WO2024083417A1 - Privacy protection in a wireless communication network - Google Patents

Abstract

Various aspects of the present disclosure relate to an exposure function in a wireless communication network, the exposure function comprising: at least one memory; and at least one processor coupled with the at least one memory and configured to cause the exposure function to: receive, from a second network function, NF, a request for data on which the second NF is to perform external analysis; determine a third NF for sending the request for data; and send, to the third NF, the request for data and an application ID associated with the second NF.

Description

PRIVACY PROTECTION IN A WIRELESS COMMUNICATION NETWORK

TECHNICAL FIELD

[0001] The subject matter disclosed herein relates generally to the field of implementing privacy protection in a wireless communication network. This document defines a network function, NF, in a wireless communication network, and a method performed thereby.

BACKGROUND

[0002] A wireless communications system may include one or multiple network communication devices, such as base stations, which may support wireless communications for one or multiple user communication devices, which may be otherwise known as user equipment (UE), or other suitable terminology. The wireless communications system may support wireless communications with one or multiple user communication devices by utilizing resources of the wireless communication system (e.g., time resources (e.g., symbols, slots, subframes, frames, or the like) or frequency resources (e.g., subcarriers, carriers, or the like). Additionally, the wireless communications system may support wireless communications across various radio access technologies including third generation (3G) radio access technology, fourth generation (4G) radio access technology, fifth generation (5G) radio access technology, among other suitable radio access technologies beyond 5G (e.g., sixth generation (6G)).

SUMMARY

[0003] An article “a” before an element is unrestricted and understood to refer to “at least one” of those elements or “one or more” of those elements. The terms “a,” “at least one,” “one or more,” and “at least one of one or more” may be interchangeable. As used herein, including in the claims, “or” as used in a list of items (e.g., a list of items prefaced by a phrase such as “at least one of’ or “one or more of’ or “one or both of’) indicates an inclusive list such that, for example, a list of at least one of A, B, or C means A or B or C or AB or AC or BC or ABC (i.e., A and B and C). Also, as used herein, the phrase “based on” shall not be construed as a reference to a closed set of conditions. For example, an example step that is described as “based on condition A” may be based on both a condition A and a condition B without departing from the scope of the present disclosure. In other words, as used herein, the phrase “based on” shall be construed in the same manner as the phrase “based at least in part on. Further, as used herein, including in the claims, a “set” may include one or more elements.

[0004] There is provided an exposure function in a wireless communication network, the exposure function comprising: at least one memory; and at least one processor coupled with the at least one memory and configured to cause the exposure function to: receive, from a second network function, NF, a request for data on which the second NF is to perform external analysis; determine a third NF for sending the request for data; and send, to the third NF, the request for data and an application ID associated with the second NF.

[0005] There is further provided A method performed by an exposure function in a wireless communication network, the method comprising: receiving, from a second network function, NF, a request for data on which the second NF is to perform external analysis; determining 803 a third NF for sending the request for data; and sending, to the third NF, the request for data and an application ID associated with the second NF.

BRIEF DESCRIPTION OF THE DRAWINGS

[0006] Figure 1 illustrates data collection and exposure of that data to 3rd party applications.

[0007] Figure 2 illustrates an example of a wireless communications system in accordance with aspects of the present disclosure.

[0008] Figure 3 illustrates a privacy protection procedure in accordance with aspects of the present disclosure.

[0009] Figure 4 illustrates a further privacy protection procedure in accordance with aspects of the present disclosure. [0010] Figure 5 illustrates a further privacy protection procedure in accordance with aspects of the present disclosure.

[0011] Figure 6 illustrates a further privacy protection procedure in accordance with aspects of the present disclosure.

[0012] Figure 7 illustrates a further privacy protection procedure in accordance with aspects of the present disclosure.

[0013] Figure 8 illustrates a flowchart of a method performed by an exposure function in accordance with aspects of the present disclosure.

[0014] Figure 9 illustrates an example of a user equipment (UE) in accordance with aspects of the present disclosure.

[0015] Figure 10 illustrates an example of a processor in accordance with aspects of the present disclosure.

[0016] Figure 11 illustrates an example of a network equipment (NE) or NF in accordance with aspects of the present disclosure.

DETAILED DESCRIPTION

[0017] 5G systems allow various kinds of data to be collected and processed (e.g., for network analytics, attack detection, security evaluation, security monitoring etc.). The data collected from different wireless network functions, entities, and UEs may contain privacy sensitive data including, but not limited to, Public IP Address, MAC Address, IMSI, GUTI, control plane parameters, subscriber names, email-addresses, cell ids and names with information about the area, operator’s user identities, location information from UE and BTS, etc.

[0018] If the collected privacy sensitive data is shared with processing teams or applications across geographical boundaries, country specific privacy requirements can get violated. [0019] Also, if the collected privacy sensitive data is shared with an external application function (e.g., a 3rd party application function) for any processing reasons, the privacy (i.e., privacy sensitive data of the subscriber, network, and/or network topology) will be impacted.

[0020] While collecting logs for operations and management, like syslogs, BTS snapshot logs, Trace data, Performance Metrics, configuration management data, or Fault Management data (alarms), from different network entities, it is possible that privacy sensitive information is included. If such privacy sensitive data is shared with processing teams or applications across geographical boundaries, country specific privacy requirements can get violated.

[0021] In a multi-vendor environment, management data may be shared between entities provided by different vendors. Data may be shared with 3rd party automated applications or processing teams located in different parts of the world. Country specific privacy requirements can get violated. Within the 3GPP Technical Specification Group Service and System Aspects (TSG SA), an objective of 3 GPP TSG SA WG3 (SA3) in Release 19 was to study these aspects.

[0022] Figure 1 illustrates a general system 100 in which data is collected and may be exposed to 3rd party applications for data analysis (e.g., network data analysis and/or security analysis for monitoring).

[0023] The system 100 comprises a first plurality of network entities 102, a second plurality of network entities 104, an operator’s network management system (NMS) or 0AM 106, a 3rd party analysis application 108 (such as SIEM), and a 3rd party or outsourced troubleshooting team 110.

[0024] At 112, management data collected from different network entities 102, 104 is sent to the operator’s NMS/OAM 106. This collected management data may include privacy sensitive information.

[0025] At 114, the management data may be sent to the 3rd party outsourced team 110 for analysis, and/or to the 3rd party automated analysis application 108. [0026] Thus, there is a risk that privacy sensitive data may be undesirably exposed to numerous unauthorized people/entities. Accordingly, privacy protection to ensure confidentiality of the data is beneficial.

[0027] As another example, in many organizations, Customer Support Teams and R&D teams are spread across the globe in different countries. Country specific regulations require protection of privacy sensitive information. Data shared outside of a mobile operator network may face security risks or, even when such data remains in the operator premises, the entity that collects it may be attacked. Accordingly, privacy protection to ensure confidentiality of the data is beneficial.

[0028] Prior art data collection and data analytics procedures are described in TS 23.288.

[0029] In some prior art applications, a NEF allows interaction with 3rd party application functions (AFs). The NEF performs authentication and authorization of the AFs.

[0030] However, there a several limitations to prior art solutions. For example, present 3 GPP data collection and network data analytics procedures do not involve data exposure to external applications to perform the data processing or analysis (e.g., network data analysis / analytics / security analysis for monitoring etc.). As such, prior art solutions tend not to consider privacy preservation or protection.

[0031] Embodiments described herein advantageously tend to enable privacy protection of the data collected for exposure to external analysis (e.g., for network data analysis / analytics (or) management data analysis / analytics (or) security evaluations/analysis for monitoring etc.) via an exposure function. The embodiments describe variants for applying privacy adaptations (i.e., conversion of privacy sensitive data to the privacy preserved/protected data and exposure to an application function external to the network in an untrusted domain).

[0032] Further embodiments described herein advantageously tend to enable privacy protection to the data collected for exposure to the external analysis by an Application Function residing in a trusted domain (e.g., for network data analysis / analytics (or) management data analysis / analytics (or) security evaluations/analysis for monitoring etc.). The embodiments describe variants for applying privacy adaptations (i.e., conversion of privacy sensitive data to the privacy preserved/protected data) and exposure to an application function.

[0033] Embodiments described herein illustrate a process of anonymization/pseudonymization of privacy sensitive data during the data collection and exposure process.

[0034] An embodiment described herein is a method to determine privacy adaptations based on privacy policies (e.g., which can be specific to Event IDs), and apply said privacy adaptations to data by the data producer (e.g., any Network Function, Application Function, or RAN node) to enable privacy protected data collection and exposure via an exposure function.

[0035] A further embodiment described herein is a method to determine privacy adaptations based on privacy policies (e.g., which can be specific to Event IDs), and apply said privacy adaptations over collected data by a data consumer/collector (e.g., any Network Function, Application Function, or Management function) to enable privacy protected data to be provided for external analysis via an exposure function.

[0036] A further embodiment described herein is a method to determine privacy adaptations based on privacy policies (e.g., which can be specific to Event IDs), and apply said privacy adaptations over collected data by the data exposure function (e.g., any Network Exposure Function, or Management exposure entity/function) to enable privacy protected data to be provided for external analysis via the exposure function.

[0037] A further embodiment described herein is a method to determine privacy adaptations based on privacy policies (e.g., which can be specific to Event IDs) and apply said privacy adaptations by the data producer (e.g., any Network Function, Application Function, or RAN node) to enable privacy protected data collection.

