WO2023016641A1 - Handling of logged restricted information based on tag syntax allocation - Google Patents


Info

Publication number
WO2023016641A1
Authority
WO
WIPO (PCT)
Prior art keywords
log
tag
syntax
restricted information
management system
Application number
PCT/EP2021/072416
Other languages
French (fr)
Inventor
Maurizio PIGHETTI
Federico PASINI
Francesca Bruzzone
Original Assignee
Telefonaktiebolaget Lm Ericsson (Publ)
Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 67/00 Network arrangements or protocols for supporting network services or applications
    • H04L 67/01 Protocols
    • H04L 67/10 Protocols in which an application is distributed across nodes in the network
    • H04L 41/00 Arrangements for maintenance, administration or management of data switching networks, e.g. of packet switching networks
    • H04L 41/06 Management of faults, events, alarms or notifications
    • H04L 41/069 Management of faults, events, alarms or notifications using logs of notifications; Post-processing of notifications
    • H04L 41/40 Arrangements for maintenance, administration or management of data switching networks, e.g. of packet switching networks using virtualisation of network functions or resources, e.g. SDN or NFV entities
    • H04L 43/00 Arrangements for monitoring or testing data switching networks
    • H04L 43/04 Processing captured monitoring data, e.g. for logfile generation
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F 11/00 Error detection; Error correction; Monitoring
    • G06F 11/30 Monitoring
    • G06F 11/3003 Monitoring arrangements specially adapted to the computing system or computing system component being monitored
    • G06F 11/3006 Monitoring arrangements specially adapted to the computing system or computing system component being monitored where the computing system is distributed, e.g. networked systems, clusters, multiprocessor systems
    • G06F 11/34 Recording or statistical evaluation of computer activity, e.g. of down time, of input/output operation; Recording or statistical evaluation of user activity, e.g. usability assessment
    • G06F 11/3466 Performance evaluation by tracing or monitoring
    • G06F 11/3476 Data logging
    • G06F 21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F 21/60 Protecting data
    • G06F 21/62 Protecting access to data via a platform, e.g. using keys or access control rules
    • G06F 21/6218 Protecting access to data via a platform, e.g. using keys or access control rules to a system of files or objects, e.g. local or distributed file system or database
    • G06F 21/6245 Protecting personal data, e.g. for financial or medical purposes
    • G06F 21/6254 Protecting personal data, e.g. for financial or medical purposes by anonymising data, e.g. decorrelating personal data from the owner's identification

Definitions

  • Embodiments of the present disclosure relate to methods and apparatuses for data handling, and particularly methods and apparatus for identification of restricted information in a network.
  • Logical networks are a form of Software Defined Networks (SDN), and may also be referred to as virtual networks.
  • SDNs essentially decouple the network control functions (the control plane) from the data forwarding functions (the data plane), introducing a degree of separation between control of the physical components forming the network infrastructure (nodes, cables, etc.) and the overall network control.
  • Data transfer services in SDN can be used to provide a user with a data connection between two points, without requiring the user to have detailed knowledge of exactly which components of the network are responsible for providing the connection.
  • A data transfer service can be used to satisfy the data traffic requirements of a user, such as transferring a given volume of data traffic between two points at a given rate, with a given reliability, and so on.
  • VNFs: Virtual Network Functions
  • NFV infrastructure includes compute, storage and networking components, both software and hardware, used as the foundation for virtualized functions.
  • NFV architectures may also include NFV management, automation and orchestration and NFV infrastructure components.
  • Management and Orchestration (MANO) components act as the framework for managing and orchestrating VNFs.
  • MANO may be implemented in accordance with standards such as European Telecommunications Standards Institute, ETSI, Management and Orchestration, MANO, standards.
  • An example of a relevant standard is “Network Functions Virtualisation (NFV) Release 4; Management and Orchestration; Report on NFV-MANO software modification” by ETSI, available at https://www.etsi.org/deliver/etsi_gr/NFV-REL/001_099/011/04.01.01_60/gr_NFV-REL011v040101p.pdf as of 7 July 2021.
  • NFV: Network Functions Virtualisation
  • FIG 1 is a schematic diagram of a network architecture, showing VNFs supported by a NFV infrastructure (NFVI) including virtual computation, storage and network resources that are separated from hardware resources (computation, storage and network resources) by a virtualisation layer.
  • NFVI: NFV infrastructure
  • The network architecture is overseen by a NFV MANO system.
  • Cloud-native applications are designed specifically to operate using distributed computing systems (cloud systems), such as those utilised by cloud computing platforms.
  • The application designs may be referred to as loosely coupled, indicating that the application code is not hard-wired to any of the infrastructure components (for example, the code is not required to be run on any specific piece of hardware).
  • Loose coupling allows cloud-native applications to scale up and down on demand, as network requirements evolve.
  • Each part of a cloud-native application is packaged in its own container, dynamically orchestrated so that each part is actively scheduled and managed to optimize resource utilization, and microservices-oriented to increase the overall agility and maintainability of applications.
  • Networks may utilise homogeneous or heterogenous cloud architectures.
  • In a homogeneous cloud, the entire software stack, from the hypervisor (remote cloud provider), through various intermediate management layers, all the way to the end-user portal, is provided by a single supplier.
  • In a heterogeneous cloud, by contrast, public and private components from more than one supplier may be used. The components from different suppliers may be used at different levels (such as a management tool from one vendor driving a hypervisor from another) or at the same level, where a single management tool drives multiple hypervisors.
  • Heterogeneous clouds may suffer issues due to failures of, or issues with, interoperability between components from different suppliers.
  • One area which may be particularly susceptible to interoperability issues due to evolving requirements is restricted information identification, particularly in the context of log files.
  • Restricted information is a broad term that can encompass any data not freely available to all users. Restricted data can encompass, for example, Personal Identifiable Information (PII) of users, security information, and so on. Examples of PII include user names, contact telephone numbers, addresses, birth dates, email addresses, and so on. In order to meet legal requirements, it may be necessary for network operators to handle restricted information differently from freely available information. Typically, restricted information may be included in general log files, which may necessarily be sent between various network components (for example, from network users to network management systems).
  • PII: Personal Identifiable Information
  • Log files are generated, and analysis of log files is important to ensuring the correct operation of a network, as the log information allows continuous monitoring of the network so that anomalous operations may be identified and addressed during or after runtime.
  • In cloud native logging systems, the collection of log files is typically orchestrated by a cloud provider.
  • Log files may be generated by a large number of different devices connected by a network; the generated log files are typically collected in a dedicated host that is secured and hardened against unauthorised access.
  • A typical logging architecture utilises local storage of log files, subject to a retention period to avoid overload, as well as centralized (remote) storage such as a log server to which log files are periodically sent.
  • Log files may contain restricted data, such as PII.
  • Steps may be taken to prevent inadvertent use or disclosure of this data. Suitable steps depend upon the nature of the restricted data; examples of steps (all of which may be applied to PII) include searching for further restricted data, and modification, deletion, or anonymization/pseudonymization of identified restricted data.
  • Anonymization is a method that replaces original clear data with a value that is both unrelatable to the original data and permanently irretrievable.
  • In pseudonymization, the information that can point to the identity of a subject is replaced by “pseudonyms” or identifiers. Unlike anonymization, pseudonymization is a reversible operation; the pseudonyms can be used to retrieve the original data.
  • US 2017/0149793 A1 discloses a computer-implemented method for anonymizing log entries that includes detecting a data pattern in a group of log entries documenting events performed by at least one process executing on at least one device and identifying, in the data pattern, at least one data field in the log entries that contains variable data. The method also includes evaluating the data field containing variable data to determine whether the data field contains sensitive data, and in response to determining whether the data field contains sensitive data, applying a data-anonymization policy to the data field to anonymize the log entries.
  • Log producers: entities that generate log data
  • Log producers may apply tags to the restricted data.
  • The nature of log producers in a network is determined by the type of network; using the example of a telecommunications network, log producers may include user equipments, base stations, core network nodes, and so on.
  • Tags may be applied by log producers, or by a component separate from the log producers, before the log files are received by a log server.
  • The collection of tags used by a tag application component (such as a log producer) to identify different types of restricted data may be collectively referred to as a tag syntax.
  • A hypothetical example of restricted data tagging is as follows: where a log file contains a telephone number 01234567890 and this telephone number is considered to be restricted data (PII in this example), instances of the text string “01234567890” in the log file may be replaced by the text string “[restricted-tel-no]01234567890[end-restricted-tel-no]”, where “[restricted-tel-no]” and “[end-restricted-tel-no]” are tags indicating the presence and nature of the restricted data (here, a telephone number).
  • An equivalent tag in the same tag syntax used to identify an email address may be [restricted-email], for example.
  • Tags must be known and understood by the log servers; returning to the example above, if the log server receiving the log file including the “[restricted-tel-no]01234567890[end-restricted-tel-no]” text string does not recognise the “[restricted-tel-no]” and “[end-restricted-tel-no]” tags, the restricted data may not be correctly identified.
  • Where tags are applied and interpreted by entities (such as a log producer or separate tag application component, and a log server, respectively) that form part of a homogeneous cloud, both entities will typically understand the tag syntax and therefore the restricted data may effectively be identified.
  • In a heterogeneous cloud, by contrast, the tag syntaxes may originate from different suppliers (and/or network customers), and accordingly a tag syntax used by a log producer may not be understood by a log server. Even where a log server may be aware of a tag syntax, the log server may not easily be able to determine that the tag syntax has been applied to a log file. There is no universally adopted tag syntax convention.
  • Where log servers attempt to process log files potentially containing restricted information without knowledge of the tag syntax used in the log files, a piece of text representing a tag in a tag syntax may be misinterpreted or not identified as a tag, which may result in errors of interpretation of the restricted data, potentially including inadvertent exposure of the restricted data.
  • One way to reduce this risk is to employ the mediation layer of a Network Manager. All log files may pass through the mediation layer before arrival at a log server, such that the mediation layer can transform the proprietary tag syntaxes into a normalized tag syntax that is well known to and recognised by log servers.
  • A further alternative providing a way to reduce the risk of inadvertent exposure of restricted data is to provide the log servers with a constantly updated list of which tag syntax type is used by which log producer. Producing a constantly updated list would require continuous synchronization of the log servers with information about the log producers potentially running in the cloud. Any mistake in the synchronization may result in exposure of restricted data.
  • Embodiments of the disclosure aim to provide methods and apparatus that alleviate some or all of the problems identified above.
  • An aspect of the disclosure provides a method for restricted information identification in a network comprising a log server and a restricted information management system.
  • The method comprises determining, by the restricted information management system, one or more tag syntaxes used in log files to identify restricted information, wherein the log files are generated by a plurality of log producers.
  • The method further comprises assigning, by the restricted information management system, a tag syntax identifier to each of the one or more tag syntaxes, and generating a tag syntax database associating each of the one or more tag syntaxes with the assigned tag syntax identifier.
  • The method further comprises providing, by the restricted information management system: to each of the plurality of log producers, the tag syntax identifier for the tag syntax used by that log producer; and to the log server, the tag syntax database.
  • The identification of restricted information during the processing of log files may be simplified by allowing tag syntaxes to be identified by reading a single attribute from log files (the tag syntax identifier) rather than extracting other information, such as a log producer identifier, and matching this other information with potentially large log producer lists.
  • The step of determining the one or more tag syntaxes may comprise obtaining, by the restricted information management system, tag syntax information from each of the plurality of log producers.
  • The tag syntax information from each log producer may detail the tag syntax used by that log producer. In this way, the tag syntax information may be efficiently obtained by the restricted information management system at a suitable interval.
  • The network may comprise a further log server, and the restricted information management system may provide tag syntax databases to each of the log server and the further log server. Further, the tag syntax databases provided to each of the log server and the further log server may be the same, and may associate each of the one or more tag syntaxes with the assigned tag syntax identifier for all of the tag syntaxes used by log producers in the network.
  • Alternatively, the tag syntax database provided to the log server may associate each of the one or more tag syntaxes with the assigned tag syntax identifier for the tag syntaxes used by log producers served by the log server; and the tag syntax database provided to the further log server may associate each of the one or more tag syntaxes with the assigned tag syntax identifier for the tag syntaxes used by log producers served by the further log server.
  • The system may be tailored to minimise the number of entries in the tag syntax databases provided to the plural log servers, or may be tailored to minimise the number of tag syntax databases to be maintained.
  • The network may be a telecommunications network that utilises virtual network functions (VNF) hosted in a heterogeneous cloud architecture, the heterogeneous cloud architecture comprising the log server and at least one of the plurality of log producers.
  • VNF: virtual network functions
  • Embodiments may be particularly well suited to restricted information management in telecommunications networks using heterogeneous cloud architectures, wherein a large number of tag syntaxes may be in use such that restricted information identification may be a substantial issue.
  • A further aspect of the disclosure provides a restricted information management system for restricted information identification in a network, the network further comprising a log server.
  • The restricted information management system comprises processing circuitry and a memory containing instructions executable by the processing circuitry.
  • The restricted information management system is operable to determine one or more tag syntaxes used in log files to identify restricted information, wherein the log files are generated by a plurality of log producers, and to assign a tag syntax identifier to each of the one or more tag syntaxes.
  • The restricted information management system is further operable to generate a tag syntax database associating each of the one or more tag syntaxes with the assigned tag syntax identifier, and to provide: to each of the plurality of log producers, the tag syntax identifier for the tag syntax used by that log producer; and to the log server, the tag syntax database.
  • The restricted information management system may provide some or all of the advantages discussed above in the context of the restricted information management methods.
  • Figure 1 is a schematic diagram of a network architecture.
  • Figure 2 is a flowchart illustrating a method in accordance with embodiments.
  • Figure 3A is a schematic diagram of a restricted information management system in accordance with embodiments.
  • Figure 3B is a schematic diagram of a restricted information management system in accordance with further embodiments.
  • Figure 4 is a schematic diagram of a portion of a network comprising a restricted information management system.
  • Figure 2 is a flowchart of a method in accordance with embodiments.
  • The method may be performed by any suitable apparatus.
  • Suitable apparatuses for performing the method shown in Figure 2 are the restricted information management systems 30A and 30B shown schematically in Figure 3A and Figure 3B respectively; the restricted information management systems 30A and 30B may collectively be referred to using reference sign 30.
  • The method may also be performed by any other suitable component or components, such as a further network component.
  • The restricted information management system 30A as shown in Figure 3A may execute steps of the method in accordance with a computer program stored in a memory 32, executed by a processor 31 in conjunction with one or more interfaces 33.
  • The restricted information management system 30B may execute steps of the method using determinator 34, assignor 35, generator 36 and transceivers 37, 38.
  • The restricted information management systems 30A and 30B may also be configured to execute the steps of other embodiments, as discussed in detail below.
  • The method may be executed in any suitable network, for example, telecommunications networks in which log producers may frequently become part of or leave the network. For the reasons discussed above, the method is particularly well suited to use in telecommunications networks utilising VNF hosted in a heterogeneous cloud architecture, as the heterogeneous nature of the cloud architecture typically increases the number of different tag syntaxes used relative to a homogeneous architecture.
  • A restricted information management system may be located between log file producers and log servers, for example, in a network manager.
  • The restricted information management system may be a cloud native system, distributed across a plurality of different hardware units.
  • Figure 3A and Figure 3B show the restricted information management systems as single apparatuses; while the restricted information management systems may be implemented in a single apparatus, this is not necessarily the case.
  • The method comprises determining tag syntaxes used by a plurality of log producers in log files.
  • The determination may comprise obtaining, by the restricted information management system, tag syntax information from each of the plurality of log producers, wherein the tag syntax information from each log producer details the tag syntax used by that log producer.
  • The tag syntax information may be collected at any suitable opportunity by the restricted information management system; for example, the tag syntax information may be obtained by the restricted information management system when log producers register with the network.
  • The tag syntax information may be sent as part of the registration process. Additionally or alternatively, the restricted information management system may send requests to one or more log producers for the tag syntax information.
  • Where requests are used by the restricted information management system to obtain the tag syntax information, these requests may be sent at any suitable occasion, for example, with a given periodicity, when an attribute change notification is received from the log producer, and so on.
  • The restricted information management system may obtain the tag syntax information directly from the log producers.
  • The restricted information management system may also obtain the tag syntax information from one or more further components; for example, the network may comprise a database to which log producers can write tag syntax information for the restricted information management system to read.
  • The step of determining tag syntaxes may be performed in accordance with a computer program stored in a memory 32, executed by a processor 31 in conjunction with one or more interfaces 33, as illustrated by Figure 3A.
  • The step of determining tag syntaxes may be performed by a determinator 34 as shown in Figure 3B.
  • The restricted information management system may comprise a Privacy Tag Collector (PTC); where the restricted information management system includes a PTC, the PTC may determine the tag syntax information.
  • PTC: Privacy Tag Collector
  • The determined tag syntax information may be stored in a database forming part of, or accessible by, the restricted information management system.
  • In step S202, the restricted information management system assigns a tag syntax identifier to each of the one or more tag syntaxes for which information has been obtained.
  • The tag syntax identifiers need not be assigned at the same time; each time a new tag syntax is identified (for example, from tag syntax information) a new tag syntax identifier may be assigned.
  • The tag syntax identifiers may be numerical values allowing the rapid identification of tag syntaxes.
  • The form of the tag syntax identifiers is limited only in that each should uniquely identify a tag syntax, to prevent confusion between tag syntaxes (that is, there is a 1:1 relationship between tag syntaxes and tag syntax identifiers).
  • The step of assigning tag syntax identifiers may be performed in accordance with a computer program stored in a memory 32, executed by a processor 31 in conjunction with one or more interfaces 33, as illustrated by Figure 3A.
  • The step of assigning tag syntax identifiers may be performed by an assignor 35 as shown in Figure 3B.
  • The restricted information management system may comprise a PTC; where the restricted information management system includes a PTC, the PTC may assign tag syntax identifiers.
  • In step S203, the restricted information management system generates a tag syntax database.
  • The tag syntax database is used to associate each of the one or more tag syntaxes with the tag syntax identifier assigned in step S202.
  • The database may be stored in any suitable format.
  • The step of generating the tag syntax database may be performed in accordance with a computer program stored in a memory 32, executed by a processor 31 in conjunction with one or more interfaces 33, as illustrated by Figure 3A.
  • The step of generating the tag syntax database may be performed by a generator 36 as shown in Figure 3B.
  • The restricted information management system may comprise a Privacy Information Adapter (PIA); where the restricted information management system includes a PIA, the PIA may generate the tag syntax database; this process may comprise exchanging information with the PTC using transceivers 37 and 38 as shown in Figure 3B where a PTC is also present.
  • PIA: Privacy Information Adapter
  • A network may comprise plural log servers, where different log servers are used by different log producers among the plurality of log producers.
  • The restricted information management system may be configured to generate a single tag syntax database containing information on all of the tag syntaxes identified as being used by log producers in the network; this database may subsequently be provided to all of the plural log servers (see step S205), resulting in a given log server potentially receiving tag syntax information relating to tag syntaxes which none of the log producers using the given log server use. Although this option is simpler to implement, it may therefore result in log servers receiving unnecessary information.
  • Alternatively, the restricted information management system may generate plural tag syntax databases, for example, one for each log server.
  • The tag syntax database provided to each given log server may then associate each of the one or more tag syntaxes with the assigned tag syntax identifier for the tag syntaxes used by log producers served by that given log server (and omit tag syntax information for tag syntaxes not used by log producers using the given server).
  • Where plural tag syntax databases are used, the log servers are less likely to receive unnecessary information; however, additional work may be required from the restricted information management system to generate the plural databases.
  • The method further comprises providing to each of the log producers the tag syntax identifier for the tag syntax used by that log producer, and also providing to the log server (or servers, as discussed above) the tag syntax database(s).
  • The steps of providing the tag syntax identifiers and providing the tag syntax database may be performed in accordance with a computer program stored in a memory 32, executed by a processor 31 in conjunction with one or more interfaces 33, as illustrated by Figure 3A.
  • The steps of providing the tag syntax identifiers and providing the tag syntax database may be performed by the transceivers 37 and 38 as shown in Figure 3B.
  • The restricted information management system may comprise a PIA and a PTC; where a PIA and PTC are present, the PTC may provide the tag syntax identifiers and the PIA may provide the database(s).
  • The tag syntax identifiers and tag syntax database(s) may be updated as required, for example, when a log producer switches tag syntax or when a new log producer using a new tag syntax becomes part of the network. It is not necessary to maintain a database linking log producers with tag syntaxes; the tag syntax database(s) are significantly simpler to use and keep up to date than such a database linking log producers with tag syntaxes would be.
  • The method may further comprise sending, by one or more log producers, log files to one or more log servers.
  • The log files received by the log server(s) comprise the tag syntax identifier corresponding to the tag syntax used in the log file.
  • The tag syntax identifier may be added to the log file by the log producer, or added to the log file by a logging utility after the generation of the log file by the log producer. It is not necessary for any further component to be located between the log producer and the log server; the log files may be sent directly between the two.
  • The log server or servers may then use the tag syntax database(s) received from the restricted information management system to identify the tag syntax used in each of the one or more log files; the identification is based on the tag syntax identifiers included in the log files.
  • The log files can then be processed.
  • The processing can include any steps taken by the log server; typically, knowledge of the tag syntax used in a log file is useful for processes such as anonymizing and/or pseudonymizing restricted information in the one or more log files, as discussed above.
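The following is an added worked example, not code from the patent or from Ericsson, modelling the flow described above end to end: log producers tag restricted data in their own tag syntax (vendor A uses the “[restricted-tel-no]…[end-restricted-tel-no]” style from the example earlier on this page; the “<pii:tel>…</pii:tel>” syntax of vendor B is constructed for illustration), the restricted information management system assigns a tag syntax identifier per syntax and builds either a single database or a per-log-server one, and the log server identifies the syntax from that one attribute before anonymizing (irreversible) or pseudonymizing (reversible) the tagged values. The `tsid=` log-line attribute, the class names and the sample log messages are assumptions, not part of the disclosure.

```python
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class TagSyntax:
    """One supplier's tag syntax: for each restricted-data category, the open
    and close tag text that wraps the value. Frozen so it is hashable."""
    name: str
    tags: tuple  # ((category, open_tag, close_tag), ...)

    def pair(self, category):
        for cat, open_tag, close_tag in self.tags:
            if cat == category:
                return open_tag, close_tag
        raise KeyError(category)


class LogProducer:
    """A log producer (UE, base station, core node ...) using one tag syntax."""

    def __init__(self, name, tag_syntax):
        self.name, self.tag_syntax, self.tsid = name, tag_syntax, None

    def emit(self, message, restricted):
        """Tag each (category, value) with the producer's own syntax and
        prefix the assigned tag syntax identifier as a single attribute
        (the 'tsid=' attribute is an assumed format)."""
        for category, value in restricted:
            open_tag, close_tag = self.tag_syntax.pair(category)
            message = message.replace(value, f"{open_tag}{value}{close_tag}")
        return f"tsid={self.tsid} {message}"


class RestrictedInfoManager:
    """Restricted information management system: determines tag syntaxes
    (PTC role), assigns 1:1 identifiers and builds the database (PIA role)."""

    def __init__(self):
        self._ids = {}  # TagSyntax -> identifier

    def register(self, producer):
        syntax = producer.tag_syntax
        if syntax not in self._ids:          # new syntax -> new identifier
            self._ids[syntax] = len(self._ids) + 1
        producer.tsid = self._ids[syntax]    # identifier provided to producer
        return producer.tsid

    def database(self, served_producers=None):
        """identifier -> TagSyntax. Without an argument: the single database
        for all log servers; with served producers: the per-server variant."""
        if served_producers is None:
            return {tsid: s for s, tsid in self._ids.items()}
        used = {p.tag_syntax for p in served_producers}
        return {tsid: s for s, tsid in self._ids.items() if s in used}


_TSID = re.compile(r"^tsid=(\d+) ")


class LogServer:
    """Identifies the tag syntax from the tsid attribute alone, then either
    anonymizes (irreversible) or pseudonymizes (reversible) tagged values."""

    def __init__(self, database, mode):
        self.database, self.mode = database, mode
        self._tokens = {}      # original value -> pseudonym
        self.pseudonyms = {}   # pseudonym -> original value (retrievable)

    def process(self, line):
        m = _TSID.match(line)
        syntax = self.database.get(int(m.group(1))) if m else None
        if syntax is None:
            # Unknown syntax: the tags cannot be trusted, so the line is held
            # back and reported rather than passed on with possible exposure.
            return None, "unknown tag syntax identifier"
        body = line[m.end():]
        for category, open_tag, close_tag in syntax.tags:
            pattern = re.escape(open_tag) + r"(.*?)" + re.escape(close_tag)
            body = re.sub(pattern, lambda mm: self._replace(category, mm.group(1)), body)
        return body, "ok"

    def _replace(self, category, value):
        if self.mode == "anonymize":
            return f"<{category}-removed>"   # unrelatable and irretrievable
        token = self._tokens.get(value)
        if token is None:
            token = f"{category}-{len(self._tokens) + 1:04d}"
            self._tokens[value] = token
            self.pseudonyms[token] = value   # kept so the value can be retrieved
        return token


# Constructed sample syntaxes: vendor A's tags are the page's own example,
# vendor B's are an assumed alternative convention.
SYNTAX_A = TagSyntax("vendor-A", (
    ("tel", "[restricted-tel-no]", "[end-restricted-tel-no]"),
    ("email", "[restricted-email]", "[end-restricted-email]"),
))
SYNTAX_B = TagSyntax("vendor-B", (("tel", "<pii:tel>", "</pii:tel>"),))


def demo():
    mgr = RestrictedInfoManager()
    ue, gnb = LogProducer("ue-1", SYNTAX_A), LogProducer("gnb-7", SYNTAX_B)
    for producer in (ue, gnb):
        mgr.register(producer)
    anon = LogServer(mgr.database(), "anonymize")          # full database
    pseud = LogServer(mgr.database([gnb]), "pseudonymize")  # per-server database
    line_a = ue.emit("call setup from 01234567890 to alice@example.com",
                     [("tel", "01234567890"), ("email", "alice@example.com")])
    line_b = gnb.emit("attach request from 09876543210", [("tel", "09876543210")])
    return {
        "ids": (ue.tsid, gnb.tsid),
        "line_a": line_a,
        "anon_a": anon.process(line_a),
        "pseud_b": pseud.process(line_b),
        "pseud_a_on_b_server": pseud.process(line_a),  # syntax absent from its database
        "restored": pseud.pseudonyms,
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, "->", value)
```

Two points the run makes visible: the log server never needs a producer list, only the identifier read from the line, and a server holding a per-server database refuses the vendor A line outright instead of guessing at its tags, which is the failure mode the page describes for unrecognised syntaxes.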
  • FIG 4 is a schematic diagram of a portion of a network (specifically a telecommunications network) comprising a restricted information management system 501, in accordance with an embodiment.
  • the restricted information management system comprises a PTC 502 and a PIA 503.
  • the restricted information management system of Figure 4 does not comprise a database storing the determined tag syntax information; instead this information is stored in a database 504 accessible by the restricted information management system.
  • the portion of the network shown in Figure 4 also includes plural log producers 505, and plural log servers 506.
  • the log producers may be, for example, user equipments, base stations, core network nodes, etc.
  • the log servers in the Figure 4 example are of different types (types 1 and M) and are configured to process the log files in different ways from one another; for example, one could perform an anonymization process on restricted information and the other a pseudonymization process.
  • Arrows in Figure 4 indicate the process of obtaining tag syntaxes from the log producers by the PTC of the restricted information management system, provision of tag syntax identifiers to the log producers and tag syntax database(s) to the log servers by the PTC and PIA respectively, and so on.
  • Embodiments may allow log file processing to be optimised, as generated log files can be stored without any manipulation after the log file is generated and the tag syntax identifier added; that is, it is not necessary to intercept each log file, for instance for applying tag normalization, between the log producer and log server. Also, embodiments may simplify the identification of restricted information such as PII during the processing of log files (for example anonymization/pseudonymization) by allowing tag syntaxes to be identified by reading a single attribute from log files (the tag syntax identifier) rather than extracting other information, such as a log producer identifier, and matching this other information with potentially large log producer lists. Embodiments may also obviate the need to maintain potentially large and frequently updated log producer lists at all.
  • the various exemplary embodiments may be implemented in hardware or special purpose circuits, software, logic or any combination thereof.
  • some embodiments may be implemented in hardware, while other embodiments may be implemented in firmware or software which may be executed by a controller, microprocessor or other computing device, although the disclosure is not limited thereto.
  • While various aspects of the exemplary embodiments of this disclosure may be illustrated and described as block diagrams, flow charts, or using some other pictorial representation, it is well understood that these blocks, apparatus, systems, techniques or methods described herein may be implemented in, as non-limiting examples, hardware, software, firmware, special purpose circuits or logic, general purpose hardware or controller or other computing devices, or some combination thereof.
  • the exemplary embodiments of the disclosure may be practiced in various components such as integrated circuit chips and modules. It should thus be appreciated that the exemplary embodiments of this disclosure may be realized in an apparatus that is embodied as an integrated circuit, where the integrated circuit may comprise circuitry (as well as possibly firmware) for embodying at least one or more of a data processor, a digital signal processor, baseband circuitry and radio frequency circuitry that are configurable so as to operate in accordance with the exemplary embodiments of this disclosure.
  • exemplary embodiments of the disclosure may be embodied in computer-executable instructions, such as in one or more program modules, executed by one or more computers or other devices.
  • program modules include routines, programs, objects, components, data structures, etc. that perform particular tasks or implement particular abstract data types when executed by a processor in a computer or other device.
  • the computer executable instructions may be stored on a computer readable medium such as a hard disk, optical disk, removable storage media, solid state memory, RAM, etc.
  • the function of the program modules may be combined or distributed as desired in various embodiments.
  • the function may be embodied in whole or in part in firmware or hardware equivalents such as integrated circuits, field programmable gate arrays (FPGA), and the like.

Landscapes

  • Engineering & Computer Science (AREA)
  • Theoretical Computer Science (AREA)
  • General Engineering & Computer Science (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Physics & Mathematics (AREA)
  • General Physics & Mathematics (AREA)
  • Computing Systems (AREA)
  • Quality & Reliability (AREA)
  • General Health & Medical Sciences (AREA)
  • Computer Hardware Design (AREA)
  • Health & Medical Sciences (AREA)
  • Bioethics (AREA)
  • Mathematical Physics (AREA)
  • Medical Informatics (AREA)
  • Databases & Information Systems (AREA)
  • Computer Security & Cryptography (AREA)
  • Software Systems (AREA)
  • Data Mining & Analysis (AREA)
  • Debugging And Monitoring (AREA)

Abstract

Embodiments provide methods and systems for restricted information identification in networks. The method comprises determining one or more tag syntaxes used in log files to identify restricted information, and assigning a tag syntax identifier to each tag syntax. The method further comprises generating a tag syntax database associating each of the one or more tag syntaxes with the assigned tag syntax identifier. The method also comprises providing the tag syntax identifiers to log producers, and providing the tag syntax database to a log server.

Description

HANDLING OF LOGGED RESTRICTED INFORMATION BASED ON TAG SYNTAX ALLOCATION
Technical Field
Embodiments of the present disclosure relate to methods and apparatuses for data handling, and particularly methods and apparatus for identification of restricted information in a network.
Background
Recent developments in telecommunication network technology have allowed increased separation between the control of physical network infrastructure and logical networks. Logical networks are a form of Software Defined Networks (SDN), and may also be referred to as virtual networks. SDNs essentially decouple the network control functions (the control plane) from the data forwarding functions (the data plane), introducing a degree of separation between control of the physical components forming the network infrastructure (nodes, cables, etc.) and the overall network control. As an example of this separation, data transfer services in SDN can be used to provide a user with a data connection between two points, without requiring the user to have detailed knowledge of exactly which components of the network are responsible for providing the connection. As such, a data transfer service can be used to satisfy the data traffic requirements of a user, such as transferring a given volume of data traffic between two points at a given rate, with a given reliability, and so on.
To support the separation of physical components from network control, SDNs may utilise Virtual Network Functions (VNFs). VNFs execute virtualized tasks formerly carried out by proprietary, dedicated hardware. VNFs thereby move individual network functions out of dedicated hardware devices into software that runs on commodity hardware, typically including cloud hardware. Individual VNFs can be grouped together to form an overall NFV (Network Function Virtualization) architecture; NFV infrastructure includes compute, storage and networking components, both software and hardware, used as the foundation for virtualized functions. In addition to VNFs, NFV architectures may also include NFV management, automation and orchestration and NFV infrastructure components. Management and Orchestration (MANO) components act as the framework for managing and orchestrating VNFs. MANO may be implemented in accordance with standards such as the European Telecommunications Standards Institute (ETSI) Management and Orchestration (MANO) standards. An example of a relevant standard is “Network Functions Virtualisation (NFV) Release 4; Management and Orchestration; Report on NFV-MANO software modification” by ETSI, available at https://www.etsi.org/deliver/etsi_gr/NFV-REL/001_099/011/04.01.01_60/gr_NFV-REL011v040101p.pdf as of 7 July 2021. Figure 1 is a schematic diagram of a network architecture, showing VNFs supported by a NFV infrastructure (NFVI) including virtual computation, storage and network resources that are separated from hardware resources (computation, storage and network resources) by a virtualisation layer. The network architecture is overseen by a NFV MANO system.
To support the use of NFV infrastructures, telecommunications networks commonly utilise cloud-native applications. Cloud-native applications are designed specifically to operate using distributed computing systems (cloud systems), such as those utilised by cloud computing platforms. The application designs may be referred to as loosely coupled, indicating that the application code is not hard-wired to any of the infrastructure components (for example, the code is not required to be run on any specific piece of hardware). Loose coupling allows cloud-native applications to scale up and down on demand, as network requirements evolve. Commonly, each part of a cloud-native application is packaged in its own container, dynamically orchestrated so that each part is actively scheduled and managed to optimize resource utilization, and microservices-oriented to increase the overall agility and maintainability of applications.
One consequence of the increasing use of cloud architectures, with loosely coupled applications, in telecommunications networks is increased heterogeneity within network software stacks. Networks may utilise homogeneous or heterogeneous cloud architectures. In a homogeneous cloud, the entire software stack, from the hypervisor (remote cloud provider), through various intermediate management layers, all the way to the end-user portal, is provided by a single supplier. In a heterogeneous cloud, by contrast, public and private components from more than one supplier may be used. The components from different suppliers may be used at different levels (such as a management tool from one vendor driving a hypervisor from another) or at the same level, where a single management tool drives multiple hypervisors. Heterogeneous clouds may suffer issues due to failures of, or issues with, interoperability between components from different suppliers. One area which may be particularly susceptible to interoperability issues due to evolving requirements is restricted information identification, particularly in the context of log files.
Restricted information is a broad term that can encompass any data not freely available to all users. Restricted data can encompass, for example, Personally Identifiable Information (PII) of users, security information, and so on. Examples of PII include user names, contact telephone numbers, addresses, birth dates, email addresses, and so on. In order to meet legal requirements, it may be necessary for network operators to handle restricted information differently from freely available information. Typically, restricted information may be included in general log files, which may necessarily be sent between various network components (for example, from network users to network management systems).
Generation and analysis of log files is important to ensuring the correct operation of a network, as the log information allows continuous monitoring of the network so that anomalous operations may be identified and addressed during or after runtime. In cloud native logging systems, the collection of log files is typically orchestrated by a cloud provider. Log files may be generated by a large number of different devices connected by a network; the generated log files are typically collected in a dedicated host that is secured and hardened against unauthorised access. A typical logging architecture utilises local storage of log files, subject to a retention period to avoid overload, as well as a centralized (remote) storage such as a log server to which log files are periodically sent.
When log files may contain restricted data, such as PII, it is desirable to identify any restricted data before using the log files (for example, to identify anomalous operations). When restricted data has been identified, steps may be taken to prevent inadvertent use or disclosure of this data. Suitable steps depend upon the nature of the restricted data; examples of steps (all of which may be applied to PII) include searching for further restricted data, and modification, deletion, or anonymization/pseudonymization of identified restricted data. Anonymization is a method that replaces original clear data with a value that is both unrelatable to the original data and permanently irretrievable. In pseudonymization, the information that can point to the identity of a subject is replaced by “pseudonyms” or identifiers. Unlike anonymization, pseudonymization is a reversible operation; the pseudonyms can be used to retrieve the original data.
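As an illustration of the distinction drawn above between anonymization and pseudonymization, the following Python example is added here; it is not part of the patent's description and not an implementation by the applicant. It assumes a hypothetical telephone number as the restricted value, a keyed HMAC as the pseudonym function and an in-memory dictionary as the re-identification table. It also adds a caveat that the description does not state: an unkeyed hash of a low-entropy value such as a telephone number is neither anonymization nor safe pseudonymization, because the value can be recovered by enumeration.

```python
import hashlib
import hmac
import secrets

SAMPLE_TEL = "01234567890"  # constructed sample value, treated as PII as in the description


def anonymize(value, kind="tel"):
    """Irreversible: the output keeps the data type but nothing derived from the value,
    so no key or table exists that could bring the original back."""
    return f"<{kind}:anonymized>"


class Pseudonymizer:
    """Reversible: a keyed HMAC gives each value a stable pseudonym, so one subscriber
    can still be correlated across log lines, and a separately held table maps the
    pseudonym back. The key and the table, not the log, are what must be protected."""

    def __init__(self, key=None):
        self.key = key or secrets.token_bytes(32)  # assumption: in practice from a KMS or HSM
        self.table = {}                             # pseudonym -> original, kept off the log server

    def pseudonymize(self, value, kind="tel"):
        digest = hmac.new(self.key, value.encode(), hashlib.sha256).hexdigest()[:16]
        pseudonym = f"<{kind}:{digest}>"
        self.table[pseudonym] = value
        return pseudonym

    def reidentify(self, pseudonym):
        return self.table[pseudonym]


def unkeyed_hash(value):
    """Not safe for either purpose: a plain hash of a low-entropy value such as a
    telephone number is recoverable by enumeration, as brute_force_unkeyed shows."""
    return hashlib.sha256(value.encode()).hexdigest()[:16]


def brute_force_unkeyed(target, prefix="0123456", digits=4):
    """Recover a number from its unkeyed hash by trying every value of the last digits."""
    for i in range(10 ** digits):
        candidate = prefix + str(i).zfill(digits)
        if unkeyed_hash(candidate) == target:
            return candidate
    return None


if __name__ == "__main__":
    p = Pseudonymizer()
    pseudonym = p.pseudonymize(SAMPLE_TEL)
    print(anonymize(SAMPLE_TEL), pseudonym, p.reidentify(pseudonym))
    print("unkeyed hash recovered:", brute_force_unkeyed(unkeyed_hash(SAMPLE_TEL)))
```

The reversibility of pseudonymization lives entirely in the key and the table, which is why both have to be held away from the log server and from the processed log files; the anonymized form retains only the data type and cannot be reversed by anyone, including the operator.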
US 2017/0149793 A1 discloses a computer-implemented method for anonymizing log entries that includes detecting a data pattern in a group of log entries documenting events performed by at least one process executing on at least one device and identifying, in the data pattern, at least one data field in the log entries that contains variable data. The method also includes evaluating the data field containing variable data to determine whether the data field contains sensitive data, and in response to determining whether the data field contains sensitive data, applying a data-anonymization policy to the data field to anonymize the log entries.
In order to allow restricted data to be identified, entities that generate log data (referred to herein as log producers) may apply tags to the restricted data. The nature of log producers in a network is determined by the type of network; using the example of a telecommunications network, log producers may include user equipments, base stations, core network nodes, and so on. By assigning a tag to the restricted data, restricted data may be more easily identified and differentiated from the rest of the data in log files. The tags may be applied by log producers, or by a component separate from the log producers, before the log files are received by a log server. The collection of tags used by a tag application component (such as a log producer) to identify different types of restricted data may be collectively referred to as a tag syntax. A hypothetical example of restricted data tagging is as follows: where a log file contains a telephone number 01234567890 and this telephone number is considered to be restricted data (PII in this example), instances of the text string “01234567890” in the log file may be replaced by the text string “[restricted-tel-no]01234567890[end-restricted-tel-no]”, where “[restricted-tel-no]” and “[end-restricted-tel-no]” are tags indicating the presence and nature of the restricted data (here, a telephone number). An equivalent tag in the same tag syntax used to identify an email address may be [restricted-email], for example.
The application of tags to log files is substantially more effective where the tags are known and understood by the log servers; returning to the example above, if the log server receiving the log file including the “[restricted-tel-no]01234567890[end-restricted-tel-no]” text string does not recognise the “[restricted-tel-no]” and “[end-restricted-tel-no]” tags, the restricted data may not be correctly identified. Where the tags are applied and interpreted by entities (such as a log producer or separate tag application component, and a log server, respectively) that form part of a homogeneous cloud, both entities will typically understand the tag syntax and therefore the restricted data may effectively be identified. However, where the tags are applied and interpreted by entities that form part of a heterogeneous cloud, the tag syntaxes may originate from different suppliers (and/or network customers) and accordingly a tag syntax used by a log producer may not be understood by a log server. Even where a log server may be aware of a tag syntax, the log server may not easily be able to determine that the tag syntax has been applied to a log file. There is no universally adopted tag syntax convention.
If log servers attempt to process log files potentially containing restricted information without knowledge of a tag syntax used in the log files, a piece of text representing a tag in a tag syntax may be misinterpreted or not identified as a tag, which may result in errors of interpretation of the restricted data, potentially including inadvertent exposure of the restricted data. In order to reduce the risk of inadvertent exposure of restricted data, the mediation layer of a Network Manager may be employed. All log files may pass through the mediation layer before arrival at a log server, such that the mediation layer can transform the proprietary tag syntaxes into a normalized tag syntax that is well known to and recognised by log servers. Although use of a mediation layer in this way may reduce the risk of inadvertent exposure of restricted data, it represents a potentially huge bottleneck in the processing of log files and may substantially slow that processing. A further alternative providing a way to reduce the risk of inadvertent exposure of restricted data is to provide the log servers with a constantly updated list of which tag syntax type is used by which log producer. Producing a constantly updated list would require continuous synchronization of the log servers with information about the log producers potentially running in the cloud. Any mistake in the synchronization may result in exposure of restricted data.
Summary
It is desirable to avoid mishandling of restricted data in log files while also avoiding undue delays in log file processing.
This summary is provided to introduce a selection of concepts in a simplified form that are further described below in the detailed description. This summary is not intended to identify key features or essential features of the claimed subject matter, nor is it intended to be used to limit the scope of the claimed subject matter. For the avoidance of doubt, the scope of the claimed subject matter is defined by the claims.
It is an object of the present disclosure to provide methods and apparatus for data handling, and particularly methods and apparatus for identification of restricted information in a network, that allow timely and accurate identification of restricted information.
Embodiments of the disclosure aim to provide methods and apparatus that alleviate some or all of the problems identified above.
An aspect of the disclosure provides a method for restricted information identification in a network comprising a log server and a restricted information management system. The method comprises determining, by the restricted information management system, one or more tag syntaxes used in log files to identify restricted information, wherein the log files are generated by a plurality of log producers. The method further comprises assigning, by the restricted information management system, a tag syntax identifier to each of the one or more tag syntaxes, and generating a tag syntax database associating each of the one or more tag syntaxes with the assigned tag syntax identifier. The method further comprises providing, by the restricted information management system: to each of the plurality of log producers, the tag syntax identifiers for the tag syntax used by that log producer; and to the log server, the tag syntax database. Through use of the method, it may not be necessary to apply tag normalization to log files between log producers and log servers, thereby avoiding undue delays in log processing and increasing system efficiency. Further, the identification of restricted information during the processing of log files may be simplified by allowing tag syntaxes to be identified by reading a single attribute from log files (the tag syntax identifier) rather than extracting other information, such as a log producer identifier, and matching this other information with potentially large log producers lists.
In some embodiments, the step of determining the one or more tag syntaxes may comprise obtaining, by the restricted information management system, tag syntax information from each of the plurality of log producers. The tag syntax information from each log producer may detail the tag syntax used by that log producer. In this way, the tag syntax information may be efficiently obtained by the restricted information management system at a suitable interval. In some embodiments, the network may comprise a further log server, and the restricted information management system may provide tag syntax databases to each of the log server and the further log server. Further, the tag syntax databases provided to each of the log server and the further log server may be the same, and may associate each of the one or more tag syntaxes with the assigned tag syntax identifier for all of the tag syntaxes used by log producers in the network. Alternatively, the tag syntax database provided to the log server may associate each of the one or more tag syntaxes with the assigned tag syntax identifier for the tag syntaxes used by log producers served by the log server; and the tag syntax database provided to the further log server may associate each of the one or more tag syntaxes with the assigned tag syntax identifier for the tag syntaxes used by log producers served by the further log server. In this way, the system may be tailored to minimise the number of entries in the tag syntax databases provided to the plural log servers, or may be tailored to minimise the number of tag syntax databases to be maintained.
In some embodiments, the network may be a telecommunications network that utilises virtual network functions (VNF) hosted in a heterogeneous cloud architecture, the heterogeneous cloud architecture comprising the log server and at least one of the plurality of log producers. Embodiments may be particularly well suited to restricted information management in telecommunications networks using heterogeneous cloud architectures, wherein a large number of tag syntaxes may be in use such that restricted information identification may be a substantial issue.
A further aspect of the disclosure provides a restricted information management system for restricted information identification in a network, the network further comprising a log server. The restricted information management system comprises processing circuitry and a memory containing instructions executable by the processing circuitry. The restricted information management system is operable to determine one or more tag syntaxes used in log files to identify restricted information, wherein the log files are generated by a plurality of log producers, and to assign a tag syntax identifier to each of the one or more tag syntaxes. The restricted information management system is further operable to generate a tag syntax database associating each of the one or more tag syntaxes with the assigned tag syntax identifier, and to provide: to each of the plurality of log producers, the tag syntax identifier for the tag syntax used by that log producer; and to the log server, the tag syntax database. The restricted information management system may provide some or all of the advantages discussed above in the context of the restricted information management methods.
Further aspects provide systems and computer-readable media comprising instructions for performing the methods set out above.
Brief Description of Drawings
For a better understanding of the present disclosure, and to show how it may be put into effect, reference will now be made, by way of example only, to the accompanying drawings, in which:
Figure 1 is a schematic diagram of a network architecture;
Figure 2 is a flowchart illustrating a method in accordance with embodiments;
Figure 3A is a schematic diagram of a restricted information management system in accordance with embodiments;
Figure 3B is a schematic diagram of a restricted information management system in accordance with further embodiments; and
Figure 4 is a schematic diagram of a portion of a network comprising a restricted information management system.
Detailed Description
For the purpose of explanation, details are set forth in the following description in order to provide a thorough understanding of the embodiments disclosed. It will be apparent, however, to those skilled in the art that the embodiments may be implemented without these specific details or with an equivalent arrangement.
Figure 2 is a flowchart of a method in accordance with embodiments. The method may be performed by any suitable apparatus. Examples of suitable apparatus for performing the method shown in Figure 2 are the restricted information management systems 30A and 30B shown schematically in Figure 3A and Figure 3B respectively; the restricted information management systems 30A and 30B may collectively be referred to using reference sign 30. As discussed above, the method may also be performed by any other suitable component or components, such as a further network component. The restricted information management system 30A as shown in Figure 3A may execute steps of the method in accordance with a computer program stored in a memory 32, executed by a processor 31 in conjunction with one or more interfaces 33. The restricted information management system 30B may execute steps of the method using determinator 34, assignor 35, generator 36 and transceivers 37, 38. The restricted information management systems 30A and 30B may also be configured to execute the steps of other embodiments, as discussed in detail below. The method may be executed in any suitable network, for example, telecommunications networks in which log producers may frequently become part of or leave the network. For the reasons discussed above, the method is particularly well suited to use in telecommunications networks utilising VNFs hosted in a heterogeneous cloud architecture, as the heterogeneous nature of the cloud architecture typically increases the number of different tag syntaxes used relative to a homogeneous architecture.
A restricted information management system may be located between log file producers and log servers, for example, in a network manager. In some embodiments the restricted information management system may be a cloud native system, distributed across a plurality of different hardware units. Figure 3A and Figure 3B show the restricted information management systems as single apparatuses; while the restricted information management systems may be implemented in a single apparatus, this is not necessarily the case.
As shown in step S201 of Figure 2, the method comprises determining tag syntaxes used by a plurality of log producers in log files. The determination may comprise obtaining, by the restricted information management system, tag syntax information from each of the plurality of log producers, wherein the tag syntax information from each log producer details the tag syntax used by that log producer. The tag syntax information may be collected at any suitable opportunity by the restricted information management system; for example, the tag syntax information may be obtained by the restricted information management system when log producers register with the network. In some embodiments, the tag syntax information may be sent as part of the registration process. Additionally or alternatively, the restricted information management system may send requests to one or more log producers for the tag syntax information. Where requests are used by the restricted information management system to obtain the tag syntax information, these requests may be sent on any suitable occasion, for example, with a given periodicity, when an attribute change notification is received from the log producer, and so on. In some embodiments, the restricted information management system may obtain the tag syntax information directly from the log producers. The restricted information management system may also obtain the tag syntax information from one or more further components; for example, the network may comprise a database to which log producers can write tag syntax information for the restricted information management system to read. The step of determining tag syntaxes may be performed in accordance with a computer program stored in a memory 32, executed by a processor 31 in conjunction with one or more interfaces 33, as illustrated by Figure 3A. Alternatively, the step of determining tag syntaxes may be performed by a determinator 34 as shown in Figure 3B.
In some embodiments, such as the example shown in Figure 3B, the restricted information management system may comprise a Privacy Tag Collector (PTC); where the restricted information management system includes a PTC, the PTC may determine the tag syntax information. The determined tag syntax information may be stored in a database forming part of, or accessible by, the restricted information management system.
In step S202 the restricted information management system assigns a tag syntax identifier to each of the one or more tag syntaxes for which information has been obtained. The tag syntax identifiers need not be assigned at the same time; each time a new tag syntax is identified (for example, from tag syntax information) a new tag syntax identifier may be assigned. Typically, although not necessarily, the tag syntax identifiers may be numerical values allowing the rapid identification of tag syntaxes. However, the form of the tag syntax identifiers is limited only in that each should uniquely identify a tag syntax, to prevent confusion between tag syntaxes (that is, there is a 1:1 relationship between tag syntaxes and tag syntax identifiers). The step of assigning tag syntax identifiers may be performed in accordance with a computer program stored in a memory 32, executed by a processor 31 in conjunction with one or more interfaces 33, as illustrated by Figure 3A. Alternatively, the step of assigning tag syntax identifiers may be performed by an assignor 35 as shown in Figure 3B. In some embodiments, such as the example shown in Figure 3B, the restricted information management system may comprise a PTC; where the restricted information management system includes a PTC, the PTC may assign tag syntax identifiers.
In step S203 the restricted information management system generates a tag syntax database. The tag syntax database is used to associate each of the one or more tag syntaxes with the tag syntax identifier assigned in step S202. The database may be stored in any suitable format. The step of generating the tag syntax database may be performed in accordance with a computer program stored in a memory 32, executed by a processor 31 in conjunction with one or more interfaces 33, as illustrated by Figure 3A. Alternatively, the step of generating the tag syntax database may be performed by a generator 36 as shown in Figure 3B. In some embodiments, such as the example shown in Figure 3B, the restricted information management system may comprise a Privacy Information Adapter (PIA); where the restricted information management system includes a PIA, the PIA may generate the tag syntax database; this process may comprise exchanging information with the PTC using transceivers 37 and 38 as shown in Figure 3B where a PTC is also present.
In some embodiments, a network may comprise plural log servers, where different log servers are used by different log producers among the plurality of log producers. Where plural log servers are present, the restricted information management system may be configured to generate a single tag syntax database containing information on all of the tag syntaxes identified as being used by log producers in the network; this database may subsequently be provided to all of the plural log servers (see step S205), resulting in a given log server potentially receiving tag syntax information relating to tag syntaxes which none of the log producers using the given log server use. Although this option is simpler to implement, it may therefore result in log servers receiving unnecessary information. Alternatively, the restricted information management system may generate plural tag syntax databases, for example, one for each log server. The tag syntax database provided to each given log server may then associate each of the one or more tag syntaxes with the assigned tag syntax identifier for the tag syntaxes used by log producers served by that given log server (and omit tag syntax information for tag syntaxes not used by log producers using the given server). Where plural tag syntax databases are used, the log servers are less likely to receive unnecessary information, however additional work may be required from the restricted information management system to generate plural databases.
As shown in steps S204 and S205, the method further comprises providing to each of the log producers the tag syntax identifier for the tag syntax used by the log producer, and also providing to the log server (or servers, as discussed above) the tag syntax database(s). The steps of providing the tag syntax identifiers and providing the tag syntax database may be performed in accordance with a computer program stored in a memory 32, executed by a processor 31 in conjunction with one or more interfaces 33, as illustrated by Figure 3A. Alternatively, the steps of providing the tag syntax identifiers and providing the tag syntax database may be performed by the transceivers 37 and 38 as shown in Figure 3B. In some embodiments, such as the example shown in Figure 3B, the restricted information management system may comprise a PIA and a PTC; where a PIA and PTC are present, the PTC may provide the tag syntax identifiers and the PIA may provide the database(s). One or both of the tag syntax identifiers and tag syntax database(s) may be updated as required, for example, when a log producer switches tag syntax or when a new log producer using a new tag syntax becomes part of the network. It is not necessary to maintain a database linking log producers with tag syntaxes; the tag syntax database(s) are significantly simpler to use and keep up to date than such a database linking log producers with tag syntaxes would be.
In some embodiments, the method may further comprise sending, by one or more log producers, log files to one or more log servers. The log files received by the log server(s) comprise the tag syntax identifier corresponding to the tag syntax used in the log file. The tag syntax identifier may be added to the log file by the log producer, or added to the log file by a logging utility after the generation of the log file by the log producer. It is not necessary for any further component to be located between the log producer and the log server; the log files may be sent directly between the two. When the log server or servers receive one or more log files (including the tag syntax identifiers), the log server or servers may then use the tag syntax database(s) received from the restricted information management system to identify the tag syntax used in each of the one or more log files; the identification is based on the tag syntax identifiers included in the log files. Once the tag syntax used in each of the one or more log files has been identified, the log files can then be processed. The processing can include any steps taken by the log server; typically, knowledge of the tag syntax used in a log file is useful for processes such as anonymizing and/or pseudonymizing restricted information in the one or more log files, as discussed above.
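The procedure described above (identifier assignment in S202, the single-database and per-server-database options of S203, the identifier carried in the log file after S204, and the log server's lookup before pseudonymization), as an added Python example that is not part of the patent: the two tag syntaxes, the server/producer topology and the keyed-hash pseudonym are assumptions.

```python
import hashlib
import hmac
import re

# Hypothetical tag syntaxes (the patent names none); each regex captures the
# tagged restricted value in a named group so the log server can locate it.
TAG_SYNTAXES = {
    "bracket": re.compile(r"\[PII:(?P<value>[^\]]*)\]"),
    "xml": re.compile(r"<pii>(?P<value>.*?)</pii>"),
}


def assign_identifiers(syntaxes):
    """Step S202: give every determined tag syntax a short identifier."""
    return {name: f"TS{n:02d}" for n, name in enumerate(sorted(syntaxes), start=1)}


def build_global_database(ids):
    """Step S203, single-database option: identifier -> syntax for all syntaxes."""
    return {ts_id: name for name, ts_id in ids.items()}


def build_server_databases(ids, producers_by_server):
    """Step S203, per-server option: each log server only gets the syntaxes
    used by the producers it serves. producers_by_server maps
    server -> {producer: syntax name} (constructed topology, see below)."""
    return {
        server: {ids[name]: name for name in set(producers.values())}
        for server, producers in producers_by_server.items()
    }


def emit_log(syntax_name, ids, lines):
    """Log producer side: the identifier received in step S204 is written as
    the first line of the log file, so nothing between producer and server
    has to rewrite or normalize tags."""
    return f"tag-syntax-id: {ids[syntax_name]}\n" + "\n".join(lines) + "\n"


def pseudonymize(log_file, database, key):
    """Log server side: read the single identifier attribute, resolve the
    syntax through the database received in step S205, and replace every
    tagged value with a keyed-hash pseudonym (same value -> same pseudonym)."""
    header, body = log_file.split("\n", 1)
    ts_id = header.split(":", 1)[1].strip()
    if ts_id not in database:
        # Stale or per-server database: this server was never told about the
        # syntax, so the file cannot be processed safely (see the update note).
        raise ValueError(f"unknown tag syntax identifier {ts_id}")
    pattern = TAG_SYNTAXES[database[ts_id]]

    def pseudonym(match):
        digest = hmac.new(key, match.group("value").encode(), hashlib.sha256)
        return f"[PSEUDO:{digest.hexdigest()[:12]}]"

    return pattern.sub(pseudonym, body)


# Constructed network: two log servers, three log producers, two syntaxes.
PRODUCERS_BY_SERVER = {
    "log-server-1": {"ue-1": "bracket", "gnb-7": "bracket"},
    "log-server-M": {"core-3": "xml"},
}

if __name__ == "__main__":
    ids = assign_identifiers(TAG_SYNTAXES)
    dbs = build_server_databases(ids, PRODUCERS_BY_SERVER)
    log = emit_log("bracket", ids, ["attach imsi=[PII:123456789012345]",
                                    "detach imsi=[PII:123456789012345]"])
    print(pseudonymize(log, dbs["log-server-1"], b"constructed-key"))
```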
Figure 4 is a schematic diagram of a portion of a network (specifically a telecommunications network) comprising a restricted information management system 501, in accordance with an embodiment. In the embodiment shown in Figure 4, the restricted information management system comprises a PTC 502 and a PIA 503. The restricted information management system of Figure 4 does not comprise a database storing the determined tag syntax information; instead, this information is stored in a database 504 accessible by the restricted information management system. The portion of the network shown in Figure 4 also includes plural log producers 505 and plural log servers 506. The log producers may be, for example, user equipments, base stations, core network nodes, etc. The log servers in the Figure 4 example are of different types (types 1 and M) and are configured to process the log files in different ways from one another; for example, one could perform an anonymization process on restricted information and the other a pseudonymization process. Arrows in Figure 4 indicate the process of obtaining tag syntaxes from the log producers by the PTC of the restricted information management system, the provision of tag syntax identifiers to the log producers and of tag syntax database(s) to the log servers by the PTC and PIA respectively, and so on.
Embodiments may allow log file processing to be optimised, as generated log files can be stored without any manipulation after the log file is generated and the tag type added; that is, it is not necessary to intercept each log file, for instance for applying tag normalization, between the log producer and log server. Also, embodiments may simplify the identification of restricted information such as PII during the processing of log files (for example anonymization/pseudonymization) by allowing tag syntaxes to be identified by reading a single attribute from log files (the tag syntax identifier) rather than extracting other information, such as a log producer identifier, and matching this other information against potentially large log producer lists. Embodiments may also obviate the need to maintain potentially large and frequently updated log producer lists at all.
In general, the various exemplary embodiments may be implemented in hardware or special purpose circuits, software, logic or any combination thereof. For example, some embodiments may be implemented in hardware, while other embodiments may be implemented in firmware or software which may be executed by a controller, microprocessor or other computing device, although the disclosure is not limited thereto. While various aspects of the exemplary embodiments of this disclosure may be illustrated and described as block diagrams, flow charts, or using some other pictorial representation, it is well understood that these blocks, apparatus, systems, techniques or methods described herein may be implemented in, as non-limiting examples, hardware, software, firmware, special purpose circuits or logic, general purpose hardware or controller or other computing devices, or some combination thereof.
As such, it should be appreciated that at least some aspects of the exemplary embodiments of the disclosure may be practiced in various components such as integrated circuit chips and modules. It should thus be appreciated that the exemplary embodiments of this disclosure may be realized in an apparatus that is embodied as an integrated circuit, where the integrated circuit may comprise circuitry (as well as possibly firmware) for embodying at least one or more of a data processor, a digital signal processor, baseband circuitry and radio frequency circuitry that are configurable so as to operate in accordance with the exemplary embodiments of this disclosure.
It should be appreciated that at least some aspects of the exemplary embodiments of the disclosure may be embodied in computer-executable instructions, such as in one or more program modules, executed by one or more computers or other devices. Generally, program modules include routines, programs, objects, components, data structures, etc. that perform particular tasks or implement particular abstract data types when executed by a processor in a computer or other device. The computer executable instructions may be stored on a computer readable medium such as a hard disk, optical disk, removable storage media, solid state memory, RAM, etc. As will be appreciated by one of skill in the art, the function of the program modules may be combined or distributed as desired in various embodiments. In addition, the function may be embodied in whole or in part in firmware or hardware equivalents such as integrated circuits, field programmable gate arrays (FPGA), and the like.
References in the present disclosure to “one embodiment”, “an embodiment” and so on, indicate that the embodiment described may include a particular feature, structure, or characteristic, but it is not necessary that every embodiment includes the particular feature, structure, or characteristic. Moreover, such phrases are not necessarily referring to the same embodiment. Further, when a particular feature, structure, or characteristic is described in connection with an embodiment, it is submitted that it is within the knowledge of one skilled in the art to implement such feature, structure, or characteristic in connection with other embodiments whether or not explicitly described.
It should be understood that, although the terms “first”, “second” and so on may be used herein to describe various elements, these elements should not be limited by these terms. These terms are only used to distinguish one element from another. For example, a first element could be termed a second element, and similarly, a second element could be termed a first element, without departing from the scope of the disclosure. As used herein, the term “and/or” includes any and all combinations of one or more of the associated listed terms.
The terminology used herein is for the purpose of describing particular embodiments only and is not intended to limit the present disclosure. As used herein, the singular forms “a”, “an” and “the” are intended to include the plural forms as well, unless the context clearly indicates otherwise. It will be further understood that the terms “comprises”, “comprising”, “has”, “having”, “includes” and/or “including”, when used herein, specify the presence of stated features, elements, and/or components, but do not preclude the presence or addition of one or more other features, elements, components and/or combinations thereof. The terms “connect”, “connects”, “connecting” and/or “connected” used herein cover the direct and/or indirect connection between two elements.
The present disclosure includes any novel feature or combination of features disclosed herein either explicitly or any generalization thereof. Various modifications and adaptations to the foregoing exemplary embodiments of this disclosure may become apparent to those skilled in the relevant arts in view of the foregoing description, when read in conjunction with the accompanying drawings. However, any and all modifications will still fall within the scope of the non-limiting and exemplary embodiments of this disclosure. For the avoidance of doubt, the scope of the disclosure is defined by the claims.

Claims

1. A method for restricted information identification in a network comprising a log server and a restricted information management system, the method comprising: determining, by the restricted information management system, one or more tag syntaxes used in log files to identify restricted information, wherein the log files are generated by a plurality of log producers; assigning, by the restricted information management system, a tag syntax identifier to each of the one or more tag syntaxes; generating, by the restricted information management system, a tag syntax database associating each of the one or more tag syntaxes with the assigned tag syntax identifier; providing, by the restricted information management system to each of the plurality of log producers, the tag syntax identifiers for the tag syntax used by that log producer; and providing, by the restricted information management system to the log server, the tag syntax database.
2. The method of claim 1, further comprising sending, by a log producer from among the plurality of log producers, a log file to the log server, wherein the log file received by the log server comprises the tag syntax identifier corresponding to the tag syntax used in the log file.
3. The method of claim 2, wherein the tag syntax identifier is added to the log file by the log producer, or wherein the tag syntax identifier is added to the log file by a logging utility after the generation of the log file by the log producer.
4. The method of any preceding claim, wherein the step of determining the one or more tag syntaxes comprises obtaining, by the restricted information management system, tag syntax information from each of the plurality of log producers, wherein the tag syntax information from each log producer details the tag syntax used by that log producer.
5. The method of claim 4, wherein the tag syntax information is sent to the restricted information management system by a log producer from among the plurality of log producers when the log producer registers with the network.
6. The method of any of claims 4 and 5, wherein the tag syntax information is sent to the restricted information management system by a log producer from among the plurality of log producers when the restricted information management system sends a request for the tag syntax information.
7. The method of claim 6, wherein the restricted information management system sends the request for the tag syntax information periodically and/or in response to receiving an attribute change notification from a log producer.
8. The method of any preceding claim, wherein the network comprises a further log server, and wherein the restricted information management system provides tag syntax databases to each of the log server and the further log server.
9. The method of claim 8, wherein the tag syntax databases provided to each of the log server and the further log server are the same, and associate each of the one or more tag syntaxes with the assigned tag syntax identifier for all of the tag syntaxes used by log producers in the network.
10. The method of claim 8, wherein: the tag syntax database provided to the log server associates each of the one or more tag syntaxes with the assigned tag syntax identifier for the tag syntaxes used by log producers served by the log server; and the tag syntax database provided to the further log server associates each of the one or more tag syntaxes with the assigned tag syntax identifier for the tag syntaxes used by log producers served by the further log server.
11. The method of any preceding claim, further comprising: receiving, by the log server, one or more log files from the plurality of log producers; identifying, by the log server, tag syntaxes used in the one or more log files using the tag syntax database; and processing the one or more log files using the identified tag syntaxes.
12. The method of claim 11, wherein the processing comprises identifying and anonymizing and/or pseudonymizing restricted information in the one or more log files.
13. The method of any preceding claim, wherein the network is a telecommunications network.
14. The method of claim 13, wherein the telecommunications network utilises virtual network functions, VNF, hosted in a heterogeneous cloud architecture, the heterogeneous cloud architecture comprising the log server and at least one of the plurality of log producers.
15. A restricted information management system for restricted information identification in a network, the network further comprising a log server, the restricted information management system comprising processing circuitry and a memory containing instructions executable by the processing circuitry, whereby the restricted information management system is operable to: determine one or more tag syntaxes used in log files to identify restricted information, wherein the log files are generated by a plurality of log producers; assign a tag syntax identifier to each of the one or more tag syntaxes; generate a tag syntax database associating each of the one or more tag syntaxes with the assigned tag syntax identifier; provide to each of the plurality of log producers the tag syntax identifiers for each of the tag syntaxes used by that log producer; and provide to the log server the tag syntax database.
16. The restricted information management system of claim 15, wherein, when determining the one or more tag syntaxes, the restricted information management system is configured to obtain tag syntax information from each of the plurality of log producers, wherein the tag syntax information from each log producer details the tag syntax used by that log producer.
17. The restricted information management system of claim 16, wherein the tag syntax information is received by the restricted information management system from a log producer from among the plurality of log producers when the log producer registers with the network.
18. The restricted information management system of any of claims 16 and 17, wherein, prior to receiving the tag syntax information from a log producer from among the plurality of log producers, the restricted information management system is configured to send a request for the tag syntax information.
19. The restricted information management system of claim 18, wherein the restricted information management system is configured to send the request for the tag syntax information periodically and/or in response to receiving an attribute change notification from a log producer.
20. The restricted information management system of any of claims 15 to 19, wherein the network comprises a further log server, and wherein the restricted information management system is configured to provide tag syntax databases to each of the log server and the further log server.
21. The restricted information management system of claim 20, wherein the restricted information management system is configured to provide tag syntax databases to each of the log server and the further log server that are the same, and wherein the provided tag syntax databases associate each of the one or more tag syntaxes with the assigned tag syntax identifier for all of the tag syntaxes used by log producers in the network.
22. The restricted information management system of claim 20, configured to provide: a tag syntax database to the log server that associates each of the one or more tag syntaxes with the assigned tag syntax identifier for the tag syntaxes used by log producers served by the log server; and a further tag syntax database to the further log server that associates each of the one or more tag syntaxes with the assigned tag syntax identifier for the tag syntaxes used by log producers served by the further log server.
23. The restricted information management system of any of claims 15 to 23, wherein the network is a telecommunications network.
24. The restricted information management system of claim 23, wherein the telecommunications network utilises virtual network functions, VNF, hosted in a heterogeneous cloud architecture, the heterogeneous cloud architecture comprising the log server and at least one of the plurality of log producers.
25. A network comprising the restricted information management system of any of claims 15 to 24, wherein the network further comprises a log server and a plurality of log producers.
26. The network of claim 25, wherein the network is a telecommunications network and the plurality of log producers comprise at least one of: user equipments, base stations, core network nodes.
27. A restricted information management system for restricted information identification in a network, the network further comprising a log server, the restricted information management system comprising: a determinator configured to determine one or more tag syntaxes used in log files to identify restricted information, wherein the log files are generated by a plurality of log producers; an assignor configured to assign a tag syntax identifier to each of the one or more tag syntaxes; a generator configured to generate a tag syntax database associating each of the one or more tag syntaxes with the assigned tag syntax identifier; and a transceiver configured to provide to each of the plurality of log producers the tag syntax identifiers for each of the tag syntaxes used by that log producer, and to provide to the log server the tag syntax database.
28. A computer-readable medium comprising instructions which, when executed on a computer, cause the computer to perform a method in accordance with any of claims 1 to 14.
PCT/EP2021/072416 2021-08-11 2021-08-11 Handling of logged restricted information based on tag syntax allocation WO2023016641A1 (en)


Publications (1)

Publication Number Publication Date
WO2023016641A1 true WO2023016641A1 (en) 2023-02-16



Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application

Ref document number: 21758693

Country of ref document: EP

Kind code of ref document: A1

NENP Non-entry into the national phase

Ref country code: DE