, e.g., by blocking the suspected entities, and thereby mitigate the negative consequences that the detected attack may have on the communications system 100.
  • the first node 111 initiates sending, with the proviso that the security attack is detected based on the monitored information, another message to the another node 115.
  • the another message comprises the requested at least one of the first indication and the second indication, based on the requested subscription.
  • the another message may be understood to be based on a result of the determining of Action 306.
  • the another message may further comprise at least one of: a) the sixth indication of the suspected type of security attack, and b) a recommended action to mitigate the detected security attack, e.g. block traffic, store an indication of the attack as part of subscriber profile, notify the content provider.
  • the recommended mitigation action may be determined by the first node 111 based both on the detected type of attack and on the confidence level.
  • the another message may be, for example, a Nnwdaf_AnalyticsSubscription_Notify request message.
  • a further indication may be provided indicating whether the fourth node 114 may be either the source or the target of the security attack of the first type; c) the one or more suspected types of attack, e.g., as the parameter “Suspect type of attack”, for example, SYN flood.
  • the confidence level may also be provided, e.g. a percentage from 0% to 100%; and d) the recommended action to mitigate the detected security attack.
  • the first node 111 may then enable the another node 115 to be notified about any security attack may be underway in the communications system 100, and thereby enable the another node 115 to take appropriate measures to stop the attack and mitigate any adverse effects the attack may have on the operation of the communications system 100 and/or its components.
  • the capacity of the communications system 100 may thereby be improved and the latency may be reduced.
  • the first node 111 may be an NWDAF
  • the another node 115 may manage an analytics consumer, e.g., a PCF or an OAM
  • the one or more additional nodes 113, 114 may comprise one of a UPF and a UDR.
  • Embodiments of a computer-implemented method performed by the second node 112 will now be described with reference to the flowchart depicted in Figure 4.
  • the method may be understood to be for handling security in the communications system 100.
  • the second node 112 operates in the communications system 100.
  • the method comprises the following actions.
  • One or more embodiments may be combined, where applicable. All possible combinations are not described to simplify the description. It should be noted that the examples herein are not mutually exclusive. Components from one example or embodiment may be tacitly assumed to be present in another example or embodiment, and it will be obvious to a person skilled in the art how those components may be used in the other examples.
  • the first node 111 may be a NWDAF and the second node 112 may be a UPF.
  • the second node 112 receives the instruction from the first node 111 operating in the communications system 100 to monitor information indicative of the security attack of the first type, by receiving the second message from the first node 111.
  • the second message requests the first information, of the information indicative of the security attack of the first type.
  • the first information indicates the traffic indicators for the one or more devices 130 operating in the communications system 100 that are the target or the source of the security attack of the first type in the communications system 100.
  • the receiving in this Action 401 may be via the respective first link 151.
  • the first information may comprise at least one of: a) the first identifier of the first information, b) the second identifier of the first device 131 of the one or more devices 130, c) the third identifier of the protocol used for the traffic, and d) the one or more protocol metrics.
  • the one or more metrics may comprise the one or more third indications indicating, respectively, one of: a) the ratio of connection-oriented transport protocol setup request messages to connection-oriented transport protocol setup response messages for the session, b) the number of unacknowledged connection-oriented transport protocol setup request messages, c) the volume of respective message of the first type received for the session, d) the number of consecutive messages of the second type received for the session, e) the average size of the window for the session, f) the number of duplicated acknowledgement messages for the session, g) the number of packets sent for the session, h) the number of retransmitted information for the session, i) the maximum segment size for the session, j) the number of units of information sent during the initial window of the session, k) the maximum idle time between consecutive packets for the session, l) the minimum idle time between consecutive packets for the session, m) the throughput for the session, n) the respective start time of the respective flow comprised in the session, o) the respective fourth node 114
  • the security attack of the first type may be a DoS attack.
  • the second node 112 may be enabled to start monitoring the requested first information and, when appropriate, e.g., on-demand, when a condition is met, or periodically, report the collected first information to the first node 111, thereby enabling the first node 111 to analyze the information and determine whether or not the attack has taken place, and by whom, so that actions to mitigate such an attack may be taken.
  • the second node 112, after receiving the second message, may initiate the monitoring of the information indicative of the security attack of the first type. This may be performed, for example, by monitoring traffic, e.g., UL traffic from the one or more devices 130, in relation to the one or more applications.
  • the second node 112 may detect this traffic, e.g., UL TCP traffic, and detect, for example, TCP SYN messages, and gather data for the requested first information.
  • the second node 112 may, for example, store the following information for each detected flow: a) the time of start of a flow run by the first device 131 on the first application, e.g., a Timestamp, b) the fourth indication, e.g., the 5-tuple, including the Server IP address, and c) the fifth indication, e.g., the Volume.
  • the second node 112 sends the requested first information to the first node 111, in the first additional message.
  • the sending in this Action 402 may be via the respective first link 151.
  • the sending in this Action 402 may be one of: periodic, when prompted by the first node 111, and/or upon fulfilment of one or more conditions, e.g., a number of TCP SYN messages having been detected.
  • the second node 112 may then enable the first node 111 to analyze the information and determine whether or not the attack has taken place, and by whom, so that actions to mitigate such an attack may be taken.
  • the communications system 100 comprises the first node 111 and the one or more additional nodes 112, 113.
  • the method may comprise one or more of the following actions. Several embodiments are comprised herein. In some embodiments, the method may comprise one action. In other embodiments, the method may comprise two or more actions. One or more embodiments may be combined, where applicable. All possible combinations are not described to simplify the description. It should be noted that the examples herein are not mutually exclusive. Components from one example may be tacitly assumed to be present in another example and it will be obvious to a person skilled in the art how those components may be used in the other examples. In Figure 5, optional actions are depicted with dashed lines.
  • the first node 111 may be an NWDAF
  • the another node 115 may manage an analytics consumer, e.g., a PCF or an OAM
  • the one or more additional nodes 113, 114 may comprise one of a UPF and a UDR.
  • some actions may be performed in a different order than that depicted in Figure 5.
  • Actions 502a, 502b, 502c, 509, 510 and 511 may be performed in a different order.
  • these Actions may be performed in the order of 502b, 510, 502a, 502c, 511, 509.
  • the first node 111 receives, from the another node 115 operating in the communications system 100, the first message.
  • the first message requests the subscription to receive at least one indication indicating the security attack of the first type in the communications system 100.
  • the indication is of at least one of: i) the first indication of the one or more applications that are the target or the source of the security attack of the first type in the communications system 100, and ii) the second indication of the one or more devices 130 operating in the communications system 100 that are the target or the source of the security attack of the first type in the communications system 100.
  • the security attack of the first type may be, for example, a DoS attack. There may be other types of attacks.
  • the first node 111 initiates instructing, based on the received first message, at least one of: the one or more additional nodes 112, 113 and the first device 131 of the one or more devices 130, to monitor information indicative of the security attack of the first type.
  • the first node 111 may send the second message to the second node 112.
  • the initiating 302 instructing may comprise, in this Action 502b, which corresponds to Action 302b, the first node 111 sending, based on the received first message, the third message to the third node 113.
  • the third message may request the second information, of the information indicative of the security attack of the first type.
  • the first information may indicate the history of the security attacks of the first type for the indicated one or more devices 130.
  • the first node 111 may send the fourth message to the first device 131 of the one or more devices 130.
  • the fourth message may request the third information, of the information indicative of the security attack of the first type.
  • the third information may indicate the traffic indicators for one or more applications used by the first device 131.
  • the third information may comprise at least one of: a) the identifier of the first application used by the first device 131, b) the time of start of the flow run by the first device 131 on the first application; c) the fourth indication of the fourth node 114 serving the first device 131 for the flow, and d) the fifth indication of the volume of traffic for the flow.
  • the second node 112 of the one or more additional nodes 112, 113 receives the instruction from the first node 111 operating in the communications system 100 to monitor the information indicative of the security attack of the first type, by receiving the second message from the first node 111.
  • the second message requests the first information, of the information indicative of the security attack of the first type.
  • the first information indicates the traffic indicators for the one or more devices 130 operating in the communications system 100 that are the target or the source of the security attack of the first type in the communications system 100.
  • the first information may comprise at least one of: a) the first identifier of the first information, b) the second identifier of the first device 131 of the one or more devices 130, c) the third identifier of a protocol used for the traffic, and d) the one or more protocol metrics.
  • the one or more metrics may comprise the one or more third indications.
  • the one or more third indications may indicate, respectively, one of the following options, although this is a non-exhaustive list: a) the ratio of connection-oriented transport protocol setup request messages to connection-oriented transport protocol setup response messages for the session, b) the number of unacknowledged connection-oriented transport protocol setup request messages, c) the volume of respective message of the first type received for the session, d) the number of consecutive messages of the second type received for the session, e) the average size of the window for the session, f) the number of duplicated acknowledgement messages for the session, g) the number of packets sent for the session, h) the number of retransmitted information for the session, i) the maximum segment size for the session, j) the number of units of information sent during the initial window of the session, k) the maximum idle time between consecutive packets for the session, l) the minimum idle time between consecutive packets for the session, m) the throughput for the session, n
  • this Action 504 may comprise receiving, by the third node 113, from the first node 111, the third message.
  • the receiving in this Action 504 may be performed via a respective first link 151.
  • this Action 505 may comprise receiving 505, by the first device 131, from the first node 111, the fourth message.
  • the receiving in this Action 505, may be performed via the third link 153.
  • This Action 506, which corresponds to Action 402, comprises sending 506, 402, by the second node 112, the requested first information to the first node 111, in the first additional message.
  • the method may comprise, in this Action 507, sending 507, by the third node 113, to the first node 111, the requested second information in the second additional message of the one or more additional messages.
  • This Action 508 may comprise sending 508, by the first device 131, to the first node 111, the requested third information in the third additional message of the one or more additional messages.
  • the method may comprise, in this Action 304, which corresponds to Action 303, receiving, by the first node 111, from the second node 112, the requested first information in the first additional message of the one or more additional messages.
  • This Action 510, which corresponds to Action 402, may comprise receiving, by the first node 111, from the third node 113, the requested second information in the first additional message.
  • the method may comprise, in this Action 511, which corresponds to Action 305, receiving, by the first node 111, from the first device 131, the requested third information in the third additional message.
  • This Action 512, which corresponds to Action 306, may comprise determining, by the first node 111 and based on the one or more additional messages received from the at least one of: the one or more additional nodes 112, 113 and the first device 131, in response to the initiating 302 instructing: i) whether or not the security attack has occurred, and ii) the at least one of the first indication and the second indication, as requested in the received first message.
  • This Action 513, which corresponds to Action 307, comprises initiating sending, by the first node 111, with the proviso that the security attack is detected based on the monitored information, the another message to the another node 115.
  • the another message comprises the requested at least one of the first indication and the second indication, based on the requested subscription.
  • the another message may be based on a result of the determining in Action 512.
  • the another message may further comprise at least one of: a) the sixth indication of the suspected type of security attack, and b) the recommended action to mitigate the detected security attack.
  • Figure 6 is a signalling diagram depicting a first non-limiting example on the method performed by the communications system 100, to generate and use the new analytic relative to security related attacks for the specific case of DDoS attacks, described in embodiments herein.
  • the steps of this example are detailed below.
  • the first node 111 is a NWDAF
  • the second node 112 is a UPF
  • the third node 113 is a UDR
  • the fourth node 114 is an Application Server (App Server)
  • the another node 115 is a consumer, e.g., any NF, such as a PCF or an OAM
  • the first device 131 is a UE.
  • the first message requests to receive at least one of the first indication and the second indication.
  • the first message may explicitly comprise the first indication as a list of App-ID. This may indicate the App-ID/s which may be the target for security. In the example use case shown in the sequence diagram of Figure 6, no App-ID is included, that is, the list is empty, which may be understood to mean that all user traffic is subject to this analytic.
  • the first message may explicitly comprise the second indication as a UE-ID or list of UE-ID, UE-Group-ID or list of UE-Group-ID, or AnyUE. This may indicate the UE(s) which may be the target for security. In the example use case shown in the sequence diagram of Figure 6, for simplicity, this field is set to a certain UE, with a particular UE-ID.
  • the first node 111 answers the request message in Step 2 with a successful response, accepting the request.
  • the first node 111 triggers, according to Action 502b, 302b, data collection from the third node 113.
  • the first node 111 requests the third node 113 to provide as second information, the subscriber profile relative to the first device 131 indicated with a UE-ID.
  • the first node 111 triggers a Nudr_Query request message as third message indicating the UE-ID as parameter, which the third node 113 receives in accordance with Action 504.
  • the third node 113 returns the subscriber profile for the UE-ID, including historic security related information for the UE-ID in the second additional message.
  • the first node 111, according to Action 502a, 302a, 503, 401, triggers data collection from the second node 112, specifically to retrieve information relative to protocol metrics for the UE-ID.
  • EventId: ProtocolMetrics, to request the one or more protocol metrics
  • UE-ID: the UE-ID
  • 17.0.0 may be used, e.g., through the SMF or directly, assuming a service based UPF.
  • the second node 112 answers the request message in Step 8 with a successful response, accepting the request.
  • the first node 111, according to Action 502c, 302c, 505, triggers data collection from the first device 131, specifically to retrieve information relative to the active Operating System (OS) applications used by the first device 131, identified with the UE-ID.
  • the first device 131 answers the request message in Step 11 with a successful response, accepting the request.
  • Figure 7 is a continuation of the procedure depicted in Figure 6.
  • the first device 131 starts an application, e.g., example.com, which runs over TCP and uses encryption, e.g., TLS 1.3 and where the TLS Client Hello SNI field is encrypted, thus making it difficult for the network operator to detect the corresponding App-ID.
  • the first device 131 stores the following information: 1) the identifier of a first application used by the first device 131 with the parameter OSApplicationId, e.g., example.com, and 2) for each flow: a) the time of start of the flow run by the first device 131 on the first application with the parameter Timestamp, indicating the start time for the flow, b) the fourth indication of the fourth node 114 serving the first device 131 for the flow with the parameter 5-tuple, including the Server IP address, and c) the fifth indication of the volume of traffic for the flow with the parameter Volume.
  • the first device 131 sends application traffic for example.com, to the second node 112.
  • the application triggers multiple TCP SYN messages, which may be understood to be a type of DDoS attack aimed to consume network and/or server resources.
  • the second node 112 stores the following information: for each detected flow: a) Timestamp, indicating the start time for the flow, b) 5-tuple, including the Server IP address, and c) Volume.
  • the fourth node 114, here the application server for example.com, receives uplink traffic in Step 16, processes it and generates downlink traffic in Step 17 for the same, but reversed, 5-tuple as in Step 16; but in this example, it does not answer the UL TCP SYN messages with the corresponding DL TCP SYN ACK messages. That is, either the application server is overloaded due to the high amount of simultaneous UL TCP SYN messages received, or the application server intentionally avoids sending TCP SYN ACK messages, trying to consume network resources.
  • the second node 112 detects DL TCP traffic from the fourth node 114, the Application Server.
  • the second node 112 forwards Application traffic towards the first device 131.
  • Figure 8 is a continuation of the procedure depicted in Figure 7.
  • the first node 111 answers the message in Step 22 with a successful response.
  • the application example.com, uses TCP as transport protocol.
  • this may be TCP, UDP or QUIC.
  • QUIC is more than a transport protocol. It goes over the UDP transport protocol, but QUIC may include an “embedded” transport protocol, so QUIC related metrics may be obtainable, and 3.b) the one or more protocol metrics for this protocol as the parameter Protocol-Metrics.
  • the application example.com uses TCP as transport protocol, so the following TCP protocol metrics as one or more third indications are proposed, although the list is non-exhaustive: 3.b.1) First, the ratio of connection-oriented transport protocol setup request messages to connection-oriented transport protocol setup response messages for the session as the parameter “SYN to SYN-ACK ratio”.
  • 3.b.2) Second, the number of unacknowledged connection-oriented transport protocol setup request messages as the parameter “Unacked SYN volume”. This may be understood to indicate the number of TCP SYN messages for which no TCP SYN-ACK and/or TCP ACK messages have been detected by the UPF for this UE-ID session. 3.b.3) Third, the volume of respective messages of the first type received for the session as the parameter “SYN volume”.
  • the following metrics as one or more third indications may be used for UDP and QUIC.
  • the application uses UDP as transport protocol
  • This may be understood to indicate the number of consecutive DL UDP messages, with different 5-tuple, usually different source port, for this UE-ID session and from the same server, over a certain timespan which may be configurable, initiated from the server side, that is, unsolicited traffic.
  • the parameter “UL Initial QUIC long header packet volume”. This may be understood to indicate the average volume of each UL Initial QUIC long header packet for this UE-ID session. Additionally, in case the volume of an individual UL Initial QUIC long header packet exceeds a configurable threshold, this may also be reported.
  • This may be understood to indicate the number of consecutive UL Initial QUIC long header packets, with different 5-tuple, usually different source port, for this UE-ID session and for the same server, over a certain timespan which may also be configurable. 3.b.4”) Fourth, as the number of consecutive messages of another second type received for the session, the parameter “Simultaneous unsolicited DL QUIC same server”. This may be understood to indicate the number of consecutive DL Initial QUIC long header packets, with different 5-tuple, usually different source port, for this UE-ID session and from the same server, over a certain timespan which is also configurable, initiated from server side, that is, unsolicited traffic.
  • the first node 111 answers the message in Step 25 with a successful response.
  • the first node 111 in accordance with Action 512, 306, produces analytics based on the data collected from the third node 113, the first device 131 and the second node 112. Specifically, the first node 111 runs the following logic.
  • the first node 111 looks for matches between the 5-tuples collected from the first device 131 and the second node 112, and only for the flows where the above protocol metrics values have exceeded the configurable thresholds above.
  • the first node 111 stores the following information: 1) First, the second indication as the parameter List of Suspect UE-IDs, in this example, a single UE-ID, which may include a subscriber identifier, e.g., IMSI, and/or a device identifier, e.g., IMEI.
  • the respective fourth node 114 serving the first device 131 for the respective flow comprised in the session as the parameter List of Suspect Server IP, in this example, a single server, the fourth node 114.
  • the Application Server identified by Server IP, is the target of the DDoS attack.
  • the sixth indication of the suspected type of security attack with the parameter List of Suspect type of attack in this example, SYN flood.
  • For SYN flood there may be different sub-categories, such as a brute force DDoS attack or a low rate DDoS attack, or, being more granular: SYN flood, UDP flood, HTTP flood, Ping of death, Smurf attack, etc.
  • a confidence level may also be provided, e.g. a percentage from 0% to 100%.
  • subscriber identifier e.g. IMSI
  • device identifier, e.g., IMEI
  • UE-ID is the source of the DDoS attack.
  • the respective fourth node 114 serving the first device 131 for the respective flow comprised in the session as the parameter Suspect Server IP.
  • the Application Server shown in Figure 8 as a single server.
  • the Application Server, identified by Server IP is the target of the DDoS attack
  • the sixth indication of the suspected type of security attack as the parameter Suspect type of attack, e.g., SYN flood.
  • a confidence level may also be provided, e.g., a percentage from 0% to 100%.
  • the recommended action to mitigate the detected security attack as the parameter Recommended mitigation action e.g., block traffic
  • the recommended mitigation action may be determined by the first node 111 based both on the detected type of attack and on the confidence level.
  • the another node 115, the Consumer, answers the message in Step 28 with a successful response.
  • the another node 115, the Consumer, e.g., PCF or OAM, applies the corresponding actions based on the AnalyticResult.
  • the subscriber profile: an indication of a subscriber subject to security attacks and the corresponding security related information.
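  • As an added illustration, not code from the patent or from Ericsson, the following Python models the UPF-side TCP metrics of 3.b.1) to 3.b.3) (SYN to SYN-ACK ratio, Unacked SYN volume, SYN volume) computed per UE-ID session, and the NWDAF-side analytics of Steps 26 and 27: flows whose metrics exceed configured thresholds are correlated between the 5-tuples reported by the UE and by the UPF, with a clock tolerance, and the result lists the suspect UE-ID, App-ID, Server IP, attack type and a confidence level. All packets, identifiers, thresholds and the confidence heuristic are constructed for the example.

```python
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, FrozenSet, List


@dataclass(frozen=True)
class FiveTuple:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    proto: str = "TCP"

    def reversed(self) -> "FiveTuple":
        """The same flow as seen in the opposite direction (DL for a UL tuple)."""
        return FiveTuple(self.dst_ip, self.dst_port, self.src_ip, self.src_port, self.proto)


@dataclass(frozen=True)
class Packet:
    ue_id: str
    ts: float              # UPF clock
    direction: str         # "UL" (UE -> server) or "DL" (server -> UE)
    tuple5: FiveTuple      # 5-tuple as seen on the wire in that direction
    flags: FrozenSet[str]  # TCP flags of the segment


SYN, SYN_ACK, ACK = frozenset({"SYN"}), frozenset({"SYN", "ACK"}), frozenset({"ACK"})


def _attempt(ue_id: str, ue_ip: str, ts: float, sport: int, server_ip: str, answered: bool) -> List[Packet]:
    """Constructed handshake attempt: a UL SYN, optionally answered by DL SYN-ACK and UL ACK."""
    ul = FiveTuple(ue_ip, sport, server_ip, 443)
    pkts = [Packet(ue_id, ts, "UL", ul, SYN)]
    if answered:
        pkts.append(Packet(ue_id, ts + 0.05, "DL", ul.reversed(), SYN_ACK))
        pkts.append(Packet(ue_id, ts + 0.10, "UL", ul, ACK))
    return pkts


# Constructed UPF observations: ue-1 opens six connections to one server and only the
# first is answered (the SYN flood of Steps 15-17); ue-2 behaves normally.
PACKETS: List[Packet] = []
for i in range(6):
    PACKETS += _attempt("ue-1", "10.0.0.1", 100.0 + i, 40001 + i, "203.0.113.10", answered=(i == 0))
for i in range(2):
    PACKETS += _attempt("ue-2", "10.0.0.2", 200.0 + i, 50001 + i, "203.0.113.20", answered=True)

# Constructed third information reported by the UE (Step 23); its clock runs 0.5 s ahead of the UPF.
UE_REPORT: Dict[str, dict] = {
    "ue-1": {"OSApplicationId": "example.com",
             "flows": {FiveTuple("10.0.0.1", 40001 + i, "203.0.113.10", 443): {"Timestamp": 100.5 + i, "Volume": 1}
                       for i in range(6)}},
}

THRESHOLDS = {"SYN to SYN-ACK ratio": 3.0, "Unacked SYN volume": 4}  # constructed operator configuration
CLOCK_TOLERANCE = 2.0  # seconds of UE/UPF clock difference tolerated when matching Timestamps


def upf_tcp_metrics(packets: List[Packet]) -> Dict[str, dict]:
    """Per UE-ID session: the TCP metrics 3.b.1) to 3.b.3) plus the per-flow records of Step 18."""
    sess = defaultdict(lambda: {"syn": 0, "synack": 0, "unacked": set(), "flows": {}})
    for p in sorted(packets, key=lambda p: p.ts):
        s = sess[p.ue_id]
        ul_key = p.tuple5 if p.direction == "UL" else p.tuple5.reversed()  # flows keyed by UL 5-tuple
        if p.direction == "UL" and p.flags == SYN:
            s["syn"] += 1
            s["unacked"].add(ul_key)
            s["flows"].setdefault(ul_key, {"Timestamp": p.ts, "ServerIP": ul_key.dst_ip, "Volume": 0})
        elif p.direction == "DL" and p.flags == SYN_ACK:
            s["synack"] += 1
            s["unacked"].discard(ul_key)  # the SYN of this flow has now been answered
        if ul_key in s["flows"]:
            s["flows"][ul_key]["Volume"] += 1
    return {ue: {"SYN volume": s["syn"],
                 "SYN to SYN-ACK ratio": s["syn"] / s["synack"] if s["synack"] else float("inf"),
                 "Unacked SYN volume": len(s["unacked"]),
                 "flows": s["flows"]} for ue, s in sess.items()}


def nwdaf_analyze(ue_report: Dict[str, dict], upf_metrics: Dict[str, dict],
                  thresholds=THRESHOLDS, tolerance=CLOCK_TOLERANCE) -> dict:
    """Step 26/27 logic: only sessions over threshold are considered, and only flows whose
    5-tuple is reported by both UE and UPF with Timestamps within the clock tolerance count."""
    result = {"List of Suspect UE-IDs": [], "List of Suspect App-IDs": [], "List of Suspect Server IP": [],
              "List of Suspect type of attack": [], "Confidence": 0, "Recommended mitigation action": None}
    for ue, m in upf_metrics.items():
        exceeded = [k for k, limit in thresholds.items() if m[k] > limit]
        if not exceeded:
            continue
        ue_flows = ue_report.get(ue, {}).get("flows", {})
        matched = [f for t5, f in m["flows"].items()
                   if t5 in ue_flows and abs(ue_flows[t5]["Timestamp"] - f["Timestamp"]) <= tolerance]
        if not matched:
            continue  # no corroborating UE-side record: do not flag on UPF metrics alone
        result["List of Suspect UE-IDs"].append((ue, "source"))
        result["List of Suspect App-IDs"].append(ue_report[ue]["OSApplicationId"])
        for ip in sorted({f["ServerIP"] for f in matched}):
            result["List of Suspect Server IP"].append((ip, "target"))
        result["List of Suspect type of attack"].append("SYN flood")
        # constructed heuristic: confidence is the share of configured thresholds exceeded
        result["Confidence"] = max(result["Confidence"], round(100 * len(exceeded) / len(thresholds)))
    if result["List of Suspect type of attack"]:
        result["Recommended mitigation action"] = "block traffic" if result["Confidence"] >= 80 else "notify content provider"
    return result
```

Running `nwdaf_analyze(UE_REPORT, upf_tcp_metrics(PACKETS))` flags ue-1 as source and 203.0.113.10 as target with confidence 100, while ue-2 (ratio 1.0, no unacknowledged SYN) is not listed.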
  • the Consumer triggers towards the third node 113 a Nudr_Store request message including the following parameters: the second identifier of the first device 131 of the one or more devices 130 as the parameter UE-ID.
  • UE-ID is the source of the DDoS attack.
  • the fourth indication of the fourth node 114 serving the first device 131 for the flow as the parameter Suspect Server IP.
  • the Application Server identified by Server IP, is the target of the DDoS attack.
  • a second sixth indication of the suspected type of security attack as the parameter Suspect type of attack e.g. SYN flood.
  • the third node 113 stores the SecurityInfo as part of the subscriber profile for UE-ID.
  • the third node 113 answers the message in Step 31 with a successful response.
  • the another node 115 may be blocked or charged. It may be noted that some network operators do not charge TCP signaling traffic.
  • the another node 115, e.g., PCF
  • the Content Provider, e.g., example.com
  • the Content Provider may take the corresponding actions, e.g., block the traffic at Application Server side.
  • the SecurityInfo stored in the third node 113 may be used in subsequent sessions for the same indicated first device 131, e.g., UE-ID, e.g., to continue monitoring security related attacks for the same indicated first device 131, e.g., via UE-ID, and if the same behavior is found and/or if the accumulated suspect DDoS volume exceeds a configured threshold, the user may be notified accordingly.
  • the another node 115 may subscribe to a new analytic for security related attacks detection rules and/or models, for a certain type of security related attack, e.g. DDoS, in agreement with Action 501, 301.
  • the first node 111 may then, in agreement with Action 502, 302, trigger data collection, e.g., from one or more additional nodes 112, 113, e.g., UDR, UPF, and the first device 131, e.g., a UE.
  • the first node 111 may, according to Action 512, 306, run analytics processes and may obtain security related attacks detection rules and/or models.
  • the first node 111 may then, according to Action 307, 513 notify the another node 115 with the obtained security related attacks detection rules and/or models.
  • the another node 115 e.g., OAM, may then load the security related attacks detection rules and/or models in a security firewall network function, which may be integrated in the second node 112.
  • One advantage of embodiments herein is that they may allow an operator of the network to support prevention of security related attacks in a simple and efficient way, by detecting different security related attacks, specifically DDoS, and also by identifying which subscribers, devices, applications and servers may be responsible for it.
  • Embodiments herein may also be understood to work even when the traffic is encrypted, e.g., DNS encryption and/or HTTPS (TLS) or QUIC based applications.
  • Figure 9 depicts two different examples in panels a) and b), respectively, of the arrangement that the first node 111 may comprise to perform the method actions described above in relation to Figure 3, Figure 5, and/or Figures 6-8.
  • the first node 111 may comprise the following arrangement depicted in Figure 9a.
  • the first node 111 may be understood to be for handling security in the communications system 100.
  • the first node 111 is configured to operate in the communications system 100.
  • the first node 111 may be configured to be an NWDAF
  • the another node 115 may be configured to manage an analytics consumer
  • the one or more additional nodes 113, 114 may be configured to comprise one of a UPF, and a UDR.
  • the first node 111 is configured to, e.g. by means of a receiving unit 901 within the first node 111 configured to, receive, from the another node 115 configured to operate in the communications system 100, the first message.
  • the first message may be configured to request the subscription to receive the at least one indication being configured to indicate the security attack of the first type in the communications system 100 of at least one of: i) the first indication of the one or more applications that are the target or the source of the security attack of the first type in the communications system 100, and ii) the second indication of the one or more devices 130 configured to operate in the communications system 100 that are the target or a source of the security attack of the first type in the communications system 100.
  • the first node 111 is also configured to, e.g. by means of an initiating instructing unit 902 within the first node 111 configured to, initiate instructing, based on the first message configured to be received, at least one of: the one or more additional nodes 112, 113 configured to operate in the communications system 100 and the first device 131 of the one or more devices 130, to monitor the information indicative of the security attack of the first type.
  • the first node 111 is further configured to, e.g. by means of an initiating sending unit 903 within the first node 111 configured to, initiate sending, with the proviso that the security attack is detected based on the information configured to be monitored, the another message to the another node 115.
  • the another message is configured to comprise the at least one of the first indication and the second indication configured to be requested, based on the subscription configured to be requested.
  • the first node 111 may be configured to, e.g. by means of a determining unit 904 within the first node 111 configured to, determine, based on the one or more additional messages configured to be received from the at least one of: the one or more additional nodes 112, 113 and the first device 131, in response to the initiating instructing: i) whether or not the security attack has occurred, and ii) the at least one of the first indication and the second indication, as configured to be requested in the first message configured to be received.
  • the another message may be configured to be based on a result of the determining.
  • the initiating instructing may be configured to comprise, e.g. by means of the initiating instructing unit 902 within the first node 111 configured to, sending the second message to the second node 112.
  • the second message may be configured to request the first information, of the information indicative of the security attack of the first type.
  • the first information may be configured to indicate the traffic indicators for the one or more devices 130 configured to be indicated.
  • the first node 111 may be further configured to, e.g. by means of the receiving unit 901 within the first node 111 configured to, receive from the second node 112, the first information configured to be requested in the first additional message of the one or more additional messages.
  • the first information may be configured to comprise at least one of: a) the first identifier of the first information, b) the second identifier of the first device 131 of the one or more devices 130, c) the third identifier of a protocol used for the traffic, and d) the one or more protocol metrics.
  • the one or more metrics may be configured to comprise the one or more third indications configured to indicate, respectively, the one of: a) the ratio of connection-oriented transport protocol setup request messages to connection-oriented transport protocol setup response messages for a session, b) the number of unacknowledged connection-oriented transport protocol setup request messages, c) the volume of respective message of the first type received for the session, d) the number of consecutive messages of the second type received for the session, e) the average size of the window for the session, f) the number of duplicated acknowledgement messages for the session, g) the number of packets sent for the session, h) the number of retransmitted information for the session, i) the maximum segment size for the session, j) the number of units of information sent during the initial window of the session, k) the maximum idle time between consecutive packets for the session, l) the minimum idle time between consecutive packets for the session, m) the throughput for the session, n) the respective start time of a respective flow comprised in the session
  • the initiating instructing may be configured to comprise, e.g. by means of the initiating instructing unit 902 within the first node 111 configured to, sending, based on the first message configured to be received, the third message to the third node 113.
  • the third message may be configured to request the second information, of the information indicative of the security attack of the first type.
  • the second information may be configured to indicate the history of security attacks of the first type for the one or more devices 130 configured to be indicated.
  • the first node 111 may be further configured to, e.g. by means of the receiving unit 901 within the first node 111 configured to, receive from the third node 113, the second information configured to be requested in the second additional message of the one or more additional messages.
  • the initiating instructing may be configured to comprise, e.g. by means of the initiating instructing unit 902 within the first node 111 configured to, sending the fourth message to the first device 131 of the one or more devices 130.
  • the fourth message may be configured to request the third information, of the information indicative of the security attack of the first type.
  • the third information may be configured to indicate the traffic indicators for one or more applications used by the first device 131.
  • the first node 111 may be further configured to, e.g. by means of the receiving unit 901 within the first node 111 configured to, receive from the first device 131, the third information configured to be requested in the third additional message of the one or more additional messages.
  • the third information may be configured to comprise at least one of: a) the identifier of the first application used by the first device 131, b) the time of start of the flow run by the first device 131 on the first application, c) the fourth indication of the fourth node 114 configured to serve the first device 131 for the flow, and d) the fifth indication of the volume of traffic for the flow.
  • the security attack of the first type may be configured to be a DoS attack.
  • the another message may be further configured to comprise at least one of: a) the sixth indication of the suspected type of security attack, and b) the recommended action to mitigate the detected security attack.
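As an added illustration of the traffic indicators listed above (items a, b, e, f, g, k, l, m and n of the protocol metrics), and not code from the patent or from Ericsson: a Python routine that derives those per-session metrics from a constructed packet capture and then aggregates unacknowledged setup requests per server into a SYN-flood suspicion, i.e. the kind of first information the second node (a UPF) would report and the first node would use to name the target and the sources. The record format, the field and function names, the thresholds and the packet records are this example's own assumptions.

```python
from collections import defaultdict
from dataclasses import dataclass
from statistics import mean
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class Packet:
    """One transport-layer packet record (constructed format, this example's own)."""
    ts: float       # capture time in seconds
    src: str
    dst: str
    flags: str      # TCP flag letters: "S" SYN, "SA" SYN-ACK, "A" ACK, "PA" PSH-ACK
    size: int       # payload bytes
    window: int     # advertised receive window
    ack: int = 0    # acknowledgement number, used for duplicate-ACK counting


@dataclass
class SessionMetrics:
    """Per-session metrics; the letters refer to the list in the text above."""
    session: Tuple[str, str]   # (client, server): client is the side that sent the first SYN
    syn_synack_ratio: float    # a) setup requests / setup responses (inf when no response)
    unacked_syns: int          # b) setup requests without a matching setup response
    avg_window: float          # e) average advertised window
    duplicate_acks: int        # f) pure ACKs repeating the sender's previous ACK number
    packets: int               # g) packets in the session
    max_idle: float            # k) longest gap between consecutive packets
    min_idle: float            # l) shortest gap between consecutive packets
    throughput_bps: float      # m) payload bits per second over the session lifetime
    start_time: float          # n) timestamp of the first packet


def compute_metrics(packets: List[Packet]) -> Dict[Tuple[str, str], SessionMetrics]:
    """Group packets by unordered endpoint pair and derive the per-session metrics."""
    by_session: Dict[Tuple[str, str], List[Packet]] = defaultdict(list)
    for p in packets:
        by_session[tuple(sorted((p.src, p.dst)))].append(p)

    out: Dict[Tuple[str, str], SessionMetrics] = {}
    for pkts in by_session.values():
        pkts.sort(key=lambda p: p.ts)
        first_syn = next((p for p in pkts if p.flags == "S"), pkts[0])
        key = (first_syn.src, first_syn.dst)
        syns = sum(1 for p in pkts if p.flags == "S")
        synacks = sum(1 for p in pkts if p.flags == "SA")
        dup_acks, last_ack = 0, {}
        for p in pkts:
            if p.flags == "A" and p.size == 0:          # pure ACK
                if last_ack.get(p.src) == p.ack:
                    dup_acks += 1
                last_ack[p.src] = p.ack
        gaps = [b.ts - a.ts for a, b in zip(pkts, pkts[1:])]
        duration = pkts[-1].ts - pkts[0].ts
        payload_bits = 8 * sum(p.size for p in pkts)
        out[key] = SessionMetrics(
            session=key,
            syn_synack_ratio=syns / synacks if synacks else float("inf"),
            unacked_syns=max(syns - synacks, 0),
            avg_window=mean([p.window for p in pkts]),
            duplicate_acks=dup_acks,
            packets=len(pkts),
            max_idle=max(gaps, default=0.0),
            min_idle=min(gaps, default=0.0),
            throughput_bps=payload_bits / duration if duration > 0 else 0.0,
            start_time=pkts[0].ts,
        )
    return out


def suspected_syn_flood(metrics, min_ratio: float = 10.0, min_half_open: int = 50):
    """Aggregate half-open setup requests per server (thresholds are this example's own).

    Returns {server: (half_open_total, sorted clients)} for servers over the threshold:
    the material for the target and source indications in the notification.
    """
    half_open: Dict[str, int] = defaultdict(int)
    sources: Dict[str, set] = defaultdict(set)
    for m in metrics.values():
        client, server = m.session
        if m.unacked_syns and m.syn_synack_ratio >= min_ratio:
            half_open[server] += m.unacked_syns
            sources[server].add(client)
    return {s: (n, sorted(sources[s])) for s, n in half_open.items() if n >= min_half_open}


def constructed_capture() -> List[Packet]:
    """Constructed sample: one healthy session, then 80 setup requests to one server."""
    pkts = [
        Packet(0.00, "10.0.0.2", "10.0.0.5", "S", 0, 64240),
        Packet(0.01, "10.0.0.5", "10.0.0.2", "SA", 0, 65535),
        Packet(0.02, "10.0.0.2", "10.0.0.5", "A", 0, 64240, ack=1),
        Packet(0.03, "10.0.0.2", "10.0.0.5", "PA", 500, 64240, ack=1),
        Packet(0.04, "10.0.0.5", "10.0.0.2", "A", 0, 65535, ack=501),
        Packet(0.05, "10.0.0.5", "10.0.0.2", "A", 0, 65535, ack=501),  # duplicate ACK
    ]
    # The server never answers these SYNs (backlog exhausted), so each stays unacknowledged.
    for i in range(80):
        pkts.append(Packet(1.0 + i * 0.001, f"192.0.2.{i + 1}", "10.0.0.5", "S", 0, 1024))
    return pkts
```

Running `suspected_syn_flood(compute_metrics(constructed_capture()))` reports the single server with 80 half-open requests and the 80 client addresses, while the healthy session (ratio 1.0, no unacknowledged SYN, one duplicate ACK) is left out. The ratio is computed per session rather than per server on purpose: a server that answers legitimate clients still shows a finite ratio on those sessions, so only the unanswered ones count toward the backlog.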
  • the embodiments herein may be implemented through one or more processors, such as a processor 905 in the first node 111 depicted in Figure 9, together with computer program code for performing the functions and actions of the embodiments herein.
  • the program code mentioned above may also be provided as a computer program product, for instance in the form of a data carrier carrying computer program code for performing the embodiments herein when being loaded into the first node 111.
  • One such carrier may be in the form of a CD ROM disc. It is however feasible with other data carriers such as a memory stick.
  • the computer program code may furthermore be provided as pure program code on a server and downloaded to the first node 111.
  • the first node 111 may further comprise a memory 906 comprising one or more memory units.
  • the memory 906 is arranged to be used to store obtained information, store data, configurations, schedulings, and applications etc. to perform the methods herein when being executed in the first node 111.
  • the first node 111 may receive information from, e.g., the second node 112, the third node 113, the fourth node 114, the another node 115, and/or any of the one or more devices 130 through a receiving port 907.
  • the receiving port 907 may be, for example, connected to one or more antennas in the first node 111.
  • the first node 111 may receive information from another structure in the communications system 100 through the receiving port 907. Since the receiving port 907 may be in communication with the processor 905, the receiving port 907 may then send the received information to the processor 905.
  • the receiving port 907 may also be configured to receive other information.
  • the processor 905 in the first node 111 may be further configured to transmit or send information to e.g., the second node 112, the third node 113, the fourth node 114, the another node 115, any of the one or more devices 130 and/or another structure in the communications system 100, through a sending port 908, which may be in communication with the processor 905, and the memory 906.
  • any of the units 901-904 described above may refer to a combination of analog and digital circuits, and/or one or more processors configured with software and/or firmware, e.g., stored in memory, that, when executed by the one or more processors such as the processor 905, perform as described above.
  • processors as well as the other digital hardware, may be included in a single Application-Specific Integrated Circuit (ASIC), or several processors and various digital hardware may be distributed among several separate components, whether individually packaged or assembled into a System-on-a-Chip (SoC).
  • any of the units 901-904 described above may be the processor 905 of the first node 111, or an application running on such processor.
  • the methods according to the embodiments described herein for the first node 111 may be respectively implemented by means of a computer program 909 product, comprising instructions, i.e., software code portions, which, when executed on at least one processor 905, cause the at least one processor 905 to carry out the actions described herein, as performed by the first node 111.
  • the computer program 909 product may be stored on a computer-readable storage medium 910.
  • the computer-readable storage medium 910, having stored thereon the computer program 909, may comprise instructions which, when executed on at least one processor 905, cause the at least one processor 905 to carry out the actions described herein, as performed by the first node 111.
  • the computer-readable storage medium 910 may be a non-transitory computer-readable storage medium, such as a CD ROM disc, a memory stick, or stored in the cloud space.
  • the computer program 909 product may be stored on a carrier containing the computer program, wherein the carrier is one of an electronic signal, optical signal, radio signal, or the computer-readable storage medium 910, as described above.
  • the first node 111 may comprise an interface unit to facilitate communications between the first node 111 and other nodes or devices, e.g., the second node 112, the third node 113, the fourth node 114, the another node 115, any of the one or more devices 130 and/or another structure in the communications system 100.
  • the interface may, for example, include a transceiver configured to transmit and receive radio signals over an air interface in accordance with a suitable standard.
  • the first node 111 may comprise the following arrangement depicted in Figure 9b.
  • the first node 111 may comprise a processing circuitry 905, e.g., one or more processors such as the processor 905, in the first node 111 and the memory 906.
  • the first node 111 may also comprise a radio circuitry 911, which may comprise e.g., the receiving port 907 and the sending port 908.
  • the processing circuitry 905 may be configured to, or operable to, perform the method actions according to Figure 3, Figure 5, and/or Figures 6-8, in a similar manner as that described in relation to Figure 9a.
  • the radio circuitry 911 may be configured to set up and maintain at least a wireless connection with the second node 112, the third node 113, the fourth node 114, the another node 115, any of the one or more devices 130 and/or another structure in the communications system 100.
  • embodiments herein also relate to the first node 111 operative to handle security in the communications system 100, the first node 111 being operative to operate in the communications system 100.
  • the first node 111 may comprise the processing circuitry 905 and the memory 906, said memory 906 containing instructions executable by said processing circuitry 905, whereby the first node 111 is further operative to perform the actions described herein in relation to the first node 111, e.g., in Figure 3, Figure 5, and/or Figures 6-8.
  • Figure 10 depicts two different examples in panels a) and b), respectively, of the arrangement that the second node 112 may comprise to perform the method actions described above in relation to Figure 4, Figure 5, and/or Figures 6-8.
  • the second node 112 may comprise the following arrangement depicted in Figure 10a.
  • the second node 112 may be understood to be for handling security in the communications system 100.
  • the second node 112 may be configured to operate in the communications system 100.
  • the first node 111 may be configured to be a NWDAF.
  • the second node 112 may be configured to be a UPF.
  • the second node 112 is configured to, e.g. by means of a receiving unit 1001 within the second node 112 configured to receive the instruction from the first node 111 configured to operate in the communications network 100 to monitor the information indicative of the security attack of the first type, by receiving the second message from the first node 111.
  • the second message is configured to request the first information, of the information indicative of the security attack of the first type.
  • the first information is configured to indicate the traffic indicators for the one or more devices 130 configured to operate in the communications system 100 that are the target or the source of the security attack of the first type in the communications system 100.
  • the second node 112 is also configured to, e.g. by means of a sending unit 1002 within the second node 112 configured to send the first information configured to be requested to the first node 111, in the first additional message.
  • the first information may be configured to comprise at least one of: a) the first identifier of the first information, b) the second identifier of the first device 131 of the one or more devices 130, c) the third identifier of the protocol used for the traffic, and d) the one or more protocol metrics.
  • the one or more metrics may be configured to comprise the one or more third indications configured to indicate, respectively, the one of: a) the ratio of connection-oriented transport protocol setup request messages to connection-oriented transport protocol setup response messages for the session, b) the number of unacknowledged connection-oriented transport protocol setup request messages, c) the volume of the respective message of the first type received for the session, d) the number of consecutive messages of the second type received for the session, e) the average size of the window for the session, f) the number of duplicated acknowledgement messages for the session, g) the number of packets sent for the session, h) the number of retransmitted information for the session, i) the maximum segment size for the session, j) the number of units of information sent during the initial window of the session, k) the maximum idle time between consecutive packets for the session, l) the minimum idle time between consecutive packets for the session, m) the throughput for the session, n) the respective start time of the respective flow comprised in the session,
  • the embodiments herein may be implemented through one or more processors, such as a processor 1003 in the second node 112 depicted in Figure 10, together with computer program code for performing the functions and actions of the embodiments herein.
  • the program code mentioned above may also be provided as a computer program product, for instance in the form of a data carrier carrying computer program code for performing the embodiments herein when being loaded into the second node 112.
  • One such carrier may be in the form of a CD ROM disc. It is however feasible with other data carriers such as a memory stick.
  • the computer program code may furthermore be provided as pure program code on a server and downloaded to the second node 112.
  • the second node 112 may further comprise a memory 1004 comprising one or more memory units.
  • the memory 1004 is arranged to be used to store obtained information, store data, configurations, schedulings, and applications etc. to perform the methods herein when being executed in the second node 112.
  • the second node 112 may receive information from, e.g., the first node 111, the third node 113, the fourth node 114, the another node 115, and/or any of the one or more devices 130, through a receiving port 1005.
  • the receiving port 1005 may be, for example, connected to one or more antennas in the second node 112.
  • the second node 112 may receive information from another structure in the communications system 100 through the receiving port 1005. Since the receiving port 1005 may be in communication with the processor 1003, the receiving port 1005 may then send the received information to the processor 1003.
  • the receiving port 1005 may also be configured to receive other information.
  • the processor 1003 in the second node 112 may be further configured to transmit or send information to e.g., the first node 111, the third node 113, the fourth node 114, the another node 115, any of the one or more devices 130, and/or another structure in the communications system 100, through a sending port 1006, which may be in communication with the processor 1003, and the memory 1004.
  • the units 1001-1002 described above may refer to a combination of analog and digital circuits, and/or one or more processors configured with software and/or firmware, e.g., stored in memory, that, when executed by the one or more processors such as the processor 1003, perform as described above.
  • processors as well as the other digital hardware, may be included in a single Application-Specific Integrated Circuit (ASIC), or several processors and various digital hardware may be distributed among several separate components, whether individually packaged or assembled into a System-on-a-Chip (SoC).
  • the units 1001-1002 described above may be the processor 1003 of the second node 112, or an application running on such processor.
  • the methods according to the embodiments described herein for the second node 112 may be respectively implemented by means of a computer program 1007 product, comprising instructions, i.e., software code portions, which, when executed on at least one processor 1003, cause the at least one processor 1003 to carry out the actions described herein, as performed by the second node 112.
  • the computer program 1007 product may be stored on a computer-readable storage medium 1008.
  • the computer-readable storage medium 1008, having stored thereon the computer program 1007, may comprise instructions which, when executed on at least one processor 1003, cause the at least one processor 1003 to carry out the actions described herein, as performed by the second node 112.
  • the computer-readable storage medium 1008 may be a non-transitory computer-readable storage medium, such as a CD ROM disc, a memory stick, or stored in the cloud space.
  • the computer program 1007 product may be stored on a carrier containing the computer program, wherein the carrier is one of an electronic signal, optical signal, radio signal, or the computer-readable storage medium 1008, as described above.
  • the second node 112 may comprise an interface unit to facilitate communications between the second node 112 and other nodes or devices, e.g., the first node 111, the third node 113, the fourth node 114, the another node 115, any of the one or more devices 130, and/or another structure in the communications system 100.
  • the interface may, for example, include a transceiver configured to transmit and receive radio signals over an air interface in accordance with a suitable standard.
  • the second node 112 may comprise the following arrangement depicted in Figure 10b.
  • the second node 112 may comprise a processing circuitry 1003, e.g., one or more processors such as the processor 1003, in the second node 112 and the memory 1004.
  • the second node 112 may also comprise a radio circuitry 1009, which may comprise e.g., the receiving port 1005 and the sending port 1006.
  • the processing circuitry 1003 may be configured to, or operable to, perform the method actions according to Figure 4, Figure 5, and/or Figures 6-8, in a similar manner as that described in relation to Figure 10a.
  • the radio circuitry 1009 may be configured to set up and maintain at least a wireless connection with the first node 111, the third node 113, the fourth node 114, the another node 115, any of the one or more devices 130, and/or another structure in the communications system 100.
  • embodiments herein also relate to the second node 112 operative to handle security in the communications system 100, the second node 112 being operative to operate in the communications system 100.
  • the second node 112 may comprise the processing circuitry 1003 and the memory 1004, said memory 1004 containing instructions executable by said processing circuitry 1003, whereby the second node 112 is further operative to perform the actions described herein in relation to the second node 112, e.g., in Figure 4, Figure 5, and/or Figures 6-8.
  • Figure 11 depicts two different examples in panels a) and b), respectively, of the arrangement that the communications system 100 may comprise to perform the method actions described above in relation to Figure 5.
  • the arrangement depicted in panel a) corresponds to that described in relation to panel a) in Figure 9 and Figure 10 for each of the first node 111 and as additional node, the second node 112, respectively.
  • the third node 113 may have an equivalent arrangement to that described for the second node 112.
  • Also depicted in panel a) is an arrangement the first device 131 may have to perform the actions performed by it in Figure 5.
  • the arrangement depicted in panel b) corresponds to that described in relation to panel b) in Figure 9 and Figure 10 for each of the first node 111 and as additional node, the second node 112, respectively. It may be understood that the third node 113 may have an equivalent arrangement to that described for the second node 112. Also depicted is an alternative arrangement the first device 131 may have to perform the Actions performed by it in Figure 5.
  • the communications system 100 may be for handling security in the communications system 100.
  • the first node 111 may be configured to be a NWDAF.
  • the another node 115 may be configured to manage an analytics consumer.
  • the one or more additional nodes 113, 114 may be configured to comprise one of a UPF, and a UDR.
  • the communications system 100 is configured to, e.g. by means of the receiving unit 901 within the first node 111 configured to, receive, by the first node 111, from the another node 115 configured to operate in the communications system 100, the first message.
  • the first message may be configured to request the subscription to receive the at least one indication being configured to indicate the security attack of the first type in the communications system 100 of at least one of: i) the first indication of the one or more applications that are the target or the source of the security attack of the first type in the communications system 100, and ii) the second indication of the one or more devices 130 configured to operate in the communications system 100 that are the target or the source of the security attack of the first type in the communications system 100.
  • the communications system 100 is also configured to, e.g. by means of the initiating instructing unit 902 within the first node 111 configured to, initiate instructing, by the first node 111 and based on the first message configured to be received, at least one of: the one or more additional nodes 112, 113 configured to operate in the communications system 100 and the first device 131 of the one or more devices 130, to monitor the information indicative of the security attack of the first type.
  • the communications system 100 is configured to, e.g. by means of the receiving unit 1001 within the second node 112 configured to receive, by the second node 112 of the one or more additional nodes 112, 113, the instruction from the first node 111 to monitor the information indicative of the security attack of the first type, by receiving the second message from the first node 111.
  • the second message is configured to request the first information, of the information indicative of the security attack of the first type.
  • the first information is configured to indicate the traffic indicators for the one or more devices 130 configured to operate in the communications system 100 that are the target or the source of the security attack of the first type in the communications system 100.
  • the communications system 100 is also configured to, e.g. by means of the sending unit 1002 within the second node 112 configured to, send, by the second node 112, the first information configured to be requested to the first node 111, in the first additional message.
  • the communications system 100 is further configured to, e.g. by means of the initiating sending unit 903 within the first node 111 configured to, initiate sending, by the first node 111, with the proviso that the security attack is detected based on the information configured to be monitored, the another message to the another node 115.
  • the another message is configured to comprise the at least one of the first indication and the second indication configured to be requested, based on the subscription configured to be requested.
  • the communications system 100 may be configured to, e.g. by means of the determining unit 904 within the first node 111 configured to, determine, by the first node 111 and based on the one or more additional messages configured to be received from the at least one of: the one or more additional nodes 112, 113 and the first device 131, in response to the initiating instructing: i) whether or not the security attack has occurred, and ii) the at least one of the first indication and the second indication, as configured to be requested in the first message configured to be received.
  • the another message may be configured to be based on a result of the determining.
  • the initiating instructing may be configured to comprise, e.g. by means of the initiating instructing unit 902 within the first node 111 configured to, sending, by the first node 111, the second message to the second node 112.
  • the first node 111 may be further configured to, e.g. by means of the receiving unit 901 within the first node 111 configured to, receive, by the first node 111, from the second node 112, the first information configured to be requested in the first additional message of the one or more additional messages.
  • the first information may be configured to comprise at least one of: a) the first identifier of the first information, b) the second identifier of the first device 131 of the one or more devices 130, c) the third identifier of a protocol used for the traffic, and d) the one or more protocol metrics.
  • the one or more metrics may be configured to comprise the one or more third indications configured to indicate, respectively, the one of: a) the ratio of connection-oriented transport protocol setup request messages to connection-oriented transport protocol setup response messages for a session, b) the number of unacknowledged connection-oriented transport protocol setup request messages, c) the volume of respective message of the first type received for the session, d) the number of consecutive messages of the second type received for the session, e) the average size of the window for the session, f) the number of duplicated acknowledgement messages for the session, g) the number of packets sent for the session, h) the number of retransmitted information for the session, i) the maximum segment size for the session, j) the number of units of information sent during the initial window of the session, k) the maximum idle time between consecutive packets for the session, l) the minimum idle time between consecutive packets for the session, m) the throughput for the session, n) the respective start time of the respective flow comprised in the session,
  • the initiating instructing may be configured to comprise, e.g. by means of the initiating instructing unit 902 within the first node 111 configured to, sending, by the first node 111 and based on the first message configured to be received, the third message to the third node 113.
  • the third message may be configured to request the second information, of the information indicative of the security attack of the first type.
  • the second information may be configured to indicate the history of security attacks of the first type for the one or more devices 130 configured to be indicated.
  • the communications system 100 may be further configured to, e.g. by means of a respective receiving unit 1001 within the third node 113 configured to, receive by the third node 113, from the first node 111, the third message.
  • the communications system 100 may be further configured to, e.g. by means of a respective sending unit 1002 within the first node 111 configured to, send, by the third node 113, to the first node 111, the second information configured to be requested in the second additional message of the one or more additional messages.
  • the communications system 100 may be further configured to, e.g. by means of the receiving unit 901 within the first node 111 configured to, receive, by the first node 111, from the third node 113, the second information configured to be requested in the second additional message.
  • the initiating instructing may be configured to comprise, e.g. by means of the initiating instructing unit 902 within the first node 111 configured to, sending, by the first node 111, the fourth message to the first device 131 of the one or more devices 130.
  • the fourth message may be configured to request the third information, of the information indicative of the security attack of the first type.
  • the third information may be configured to indicate the traffic indicators for one or more applications used by the first device 131.
  • the communications system 100 may be further configured to, e.g. by means of a receiving unit 1101 within the first device 131 configured to, receive, by the first device 131, from the first node 111, the fourth message.
  • the communications system 100 may be further configured to, e.g. by means of a sending unit 1101 within the first device 131 configured to, send, by the first device 131, to the first node 111, the third information configured to be requested in the third additional message of the one or more additional messages.
  • the communications system 100 may be further configured to, e.g. by means of the receiving unit 901 within the first node 111 configured to, receive from the first device 131, the third information configured to be requested in the third additional message.
  • the third information may be configured to comprise at least one of: a) the identifier of the first application used by the first device 131, b) the time of start of the flow run by the first device 131 on the first application, c) the fourth indication of the fourth node 114 configured to serve the first device 131 for the flow, and d) the fifth indication of the volume of traffic for the flow.
  • the security attack of the first type may be configured to be a DoS attack.
  • the another message may be further configured to comprise at least one of: a) the sixth indication of the suspected type of security attack, and b) the recommended action to mitigate the detected security attack.
  • first node 111 and the second node 112 in relation to Figure 11 may be understood to correspond to those described in Figure 9, and Figure 10, respectively, and to be performed, e.g., by means of the corresponding units and arrangements described in Figure 9 and Figure 10, which will not be repeated here. It may be understood that the third node 113, as additional node, may have an equivalent arrangement to that described for the second node 112.
  • the embodiments herein may be implemented through one or more processors, such as a processor 1103 in the first device 131 depicted in Figure 11, together with computer program code for performing the functions and actions of the embodiments herein.
  • the program code mentioned above may also be provided as a computer program product, for instance in the form of a data carrier carrying computer program code for performing the embodiments herein when being loaded into the first device 131.
  • One such carrier may be in the form of a CD ROM disc. It is however feasible with other data carriers such as a memory stick.
  • the computer program code may furthermore be provided as pure program code on a server and downloaded to the first device 131.
  • the first device 131 may further comprise a memory 1104 comprising one or more memory units.
  • the memory 1104 is arranged to be used to store obtained information, store data, configurations, schedulings, and applications etc. to perform the methods herein when being executed in the first device 131.
  • the first device 131 may receive information from, e.g., the first node 111, the second node 112, the third node 113, the fourth node 114, the another node 115, and/or any of the other one or more devices 130, through a receiving port 1105.
  • the receiving port 1105 may be, for example, connected to one or more antennas in the first device 131.
  • the first device 131 may receive information from another structure in the communications system 100 through the receiving port 1105. Since the receiving port 1105 may be in communication with the processor 1103, the receiving port 1105 may then send the received information to the processor 1103.
  • the receiving port 1105 may also be configured to receive other information.
  • the processor 1103 in the first device 131 may be further configured to transmit or send information to e.g., the first node 111, the second node 112, the third node 113, the fourth node 114, the another node 115, any of the other one or more devices 130, and/or another structure in the communications system 100, through a sending port 1106, which may be in communication with the processor 1103, and the memory 1104.
  • the units 1101-1102 described above may refer to a combination of analog and digital circuits, and/or one or more processors configured with software and/or firmware, e.g., stored in memory, that, when executed by the one or more processors such as the processor 1103, perform as described above.
  • processors as well as the other digital hardware, may be included in a single Application-Specific Integrated Circuit (ASIC), or several processors and various digital hardware may be distributed among several separate components, whether individually packaged or assembled into a System-on-a-Chip (SoC).
  • the units 1101-1102 described above may be the processor 1103 of the first device 131, or an application running on such processor.
  • the methods according to the embodiments described herein for the first device 131 may be respectively implemented by means of a computer program 1107 product, comprising instructions, i.e., software code portions, which, when executed on at least one processor 1103, cause the at least one processor 1103 to carry out the actions described herein, as performed by the first device 131.
  • the computer program 1107 product may be stored on a computer-readable storage medium 1108.
  • the computer-readable storage medium 1108, having stored thereon the computer program 1107 may comprise instructions which, when executed on at least one processor 1103, cause the at least one processor 1103 to carry out the actions described herein, as performed by the first device 131.
  • the computer-readable storage medium 1108 may be a non-transitory computer-readable storage medium, such as a CD ROM disc, a memory stick, or stored in the cloud space.
  • the computer program 1107 product may be stored on a carrier containing the computer program, wherein the carrier is one of an electronic signal, optical signal, radio signal, or the computer-readable storage medium 1108, as described above.
  • the first device 131 may comprise an interface unit to facilitate communications between the first node 111, the second node 112, the third node 113, the fourth node 114, the another node 115, any of the other one or more devices 130, and/or another structure in the communications system 100.
  • the interface may, for example, include a transceiver configured to transmit and receive radio signals over an air interface in accordance with a suitable standard.
  • the first device 131 may comprise the following arrangement depicted in Figure 11b.
  • the first device 131 may comprise a processing circuitry 1103, e.g., one or more processors such as the processor 1103, in the first device 131 and the memory 1104.
  • the first device 131 may also comprise a radio circuitry 1109, which may comprise e.g., the receiving port 1105 and the sending port 1106.
  • the processing circuitry 1103 may be configured to, or operable to, perform the method actions according to Figure 5, and/or Figures 6-8, in a similar manner as that described in relation to Figure 11a.
  • the radio circuitry 1109 may be configured to set up and maintain at least a wireless connection with the first node 111, the second node 112, the third node 113, the fourth node 114, the another node 115, any of the other one or more devices 130, and/or another structure in the communications system 100.
  • embodiments herein also relate to the first device 131 operative to handle security in the communications system 100, the first device 131 being operative to operate in the communications system 100.
  • the first device 131 may comprise the processing circuitry 1103 and the memory 1104, said memory 1104 containing instructions executable by said processing circuitry 1103, whereby the first device 131 is further operative to perform the actions described herein in relation to the first device 131, e.g., in Figure 5, and/or Figures 6-8.
  • the expression “at least one of:” followed by a list of alternatives separated by commas, and wherein the last alternative is preceded by the “and” term, may be understood to mean that only one of the list of alternatives may apply, more than one of the list of alternatives may apply or all of the list of alternatives may apply.
  • This expression may be understood to be equivalent to the expression “at least one of:” followed by a list of alternatives separated by commas, and wherein the last alternative is preceded by the “or” term.
  • processor and circuitry may be understood herein as a hardware component.
  • the expression “in some embodiments” has been used to indicate that the features of the embodiment described may be combined with any other embodiment or example disclosed herein.
  • 3GPP TS 23.288 v16.5.0 (Sept 2020): Architecture enhancements for 5G System (5GS) to support network data analytics services.


Abstract

A computer-implemented method, by a first node (111), for handling security in a communications system (100). The first node (111) receives (301), from another node (115), a first message. The first message requests subscription to receive at least one indication indicating a security attack, of at least one of: i) a first indication of one or more applications, and ii) a second indication of one or more devices (130), that are a target or a source of the attack. The first node (111) initiates (302) instructing, based on the first message, at least one of: one or more additional nodes (112, 113) and a first device (131), to monitor information indicative of the attack. The first node (111) initiates (307) sending, with the proviso that the security attack is detected, another message to the another node (115) comprising the at least one of the first and the second indication.

Description

FIRST NODE, SECOND NODE, COMMUNICATIONS SYSTEM AND METHODS PERFORMED, THEREBY FOR HANDLING SECURITY IN A COMMUNICATIONS SYSTEM
TECHNICAL FIELD
The present disclosure relates generally to a first node and methods performed thereby for handling security in a communications system. The present disclosure also relates generally to a second node, and methods performed thereby for security in the communications system. The present disclosure further relates generally to a communications system and methods performed thereby for handling security in the communications system. The present disclosure also relates generally to computer programs and computer-readable storage mediums, having stored thereon the computer programs to carry out these methods.
BACKGROUND
Computer systems in a communications network may comprise one or more network nodes. A node may comprise one or more processors which, together with computer program code may perform different functions and actions, a memory, a receiving port and a sending port. A node may be, for example, a server. Nodes may perform their functions entirely on the cloud.
The standardization organization 3GPP is currently in the process of specifying a New Radio Interface called NR or 5G-UTRA, as well as a Fifth Generation (5G) Packet Core Network, which may be referred to as 5G Core Network, abbreviated as 5GC.
A 3GPP system comprising a 5G Access Network (AN), a 5G Core Network and a UE may be referred to as a 5G system.
Figure 1 is a schematic diagram depicting a particular example of a 5G architecture of policy and charging control framework, which may be used as a reference for the present disclosure. A Network Data Analytics Function (NWDAF) 1 may be understood to represent an operator managed network analytics logical function. The NWDAF 1 may be understood to be part of the 5GC architecture and may use the mechanisms and interfaces specified for 5GC and Operations, Administration and Maintenance (OAM). The NWDAF 1 may interact with different entities for different purposes, such as: a) data collection based on event subscription, provided by an Access and Mobility Function (AMF) 2, a Session Management Function (SMF) 3, a Policy Control Function (PCF) 4, a Unified Data Management (UDM), an Application Function (AF) 5, directly or via Network Exposure Function (NEF) 6, and an OAM; b) retrieval of information from data repositories, e.g., a Unified Data Repository (UDR) 7 via the UDM for subscriber-related information; c) retrieval of information about Network Functions (NFs), e.g., Network Repository Function (NRF) for NF-related information, and Network Slice Selection Function (NSSF) for slice-related information; and e) on demand provision of analytics to consumers.
The UDR 7 may store data grouped into distinct collections of subscription-related information such as: subscription data, policy data; structured data for exposure; and application data. The PCF 4 may support a unified policy framework to govern the network behavior. Specifically, the PCF may provide Policy and Charging Control (PCC) rules to the Policy and Charging Enforcement Function (PCEF), that is, the SMF 3/User Plane Function (UPF) 8 that may enforce policy and charging decisions according to provisioned PCC rules. The SMF 3 may support different functionalities, e.g., the SMF 3 may receive PCC rules from the PCF 4 and may configure the UPF 8 accordingly.
The UPF 8 may support handling of user plane (UP) traffic based on the rules received from the SMF 3, e.g., packet inspection and different enforcement actions such as Quality of Service (QoS) handling.
Also depicted in Figure 1 is a Charging Function (CHF) 9. Each of the UDR 7, the NEF 6, the NWDAF 1 , the AF 5, the PCF 4, the CHF 9, the AMF 2, and the SMF 3 may have an interface through which they may be accessed, which as depicted in the Figure, may be, respectively: Nudr 10, Nnef 11 , Nnwdaf 12, Naf 13, Npcf 14, Nchf 15, Namf 16, Nsmf 17. The UPF 8 may have an interface N4 18 with the SMF 3.
The communications network may cover a geographical area which may be divided into cell areas, each cell area being served by another type of node, a network node in the Radio Access Network (RAN) 7, radio network node or Transmission Point (TP), for example, an access node such as a Base Station (BS), e.g. a Radio Base Station (RBS), which sometimes may be referred to as e.g., evolved Node B (“eNB”), “eNodeB”, “NodeB”, “B node”, or Base Transceiver Station (BTS), depending on the technology and terminology used. The base stations may be of different classes such as e.g. Wide Area Base Stations, Medium Range Base Stations, Local Area Base Stations and Home Base Stations, based on transmission power and thereby also cell size. A cell is the geographical area where radio coverage is provided by the base station at a base station site. One base station, situated on the base station site, may serve one or several cells. Further, each base station may support one or several communication technologies. The telecommunications network may also be a non-cellular system, comprising network nodes which may serve receiving nodes, such as user equipments, with serving beams.
Security related attacks in mobile networks
There is a broad family of well-known security attacks in mobile networks which may be classified into: passive attacks, such as Wiretapping, Port scan, Idle scan, or active attacks, such as Denial-of-service attack (DoS), e.g., Distributed DoS (DDoS). In computing, a denial-of-service attack (DoS attack) may be understood as a cyber-attack where the perpetrator may seek to make a machine or network resource unavailable to its intended users by temporarily or indefinitely disrupting services of a host connected to the internet. Denial of service may be typically accomplished by flooding the targeted machine or resource with superfluous requests to overload systems and to prevent some or all legitimate requests from being fulfilled.
In a DDoS attack, the incoming traffic flooding the victim may originate from many different sources. This effectively makes it impossible to stop the attack simply by blocking a single source.
There may be different types of DDoS attacks: a) volume-based attacks, which may use high traffic to inundate the network bandwidth, b) protocol attacks, which may focus on exploiting server resources, and c) application attacks, which may focus on web applications and may be considered the most sophisticated and serious type of attacks.
Examples of DDoS attacks may be: SYN flood, User Datagram Protocol (UDP) flood, HTTP flood, Ping of death, Smurf attack, Fraggle attack, Slowloris, Network Time Protocol (NTP) amplification, Advanced Persistent DoS, Zero-day DDoS attacks, etc.
Other examples of active attacks different from DoS may be, e.g.: a) spoofing, such as volume based: spoofing, UDP -Domain Name Security (DNS)-, Internet Control Message Protocol (ICMP), reflection amplification, b) network, such as Man in the middle, Address Resolution Protocol (ARP) poisoning, Ping flood, Ping of death, Smurf attack, and c) host, such as Buffer overflow, Heap overflow, Stack overflow, and Format string attack.
Traffic encryption and network management
Traffic encryption is growing significantly in mobile networks and at the same time, the encryption mechanisms are growing in complexity. Most applications today are not based on Hypertext Transport Protocol (HTTP) cleartext, but instead they may be based on Hypertext Transport Protocol Secure (HTTPS), e.g., using Transport Layer Security (TLS). Additionally, a significant part of the traffic may now be based on Quick User Datagram Protocol Internet Connection (QUIC) transport. In the future, it is foreseen that most apps will be based on QUIC transport.
QUIC
QUIC may be understood as a UDP-based, stream-multiplexing, encrypted transport protocol. QUIC may be understood as basically a UDP based replacement for Transmission Control Protocol (TCP). QUIC is now under the final steps of standardization at IETF and may rely on TLS 1.3. Network operators are challenged due to the exponential increase of connected devices, both mobile broadband and IoT devices, which implies a much higher probability of security vulnerabilities and threats, for example, according to the types of security attacks just described.
SUMMARY
To handle security attacks, existing gateways may provide some basic security functions, such as DDoS detection. However, those security functions are performed locally, under static configuration, and not dynamically, with better efficiency. Furthermore, traffic encryption is a growing trend. DNS traffic today is starting to be encrypted, e.g., DNS over HTTPS (DoH), DNS over TLS (DoT). In the future, it is expected that most DNS traffic will be encrypted. Moreover, most applications today are encrypted, based on HTTPS/TLS or QUIC. In the future, it is foreseen that most applications will be based on QUIC. Furthermore, it is expected that the TLS/QUIC Server Name Indication (SNI) field will also be encrypted.
It is more complex to detect security related attacks at the UPF when traffic is encrypted, specifically when both the DNS traffic and TLS/QUIC SNI are encrypted. This applies both to HTTPS, HTTP/HTTP2 over TLS, and to QUIC based applications, e.g., HTTP3 over QUIC.
It is an object of embodiments herein to improve the handling of security attacks in a communications system.
According to a first aspect of embodiments herein, the object is achieved by a computer-implemented method, performed by a first node. The method is for handling security in a communications system. The first node operates in the communications system. The first node receives, from another node operating in the communications system, a first message. The first message requests a subscription to receive at least one indication indicating a security attack of a first type in the communications system of at least one of a first indication and a second indication. The first indication is of one or more applications that are a target or a source of the security attack of the first type in the communications system. The second indication is of one or more devices operating in the communications system that are a target or a source of the security attack of the first type in the communications system. The first node then initiates instructing, based on the received first message, at least one of: the one or more additional nodes operating in the communications system and the first device of the one or more devices, to monitor information indicative of the security attack of the first type. The first node then initiates sending, with the proviso that the security attack is detected based on the monitored information, another message to the another node. The another message comprises the requested at least one of the first indication and the second indication, based on the requested subscription.
According to a second aspect of embodiments herein, the object is achieved by a computer-implemented method, performed by a second node. The method is for handling security in the communications system. The second node operates in the communications system.
The second node receives an instruction from the first node operating in the communications network to monitor the information indicative of the security attack of the first type, by receiving the second message from the first node. The second message requests first information, of the information indicative of the security attack of the first type. The first information indicates the traffic indicators for one or more devices operating in the communications system that are the target or the source of the security attack of the first type in the communications system. The second node sends the requested first information to the first node, in the first additional message.
According to a third aspect of embodiments herein, the object is achieved by a computer-implemented method, performed by a communications system. The method is for handling security in the communications system. The communications system comprises the first node and the one or more additional nodes. The method comprises receiving, by the first node, from the another node operating in the communications system, the first message. The first message requests the subscription to receive at least one indication indicating a security attack of the first type in the communications system of at least one of: the first indication and the second indication. The first indication is of the one or more applications that are the target or the source of the security attack of the first type in the communications system. The second indication is of the one or more devices operating in the communications system 100 that are the target or the source of the security attack of the first type in the communications system. The method also comprises initiating instructing, by the first node and based on the received first message, at least one of: the one or more additional nodes and the first device of the one or more devices, to monitor the information indicative of the security attack of the first type. The method further comprises receiving, by the second node of the one or more additional nodes, the instruction from the first node to monitor information indicative of the security attack of the first type, by receiving the second message from the first node. The second message requests the first information, of the information indicative of the security attack of the first type. The first information indicates the traffic indicators for the one or more devices operating in the communications system that are the target or the source of the security attack of the first type in the communications system. The method also comprises sending, by the second node 112, the requested first information to the first node, in the first additional message. The method further comprises initiating sending, by the first node, with the proviso that the security attack is detected based on the monitored information, the another message to the another node. The another message comprises the requested at least one of the first indication and the second indication, based on the requested subscription.
According to a fourth aspect of embodiments herein, the object is achieved by the first node, for handling security in the communications system. The first node is configured to operate in the communications system. The first node is further configured to receive, from the another node configured to operate in the communications system, the first message. The first message is configured to request the subscription to receive the at least one indication configured to indicate the security attack of the first type in the communications system of at least one of: the first indication and the second indication. The first indication is of the one or more applications that are the target or the source of the security attack of the first type in the communications system. The second indication is of the one or more devices configured to operate in the communications system that are the target or the source of the security attack of the first type in the communications system. The first node is also configured to initiate instructing, based on the first message configured to be received, at least one of: the one or more additional nodes configured to operate in the communications system and the first device of the one or more devices, to monitor the information indicative of the security attack of the first type. The first node is further configured to initiate sending, with the proviso that the security attack is detected based on the information configured to be monitored, the another message to the another node. The another message is configured to comprise the at least one of the first indication and the second indication configured to be requested, based on the subscription configured to be requested.
According to a fifth aspect of embodiments herein, the object is achieved by the second node, for handling security in the communications system. The second node is configured to operate in the communications system. The second node is further configured to receive the instruction from the first node configured to operate in the communications network to monitor the information indicative of the security attack of the first type, by receiving the second message from the first node. The second message is configured to request the first information, of the information indicative of the security attack of the first type. The first information is configured to indicate the traffic indicators for the one or more devices configured to operate in the communications system that are the target or the source of the security attack of the first type in the communications system. The second node is also configured to send the first information configured to be requested to the first node, in the first additional message.
According to a sixth aspect of embodiments herein, the object is achieved by the communications system, for handling security in the communications system. The communications system is configured to comprise the first node and the one or more additional nodes. The communications system is further configured to receive, by the first node, from the another node configured to operate in the communications system, the first message. The first message is configured to request the subscription to receive the at least one indication configured to indicate the security attack of the first type in the communications system of the at least one of: the first indication and the second indication. The first indication is of the one or more applications that are the target or the source of the security attack of the first type in the communications system. The second indication is of the one or more devices configured to operate in the communications system that are the target or the source of the security attack of the first type in the communications system. The communications system is also configured to initiate instructing, by the first node and based on the first message configured to be received, at least one of: the one or more additional nodes configured to operate in the communications system and the first device of the one or more devices, to monitor the information indicative of the security attack of the first type. The communications system is further configured to receive, by the second node of the one or more additional nodes, the instruction from the first node to monitor the information indicative of the security attack of the first type, by receiving the second message from the first node. The second message is configured to request the first information, of the information indicative of the security attack of the first type. The first information is configured to indicate the traffic indicators for the one or more devices configured to operate in the communications system that are the target or the source of the security attack of the first type in the communications system. The communications system is also configured to send, by the second node, the first information configured to be requested to the first node, in the first additional message. The communications system is further configured to initiate sending, by the first node, with the proviso that the security attack is detected based on the information configured to be monitored, the another message to the another node. The another message is configured to comprise the at least one of the first indication and the second indication configured to be requested, based on the subscription configured to be requested.
According to a seventh aspect of embodiments herein, the object is achieved by a computer program, comprising instructions which, when executed on at least one processor, cause the at least one processor to carry out the method performed by the first node.
According to an eighth aspect of embodiments herein, the object is achieved by a computer-readable storage medium, having stored thereon the computer program, comprising instructions which, when executed on at least one processor, cause the at least one processor to carry out the method performed by the first node.
According to a ninth aspect of embodiments herein, the object is achieved by a computer program, comprising instructions which, when executed on at least one processor, cause the at least one processor to carry out the method performed by the second node.
According to a tenth aspect of embodiments herein, the object is achieved by a computer-readable storage medium, having stored thereon the computer program, comprising instructions which, when executed on at least one processor, cause the at least one processor to carry out the method performed by the second node.
By receiving the first message, the first node may be enabled to know which entity may need to be monitored in the communications system as being a potential source or target of a security attack, and for which purpose, namely, which kind of security attack. The first node may then be enabled to initiate prevention of the security attack from happening, or its management once it may have been initiated.
By initiating instructing, the first node may trigger data collection from the entities in the communications network which may be able to provide information on the one or more applications and/or the one or more devices that may be the target or the source of the security attack of the first type, so that after receiving the information, the first node may be enabled to perform an analysis of the information and determine if an attack may be underway, or may have happened.
The second node, by receiving the second message, may be enabled to start monitoring the requested first information, and when appropriate, e.g., on-demand, when a condition is met, or periodically, send the collected first information to the first node, thereby enabling the first node to analyze the information and determine whether or not the attack has taken place, and by whom, so that actions to mitigate such an attack may be taken.
By the first node initiating sending the another message if the attack has been detected, the first node may then enable the another node to be notified about any security attack that may be underway, or may have happened in the communications system, and thereby enable the another node to take appropriate measures to stop the attack and mitigate any adverse effects the attack may have on the operation of the communications system and/or its components. The capacity of the communications system may therefore be improved and the latency may be reduced.
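The subscribe, instruct, report and notify exchange described in the aspects above, as an added Python simulation that is not part of the patent or of any Ericsson code; the node classes, the source/target field names, the detection thresholds and the recommended-action text are assumptions, while the per-flow fields (application id, flow start time, serving node, traffic volume) follow the third-information list given earlier on this page.

```python
# Added example (not the patent's own code): a minimal simulation of the
# first-message subscription, the second-message instruction, the first
# additional message with traffic indicators, and the "another message"
# sent only when an attack is detected. Names and thresholds are assumed.
from collections import defaultdict
from dataclasses import dataclass
from typing import Optional


@dataclass
class FirstMessage:
    """Subscription request sent by the 'another node' (the first message)."""
    attack_type: str          # security attack of the first type, e.g. "DoS"
    want_applications: bool   # is the first indication (applications) requested?
    want_devices: bool        # is the second indication (devices) requested?


@dataclass
class TrafficIndicator:
    """One traffic indicator of the first information reported by the second node.
    source/target are assumed names; the remaining fields mirror the page's list."""
    source: str
    target: str
    app_id: str
    flow_start: float
    serving_node: str
    volume_bytes: int


class SecondNode:
    """Collects traffic indicators only after being instructed (second message)."""
    def __init__(self) -> None:
        self.monitoring: Optional[str] = None
        self.records: list = []

    def receive_second_message(self, attack_type: str) -> None:
        self.monitoring = attack_type

    def observe(self, ind: TrafficIndicator) -> None:
        if self.monitoring is not None:   # nothing is recorded before instruction
            self.records.append(ind)

    def first_additional_message(self) -> list:
        return list(self.records)


class FirstNode:
    """Receives the subscription, instructs monitoring, analyses and notifies."""
    def __init__(self, volume_threshold: int, source_threshold: int) -> None:
        self.volume_threshold = volume_threshold   # assumed: bytes per target
        self.source_threshold = source_threshold   # assumed: distinct sources per target
        self.subscription: Optional[FirstMessage] = None

    def receive_first_message(self, msg: FirstMessage) -> None:
        self.subscription = msg

    def initiate_instructing(self, node: SecondNode) -> None:
        node.receive_second_message(self.subscription.attack_type)

    def analyse(self, indicators: list) -> Optional[dict]:
        """Return the 'another message' only if an attack is detected, else None."""
        by_target = defaultdict(list)
        for ind in indicators:
            by_target[ind.target].append(ind)
        hit_devices, hit_apps, sources = set(), set(), set()
        for target, flows in by_target.items():
            volume = sum(f.volume_bytes for f in flows)
            srcs = {f.source for f in flows}
            # a target is under attack if it receives too much volume or
            # traffic from too many distinct sources (assumed criteria)
            if volume >= self.volume_threshold or len(srcs) >= self.source_threshold:
                hit_devices.add(target)
                hit_apps.update(f.app_id for f in flows)
                sources |= srcs
        if not hit_devices:
            return None
        sub = self.subscription
        msg = {
            "attack_type": sub.attack_type,
            # sixth indication: suspected type, many sources suggests DDoS
            "suspected_type": "DDoS" if len(sources) >= self.source_threshold else "DoS",
            # recommended mitigation action (assumed wording)
            "recommended_action": "rate-limit flows towards the listed targets",
        }
        if sub.want_applications:
            msg["applications"] = sorted(hit_apps)   # first indication
        if sub.want_devices:
            msg["devices"] = sorted(hit_devices)     # second indication
        return msg


def run_exchange() -> Optional[dict]:
    """Constructed scenario: ten sources flood srv-1 while one benign flow goes to srv-2."""
    first, second = FirstNode(volume_threshold=5_000_000, source_threshold=8), SecondNode()
    first.receive_first_message(FirstMessage("DoS", want_applications=True, want_devices=True))
    first.initiate_instructing(second)
    for i in range(10):
        second.observe(TrafficIndicator(f"ue-{i}", "srv-1", "app-web", 100.0 + i, "upf-1", 20_000))
    second.observe(TrafficIndicator("ue-99", "srv-2", "app-mail", 101.0, "upf-1", 4_000))
    return first.analyse(second.first_additional_message())


if __name__ == "__main__":
    print(run_exchange())
```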
BRIEF DESCRIPTION OF THE DRAWINGS
Examples of embodiments herein are described in more detail with reference to the accompanying drawings, according to the following description.
Figure 1 is a schematic diagram illustrating a non-limiting example of a 5G Network Architecture.
Figure 2 is a schematic diagram illustrating a non-limiting example of a communications system, according to embodiments herein.
Figure 3 is a flowchart depicting embodiments of a method in a first node, according to embodiments herein.
Figure 4 is a flowchart depicting embodiments of a method in a second node, according to embodiments herein.
Figure 5 is a flowchart depicting embodiments of a method in a communications system, according to embodiments herein.
Figure 6 is a schematic diagram depicting a non-limiting example of signalling between nodes in a communications system, according to embodiments herein.
Figure 7 is a schematic diagram depicting a continuation of Figure 6.
Figure 8 is a schematic diagram depicting a continuation of Figure 7.
Figure 9 is a schematic block diagram illustrating two non-limiting examples, a) and b), of a first node, according to embodiments herein.
Figure 10 is a schematic block diagram illustrating two non-limiting examples, a) and b), of a second node, according to embodiments herein.
Figure 11 is a schematic block diagram illustrating two non-limiting examples, a) and b), of a communications system, according to embodiments herein.
DETAILED DESCRIPTION
Certain aspects of the present disclosure and their embodiments address one or more of these challenges identified with the existing methods and provide solutions to the challenges discussed. Embodiments herein may therefore be understood to relate in general to security related attack prevention based on Analytics in 5G networks. Embodiments herein may be understood to solve the above problems with the existing solutions and may be understood to be based on the definition of a new type of analytic relative to security related attacks. Particular embodiments herein may specifically address this problem when traffic may be encrypted.
The embodiments will now be described more fully hereinafter with reference to the accompanying drawings, in which examples are shown. In this section, embodiments herein are illustrated by exemplary embodiments. It should be noted that these embodiments are not mutually exclusive. Components from one embodiment or example may be tacitly assumed to be present in another embodiment or example and it will be obvious to a person skilled in the art how those components may be used in the other exemplary embodiments. All possible combinations are not described to simplify the description.
Figure 2 depicts two non-limiting examples, in panels “a” and “b”, respectively, of a communications system 100, in which embodiments herein may be implemented. In some example implementations, such as that depicted in the non-limiting example of Figure 2a, the communications system 100 may be a computer network. In other example implementations, such as that depicted in the non-limiting example of Figure 2b, the communications system 100 may be implemented in a telecommunications system, sometimes also referred to as a telecommunications network, cellular radio system, cellular network or wireless communications system. In some examples, the telecommunications system may comprise network nodes which may serve receiving nodes, such as wireless devices, with serving beams.
In some examples, the telecommunications system may for example be a network such as 5G system, or a newer system supporting similar functionality. The telecommunications system may also support other technologies, such as a Long-Term Evolution (LTE) network, e.g. LTE Frequency Division Duplex (FDD), LTE Time Division Duplex (TDD), LTE Half-Duplex Frequency Division Duplex (HD-FDD), LTE operating in an unlicensed band, Wideband Code Division Multiple Access (WCDMA), Universal Terrestrial Radio Access (UTRA) TDD, Global System for Mobile communications (GSM) network, GSM/Enhanced Data Rate for GSM Evolution (EDGE) Radio Access Network (GERAN) network, Ultra-Mobile Broadband (UMB), EDGE network, network comprising of any combination of Radio Access Technologies (RATs) such as e.g. Multi-Standard Radio (MSR) base stations, multi-RAT base stations etc., any 3rd Generation Partnership Project (3GPP) cellular network, Wireless Local Area Network/s (WLAN) or WiFi network/s, Worldwide Interoperability for Microwave Access (WiMax), IEEE 802.15.4-based low-power short-range networks such as IPv6 over Low-Power Wireless Personal Area Networks (6LowPAN), Zigbee, Z-Wave, Bluetooth Low Energy (BLE), or any cellular network or system. The telecommunications system may for example support a Low Power Wide Area Network (LPWAN). LPWAN technologies may comprise Long Range physical layer protocol (LoRa), Haystack, SigFox, LTE-M, and Narrow-Band IoT (NB-IoT).
Although terminology from Long Term Evolution (LTE)/5G has been used in this disclosure to exemplify the embodiments herein, this should not be seen as limiting the scope of the embodiments herein to only the aforementioned system. Other wireless systems supporting similar or equivalent functionality may also benefit from exploiting the ideas covered within this disclosure. In future telecommunication networks, e.g., in the sixth generation (6G), the terms used herein may need to be reinterpreted in view of possible terminology changes in future technologies. The communications system 100 may comprise a plurality of nodes, whereof a first node 111, one or more additional nodes 112, 113 are depicted in Figure 2. The one or more additional nodes 112, 113, may comprise a second node 112, and a third node 113.
The communications system 100 may also comprise a fourth node 114, and comprises another node 115, also referred to herein as a fifth node 115, which are also depicted in Figure 2. Any of the first node 111, the second node 112, the third node 113, the fourth node 114 and the fifth node 115 may be understood, respectively, as a first computer system, a second computer system, and a third computer system. In some examples, any of the first node 111, the second node 112, the third node 113, the fourth node 114 and the fifth node 115 may be implemented as a standalone server in e.g., a host computer in the cloud 116. Any of the first node 111, the second node 112, the third node 113, the fourth node 114 and the fifth node 115 may in some examples be a distributed node or distributed server, with some of their respective functions being implemented locally, e.g., by a client manager, and some of its functions implemented in the cloud 116, by e.g., a server manager. Yet in other examples, any of the first node 111, the second node 112, the third node 113, the fourth node 114 and the fifth node 115 may also be implemented as processing resources in a server farm.
In some embodiments, any of the first node 111, the second node 112, the third node 113, the fourth node 114 and the fifth node 115 may be independent and separated nodes. In other embodiments, any of the first node 111, the second node 112, the third node 113, the fourth node 114 and the fifth node 115 may be co-located or be the same node. In a particular non-limiting example, the first node 111, e.g., a NWDAF, may either be a central node or may be co-located with the second node 112, e.g., a UPF. All the possible combinations are not depicted in Figure 2 to simplify the Figure. It may be understood that the communications system 100 may comprise more nodes than those represented in Figure 2.
In some examples of embodiments herein, the first node 111 may be a node having a capability to analyze data, such as a NWDAF in 5G, or a node capable of performing a similar function in the communications system 100. The second node 112 may be a node having a capability to support handling of user plane traffic based on one or more rules such as, for example, packet inspection and different enforcement actions such as QoS handling, which may have been received from an SMF. The second node 112 may be a UPF in 5G or a node capable of performing a similar function in the communications system 100.
The third node 113 may be a node capable of storing data grouped into distinct collections of subscription-related information, such as subscription data, policy data, structured data for exposure, and application data. The third node 113 may be a UDR in 5G or a node capable of performing a similar function in the communications system 100. The fourth node 114 may be a node capable of providing content to a user, in relation to an application. The fourth node 114 may be for example an application server, or a node capable of performing a similar function in the communications system 100.
The fifth node 115 may be a node capable of requesting data pertaining to analytics performed by the first node 111. The fifth node 115 may be for example a consumer, such as, any NF, e.g., PCF or OAM, or a node capable of performing a similar function in the communications system 100.
The communications system 100 also comprises one or more devices 130, comprising a first device 131. Any of the one or more devices 130 may be also known as e.g., user equipment (UE), a wireless device, mobile terminal, wireless terminal and/or mobile station, mobile telephone, cellular telephone, or laptop with wireless capability, or a Customer Premises Equipment (CPE), just to mention some further examples. Any of the one or more devices 130 in the present context may be, for example, portable, pocket-storable, hand-held, computer-comprised, or a vehicle-mounted mobile device, enabled to communicate voice and/or data, via a RAN, with another entity, such as a server, a laptop, a Personal Digital Assistant (PDA), or a tablet computer, sometimes referred to as a tablet with wireless capability, or simply tablet, a Machine-to-Machine (M2M) device, a device equipped with a wireless interface, such as a printer or a file storage device, modem, Laptop Embedded Equipped (LEE), Laptop Mounted Equipment (LME), USB dongles, CPE or any other radio network unit capable of communicating over a radio link in the communications system 100. Any of the one or more devices 130 may be wireless, i.e., it may be enabled to communicate wirelessly in the communications system 100 and, in some particular examples, may be able to support beamforming transmission. The communication may be performed e.g., between two devices, between a device and a radio network node, and/or between a device and a server. The communication may be performed e.g., via a RAN and possibly one or more core networks, comprised, respectively, within the communications system 100. In some particular embodiments, any of the one or more devices 130 may be an IoT device, e.g., a NB-IoT device.
The communications system 100 may comprise one or more radio network nodes, whereof a radio network node 140 is depicted in Figure 2b. The radio network node 140 may typically be a base station or Transmission Point (TP), or any other network unit capable to serve a wireless device or a machine type node in the communications system 100. The radio network node 140 may be e.g., a 5G gNB, a 4G eNB, or a radio network node in an alternative 5G radio access technology, e.g., fixed or WiFi. The radio network node 140 may be e.g., a Wide Area Base Station, Medium Range Base Station, Local Area Base Station and Home Base Station, based on transmission power and thereby also coverage size. The radio network node 140 may be a stationary relay node or a mobile relay node. The radio network node 140 may support one or several communication technologies, and its name may depend on the technology and terminology used. The radio network node 140 may be directly connected to one or more networks and/or one or more core networks.
The communications system 100 covers a geographical area which may be divided into cell areas, wherein each cell area may be served by a radio network node, although, one radio network node may serve one or several cells.
The first node 111 may communicate with any of the one or more additional nodes 112, 113, e.g., with the second node 112, respectively, over a respective first link 151, e.g., a radio link or a wired link. The first node 111 may communicate with the another node 115 over a second link 152, e.g., a radio link or a wired link. The first node 111 may communicate with any of the one or more devices 130, e.g., the first device 131, respectively, over a respective third link 153, e.g., a radio link or a wired link. The second node 112 may communicate with the fourth node 114 over Any of the one or more first endpoints 120 may communicate with the second node 112 over a respective fourth link 154, e.g., a radio link or a wired link. The radio network node 140 may communicate with the first node 111 over a fifth link 155, e.g., a radio link. The radio network node 140 may communicate with any of the one or more devices 130, e.g., the first device 131, respectively, over a respective sixth link 156, e.g., a radio link. Any of the respective first link 151, the second link 152, the third link 153, the fourth link 154, the fifth link 155 and the respective sixth link 156 may be a direct link or it may go via one or more computer systems or one or more core networks in the communications system 100, or it may go via an optional intermediate network. The intermediate network may be one of, or a combination of more than one of, a public, private or hosted network; the intermediate network, if any, may be a backbone network or the Internet, which is not shown in Figure 2.
In general, the usage of “first”, “second”, “third”, “fourth”, “fifth” and/or “sixth” herein may be understood to be an arbitrary way to denote different elements or entities, and may be understood to not confer a cumulative or chronological character to the nouns these adjectives modify.
Embodiments of a computer-implemented method, performed by the first node 111, will now be described with reference to the flowchart depicted in Figure 3. The method may be understood to be for handling security in a communications system 100. The first node 111 operates in the communications system 100.
The method may comprise the actions described below. In some embodiments all the actions may be performed. In some embodiments some of the actions may be performed. In Figure 3, optional actions are indicated with a dashed box. One or more embodiments may be combined, where applicable. All possible combinations are not described to simplify the description. It should be noted that the examples herein are not mutually exclusive. Components from one example or embodiment may be tacitly assumed to be present in another example or embodiment and it will be obvious to a person skilled in the art how those components may be used in the other examples or embodiments.
In Figure 3, optional actions are represented with dashed boxes. Some actions may be performed in a different order than that depicted in Figure 2. Particularly, Actions 302a, 302b, 302c, 303, 304 and 305 may be performed in a different order. In a particular alternative example to that depicted in Figure 2, these Actions may be performed in the order of 302b, 304, 302a, 302c, 305, 303.
Action 301
During the course of operations of the communications system 100, the communications system 100 may be vulnerable to security attacks. A security attack may be understood as any interference in any process or component of the communications system 100 with the intent to affect its functioning or performance, and/or to steal part of the information processed by it. A security attack may be of different types, as described in the Background section, for example passive attacks, active attacks, etc.
In order to enable detection of different types of security related attacks and to act upon them, an analytics consumer such as the another node 115, which may be e.g., any NF, such as a PCF or an OAM, may subscribe with the first node 111 to receive a new type of analytic according to embodiments herein, as will be described next, and may indicate the security scenario that may be of interest to the another node 115 to follow, e.g., a DDoS.
According to the foregoing in this Action 301, the first node 111 receives, from the another node 115 operating in the communications system 100, a first message. The first message requests a subscription to receive at least one indication indicating a security attack of a first type in the communications system 100. The indication is of at least one of: i) a first indication of one or more applications that are a target or a source of the security attack of the first type in the communications system 100, and ii) a second indication of the one or more devices 130 operating in the communications system 100 that are a target or a source of the security attack of the first type in the communications system 100.
In some embodiments, the first node 111 may be an NWDAF and the another node 115 may manage an analytics consumer, such as any NF, e.g. PCF or OAM.
The first indication may be, for example, a Nnwdaf_AnalyticsSubscription_Request message. The first indication may be, for example, a list of applications, e.g., a list of identifiers of applications, such as a list of App-ID, which may be understood to indicate the App-ID/s which may be the target or the source for the security attack. As indicated above the first message may indicate the first indication, the second indication, or both. If the first indication is not included, e.g., the list of App-ID/s is empty, it may be understood that all user traffic, and not only that pertaining to a subset of applications, may be subject to the requested analytic.
The second indication may be, for example, an identifier of a device, e.g., a UE-ID, a list of devices, e.g., a list of identifiers of devices, such as a list of UE-ID, UE-Group-ID or list of UE-Group-ID, AnyUE, which may be understood to indicate the devices which may be the target or the source for the security attack.
The at least one indication may be requested implicitly, by for example, identifying a type of event the another node 115 is subscribing to, e.g., by including a parameter to that effect, such as AnalyticId=Security, or explicitly. That is, the first message may comprise at least one of the first indication and the second indication, explicitly. In other words, the another node 115 may indicate which application(s) and/or device(s) the another node 115 may be interested in having the first node 111 investigate.
A security attack of a first type may be, for example, a Denial of Service (DoS) attack. There may be other types of attacks.
The receiving in this Action 301 need not be directly from the another node 115 via the second link 152.
By receiving the first message in this Action 301, the first node 111 may be enabled to know which entity may need to be monitored in the communications system 100 as being a potential source or target of a security attack, and for which purpose, namely, which kind of security attack. The first node 111 may then be enabled to initiate prevention of the security attack from happening, or its management once it may have been initiated, by proceeding to perform the next Action 302. Before that, the first node 111 may reply to the received first message with a successful response, accepting the request.
Action 302
In this Action 302, the first node 111 initiates instructing, based on the received first message, at least one of: the one or more additional nodes 112, 113 operating in the communications system 100 and the first device 131 of the one or more devices 130, to monitor information indicative of the security attack of the first type.
Initiating may be understood as triggering or starting.
Action 302a
In some embodiments, the one or more additional nodes 112, 113 may comprise the second node 112, e.g., a UPF. In such embodiments, the initiating instructing in this Action 302 may comprise sending 302a a second message to the second node 112. The second message may request first information, that is a first set of information, of the information indicative of the security attack of the first type. The first information may indicate traffic indicators for the indicated one or more devices 130. The first node 111 may therefore in this Action 302a, trigger data collection from the second node 112, specifically to retrieve information relative to protocol metrics for a particular device, e.g., the first device 131.
The second message may be, for example, a Nupf_EventExposure_Subscribe request message.
In some embodiments, the first information may comprise at least one of: a) a first identifier of the first information, which may be for example an identifier of the event, such as e.g., EventId=ProtocolMetrics; b) a second identifier of the first device 131 of the one or more devices 130, e.g., a UE-ID; c) a third identifier of a protocol used for the traffic, such as for example, Protocol-ID=TCP; the protocol may be understood to refer to, e.g., a transport protocol, which may be used by traffic for the particular application, e.g., example.com, which may be the subject of the monitoring; a particular example of such a protocol may be TCP, and other examples of protocol may be UDP or QUIC; and d) one or more protocol metrics. The one or more protocol metrics may be indicated by a parameter “Protocol Metrics Info”. The one or more metrics may comprise one or more third indications. The one or more third indications may indicate, respectively, one of the following options, although this is not an exhaustive list.
In a first option, one of the third indications may indicate a ratio of connection-oriented transport protocol setup request messages to connection-oriented transport protocol setup response messages for a session. As an example, for the TCP protocol, this ratio may be a parameter “SYN to SYN-ACK ratio”. This may be understood to be a ratio between SYN and SYN-ACK messages for a particular session, e.g., a UE-ID session. For example, a ratio of 1 may be understood to mean that there is a corresponding SYN-ACK message for each SYN message.
In a second option, one of the third indications may indicate a number of unacknowledged connection-oriented transport protocol setup request messages. An example for the TCP protocol of this number may be a parameter “Unacked SYN volume”. This may be understood to be the number of TCP SYN messages for which no TCP SYN-ACK and/or TCP ACK messages have been detected by the second node 112, e.g., a UPF, for this particular session, e.g., the UE-ID session.
In a third option, one of the third indications may indicate a volume of a respective message of a first type received for the session. In the TCP protocol, an example for this volume may be a parameter “SYN volume”. This may be understood to be the average volume of each TCP SYN message for this UE-ID session. Additionally, in case the volume of an individual TCP SYN message exceeds a configurable threshold, this may also be reported.
In a fourth option, one of the third indications may indicate a number of consecutive messages of a second type received for the session. An example for the TCP protocol of this number may be a parameter “Simultaneous TCP SYN”. This may be understood to be the number of consecutive TCP SYN messages for this session, e.g., UE-ID session, for example, over a certain timespan which may also be configurable.
In a fifth option, one of the third indications may indicate an average size of a window for the session. An example for the TCP protocol of this average size may be a parameter “TCP average window size”. This may be understood to be the average window size for this session, e.g., UE-ID session.
In a sixth option, one of the third indications may indicate a number of duplicated acknowledgement messages for the session. An example for the TCP protocol of this number may be a parameter “Duplicated ACKs”. This may be understood to be the number of duplicated ACKs for this session, e.g., UE-ID session.
In a seventh option, one of the third indications may indicate a number of packets sent for the session. In the TCP protocol, an example for this number may be a parameter “RST”. This may be understood to be the number of TCP RST packets sent for this session, e.g., UE-ID session.
In an eighth option, one of the third indications may indicate a number of retransmitted information for the session. An example for the TCP protocol of this number may be a parameter “Retransmissions”. This may be understood to be the number of retransmitted packets/bytes for this session, e.g., UE-ID session.
In a ninth option, one of the third indications may indicate a maximum segment size for the session. In the TCP protocol, an example for this size may be a parameter “Maximum Segment Size”. This may be understood to be the maximum segment size for this session, e.g., UE-ID session.
In a tenth option, one of the third indications may indicate a number of units of information sent during an initial window of the session. An example for the TCP protocol of this number of units may be a parameter “Initial window packets/bytes”. This may be understood to be the number of packets/bytes sent during the initial window for this session, e.g., UE-ID session.
In an eleventh option, one of the third indications may indicate a maximum idle time between consecutive packets for the session. An example for the TCP protocol of this time may be a parameter “Max Idle time”. This may be understood to be the maximum idle time between consecutive packets for this session, e.g., UE-ID session.
In a twelfth option, one of the third indications may indicate a minimum idle time between consecutive packets for the session. In the TCP protocol, an example for this time may be a parameter “Min Idle time”. This may be understood to be the minimum idle time between consecutive packets for this session, e.g., UE-ID session.
In a thirteenth option, one of the third indications may indicate a throughput for the session. An example for the TCP protocol of this throughput may be a parameter “Average throughput”. This may be understood to be the average throughput for this session, e.g., UE-ID session.
In a fourteenth option, one of the third indications may indicate a respective start time of a respective flow comprised in the session. In the TCP protocol, an example for this start time may be a timestamp, indicating the start time for the flow.
In a fifteenth option, one of the third indications may indicate a respective fourth node 114 serving the first device 131 for the respective flow comprised in the session. An example for the TCP protocol of this indication may be a 5-tuple, including the server IP address.
In a sixteenth option, one of the third indications may indicate a respective volume of the respective flow comprised in the session. An example for the TCP protocol of this volume may be a parameter Volume, optionally differentiating uplink (UL) and downlink (DL) volume.
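The following is an added example, not code from the patent or from the applicant, showing how a user-plane monitoring point could derive several of the TCP metrics listed above (first, second, third, fourth, sixth and seventh options) from a per-session packet trace and how an analytics function could read them. The packet record format, the per-session trace, the sliding-window length and the thresholds used to flag a SYN-flood pattern are all assumptions constructed for this example; the two traces are constructed inline, one for a normal session and one showing a flood-like pattern.

```python
"""Per-session TCP protocol metrics computed from a packet trace (added example)."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Pkt:
    """Minimal packet record (assumed format, not the UPF's own)."""
    ts: float       # seconds since session start
    src: str        # "ue" for uplink, "server" for downlink
    sport: int      # source port
    dport: int      # destination port
    flags: str      # subset of "S" (SYN), "A" (ACK), "R" (RST)
    ack: int = 0    # acknowledgement number, used for duplicate-ACK counting
    size: int = 0   # bytes on the wire


@dataclass
class TcpMetrics:
    syn_to_synack_ratio: float   # first option
    unacked_syn: int             # second option
    avg_syn_volume: float        # third option
    simultaneous_syn: int        # fourth option
    duplicated_acks: int         # sixth option
    rst_count: int               # seventh option


def _flow_key(p: Pkt):
    # Normalise the port pair to (ue_port, server_port) regardless of direction.
    return (p.sport, p.dport) if p.src == "ue" else (p.dport, p.sport)


def tcp_metrics(pkts, syn_window=1.0) -> TcpMetrics:
    """Compute the metrics for one UE-ID session from its packet list."""
    syns = [p for p in pkts if p.src == "ue" and "S" in p.flags and "A" not in p.flags]
    synacks = [p for p in pkts if p.src == "server" and "S" in p.flags and "A" in p.flags]
    answered = {_flow_key(p) for p in synacks}

    if synacks:
        ratio = len(syns) / len(synacks)
    else:
        ratio = float("inf") if syns else 0.0   # SYNs with no SYN-ACK at all
    unacked = sum(1 for p in syns if _flow_key(p) not in answered)
    avg_syn = sum(p.size for p in syns) / len(syns) if syns else 0.0

    # "Simultaneous TCP SYN": most SYNs seen inside any sliding window of syn_window seconds.
    times = sorted(p.ts for p in syns)
    best, lo = 0, 0
    for hi in range(len(times)):
        while times[hi] - times[lo] > syn_window:
            lo += 1
        best = max(best, hi - lo + 1)

    # Duplicate ACK: a pure ACK (no payload, no SYN) repeating the previous ack number
    # seen in the same flow and direction.
    dup, last_ack = 0, {}
    for p in pkts:
        if "A" in p.flags and "S" not in p.flags and p.size == 0:
            k = (_flow_key(p), p.src)
            if last_ack.get(k) == p.ack:
                dup += 1
            last_ack[k] = p.ack

    rst = sum(1 for p in pkts if "R" in p.flags)
    return TcpMetrics(ratio, unacked, avg_syn, best, dup, rst)


def looks_like_syn_flood(m: TcpMetrics, max_ratio=3.0, max_unacked=5) -> bool:
    """Assumed analytics-side rule: thresholds are illustrative, not from the patent."""
    return m.syn_to_synack_ratio > max_ratio or m.unacked_syn > max_unacked


# Constructed trace: one ordinary connection with two duplicate ACKs.
NORMAL_SESSION = [
    Pkt(0.00, "ue", 40000, 443, "S", size=60),
    Pkt(0.02, "server", 443, 40000, "SA", size=60),
    Pkt(0.03, "ue", 40000, 443, "A", ack=1),
    Pkt(0.50, "ue", 40000, 443, "A", ack=1000),
    Pkt(0.60, "ue", 40000, 443, "A", ack=1000),   # duplicate
    Pkt(0.61, "ue", 40000, 443, "A", ack=1000),   # duplicate
]

# Constructed trace: ten SYNs from distinct source ports inside one second,
# only two of them answered, plus one reset.
FLOOD_SESSION = [Pkt(i / 10, "ue", 50000 + i, 443, "S", size=60) for i in range(10)] + [
    Pkt(0.05, "server", 443, 50000, "SA", size=60),
    Pkt(0.15, "server", 443, 50001, "SA", size=60),
    Pkt(1.00, "ue", 50000, 443, "R"),
]

if __name__ == "__main__":
    for name, trace in (("normal", NORMAL_SESSION), ("flood", FLOOD_SESSION)):
        m = tcp_metrics(trace)
        print(name, m, "flagged" if looks_like_syn_flood(m) else "ok")
```

The metrics are computed per UE-ID session, as the options above describe; the analytics rule at the end is only there to show how a consumer of the reported "Protocol Metrics Info" might combine two of them, and real thresholds would be tuned per deployment.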
It is not in scope of embodiments herein to describe the specific mechanism for the sending of the second message triggering data collection. For examples wherein the first node 111 may be an NWDAF and the second node 112 may be UPF, the mechanisms proposed in 3GPP TR 23.700-91 may, for example, be used, e.g. through an SMF or directly, assuming a service based UPF.
The above examples of protocol metrics may be understood to be specific for TCP Protocol. For UDP and QUIC, other metrics may be used.
If the application uses UDP as transport protocol, for example if the Protocol-Metrics parameter indicates that the protocol used is UDP, e.g., with a Protocol-ID=UDP, the following UDP protocol metrics may be used, although this list is not exhaustive:
In a seventeenth option, one of the third indications may indicate the number of consecutive messages of the second type received for the session. An example for the UDP protocol of this number may be a parameter “Simultaneous UL UDP”. This may be understood to be the number of consecutive UL UDP messages, e.g., with different 5-tuple, usually different source port, for this session, e.g., UE-ID session, for example, over a certain timespan which may be configurable.
In an eighteenth option, one of the third indications may indicate the number of consecutive messages of the second type received for the session and a same server. An example for the UDP protocol of this number may be a parameter “Simultaneous UL UDP same server”. This may be understood to be the number of consecutive UL UDP messages, with different 5-tuple, usually different source port, for this session, e.g., UE-ID session, and for the same server, e.g., over a certain timespan which may be configurable.
In a nineteenth option, one of the third indications may indicate a number of consecutive messages of another second type received for the session and a same server. An example for the UDP protocol of this number may be a parameter “Simultaneous unsolicited DL UDP same server”. This may be understood to be the number of consecutive DL UDP messages, with different 5-tuple, usually different source port, for this session, e.g., UE-ID session, and from the same server, over a certain timespan which may be configurable, initiated from the server side, that is, unsolicited traffic.
If the application uses QUIC as transport protocol, for example if the Protocol-Metrics parameter indicates that the protocol used is QUIC, e.g., with a Protocol-ID=QUIC, the following QUIC protocol metrics may be used, although this list is not exhaustive.
In a twentieth option, one of the third indications may indicate the volume of respective message of the first type received for the session. An example for the QUIC protocol of this volume may be a parameter “UL Initial QUIC long header packet volume”. This may be understood to be the average volume of each UL Initial QUIC long header packet for this session, e.g., UE-ID session. Additionally, in case the volume of an individual UL Initial QUIC long header packet exceeds a configurable threshold, this may also be reported.
In a twenty-first option, one of the third indications may indicate the number of consecutive messages of the second type received for the session. An example for the QUIC protocol of this number may be a parameter “Simultaneous UL QUIC”. This may be understood to be the number of consecutive UL Initial QUIC long header packets, with different 5-tuple, usually different source port, for this UE-ID session, over a certain timespan which may also be configurable.
In a twenty-second option, one of the third indications may indicate the number of consecutive messages of the second type received for the session and a same server. An example for the QUIC protocol of this number may be a parameter “Simultaneous UL QUIC same server”. This may be understood to be the number of consecutive UL Initial QUIC long header packets, with different 5-tuple, usually different source port, for this session, e.g., UE-ID session and for the same server, e.g., over a certain timespan which is also configurable.
In a twenty-third option, one of the third indications may indicate the number of consecutive messages of another second type received for the session. An example for the QUIC protocol of this number may be a parameter “Simultaneous unsolicited DL QUIC same server”. This may be understood to be the number of consecutive DL Initial QUIC long header packets, with different 5-tuple, usually different source port, for this session, e.g., UE-ID session, and from the same server, over a certain timespan which is also configurable, initiated from the server side, that is, unsolicited traffic.
The sending in this Action 302a may be performed over a respective first link 151.
The second node 112 may answer the second message with a successful response, accepting the request.
Action 302b
In some embodiments, the one or more additional nodes 112, 113 may comprise the third node 113, e.g., a UDR. In such embodiments, the initiating instructing in this Action 302 may comprise sending 302b, based on the received first message, a third message to the third node 113. The third message may request second information, of the information indicative of the security attack of the first type. The second information may indicate a history of security attacks of the first type for the indicated one or more devices 130.
The third message may be, for example, a Nudr_Query request message, which may indicate the one or more devices 130 with a respective UE-ID as parameter.
For the embodiments wherein the third node 113 may be a UDR, by sending the third message, the first node 111, e.g., a NWDAF, may trigger data collection by requesting from the UDR the subscriber profile relative to the indicated one or more devices 130.
The sending in this Action 302b may be performed over another respective first link 151.
Action 302c
In some embodiments, the initiating instructing in this Action 302 may comprise sending 302c a fourth message to a first device 131 of the one or more devices 130. The fourth message may request third information, of the information indicative of the security attack of the first type. The third information may indicate traffic indicators for one or more applications used by the first device 131. The first node 111 may therefore, in this Action 302c, trigger data collection from the first device 131, specifically to retrieve information relative to active (OS) applications for a particular device, e.g., as identified by a UE-ID.
The fourth message may be, for example, a Nue_EventExposure_Subscribe request message.
In some embodiments, the third information may comprise at least one of: a) an identifier of a first application used by the first device 131; an example of this identifier may be, e.g., a parameter such as “EventId=OSApplications”; the second indication indicating the target UE/s for this event may be, e.g., UE-ID; b) a time of start of a flow run by the first device 131 on the first application; c) a fourth indication of a fourth node 114 serving the first device 131 for the flow, and d) a fifth indication of a volume of traffic for the flow. It is not in scope of embodiments herein to describe the specific mechanism for NWDAF triggering data collection from the first device 131. This may be performed according to mechanisms described in 3GPP TR 23.700-91, v. 17.0.0.
The sending in this Action 302c may be performed over, e.g., the third link 153.
The first device 131 may answer the request message with a successful response, accepting the request.
By initiating instructing in this Action 302, the first node 111 may trigger data collection from the entities in the communications network 100 which may be able to provide information on the one or more applications and/or the one or more devices 130 operating in the communications system 100 that may be a target or a source of the security attack of the first type in the communications system 100. The first node 111 may therefore be enabled to receive, in response to the sending of the second message, the third message and/or the fourth message, one or more additional messages from the at least one of: the one or more additional nodes 112, 113 and the first device 131, as will be described in the next Actions.
Action 303
The second node 112 may have continued to gather data for the one or more protocol metrics, e.g., as indicated in the parameter EventId=ProtocolMetrics. At some point in time, e.g., if the reporting is configured to be periodic, the second node 112 may report data for the indicated one or more protocol metrics.
In this Action 303, the first node 111 may receive from the second node 112, the requested first information in a first additional message of the one or more additional messages. That is, the receiving in this Action 303 of the first information may be in response to the sent second message.
The receiving in this Action 303 may be performed over the respective first link 151.
The first additional message may be a Nupf_EventExposure_Notify request message.
In a particular example, for the TCP protocol, the first additional message may comprise the following parameters: EventId=ProtocolMetrics, UE-ID, and a parameter gathering the information on the protocol used and the one or more protocol metrics as a single parameter “ProtocolMetricsInfo”, which may include the following information. First, the third identifier of the protocol used for the traffic; for example, if the application, e.g., example.com, may use TCP as transport protocol, the third identifier may be “Protocol-ID=TCP”; in other examples, the protocol used may be UDP or QUIC. It may be noted that QUIC may be understood to be more than a transport protocol, since it may go over the UDP transport protocol, but QUIC may include an “embedded” transport protocol; hence, QUIC related metrics may be possible to be obtained. Second, the parameter ProtocolMetricsInfo may include the first information on the one or more protocol metrics with the parameter Protocol-Metrics. The one or more metrics may comprise the one or more third indications described in Action 302a.
By receiving the first information in this Action 303, the first node 111 may then be enabled to, as will be described in Action 306, determine, based on the received first information whether or not the security attack has occurred, and the at least one of the first indication and the second indication, as requested in the received first message. That is, the one or more applications, and the one or more devices 130 that may be a target or a source of the security attack of the first type in the communications system 100.
Action 304
In this Action 304, the first node 111 may receive, from the third node 113, the requested second information in a second additional message of the one or more additional messages.
The receiving in this Action 304 may be performed over the respective first link 151.
The second additional message may comprise the subscriber profile for the indicated one or more devices 130, e.g., via UE-ID, including historic security related information for the indicated one or more devices 130, e.g., via the UE-ID.
By the first node 111 receiving the requested second information in this Action 304, the first node 111 may then be enabled to, as will be described in Action 306, determine, based on the received second information whether or not the security attack has occurred, and the at least one of the first indication and the second indication, as requested in the received first message. That is, the one or more applications, and the one or more devices 130 that may be a target or a source of the security attack of the first type in the communications system 100.
Action 305
The first device 131 may have continued to gather data for the one or more applications that are a target or a source of a security attack of a first type in the communications system 100, e.g., as indicated in the parameter EventId=OSApplications. At some point in time, e.g., if the reporting is configured to be periodic, the first device 131 may report data for the indicated one or more applications.
In this Action 305, the first node 111 may receive, from the first device 131, the requested third information in a third additional message of the one or more additional messages.
The receiving in this Action 305 may be performed over the third link 153.
The third additional message may be a Nue_EventExposure_Notify request message. In a particular example of embodiments herein, the third additional message may comprise the EventId=OSApplications, the second indication of the device operating in the communications system 100 that may be a target or a source of the security attack of the first type in the communications system 100, e.g., via the parameter UE-ID, and the first indication of the one or more applications that are a target or a source of a security attack of a first type in the communications system 100, e.g., with the parameter OSApplicationsInfo. This may comprise the following information. First, an identifier of the one or more applications via the parameter OSApplicationId, e.g., example.com. For each flow: a) an indication of the start time for the flow, e.g., via the parameter Timestamp, b) an indication of the respective fourth node 114 serving the first device 131 for the respective flow comprised in the session for the indicated application, e.g., via a 5-tuple including the Server IP address, and c) an indication of the volume of the information exchanged between the first device 131 and the respective fourth node 114 for the indicated application, optionally differentiating uplink and downlink volume.
By the first node 111 receiving the requested third information in this Action 305, the first node 111 may then be enabled to, as will be described in Action 306, determine, based on the received third information whether or not the security attack has occurred, and the at least one of the first indication and the second indication, as requested in the received first message. That is, the one or more applications, and the one or more devices 130 that may be a target or a source of the security attack of the first type in the communications system 100.
Action 306
In this Action 306, the first node 111 may determine, based on the one or more additional messages received from the at least one of: the one or more additional nodes 112, 113 and the first device 131 , in response to the initiating 302 instructing: i) whether or not the security attack has occurred, and ii) the at least one of the first indication and the second indication, as requested in the received first message.
Determining may be understood as, e.g., calculating, deciding or detecting. The determining in this Action 306 may comprise producing analytics based on the data collected from the one or more additional nodes 112, 113 and the first device 131. In other words, in this Action 306, the first node 111 may, based on the data collected above, run analytic processes and generate a result, as a new analytic which may be referred to as, e.g., “AnalyticResult”. The new analytic result may comprise the following information: an identifier of the analytic, as the parameter, e.g., AnalyticId=Security, and a sixth indication of a suspected type of security attack, as the parameter AnalyticIdType, which in the event the suspected type of security attack is DDoS may be, e.g., AnalyticIdType=DDoS.
The first node 111 may, for example, as part of the determining in this Action 306, check whether the one or more protocol metrics reported meet one or more conditions, e.g., exceed a particular threshold. If so, the first node 111 may then identify the one or more devices 130 that may be involved and/or the respective fourth node 114 that may be involved, and compile a list of one or more devices 130, and/or one or more applications, and/or respective fourth nodes 114 that may be suspected of being a source or a target of the security attack of the first type.
To illustrate this with a particular example, for when TCP may be the transport protocol used for the traffic, the first node 111 may determine if any of the following protocol metrics conditions may be met: 1) the number of unacknowledged connection-oriented transport protocol setup request messages, e.g., “Unacked SYN volume”, exceeds a certain configurable threshold, and/or 2) the volume of respective message of the first type received for the session, e.g., “SYN volume”, exceeds a configurable threshold, and/or 3) the number of consecutive messages of the second type received for the session, e.g., “Simultaneous TCP SYN” exceeds a configurable threshold.
The first node 111 may look for matches between the 5-tuples collected from the first device 131 and the second node 112, and only for the flows where the above protocol metrics values have exceeded the configurable thresholds above. If there is a match, e.g., the same 5-tuple and the same or a similar Timestamp, taking into consideration that the clocks of the first device 131 and the second node 112 may be different, the first node 111 may store the following information. First, as part of the second indication of the one or more devices 130 that may be the target or the source of the security attack of the first type, a list of suspect one or more devices 130, e.g., as the parameter “List of Suspect UE-IDs”. The list may comprise an identifier for each of the one or more devices 130. In this example, a single UE-ID, which may include a subscriber identifier, e.g., International Mobile Subscriber Identifier (IMSI), and/or a device identifier, e.g., International Mobile Equipment Identifier (IMEI). Optionally, an indication for an identified device, e.g., via UE-ID, as being either the source or the target of the security attack of the first type may be generated.
Second, as part of the first indication of the one or more applications that may be the target or the source of the security attack of the first type, a list of suspect one or more applications, e.g., as the parameter “List of Suspect App-IDs”. The list may comprise an identifier for each of the one or more applications. In this example, App-ID=example.com. Optionally, an indication for an identified application, e.g., via App-ID, as being either the source or the target of the security attack of the first type.
Third, the first node 111 may determine one or more suspect fourth nodes 114, e.g., a list of suspect fourth nodes 114, that may be the target or the source of the security attack of the first type, e.g., as the parameter “List of Suspect Server IP”. A further indication may be generated indicating whether the fourth node 114 may be either the source or the target of the security attack of the first type. Fourth, the first node 111 may determine one or more suspected types of attack, e.g., a list of suspect types of attack, e.g., as the parameter “List of Suspect type of attack”, for example, SYN flood. It may be noted that within DDoS, there may be different sub-categories, such as a brute force DDoS attack or a low rate DDoS attack, or, being more granular: SYN flood, UDP flood, HTTP flood, Ping of death, Smurf attack, etc. Additionally, a confidence level may also be determined, e.g., a percentage from 0% to 100%.
By the first node 111 determining whether or not the security attack has occurred, and the at least one of the first indication and the second indication in this Action 306, the first node 111 may be able to perform a new type of analytic relative to security related attacks. The first node 111 may then be enabled to notify the another node 115, which may allow an operator of the communications system 100 to detect different security related attacks and to act upon them, e.g., by blocking the suspected entities, and thereby mitigate the negative consequences that the detected attack may have on the communications system 100.
Action 307
In this Action 307, the first node 111 initiates sending, with the proviso that the security attack is detected based on the monitored information, another message to the another node 115. The another message comprises the requested at least one of the first indication and the second indication, based on the requested subscription.
The another message may be understood to be based a result of the determining of Action 306.
The another message may further comprise at least one of: a) the sixth indication of the suspected type of security attack, and b) a recommended action to mitigate the detected security attack, e.g. block traffic, store an indication of the attack as part of subscriber profile, notify the content provider. The recommended mitigation action may be determined by the first node 111 based both on the detected type of attack and on the confidence level.
The another message may be, for example, a Nnwdaf_AnalyticsSubscription_Notify request message.
In a particular example, when TCP may be the transport protocol used for the traffic, the another message may comprise 1) an indication of the analysis having been performed in Action 305, e.g., the parameter “AnalyticId=Security”, 2) the sixth indication of the suspected type of security attack, e.g., via the parameter “AnalyticIdType=DDoS” in the event the first type of attack may be a DDoS, 3) the second indication of the one or more devices 130 that may be the target or the source of the security attack of the first type, e.g., via the UE-ID; this may be an identifier of a single device, e.g., a single UE-ID, which may include a subscriber identifier, e.g., IMSI, and/or a device identifier, e.g., an IMEI; and an indication of a result of the determination performed in Action 306, as, e.g., the parameter “AnalyticResult”. This parameter may comprise the following information: a) the first indication of the one or more applications that may be the target or the source of the security attack of the first type, as, e.g., the parameter “Suspect App-ID = example.com”; optionally, an indication for the indicated one or more applications, e.g., via App-ID, as being either the source or the target of the security attack of the first type; b) the one or more suspect fourth nodes 114 that may be the target or the source of the security attack of the first type, e.g., as the parameter “Suspect Server IP”. A further indication may be provided indicating whether the fourth node 114 may be either the source or the target of the security attack of the first type; c) the one or more suspected types of attack, e.g., as the parameter “Suspect type of attack”, for example, SYN flood.
Additionally, the confidence level may also be provided, e.g. a percentage from 0% to 100%; and d) the recommended action to mitigate the detected security attack.
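The correlation step of Action 306 and the resulting AnalyticResult of Action 307, as an added example that is not part of the patent text or of any Ericsson implementation. It takes per-flow TCP protocol metrics as a UPF would report them (Action 303) and per-flow application records as a UE would report them (Action 305), applies configurable thresholds to the three TCP conditions named above, matches the two sets on 5-tuple and timestamp while allowing for clock skew between UE and UPF, and assembles the suspect lists. Parameter names follow the text; the record formats, thresholds, tolerance, sample reports, confidence heuristic and the rule that picks the recommended action are assumptions made here.

```python
"""Added example (not the patent's own code): the Action 306 correlation and
the Action 307 analytic result, built from constructed UPF and UE reports."""
from dataclasses import dataclass


@dataclass(frozen=True)
class FiveTuple:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    proto: str


@dataclass
class UpfFlow:
    """One flow from ProtocolMetricsInfo (constructed record format)."""
    tuple5: FiveTuple
    timestamp: float
    metrics: dict   # e.g. {"Unacked SYN volume": 40, "SYN volume": 80, "Simultaneous TCP SYN": 30}


@dataclass
class UeFlow:
    """One flow from OSApplicationsInfo (constructed record format)."""
    app_id: str
    tuple5: FiveTuple
    timestamp: float
    ul_volume: int
    dl_volume: int


# Assumed configurable thresholds for the three TCP conditions named in the text.
THRESHOLDS = {"Unacked SYN volume": 20, "SYN volume": 50, "Simultaneous TCP SYN": 10}
CLOCK_TOLERANCE_S = 2.0   # assumed allowance for the UE and UPF clocks differing


def exceeded(metrics, thresholds=THRESHOLDS):
    """Names of the reported metrics that exceed their configurable threshold."""
    return [name for name, limit in thresholds.items() if metrics.get(name, 0) > limit]


def analyse(ue_id, upf_flows, ue_flows, thresholds=THRESHOLDS, tol=CLOCK_TOLERANCE_S):
    """Return the analytic the first node would notify, or a negative result
    when no flagged UPF flow matches a UE-reported flow."""
    flagged = [f for f in upf_flows if exceeded(f.metrics, thresholds)]
    apps, servers, matched = set(), set(), 0
    for uf in flagged:
        for af in ue_flows:
            # Match on the same 5-tuple and a "same or similar" timestamp.
            if af.tuple5 == uf.tuple5 and abs(af.timestamp - uf.timestamp) <= tol:
                matched += 1
                apps.add(af.app_id)
                servers.add(uf.tuple5.dst_ip)
    if matched == 0:
        return {"AnalyticId": "Security", "attack_detected": False}
    # Assumed heuristic: share of reported UPF flows that were both flagged and matched.
    confidence = round(100 * matched / len(upf_flows))
    action = "block traffic" if confidence >= 50 else "store indication in subscriber profile"
    return {
        "AnalyticId": "Security",
        "AnalyticIdType": "DDoS",
        "UE-ID": ue_id,
        "attack_detected": True,
        "AnalyticResult": {
            # The device originates the SYNs here, so it is marked as the source.
            "List of Suspect UE-IDs": [{"UE-ID": ue_id, "role": "source"}],
            "List of Suspect App-IDs": sorted(apps),
            "List of Suspect Server IP": sorted(servers),
            "List of Suspect type of attack": ["SYN flood"],
            "confidence": confidence,
            "recommended action": action,
        },
    }


def sample_reports():
    """Constructed reports for one device: four UPF flows and three UE flows."""
    ue = "10.0.0.5"
    t1 = FiveTuple(ue, 40001, "203.0.113.10", 443, "TCP")
    t2 = FiveTuple(ue, 40002, "203.0.113.10", 443, "TCP")
    t3 = FiveTuple(ue, 40003, "203.0.113.20", 443, "TCP")
    t4 = FiveTuple(ue, 40004, "203.0.113.30", 443, "TCP")
    hot = {"Unacked SYN volume": 40, "SYN volume": 80, "Simultaneous TCP SYN": 30}
    calm = {"Unacked SYN volume": 0, "SYN volume": 1, "Simultaneous TCP SYN": 1}
    upf = [UpfFlow(t1, 101.5, hot), UpfFlow(t2, 120.0, calm),
           UpfFlow(t3, 150.0, hot), UpfFlow(t4, 300.0, hot)]
    ue_flows = [UeFlow("example.com", t1, 100.0, 50_000, 0),
                UeFlow("video.example", t3, 149.0, 48_000, 0),
                UeFlow("chat.example", t4, 310.0, 40_000, 0)]   # clocks differ by more than tol
    return "ue-id-example-1", upf, ue_flows   # placeholder UE-ID


def run_example():
    return analyse(*sample_reports())
```

In the constructed data, flows t1 and t3 are both over threshold at the UPF and matched by the UE's own records, t2 is below threshold, and t4 is over threshold but its UE timestamp is too far from the UPF one to count as the same flow, which is the case the clock-skew tolerance is meant to bound rather than absorb.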
By the first node 111 initiating sending the another message in this Action 307, the first node 111 may then enable the another node 115 to be notified about any security attack that may be underway in the communications system 100, and thereby enable the another node 115 to take appropriate measures to stop the attack and mitigate any adverse effects the attack may have on the operation of the communications system 100 and/or its components. The capacity of the communications system 100 may therefore be improved and the latency may be reduced.
In some embodiments, the first node 111 may be an NWDAF, the another node 115 may manage an analytics consumer, e.g., a PCF or an OAM, and the one or more additional nodes 113, 114 may comprise one of a UPF and a UDR.
Embodiments of a computer-implemented method performed by the second node 112 will now be described with reference to the flowchart depicted in Figure 4. The method may be understood to be for handling security in the communications system 100. The second node 112 operates in the communications system 100.
The method comprises the following actions. One or more embodiments may be combined, where applicable. All possible combinations are not described to simplify the description. It should be noted that the examples herein are not mutually exclusive. Components from one example or embodiment may be tacitly assumed to be present in another example or embodiment, and it will be obvious to a person skilled in the art how those components may be used in the other examples.
The detailed description of some of the following corresponds to the same references provided above, in relation to the actions described for the first node 111 and will thus not be repeated here to simplify the description. For example, the first node 111 may be a NWDAF and the second node 112 may be a UPF.
Action 401
In this Action 401, the second node 112 receives the instruction from the first node 111 operating in the communications system 100 to monitor information indicative of the security attack of the first type, by receiving the second message from the first node 111. The second message requests the first information, of the information indicative of the security attack of the first type. The first information indicates the traffic indicators for the one or more devices 130 operating in the communications system 100 that are the target or the source of the security attack of the first type in the communications system 100.
The receiving in this Action 401 may be via the respective first link 151.
In some embodiments, the first information may comprise at least one of: a) the first identifier of the first information, b) the second identifier of the first device 131 of the one or more devices 130, c) the third identifier of the protocol used for the traffic, and d) the one or more protocol metrics.
The one or more metrics may comprise the one or more third indications indicating, respectively, one of: a) the ratio of connection-oriented transport protocol setup request messages to connection-oriented transport protocol setup response messages for the session, b) the number of unacknowledged connection-oriented transport protocol setup request messages, c) the volume of respective message of the first type received for the session, d) the number of consecutive messages of the second type received for the session, e) the average size of the window for the session, f) the number of duplicated acknowledgement messages for the session, g) the number of packets sent for the session, h) the number of retransmitted information for the session, i) the maximum segment size for the session, j) the number of units of information sent during the initial window of the session, k) the maximum idle time between consecutive packets for the session, l) the minimum idle time between consecutive packets for the session, m) the throughput for the session, n) the respective start time of the respective flow comprised in the session, o) the respective fourth node 114 serving the first device 131 for the respective flow comprised in the session, and p) the respective volume of the respective flow comprised in the session.
In some embodiments, the security attack of the first type may be a DoS attack.
By receiving the second message in this Action 401, the second node 112 may be enabled to start monitoring the requested first information, and when appropriate, e.g., on-demand, when a condition is met, or periodically, report the collected first information to the first node 111, thereby enabling the first node 111 to analyze the information and determine whether or not the attack has taken place, and by whom, so that actions to mitigate such an attack may be taken.
Action 402
The second node 112, after receiving the second message, may initiate the monitoring of the information indicative of the security attack of the first type. This may be performed, for example, by monitoring traffic, e.g., UL traffic from the one or more devices 130, in relation to the one or more applications. The second node 112 may detect this traffic, e.g., UL TCP traffic, and detect, for example, TCP SYN messages, and gather data for the requested first information. During the monitoring, the second node 112 may, for example, store the following information for each detected flow: a) the time of start of a flow run by the first device 131 on the first application, e.g., a Timestamp, b) the fourth indication, e.g., the 5-tuple, including the Server IP address, and c) the fifth indication, e.g., the Volume.
In this Action 402, the second node 112 sends the requested first information to the first node 111, in the first additional message.
The sending in this Action 402 may be via the respective first link 151.
The sending in this Action 402 may be one of: periodic, when prompted by the first node 111, and/or upon fulfilment of one or more conditions, e.g., a number of TCP SYN messages having been detected.
By sending the requested first information to the first node 111, the second node 112 may then enable the first node 111 to analyze the information and determine whether or not the attack has taken place, and by whom, so that actions to mitigate such an attack may be taken.
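How the second node could derive the protocol metrics of Action 402 from observed traffic, as an added example that is not part of the patent text or of any UPF implementation. It covers the TCP metrics used in Action 306 (SYN/SYN-ACK ratio, unacknowledged SYNs, SYN volume, simultaneous SYNs) and the QUIC Initial long header metrics of the twentieth to twenty-third options above (UL Initial volume, simultaneous UL Initials overall and per server, and unsolicited DL Initials per server). The metric names follow the text; the packet record format, the sliding-window rule used for the "simultaneous" counters, the way a DL reply is paired with its UL request, and the sample traffic are assumptions made here.

```python
"""Added example (not the patent's own code): UPF-side protocol metrics for
TCP SYN and QUIC Initial traffic, computed from constructed packet records."""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Pkt:
    ts: float        # seconds since the start of the session
    direction: str   # "UL" (device to server) or "DL" (server to device)
    proto: str       # "TCP" or "QUIC"
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    kind: str        # "SYN", "SYN-ACK", "INITIAL" or "DATA"
    size: int        # bytes


def five_tuple(p):
    return (p.src_ip, p.src_port, p.dst_ip, p.dst_port, p.proto)


def reversed_tuple(p):
    """5-tuple of the opposite direction, used to pair a DL reply with its UL request."""
    return (p.dst_ip, p.dst_port, p.src_ip, p.src_port, p.proto)


def max_distinct_tuples(pkts, window):
    """Largest number of distinct 5-tuples seen within any `window` seconds.
    This is the "Simultaneous ..." counter: consecutive setup packets, each on a
    different 5-tuple (usually a different source port), inside a configurable timespan."""
    pkts = sorted(pkts, key=lambda p: p.ts)
    counts, best, lo = defaultdict(int), 0, 0
    for p in pkts:
        counts[five_tuple(p)] += 1
        while p.ts - pkts[lo].ts > window:      # slide the window start forward
            old = five_tuple(pkts[lo])
            counts[old] -= 1
            if counts[old] == 0:
                del counts[old]
            lo += 1
        best = max(best, len(counts))
    return best


def avg_size(pkts):
    """Average packet size, i.e. the per-message "volume" of the text."""
    return sum(p.size for p in pkts) / len(pkts) if pkts else 0.0


def tcp_metrics(pkts, window=1.0):
    syns = [p for p in pkts if p.proto == "TCP" and p.direction == "UL" and p.kind == "SYN"]
    synacks = [p for p in pkts if p.proto == "TCP" and p.direction == "DL" and p.kind == "SYN-ACK"]
    answered = {reversed_tuple(p) for p in synacks}   # UL 5-tuples that got a SYN-ACK
    return {
        "SYN/SYN-ACK ratio": len(syns) / len(synacks) if synacks else float("inf"),
        "Unacked SYN volume": sum(1 for p in syns if five_tuple(p) not in answered),
        "SYN volume": avg_size(syns),
        "Simultaneous TCP SYN": max_distinct_tuples(syns, window),
    }


def quic_metrics(pkts, window=1.0):
    ul = [p for p in pkts if p.proto == "QUIC" and p.direction == "UL" and p.kind == "INITIAL"]
    dl = [p for p in pkts if p.proto == "QUIC" and p.direction == "DL" and p.kind == "INITIAL"]
    ul_tuples = {five_tuple(p) for p in ul}
    # A DL Initial whose reversed 5-tuple was never seen as a UL Initial is server-initiated.
    unsolicited = [p for p in dl if reversed_tuple(p) not in ul_tuples]
    by_server, unsolicited_by_server = defaultdict(list), defaultdict(list)
    for p in ul:
        by_server[p.dst_ip].append(p)
    for p in unsolicited:
        unsolicited_by_server[p.src_ip].append(p)
    per_server = lambda groups: max((max_distinct_tuples(v, window) for v in groups.values()), default=0)
    return {
        "UL Initial QUIC long header packet volume": avg_size(ul),
        "Simultaneous UL QUIC": max_distinct_tuples(ul, window),
        "Simultaneous UL QUIC same server": per_server(by_server),
        "Simultaneous unsolicited DL QUIC same server": per_server(unsolicited_by_server),
    }


UE, SRV_A, SRV_B, SRV_C, SRV_D = "10.0.0.5", "203.0.113.10", "203.0.113.20", "203.0.113.30", "203.0.113.40"


def sample_traffic():
    """Constructed session: 12 TCP SYNs of which only 2 are answered, 6 QUIC Initials
    to two servers, one solicited DL Initial, and 2 server-initiated DL Initials."""
    pkts = [Pkt(i * 0.125, "UL", "TCP", UE, 40000 + i, SRV_A, 443, "SYN", 60) for i in range(12)]
    pkts += [Pkt(0.01, "DL", "TCP", SRV_A, 443, UE, 40000, "SYN-ACK", 60),
             Pkt(0.135, "DL", "TCP", SRV_A, 443, UE, 40001, "SYN-ACK", 60)]
    pkts += [Pkt(i * 0.125, "UL", "QUIC", UE, 50000 + i, SRV_B, 443, "INITIAL", 1200) for i in range(5)]
    pkts += [Pkt(0.5, "UL", "QUIC", UE, 50010, SRV_C, 443, "INITIAL", 1200),
             Pkt(0.6, "DL", "QUIC", SRV_B, 443, UE, 50000, "INITIAL", 1200),   # reply to a UL Initial
             Pkt(2.0, "DL", "QUIC", SRV_D, 443, UE, 6000, "INITIAL", 1200),    # unsolicited
             Pkt(2.1, "DL", "QUIC", SRV_D, 443, UE, 6001, "INITIAL", 1200)]    # unsolicited
    return pkts
```

The window length is the "configurable timespan" of the text; with the constructed traffic and a 1 s window, the TCP SYNs spread over 1.375 s so only 9 of the 12 fall into one window, while all 6 UL QUIC Initials do.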
Embodiments of a computer-implemented method performed by the communications system 100, will now be described with reference to the flowchart depicted in Figure 5. The method may be understood to be for handling security in the communications system 100. The communications system 100 comprises the first node 111 and the one or more additional nodes 112, 113.
The method may comprise one or more of the following actions. Several embodiments are comprised herein. In some embodiments, the method may comprise one action. In other embodiments, the method may comprise two or more actions. One or more embodiments may be combined, where applicable. All possible combinations are not described to simplify the description. It should be noted that the examples herein are not mutually exclusive. Components from one example may be tacitly assumed to be present in another example and it will be obvious to a person skilled in the art how those components may be used in the other examples. In Figure 5, optional actions are depicted with dashed lines.
The detailed description of the Actions depicted in Figure 5 may be understood to correspond to that already provided when describing the actions performed by each of the first node 111 and the second node 112, and will therefore not be repeated here. Any of the details and/or embodiments already described earlier may be understood to equally apply to the description below. For example, the first node 111 may be an NWDAF, the another node 115 may manage an analytics consumer, e.g., a PCF or an OAM, and the one or more additional nodes 113, 114 may comprise one of a UPF and a UDR. Also, some actions may be performed in a different order than that depicted in Figure 5. Particularly, Actions 502a, 502b, 502c, 509, 510 and 511 may be performed in a different order. In a particular alternative example to that depicted in Figure 5, these Actions may be performed in the order of 502b, 510, 502a, 502c, 511, 509.
Action 501
In this Action 501, which corresponds to Action 301, the first node 111 receives, from the another node 115 operating in the communications system 100, the first message. The first message requests the subscription to receive at least one indication indicating the security attack of the first type in the communications system 100. The indication is of at least one of: i) the first indication of the one or more applications that are the target or the source of the security attack of the first type in the communications system 100, and ii) the second indication of the one or more devices 130 operating in the communications system 100 that are the target or the source of the security attack of the first type in the communications system 100.
The security attack of the first type may be, for example, a DoS attack. There may be other types of attacks.
Action 502
In this Action 502, which corresponds to Action 302, the first node 111 initiates instructing, based on the received first message, at least one of: the one or more additional nodes 112, 113 and the first device 131 of the one or more devices 130, to monitor information indicative of the security attack of the first type.
Action 502a
In some embodiments, in this Action 502a, which corresponds to Action 302a, the first node 111 may send the second message to the second node 112.
Action 502b
In some embodiments, wherein the one or more additional nodes 112, 113 may comprise the third node 113, the initiating 302 instructing may comprise, in this Action 502b, which corresponds to Action 302b, the first node 111 sending, based on the received first message, the third message to the third node 113. The third message may request the second information, of the information indicative of the security attack of the first type. The second information may indicate the history of the security attacks of the first type for the indicated one or more devices 130.
Action 502c
In some embodiments, in this Action 502c, which corresponds to Action 302c, the first node 111 may send the fourth message to the first device 131 of the one or more devices 130. The fourth message may request the third information, of the information indicative of the security attack of the first type. The third information may indicate the traffic indicators for one or more applications used by the first device 131.
In some embodiments, the third information may comprise at least one of: a) the identifier of the first application used by the first device 131, b) the time of start of the flow run by the first device 131 on the first application; c) the fourth indication of the fourth node 114 serving the first device 131 for the flow, and d) the fifth indication of the volume of traffic for the flow.
Action 503
In this Action 503, which corresponds to Action 401, the second node 112 of the one or more additional nodes 112, 113, receives the instruction from the first node 111 operating in the communications system 100 to monitor the information indicative of the security attack of the first type, by receiving the second message from the first node 111. The second message requests the first information, of the information indicative of the security attack of the first type. The first information indicates the traffic indicators for the one or more devices 130 operating in the communications system 100 that are the target or the source of the security attack of the first type in the communications system 100.
In some embodiments, the first information may comprise at least one of: a) the first identifier of the first information, b) the second identifier of the first device 131 of the one or more devices 130, c) the third identifier of a protocol used for the traffic, and d) the one or more protocol metrics.
The one or more metrics may comprise the one or more third indications. The one or more third indications may indicate, respectively, one of the following options, although this is a non-exhaustive list: a) the ratio of connection-oriented transport protocol setup request messages to connection-oriented transport protocol setup response messages for the session, b) the number of unacknowledged connection-oriented transport protocol setup request messages, c) the volume of respective message of the first type received for the session, d) the number of consecutive messages of the second type received for the session, e) the average size of the window for the session, f) the number of duplicated acknowledgement messages for the session, g) the number of packets sent for the session, h) the number of retransmitted information for the session, i) the maximum segment size for the session, j) the number of units of information sent during the initial window of the session, k) the maximum idle time between consecutive packets for the session, l) the minimum idle time between consecutive packets for the session, m) the throughput for the session, n) the respective start time of the respective flow comprised in the session, o) the respective fourth node 114 serving the first device 131 for the respective flow comprised in the session, and p) the respective volume of the respective flow comprised in the session.
Action 504
In some embodiments, this Action 504 may comprise receiving, by the third node 113, from the first node 111, the third message.
The receiving in this Action 504 may be performed via a respective first link 151.
Action 505
In some embodiments, this Action 505 may comprise receiving 505, by the first device 131, from the first node 111, the fourth message.
The receiving in this Action 505 may be performed via the third link 153.
Action 506
This Action 506, which corresponds to Action 402, comprises sending 506, 402, by the second node 112, the requested first information to the first node 111, in the first additional message.
Action 507
In some embodiments, the method may comprise, in this Action 507, sending 507, by the third node 113, to the first node 111, the requested second information in the second additional message of the one or more additional messages.
Action 508
This Action 508 may comprise sending 508, by the first device 131, to the first node 111, the requested third information in the third additional message of the one or more additional messages.
Action 509
In some embodiments, the method may comprise, in this Action 304, which corresponds to Action 303, receiving, by the first node 111, from the second node 112, the requested first information in the first additional message of the one or more additional messages.
Action 510
This Action 510, which corresponds to Action 402, may comprise receiving, by the first node 111, from the third node 113, the requested second information in the first additional message.
Action 511
In some embodiments, the method may comprise, in this Action 511, which corresponds to Action 305, receiving, by the first node 111, from the first device 131, the requested third information in the third additional message.
Action 512
This Action 512, which corresponds to Action 306, may comprise determining, by the first node 111 and based on the one or more additional messages received from the at least one of: the one or more additional nodes 112, 113 and the first device 131, in response to the initiating 302 instructing: i) whether or not the security attack has occurred, and ii) the at least one of the first indication and the second indication, as requested in the received first message.
Action 513
This Action 513, which corresponds to Action 307, comprises initiating sending, by the first node 111, with the proviso that the security attack is detected based on the monitored information, the another message to the another node 115. The another message comprises the requested at least one of the first indication and the second indication, based on the requested subscription.
The another message may be based on a result of the determining in Action 512.
The another message may further comprise at least one of: a) the sixth indication of the suspected type of security attack, and b) the recommended action to mitigate the detected security attack.
The methods just described as being implemented by the first node 111, the second node 112 and the communications system 100 will now be described in further detail with a specific non-limiting example in the next three figures.
Figure 6 is a signalling diagram depicting a first non-limiting example of the method performed by the communications system 100, to generate and use the new analytic relative to security related attacks for the specific case of DDoS attacks, described in embodiments herein. The steps of this example are detailed below. In this non-limiting example, the first node 111 is a NWDAF, the second node 112 is a UPF, the third node 113 is a UDR, the fourth node 114 is an Application Server (App Server), the another node 115 is a consumer, e.g., any NF, such as a PCF or an OAM, and the first device 131 is a UE. In this example, in step 1, the another node 115, the consumer, subscribes with the first node 111 to the new analytic described in examples herein, AnalyticId=Security, and indicates which security scenario is of interest, here, DDoS related attacks, as indicated by the parameter AnalyticIdType=DDoS. The another node 115 subscribes, at step 2, according to Action 501, 301, by triggering the first message as a Nnwdaf_AnalyticsSubscription_Subscribe request message including the following parameters: AnalyticId=Security, and AnalyticIdType=DDoS. The first message requests to receive at least one of the first indication and the second indication. Optionally, the first message may explicitly comprise the first indication as a list of App-IDs. This may indicate the App-ID(s) which may be the target for security. In the example use case shown in the sequence diagram of Figure 6, no App-ID is included, that is, the list is empty, which may be understood to mean that all user traffic is subject to this analytic. Also optionally, the first message may explicitly comprise the second indication as a UE-ID or list of UE-IDs, a UE-Group-ID or list of UE-Group-IDs, or AnyUE. This may indicate the UE(s) which may be the target for security.
In the example use case shown in the sequence diagram of Figure 6, for simplicity, this field is set to a certain UE, with a particular UE-ID. At step 3, the first node 111 answers the request message in Step 2 with a successful response, accepting the request. At steps 4 and 5, the first node 111 triggers, according to Action 502b, 302b, data collection from the third node 113. In order to do this, the first node 111 requests the third node 113 to provide, as second information, the subscriber profile relative to the first device 131 indicated with a UE-ID. To do so, the first node 111 triggers a Nudr_Query request message as third message indicating the UE-ID as parameter, which the third node 113 receives in accordance with Action 504. At step 6, the third node 113, according to Actions 507, 510, 304, returns the subscriber profile for the UE-ID, including historic security related information for the UE-ID, in the second additional message. At steps 7 and 8, the first node 111, according to Action 502a, 302a, 503, 401, triggers data collection from the second node 112, specifically to retrieve information relative to protocol metrics for the UE-ID. In order to do this, the first node 111 triggers the second message as a Nupf_EventExposure_Subscribe request message requesting the first information including the following parameters: the first identifier of the first information as the parameter EventId=ProtocolMetrics, to request the one or more protocol metrics, and the second identifier of the first device 131 of the one or more devices 130 as UE-ID. This may be understood to indicate the target UE(s) for this event. It is not in the scope of embodiments herein to describe the specific mechanism for the NWDAF triggering data collection from the UPF. It is assumed the existing mechanisms proposed in 3GPP TR 23.700-91, v. 17.0.0 may be used, e.g., through the SMF or directly, assuming a service based UPF.
At step 9, the second node 112 answers the request message in Step 8 with a successful response, accepting the request. At steps 10 and 11, the first node 111, according to Action 502c, 302c, 505, triggers data collection from the first device 131, specifically to retrieve information relative to the active Operating System (OS) applications used by the first device 131, identified with the UE-ID. In order to do this, the first node 111 triggers the fourth message as a Nue_EventExposure_Subscribe request message requesting the third information indicating traffic indicators for one or more applications used by the first device 131, including the following parameters: EventId=OSApplications, and UE-ID. This may be understood to indicate the target UE(s) for this event. It is not in the scope of embodiments herein to describe the specific mechanism for the NWDAF triggering data collection from a UE. It is assumed the existing mechanisms proposed in 3GPP TR 23.700-91, v. 17.0.0 may be used. At step 12, the first device 131 answers the request message in Step 11 with a successful response, accepting the request.
Figure 7 is a continuation of the procedure depicted in Figure 6. At step 13, the first device 131 starts an application, e.g., example.com, which runs over TCP and uses encryption, e.g., TLS 1.3, where the TLS Client Hello SNI field is encrypted, thus making it difficult for the network operator to detect the corresponding App-ID. The first device 131 detects the request from the application client and gathers data for the EventId=OSApplications. In particular, the first device 131 stores the following information: 1) the identifier of a first application used by the first device 131 with the parameter OSApplicationId, e.g., example.com, and 2) for each flow: a) the time of start of the flow run by the first device 131 on the first application with the parameter Timestamp, indicating the start time for the flow, b) the fourth indication of the fourth node 114 serving the first device 131 for the flow with the parameter 5-tuple, including the Server IP address, and c) the fifth indication of the volume of traffic for the flow with the parameter Volume. At step 14, the first device 131 sends application traffic for example.com to the second node 112. In this case, the application triggers multiple TCP SYN messages, which may be understood to be a type of DDoS attack aimed at consuming network and/or server resources. At step 15, the second node 112 detects UL TCP traffic, in this example multiple TCP SYN messages, and gathers data for the EventId=ProtocolMetrics. In this example, it is assumed that the second node 112 is not able to detect the App-ID for this TCP traffic. The second node 112 stores the following information for each detected flow: a) Timestamp, indicating the start time for the flow, b) 5-tuple, including the Server IP address, and c) Volume.
At steps 16, 17 and 18, the fourth node 114, here the application server for example.com, receives uplink traffic in Step 16, processes it and generates downlink traffic in Step 17 for the same, but reversed, 5-tuple as in Step 16; in this example, however, it does not answer the UL TCP SYN messages with the corresponding DL TCP SYN ACK messages. That is, either the application server is overloaded due to the high number of simultaneous UL TCP SYN messages received, or the application server intentionally avoids sending TCP SYN ACK messages, trying to consume network resources. At step 19, the second node 112 detects DL TCP traffic from the fourth node 114, the Application Server. In this example, the second node 112 detects no DL TCP SYN ACK messages corresponding to the UL TCP SYN messages, and gathers data for EventId=ProtocolMetrics. At step 20, the second node 112 forwards application traffic towards the first device 131. At steps 21 and 22, the first device 131 continues gathering data for the EventId=OSApplications and at some point, e.g., periodic reporting, the first device 131 reports data for the EventId=OSApplications.
In order to do that, the first device 131, according to Action 508, 511, 305, notifies the first node 111 by triggering the third additional message as a Nue_EventExposure_Notify request message including the third information as the following parameters: a) the parameter EventId=OSApplications, b) the second indication as a UE-ID, which indicates the target first device 131 for this event, and c) the indication as the parameter OSApplicationsInfo, which includes the following information, stored in previous steps: c.1) the identifier of the first application used by the first device 131, as the parameter OSApplicationId, in this example, example.com, and c.2) for each flow: i) the time of start of the flow run by the first device 131 on the first application as the parameter Timestamp, indicating the start time for the flow, ii) the fourth indication of the fourth node 114 serving the first device 131 for the flow as the parameter 5-tuple, including the Server IP address, and iii) the fifth indication of the volume of traffic for the flow as the parameter Volume, optionally differentiating uplink and downlink volume.
Figure 8 is a continuation of the procedure depicted in Figure 7. At step 23, the first node 111 answers the message in Step 22 with a successful response. At steps 24 and 25, the second node 112 continues gathering data for the EventId=ProtocolMetrics and, at some point, e.g., periodic reporting, the second node 112, in agreement with Action 506, 402, 509 and 303, reports data for the EventId=ProtocolMetrics. In order to do that, the second node 112 notifies the first node 111 by triggering the first additional message as a Nupf_EventExposure_Notify request message including the following parameters: 1) the first identifier of the first information as the parameter EventId=ProtocolMetrics, 2) the second identifier of the first device 131 of the one or more devices 130 as the UE-ID, and 3) the one or more protocol metrics as the parameter ProtocolMetricsInfo. In this non-limiting example, this parameter includes the following information, stored from previous steps: 3.a) the third identifier of a protocol used for the traffic as the parameter Protocol-ID=TCP. In this example, the application, example.com, uses TCP as transport protocol. In general, this may be TCP, UDP or QUIC. It may be noted that QUIC is more than a transport protocol: it runs over the UDP transport protocol, but QUIC may include an “embedded” transport protocol, so QUIC related metrics may be possible to obtain; and 3.b) the one or more protocol metrics for this protocol as the parameter Protocol-Metrics. In this example, as the application example.com uses TCP as transport protocol, the following TCP protocol metrics as one or more third indications are proposed, although the list is non-exhaustive: 3.b.1) First, the ratio of connection-oriented transport protocol setup request messages to connection-oriented transport protocol setup response messages for the session as the parameter “SYN to SYN-ACK ratio”.
This may be understood to indicate the ratio between SYN and SYN-ACK messages for this UE-ID session, e.g., a ratio of 1 means that there is a corresponding SYN-ACK message for each SYN message. 3.b.2) Second, the number of unacknowledged connection-oriented transport protocol setup request messages as the parameter “Unacked SYN volume”. This may be understood to indicate the number of TCP SYN messages for which no TCP SYN-ACK and/or TCP ACK messages have been detected by the UPF for this UE-ID session. 3.b.3) Third, the volume of respective message of the first type received for the session as the parameter “SYN volume”. This may be understood to indicate the average volume of each TCP SYN message for this UE-ID session. Additionally, in case the volume of an individual TCP SYN message exceeds a configurable threshold, this may also be reported. 3.b.4) Fourth, the number of consecutive messages of the second type received for the session as the parameter “Simultaneous TCP SYN”. This may be understood to indicate the number of consecutive TCP SYN messages for this UE-ID session over a certain timespan, which may also be configurable. 3.b.5) Fifth, the average size of the window for the session as the parameter “TCP average window size”. This may be understood to indicate the average window size for this UE-ID session. 3.b.6) Sixth, the number of duplicated acknowledgement messages for the session as the parameter “Duplicated ACKs”. This may be understood to indicate the number of duplicated ACKs for this UE-ID session. 3.b.7) Seventh, the number of packets sent for the session as the parameter “RST”. This may be understood to indicate the number of TCP RST packets sent for this UE-ID session. 3.b.8) Eighth, the number of retransmitted information for the session as the parameter “Retransmissions”. This may be understood to indicate the number of retransmitted packets/bytes for this UE-ID session.
3.b.9) Ninth, the maximum segment size for the session as the parameter “Maximum Segment Size”. This may be understood to indicate the maximum segment size for this UE-ID session. 3.b.10) Tenth, the number of units of information sent during the initial window of the session as the parameter “Initial window packets/bytes”. This may be understood to indicate the number of packets/bytes sent during the initial window for this UE-ID session. 3.b.11) Eleventh, the maximum idle time between consecutive packets for the session as the parameter “Max Idle time”. This may be understood to indicate the maximum idle time between consecutive packets for this UE-ID session. 3.b.12) Twelfth, the minimum idle time between consecutive packets for the session as the parameter “Min Idle time”. This may be understood to indicate the minimum idle time between consecutive packets for this UE-ID session. 3.b.13) Thirteenth, the throughput for the session as the parameter “Average throughput”. This may be understood to indicate the average throughput for this UE-ID session. Each of 3.b.14), 3.b.15) and 3.b.16) is reported for each flow. 3.b.14) Fourteenth, the respective start time of the respective flow comprised in the session as the parameter Timestamp. 3.b.15) Fifteenth, the respective fourth node 114 serving the first device 131 for the respective flow comprised in the session as the parameter 5-tuple, including the Server IP address. 3.b.16) Sixteenth, the respective volume of the respective flow comprised in the session as the parameter Volume, optionally differentiating uplink and downlink volume. The above Protocol-Metrics as one or more third indications may be understood to be specific to the TCP protocol.
The following metrics as one or more third indications may be used for UDP and QUIC. If the application uses UDP as transport protocol, the following UDP protocol metrics comprised in the parameter Protocol-Metrics, for Protocol-ID=UDP, may be used, although the list is non-exhaustive: 3.b.1’) First, as the number of consecutive messages of the second type received for the session, the parameter “Simultaneous UL UDP”. This may be understood to indicate the number of consecutive UL UDP messages, with different 5-tuple, usually different source port, for this UE-ID session, over a certain timespan which may be configurable. 3.b.2’) Second, as the number of consecutive messages of the second type received for the session for a same server, the parameter “Simultaneous UL UDP same server”. This may be understood to indicate the number of consecutive UL UDP messages, with different 5-tuple, usually different source port, for this UE-ID session and for the same server, over a certain timespan which may be configurable. 3.b.3’) Third, as the number of consecutive messages of another second type received for the session for a same server, the parameter “Simultaneous unsolicited DL UDP same server”. This may be understood to indicate the number of consecutive DL UDP messages, with different 5-tuple, usually different source port, for this UE-ID session and from the same server, over a certain timespan which may be configurable, initiated from the server side, that is, unsolicited traffic.
If the application uses QUIC as transport protocol, the following QUIC protocol metrics as one or more third indications may be used, comprised in the parameter Protocol-Metrics for Protocol-ID=QUIC, although the list may be understood to be non-exhaustive: 3.b.1”) First, as the volume of respective message of the first type received for the session, the parameter “UL Initial QUIC long header packet volume”. This may be understood to indicate the average volume of each UL Initial QUIC long header packet for this UE-ID session. Additionally, in case the volume of an individual UL Initial QUIC long header packet exceeds a configurable threshold, this may also be reported. 3.b.2”) Second, as the number of consecutive messages of the second type received for the session, the parameter “Simultaneous UL QUIC”. This may be understood to indicate the number of consecutive UL Initial QUIC long header packets, with different 5-tuple, usually different source port, for this UE-ID session, over a certain timespan which is also configurable. 3.b.3”) Third, as the number of consecutive messages of the second type received for the session and a same server, the parameter “Simultaneous UL QUIC same server”. This may be understood to indicate the number of consecutive UL Initial QUIC long header packets, with different 5-tuple, usually different source port, for this UE-ID session and for the same server, over a certain timespan which may also be configurable. 3.b.4”) Fourth, as the number of consecutive messages of another second type received for the session, the parameter “Simultaneous unsolicited DL QUIC same server”. This may be understood to indicate the number of consecutive DL Initial QUIC long header packets, with different 5-tuple, usually different source port, for this UE-ID session and from the same server, over a certain timespan which is also configurable, initiated from the server side, that is, unsolicited traffic.
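The TCP Protocol-Metrics 3.b.1) to 3.b.16) above, and the list of metrics given at the start of this section, computed on the UPF side over one UE-ID session, as an added example that is not part of the patent: the `Packet` record, the constructed sample session, the function names and the key names of the returned dictionary are assumptions; the `window` and `syn_size_threshold` arguments stand in for the configurable timespan and SYN-size threshold the text mentions, and `count_simultaneous` is the generic sliding-window count that also serves the UDP and QUIC "Simultaneous" metrics when fed the timestamps of the matching packets.

```python
"""UPF-side computation of TCP Protocol-Metrics for one UE-ID session (added example)."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    ts: float           # capture time in seconds on the UPF clock
    direction: str      # "UL" (UE -> server) or "DL" (server -> UE)
    src: tuple          # (ip, port) of the sender
    dst: tuple          # (ip, port) of the receiver
    flags: frozenset    # TCP flags, e.g. frozenset({"SYN"})
    size: int           # bytes on the wire
    seq: int = 0
    ack: int = 0


def flow_key(p):
    """Direction-independent flow key: the uplink 5-tuple (client side first)."""
    return (p.src, p.dst, "TCP") if p.direction == "UL" else (p.dst, p.src, "TCP")


def count_simultaneous(timestamps, window):
    """Largest number of events inside any sliding window of `window` seconds.
    The same helper serves "Simultaneous TCP SYN", "Simultaneous UL UDP" and
    "Simultaneous UL QUIC" when given the timestamps of the relevant packets."""
    ts = sorted(timestamps)
    best = lo = 0
    for hi, t in enumerate(ts):
        while t - ts[lo] > window:
            lo += 1
        best = max(best, hi - lo + 1)
    return best


def tcp_protocol_metrics(packets, window=1.0, syn_size_threshold=120):
    """Compute the TCP Protocol-Metrics (3.b.1 .. 3.b.16) for one UE-ID session.
    `window` and `syn_size_threshold` are the configurable values named in the text."""
    packets = sorted(packets, key=lambda p: p.ts)
    syns = [p for p in packets if p.direction == "UL" and p.flags == {"SYN"}]
    synacks = [p for p in packets if p.direction == "DL" and p.flags == {"SYN", "ACK"}]
    answered = {flow_key(p) for p in synacks}          # flows whose SYN got a SYN-ACK
    flows, seen, acks = {}, set(), set()
    retrans = dup_acks = 0
    for p in packets:
        k = flow_key(p)
        f = flows.setdefault(k, {"Timestamp": p.ts, "Server IP": k[1][0],
                                 "UL volume": 0, "DL volume": 0})
        f[p.direction + " volume"] += p.size
        if p.flags == {"ACK"}:                          # pure ACK: duplicate-ACK check
            sig = (k, p.direction, p.ack)
            dup_acks += int(sig in acks)
            acks.add(sig)
        else:                                           # SYN/data/RST: retransmission check
            sig = (k, p.direction, p.seq, p.flags)
            retrans += int(sig in seen)
            seen.add(sig)
    gaps = [b.ts - a.ts for a, b in zip(packets, packets[1:])]
    span = packets[-1].ts - packets[0].ts if len(packets) > 1 else 0.0
    return {
        "SYN to SYN-ACK ratio": len(syns) / len(synacks) if synacks else float("inf"),
        "Unacked SYN volume": sum(1 for p in syns if flow_key(p) not in answered),
        "SYN volume": sum(p.size for p in syns) / len(syns) if syns else 0.0,
        "Oversized SYN flows": [flow_key(p) for p in syns if p.size > syn_size_threshold],
        "Simultaneous TCP SYN": count_simultaneous([p.ts for p in syns], window),
        "Duplicated ACKs": dup_acks,
        "RST": sum(1 for p in packets if "RST" in p.flags),
        "Retransmissions": retrans,
        "Maximum Segment Size": max((p.size for p in packets), default=0),  # largest packet seen
        "Max Idle time": max(gaps) if gaps else 0.0,
        "Min Idle time": min(gaps) if gaps else 0.0,
        "Average throughput": sum(p.size for p in packets) / span if span else 0.0,
        "Flows": flows,                                 # 3.b.14 .. 3.b.16, per flow
    }


def sample_session():
    """Constructed packets for one UE session (not captured traffic): a burst of ten
    TCP SYNs towards one server, of which only the first two are answered."""
    ue, srv = "10.0.0.1", "203.0.113.10"
    pkts = []
    for i in range(10):
        size = 1500 if i == 7 else 60                   # one oversized SYN
        pkts.append(Packet(0.05 * i, "UL", (ue, 40000 + i), (srv, 443),
                           frozenset({"SYN"}), size, seq=1000 + i))
    for i in (0, 1):                                    # server answers two SYNs only
        pkts.append(Packet(0.05 * i + 0.01, "DL", (srv, 443), (ue, 40000 + i),
                           frozenset({"SYN", "ACK"}), 60, seq=5000, ack=1001 + i))
        pkts.append(Packet(0.05 * i + 0.02, "UL", (ue, 40000 + i), (srv, 443),
                           frozenset({"ACK"}), 52, seq=1001 + i, ack=5001))
    # A duplicated ACK on the first flow, a server RST on the third flow and a
    # retransmitted SYN (same seq) on the sixth flow.
    pkts.append(Packet(0.03, "UL", (ue, 40000), (srv, 443), frozenset({"ACK"}), 52, seq=1001, ack=5001))
    pkts.append(Packet(0.10, "DL", (srv, 443), (ue, 40002), frozenset({"RST"}), 40, seq=0, ack=1003))
    pkts.append(Packet(1.50, "UL", (ue, 40005), (srv, 443), frozenset({"SYN"}), 60, seq=1005))
    return pkts


if __name__ == "__main__":
    for name, value in tcp_protocol_metrics(sample_session()).items():
        print(name, "->", value if name != "Flows" else f"{len(value)} flows")
```

On the constructed session the SYN to SYN-ACK ratio is 5.5, nine SYN messages are unacknowledged and ten SYNs fall inside a one-second window; the per-flow entries carry the Timestamp, Server IP and UL/DL volume that the 5-tuple correlation at step 27 consumes.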
At step 26, the first node 111 answers the message in Step 25 with a successful response. At step 27, the first node 111, in accordance with Action 512, 306, produces analytics based on the data collected from the third node 113, the first device 131 and the second node 112. Specifically, the first node 111 runs the following logic. In case any of the following conditions on the protocol metrics, taking TCP in the example, are met: “Unacked SYN volume” exceeds a certain configurable threshold, and/or “SYN volume” exceeds a configurable threshold, and/or “Simultaneous TCP SYN” exceeds a configurable threshold, the first node 111 looks for matches between the 5-tuples collected from the first device 131 and the second node 112, and only for the flows where the above protocol metrics values have exceeded the configurable thresholds above. If there is a match, that is, the same 5-tuple and the same and/or a similar Timestamp, considering that the clocks of the first device 131 and the second node 112 may be different, the first node 111 stores the following information: 1) First, the second indication as the parameter List of Suspect UE-IDs, in this example, a single UE-ID, which may include a subscriber identifier, e.g., IMSI, and/or a device identifier, e.g., IMEI. Optionally, an indication for the UE-ID as being either the source or the target of the DDoS attack. In this example, the UE-ID is the source of the DDoS attack. 2) Second, optionally, the first indication as the parameter List of Suspect App-IDs, in this example, App-ID=example.com. Optionally, an indication for the App-ID as being either the source or the target of the DDoS attack. In this example, App-ID=example.com is the source of the DDoS attack. 3) Third, optionally, the respective fourth node 114 serving the first device 131 for the respective flow comprised in the session as the parameter List of Suspect Server IP, in this example, a single server, the fourth node 114.
Optionally, an indication is proposed for the Server IP as being either the source or the target of the DDoS attack. In this example, the Application Server, identified by Server IP, is the target of the DDoS attack. 4) Fourth, the sixth indication of the suspected type of security attack with the parameter List of Suspect type of attack, in this example, SYN flood. It may be noted that within DDoS there may be different sub-categories, such as a brute force DDoS attack or a low rate DDoS attack, or, being more granular: SYN flood, UDP flood, HTTP flood, Ping of death, Smurf attack, etc. Additionally, a confidence level may also be provided, e.g., a percentage from 0% to 100%. At step 28, based on the foregoing, the first node 111 notifies the another node 115, the Consumer, by triggering the another message as a Nnwdaf_AnalyticsSubscription_Notify request message including the following parameters: 1) First, AnalyticId=Security, 2) Second, the sixth indication of the suspected type of security attack with the parameter AnalyticIdType=DDoS, 3) Third, the second indication with the parameter UE-ID, here, a single UE-ID, which may include a subscriber identifier, e.g., IMSI, and/or a device identifier, e.g., IMEI. As mentioned, optionally, an indication is proposed for the UE-ID as being either the source or the target of the DDoS attack; in this example, the UE-ID is the source of the DDoS attack. 4) Fourth, a result of the determining performed in Action 510, 306 with the parameter AnalyticResult. This includes the following information stored in Step 27 above: a) First, optionally, the first indication as the parameter Suspect App-ID = example.com. Optionally, an indication is proposed for the App-ID as being either the source or the target of the DDoS attack.
In this example, App-ID=example.com is the source of the DDoS attack. b) Second, optionally, the respective fourth node 114 serving the first device 131 for the respective flow comprised in the session as the parameter Suspect Server IP; in this example, the Application Server shown in Figure 8 as a single server. Optionally, an indication is proposed for the Server IP as being either the source or the target of the DDoS attack. In this example, the Application Server, identified by Server IP, is the target of the DDoS attack. c) Third, the sixth indication of the suspected type of security attack as the parameter Suspect type of attack, e.g., SYN flood. Additionally, a confidence level may also be provided, e.g., a percentage from 0% to 100%. d) Fourth, optionally, the recommended action to mitigate the detected security attack as the parameter Recommended mitigation action, e.g., block traffic, store as part of subscriber profile, notify content provider. The recommended mitigation action may be determined by the first node 111 based both on the detected type of attack and on the confidence level. At step 29, the another node 115, the Consumer, answers the message in Step 28 with a successful response. At steps 30 and 31, the another node 115, the Consumer, e.g., PCF or OAM, applies the corresponding actions based on the AnalyticResult, in this example, to store in the subscriber profile an indication of a subscriber subject to security attacks and the corresponding security related information. In order to do this, the Consumer triggers towards the third node 113 a Nudr_Store request message including the following parameters: the second identifier of the first device 131 of the one or more devices 130 as the parameter UE-ID. Optionally, an indication is proposed for the UE-ID as being either the source or the target of the DDoS attack. In this example, the UE-ID is the source of the DDoS attack.
The parameter SecurityInfo, including: a first sixth indication of the suspected type of security attack as the parameter Suspect attack = DDoS; optionally, the identifier of a first application used by the first device 131, the Suspect App-ID = example.com, optionally with an indication for the App-ID as being either the source or the target of the DDoS attack (in this example, App-ID=example.com is the source of the DDoS attack); optionally, the fourth indication of the fourth node 114 serving the first device 131 for the flow as the parameter Suspect Server IP, optionally with an indication for the Server IP as being either the source or the target of the DDoS attack (in this example, the Application Server, identified by Server IP, is the target of the DDoS attack); and a second sixth indication of the suspected type of security attack as the parameter Suspect type of attack, e.g., SYN flood. At step 32, the third node 113 stores the SecurityInfo as part of the subscriber profile for the UE-ID. At step 33, the third node 113 answers the message in Step 31 with a successful response. While it is not depicted in the sequence diagram of Figure 8, many different actions may be triggered by the another node 115 based on the AnalyticResult. As a first example, the traffic for the suspect application, e.g., indicated by App-ID as example.com, may be blocked or charged. It may be noted that some network operators do not charge TCP signaling traffic. As a second example, the another node 115, e.g., PCF, may notify the Content Provider, e.g., example.com, to indicate the threat detected, so the Content Provider may take the corresponding actions, e.g., block the traffic at the Application Server side. As a third example, the SecurityInfo stored in the third node 113 may be used in subsequent sessions for the same indicated first device 131, e.g., UE-ID, e.g., to continue monitoring security related attacks for the same indicated first device 131, e.g., via UE-ID, and if the same behavior is found and/or if the accumulated suspect DDoS volume exceeds a configured threshold, the user may be notified accordingly.
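The NWDAF-side logic of step 27 (threshold check on the reported TCP metrics, then 5-tuple correlation between the UPF and UE reports with a clock-skew tolerance) and the AnalyticResult carried by the Nnwdaf_AnalyticsSubscription_Notify of step 28, as an added example that is not the patent's own code. Several things are assumptions, not taken from the page: the threshold values, the `skew` tolerance, a per-flow "Unacked SYN" flag in the UPF report that tells which flows are behind the exceeded metrics, the confidence being the fraction of suspect flows the UE report confirms, the mitigation policy in `recommend_action`, and the shape of the two constructed report payloads.

```python
"""NWDAF step 27/28 logic over constructed UPF and UE event reports (added example)."""

# Configurable thresholds for the three metrics named in step 27 (constructed values).
THRESHOLDS = {"Unacked SYN volume": 5, "SYN volume": 1000, "Simultaneous TCP SYN": 8}


def exceeded_metrics(metrics, thresholds=THRESHOLDS):
    """Names of the metrics whose reported value exceeds its configurable threshold."""
    return [name for name, limit in thresholds.items() if metrics.get(name, 0) > limit]


def match_flows(upf_flows, ue_flows, skew=0.5):
    """Pair UPF and UE flow records with the same 5-tuple and start times within `skew`
    seconds; the UE and UPF clocks are not assumed to be synchronised."""
    by_tuple = {}
    for ef in ue_flows:
        by_tuple.setdefault(ef["5-tuple"], []).append(ef)
    pairs = []
    for uf in upf_flows:
        for ef in by_tuple.get(uf["5-tuple"], []):
            if abs(uf["Timestamp"] - ef["Timestamp"]) <= skew:
                pairs.append((uf, ef))
                break
    return pairs


def recommend_action(attack, confidence):
    """Assumed policy (the page only says the action depends on attack type and confidence)."""
    if attack == "SYN flood" and confidence >= 80:
        return "block traffic"
    if confidence >= 50:
        return "store as part of subscriber profile"
    return "notify content provider"


def produce_analytics(upf_report, ue_report, thresholds=THRESHOLDS, skew=0.5):
    """Return the Nnwdaf_AnalyticsSubscription_Notify payload, or None if nothing fires."""
    info = upf_report["ProtocolMetricsInfo"]
    triggered = exceeded_metrics(info["Protocol-Metrics"], thresholds)
    if not triggered:
        return None
    # Assumption: the UPF flags per flow whether its SYN stayed unanswered, so the
    # correlation is restricted to the flows behind the exceeded metrics.
    suspect = [f for f in info["Flows"] if f.get("Unacked SYN")]
    ue_flows = [dict(f, app=app["OSApplicationId"])
                for app in ue_report["OSApplicationsInfo"] for f in app["Flows"]]
    pairs = match_flows(suspect, ue_flows, skew)
    if not pairs:
        return None
    confidence = int(100 * len(pairs) / len(suspect))
    attack = "SYN flood" if info["Protocol-ID"] == "TCP" else "DDoS (unclassified)"
    return {
        "AnalyticId": "Security",
        "AnalyticIdType": "DDoS",
        "UE-ID": {"id": upf_report["UE-ID"], "role": "source"},
        "AnalyticResult": {
            "Suspect App-ID": sorted({ef["app"] for _, ef in pairs}),
            "Suspect Server IP": sorted({uf["5-tuple"][2] for uf, _ in pairs}),
            "Suspect type of attack": attack,
            "Confidence": confidence,
            "Triggered metrics": triggered,
            "Recommended mitigation action": recommend_action(attack, confidence),
        },
    }


def sample_reports():
    """Constructed Nupf_EventExposure_Notify and Nue_EventExposure_Notify payloads
    (not captured from a network): ten SYN flows, eight of them unanswered."""
    ue, srv, ue_id = "10.0.0.1", "203.0.113.10", "UE-ID-constructed-1"
    upf_flows = [{"Timestamp": 0.05 * i, "5-tuple": (ue, 40000 + i, srv, 443, "TCP"),
                  "Volume": 60, "Unacked SYN": i >= 2} for i in range(10)]
    upf_report = {"EventId": "ProtocolMetrics", "UE-ID": ue_id,
                  "ProtocolMetricsInfo": {
                      "Protocol-ID": "TCP",
                      "Protocol-Metrics": {"SYN to SYN-ACK ratio": 5.5, "Unacked SYN volume": 9,
                                           "SYN volume": 190.9, "Simultaneous TCP SYN": 10},
                      "Flows": upf_flows}}
    # The UE's clock runs 0.2 s ahead of the UPF's, and the UE did not report port 40009.
    app_flows = [{"Timestamp": 0.05 * i + 0.2, "5-tuple": (ue, 40000 + i, srv, 443, "TCP"),
                  "Volume": 60} for i in range(9)]
    other = [{"Timestamp": 3.0, "5-tuple": (ue, 41000, "198.51.100.7", 443, "TCP"), "Volume": 8000}]
    ue_report = {"EventId": "OSApplications", "UE-ID": ue_id,
                 "OSApplicationsInfo": [{"OSApplicationId": "example.com", "Flows": app_flows},
                                        {"OSApplicationId": "chat.example", "Flows": other}]}
    return upf_report, ue_report


if __name__ == "__main__":
    print(produce_analytics(*sample_reports()))
```

With the constructed reports, "Unacked SYN volume" and "Simultaneous TCP SYN" exceed their thresholds, seven of the eight unanswered flows are confirmed by the UE's OSApplications report despite the 0.2 s clock offset, and the notify names example.com as the suspect App-ID and 203.0.113.10 as the suspect Server IP with 87% confidence; the unrelated chat.example flow is not implicated.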
Not depicted in the sequence diagram of Figures 6-8, is a different alternative of embodiments herein, according to which the another node 115, e.g., OAM, may subscribe to a new analytic for security related attacks detection rules and/or models, for a certain type of security related attack, e.g. DDoS, in agreement with Action 501, 301. The first node 111 may then, in agreement with Action 502, 302, trigger data collection, e.g., from one or more additional nodes 112, 113, e.g., UDR, UPF and the first device 131 , e.g., a UE. The first node 111 may, according to Action 512, 306, run analytics processes and may obtain security related attacks detection rules and/or models. The first node 111 may then, according to Action 307, 513 notify the another node 115 with the obtained security related attacks detection rules and/or models. The another node 115, e.g., OAM, may then load the security related attacks detection rules and/or models in a security firewall network function, which may be integrated in the second node 112.
One advantage of embodiments herein is that they may allow an operator of the network to support prevention of security related attacks in a simple and efficient way, by detecting different security related attacks, specifically DDoS, and also by identifying which subscribers, devices, applications and servers may be responsible for them.
Embodiments herein may also be understood to work even when the traffic is encrypted, e.g., DNS encryption and/or HTTPS (TLS) or QUIC based applications.
Figure 9 depicts two different examples in panels a) and b), respectively, of the arrangement that the first node 111 may comprise to perform the method actions described above in relation to Figure 3, Figure 5, and/or Figures 6-8. In some embodiments, the first node 111 may comprise the following arrangement depicted in Figure 9a. The first node 111 may be understood to be for handling security in the communications system 100. The first node 111 is configured to operate in the communications system 100.
Several embodiments are comprised herein. Components from one embodiment may be tacitly assumed to be present in another embodiment and it will be obvious to a person skilled in the art how those components may be used in the other exemplary embodiments. In Figure 9, optional boxes are indicated by dashed lines. The detailed description of some of the following corresponds to the same references provided above, in relation to the actions described for the first node 111 and will thus not be repeated here. For example, the first node 111 may be configured to be a NWDAF, the another node 115 may be configured to manage an analytics consumer, the one or more additional nodes 113, 114 may be configured to comprise one of a UPF, and a UDR.
The first node 111 is configured to, e.g. by means of a receiving unit 901 within the first node 111 configured to, receive, from the another node 115 configured to operate in the communications system 100, the first message. The first message may be configured to request the subscription to receive the at least one indication being configured to indicate the security attack of the first type in the communications system 100 of at least one of: i) the first indication of the one or more applications that are the target or the source of the security attack of the first type in the communications system 100, and ii) the second indication of the one or more devices 130 configured to operate in the communications system 100 that are the target or a source of the security attack of the first type in the communications system 100.
The first node 111 is also configured to, e.g. by means of an initiating instructing unit 902 within the first node 111 configured to, initiate instructing, based on the first message configured to be received, at least one of: the one or more additional nodes 112, 113 configured to operate in the communications system 100 and the first device 131 of the one or more devices 130, to monitor the information indicative of the security attack of the first type.
The first node 111 is further configured to, e.g. by means of an initiating sending unit 903 within the first node 111 configured to, initiate sending, with the proviso that the security attack is detected based on the information configured to be monitored, the another message to the another node 115. The another message is configured to comprise the at least one of the first indication and the second indication configured to be requested, based on the subscription configured to be requested.
In some embodiments, the first node 111 may be configured to, e.g. by means of a determining unit 904 within the first node 111 configured to, determine, based on the one or more additional messages configured to be received from the at least one of: the one or more additional nodes 112, 113 and the first device 131, in response to the initiating instructing: i) whether or not the security attack has occurred, and ii) the at least one of the first indication and the second indication, as configured to be requested in the first message configured to be received. The another message may be configured to be based on a result of the determining.
In some embodiments wherein the one or more additional nodes 112, 113 may be configured to comprise the second node 112, the initiating instructing may be configured to comprise, e.g. by means of the initiating instructing unit 902 within the first node 111 configured to, sending the second message to the second node 112. The second message may be configured to request the first information, of the information indicative of the security attack of the first type. The first information may be configured to indicate the traffic indicators for the one or more devices 130 configured to be indicated. In some embodiments wherein the one or more additional nodes 112, 113 may be configured to comprise the second node 112, the first node 111 may be further configured to, e.g. by means of the receiving unit 901 within the first node 111 configured to, receive from the second node 112, the first information configured to be requested in the first additional message of the one or more additional messages.
In some embodiments, the first information may be configured to comprise at least one of: a) the first identifier of the first information, b) the second identifier of the first device 131 of the one or more devices 130, c) the third identifier of a protocol used for the traffic, and d) the one or more protocol metrics.
In some embodiments, the one or more metrics may be configured to comprise the one or more third indications configured to indicate, respectively, the one of: a) the ratio of connection-oriented transport protocol setup request messages to connection-oriented transport protocol setup response messages for a session, b) the number of unacknowledged connection-oriented transport protocol setup request messages, c) the volume of respective message of the first type received for the session, d) the number of consecutive messages of the second type received for the session, e) the average size of the window for the session, f) the number of duplicated acknowledgement messages for the session, g) the number of packets sent for the session, h) the number of retransmitted information for the session, i) the maximum segment size for the session, j) the number of units of information sent during the initial window of the session, k) the maximum idle time between consecutive packets for the session, l) the minimum idle time between consecutive packets for the session, m) the throughput for the session, n) the respective start time of a respective flow comprised in the session, o) the respective fourth node 114 serving the first device 131 for the respective flow comprised in the session, and p) the respective volume of the respective flow comprised in the session.
In some embodiments wherein the one or more additional nodes 112, 113 may be configured to comprise the third node 113, the initiating instructing may be configured to comprise, e.g. by means of the initiating instructing unit 902 within the first node 111 configured to, sending, based on the first message configured to be received, the third message to the third node 113. The third message may be configured to request the second information, of the information indicative of the security attack of the first type. The second information may be configured to indicate the history of security attacks of the first type for the one or more devices 130 configured to be indicated.
In some embodiments wherein the one or more additional nodes 112, 113 may be configured to comprise the third node 113, the first node 111 may be further configured to, e.g. by means of the receiving unit 901 within the first node 111 configured to, receive from the third node 113, the second information configured to be requested in the second additional message of the one or more additional messages.
In some embodiments, the initiating instructing may be configured to comprise, e.g. by means of the initiating instructing unit 902 within the first node 111 configured to, sending the fourth message to the first device 131 of the one or more devices 130. The fourth message may be configured to request the third information, of the information indicative of the security attack of the first type. The third information may be configured to indicate the traffic indicators for one or more applications used by the first device 131.
In some embodiments, the first node 111 may be further configured to, e.g. by means of the receiving unit 901 within the first node 111 configured to, receive from the first device 131, the third information configured to be requested in the third additional message of the one or more additional messages.
The third information may be configured to comprise at least one of: a) the identifier of the first application used by the first device 131, b) the time of start of the flow run by the first device 131 on the first application, c) the fourth indication of the fourth node 114 configured to serve the first device 131 for the flow, and d) the fifth indication of the volume of traffic for the flow.
In some embodiments, the security attack of the first type may be configured to be a DoS attack.
In some embodiments, the another message may be further configured to comprise at least one of: a) the sixth indication of the suspected type of security attack, and b) the recommended action to mitigate the detected security attack.
The embodiments herein may be implemented through one or more processors, such as a processor 905 in the first node 111 depicted in Figure 9, together with computer program code for performing the functions and actions of the embodiments herein. The program code mentioned above may also be provided as a computer program product, for instance in the form of a data carrier carrying computer program code for performing the embodiments herein when being loaded into the first node 111. One such carrier may be in the form of a CD ROM disc. It is however feasible with other data carriers such as a memory stick. The computer program code may furthermore be provided as pure program code on a server and downloaded to the first node 111.
The first node 111 may further comprise a memory 906 comprising one or more memory units. The memory 906 is arranged to be used to store obtained information, store data, configurations, schedulings, and applications etc. to perform the methods herein when being executed in the first node 111. In some embodiments, the first node 111 may receive information from, e.g., the second node 112, the third node 113, the fourth node 114, the another node 115, and/or any of the one or more devices 130 through a receiving port 907. In some examples, the receiving port 907 may be, for example, connected to one or more antennas in the first node 111. In other embodiments, the first node 111 may receive information from another structure in the communications system 100 through the receiving port 907. Since the receiving port 907 may be in communication with the processor 905, the receiving port 907 may then send the received information to the processor 905. The receiving port 907 may also be configured to receive other information.
The processor 905 in the first node 111 may be further configured to transmit or send information to e.g., the second node 112, the third node 113, the fourth node 114, the another node 115, any of the one or more devices 130 and/or another structure in the communications system 100, through a sending port 908, which may be in communication with the processor 905, and the memory 906.
Those skilled in the art will also appreciate that any of the units 901-904 described above may refer to a combination of analog and digital circuits, and/or one or more processors configured with software and/or firmware, e.g., stored in memory, that, when executed by the one or more processors such as the processor 905, perform as described above. One or more of these processors, as well as the other digital hardware, may be included in a single Application-Specific Integrated Circuit (ASIC), or several processors and various digital hardware may be distributed among several separate components, whether individually packaged or assembled into a System-on-a-Chip (SoC).
Any of the units 901-904 described above may be the processor 905 of the first node 111, or an application running on such processor.
Thus, the methods according to the embodiments described herein for the first node 111 may be respectively implemented by means of a computer program 909 product, comprising instructions, i.e., software code portions, which, when executed on at least one processor 905, cause the at least one processor 905 to carry out the actions described herein, as performed by the first node 111. The computer program 909 product may be stored on a computer-readable storage medium 910. The computer-readable storage medium 910, having stored thereon the computer program 909, may comprise instructions which, when executed on at least one processor 905, cause the at least one processor 905 to carry out the actions described herein, as performed by the first node 111. In some embodiments, the computer-readable storage medium 910 may be a non-transitory computer-readable storage medium, such as a CD ROM disc, a memory stick, or stored in the cloud space. In other embodiments, the computer program 909 product may be stored on a carrier containing the computer program, wherein the carrier is one of an electronic signal, optical signal, radio signal, or the computer-readable storage medium 910, as described above.
The first node 111 may comprise an interface unit to facilitate communications between the first node 111 and other nodes or devices, e.g., the second node 112, the third node 113, the fourth node 114, the another node 115, any of the one or more devices 130 and/or another structure in the communications system 100. In some particular examples, the interface may, for example, include a transceiver configured to transmit and receive radio signals over an air interface in accordance with a suitable standard.
In other embodiments, the first node 111 may comprise the following arrangement depicted in Figure 9b. The first node 111 may comprise a processing circuitry 905, e.g., one or more processors such as the processor 905, in the first node 111 and the memory 906. The first node 111 may also comprise a radio circuitry 911, which may comprise e.g., the receiving port 907 and the sending port 908. The processing circuitry 905 may be configured to, or operable to, perform the method actions according to Figure 3, Figure 5, and/or Figures 6-8, in a similar manner as that described in relation to Figure 9a. The radio circuitry 911 may be configured to set up and maintain at least a wireless connection with the second node 112, the third node 113, the fourth node 114, the another node 115, any of the one or more devices 130 and/or another structure in the communications system 100.
Hence, embodiments herein also relate to the first node 111 operative to handle security in the communications system 100, the first node 111 being operative to operate in the communications system 100. The first node 111 may comprise the processing circuitry 905 and the memory 906, said memory 906 containing instructions executable by said processing circuitry 905, whereby the first node 111 is further operative to perform the actions described herein in relation to the first node 111, e.g., in Figure 3, Figure 5, and/or Figures 6-8.
Figure 10 depicts two different examples in panels a) and b), respectively, of the arrangement that the second node 112 may comprise to perform the method actions described above in relation to Figure 4, Figure 5, and/or Figures 6-8. In some embodiments, the second node 112 may comprise the following arrangement depicted in Figure 10a. The second node 112 may be understood to be for handling security in the communications system 100. The second node 112 may be configured to operate in the communications system 100.
Several embodiments are comprised herein. Components from one embodiment may be tacitly assumed to be present in another embodiment and it will be obvious to a person skilled in the art how those components may be used in the other exemplary embodiments. In Figure 10, optional boxes are indicated by dashed lines. The detailed description of some of the following corresponds to the same references provided above, in relation to the actions described for the second node 112 and will thus not be repeated here. For example, the first node 111 may be configured to be a NWDAF, and the second node 112 may be configured to be a UPF.
The second node 112 is configured to, e.g. by means of a receiving unit 1001 within the second node 112 configured to receive the instruction from the first node 111 configured to operate in the communications network 100 to monitor the information indicative of the security attack of the first type, by receiving the second message from the first node 111. The second message is configured to request the first information, of the information indicative of the security attack of the first type. The first information is configured to indicate the traffic indicators for the one or more devices 130 configured to operate in the communications system 100 that are the target or the source of the security attack of the first type in the communications system 100.
The second node 112 is also configured to, e.g. by means of a sending unit 1002 within the second node 112 configured to send the first information configured to be requested to the first node 111, in the first additional message.
In some embodiments, the first information may be configured to comprise at least one of: a) the first identifier of the first information, b) the second identifier of the first device 131 of the one or more devices 130, c) the third identifier of the protocol used for the traffic, and d) the one or more protocol metrics.
In some embodiments, the one or more metrics may be configured to comprise the one or more third indications configured to indicate, respectively, the one of: a) the ratio of connection-oriented transport protocol setup request messages to connection-oriented transport protocol setup response messages for the session, b) the number of unacknowledged connection-oriented transport protocol setup request messages, c) the volume of the respective message of the first type received for the session, d) the number of consecutive messages of the second type received for the session, e) the average size of the window for the session, f) the number of duplicated acknowledgement messages for the session, g) the number of packets sent for the session, h) the number of retransmitted information for the session, i) the maximum segment size for the session, j) the number of units of information sent during the initial window of the session, k) the maximum idle time between consecutive packets for the session, l) the minimum idle time between consecutive packets for the session, m) the throughput for the session, n) the respective start time of the respective flow comprised in the session, o) the respective fourth node 114 serving the first device 131 for the respective flow comprised in the session, and p) the respective volume of the respective flow comprised in the session. In some embodiments, the security attack of the first type may be configured to be a DoS attack.
The embodiments herein may be implemented through one or more processors, such as a processor 1003 in the second node 112 depicted in Figure 10, together with computer program code for performing the functions and actions of the embodiments herein. The program code mentioned above may also be provided as a computer program product, for instance in the form of a data carrier carrying computer program code for performing the embodiments herein when being loaded into the second node 112. One such carrier may be in the form of a CD ROM disc. It is however feasible with other data carriers such as a memory stick. The computer program code may furthermore be provided as pure program code on a server and downloaded to the second node 112.
The second node 112 may further comprise a memory 1004 comprising one or more memory units. The memory 1004 is arranged to be used to store obtained information, store data, configurations, schedulings, and applications etc. to perform the methods herein when being executed in the second node 112.
In some embodiments, the second node 112 may receive information from, e.g., the first node 111, the third node 113, the fourth node 114, the another node 115, and/or any of the one or more devices 130, through a receiving port 1005. In some examples, the receiving port 1005 may be, for example, connected to one or more antennas in the second node 112. In other embodiments, the second node 112 may receive information from another structure in the communications system 100 through the receiving port 1005. Since the receiving port 1005 may be in communication with the processor 1003, the receiving port 1005 may then send the received information to the processor 1003. The receiving port 1005 may also be configured to receive other information.
The processor 1003 in the second node 112 may be further configured to transmit or send information to e.g., the first node 111, the third node 113, the fourth node 114, the another node 115, any of the one or more devices 130, and/or another structure in the communications system 100, through a sending port 1006, which may be in communication with the processor 1003, and the memory 1004.
Those skilled in the art will also appreciate that the units 1001-1002 described above may refer to a combination of analog and digital circuits, and/or one or more processors configured with software and/or firmware, e.g., stored in memory, that, when executed by the one or more processors such as the processor 1003, perform as described above. One or more of these processors, as well as the other digital hardware, may be included in a single Application-Specific Integrated Circuit (ASIC), or several processors and various digital hardware may be distributed among several separate components, whether individually packaged or assembled into a System-on-a-Chip (SoC).
The units 1001-1002 described above may be the processor 1003 of the second node 112, or an application running on such processor.
Thus, the methods according to the embodiments described herein for the second node 112 may be respectively implemented by means of a computer program 1007 product, comprising instructions, i.e., software code portions, which, when executed on at least one processor 1003, cause the at least one processor 1003 to carry out the actions described herein, as performed by the second node 112. The computer program 1007 product may be stored on a computer-readable storage medium 1008. The computer-readable storage medium 1008, having stored thereon the computer program 1007, may comprise instructions which, when executed on at least one processor 1003, cause the at least one processor 1003 to carry out the actions described herein, as performed by the second node 112. In some embodiments, the computer-readable storage medium 1008 may be a non-transitory computer-readable storage medium, such as a CD ROM disc, a memory stick, or stored in the cloud space. In other embodiments, the computer program 1007 product may be stored on a carrier containing the computer program, wherein the carrier is one of an electronic signal, optical signal, radio signal, or the computer-readable storage medium 1008, as described above.
The second node 112 may comprise an interface unit to facilitate communications between the second node 112 and other nodes or devices, e.g., the first node 111, the third node 113, the fourth node 114, the another node 115, any of the one or more devices 130, and/or another structure in the communications system 100. In some particular examples, the interface may, for example, include a transceiver configured to transmit and receive radio signals over an air interface in accordance with a suitable standard.
In other embodiments, the second node 112 may comprise the following arrangement depicted in Figure 10b. The second node 112 may comprise a processing circuitry 1003, e.g., one or more processors such as the processor 1003, in the second node 112 and the memory 1004. The second node 112 may also comprise a radio circuitry 1009, which may comprise e.g., the receiving port 1005 and the sending port 1006. The processing circuitry 1003 may be configured to, or operable to, perform the method actions according to Figure 4, Figure 5, and/or Figures 6-8, in a similar manner as that described in relation to Figure 10a. The radio circuitry 1009 may be configured to set up and maintain at least a wireless connection with the first node 111, the third node 113, the fourth node 114, the another node 115, any of the one or more devices 130, and/or another structure in the communications system 100. Hence, embodiments herein also relate to the second node 112 operative to handle security in the communications system 100, the second node 112 being operative to operate in the communications system 100. The second node 112 may comprise the processing circuitry 1003 and the memory 1004, said memory 1004 containing instructions executable by said processing circuitry 1003, whereby the second node 112 is further operative to perform the actions described herein in relation to the second node 112, e.g., in Figure 4, Figure 5, and/or Figures 6-8.
Figure 11 depicts two different examples in panels a) and b), respectively, of the arrangement that the communications system 100 may comprise to perform the method actions described above in relation to Figure 5. The arrangement depicted in panel a) corresponds to that described in relation to panel a) in Figure 9 and Figure 10 for each of the first node 111 and as additional node, the second node 112, respectively. It may be understood that the third node 113 may have an equivalent arrangement to that described for the second node 112. Also depicted is an arrangement the first device 131 may have to perform the Actions performed by it in Figure 5. The arrangement depicted in panel b) corresponds to that described in relation to panel b) in Figure 9 and Figure 10 for each of the first node 111 and as additional node, the second node 112, respectively. It may be understood that the third node 113 may have an equivalent arrangement to that described for the second node 112. Also depicted is an alternative arrangement the first device 131 may have to perform the Actions performed by it in Figure 5. The communications system 100 may be for handling security in the communications system 100.
Several embodiments are comprised herein. Components from one embodiment may be tacitly assumed to be present in another embodiment and it will be obvious to a person skilled in the art how those components may be used in the other exemplary embodiments. In Figure 9, optional boxes are indicated by dashed lines. The detailed description of some of the following corresponds to the same references provided above, in relation to the actions described for the first node 111 and will thus not be repeated here. For example, the first node 111 may be configured to be a NWDAF, the another node 115 may be configured to manage an analytics consumer, the one or more additional nodes 113, 114 may be configured to comprise one of a UPF, and a UDR.
The communications system 100 is configured to, e.g. by means of the receiving unit 901 within the first node 111 configured to, receive, by the first node 111, from the another node 115 configured to operate in the communications system 100, the first message. The first message may be configured to request the subscription to receive the at least one indication being configured to indicate the security attack of the first type in the communications system 100 of at least one of: i) the first indication of the one or more applications that are the target or the source of the security attack of the first type in the communications system 100, and ii) the second indication of the one or more devices 130 configured to operate in the communications system 100 that are the target or the source of the security attack of the first type in the communications system 100.
The communications system 100 is also configured to, e.g. by means of the initiating instructing unit 902 within the first node 111 configured to, initiate instructing, by the first node 111 and based on the first message configured to be received, at least one of: the one or more additional nodes 112, 113 configured to operate in the communications system 100 and the first device 131 of the one or more devices 130, to monitor the information indicative of the security attack of the first type.
The communications system 100 is configured to, e.g. by means of the receiving unit 1001 within the second node 112 configured to receive, by the second node 112 of the one or more additional nodes 112, 113, the instruction from the first node 111 to monitor the information indicative of the security attack of the first type, by receiving the second message from the first node 111. The second message is configured to request the first information, of the information indicative of the security attack of the first type. The first information is configured to indicate the traffic indicators for the one or more devices 130 configured to operate in the communications system 100 that are the target or the source of the security attack of the first type in the communications system 100.
The communications system 100 is also configured to, e.g. by means of the sending unit 1002 within the second node 112 configured to, send, by the second node 112, the first information configured to be requested to the first node 111, in the first additional message.
The communications system 100 is further configured to, e.g. by means of the initiating sending unit 903 within the first node 111 configured to, initiate sending, by the first node 111, with the proviso that the security attack is detected based on the information configured to be monitored, the another message to the another node 115. The another message is configured to comprise the at least one of the first indication and the second indication configured to be requested, based on the subscription configured to be requested.
In some embodiments, the communications system 100 may be configured to, e.g. by means of the determining unit 904 within the first node 111 configured to, determine, by the first node 111 and based on the one or more additional messages configured to be received from the at least one of: the one or more additional nodes 112, 113 and the first device 131, in response to the initiating instructing: i) whether or not the security attack has occurred, and ii) the at least one of the first indication and the second indication, as configured to be requested in the first message configured to be received. The another message may be configured to be based on a result of the determining.
In some embodiments, the initiating instructing may be configured to comprise, e.g. by means of the initiating instructing unit 902 within the first node 111 configured to, sending, by the first node 111, the second message to the second node 112.
In some embodiments, the first node 111 may be further configured to, e.g. by means of the receiving unit 901 within the first node 111 configured to, receive, by the first node 111, from the second node 112, the first information configured to be requested in the first additional message of the one or more additional messages.
In some embodiments, the first information may be configured to comprise at least one of: a) the first identifier of the first information, b) the second identifier of the first device 131 of the one or more devices 130, c) the third identifier of a protocol used for the traffic, and d) the one or more protocol metrics.
In some embodiments, the one or more metrics may be configured to comprise the one or more third indications configured to indicate, respectively, the one of: a) the ratio of connection-oriented transport protocol setup request messages to connection-oriented transport protocol setup response messages for a session, b) the number of unacknowledged connection-oriented transport protocol setup request messages, c) the volume of respective message of the first type received for the session, d) the number of consecutive messages of the second type received for the session, e) the average size of the window for the session, f) the number of duplicated acknowledgement messages for the session, g) the number of packets sent for the session, h) the number of retransmitted information for the session, i) the maximum segment size for the session, j) the number of units of information sent during the initial window of the session, k) the maximum idle time between consecutive packets for the session, l) the minimum idle time between consecutive packets for the session, m) the throughput for the session, n) the respective start time of the respective flow comprised in the session, o) the respective fourth node 114 serving the first device 131 for the respective flow comprised in the session, and p) the respective volume of the respective flow comprised in the session.
In some embodiments, the initiating instructing may be configured to comprise, e.g. by means of the initiating instructing unit 902 within the first node 111 configured to, sending, by the first node 111 and based on the first message configured to be received, the third message to the third node 113. The third message may be configured to request the second information, of the information indicative of the security attack of the first type. The second information may be configured to indicate the history of security attacks of the first type for the one or more devices 130 configured to be indicated. In some embodiments, the communications system 100 may be further configured to, e.g. by means of a respective receiving unit 1001 within the third node 113 configured to, receive by the third node 113, from the first node 111, the third message.
In some embodiments, the communications system 100 may be further configured to, e.g. by means of a respective sending unit 1002 within the first node 111 configured to, send, by the third node 113, to the first node 111, the second information configured to be requested in the second additional message of the one or more additional messages.
In some embodiments, the communications system 100 may be further configured to, e.g. by means of the receiving unit 901 within the first node 111 configured to, receive, by the first node 111 , from the third node 113, the second information configured to be requested in the second additional message.
In some embodiments, the initiating instructing may be configured to comprise, e.g. by means of the initiating instructing unit 902 within the first node 111 configured to, sending, by the first node 111 , the fourth message to the first device 131 of the one or more devices 130. The fourth message may be configured to request the third information, of the information indicative of the security attack of the first type. The third information may be configured to indicate the traffic indicators for one or more applications used by the first device 131 .
In some embodiments, the communications system 100 may be further configured to, e.g. by means of a receiving unit 1101 within the first device 131 configured to, receive, by the first device 131 , from the first node 111 , the fourth message.
In some embodiments, the communications system 100 may be further configured to, e.g. by means of a sending unit 1101 within the first device 131 configured to, send, by the first device 131 , to the first node 111 , the third information configured to be requested in the third additional message of the one or more additional messages.
In some embodiments, the communications system 100 may be further configured to, e.g. by means of the receiving unit 901 within the first node 111 configured to, receive from the first device 131 , the third information configured to be requested in the third additional message.
The third information may be configured to comprise at least one of: a) the identifier of the first application used by the first device 131 , b) the time of start of the flow run by the first device 131 on the first application, c) the fourth indication of the fourth node 114 configured to serve the first device 131 for the flow, and d) the fifth indication of the volume of traffic for the flow.
In some embodiments, the security attack of the first type may be configured to be a DoS attack. In some embodiments, the another message may be further configured to comprise at least one of: a) the sixth indication of the suspected type of security attack, and b) the recommended action to mitigate the detected security attack.
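The exchange described in the paragraphs above, as an added example that is not part of the patent: a Python simulation in which the first node receives the subscription, obtains the first information from a second node (UPF role) and the second information from a third node (UDR role), applies a SYN-flood test to metrics a) and b) of the list, and builds the notification carrying the requested application and device indications. All thresholds, node and device identifiers, and sample values are constructed assumptions.

```python
"""Added example, not the patent's own code: an offline simulation of the
subscribe / instruct / report / determine / notify exchange described in the
text. All thresholds, identifiers and sample values are constructed."""

from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed sample of the "first information" a second node could report:
# one record per session carrying a subset of the listed metrics, namely
# a) setup requests vs. responses, b) unacknowledged setup requests,
# f) duplicate ACKs, g) packets, h) retransmissions, m) throughput and
# o) the serving node. Values are invented for illustration.
SESSIONS: List[Dict] = [
    {"flow_id": "s1", "device": "dev-1", "app": "app-A", "proto": "tcp",
     "syn_req": 1200, "syn_rsp": 40, "unacked_syn": 1160, "dup_ack": 3,
     "packets": 1250, "retrans": 5, "throughput_kbps": 12.0, "serving_node": "node-114a"},
    {"flow_id": "s2", "device": "dev-2", "app": "app-A", "proto": "tcp",
     "syn_req": 6, "syn_rsp": 6, "unacked_syn": 0, "dup_ack": 1,
     "packets": 480, "retrans": 2, "throughput_kbps": 850.0, "serving_node": "node-114a"},
    {"flow_id": "s3", "device": "dev-3", "app": "app-B", "proto": "tcp",
     "syn_req": 300, "syn_rsp": 60, "unacked_syn": 240, "dup_ack": 0,
     "packets": 310, "retrans": 1, "throughput_kbps": 9.0, "serving_node": "node-114b"},
    {"flow_id": "s4", "device": "dev-4", "app": "app-C", "proto": "udp",
     "syn_req": 0, "syn_rsp": 0, "unacked_syn": 0, "dup_ack": 0,
     "packets": 2000, "retrans": 0, "throughput_kbps": 300.0, "serving_node": "node-114b"},
]

# Constructed "second information": number of earlier attacks per device.
HISTORY: Dict[str, int] = {"dev-1": 2, "dev-3": 1}

# Constructed decision thresholds (the patent does not specify any).
SYN_RATIO_THRESHOLD = 10.0   # setup requests per setup response
UNACKED_SYN_THRESHOLD = 500  # unacknowledged setup requests per session


@dataclass
class Subscription:
    """The 'first message': which indications the subscriber wants."""
    subscriber: str
    want_applications: bool = True
    want_devices: bool = True
    devices_of_interest: Optional[List[str]] = None  # None means all devices


def second_node_report(devices: Optional[List[str]]) -> List[Dict]:
    """Second node side: answer the 'second message' with the first
    information for the indicated devices (the 'first additional message')."""
    if devices is None:
        return [dict(s) for s in SESSIONS]
    return [dict(s) for s in SESSIONS if s["device"] in devices]


def third_node_report(devices: Optional[List[str]]) -> Dict[str, int]:
    """Third node side: answer the 'third message' with the attack history."""
    if devices is None:
        return dict(HISTORY)
    return {d: HISTORY.get(d, 0) for d in devices}


def session_is_syn_flood(s: Dict, prior_attacks: int) -> bool:
    """Per-session test on metrics a) and b). A device with recorded history
    is judged against a lower unacknowledged-SYN limit (constructed rule)."""
    if s["proto"] != "tcp" or s["syn_req"] == 0:
        return False
    # No responses at all is the extreme ratio; avoid dividing by zero.
    ratio = float("inf") if s["syn_rsp"] == 0 else s["syn_req"] / s["syn_rsp"]
    limit = UNACKED_SYN_THRESHOLD // 2 if prior_attacks else UNACKED_SYN_THRESHOLD
    return ratio > SYN_RATIO_THRESHOLD and s["unacked_syn"] > limit


def first_node_handle(sub: Subscription) -> Optional[Dict]:
    """First node side: instruct the additional nodes, determine whether the
    attack occurred, and build 'another message' only if it did."""
    report = second_node_report(sub.devices_of_interest)
    history = third_node_report(sub.devices_of_interest)
    hits = [s for s in report
            if session_is_syn_flood(s, history.get(s["device"], 0))]
    if not hits:
        return None  # proviso not met: nothing is sent to the subscriber
    message = {"to": sub.subscriber, "suspected_type": "DoS",
               "recommended_action": "rate-limit setup requests from the indicated devices"}
    if sub.want_applications:
        message["applications"] = sorted({s["app"] for s in hits})
    if sub.want_devices:
        message["devices"] = sorted({s["device"] for s in hits})
    return message


if __name__ == "__main__":
    print(first_node_handle(Subscription("consumer-115")))
```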
The remaining hardware components and the remaining configurations described for the first node 111 and the second node 112 in relation to Figure 11, may be understood to correspond to those described in Figure 9, and Figure 10, respectively, and to be performed, e.g., by means of the corresponding units and arrangements described in Figure 9 and Figure 10, which will not be repeated here. It may be understood that the third node 113, as additional node, may have an equivalent arrangement to that described for the second node 112.
The embodiments herein may be implemented through one or more processors, such as a processor 1103 in the first device 131 depicted in Figure 11, together with computer program code for performing the functions and actions of the embodiments herein. The program code mentioned above may also be provided as a computer program product, for instance in the form of a data carrier carrying computer program code for performing the embodiments herein when being loaded into the first device 131. One such carrier may be in the form of a CD ROM disc. It is however feasible with other data carriers such as a memory stick. The computer program code may furthermore be provided as pure program code on a server and downloaded to the first device 131.
The first device 131 may further comprise a memory 1104 comprising one or more memory units. The memory 1104 is arranged to be used to store obtained information, store data, configurations, schedulings, and applications etc. to perform the methods herein when being executed in the first device 131.
In some embodiments, the first device 131 may receive information from, e.g., the first node 111, the second node 112, the third node 113, the fourth node 114, the another node 115, and/or any of the other one or more devices 130, through a receiving port 1105. In some examples, the receiving port 1105 may be, for example, connected to one or more antennas in the first device 131. In other embodiments, the first device 131 may receive information from another structure in the communications system 100 through the receiving port 1105. Since the receiving port 1105 may be in communication with the processor 1103, the receiving port 1105 may then send the received information to the processor 1103. The receiving port 1105 may also be configured to receive other information.
The processor 1103 in the first device 131 may be further configured to transmit or send information to e.g., the first node 111, the second node 112, the third node 113, the fourth node 114, the another node 115, any of the other one or more devices 130, and/or another structure in the communications system 100, through a sending port 1106, which may be in communication with the processor 1103, and the memory 1104.
Those skilled in the art will also appreciate that the units 1101-1102 described above may refer to a combination of analog and digital circuits, and/or one or more processors configured with software and/or firmware, e.g., stored in memory, that, when executed by the one or more processors such as the processor 1103, perform as described above. One or more of these processors, as well as the other digital hardware, may be included in a single Application-Specific Integrated Circuit (ASIC), or several processors and various digital hardware may be distributed among several separate components, whether individually packaged or assembled into a System-on-a-Chip (SoC).
The units 1101-1102 described above may be the processor 1103 of the first device 131, or an application running on such processor.
Thus, the methods according to the embodiments described herein for the first device 131 may be respectively implemented by means of a computer program 1107 product, comprising instructions, i.e., software code portions, which, when executed on at least one processor 1103, cause the at least one processor 1103 to carry out the actions described herein, as performed by the first device 131. The computer program 1107 product may be stored on a computer-readable storage medium 1108. The computer-readable storage medium 1108, having stored thereon the computer program 1107, may comprise instructions which, when executed on at least one processor 1103, cause the at least one processor 1103 to carry out the actions described herein, as performed by the first device 131. In some embodiments, the computer-readable storage medium 1108 may be a non-transitory computer-readable storage medium, such as a CD ROM disc, a memory stick, or stored in the cloud space. In other embodiments, the computer program 1107 product may be stored on a carrier containing the computer program, wherein the carrier is one of an electronic signal, optical signal, radio signal, or the computer-readable storage medium 1108, as described above.
The first device 131 may comprise an interface unit to facilitate communications between the first node 111, the second node 112, the third node 113, the fourth node 114, the another node 115, any of the other one or more devices 130, and/or another structure in the communications system 100. In some particular examples, the interface may, for example, include a transceiver configured to transmit and receive radio signals over an air interface in accordance with a suitable standard.
In other embodiments, the first device 131 may comprise the following arrangement depicted in Figure 11b. The first device 131 may comprise a processing circuitry 1103, e.g., one or more processors such as the processor 1103, in the first device 131 and the memory 1104. The first device 131 may also comprise a radio circuitry 1109, which may comprise e.g., the receiving port 1105 and the sending port 1106. The processing circuitry 1103 may be configured to, or operable to, perform the method actions according to Figure 5, and/or Figures 6-8, in a similar manner as that described in relation to Figure 11a. The radio circuitry 1109 may be configured to set up and maintain at least a wireless connection with the first node 111, the second node 112, the third node 113, the fourth node 114, the another node 115, any of the other one or more devices 130, and/or another structure in the communications system 100.
Hence, embodiments herein also relate to the first device 131 operative to handle security in the communications system 100, the first device 131 being operative to operate in the communications system 100. The first device 131 may comprise the processing circuitry 1103 and the memory 1104, said memory 1104 containing instructions executable by said processing circuitry 1103, whereby the first device 131 is further operative to perform the actions described herein in relation to the first device 131, e.g., in Figure 5, and/or Figures 6-8.
When using the word "comprise" or "comprising", it shall be interpreted as non-limiting, i.e. meaning "consist at least of".
The embodiments herein are not limited to the above described preferred embodiments. Various alternatives, modifications and equivalents may be used. Therefore, the above embodiments should not be taken as limiting the scope of the invention.
Generally, all terms used herein are to be interpreted according to their ordinary meaning in the relevant technical field, unless a different meaning is clearly given and/or is implied from the context in which it is used. All references to a/an/the element, apparatus, component, means, step, etc. are to be interpreted openly as referring to at least one instance of the element, apparatus, component, means, step, etc., unless explicitly stated otherwise. The steps of any methods disclosed herein do not have to be performed in the exact order disclosed, unless a step is explicitly described as following or preceding another step and/or where it is implicit that a step must follow or precede another step. Any feature of any of the embodiments disclosed herein may be applied to any other embodiment, wherever appropriate. Likewise, any advantage of any of the embodiments may apply to any other embodiments, and vice versa. Other objectives, features and advantages of the enclosed embodiments will be apparent from the following description.
As used herein, the expression “at least one of:” followed by a list of alternatives separated by commas, and wherein the last alternative is preceded by the “and” term, may be understood to mean that only one of the list of alternatives may apply, more than one of the list of alternatives may apply or all of the list of alternatives may apply. This expression may be understood to be equivalent to the expression “at least one of:” followed by a list of alternatives separated by commas, and wherein the last alternative is preceded by the “or” term.
Any of the terms processor and circuitry may be understood herein as a hardware component. As used herein, the expression “in some embodiments” has been used to indicate that the features of the embodiment described may be combined with any other embodiment or example disclosed herein.
As used herein, the expression “in some examples” has been used to indicate that the features of the example described may be combined with any other embodiment or example disclosed herein.
CLAIMS:
1. A computer-implemented method, performed by a first node (111), for handling security in a communications system (100), the first node (111) operating in the communications system (100), the method comprising:
- receiving (301), from another node (115) operating in the communications system (100), a first message, the first message requesting a subscription to receive at least one indication indicating a security attack of a first type in the communications system (100) of at least one of: i. a first indication of one or more applications that are a target or a source of the security attack of the first type in the communications system (100), and ii. a second indication of one or more devices (130) operating in the communications system (100) that are a target or a source of the security attack of the first type in the communications system (100),
- initiating (302) instructing, based on the received first message, at least one of: one or more additional nodes (112, 113) operating in the communications system (100) and a first device (131) of the one or more devices (130), to monitor information indicative of the security attack of the first type, and
- initiating (307) sending, with the proviso that the security attack is detected based on the monitored information, another message to the another node (115), the another message comprising the requested at least one of the first indication and the second indication, based on the requested subscription.
2. The method according to claim 1, the method further comprising:
- determining (306), based on one or more additional messages received from the at least one of: the one or more additional nodes (112, 113) and the first device (131), in response to the initiating (302) instructing: i. whether or not the security attack has occurred, and ii. the at least one of the first indication and the second indication, as requested in the received first message, and wherein the another message is based on a result of the determining (306).
3. The method according to claim 2, wherein the one or more additional nodes (112, 113) comprise a second node (112), wherein the initiating (302) instructing comprises:
- sending (302a) a second message to the second node (112), the second message requesting first information, of the information indicative of the security attack of the first type, the first information indicating traffic indicators for the indicated one or more devices (130), and wherein the method further comprises:
- receiving (303) from the second node (112), the requested first information in a first additional message of the one or more additional messages.
4. The method according to claim 3, wherein the first information comprises at least one of: a. a first identifier of the first information, b. a second identifier of the first device (131) of the one or more devices (130), c. a third identifier of a protocol used for the traffic, and d. one or more protocol metrics.
5. The method according to claim 4, wherein the one or more metrics comprises one or more third indications indicating, respectively, one of: a. a ratio of connection-oriented transport protocol setup request messages to connection-oriented transport protocol setup response messages for a session, b. a number of unacknowledged connection-oriented transport protocol setup request messages, c. a volume of a respective message of a first type received for the session, d. a number of consecutive messages of a second type received for the session, e. an average size of a window for the session, f. a number of duplicated acknowledgement messages for the session, g. a number of packets sent for the session, h. a number of retransmitted information for the session, i. a maximum segment size for the session, j. a number of units of information sent during an initial window of the session, k. a maximum idle time between consecutive packets for the session, l. a minimum idle time between consecutive packets for the session, m. a throughput for the session, n. a respective start time of a respective flow comprised in the session, o. a respective fourth node (114) serving the first device (131) for the respective flow comprised in the session, and p. a respective volume of the respective flow comprised in the session.
6. The method according to any of claims 2-5, wherein the one or more additional nodes (112, 113) comprise a third node (113), wherein the initiating (302) instructing comprises:
- sending (302b), based on the received first message, a third message to the third node (113), the third message requesting second information, of the information indicative of the security attack of the first type, the second information indicating a history of security attacks of the first type for the indicated one or more devices (130), and wherein the method further comprises:
- receiving (304) from the third node (113), the requested second information in a second additional message of the one or more additional messages.
7. The method according to any of claims 2-6, wherein the initiating (302) instructing comprises:
- sending (302c) a fourth message to a first device (131) of the one or more devices (130), the fourth message requesting third information, of the information indicative of the security attack of the first type, the third information indicating traffic indicators for one or more applications used by the first device (131), and wherein the method further comprises:
- receiving (305) from the first device (131), the requested third information in a third additional message of the one or more additional messages.
8. The method according to claim 7, wherein the third information comprises at least one of: a. an identifier of a first application used by the first device (131), b. a time of start of a flow run by the first device (131) on the first application, c. a fourth indication of a fourth node (114) serving the first device (131) for the flow, and d. a fifth indication of a volume of traffic for the flow.
9. The method according to any of claims 1-8, wherein the security attack of the first type is a Denial of Service, DoS, attack.
10. The method according to any of claims 1-9, wherein the another message further comprises at least one of: a. a sixth indication of a suspected type of security attack, and b. a recommended action to mitigate the detected security attack.
11. The method according to any of claims 2-10, wherein the first node (111) is a Network Data Analytics Function, NWDAF, the another node (115) manages an analytics consumer, and the one or more additional nodes (113, 114) comprise one of a User Plane Function, UPF, and a Unified Data Repository (UDR).
12. A computer program (909), comprising instructions which, when executed on at least one processor (905), cause the at least one processor (905) to carry out the method according to any one of claims 1 to 11.
13. A computer-readable storage medium (910), having stored thereon a computer program (909), comprising instructions which, when executed on at least one processor (905), cause the at least one processor (905) to carry out the method according to any one of claims 1 to 11.
14. A computer-implemented method, performed by a second node (112), for handling security in a communications system (100), the second node (112) operating in the communications system (100), the method comprising:
- receiving (401) an instruction from a first node (111) operating in the communications network (100) to monitor information indicative of a security attack of a first type, by receiving a second message from the first node (111), the second message requesting first information, of the information indicative of the security attack of the first type, the first information indicating traffic indicators for one or more devices (130) operating in the communications system (100) that are a target or a source of the security attack of the first type in the communications system (100), and
- sending (402) the requested first information to the first node (111), in a first additional message.
15. The method according to claim 14, wherein the first information comprises at least one of: a. a first identifier of the first information, b. a second identifier of the first device (131) of the one or more devices (130), c. a third identifier of a protocol used for the traffic, and d. one or more protocol metrics.
16. The method according to claim 15, wherein the one or more metrics comprises one or more third indications indicating, respectively, one of: a. a ratio of connection-oriented transport protocol setup request messages to connection-oriented transport protocol setup response messages for a session, b. a number of unacknowledged connection-oriented transport protocol setup request messages, c. a volume of a respective message of a first type received for the session, d. a number of consecutive messages of a second type received for the session, e. an average size of a window for the session, f. a number of duplicated acknowledgement messages for the session, g. a number of packets sent for the session, h. a number of retransmitted information for the session, i. a maximum segment size for the session, j. a number of units of information sent during an initial window of the session, k. a maximum idle time between consecutive packets for the session, l. a minimum idle time between consecutive packets for the session, m. a throughput for the session, n. a respective start time of a respective flow comprised in the session, o. a respective fourth node (114) serving the first device (131) for the respective flow comprised in the session, and p. a respective volume of the respective flow comprised in the session.
17. The method according to any of claims 14-16, wherein the security attack of the first type is a Denial of Service, DoS, attack.
18. The method according to any of claims 14-18, wherein the first node (111) is a Network Data Analytics Function, NWDAF, and the second node (112) is a User Plane Function, UPF.
19. A computer program (909), comprising instructions which, when executed on at least one processor (905), cause the at least one processor (905) to carry out the method according to any one of claims 14 to 18.
20. A computer-readable storage medium (910), having stored thereon a computer program (909), comprising instructions which, when executed on at least one processor (905), cause the at least one processor (905) to carry out the method according to any one of claims 14 to 18.
21. A computer-implemented method, performed by a communications system (100), for handling security in a communications system (100), the communications system (100) comprising a first node (111) and one or more additional nodes (112, 113), the method comprising:
- receiving (501, 301), by the first node (111), from another node (115) operating in the communications system (100), a first message, the first message requesting a subscription to receive at least one indication indicating a security attack of a first type in the communications system (100) of at least one of: i. a first indication of one or more applications that are a target or a source of the security attack of the first type in the communications system (100), and ii. a second indication of one or more devices (130) operating in the communications system (100) that are a target or a source of the security attack of the first type in the communications system (100),
- initiating (502, 302) instructing, by the first node (111) and based on the received first message, at least one of: the one or more additional nodes (112, 113) and a first device (131) of the one or more devices (130), to monitor information indicative of the security attack of the first type, and
- receiving (503, 401), by a second node (112) of the one or more additional nodes (112, 113), the instruction from the first node (111) to monitor information indicative of the security attack of the first type, by receiving a second message from the first node (111), the second message requesting first information, of the information indicative of the security attack of the first type, the first information indicating traffic indicators for one or more devices (130) operating in the communications system (100) that are a target or a source of the security attack of the first type in the communications system (100),
- sending (506, 402), by the second node (112) the requested first information to the first node (111), in a first additional message, and
- initiating (513, 307) sending, by the first node (111), with the proviso that the security attack is detected based on the monitored information, another message to the another node (115), the another message comprising the requested at least one of the first indication and the second indication, based on the requested subscription.
22. The method according to claim 21, the method further comprising:
- determining (512, 306), by the first node (111) and based on one or more additional messages received from the at least one of: the one or more additional nodes (112, 113) and the first device (131), in response to the initiating (302) instructing: i. whether or not the security attack has occurred, and ii. the at least one of the first indication and the second indication, as requested in the received first message, and wherein the another message is based on a result of the determining (512, 306).
23. The method according to claim 22, wherein the initiating (302) instructing comprises:
- sending (502a, 302a), by the first node (111), the second message to the second node (112), and wherein the method further comprises:
- receiving (509, 303), by the first node (111), from the second node (112), the requested first information in the first additional message of the one or more additional messages.
24. The method according to claim 23, wherein the first information comprises at least one of: a. a first identifier of the first information, b. a second identifier of the first device (131) of the one or more devices (130), c. a third identifier of a protocol used for the traffic, and d. one or more protocol metrics.
25. The method according to claim 24, wherein the one or more metrics comprises one or more third indications indicating, respectively, one of: a. a ratio of connection-oriented transport protocol setup request messages to connection-oriented transport protocol setup response messages for a session, b. a number of unacknowledged connection-oriented transport protocol setup request messages, c. a volume of a respective message of a first type received for the session, d. a number of consecutive messages of a second type received for the session, e. an average size of a window for the session, f. a number of duplicated acknowledgement messages for the session, g. a number of packets sent for the session, h. a number of retransmitted information for the session, i. a maximum segment size for the session, j. a number of units of information sent during an initial window of the session, k. a maximum idle time between consecutive packets for the session, l. a minimum idle time between consecutive packets for the session, m. a throughput for the session, n. a respective start time of a respective flow comprised in the session, o. a respective fourth node (114) serving the first device (131) for the respective flow comprised in the session, and p. a respective volume of the respective flow comprised in the session.
26. The method according to any of claims 22-25, wherein the one or more additional nodes (112, 113) comprise a third node (113), wherein the initiating (302) instructing comprises:
- sending (502b, 302b), by the first node (111) and based on the received first message, a third message to the third node (113), the third message requesting second information, of the information indicative of the security attack of the first type, the second information indicating a history of security attacks of the first type for the indicated one or more devices (130),
- receiving (504), by the third node (113), from the first node (111), the third message,
- sending (507), by the third node (113), to the first node (111), the requested second information in a second additional message of the one or more additional messages, and
- receiving (510, 304), by the first node (111), from the third node (113), the requested second information in the second additional message.
27. The method according to any of claims 22-26, wherein the initiating (302) instructing comprises:
- sending (502c, 302c), by the first node (111), a fourth message to a first device (131) of the one or more devices (130), the fourth message requesting third information, of the information indicative of the security attack of the first type, the third information indicating traffic indicators for one or more applications used by the first device (131),
- receiving (505), by the first device (131), from the first node (111), the fourth message,
- sending (508), by the first device (131), to the first node (111), the requested third information in a third additional message of the one or more additional messages, and
- receiving (511, 305), by the first node (111), from the first device (131), the requested third information in the third additional message.
28. The method according to claim 27, wherein the third information comprises at least one of: a. an identifier of a first application used by the first device (131), b. a time of start of a flow run by the first device (131) on the first application, c. a fourth indication of a fourth node (114) serving the first device (131) for the flow, and d. a fifth indication of a volume of traffic for the flow.
29. The method according to any of claims 21-28, wherein the security attack of the first type is a Denial of Service, DoS, attack.
30. The method according to any of claims 21-29, wherein the another message further comprises at least one of: a. a sixth indication of a suspected type of security attack, and b. a recommended action to mitigate the detected security attack.
31. The method according to any of claims 22-30, wherein the first node (111) is a Network Data Analytics Function, NWDAF, the another node (115) manages an analytics consumer, and the one or more additional nodes (113, 114) comprise one of a User Plane Function, UPF, and a Unified Data Repository, UDR.
32. A first node (111), for handling security in a communications system (100), the first node (111) being configured to operate in the communications system (100), the first node (111) being configured to:
- receive, from another node (115) configured to operate in the communications system (100), a first message, the first message being configured to request a subscription to receive at least one indication being configured to indicate a security attack of a first type in the communications system (100) of at least one of: i. a first indication of one or more applications that are a target or a source of the security attack of the first type in the communications system (100), and ii. a second indication of one or more devices (130) configured to operate in the communications system (100) that are a target or a source of the security attack of the first type in the communications system (100),
- initiate instructing, based on the first message configured to be received, at least one of: one or more additional nodes (112, 113) configured to operate in the communications system (100) and a first device (131) of the one or more devices (130), to monitor information indicative of the security attack of the first type, and
- initiate sending, with the proviso that the security attack is detected based on the information configured to be monitored, another message to the another node (115), the another message being configured to comprise the at least one of the first indication and the second indication configured to be requested, based on the subscription configured to be requested.
33. The first node (111) according to claim 32, the first node (111) being further configured to:
- determine (306), based on one or more additional messages configured to be received from the at least one of: the one or more additional nodes (112, 113) and the first device (131), in response to the initiating instructing: i. whether or not the security attack has occurred, and ii. the at least one of the first indication and the second indication, as configured to be requested in the first message configured to be received, and wherein the another message is configured to be based on a result of the determining.
34. The first node (111) according to claim 33, wherein the one or more additional nodes (112, 113) are configured to comprise a second node (112), wherein the initiating instructing is configured to:
- send a second message to the second node (112), the second message being configured to request first information, of the information indicative of the security attack of the first type, the first information being configured to indicate traffic indicators for the one or more devices (130) configured to be indicated, and wherein the first node (111) is further configured to:
- receive from the second node (112), the first information configured to be requested in a first additional message of the one or more additional messages. The first node (111) according to 34, wherein the first information is configured to comprise at least one of: a. a first identifier of the first information, b. a second identifier of the first device (131) of the one or more devices (130), c. a third identifier of a protocol used for the traffic, and d. one or more protocol metrics. The first node (111) according to 35, wherein the one or more metrics are configured to comprise one or more third indications configured to indicate, respectively, one of: a. a ratio of connection-oriented transport protocol setup request messages to connection-oriented transport protocol setup response messages for a session, b. a number of unacknowledged connection-oriented transport protocol setup request messages, c. a volume of respective message of a first type received for the session, d. a number of consecutive messages of a second type received for the session, e. an average size of a window for the session, f. a number of duplicated acknowledgement messages for the session, 68 g. a number of packets sent for the session, h. a number of retransmitted information for the session, i. a maximum segment size for the session, j. a number of units of information sent during an initial window of the session, k. a maximum idle time between consecutive packets for the session, l. a minimum idle time between consecutive packets for the session, m. a throughput for the session, n. a respective start time of a respective flow comprised in the session, o. a respective fourth node (114) serving the first device (131) for the respective flow comprised in the session, and p. a respective volume of the respective flow comprised in the session. 
37. The first node (111) according to any of claims 33-36, wherein the one or more additional nodes (112, 113) are configured to comprise a third node (113), wherein the initiating instructing is configured to comprise:
- sending, based on the first message configured to be received, a third message to the third node (113), the third message being configured to request second information, of the information indicative of the security attack of the first type, the second information being configured to indicate a history of security attacks of the first type for the one or more devices (130) configured to be indicated, and wherein the first node (111) is further configured to:
- receive from the third node (113), the second information configured to be requested in a second additional message of the one or more additional messages.
38. The first node (111) according to any of claims 33-37, wherein the initiating instructing is configured to comprise:
- sending a fourth message to a first device (131) of the one or more devices (130), the fourth message being configured to request third information, of the information indicative of the security attack of the first type, the third information being configured to indicate traffic indicators for one or more applications used by the first device (131), and wherein the first node (111) is further configured to:
- receive from the first device (131), the third information configured to be requested in a third additional message of the one or more additional messages.
39. The first node (111) according to claim 38, wherein the third information is configured to comprise at least one of:
a. an identifier of a first application used by the first device (131),
b. a time of start of a flow run by the first device (131) on the first application,
c. a fourth indication of a fourth node (114) configured to serve the first device (131) for the flow, and
d. a fifth indication of a volume of traffic for the flow.
40. The first node (111) according to any of claims 32-39, wherein the security attack of the first type is configured to be a Denial of Service, DoS, attack.
41. The first node (111) according to any of claims 32-40, wherein the another message is further configured to comprise at least one of:
a. a sixth indication of a suspected type of security attack, and
b. a recommended action to mitigate the detected security attack.
42. The first node (111) according to any of claims 33-41, wherein the first node (111) is configured to be a Network Data Analytics Function, NWDAF, the another node (115) is configured to manage an analytics consumer, and the one or more additional nodes (113, 114) are configured to comprise one of a User Plane Function, UPF, and a Unified Data Repository, UDR.
43. A second node (112), for handling security in a communications system (100), the second node (112) being configured to operate in the communications system (100), the second node (112) being further configured to:
- receive an instruction from a first node (111) configured to operate in the communications network (100) to monitor information indicative of a security attack of a first type, by receiving a second message from the first node (111), the second message being configured to request first information, of the information indicative of the security attack of the first type, the first information being configured to indicate traffic indicators for one or more devices (130) configured to operate in the communications system (100) that are a target or a source of the security attack of the first type in the communications system (100), and
- send the first information configured to be requested to the first node (111), in a first additional message.
44. The second node (112) according to claim 43, wherein the first information is configured to comprise at least one of:
a. a first identifier of the first information,
b. a second identifier of the first device (131) of the one or more devices (130),
c. a third identifier of a protocol used for the traffic, and
d. one or more protocol metrics.
45. The second node (112) according to claim 44, wherein the one or more metrics are configured to comprise one or more third indications indicating, respectively, one of:
a. a ratio of connection-oriented transport protocol setup request messages to connection-oriented transport protocol setup response messages for a session,
b. a number of unacknowledged connection-oriented transport protocol setup request messages,
c. a volume of a respective message of a first type received for the session,
d. a number of consecutive messages of a second type received for the session,
e. an average size of a window for the session,
f. a number of duplicated acknowledgement messages for the session,
g. a number of packets sent for the session,
h. a number of retransmitted information for the session,
i. a maximum segment size for the session,
j. a number of units of information sent during an initial window of the session,
k. a maximum idle time between consecutive packets for the session,
l. a minimum idle time between consecutive packets for the session,
m. a throughput for the session,
n. a respective start time of a respective flow comprised in the session,
o. a respective fourth node (114) serving the first device (131) for the respective flow comprised in the session, and
p. a respective volume of the respective flow comprised in the session.
46. The second node (112) according to any of claims 43-45, wherein the security attack of the first type is configured to be a Denial of Service, DoS, attack.
47. The second node (112) according to any of claims 43-46, wherein the first node (111) is configured to be a Network Data Analytics Function, NWDAF, and the second node (112) is configured to be a User Plane Function, UPF.
48. A communications system (100), for handling security in a communications system (100), the communications system (100) being configured to comprise a first node (111) and one or more additional nodes (112, 113), the communications system (100) being further configured to:
- receive, by the first node (111), from another node (115) configured to operate in the communications system (100), a first message, the first message being configured to request a subscription to receive at least one indication configured to indicate a security attack of a first type in the communications system (100) of at least one of: i. a first indication of one or more applications that are a target or a source of the security attack of the first type in the communications system (100), and ii. a second indication of one or more devices (130) configured to operate in the communications system (100) that are a target or a source of the security attack of the first type in the communications system (100),
- initiate instructing, by the first node (111) and based on the first message configured to be received, at least one of: the one or more additional nodes (112, 113) and a first device (131) of the one or more devices (130), to monitor information indicative of the security attack of the first type, and
- receive, by a second node (112) of the one or more additional nodes (112, 113), the instruction from the first node (111) to monitor information indicative of the security attack of the first type, by receiving a second message from the first node (111), the second message being configured to request first information, of the information indicative of the security attack of the first type, the first information being configured to indicate traffic indicators for one or more devices (130) configured to operate in the communications system (100) that are a target or a source of the security attack of the first type in the communications system (100),
- send, by the second node (112), the first information configured to be requested to the first node (111), in a first additional message, and
- initiate sending, by the first node (111), with the proviso that the security attack is detected based on the information configured to be monitored, another message to the another node (115), the another message being configured to comprise the at least one of the first indication and the second indication configured to be requested, based on the subscription configured to be requested.
49. The communications system (100) according to claim 48, the communications system (100) being further configured to:
- determine, by the first node (111) and based on one or more additional messages configured to be received from the at least one of: the one or more additional nodes (112, 113) and the first device (131), in response to the initiating instructing: i. whether or not the security attack has occurred, and ii. the at least one of the first indication and the second indication, as configured to be requested in the first message configured to be received, and wherein the another message is configured to be based on a result of the determining.
50. The communications system (100) according to claim 49, wherein the initiating instructing is configured to comprise:
- sending, by the first node (111), the second message to the second node (112), and wherein the communications system (100) is further configured to:
- receive, by the first node (111), from the second node (112), the first information configured to be requested in the first additional message of the one or more additional messages.
51. The communications system (100) according to claim 50, wherein the first information is configured to comprise at least one of:
a. a first identifier of the first information,
b. a second identifier of the first device (131) of the one or more devices (130),
c. a third identifier of a protocol used for the traffic,
d. one or more protocol metrics.
52. The communications system (100) according to claim 51, wherein the one or more metrics are configured to comprise one or more third indications configured to indicate, respectively, one of:
a. a ratio of connection-oriented transport protocol setup request messages to connection-oriented transport protocol setup response messages for a session,
b. a number of unacknowledged connection-oriented transport protocol setup request messages,
c. a volume of a respective message of a first type received for the session,
d. a number of consecutive messages of a second type received for the session,
e. an average size of a window for the session,
f. a number of duplicated acknowledgement messages for the session,
g. a number of packets sent for the session,
h. a number of retransmitted information for the session,
i. a maximum segment size for the session,
j. a number of units of information sent during an initial window of the session,
k. a maximum idle time between consecutive packets for the session,
l. a minimum idle time between consecutive packets for the session,
m. a throughput for the session,
n. a respective start time of a respective flow comprised in the session,
o. a respective fourth node (114) serving the first device (131) for the respective flow comprised in the session, and
p. a respective volume of the respective flow comprised in the session.
53. The communications system (100) according to any of claims 49-52, wherein the one or more additional nodes (112, 113) are further configured to comprise a third node (113), wherein the initiating instructing is further configured to comprise:
- sending, by the first node (111) and based on the first message configured to be received, a third message to the third node (113), the third message being configured to request second information, of the information indicative of the security attack of the first type, the second information being configured to indicate a history of security attacks of the first type for the one or more devices (130) configured to be indicated,
- receive, by the third node (113), from the first node (111), the third message,
- send, by the third node (113), to the first node (111), the second information configured to be requested in a second additional message of the one or more additional messages, and
- receive, by the first node (111), from the third node (113), the second information configured to be requested in the second additional message.
54. The communications system (100) according to any of claims 49-53, wherein the initiating instructing is further configured to comprise:
- sending, by the first node (111), a fourth message to a first device (131) of the one or more devices (130), the fourth message being configured to request third information, of the information indicative of the security attack of the first type, the third information being configured to indicate traffic indicators for one or more applications configured to be used by the first device (131),
- receive, by the first device (131), from the first node (111), the fourth message,
- send, by the first device (131), to the first node (111), the third information configured to be requested in a third additional message of the one or more additional messages, and
- receive, by the first node (111), from the first device (131), the third information configured to be requested in the third additional message.
55. The communications system (100) according to claim 54, wherein the third information is configured to comprise at least one of:
a. an identifier of a first application used by the first device (131),
b. a time of start of a flow run by the first device (131) on the first application,
c. a fourth indication of a fourth node (114) serving the first device (131) for the flow, and
d. a fifth indication of a volume of traffic for the flow.
56. The communications system (100) according to any of claims 48-28, wherein the security attack of the first type is configured to be a Denial of Service, DoS, attack.
57. The communications system (100) according to any of claims 48-29, wherein the another message is further configured to comprise at least one of:
a. a sixth indication of a suspected type of security attack, and
b. a recommended action to mitigate the detected security attack.
58. The communications system (100) according to any of claims 22-30, wherein the first node (111) is configured to be a Network Data Analytics Function, NWDAF, the another node (115) is configured to manage an analytics consumer, and the one or more additional nodes (113, 114) are configured to comprise one of a User Plane Function, UPF, and a Unified Data Repository, UDR.
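As an added illustration that is not part of the patent or of any Ericsson implementation, the following Python models the flow of claims 32-39 and 48-55: a consumer subscribes to the analytics node, the analytics node evaluates the user-plane node's per-session traffic indicators (first information) together with the repository node's attack history (second information), and sends the notification only when an attack is detected. Class and field names, the thresholds, and the sample records are constructed assumptions.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Constructed thresholds for the toy decision rule; an operator would tune these.
SYN_RATIO_LIMIT = 3.0       # setup requests per setup response (metric a)
UNACKED_SYN_LIMIT = 100     # outstanding setup requests (metric b)
HISTORY_DISCOUNT = 0.5      # a device with a DoS history is held to half the limits


@dataclass
class TrafficIndicators:
    """First information (claims 35/36), restricted to a few of the listed metrics."""
    device_id: str              # second identifier: the monitored device
    protocol: str               # third identifier: transport protocol used
    syn_to_synack_ratio: float  # metric a
    unacked_syn: int            # metric b
    packets_sent: int           # metric g
    app_id: str                 # application identifier (third information, claim 39 a)


@dataclass
class Subscription:
    """First message: the indications the consumer wants to receive."""
    consumer: str
    attack_type: str            # claim 40: "DoS"
    want_apps: bool             # first indication requested
    want_devices: bool          # second indication requested


@dataclass
class Notification:
    """The 'another message', sent only when an attack is detected (claims 32, 41)."""
    attack_type: str
    suspected_devices: List[str] = field(default_factory=list)
    suspected_apps: List[str] = field(default_factory=list)
    recommended_action: str = ""


def device_is_suspect(ind: TrafficIndicators, prior_attacks: int) -> bool:
    """Decision step (claim 33): a session with far more setup requests than
    responses and many unacknowledged requests looks like a setup flood.
    A device with prior incidents (second information, claim 37) gets lower limits."""
    scale = HISTORY_DISCOUNT if prior_attacks > 0 else 1.0
    return (ind.syn_to_synack_ratio > SYN_RATIO_LIMIT * scale
            and ind.unacked_syn > UNACKED_SYN_LIMIT * scale)


def evaluate(sub: Subscription, first_info: List[TrafficIndicators],
             history: Dict[str, int]) -> Optional[Notification]:
    """Combine the UPF's traffic indicators with the UDR's attack history and
    return a notification only if the attack is detected (the claim's proviso)."""
    devices, apps = [], []
    for ind in first_info:
        if device_is_suspect(ind, history.get(ind.device_id, 0)):
            devices.append(ind.device_id)
            apps.append(ind.app_id)
    if not devices:
        return None
    note = Notification(attack_type=sub.attack_type,
                        recommended_action="rate-limit new connections from the listed devices")
    if sub.want_devices:        # report only the indications that were subscribed to
        note.suspected_devices = sorted(set(devices))
    if sub.want_apps:
        note.suspected_apps = sorted(set(apps))
    return note


# Constructed sample input: two ordinary sessions and one flood-like session.
SAMPLE_INFO = [
    TrafficIndicators("ue-1", "TCP", 1.0, 2, 5400, "app-video"),
    TrafficIndicators("ue-2", "TCP", 1.1, 0, 800, "app-chat"),
    TrafficIndicators("ue-3", "TCP", 40.0, 950, 1200, "app-unknown"),
]
SAMPLE_HISTORY = {"ue-2": 1}   # second information: ue-2 had one earlier incident
SAMPLE_SUB = Subscription("consumer-1", "DoS", want_apps=True, want_devices=True)
```

Calling `evaluate(SAMPLE_SUB, SAMPLE_INFO, SAMPLE_HISTORY)` flags only ue-3 and its application; the two ordinary sessions produce no notification on their own.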
PCT/EP2021/060946 2021-02-05 2021-04-27 First node, second node, communications system and methods performed, thereby for handling security in a communications system WO2022167105A1 (en)

Priority Applications (2)

Application Number Priority Date Filing Date Title
EP21720779.4A EP4289089A1 (en) 2021-02-05 2021-04-27 First node, second node, communications system and methods performed, thereby for handling security in a communications system
CN202180096621.2A CN117136526A (en) 2021-02-05 2021-04-27 First node, second node, communication system for handling security in a communication system and method performed thereby

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
EP21382097.0 2021-02-05
EP21382097 2021-02-05

Publications (1)

Publication Number Publication Date
WO2022167105A1 true WO2022167105A1 (en) 2022-08-11

Family

ID=74732829

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/EP2021/060946 WO2022167105A1 (en) 2021-02-05 2021-04-27 First node, second node, communications system and methods performed, thereby for handling security in a communications system

Country Status (3)

Country Link
EP (1) EP4289089A1 (en)
CN (1) CN117136526A (en)
WO (1) WO2022167105A1 (en)

Also Published As

Publication number Publication date
EP4289089A1 (en) 2023-12-13
CN117136526A (en) 2023-11-28

Legal Events

Date Code Title Description
NENP Non-entry into the national phase

Ref country code: DE

ENP Entry into the national phase

Ref document number: 2021720779

Country of ref document: EP

Effective date: 20230905