[0038] A further embodiment described herein is a method to determine based on privacy policies (e.g., which can be specific to Event IDs) and apply privacy adaptations over the collected data by the data consumer/collector (e.g., any Network Function, Application Function, Management function) to enable privacy protected data to be provided for external analysis.

[0039] Aspects of the present disclosure are described in the context of a wireless communications system.

[0040] Figure 2 illustrates an example of a wireless communications system 200 in accordance with aspects of the present disclosure. The wireless communications system 200 may include one or more NE 202, one or more UE 204, and a core network (CN) 206. The wireless communications system 200 may support various radio access technologies. In some implementations, the wireless communications system 200 may be a 4G network, such as an LTE network or an LTE- Advanced (LIE- A) network. In some other implementations, the wireless communications system 200 may be a NR network, such as a 5G network, a 5G- Advanced (5G-A) network, or a 5G ultrawideband (5G-UWB) network. In other implementations, the wireless communications system 200 may be a combination of a 4G network and a 5G network, or other suitable radio access technology including Institute of Electrical and Electronics Engineers (IEEE) 802.11 (Wi-Fi), IEEE 802.16 (WiMAX), IEEE 802.20. The wireless communications system 200 may support radio access technologies beyond 5G, for example, 6G. Additionally, the wireless communications system 200 may support technologies, such as time division multiple access (TDMA), frequency division multiple access (FDMA), or code division multiple access (CDMA), etc.

[0041] The one or more NE 202 may be dispersed throughout a geographic region to form the wireless communications system 200. One or more of the NE 202 described herein may be or include or may be referred to as a network node, a base station, a network element, a network function, a network entity, a radio access network (RAN), a NodeB, an eNodeB (eNB), a next-generation NodeB (gNB), or other suitable terminology. An NE 202 and a UE 204 may communicate via a communication link, which may be a wireless or wired connection. For example, an NE 202 and a UE 204 may perform wireless communication (e.g., receive signaling, transmit signaling) over a Uu interface.

[0042] An NE 202 may provide a geographic coverage area for which the NE 202 may support services for one or more UEs 204 within the geographic coverage area. For example, an NE 202 and a UE 204 may support wireless communication of signals related to services (e.g., voice, video, packet data, messaging, broadcast, etc.) according to one or multiple radio access technologies. In some implementations, an NE 202 may be moveable, for example, a satellite associated with a non-terrestrial network (NTN). In some implementations, different geographic coverage areas associated with the same or different radio access technologies may overlap, but the different geographic coverage areas may be associated with different NE 202.

[0043] The one or more UE 204 may be dispersed throughout a geographic region of the wireless communications system 200. A UE 204 may include or may be referred to as a remote unit, a mobile device, a wireless device, a remote device, a subscriber device, a transmitter device, a receiver device, or some other suitable terminology. In some implementations, the UE 204 may be referred to as a unit, a station, a terminal, or a client, among other examples. Additionally, or alternatively, the UE 204 may be referred to as an Internet-of-Things (loT) device, an Internet-of-Everything (loE) device, or machine-type communication (MTC) device, among other examples.

[0044] A UE 204 may be able to support wireless communication directly with other UEs 204 over a communication link. For example, a UE 204 may support wireless communication directly with another UE 204 over a device- to- device (D2D) communication link. In some implementations, such as vehicle-to-vehicle (V2V) deployments, vehicle-to-everything (V2X) deployments, or cellular-V2X deployments, the communication link may be referred to as a sidelink. For example, a UE 204 may support wireless communication directly with another UE 204 over a PC5 interface.

[0045] An NE 202 may support communications with the CN 206, or with another NE 202, or both. For example, an NE 202 may interface with other NE 202 or the CN 206 through one or more backhaul links (e.g., SI, N2, N2, or network interface). In some implementations, the NE 202 may communicate with each other directly. In some other implementations, the NE 202 may communicate with each other or indirectly (e.g., via the CN 206. In some implementations, one or more NE 202 may include subcomponents, such as an access network entity, which may be an example of an access node controller (ANC). An ANC may communicate with the one or more UEs 204 through one or more other access network transmission entities, which may be referred to as a radio heads, smart radio heads, or transmission-reception points (TRPs).

[0046] The CN 206 may support user authentication, access authorization, tracking, connectivity, and other access, routing, or mobility functions. The CN 206 may be an evolved packet core (EPC), or a 5G core (5GC), which may include a control plane entity that manages access and mobility (e.g., a mobility management entity (MME), an access and mobility management functions (AMF)) and a user plane entity that routes packets or interconnects to external networks (e.g., a serving gateway (S-GW), a Packet Data Network (PDN) gateway (P-GW), or a user plane function (UPF)). In some implementations, the control plane entity may manage non-access stratum (NAS) functions, such as mobility, authentication, and bearer management (e.g., data bearers, signal bearers, etc.) for the one or more UEs 204 served by the one or more NE 202 associated with the CN 206.

[0047] The CN 206 may communicate with a packet data network over one or more backhaul links (e.g., via an SI, N2, N2, or another network interface). The packet data network may include an application server. In some implementations, one or more UEs 204 may communicate with the application server. A UE 204 may establish a session (e.g., a protocol data unit (PDU) session, or the like) with the CN 206 via an NE 202. The CN 206 may route traffic (e.g., control information, data, and the like) between the UE 204 and the application server using the established session (e.g., the established PDU session). The PDU session may be an example of a logical connection between the UE 204 and the CN 206 (e.g., one or more network functions of the CN 206).

[0048] In the wireless communications system 200, the NEs 202 and the UEs 204 may use resources of the wireless communications system 200 (e.g., time resources (e.g., symbols, slots, subframes, frames, or the like) or frequency resources (e.g., subcarriers, carriers)) to perform various operations (e.g., wireless communications). In some implementations, the NEs 202 and the UEs 204 may support different resource structures. For example, the NEs 202 and the UEs 204 may support different frame structures. In some implementations, such as in 4G, the NEs 202 and the UEs 204 may support a single frame structure. In some other implementations, such as in 5 G and among other suitable radio access technologies, the NEs 202 and the UEs 204 may support various frame structures (i.e., multiple frame structures). The NEs 202 and the UEs 204 may support various frame structures based on one or more numerologies.

[0049] One or more numerologies may be supported in the wireless communications system 200, and a numerology may include a subcarrier spacing and a cyclic prefix. A first numerology (e.g., .=Q) may be associated with a first subcarrier spacing (e.g., 15 kHz) and a normal cyclic prefix. In some implementations, the first numerology (e.g., .=Q) associated with the first subcarrier spacing (e.g., 15 kHz) may utilize one slot per subframe. A second numerology (e.g., jU=l ) may be associated with a second subcarrier spacing (e.g., 30 kHz) and a normal cyclic prefix. A third numerology (e.g., .=2) may be associated with a third subcarrier spacing (e.g., 60 kHz) and a normal cyclic prefix or an extended cyclic prefix. A fourth numerology (e.g., jU=3) may be associated with a fourth subcarrier spacing (e.g., 120 kHz) and a normal cyclic prefix. A fifth numerology (e.g., /r=4) may be associated with a fifth subcarrier spacing (e.g., 240 kHz) and a normal cyclic prefix.

[0050] A time interval of a resource (e.g., a communication resource) may be organized according to frames (also referred to as radio frames). Each frame may have a duration, for example, a 10 millisecond (ms) duration. In some implementations, each frame may include multiple subframes. For example, each frame may include 10 subframes, and each subframe may have a duration, for example, a 1 ms duration. In some implementations, each frame may have the same duration. In some implementations, each subframe of a frame may have the same duration.

[0051] Additionally or alternatively, a time interval of a resource (e.g., a communication resource) may be organized according to slots. For example, a subframe may include a number (e.g., quantity) of slots. The number of slots in each subframe may also depend on the one or more numerologies supported in the wireless communications system 200. For instance, the first, second, third, fourth, and fifth numerologies (i.e., /r=0, jU=l, /r=2, JU=3, /I=4) associated with respective subcarrier spacings of 15 kHz, 30 kHz, 60 kHz, 120 kHz, and 240 kHz may utilize a single slot per subframe, two slots per subframe, four slots per subframe, eight slots per subframe, and 16 slots per subframe, respectively.# Each slot may include a number (e.g., quantity) of symbols (e.g., OFDM symbols). In some implementations, the number (e.g., quantity) of slots for a subframe may depend on a numerology. For a normal cyclic prefix, a slot may include 14 symbols. For an extended cyclic prefix (e.g., applicable for 60 kHz subcarrier spacing), a slot may include 12 symbols. The relationship between the number of symbols per slot, the number of slots per subframe, and the number of slots per frame for a normal cyclic prefix and an extended cyclic prefix may depend on a numerology. It should be understood that reference to a first numerology (e.g., /r=0) associated with a first subcarrier spacing (e.g., 15 kHz) may be used interchangeably between subframes and slots.

