WO2023099113A1 - Open radio access network blocking policy - Google Patents

Open radio access network blocking policy

Info

Publication number
WO2023099113A1
Authority
WO
WIPO (PCT)
Prior art keywords
blocking
temporary
network node
identifier
information
Application number
PCT/EP2022/080814
Other languages
English (en)
Inventor
Jan Eriksson
Patrik Karlsson
Jan Lindgren
Original Assignee
Telefonaktiebolaget Lm Ericsson (Publ)

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04W WIRELESS COMMUNICATION NETWORKS
    • H04W12/00 Security arrangements; Authentication; Protecting privacy or anonymity
    • H04W12/60 Context-dependent security
    • H04W12/69 Identity-dependent
    • H04W12/75 Temporary identity
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/10 Network architectures or network communication protocols for network security for controlling access to devices or network resources
    • H04L63/102 Entity profiles
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04W WIRELESS COMMUNICATION NETWORKS
    • H04W12/00 Security arrangements; Authentication; Protecting privacy or anonymity
    • H04W12/12 Detection or prevention of fraud
    • H04W12/121 Wireless intrusion detection systems [WIDS]; Wireless intrusion prevention systems [WIPS]
    • H04W12/122 Counter-measures against attacks; Protection against rogue devices
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04W WIRELESS COMMUNICATION NETWORKS
    • H04W12/00 Security arrangements; Authentication; Protecting privacy or anonymity
    • H04W12/60 Context-dependent security
    • H04W12/69 Identity-dependent
    • H04W12/79 Radio fingerprint

Definitions

  • This disclosure relates to an open radio access network (O-RAN) blocking policy.
  • Mobile wireless networks can be subject to so-called signaling storms, where user equipments (UEs) such as mobile phones or tablets intentionally or unintentionally cause network overload by using up bandwidth and/or computational resources.
  • Intentional signaling storms can be caused by, for example, applications, malware, and/or modified UEs, while unintentional signaling storms can be caused by software bugs.
  • The O-RAN specification recognizes the need for signaling storm protection and describes a use case for it using one or several so-called xApps communicating with a radio access network (RAN) over the O-RAN E2 interface, as described in O-RAN Working Group 1, Use Cases Detailed Specification, v05.00, chapter 3.15 (https://www.o-ran.org/specifications).
  • O-RAN E2 UE blocking can be performed either by enforcing an E2 POLICY on the RAN, which then performs the actual blocking itself, or by routing, via the E2 interface, UE connection attempts in the RAN through an xApp that decides whether the UE connection attempt should be blocked.
  • A mobile wireless network consists of a RAN, built up from a plurality of base stations (e.g., eNBs, gNBs, etc.), and a Core Network (CN).
  • UE blocking is preferably applied early (e.g., in the gNB in the RAN), before the UE starts communicating with the CN. Since the CN typically handles several base stations (e.g., gNBs), an affected CN will impact a larger area and/or more customers than an affected base station (e.g., gNB).
  • For blocking to be performed at the RAN, the identity of the UE must be known at the RAN.
  • However, the O-RAN E2 Policy mechanism used for blocking malicious UEs in the O-RAN storm protection use case mentioned above only supports permanent UE identities, as disclosed in O-RAN Working Group 3, Near-Real-time RAN Intelligent Controller, E2 Service Model (E2SM), RAN Control, v1.00, chapters 6.6, 7.3.2, 9.2.1.1.1, 9.3.26 (not yet published) and O-RAN Working Group 3, Near-Real-time RAN Intelligent Controller, E2 Service Model (E2SM), v02.00, chapter 6.2.2.6 (https://www.o-ran.org/specifications).
  • The permanent UE identity is known only to the UE and the CN.
  • The RAN does not know, and for security reasons preferably should not know, the permanent UE identity; the RAN knows only the temporary UE identity.
  • Consequently, it is not possible to use existing O-RAN E2 specification signaling to protect the CN from malicious UEs.
  • In the existing solution, a blocking policy is also static over time, which reduces its flexibility. Furthermore, there is no way to obtain information over E2 about the E2 policies in the RAN once they have been set; it is the responsibility of the O-RAN xApp to keep track of the policies it has set in the RAN. If for some reason the xApp loses the information about those policies, it cannot query the RAN about them, and thus it cannot remove the policies in the RAN once they are set.
  • A method performed by a network node comprises obtaining blocking policy information that comprises (i) a list of one or more blocking policies and (ii) a list of one or more temporary user equipment (UE) identifiers (e.g., a 5G S-TMSI or a combination of multiple UE properties) identifying at least one UE to which one of the blocking policies is to be applied.
  • The method further comprises receiving a network access request transmitted by a first UE, wherein the network access request includes a first temporary UE identifier identifying the first UE.
  • The method further comprises determining, using the obtained blocking policy information, whether to accept or reject the network access request.
  • The method further comprises transmitting towards the first UE a message (e.g., an RRC connection release message) indicating the determination of whether to accept or reject the network access request.
  • A method performed by a blocking entity comprises obtaining UE information about one or more user equipments (UEs) (e.g., an update on the 5G S-TMSI of a UE) and/or core network (CN) information about a CN (e.g., a load condition of the CN).
  • The method further comprises determining, using the obtained UE information and the obtained CN information, blocking policy information that comprises (i) a list of one or more blocking policies and (ii) a list of one or more temporary UE identifiers (e.g., a 5G S-TMSI or a combination of multiple UE properties) identifying at least one UE to which one of the blocking policies is to be applied.
  • The method further comprises transmitting the determined blocking policy information towards a network node (e.g., a RAN).
  • A method performed by a core network comprises receiving a query message (i) including a temporary UE identifier identifying a candidate UE to be blocked and (ii) indicating that a blocking policy will be applied to the candidate UE, wherein the message was transmitted by a blocking entity.
  • The method further comprises, after receiving the query message, transmitting towards the blocking entity a response message indicating whether the application of the blocking policy to the candidate UE is permitted.
  • A computer program comprising instructions which, when executed by processing circuitry of a network node, cause the network node to perform the method of any one of the above embodiments.
  • A network node configured to perform the method of any one of the above embodiments.
  • A network node comprising memory and processing circuitry, wherein the network node is configured to perform the method of any one of the above embodiments.
  • Embodiments of this disclosure provide signaling storm load protection for the RAN.
  • The protection may be used to prevent malicious UEs from causing a signaling storm while continuing to allow access for well-behaved UEs.
  • Figure 1 shows a system according to some embodiments.
  • Figure 2 shows a process for establishing a network connection.
  • Figure 3 shows a message flow diagram according to some embodiments.
  • Figure 4 shows a message flow diagram according to some embodiments.
  • Figure 5 shows a process according to some embodiments.
  • Figure 6 shows a process according to some embodiments.
  • Figure 7 shows a process according to some embodiments.
  • Figure 8 shows an apparatus according to some embodiments.
  • Some embodiments of this disclosure provide UE blocking at a base station by supporting UE blocking based on temporary UE identifiers.
  • Each of the temporary UE identifiers may be either a 5G Serving Temporary Mobile Subscriber Identity (5G-S-TMSI) or a UE trace ID (proprietary trace information generated at the base station).
  • The UE trace ID is a locally generated ID for a UE. It may be used for following the UE between internal parts of the network node (e.g., a base station) and even between network nodes (e.g., base stations) for a limited time. It is assigned when a UE connects and is deprecated when the UE goes to IDLE mode. Instead of the 5G-S-TMSI or the UE trace ID, a group of UE property values related to properties of a UE may be used as the temporary UE identifier.
  • The properties may include any one or a combination of a Timing Advance (TA) value, an angle of arrival (AoA), an angle of departure (AoD), a beam index, a connected cell, and a base station identifier identifying the base station (e.g., a gNB).
  • Some embodiments of this disclosure provide various UE blocking logics (e.g., different conditions for applying the UE blocking policies). For example, some embodiments provide partial blocking, time limited blocking, intensity based blocking, and establishment cause based blocking. In partial blocking, only a percentage of all connection attempts (per UE or per group of UEs, defined by, for example, a combination of UE properties and/or one or more geographical areas (i.e., one or more zones)) is blocked. In time limited blocking, a UE's connection attempts that occur in a given time interval are blocked.
  • In intensity based blocking, connection attempts are blocked if the number of connection attempts per second exceeds a threshold value.
  • The connection attempts may be associated with an individual UE, a particular number of UEs, or a group of UEs included in a zone.
  • In establishment cause based blocking, there may be provided a list of UEs that are allowed to make UE connection attempts with a particular establishment cause and/or a list of UEs that are not allowed to make UE connection attempts with a particular establishment cause.
  • The current O-RAN specification does not support querying the UE blocking policies that are currently implemented at a base station.
  • Some embodiments of this disclosure provide a method of querying some or all of the UE blocking policies currently used at the base station, the status of a single UE blocking policy, and the information about each of the UE blocking policies.
  • The information about UE connection attempts may be aggregated over time and over UEs before it is reported from the base station to the blocking entity.
  • The base station may report the aggregated information about UE connection attempts only after a configurable time period has passed or a condition is satisfied.
  • The condition may be that the total number of UE connection attempts made by a particular UE, by all UEs connected to the base station, or by all UEs in a zone exceeds a configurable threshold value.
  • A blocking policy is a set of one or more rules related to blocking one or more UEs' attempts to access a radio access network (RAN) and/or a core network corresponding to the RAN.
  • A rule may indicate a blocking condition for blocking UE access attempt(s).
  • A blocking condition may indicate any one or more of: a type or a characteristic of the UE access attempts that are to be blocked, a ratio of the number of access attempts to be blocked to the total number of access attempts, a time interval during which UE access attempts are to be blocked, etc.
  • FIG. 1 shows a system 100 according to some embodiments.
  • The system 100 may comprise a plurality of UEs 102, a plurality of RANs 104 formed by a plurality of network nodes 114 (e.g., base stations such as eNBs, gNBs, etc.), a plurality of CNs 106, a Near Real-Time RAN Intelligent Controller (Near-RT RIC) 108 hosting one or more xApps, and a Non-Real-Time Intelligent Controller (Non-RT RIC) 112 hosting one or more rApps.
  • The Non-RT RIC 112 may be a part of the Service Management and Orchestration (SMO) system.
  • Each of the network nodes may be a single physical or software entity or a combination of multiple physical or software entities that are distributed in a cloud.
  • The UEs 102 may be in the Radio Resource Control (RRC) IDLE state. In such scenarios, the UEs 102 may attempt to access the RANs using the Physical Random Access Channel (PRACH).
  • Figure 2 shows a RACH procedure 200 for setting up a network connection between the UE 102 and the network node 114 (e.g., a base station such as a gNB, eNB, etc.).
  • The UE 102 may transmit towards the network node 114 a message (Msg) 1 — PRACH preamble — with a UE identifier.
  • The UE identifier may be randomly selected by the UE 102 from a group of identifiers provided to the UE 102 via RAN broadcast signaling.
  • The network node 114 may transmit towards the UE 102 a Msg2 — Random Access Response (RAR) — which may include a Temporary Cell Radio Network Temporary Identifier (TC-RNTI), a Timing Advance (TA) value, and a scheduling grant for Msg3.
  • The UE 102 may transmit towards the network node 114 the Msg3 — RRC setup request — which is identified by the TC-RNTI.
  • The Msg3 may contain a UE contention resolution identity, which may be a random number if the UE 102 is not registered in the Public Land Mobile Network (PLMN). If the UE 102 is registered in the PLMN, the UE contention resolution identity may be the 5G Serving Temporary Mobile Subscriber Identity (5G S-TMSI) part 1 value, which is the 39 rightmost bits of the 48-bit 5G S-TMSI value assigned by the CN 106.
  • The Msg3 may also include information about establishment cause(s) (e.g., emergency call establishment).
  • The network node 114 may transmit towards the UE 102 a Msg4 identified by the TC-RNTI.
  • The Msg4 may contain the UE contention resolution identity previously provided in the Msg3. If the network node 114 accepts the UE access request, the Msg4 may include an RRCSetup message.
  • If the Msg4 includes the RRCSetup message, the UE 102 is switched to the RRC connected state (mode) and the TC-RNTI value of the UE 102 is changed to a C-RNTI.
  • The C-RNTI is a RAN-internal identifier identifying an RRC connection and scheduling that is dedicated to the UE 102.
  • If the network node 114 rejects the access request, the Msg4 does not contain the RRCSetup message but contains an RRCReject message.
  • When the connection is accepted, the UE 102 may respond to the Msg4 by transmitting towards the network node 114 a Msg5, which may include the remaining 9 bits of the 5G S-TMSI value that were not previously transmitted to the network node 114 in the Msg3.
  • Figure 2 thus shows a process for setting up a network connection between the UE 102 and the network node 114.
  • Some embodiments provide a method for blocking the UE 102's attempt to connect to the network node 114 using a temporary UE identifier.
  • The method allows the network node 114 to block the UE 102's attempt to connect to the network node 114.
  • The network node 114 may obtain blocking policy information. For example, the network node 114 may receive the blocking policy information from a blocking entity (e.g., a blocking app), which may transmit it toward the network node 114 via the E2 interface.
  • Alternatively, the blocking policy information may be pre-stored in the network node 114.
  • The blocking policy information may comprise a list of one or more blocking policies and a list of one or more temporary UE identifiers identifying the UEs that are subject to the blocking policies. Additionally or alternatively, the list may include temporary UE identifiers identifying UEs whose blocking policies are to be removed/terminated. Each of the blocking policies may describe a condition for blocking access attempts.
  • Table 1 shown below illustrates an example of the blocking policy information. The example is provided in table format for illustration purposes only; the table format does not limit the format of the blocking policy information in any way.
  • A unique blocking policy may be associated with a unique temporary UE identifier that identifies one or more UEs.
  • When a UE having a particular temporary UE identifier attempts to access the network, the network node 114 may check whether that temporary UE identifier is included in the list of temporary UE identifiers included in the blocking policy information. If the particular temporary UE identifier does not match any of the temporary UE identifiers in the list, the network node 114 may allow the UE 102 to access the network, i.e., grant the access request.
  • If the particular temporary UE identifier matches one of the temporary UE identifiers in the list, the network node 114 may apply the blocking policy associated with the matched UE identifier.
  • The blocking policy may include a blocking condition.
  • The network node 114 may perform a blocking evaluation to determine whether the blocking condition has been satisfied. If the blocking condition is satisfied, the network node 114 may reject the network access request.
  • In that case, the network node 114 may not perform any CN-related signaling for the access attempts initiated by this UE and may initiate a release of this UE's RAN connection (RRC connection release). On the other hand, if the blocking condition is not satisfied, the network node 114 may accept the network access request.
  • For example, for an access attempt by the UE 102 having the temporary UE identifier #4, the network node 114 may first check whether the temporary UE identifier #4 is included in the list of temporary UE identifiers identifying UEs to which blocking policies are to be applied. Since the UE identifier #4 is included in the list, the network node 114 may identify the blocking policy #4 — blocking access attempts occurring in a particular time interval. Here, there is a blocking condition — that the access attempts must occur within the particular time interval — for blocking the access attempt. Then the network node 114 may evaluate whether the blocking condition has been satisfied.
  • If the access attempt by the UE 102 having the temporary UE identifier #4 did not occur within the time interval, the network node 114 may treat the access attempt as any regular access attempt that is not subject to blocking. On the other hand, if the access attempt occurred within the time interval, the network node 114 may reject the access attempt (e.g., by transmitting toward the UE an RRC connection release message).
  • The temporary UE identifiers included in the blocking policy information may be provided in different formats.
  • In some embodiments, each of the temporary UE identifiers included in the blocking policy information is a 5G S-TMSI.
  • In such embodiments, the network node 114 may retrieve the 5G S-TMSI of the UE 102 that is attempting to connect to the network node 114.
  • As described above, the UE 102 transmits toward the network node 114 the Msg3 and the Msg5, which together include all the bits of the 5G S-TMSI. Thus, the network node 114 is able to identify the 5G S-TMSI of the UE 102 that is attempting to connect to the network node 114.
  • In other embodiments, a group of property values related to properties of the UE 102 may be used to identify one or more UEs.
  • Identifying a UE using such a group of property values is referred to as UE fingerprint identification.
  • The properties may include any one or a combination of the following: a Timing Advance (TA) value, an angle of arrival, an angle of departure, a beam index, a cell identifier identifying a cell to which a UE is connected, or a base station identifier identifying a base station to which a UE is connected.
  • The timing of blocking the access request may vary based on the type of temporary UE identifier used for blocking. For example, in case the 5G S-TMSI is used as the temporary UE identifier for blocking, since both the Msg3 and the Msg5 are needed to retrieve the full bits of the 5G S-TMSI, the blocking of the access request may only occur after the transmission/receipt of the Msg5.
  • In other cases (e.g., when a group of UE property values is used as the temporary UE identifier), the blocking of the access request may occur before the transmission/receipt of the Msg5.
  • In some embodiments, the temporary UE identifier used for blocking may simply identify one or more characteristics of one or more behaviors of a UE.
  • For example, the temporary UE identifier may specify a number of access attempts made during a given time interval. In such embodiments, all UEs showing such behavior characteristics are subject to the blocking.
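As an added illustration (not code from the patent or from Ericsson), the following Python sketch models the network node's evaluation of the blocking logics listed above: the list of temporary UE identifiers (a 5G S-TMSI or a fingerprint tuple of UE property values), the four blocking conditions, and the Msg3/Msg5 split of the 48-bit 5G S-TMSI that delays an S-TMSI-keyed decision until Msg5. The class and method names, the policy encoding, the constructed identifiers, and the deterministic 1-in-N stand-in for percentage-based partial blocking are assumptions of the example.

```python
# Added example (not from the patent): a RAN node evaluating blocking policies keyed by
# temporary UE identifiers, including the Msg3/Msg5 split of the 5G S-TMSI.
from dataclasses import dataclass
from typing import Hashable

S_TMSI_BITS, PART1_BITS = 48, 39          # Msg3 carries the 39 rightmost bits (part 1)
PART2_BITS = S_TMSI_BITS - PART1_BITS     # Msg5 carries the remaining 9 bits


def split_s_tmsi(s_tmsi: int) -> tuple[int, int]:
    """Split a 48-bit 5G S-TMSI into the Msg3 part 1 (39 LSBs) and the Msg5 remainder (9 MSBs)."""
    if not 0 <= s_tmsi < 1 << S_TMSI_BITS:
        raise ValueError("5G S-TMSI must fit in 48 bits")
    return s_tmsi & ((1 << PART1_BITS) - 1), s_tmsi >> PART1_BITS


def join_s_tmsi(part1: int, part2: int) -> int:
    """Reassemble the full 5G S-TMSI once both Msg3 and Msg5 have been received."""
    return (part2 << PART1_BITS) | part1


@dataclass(frozen=True)
class BlockingPolicy:
    """One row of a Table-1-style policy list; only the fields relevant to `kind` are used."""
    kind: str                                   # partial | time_limited | intensity | cause
    percent: int = 0                            # partial: share of attempts to block
    interval: tuple[float, float] = (0.0, 0.0)  # time_limited: [start, end) in seconds
    max_per_second: int = 0                     # intensity: attempts-per-second threshold
    blocked_causes: frozenset = frozenset()     # cause: establishment causes not allowed


class NetworkNode:
    """gNB-side enforcement: identifier in list? -> policy condition met? -> reject/accept."""

    def __init__(self, policies: dict[Hashable, BlockingPolicy]):
        self.policies = policies   # key: int 5G S-TMSI or a tuple of UE property values
        self.history: dict[Hashable, list[float]] = {}   # attempt timestamps per identifier
        self.reports: list[tuple] = []                   # blocking status towards the entity

    def _condition_met(self, p: BlockingPolicy, key, now: float, cause: str) -> bool:
        attempts = self.history.setdefault(key, [])
        attempts.append(now)
        n = len(attempts) - 1                            # 0-based index of this attempt
        if p.kind == "partial":      # deterministic share instead of a random draw (assumption)
            return (n * p.percent) % 100 < p.percent
        if p.kind == "time_limited":
            return p.interval[0] <= now < p.interval[1]
        if p.kind == "intensity":    # attempts within the last second exceed the threshold
            return sum(1 for t in attempts if now - 1.0 < t <= now) > p.max_per_second
        if p.kind == "cause":
            return cause in p.blocked_causes
        raise ValueError(f"unknown policy kind {p.kind}")

    def evaluate(self, key, now: float, cause: str = "mo-Data") -> str:
        policy = self.policies.get(key)
        if policy is None:
            return "accept"          # not in the list: regular attempt, normal CN signaling
        if self._condition_met(policy, key, now, cause):
            self.reports.append(("blocked", key, now))      # e.g. report 326 in Figure 3
            return "reject"          # RRC connection release, no CN-related signaling
        self.reports.append(("granted", key, now))          # subject to a policy but let through
        return "accept"

    def on_msg3(self, fingerprint: tuple, now: float, cause: str) -> str:
        """Only part 1 of the S-TMSI is known at Msg3, so a fingerprint-keyed policy can be
        applied now while an S-TMSI-keyed policy must wait for Msg5."""
        if fingerprint in self.policies:
            return self.evaluate(fingerprint, now, cause)
        return "pending-msg5"

    def on_msg5(self, part1: int, part2: int, now: float, cause: str) -> str:
        return self.evaluate(join_s_tmsi(part1, part2), now, cause)


def demo() -> dict:
    """Constructed identifiers and policies; returns the per-scenario decisions."""
    x, z, w = 0xABCDEF012345, 0x0000000000FF, 0x7FFFFFFFFFFF   # constructed 48-bit S-TMSIs
    fp = (12, 3, 101)                     # constructed fingerprint: (TA, beam index, cell id)
    node = NetworkNode({
        x: BlockingPolicy("intensity", max_per_second=2),
        fp: BlockingPolicy("time_limited", interval=(100.0, 200.0)),
        z: BlockingPolicy("cause", blocked_causes=frozenset({"mo-Data"})),
        w: BlockingPolicy("partial", percent=50),
    })
    p1, p2 = split_s_tmsi(x)
    return {
        "msg3_waits": node.on_msg3((1, 1, 1), 10.0, "mo-Data"),
        "intensity": [node.on_msg5(p1, p2, t, "mo-Data") for t in (10.0, 10.2, 10.4)],
        "fingerprint": [node.on_msg3(fp, t, "mo-Data") for t in (150.0, 250.0)],
        "cause": [node.evaluate(z, 1.0, c) for c in ("emergency", "mo-Data")],
        "partial": [node.evaluate(w, 2.0) for _ in range(4)],
        "unlisted": node.evaluate(0x1234, 3.0),
        "reports": len(node.reports),
    }
```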
  • Figure 3 shows a message flow diagram 300 showing the messages exchanged for a network access attempt by the UE 102.
  • The UE 102 may transmit towards the network node 114 a UE access attempt message 312 that includes the 5G S-TMSI.
  • The network node 114 may transmit towards the blocking entity 350 a report message 314 indicating that the UE 102 has attempted to access the network node 114.
  • The UE 102 may communicate with the CN 106 using the 5G S-TMSI.
  • The UE 102 may transmit towards the network node 114 another UE access attempt message 316 that includes the 5G S-TMSI.
  • The blocking entity 350 may determine that one or more UEs whose 5G S-TMSI has the value x need to be blocked (e.g., because the one or more UEs are considered to be malicious).
  • The blocking entity 350 may then provide blocking policy information 320 towards the network node 114.
  • The blocking policy information 320 may include the 5G S-TMSI having the value x and one or more blocking policies associated with that 5G S-TMSI.
  • The network node 114 may receive a UE access attempt message 322 transmitted by the UE 102.
  • The message 322 may include the 5G S-TMSI having the value x.
  • Based on the blocking policy information 320, the network node 114 may reject the access attempt by the UE 102.
  • The network node 114 may transmit towards the UE 102 a connection release message 324 releasing the RRC connection (without performing any communication towards the CN 106).
  • The network node 114 may transmit towards the blocking entity 350 a report 326 indicating that the network node 114 has rejected the access request made by the UE 102 associated with the 5G S-TMSI having the value x.
  • Alternatively, the blocking entity 350 may determine that one or more UEs having a unique combination of property values related to properties of UEs need to be blocked (e.g., because the one or more UEs are considered to be malicious).
  • In that case, the blocking entity 350 may provide towards the network node 114 blocking policy information that includes a particular combination of UE property values and one or more blocking policies associated with that combination.
  • The network node 114 may receive a UE access attempt message 322 transmitted by the UE 102.
  • The message 322 may indicate the particular combination of UE property values.
  • Based on the blocking policy information, the network node 114 may reject the access attempt by the UE 102. In this case, the network node 114 may transmit towards the UE 102 an RRC reject message (instead of the connection release message 324) rejecting the access request.
  • A blocking policy needs to be applied to the correct UE.
  • However, the CN 106 dynamically updates the temporary UE identifier (e.g., the 5G S-TMSI) associated with a UE and signals the updated 5G S-TMSI to the UE via non-access stratum (NAS) signaling (encrypted signaling that is not normally available to the RAN).
  • Thus, the blocking entity 350 needs to know the updated temporary UE identifier of the UE.
  • In some embodiments, the blocking entity 350 may acquire information about the change of the temporary UE identifier associated with a UE. Note that the blocking entity 350 is not involved in deciding whether to change the temporary UE identifier associated with a UE; the CN 106 makes that decision. Accordingly, in some embodiments, the blocking entity 350 may be subscribed to the CN 106 regarding a change of the temporary UE identifier associated with a particular UE.
  • For example, the blocking entity 350 may transmit toward the CN 106 a subscription request for subscribing to a change of the temporary UE identifier associated with a particular UE. After the blocking entity 350 is subscribed to the change, when the CN 106 changes/updates the temporary UE identifier of the particular UE, the CN 106 notifies the blocking entity 350 of the update, so that the blocking entity 350 can keep track of the changes of the temporary UE identity of the particular UE (without knowing the permanent UE identity).
  • After being notified, the blocking entity 350 may transmit toward the network node 114 new policy information indicating a new policy that includes the updated temporary UE identifier, and terminate the existing policy associated with the old temporary UE identifier.
  • Alternatively, the blocking entity 350 may transmit towards the network node 114 a dedicated temporary UE identifier update signal for updating the temporary UE identifier associated with the old UE blocking policy, such that the old UE blocking policy becomes associated with the updated temporary UE identifier.
  • Figure 4 shows a message flow diagram 400 according to some embodiments.
  • In Figure 4, the CN 106 transmits towards the blocking entity 350 an update message 402 indicating that the temporary UE identifier (e.g., 5G S-TMSI) of the UE 102 has been changed to “y” (note that the temporary UE identifier has been changed from “x” to “y”).
  • Upon receiving the update message 402, the blocking entity 350 may update the blocking policy associated with the UE 102 such that the blocking policy previously associated with the temporary UE identifier “x” is now associated with the temporary UE identifier “y”. Once the blocking policy is updated, the blocking entity 350 may transmit towards the network node 114 a new blocking policy message 404 indicating a blocking policy and the temporary UE identifier “y” that is associated with the indicated blocking policy.
  • As described above, the network node 114 may receive the blocking policy information transmitted by the blocking entity 350 (e.g., a blocking app).
  • The blocking entity 350 may decide whether to apply a particular blocking policy (i.e., whether to include a particular blocking policy in the blocking policy information) based on one or more inputs. The following are examples of such inputs.
  • CN information. One example of the inputs is information regarding the CN 106 (“CN information”). Since one of the functions of RAN blocking is to help the CN 106 handle signaling overload storms, CN information such as the load experienced by the CN 106 (e.g., a current signaling and/or processing load condition) may be used to determine whether to apply a blocking policy.
  • The CN 106 may determine whether a signaling overload and/or a processing overload has occurred at the CN 106. As a result of determining that a signaling overload or a processing overload has occurred, the CN 106 may report the occurrence of such overload to the blocking entity 350.
  • Alternatively, the CN 106 may periodically report to the blocking entity 350 a signaling load condition and/or a processing load condition of the CN 106. Based on the received signaling load condition and/or processing load condition, the blocking entity 350 may decide whether to apply a particular blocking policy. For example, if the signaling load condition and/or the processing load condition is greater than or equal to a threshold value, the blocking entity 350 may decide to apply a particular blocking policy.
  • Information about access attempts. Another example of the inputs is information about the access attempts one or more UEs have made.
  • The blocking entity 350 may need information about access attempts (e.g., the number of access attempts made by one or more UEs) associated with a particular UE (that is associated with a temporary UE identifier).
  • The information about access attempts may also include a time reference at some level (e.g., the exact timings of the access attempts or a time period within which a plurality of access attempts were made), to be able to quantify the access intensity per UE.
  • The information about access attempts may be provided to the blocking entity 350 directly from the network node 114 or the CN 106, indirectly via a mediator (e.g., a non-real-time RIC over the A1 interface), or by listening to and extracting it directly from the transport between the RAN and the CN 106.
  • Using this information, the blocking entity 350 may identify one or more UEs that have a high access intensity and apply different blocking policies to these UEs.
  • The application of different blocking policies may occur at all times or may occur only when the load on the CN 106 is high (e.g., when the load is greater than or equal to a load threshold value).
  • Blocking policy status. Another example of the inputs is the blocking policy status.
  • The blocking policy status may identify temporary UE identifiers identifying UEs that are subject to blocking policies and/or time stamps indicating the timings of blocking network access attempts made by those UEs.
  • In some embodiments, the network access requests are blocked by the network node 114 internally (i.e., the access requests are blocked internally in the RAN).
  • In such embodiments, the network node 114 may need to inform the blocking entity 350 about the currently blocked accesses — e.g., the 5G S-TMSIs identifying the UEs whose access attempts were blocked and time stamps indicating the timings of blocking the network access attempts.
  • The blocking policy status may also include temporary UE identifiers (e.g., 5G S-TMSIs) identifying UEs whose access attempts have been granted even though the UEs are subject to blocking policies.
  • Through the blocking policy status, the blocking entity 350 may learn the impacts of applying the blocking policies.
  • For example, the blocking entity 350 may detect when the access attempts from a specific UE that is subject to a blocking policy have decreased and, based on the detection, may remove or change the blocking policy for that specific UE.
  • Blocked 5G S-TMSI. Another example of the inputs is temporary UE identifiers (e.g., 5G S-TMSI) identifying UEs to which blocking policies are applied.
  • the blocking entity 350 may need to be able to inform the CN 106 that it has applied or it wants to apply a blocking policy for a specific 5G S-TMSI (UE).
  • the CN 106 may approve or disapprove the application of the blocking policy for the specific 5G S-TMSI.
  • Radio Characteristics. Another example of the inputs is radio characteristics. To be able to fingerprint a (malicious) user, the network node 114 needs to be able to provide radio characteristics of a user to the blocking entity 350. Examples of the radio characteristics are the Timing Advance (TA) value, Angle of Arrival (AoA), Angle of Departure (AoD), cell info, etc.
  • the blocking entity 350 may not be able to correctly estimate the total network access load (e.g., the total number of network access requests the UE made during a given time interval) of a UE because the total network access load for the UE is distributed among multiple temporary UE identifiers associated with the UE. Table 2 below illustrates such a scenario.
  • the blocking entity 350 may correlate the five different temporary UE identifiers #1-#5 to the same UE such that the blocking entity 350 may determine that M+N+O+X+Y network access requests were made by the same UE during a given time interval.
  • the sum of M, N, O, X, and Y corresponds to the total network access load of the UE.
  • the blocking entity 350 may transmit towards the CN 106 a request for subscription to a change of the temporary UE identifier associated with a particular UE (e.g., a particular malicious UE).
  • the CN 106 may notify the blocking entity 350 about the change of the temporary UE identifier of the particular UE, thereby enabling the blocking entity 350 to correlate different temporary UE identifiers to the same UE.
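The correlation described above (Table 2 and the subscription to identifier changes), as an added Python example that is not code from the patent or from Ericsson: a blocking entity keeps one access counter per UE and, on each change notification from the CN, folds the new identifier into the UE it already knows. The counts M, N, O, X, Y, the identifiers and the threshold are constructed sample values.

```python
from collections import defaultdict

class BlockingEntity:
    """Blocking entity side: correlate temporary UE identifiers to one UE."""

    def __init__(self, load_threshold):
        self.load_threshold = load_threshold   # attempts per interval tolerated per UE
        self.same_ue = {}                      # temp UE id -> earlier id of the same UE
        self.attempts = defaultdict(int)       # earliest known id -> attempts in interval

    def _root(self, tmsi):
        # Follow the chain of identifier changes back to the first identifier seen.
        while tmsi in self.same_ue:
            tmsi = self.same_ue[tmsi]
        return tmsi

    def on_access_report(self, tmsi, count):
        """Access attempt information from the network node for one identifier."""
        self.attempts[self._root(tmsi)] += count

    def on_identifier_change(self, old, new):
        """Subscription notification from the CN: the UE's 5G S-TMSI changed old -> new."""
        root_old, root_new = self._root(old), self._root(new)
        if root_old == root_new:
            return
        self.same_ue[root_new] = root_old
        # Attempts already reported under the new identifier belong to the same UE.
        self.attempts[root_old] += self.attempts.pop(root_new, 0)

    def total_load(self, tmsi):
        return self.attempts[self._root(tmsi)]

    def candidates_for_blocking(self):
        """UEs whose correlated load exceeds the threshold (keyed by earliest id)."""
        return sorted(ue for ue, n in self.attempts.items() if n > self.load_threshold)

def demo():
    be = BlockingEntity(load_threshold=100)
    counts = {"#1": 30, "#2": 25, "#3": 40, "#4": 20, "#5": 35}  # M, N, O, X, Y (constructed)
    for tmsi, n in counts.items():
        be.on_access_report(tmsi, n)
    be.on_access_report("#Z", 60)                 # an unrelated UE
    uncorrelated = be.candidates_for_blocking()   # per identifier nothing exceeds 100
    for old, new in (("#1", "#2"), ("#2", "#3"), ("#3", "#4"), ("#4", "#5")):
        be.on_identifier_change(old, new)         # notifications from the CN
    return uncorrelated, be.total_load("#5"), be.candidates_for_blocking()
```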
  • FIG. 5 shows a process 500 performed by the network node 114 according to some embodiments.
  • the process 500 may begin with step s502.
  • Step s502 comprises obtaining blocking policy information that comprises (i) a list of one or more blocking policies and (ii) a list of one or more temporary user equipment (UE) identifiers (e.g., 5G S-TMSI, a combination of multiple UE properties) identifying at least one UE to which one of the blocking policies is to be applied.
  • Step s504 comprises receiving a network access request transmitted by a first UE, wherein the network access request includes a first temporary UE identifier identifying the first UE.
  • Step s506 comprises, using the obtained blocking policy information, determining whether to accept or reject the network access request.
  • Step s508 comprises transmitting towards the first UE a message (e.g., an RRC connection release message) indicating the determination of whether to accept or reject the network access request.
  • the one or more temporary UE identifiers are 5G Serving Temporary Mobile Subscriber Identities (5G S-TMSIs), and the first temporary UE identifier is a 5G S-TMSI.
  • the one or more temporary UE identifiers is a group of a plurality of property values related to properties of at least one UE, and the first temporary UE identifier is a first group of property values related to properties of the first UE.
  • the properties of said at least one UE and/or the properties of the first UE include any one or a combination of preamble power, a Timing Advance (TA) value, an angle of arrival, an angle of departure, a beam index, a cell identifier identifying a cell to which a UE is connected, or a base station identifier identifying a base station to which a UE is connected.
  • the method further comprises transmitting towards a blocking entity the first group of property values related to the properties of the first UE.
  • determining whether to accept or reject the network access request comprises checking whether the first temporary UE identifier is included in the list of temporary UE identifiers; and based at least on the checking, determining whether to accept or reject the network access request.
  • the blocking condition specifies any one or more of the following: that the total number of network access attempts the first UE made to the network node during a time interval exceeds a threshold value, or that the network access request includes information indicating a particular establishment cause (e.g., an emergency call establishment).
  • obtaining the blocking policy information comprises receiving the blocking policy information transmitted by a blocking entity.
  • the method further comprises receiving updated blocking policy information that comprises a second temporary UE identifier identifying the first UE, wherein the updated blocking policy information was sent by the blocking entity; and switching the first temporary UE identifier with the second temporary UE identifier.
  • the method further comprises transmitting toward a blocking entity a blocked list of one or more temporary UE identifiers identifying blocked UEs and blocked timing information indicating the timings of blocking network access attempts made by the blocked UEs.
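The RAN-side enforcement of process 500 (steps s502 to s508, the identifier switch from updated policy information, and the blocked list with blocking timings), written out as an added Python example; it is not code from the patent or from Ericsson. The policy structure, the class names, the sample identifiers, the timestamps and the establishment cause values are constructed for illustration.

```python
from collections import defaultdict
from dataclasses import dataclass

@dataclass(frozen=True)
class BlockingPolicy:
    max_attempts: int                 # attempts tolerated within the interval
    interval: float                   # length of the time interval in seconds
    causes: frozenset = frozenset()   # establishment causes that trigger rejection

@dataclass
class BlockingPolicyInfo:
    policies: dict                    # policy id -> BlockingPolicy (list (i) of s502)
    targets: dict                     # temporary UE identifier -> policy id (list (ii))

class NetworkNode:
    def __init__(self, info):
        self.info = info
        self.attempts = defaultdict(list)   # temporary UE id -> attempt timestamps
        self.blocked = []                   # (temporary UE id, timestamp) of rejections

    def handle_access_request(self, tmsi, cause, now):
        """Steps s504-s508: decide ACCEPT or REJECT for one access request."""
        self.attempts[tmsi].append(now)
        policy_id = self.info.targets.get(tmsi)
        if policy_id is None:                # identifier not listed: no policy applies
            return "ACCEPT"
        policy = self.info.policies[policy_id]
        window = [t for t in self.attempts[tmsi] if now - t <= policy.interval]
        self.attempts[tmsi] = window         # keep only attempts inside the interval
        if len(window) > policy.max_attempts or cause in policy.causes:
            self.blocked.append((tmsi, now)) # recorded for the blocked list report
            return "REJECT"                  # signalled as e.g. an RRC connection release
        return "ACCEPT"

    def switch_identifier(self, old, new):
        """Updated policy information from the blocking entity: same UE, new 5G S-TMSI."""
        policy_id = self.info.targets.pop(old, None)
        if policy_id is not None:
            self.info.targets[new] = policy_id
        self.attempts[new] = self.attempts.pop(old, []) + self.attempts.get(new, [])

    def blocked_list(self):
        """Blocked identifiers with blocking timings, to be sent to the blocking entity."""
        return list(self.blocked)

def demo():
    # Constructed sample: one policy, one targeted identifier, timestamps in seconds.
    info = BlockingPolicyInfo(
        policies={"p1": BlockingPolicy(max_attempts=3, interval=10.0,
                                       causes=frozenset({"mo-Signalling"}))},
        targets={"tmsi-A": "p1"})
    node = NetworkNode(info)
    results = [node.handle_access_request("tmsi-A", "mo-Data", t) for t in (0, 1, 2, 3)]
    results.append(node.handle_access_request("tmsi-B", "mo-Data", 3))    # not listed
    node.switch_identifier("tmsi-A", "tmsi-A2")                           # CN changed the S-TMSI
    results.append(node.handle_access_request("tmsi-A2", "mo-Data", 4))   # history follows the UE
    results.append(node.handle_access_request("tmsi-A2", "mo-Data", 20))  # interval elapsed
    results.append(node.handle_access_request("tmsi-A2", "mo-Signalling", 21))  # cause condition
    return results, node.blocked_list()
```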
  • FIG. 6 shows a process 600 performed by the blocking entity 350.
  • the process 600 may begin with step s602.
  • Step s602 comprises obtaining UE information about one or more user equipments (UEs) (e.g., an update on the 5G S-TMSI of a UE) and/or core network (CN) information about a CN (e.g., a load condition of the CN).
  • Step s604 comprises using the obtained UE information and the obtained CN information, determining blocking policy information that comprises (i) a list of one or more blocking policies and (ii) a list of one or more temporary user equipment (UE) identifiers (e.g., 5G S-TMSI, a combination of multiple UE properties) identifying at least one UE to which one of the blocking policies is to be applied.
  • Step s606 comprises transmitting towards a network node (e.g., RAN) the determined blocking policy information.
  • one or more of the blocking policies includes a blocking condition for rejecting a network access request.
  • the blocking condition specifies any one or more of the following: that the total number of network access attempts a UE made to the network node during a time interval exceeds a threshold value, or that a network access request transmitted by the UE towards the network node includes information indicating a particular establishment cause (e.g., an emergency call establishment).
  • the method further comprises transmitting towards the CN a subscription request for subscribing to a change of a temporary UE identifier of a particular UE; and after transmitting the subscription request, receiving a subscription notification indicating that the temporary UE identifier of the particular UE has been changed from a first temporary UE identifier to a second temporary UE identifier.
  • obtaining the CN information comprises receiving an overload occurrence message indicating that an overload condition has occurred at the CN and/or receiving periodically load information indicating a current load condition of the CN.
  • the UE information comprises any one or more of the following: a list of one or more temporary UE identifiers identifying UEs; a total number of network access attempts one or more UEs made during a given interval; or time information related to one or more of the network access attempts one or more UEs made during the given interval.
  • the method further comprises receiving a blocked list of one or more temporary UE identifiers identifying blocked UEs and blocked timing information indicating the timings of blocking network access attempts made by the blocked UEs, wherein the blocked list and the blocked timing information were sent by the network node.
  • the method further comprises transmitting towards the CN a message (i) including a temporary UE identifier identifying a UE to be blocked and (ii) indicating that a blocking policy will be applied to the UE to be blocked.
  • the method further comprises transmitting towards the network node a request for current blocking policy information that comprises (i) a list of one or more blocking policies and (ii) a list of one or more temporary user equipment (UE) identifiers (e.g., 5G S-TMSI, a combination of multiple UE properties) identifying at least one UE to which one of the blocking policies is to be applied; and after transmitting the request, receiving the current blocking policy information transmitted by the network node.
  • obtaining the UE information about one or more UEs comprises periodically receiving values related to properties of said one or more UEs, and the values related to the properties of said one or more UEs were transmitted by the network node.
  • the properties of said one or more UEs include any one or a combination of preamble power, a Timing Advance (TA) value, an angle of arrival, an angle of departure, a beam index, a cell identifier identifying a cell to which a UE is connected, or a base station identifier identifying a base station to which a UE is connected.
  • FIG. 7 shows a process 700 performed by the core network 106.
  • the process 700 may begin with step s702.
  • Step s702 comprises receiving a query message (i) including a temporary UE identifier identifying a candidate UE to be blocked and (ii) indicating that a blocking policy will be applied to the candidate UE, wherein the message was transmitted by a blocking entity.
  • Step s704 comprises after receiving the message, transmitting towards the blocking entity a response message indicating to the blocking entity whether the application of the blocking policy to the candidate UE is permitted or not.
  • the response message includes one or more blocking conditions for applying the blocking policy to the candidate UE.
  • said one or more blocking conditions specify any one or more of the following: that the total number of network access attempts a UE made to a network node during a time interval exceeds a threshold value, or that a network access request a UE transmitted towards a network node includes information indicating a particular establishment cause (e.g., an emergency call establishment).
  • FIG. 8 is a block diagram of a network node (e.g., any one of the network node 114, the CN 106, and the blocking entity 350) according to some embodiments.
  • the network node may comprise: processing circuitry (PC) 802, which may include one or more processors (P) 855 (e.g., a general purpose microprocessor and/or one or more other processors, such as an application specific integrated circuit (ASIC), field-programmable gate arrays (FPGAs), and the like), which processors may be co-located in a single housing or in a single data center or may be geographically distributed (i.e., the network node may be a distributed computing apparatus); at least one network interface 848 comprising a transmitter (Tx) 845 and a receiver (Rx) 847 for enabling the network node to transmit data to and receive data from other nodes connected to a network 110 (e.g., an Internet Protocol (IP) network) to which network interface 848 is connected (direct
  • CPP 841 includes a computer readable medium (CRM) 842 storing a computer program (CP) 843 comprising computer readable instructions (CRI) 844.
  • CRM 842 may be a non-transitory computer readable medium, such as magnetic media (e.g., a hard disk), optical media, memory devices (e.g., random access memory, flash memory), and the like.
  • the CRI 844 of computer program 843 is configured such that when executed by PC 802, the CRI causes the network node to perform steps described herein (e.g., steps described herein with reference to one or more of the flow charts).
  • the network node may be configured to perform steps described herein without the need for code. That is, for example, PC 802 may consist merely of one or more ASICs. Hence, the features of the embodiments described herein may be implemented in hardware and/or software.

Abstract

The invention relates to a method performed by a network node. The method comprises obtaining blocking policy information that comprises (i) a list of one or more blocking policies and (ii) a list of one or more temporary user equipment (UE) identifiers identifying at least one UE to which one of the blocking policies is to be applied. The method further comprises receiving a network access request transmitted by a first UE. The network access request contains a first temporary UE identifier identifying the first UE. The method further comprises, using the obtained blocking policy information, determining whether to accept or reject the network access request, and transmitting towards the first UE a message indicating the determination of whether to accept or reject the network access request.
PCT/EP2022/080814 2021-12-01 2022-11-04 Open radio access network blocking policy WO2023099113A1 (fr)

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
US202163284853P 2021-12-01 2021-12-01
US63/284,853 2021-12-01

Publications (1)

Publication Number Publication Date
WO2023099113A1 true WO2023099113A1 (fr) 2023-06-08

Family

ID=84362673

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/EP2022/080814 WO2023099113A1 (fr) 2021-12-01 2022-11-04 Open radio access network blocking policy

Country Status (1)

Country Link
WO (1) WO2023099113A1 (fr)

Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
WO2016184505A1 (fr) * 2015-05-19 2016-11-24 Telefonaktiebolaget Lm Ericsson (Publ) Identification of misbehaving user equipment triggering a random access procedure
EP2553979B1 (fr) * 2010-03-26 2016-12-07 Telefonaktiebolaget LM Ericsson (publ) Access policy for a message posted in a mobile communication network
US20200359260A1 (en) * 2018-03-28 2020-11-12 Zte Corporation Methods and system for transmitting a temporary identifier
WO2021010693A1 (fr) * 2019-07-12 2021-01-21 Samsung Electronics Co., Ltd. Method and apparatus for identifying a user in a RAN communication system

Non-Patent Citations (1)

* Cited by examiner, † Cited by third party
Title
O-RAN WORKING GROUP 3: "RAN Control", article "Near-Real-time RAN Intelligent Controller, E2 Service Model (E2SM"

Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application

Ref document number: 22812655

Country of ref document: EP

Kind code of ref document: A1