[0052] In the wireless communications system 200, an electromagnetic (EM) spectrum may be split, based on frequency or wavelength, into various classes, frequency bands, frequency channels, etc. By way of example, the wireless communications system 200 may support one or multiple operating frequency bands, such as frequency range designations FR1 (410 MHz - 7.125 GHz), FR2 (24.25 GHz - 52.6 GHz), FR3 (7.125 GHz - 24.25 GHz), FR4 (52.6 GHz - 114.25 GHz), FR4a or FR4-1 (52.6 GHz - 71 GHz), and FR5 (114.25 GHz - 300 GHz). In some implementations, the NEs 202 and the UEs 204 may perform wireless communications over one or more of the operating frequency bands. In some implementations, FR1 may be used by the NEs 202 and the UEs 204, among other equipment or devices for cellular communications traffic (e.g., control information, data). In some implementations, FR2 may be used by the NEs 202 and the UEs 204, among other equipment or devices for short-range, high data rate capabilities.

[0053] FR1 may be associated with one or multiple numerologies (e.g., at least three numerologies). For example, FR1 may be associated with a first numerology (e.g., /r=0), which includes 15 kHz subcarrier spacing; a second numerology (e.g., /r=l), which includes 30 kHz subcarrier spacing; and a third numerology (e.g., /r=2), which includes 60 kHz subcarrier spacing. FR2 may be associated with one or multiple numerologies (e.g., at least 2 numerologies). For example, FR2 may be associated with a third numerology (e.g., /r=2), which includes 60 kHz subcarrier spacing; and a fourth numerology (e.g., /r=3), which includes 120 kHz subcarrier spacing.

[0054] Figure 3 illustrates an embodiment of a privacy protection procedure 300. [0055] The procedure 300 involves a data producer 302 (such as any NF, AF, or RAN), a UDM 304 (or other management NF such as a UDR or UDSF or NRF), a data consumer or collector 306, an exposure function 308 (such as an EGMF or NEF), and an AF 310.

[0056] The AF 310 can either reside in the operator network or be external to the operator network, i.e. be an external AF. The AF 310 can be considered to be in an untrusted domain.

[0057] The exposure function 308 can be any function in the operator network that helps to request data collection and provide the collected data for external analysis/monitoring. An Exposure Governance Management Function (EGMF) or Network Exposure Function (NEF) or any network function/management function can take the role of the exposure function 308 in this embodiment.

[0058] In this embodiment, a data producer 302 performs Privacy Protection Adaptation before data exposure.

[0059] The procedure 300 is a method to determine privacy adaptations based on privacy policies, and apply said privacy adaptations to data by the data producer 302 to enable privacy protected data collection and exposure via an exposure function. The privacy adaptation (e.g., translation/aggregation/mapping or replacement of privacy sensitive data with an equivalent privacy protected data) described in this embodiment can be a service offered by a logical function which is co-located with the data producer 302, or it can be a standalone function. In the latter case, the data producer 302 can request and receive the privacy adaptation service (e.g., by providing the input data and receiving the privacy protected input data).

[0060] The procedure 300 commences at 312 at which the AF 310 sends to the exposure function 308 a monitoring event data exposure subscribe/request message which includes the event identifiers (Event IDs) and/or external analytics ID(s), target of event reporting information, and, optionally, a reporting type and/or period.

[0061] The target of event reporting information may indicate the object(s) for which data is requested to enable analysis and monitoring. It may indicate entities such as specific UEs, a group of UE(s) or any UE (i.e. all UEs), network functions, application functions, RAN nodes, etc.

[0062] In some embodiments, the target of event reporting information may be considered to be ‘Target of External Analytics Reporting or Monitoring information’ or ‘Target of event reporting External ID’.

[0063] If step 312 involves a NEF taking the role of exposure function 308, then steps 312, 332 and 336 can use any appropriate NEF related service operation messages. Alternatively, if step 312 involves any other management domain functions taking the role of the exposure function 308, then steps 312, 332 and 336 can use any appropriate management related service messages.

[0064] At 314, either based on local configuration or by querying the UDM/UDR/UDSF/NRF 304, the exposure function 308 identifies the data collector 306 specific to the received Target of event reporting information.

[0065] In a first option (Option 1), the data collector related identification information is related to the NWDAF/DCCF/MFAF/ADRF. That is to say, in Option 1, the data collector 306 may be the NWDAF/DCCF/MFAF/ADRF. For example, serving NFs and/or RAN node(s) related to target of event reporting can be considered as a data collector or, based on local policy, the target of event reporting information can also be considered as the data collector 306.

[0066] In a second option (Option 2), the data consumer/data collection point related identification information is related to the OAM/NMS/MDAF/MnS. That is to say, in Option 2, the data collector 306 may be the OAM/NMS/MDAF/MnS.

[0067] The exposure function 308 sends, to the identified data collector 306, a monitoring event data exposure subscribe/request message which includes the event identifiers (Event IDs) and/or external analytics ID(s), target of event reporting information, and reporting type and/or period (if received in step 312).

[0068] Optionally, the exposure function 308 sends, e.g. to the identified data collector 306, the application ID (of the AF 310 which sent event data exposure subscribe/request). [0069] In some embodiments, at 314, the exposure function 308 may query the UDM/UDR/UDSF/NRF 304 by sending a request message (e.g., data collection information request) which can include the application ID of the AF 310 which sent event data exposure subscribe/request, and the received target of event reporting information.

[0070] In response to sending a message, the exposure function 308 can receive a response message (e.g., data collection information response) which can include the identification information (ID /FQDN or address related to the NWDAF/DCCF/MFAF/ADRF or OAM/NMS/MDAF). Alternatively, the exposure function 308 can receive a message (e.g., data collection information response) which can include an ‘exposure not allowed’ indication corresponding to the application ID of the AF 310.

[0071] If the exposure function 308 receives an ‘exposure not allowed’ indication for the AF 310, the exposure function 308 may prevent or oppose exposure of the data collector 306 to the AF 310.

[0072] Steps 314, 330, and 338 can use any appropriate data collection function related service operation messages to subscriber/request, receive notifications/response related to the data exposure and to provide the monitoring results. Alternatively, steps 314, 330, and 338 can use a suitable exposure function related network service operation message or management service message to allow the data collector 306 to subscribe for external analytics related data exposure request notifications and to allow the data collector 306 to provide the exposure function 308 with anonymized input data and to receive the monitoring results respectively.

[0073] At 316, the data collector 306 requests or subscribes to a (set of) Event ID(s) towards the data producer 302 by invoking the Nnf EventExposure Subscribe or Nnf EventExposure Request service operation which can include Event ID(s). This may be performed, for example, if the procedure 300 is following Option 1.

[0074] The Event ID(s) may be those received in step 314, or the data collector 306 may use a set of Event IDs that is based on local configuration and is related to the external analytics ID received in step 314. The data collector 306 may include in its message at 316 an anonymity required flag (i.e., any indication to state that privacy protection adaptation is required).

[0075] The data collector 306 may check if data is to be collected for a user (i.e., SUPI or GPSI) or related to the network function/ran node.

[0076] Depending on local policy and regulations, the data collector 306 may check user consent by retrieving the user consent information from the UDM/UDR/UDSF/NRF 304 using Nudm_SDM_Get including the data type "User consent". This may be performed, for example, if the target of event reporting information indicates any UE ID. If user consent is not granted, the data collector 306 does not subscribe to event exposure for events related to this user and the data collection for this SUPI or GPSI stops here. If the target of event reporting information indicates any NF ID/AF ID/ RAN ID (e.g., gNB ID), or any UE ID, additionally, the data collector can check the privacy policy related to the Event ID(s)/external analytics ID(s).

[0077] In some embodiments, when required, the data collector 306 can cancel subscription for a (set of) Event ID(s) by invoking the Nnf EventExposure Unsubscribe service operation.

[0078] The reporting type or period can indicate immediate reporting or periodic reporting, and when or how often the data can be collected and exposed for the external analysis.

[0079] In some embodiments, if the data producer 302 is a RAN node, the data collector 306 may send, to the data producer 302, the EventExposure Subscribe message which can include Event ID(s) and an anonymity required flag (i.e., any indication to state that privacy protection adaptation is required).

[0080] At 318, based on local policy and/or the received anonymity required flag/indication, the data producer 302 determines to check the privacy policy related to the indicated event-based data collection.

[0081] The data producer 302 sends, to the UDM/UDR/UDSF/NRF 304, a data collection policy request (i.e., Nudm/Nnf_Data Collection policy request), which can include the NF ID(s), set of UE IDs/Group IDs (based on the target of event reporting information), and Event ID(s) and/or external analytics IDs.

[0082] At 320, the UDM/UDR/UDSF/NRF 304 is preconfigured based on the operator’s local policy with the privacy policy for the data collection and exposure. This privacy policy includes a set of privacy adaption data related to various entities (e.g., NF IDs, AF IDs, RAN Nodes, UE IDs/UE group IDs, Slices - S-NSSAIs), the external analytics ID(s) and/or event ID(s), and related ‘input data’. An example privacy policy is shown in Table 1.1 below.

[0083] The privacy adaptation data includes mapping of privacy sensitive information to its associated privacy protected id/name/code e.g., masked information.

[0084] At 322, based on the external analytics ID/ Event ID(s) and NF ID(s)/set of UE IDs/Group IDs (i.e., the Target of event reporting information), the UDM/UDR/UDSF/NRF 304 fetches the appropriate privacy adaptation data (i.e., the equivalent privacy protected data).

[0085] The UDM/UDR/UDSF/NRF 304 sends, to the data producer 302, the data collection policy response (i.e., Nudm/Nnf_Data Collection policy response), which can include Event ID(s)/external analytics IDs and NF ID(s)/set of UE IDs/Group IDs (i.e., Target of event reporting information) along with the specific privacy adaptation data.

[0086] In some embodiments, the privacy adaptation data can include the privacy protected data equivalent to the input data for an event/external analytics. In some embodiments, the privacy adaptation data can include the input data, privacy requirement and the privacy protected data equivalent to the input data for an event/external analytics. In some embodiments, the privacy adaptation data can include the privacy policy related to the event ID(s)/external analytics ID. [0087] At 324, if the data producer 302 determines that any one or more of the collected/input data is privacy sensitive data, the data producer 302 applies the privacy adaptation to that input data. In particular, the data producer 302 (i.e., replaces, masks, or overlays the privacy sensitive input data with the received equivalent privacy adaptation data (i.e., privacy protected/preserved version of data).

[0088] In some embodiments, the data producer 302 is configured with privacy adaptation data or the Privacy Policy for data collection and exposure described in Table 1.1. In such a case, steps 318-322 may be omitted and the data producer 302 can apply privacy adaptation to the input data based on the configured information.

[0089] At 326, the data collector 306 sends the privacy protected (i.e., anonymized) input data to the data collector 306. For example, if the data collector 306 subscribes to a (set of) Event ID(s), the data producer 302 notifies the data collector 306 with the privacy protected (i.e., anonymized) input data (e.g. with an Event Report) by invoking Nnf EventExposure Notify service operation according to Event Reporting Information in the subscription. This may be performed, for example, if the procedure 300 is following Option 1.

[0090] As an alternative to steps 316-326, at 328, if data collection is not done directly from the data producer 302 (by following steps 316-326), the data collector 306 can perform data collection from the data producers via the 0AM (i.e., 0AM based data collection). In such a case, the data collector 306 can subscribe/request to the 0AM and get notified by or receive data related to the event related privacy protected input data from the 0 AM. This may be performed similar to as in steps 316-326, but instead of the data producer 302 producing input data, the 0AM manages the data collection from the data producers 302 and provides the collected privacy protected data to the data collector 306. In case of OAM-based data collection, the data producer 302 may perform steps 318-324 or perform only step 324, for example if the privacy adaptation data is configured in the data producer 302 to allow the 0AM to fetch the privacy protected input data from the data producer 302 and to provide it to the data collector 306. [0091] At 330, the data collector 306 sends the monitoring event exposure notify/response message with the privacy protected input data (i.e., anonymized input data) to the data exposure function 308.

[0092] At 332, the exposure function 308 sends the monitoring event exposure notify/response message with the privacy protected input data (i.e., anonymized input data) to the AF 310.

[0093] At 334, using the received privacy protected input data, the AF 310 performs data analysis and analytics (e.g., for the security evaluation and security monitoring / general monitoring of the network) based on operator implementation (e.g., using any AI/ML algorithms or intelligence like threat detection tools, Security information and event management (SIEM) tools, Security Orchestration, Automation, and Response (SOAR) etc.).

[0094] At 336, the AF 310 sends the monitoring results, i.e. the external analytics output, to the exposure function 308.

[0095] The monitoring results can contain trust value(s) or a reliability metric which may be related to the target of event reporting information. The trust value or reliability metrics can represent a range of how reliable the monitoring results are, e.g. 0-20% = low, 21-50% = medium, 50-99% = high, 100% = fully trusted.

[0096] The monitoring results may be related to the target of event reporting information and may be specific to the IDs indicated. The monitoring results may include a cause code, which can indicate if any of the following has occurred: configuration issues, an attack/threat alert (e.g., DOS/DDoS/NF Hijack, malicious code injection, NF compromise etc.), a malfunction alert, and/or a flooding alert). The monitoring results may include abnormal behaviour statistics/predictions (such as those listed in tables 1.3 and 1.4 below), and/or a time window which can be used by the external analytics consumer to rely upon the data up to the time window.

[0097] Table 1.2 below shows an example of privacy protected input data collected from the data producer 302 (e.g., NFs/AFs/RAN node) for anomalous behaviour detection. [0098] Table 1.2

[0099] Table 1.3 below shows example anomalous/abnormal behaviour statistics.

[0100] Table 1.3

[0101] Table 1.4 below shows example anomalous/abnormal behaviour predictions.

[0102] Table 1.4

[0103] At 338, the exposure function 338 sends the received monitoring results to the data collector 306.

[0104] At 340, the data collector 306 can notify the monitoring results if there is any service consumer subscribed for the external analytics (e.g., related to any (external) monitoring related analytics ID) based on local configuration.

[0105] In this embodiment, if a RAN node takes the role of the data producer 302, at steps 316 and 318, any event exposure subscribe/notify and request/response message can used.

[0106] In this embodiment, the data collector 306 can also perform data distribution.

[0107] In some implementations, the data collector 306 can initiate step 316 based on local policy and further steps can be executed.

[0108] Thus, a privacy protection procedure 300 is provided.

[0109] In embodiments described herein, the data producer may be one or more data producers selected from the group of data producers consisting of: Authentication Server Function (AUSF); Access and Mobility Management Function (AMF); Data Network (DN), e.g. operator services, Internet access or 3rd party services; Unstructured Data Storage Function (UDSF); Network Exposure Function (NEF); Network Repository Function (NRF); Network Slice Admission Control Function (NSACF); Network Slice- specific and SNPN Authentication and Authorization Function (NSSAAF); Network Slice Selection Function (NSSF); Policy Control Function (PCF); Session Management Function (SMF); Unified Data Management (UDM); Unified Data Repository (UDR); User Plane Function (UPF); UE radio Capability Management Function (UCMF); Application Function (AF); User Equipment (UE); (Radio) Access Network ((R)AN); 5G-Equipment Identity Register (5G-EIR); Network Data Analytics Function (NWDAF); CHarging Function (CHF); Time Sensitive Networking AF (TSN AF); Time Sensitive Communication and Time Synchronization Function (TSCTSF); Data Collection Coordination Function (DCCF); Analytics Data Repository Function (ADRF) (n.b. the functionalities provided by DCCF and/or ADRF can also be hosted by an NWDAF); Messaging Framework Adaptor Function (MFAF); Non-Seamless WLAN Offload Function (NSWOF); Edge Application Server Discovery Function (EASDF).

[0110] The 5G System architecture may also comprise one or more of the following network entities: Service Communication Proxy (SCP); Security Edge Protection Proxy (SEPP); Non-3GPP InterWorking Function (N3IWF); Trusted Non-3GPP Gateway Function (TNGF); Wireline Access Gateway Function (W-AGF); Trusted WLAN Interworking Function (TWIF).

[0111] Figure 4 illustrates an embodiment of a privacy protection procedure 400.

[0112] The procedure 400 involves a data producer 402 (such as any NF, AF, or RAN), a UDM 404 (or other management NF such as a UDR or UDSF or NRF), a data consumer or collector 406, an exposure function 408 (such as an EGMF or NEF), and an AF 410.

[0113] The AF 410 can either reside in the operator network or be external to the operator network, i.e. be an external AF. The AF 410 can be considered to be in an untrusted domain.

[0114] The exposure function 408 can be any function in the operator network that helps to request data collection and provide the collected data for external analysis/monitoring. An EGMF or NEF or any network function/management function can take the role of the exposure function 408 in this embodiment. [0115] In this embodiment, the data collector 406 performs Privacy Protection Adaptation before data exposure.

[0116] The procedure 400 is a method to determine privacy adaptations based on privacy policies, and apply said privacy adaptations to data by the data collector 406 (e.g., any Network Function such as NWDAF/DCCF/MFAF/ADRF, Application Function, Management function) to enable privacy protected data collection and exposure via the exposure function 408. The privacy adaptation (e.g., translation/aggregation/mapping or replacement of privacy sensitive data with an equivalent privacy protected data) described in this embodiment can be a service offered by a logical function which is co-located with the data collector 406, or it can be a standalone function. In the latter case, the data collector 406 can request and receive the privacy adaptation service (e.g., by providing the input data and receiving the privacy protected input data).

[0117] The procedure 400 commences at 412 at which the AF 410 sends a monitoring event data exposure subscribe/request message which includes the event identifiers (Event IDs)/external analytics ID(s), target of event reporting information and, optionally, a reporting type and/or period to the exposure function 408.

[0118] The target of event reporting information may indicate the object(s) for which data is requested to enable analysis and monitoring. It may indicate entities such as specific UEs, a group of UE(s) or any UE (i.e. all UEs), network functions, application functions, RAN nodes, etc.

[0119] In some embodiments, the target of event reporting information may be considered to be ‘Target of External Analytics Reporting or Monitoring information’ or ‘Target of event reporting External ID’.

[0120] If step 412 involves a NEF taking the role of the exposure function 408, then steps 412, 434 and 438 can use any NEF related service operation messages. Alternatively, if step 412 involves any other management domain functions taking the role of the exposure function 408, then steps 412, 434 and 438 can use any management related service messages. [0121] At 414, either based on local configuration or by querying the UDM/UDR/UDSF/NRF 404, the exposure function 408 identifies the data collector 406 specific to the received target of event reporting information.

[0122] In a first option (Option 1), the data collector related identification information is related to the NWDAF/DCCF/MF F/ADRF. That is to say, in Option 1, the data collector 406 may be the NWDAF/DCCF/MFAF/ADRF. For example, serving NFs and/or RAN node(s) related to target of event reporting can be considered as a data collector or, based on local policy, the target of event reporting information can also be considered as the data collector 406.

[0123] In a second option (Option 2), the data consumer/data collection point related identification information is related to the OAM/NMS/MDAF/MnS. That is to say, in Option 2, the data collector 406 may be the OAM/NMS/MDAF/MnS.

[0124] The exposure function 408 sends, to the identified data collector 406, a monitoring event data exposure subscribe/request message which includes the event identifiers (Event IDs) and/or external analytics ID(s), target of event reporting information, and reporting type and/or period (if received in step 412).

[0125] Optionally, the exposure function 408 sends, e.g. to the identified data collector 406, the application ID of the AF 410 which sent event data exposure subscribe/request.

[0126] In some embodiments, at 414, the exposure function 408 may query the UDM/UDR/UDSF/NRF 404 by sending a request message (e.g., data collection information request) which can include the application ID of the AF 410 which sent event data exposure subscribe/request, and the received target of event reporting information.

[0127] In response to sending a message, the exposure function 408 can receive a response message (e.g., data collection information response) which can include the identification information (ID /FQDN or address related to the NWDAF/DCCF/MFAF/ADRF or OAM/NMS/MDAF). Alternatively, the exposure function 408 can receive a message (e.g., data collection information response) which can include an ‘exposure not allowed’ indication corresponding to the application ID of the AF 410. [0128] If the exposure function 408 receives an ‘exposure not allowed’ indication for the AF 410, the exposure function 408 may prevent or oppose exposure of the data collector 406 to the AF 410.

[0129] Steps 414, 432 and 440 can use any appropriate data collection function related service operation messages to subscriber/request, receive notifications/response related to the data exposure and to provide the monitoring results. Alternatively, steps 414, 432 and 440 can use a suitable exposure function related network service operation message or management service messages to allow the data collector 406 to subscribe for external analytics related data exposure request notifications and to allow the data collector 406 to provide the exposure function 408 with anonymized input data and to receive the monitoring results respectively.

[0130] At 416, the data collector 406 requests or subscribes to a (set of) Event ID(s) towards the data producer 402 by invoking the Nnf EventExposure Subscribe or Nnf EventExposure Request service operation which can include Event ID(s). This may be performed, for example, if the procedure 400 is following Option 1.

[0131] The Event ID(s) may be those received in step 414, or the data collector 406 may use a set of Event IDs that is based on local configuration and is related to the external analytics ID received in step 414.

[0132] The data collector 406 may check if data is to be collected for a user (i.e. SUPI or GPSI) or related to the network function/RAN node. Depending on local policy and regulations, the data collector 406 may check the user consent by retrieving the user consent information from the UDM/UDR/UDSF/NRF 404 using Nudm_SDM_Get including data type "User consent" (if the target of event reporting information indicates any UE ID). If user consent is not granted, the data collector 406 does not subscribe to event exposure for events related to this user and the data collection for this SUPI or GPSI stops here. If the target of event reporting information indicates any NF ID/AF ID/ RAN ID (e.g., gNB ID), or any UE ID, additionally, the data collector 406 can check the privacy policy related to the event ID(s)/external analytics ID(s). [0133] In some embodiments, when required, the data collector 406 can cancel subscription for a (set of) Event ID(s) by invoking the Nnf EventExposure Unsubscribe service operation.

[0134] The reporting type or period can indicate immediate reporting or periodic reporting, and when or how often the data can be collected and exposed for the external analysis.

[0135] In some embodiments, if the data producer 402 is a RAN node, the data collector 406 may send to the data producer 402 the EventExposure Subscribe message which can include Event ID(s) and an anonymity required flag (i.e., any indication to state that privacy protection adaptation is required).

[0136] At 418, the data producer 402 sends the input data to the data collector 406. For example, if the data collector 406 subscribes to a (set of) Event ID(s), the data producer 402 (i.e., NFs) notifies the data collector 406 with the input data (e.g. with the event report) by invoking Nnf EventExposure Notify service operation according to Event Reporting Information in the subscription. Additionally, the input data message, e.g. the Nnf_EventExposure_Notify service message, can include the anonymity required flag if the data producer 402 is configured with such information related to the Event ID(s).

[0137] At 420, based on local policy, the data collector 406 can be configured with the anonymity required flag related to the Event ID(s) or external analytics ID related to the Event ID(s). Alternatively, if the data collector 406 receives the anonymity required flag from the data producer 402 in step 418, the data collector 406 may determine to fetch the privacy adaptation data from the UDM/UDR/UDSF/NRF 404 to apply the privacy adaption data for the set of collected input(s).

[0138] In this embodiment, at 422, based on local policy and the anonymity required indication, the data collector 406 determines to check the privacy policy related to the indicated event-based data collection inputs.

[0139] The data collector 406 sends, to the UDM/UDR/UDSF/NRF 404, the data collection policy request (i.e., Nudm/Nnf_Data Collection policy request), which can include the NF ID(s), set of UE IDs/Group IDs (based on the Target of event reporting information), and Event ID(s)/external analytics IDs.

[0140] At 424, the UDM/UDR/UDSF/NRF 404 is preconfigured based on the operator’s local policy with the privacy policy for the data collection and exposure. This privacy policy includes a set of privacy adaption data related to various entities (e.g., NF IDs, AF IDs, RAN Nodes, UE IDs/UE group IDs, Slices - S-NSSAIs), the external analytics ID(s) and/or event ID(s), and related ‘input data’. An example privacy policy is shown in Table 2.1 below.

[0141] The privacy adaptation data may include a mapping of sensitive information to its associated privacy protected id/name/code e.g., masked information.

[0142] At 426, based on the external analytics ID/ Event ID(s) and NF ID(s)/set of UE IDs/Group IDs (i.e., the target of event reporting information), the UDM/UDR/UDSF/NRF 404 fetches the appropriate privacy adaptation data (i.e., the equivalent privacy protected data).

[0143] The UDM/UDR/UDSF/NRF 404 sends, to the data collector 406, the data collection policy response (i.e., Nudm/Nnf_Data Collection policy response), which can include Event ID(s)/external analytics IDs and NF ID(s)/set of UE IDs/Group IDs (i.e., Target of event reporting information) along with the specific privacy adaptation data.

[0144] In some embodiments, the privacy adaptation data can include the privacy protected data equivalent to the input data for an event/external analytics. In some embodiments, the privacy adaptation data can include the input data, privacy requirement and the privacy protected data equivalent to the input data for an event/external analytics. In some embodiments, the privacy adaptation data can include the privacy policy related to the event ID(s)/external analytics ID. [0145] In Option 2, as an alternative to steps 416-426, at 428, if data collection is not done directly from the data producer 402 (by following steps 416-426), the data collector 406 can perform data collection from the data producers 402 via the 0AM (i.e., 0AM based data collection). In such a case, the data collector 406 can subscribe/request to the 0AM and get notified by or receive data related to the event related privacy protected input data from the 0AM. This may be performed similar to as in steps 416-418, but instead of the data producer 402 producing input data, the 0AM manages the data collection from the data producers 402 and provides the collected privacy protected data to the data collector 406. In case of OAM-based data collection, the collector 406 may perform steps 420-426 or perform only step 420 and 430, for example if the privacy adaptation data is configured in the data collector 406 to enable application of privacy protection/privacy adaptation to the collected input data, as described in step 430.

[0146] At 430, if the data collector 406 determines that any one or more of the collected input data (related to the Event IDs) are privacy sensitive, the data collector 406 applies the privacy adaptation to the input data. In particular, the data collector 406 replaces, masks, or overlays the privacy sensitive input data with the received equivalent privacy adaptation data (i.e., to produce privacy protected/preserved version of data).

[0147] In some embodiments, the data collector 406 is configured with the privacy adaptation data or the Privacy Policy for data collection and exposure described in Table 2.1. In such a case, steps 422-426 may be omitted and the data collector 406 can directly perform step 430, i.e., the data collector 406 can apply privacy adaptation to the input data based on the configured information.

[0148] At 432, the data collector 406 sends the monitoring event exposure notify/response message with the privacy protected input data (i.e., anonymized input data) to the data exposure function 408.

[0149] At 434, the exposure function 408 sends the monitoring event exposure notify/response message with the privacy protected input data (i.e., anonymized input data) to the AF 410. [0150] At 436, using the received privacy protected input data, the AF 410 performs the data analysis and analytics (e.g., for the security evaluation and security monitoring / general monitoring of the network) based on operator implementation (e.g., using any AI/ML algorithms or intelligence like threat detection tools, Security information and event management (SIEM) tools, Security Orchestration, Automation, and Response (SOAR) etc.,)

[0151] At 438, the AF 310 sends the monitoring results i.e., the external analytics output, to the exposure function 408.

[0152] The monitoring results can contain trust value(s) or a reliability metric which may be related to the Target of event reporting information. The trust value or reliability metrics can represent a range of how reliable the monitoring results are, e.g. 0-20% = low, 21-50% = medium, 50-99% = high, 100% = fully trusted.

[0153] The monitoring results may be related to the target of event reporting information and may be specific to the IDs indicated. The monitoring results may include a cause code, which can indicate if any of the following has occurred: configuration issues, an attack/threat alert (e.g., DOS/DDoS/NF Hijack, malicious code injection, NF compromise etc.), a malfunction alert, and/or a flooding alert). The monitoring results may include abnormal behaviour statistics/predictions (such as those listed in tables 1.3 and 1.4 above), and/or a time window which can be used by the external analytics consumer to rely upon the data up to the time window.

[0154] At 440, the exposure function 408 sends the received monitoring results to the data collector 406.

[0155] At 442, the data collector 406 can notify the monitoring results if there is any service consumer subscribed for the external analytics (e.g., related to any (external) monitoring related analytics ID) based on local configuration.

[0156] In this embodiment, if a RAN node takes the role of the data producer 402, at steps 416 and 418, any event exposure subscribe/notify and request/response message can used. [0157] In this embodiment, the data collector 406 can also perform data distribution.

[0158] In some implementations, the data collector 406 can initiate step 416 based on local policy and further steps can be executed.

[0159] Thus, a privacy protection procedure 400 is provided.

[0160] Figure 5 illustrates an embodiment of a privacy protection procedure 500.

[0161] The procedure 500 involves a data producer 502 (such as any NF, AF, or RAN), a UDM 504 (or other management NF such as a UDR or UDSF or NRF), a data consumer or collector 506, an exposure function 508 (such as an EGMF or NEF), and an AF 510.

[0162] The AF 510 can either reside in the operator network or be external to the operator network, i.e. be an external AF. The AF 510 can be considered to be in an untrusted domain.

[0163] The exposure function 508 can be any function in the operator network that helps to request data collection and provide the collected data for external analysis/monitoring. An EGMF or NEF or any network function/management function can take the role of the exposure function 508 in this embodiment.

[0164] In this embodiment, the exposure function 508 performs Privacy Protection Adaptation before data exposure.

[0165] The procedure 500 is a method to determine privacy adaptations based on privacy policies, and apply said privacy adaptations to data by the data exposure function 508 (e.g., any Network exposure Function, Management exposure entity/function) to enable privacy protected data collection and exposure via the exposure function 508. The privacy adaptation (e.g., translation/aggregation/mapping or replacement of privacy sensitive data with an equivalent privacy protected data) described in this embodiment can be a service offered by a logical function which is co-located with the exposure function 508, or it can be a standalone function. In the latter case, exposure function 508 can request and receive the privacy adaptation service (e.g., by providing the input data and receiving the privacy protected input data). [0166] The procedure 500 commences at 512 at which the AF 510 sends a monitoring event data exposure subscribe/request message which includes the event identifiers (Event IDs)/external analytics ID(s), target of event reporting information and, optionally, a reporting type and/or period to the exposure function 508.

[0167] The target of event reporting information may indicate the object(s) for which data is requested to enable analysis and monitoring. It may indicate entities such as specific UEs, a group of UE(s) or any UE (i.e. all UEs), network functions, application functions, RAN nodes, etc.

[0168] In some embodiments, the target of event reporting information may be considered to be ‘Target of External Analytics Reporting or Monitoring information’ or ‘Target of event reporting External ID’.

[0169] If step 512 involves a NEF taking the role of the exposure function 508, then steps 512, 532 and 536 can use any appropriate NEF related service operation messages. Alternatively, if step 512 involves any other management domain functions taking the role of the exposure function 508, then steps 512, 532 and 536 can use any appropriate management related service messages.

[0170] At 514, either based on local configuration or by querying the UDM/UDR/UDSF/NRF 504, the exposure function 508 identifies the data collector 506 specific to the received target of event reporting information.

[0171] In a first option (Option 1), the data collector related identification information is related to the NWDAF/DCCF/MFAF/ADRF. That is to say, in Option 1, the data collector 506 may be the NWDAF/DCCF/MFAF/ADRF. For example, serving NFs and/or RAN node(s) related to target of event reporting can be considered as a data collector or, based on local policy, the target of event reporting information can also be considered as the data collector 506.

[0172] In a second option (Option 2), the data consumer/data collection point related identification information is related to the OAM/NMS/MDAF/MnS. That is to say, in Option 2, the data collector 506 may be the OAM/NMS/MDAF/MnS. [0173] The exposure function 508 sends, to the identified data collector 506, a monitoring event data exposure subscribe/request message which includes the event identifiers (Event IDs) and/or external analytics ID(s), target of event reporting information, and reporting type and/or period (if received in step 512).

[0174] Optionally, the exposure function 508 sends, e.g. to the identified data collector 406, the application ID of the AF 510 which sent event data exposure subscribe/request.

[0175] In some embodiments, at 514, the exposure function 508 may query the UDM/UDR/UDSF/NRF 504 by sending a request message (e.g., data collection information request) which can include the application ID of the AF 510 which sent event data exposure subscribe/request, and the received Target of event reporting information.

[0176] In response to sending a message, the exposure function 508 can receive a response message (e.g., data collection information response) which can include the identification information (ID /FQDN or address related to the NWDAF/DCCF/MFAF/ADRF or OAM/NMS/MDAF). Alternatively, the exposure function 508 can receive a message (e.g., data collection information response) which can include an ‘exposure not allowed’ indication corresponding to the application ID of the AF 510.

[0177] If the exposure function 508 receives an ‘exposure not allowed’ indication for the AF 510, the exposure function 508 may prevent or oppose exposure of the data collector 406 to the AF 510.

[0178] Steps 514, 522 and 538 can use any appropriate data collection function related service operation messages to subscriber/request, receive notifications/response related to the data exposure and to provide the monitoring results. Alternatively, steps 514, 522 and 538 can use a suitable exposure function related network service operation message or management service messages to allow the data collector 506 to subscribe for external analytics related data exposure request notifications and to allow the data collector 506 to provide the exposure function 508 with anonymized input data and to receive the monitoring results respectively. [0179] At 516, the data collector 506 requests or subscribes to a (set of) Event ID(s) towards the data producer 502 by invoking the Nnf EventExposure Subscribe or Nnf EventExposure Request service operation which can include Event ID(s). This may be performed, for example, if the procedure 500 is following Option 1.

[0180] The Event ID(s) may be those received in step 514, or the data collector 506 may use a set of Event IDs that is based on local configuration and is related to the external analytics ID received in step 514.

[0181] The data collector 506 may check if data is to be collected for a user (i.e. SUPI or GPSI) or related to the network function/RAN node. Depending on local policy and regulations, the data collector 506 may check the user consent by retrieving the user consent information from the UDM/UDR/UDSF/NRF 504 using Nudm_SDM_Get including data type "User consent" (if the target of event reporting information indicates any UE ID). If user consent is not granted, the data collector 506 does not subscribe to event exposure for events related to this user and the data collection for this SUPI or GPSI stops here. If the target of event reporting information indicates any NF ID/AF ID/ RAN ID (e.g., gNB ID), or any UE ID, additionally, the data collector 506 can check the privacy policy related to the event ID(s)/external analytics ID(s).

[0182] In some embodiments, when required, the data collector 506 can cancel subscription for a (set of) Event ID(s) by invoking the Nnf EventExposure Unsubscribe service operation.

[0183] The reporting type or period can indicate immediate reporting or periodic reporting, and when or how often the data can be collected and exposed for the external analysis.

[0184] In some embodiments, if the data producer 502 is a RAN node, the data collector 406 may send to the data producer 502 the EventExposure Subscribe message which can include Event ID(s).

[0185] At 518, the data producer 502 sends the input data to the data collector 506. For example, if the data collector 506 subscribes to a (set of) Event ID(s), the data producer 502 (i.e., NFs) notifies the data collector 506 with the input data (e.g. with the event report) by invoking Nnf EventExposure Notify service operation according to Event Reporting Information in the subscription. Additionally, the input data message, e.g. the Nnf_EventExposure_Notify service message, can include the anonymity required flag if the data producer 402 is configured with such information related to the Event ID(s).

[0186] In Option 2, as an alternative to steps 516-518, at 520, if data collection is not done directly from the data producer 502 (by following steps 516-518), the data collector 506 can perform data collection from the data producers 502 via the 0AM (i.e., 0AM based data collection). In such a case, the data collector 506 can subscribe/request to the 0AM and get notified by or receive data related to the event related privacy protected input data from the 0AM. This may be performed similar to as in steps 516-518, but instead of the data producer 502 producing input data, the 0AM manages the data collection from the data producers 502 and provides the collected privacy protected data related to the event(s) to the data collector 506.

[0187] At 522, the data collector 506 sends the monitoring event exposure notify/response message with the collected input data and anonymity required flag to the data exposure function 508.

[0188] Based on local policy, the data collector 506 can be configured with the anonymity required flag related to the Event ID(s) or external analytics ID related to the Event ID(s). Alternatively, if the data collector 506 receives the anonymity required flag from the data producer 502 in step 518, the data collector 506 may include anonymity required flag in the monitoring event exposure notify/response message at 522.

[0189] At 524, based on local policy, the exposure function 508 can be configured with the anonymity required flag related to the event ID(s)/external analytics ID related to the Event ID(s). Alternatively, if the exposure function 508 receives anonymity required flag from the data collector 506 in step 522, the exposure function 508 performs steps 524-528 to apply privacy adaption/protection to the input data before exposure.

[0190] In this embodiment, based on local policy and the anonymity required indication, the exposure function 508 determines to check the privacy policy related to the indicated event-based data collection inputs. [0191] The exposure function 508 sends, to the UDM/UDR/UDSF/NRF 504, the data collection/exposure policy request (i.e., Nudm/Nnf_Data Collection/exposure policy request), which can include the NF ID(s), set of UE IDs/Group IDs (based on the Target of event reporting information), and Event ID(s)/external analytics IDs.

[0192] At 526, the UDM/UDR/UDSF/NRF 504 is preconfigured based on the operator’s local policy with the privacy policy for the data collection and exposure. This privacy policy includes a set of privacy adaption data related to various entities (e.g., NF IDs, AF IDs, RAN Nodes, UE IDs/UE group IDs, Slices - S-NSSAIs), the external analytics ID(s) and/or event ID(s), and related ‘input data’. An example privacy policy is shown in Table 3.1 below.

[0193] The privacy adaptation data may include a mapping of sensitive information to its associated privacy protected id/name/code e.g., masked information.

[0194] At 528, based on the external analytics ID/ Event ID(s) and NF ID(s)/set of UE IDs/Group IDs (i.e., the Target of event reporting information), the UDM/UDR/UDSF/NRF 504 fetches the appropriate privacy adaptation data (i.e., the equivalent privacy protected data).

[0195] The UDM/UDR/UDSF/NRF 504 sends, to the exposure function 508, the data collection policy response (i.e., Nudm/Nnf_Data Collection policy response), which can include Event ID(s)/external analytics IDs and NF ID(s)/set of UE IDs/Group IDs (i.e., Target of event reporting information) along with the specific privacy adaptation data.

[0196] In some embodiments, the privacy adaptation data can include the privacy protected data equivalent to the input data for an event/external analytics. In some embodiments, the privacy adaptation data can include the input data, privacy requirement and the privacy protected data equivalent to the input data for an event/external analytics. In some embodiments, the privacy adaptation data can include the privacy policy related to the event ID(s)/external analytics ID.

[0197] At 530, if the exposure function 508 determines that any one or more of the collected input data (related to the event IDs) are privacy sensitive, the exposure function 508 applies the privacy adaptation to the input data. In particular, the exposure function 508 replaces, masks or overlays the privacy sensitive input data with the received equivalent privacy adaptation data, i.e., the privacy protected/preserved version of data.

[0198] In some embodiments, the exposure function 508 is configured with the privacy adaptation data or the Privacy Policy for data collection and exposure described in Table 3.1. In such a case, steps 524-528 may be omitted and the exposure function 508 can directly perform step 530, i.e., the exposure function 508 can apply privacy adaptation to the input data based on the configured information.

[0199] At 532, the exposure function 508 sends the monitoring event exposure notify/response message with the privacy protected input data (i.e., anonymized input data) to the AF 510.

[0200] At 534, using the received privacy protected input data, the AF 510 performs the data analysis and analytics (e.g., for the security evaluation and security monitoring / general monitoring of the network) based on operator implementation (e.g., using any AI/ML algorithms or intelligence like threat detection tools, Security information and event management (SIEM) tools, Security Orchestration, Automation, and Response (SOAR) etc.).

[0201] At 536, the AF 510 sends the monitoring results i.e., the external analytics output, to the exposure function 508.

[0202] The monitoring results can contain trust value(s) or a reliability metric which may be related to the Target of event reporting information. The trust value or reliability metrics can represent a range of how reliable the monitoring results are, e.g. 0-20% = low, 21-50% = medium, 50-99% = high, 100% = fully trusted. [0203] The monitoring results may be related to the target of event reporting information and may be specific to the IDs indicated. The monitoring results may include a cause code, which can indicate if any of the following has occurred: configuration issues, an attack/threat alert (e.g., DOS/DDoS/NF Hijack, malicious code injection, NF compromise etc.), a malfunction alert, and/or a flooding alert). The monitoring results may include abnormal behaviour statistics/predictions (such as those listed in tables 1.3 and 1.4 above), and/or a time window which can be used by the external analytics consumer to rely upon the data up to the time window.

[0204] At 538, the exposure function 508 sends the received monitoring results to the data collector 506.

[0205] At 540, the data collector 506 can notify the monitoring results if there is any service consumer subscribed for the external analytics (e.g., related to any (external) monitoring related analytics ID) based on local configuration.

[0206] In this embodiment, if a RAN node takes the role of the data producer 502, at steps 516 and 518, any event exposure subscribe/notify and request/response message can used.

[0207] In this embodiment, the data collector 506 can also perform data distribution.

[0208] In some implementations, the data collector 506 can initiate step 516 based on local policy and further steps can be executed.

[0209] The exposure function 508 may be an Exposure Governance Management Function (EGMF) such as defined in TS 28.533. The exposure function 508 may be an MnF providing management capability exposure governance (MCEG) as described in TR 28.824.

[0210] Thus, a privacy protection procedure 500 is provided.

[0211] Figure 6 illustrates an embodiment of a privacy protection procedure 600.

[0212] The procedure 600 involves a data producer 602 (such as any NF, AF, or RAN), a UDM 604 (or other management NF such as a UDR or UDSF or NRF), a data consumer or collector 606, and an AF 608. [0213] The AF 608 can either reside in the operator network or be external to the operator network, i.e. be an external AF. The AF 608 may be considered to be in a trusted domain.

[0214] In this embodiment, a data producer 602 performs Privacy Protection Adaptation before data exposure.

[0215] The procedure 600 is a method to determine privacy adaptations based on privacy policies, and apply said privacy adaptations to data by the data producer 602 to enable privacy protected data collection and exposure. The privacy adaptation (e.g., translation/aggregation/mapping or replacement of privacy sensitive data with an equivalent privacy protected data) described in this embodiment can be a service offered by a logical function which is co-located with the data producer 602, or it can be a standalone function. In the latter case, the data producer 602 can request and receive the privacy adaptation service (e.g., by providing the input data and receiving the privacy protected input data).

[0216] The procedure 600 commences at 612 at which the AF 608 sends, to the data collector 606, a monitoring event data exposure subscribe request message which includes the event identifiers (Event IDs)/external analytics ID(s), target of event reporting information, and optionally a reporting type and/or period.

[0217] The target of event reporting information may indicate the object(s) for which data is requested to enable analysis and monitoring. It may indicate entities such as specific UEs, a group of UE(s) or any UE (i.e. all UEs), network functions, application functions, RAN nodes, etc.

[0218] In some embodiments, the target of event reporting information may be considered to be ‘Target of External Analytics Reporting or Monitoring information’ or ‘Target of event reporting External ID’.

[0219] Either based on local configuration or by querying the UDM/UDR/UDSF/NRF 604, the AF 608 identifies the data collector 606 (e.g., data consumer/data collection point related identification information related to the NWDAF/DCCF/MFAF/ADRF) specific to the target of event reporting information (e.g., serving NFs/RAN node related to target of event reporting can be considered as a data collector or based on local policy, the target of event reporting information can also be considered as the data collector).

[0220] In a first option (Option 1), the data collector related identification information is related to the NWDAF/DCCF/MFAF/ADRF. That is to say, in Option 1, the data collector 606 may be the NWDAF/DCCF/MFAF/ADRF. For example, serving NFs and/or RAN node(s) related to target of event reporting can be considered as a data collector or, based on local policy, the target of event reporting information can also be considered as the data collector.

[0221] Alternatively, based on local configuration or by querying the UDM/UDR/UDSF/NRF 604 or any management function (e.g., management repository function or MnS discovery service producer as in TS 28.537), the AF 608 identifies the data collector 606 (e.g., data consumer/data collection point related identification information related to the OAM/NMS/MDAF/MnS) specific to the Target of event reporting information.

[0222] In a second option (Option 2), the data consumer/data collection point related identification information is related to the OAM/NMS/MDAF/MnS. That is to say, in Option 2, the data collector 506 may be the OAM/NMS/MDAF/MnS.

[0223] Steps 612, 628 and 632 can use any data collection function related service operation messages to subscriber/request, receive notifications/response related to the data exposure and to receive or provide the monitoring results. Alternatively, steps 612, 628 and 632 can use a suitable exposure function related network service operation message or management service messages to allow the AF 608 to subscribe for external analytics related data exposure request/notifications and to receive from the data collector 606 the anonymized input and to receive or provide the monitoring results respectively.

[0224] At 614, the data collector 606 requests or subscribes to a (set of) Event ID(s) towards the data producer 302 by invoking the Nnf EventExposure Subscribe or Nnf EventExposure Request service operation which can include Event ID(s). This may be performed, for example, if the procedure 600 is following Option 1. [0225] The Event ID(s) may be those received in step 612, or the data collector 606 may use a set of Event IDs that is based on local configuration and is related to the external analytics ID received in step 612. The data collector 606 may include in its message at 614 an anonymity required flag (i.e., any indication to state that privacy protection adaptation is required).

[0226] The data collector 606 may check if data is to be collected for a user (i.e. SUPI or GPSI) or related to the network function/RAN node.

[0227] Depending on local policy and regulations, the data collector 606 may check user consent by retrieving the user consent information from the UDM/UDR/UDSF/NRF 604 using Nudm_SDM_Get including the data type "User consent". This may be performed, for example, if the Target of event reporting information indicates any UE ID. If user consent is not granted, the data collector 606 does not subscribe to event exposure for events related to this user and the data collection for this SUPI or GPSI stops here. If the Target of event reporting information indicates any NF ID/AF ID/ RAN ID (e.g., gNB ID), or any UE ID, additionally, the data collector can check the privacy policy related to the Event ID(s)/external analytics ID(s).

[0228] In some embodiments, when required, the data collector 606 can cancel subscription for a (set of) Event ID(s) by invoking the Nnf EventExposure Unsubscribe service operation.

[0229] The reporting type or period can indicate immediate reporting or periodic reporting, and when or how often the data can be collected and exposed for the external analysis.

[0230] In some embodiments, if the data producer 602 is a RAN node, the data collector 606 may send to the data producer 602 the EventExposure Subscribe message which can include Event ID(s) and an anonymity required flag (i.e., any indication to state that privacy protection adaptation is required).

[0231] The data collector 606 (i.e., a data consumer e.g., NWDAF) can either directly send message or can request for event exposure via a DCCF. In the latter case, the data collector 606 may subscribe to data via the DCCF by invoking the Ndccf DataManagement Subscribe (Service Operation, Data Specification, Formatting Instructions, Processing Instructions, NF (or NF-Set) ID, ADRF Information) service operation. The data collector 606 may specify one or more notification endpoints. Service Operation is the service operation to be used by the DCCF to request data (e.g. Namf/Nnf_EventExposure_Subscribe or 0AM Subscribe) from the data sources (i.e., data producer 602). Data Specification provides Service Operation-specific parameters (e.g. event IDs, UE-ID(s), target of event reporting received in 602, etc.) used to retrieve the data. The DCCF determines the NF type(s) and/or 0AM to retrieve the data based on the Service Operation requested. If the NF instance or NF Set ID is not provided by the data collector 606, the DCCF determines the NF instances that can provide data based on the Event ID received and local configuration (i.e., one or more data sources from which to collect data related to the Event ID can be configured). When new output data are available, the Data Source uses Nnf EventExposure Notify to send the data to the DCCF. The DCCF uses Ndccf DataManagement Notify to send the data to all notification endpoints indicated in step 614. Data sent to notification endpoints may be processed and formatted by the DCCF, so they conform to delivery requirements for each data consumer or notification endpoint.

[0232] At 616, based on local policy and the received anonymity required indication, the data producer 602 determines to check the privacy policy related to the indicated eventbased data collection.

[0233] The data producer 602 sends, to the UDM/UDR/UDSF/NRF 604, the data collection policy request (i.e., Nudm/Nnf_Data Collection policy request), which can include the NF ID(s), set of UE IDs/Group IDs (based on the Target of event reporting information), and Event ID(s) and/or external analytics IDs.

[0234] At 618, the UDM/UDR/UDSF/NRF 604 is preconfigured based on the operator’s local policy with the privacy policy for the data collection and exposure. This privacy policy includes a set of privacy adaption data related to various entities (e.g., NF IDs, AF IDs, RAN Nodes, UE IDs/UE group IDs, Slices - S-NSSAIs), the external analytics ID(s) and/or event ID(s), and related ‘input data’. An example privacy policy is shown in Table 1.1 above. [0235] The privacy adaptation data includes mapping of sensitive information and its associated privacy protected id/name/code e.g., masked information.

[0236] At 620, based on the external analytics ID/ Event ID(s) and NF ID(s)/set of UE IDs/Group IDs (i.e., the Target of event reporting information), the UDM/UDR/UDSF/NRF 604 fetches the appropriate privacy adaptation data (i.e., the equivalent privacy protected data).

[0237] The UDM/UDR/UDSF/NRF 604 sends, to the data producer 602, the data collection policy response (i.e., Nudm/Nnf_Data Collection policy response), which can include Event ID(s)/external analytics IDs and NF ID(s)/set of UE IDs/Group IDs (i.e., Target of event reporting information) along with the specific privacy adaptation data.

[0238] In some embodiments, the privacy adaptation data can include the privacy protected data equivalent to the input data for an event/external analytics. In some embodiments, the privacy adaptation data can include the input data, privacy requirement and the privacy protected data equivalent to the input data for an event/external analytics. In some embodiments, the privacy adaptation data can include the privacy policy related to the event ID(s)/external analytics ID.

[0239] At 622, if the data producer 602 determines that any one or more of the collected/input data is privacy sensitive data, the data producer 602 applies the privacy adaptation to that input data. In particular, the data producer 602 (i.e., replaces, masks, or overlays the privacy sensitive input data with the received equivalent privacy adaptation data (i.e., privacy protected/preserved version of data).

[0240] In some embodiments, the data producer 602 is configured with privacy adaptation data or the Privacy Policy for data collection and exposure described in Table 1.1. In such a case, steps 616-620 may be omitted and the data producer 602 can apply privacy adaptation to the input data based on the configured information.

[0241] At 624, the data producer 602 sends the privacy protected (i.e., anonymized) input data to the data collector 606. For example, if the data collector 606 subscribes to a (set of) Event ID(s), the data producer 602 notifies the data collector 606 with the privacy protected (i.e., anonymized) input data (e.g. with an Event Report) by invoking Nnf EventExposure Notify service operation according to Event Reporting Information in the subscription. This may be performed, for example, if the procedure 300 is following Option 1.

[0242] In Option 2, as an alternative to steps 616-624, at 626, if data collection is not done directly from the data producer 602 (by following steps 616-624), the data collector 606 can perform data collection from the data producers 602 via the 0AM (i.e., 0AM based data collection). In such a case, the data collector 606 can subscribe/request to the 0AM and get notified by or receive data related to the event related privacy protected input data from the 0AM. This may be performed similar to as in steps 614-624, but instead of the data producer 602 producing input data, the 0AM manages the data collection from the data producers 602 and provides the collected privacy protected data to the data collector 606. In case of OAM-based data collection, the data producer 602 may perform steps 616- 624 or perform only step 624, for example if the privacy adaptation data is configured in the data producer 602 to allow the 0AM to fetch the privacy protected input data from the data producer 602 and to provide it to the data collector 606.

[0243] At 628, the data collector 606 sends the monitoring event exposure notify/response message with the privacy protected input data (i.e., anonymized input data) to the AF 608.

[0244] At 630, using the received privacy protected input data, the AF 608 performs data analysis and analytics (e.g., for the security evaluation and security monitoring / general monitoring of the network) based on operator implementation (e.g., using any AI/ML algorithms or intelligence like threat detection tools, Security information and event management (SIEM) tools, Security Orchestration, Automation, and Response (SOAR) etc.).

[0245] At 632, the AF 608 sends the monitoring results i.e., the external analytics output, to the data collector 606.

[0246] The monitoring results can contain trust value(s) or a reliability metric which may be related to the Target of event reporting information. The trust value or reliability metrics can represent a range of how reliable the monitoring results are, e.g. 0-20% = low, 21-50% = medium, 50-99% = high, 100% = fully trusted.

[0247] The monitoring results may be related to the Target of event reporting information and may be specific to the IDs indicated. The monitoring results may include a cause code, which can indicate if any of the following has occurred: configuration issues, an attack/threat alert (e.g., DOS/DDoS/NF Hijack, malicious code injection, NF compromise etc.), a malfunction alert, and/or a flooding alert). The monitoring results may include abnormal behaviour statistics/predictions (such as those listed in tables 1.3 and 1.4 below), and/or a time window which can be used by the external analytics consumer to rely upon the data up to the time window.

[0248] At 634, the data collector 606 can notify the monitoring results if there is any service consumer subscribed for the external analytics (e.g., related to any (external) monitoring related analytics ID) based on local configuration.

[0249] In this embodiment, the data collector 606 can also perform data distribution.

[0250] In some implementations, the data collector 606 can initiate step 614 based on local policy and further steps can be executed.

[0251] Thus, a privacy protection procedure 600 is provided.

[0252] Figure 7 illustrates an embodiment of a privacy protection procedure 700.

[0253] The procedure 700 involves a data producer 702 (such as any NF, AF, or RAN), a UDM 704 (or other management NF such as a UDR or UDSF or NRF), a data consumer or collector 706, and an AF 708.

[0254] The AF 708 can either reside in the operator network or be external to the operator network, i.e. be an external AF.

[0255] In this embodiment, the data collector 706 performs Privacy Protection Adaptation before data exposure.

[0256] The procedure 700 is a method to determine privacy adaptations based on privacy policies, and apply said privacy adaptations to data by the data collector 706 (e.g., any Network Function such as NWDAF/DCCF/MFAF/ADRF, Application Function, Management function) to enable privacy protected data collection and exposure. The privacy adaptation (e.g., translation/aggregation/mapping or replacement of privacy sensitive data with an equivalent privacy protected data) described in this embodiment can be a service offered by a logical function which is co-located with the data collector 706, or it can be a standalone function. In the latter case, the data collector 706 can request and receive the privacy adaptation service (e.g., by providing the input data and receiving the privacy protected input data).

[0257] The procedure 700 commences at 712 at which the AF 708 sends a monitoring event data exposure subscribe/request message which includes the event identifiers (Event IDs)/external analytics ID(s), target of event reporting information and, optionally, a reporting type and/or period to the data collector 706.

[0258] The target of event reporting information may indicate the object(s) for which data is requested to enable analysis and monitoring. It may indicate entities such as specific UEs, a group of UE(s) or any UE (i.e. all UEs), network functions, application functions, RAN nodes, etc.

[0259] In some embodiments, the target of event reporting information may be considered to be ‘Target of External Analytics Reporting or Monitoring information’ or ‘Target of event reporting External ID’.

[0260] Either based on local configuration or by querying the UDM/UDR/UDSF/NRF 704, the AF 708 identifies the data collector 706 (e.g., data consumer/data collection point related identification information related to the NWDAF/DCCF/MFAF/ADRF) specific to the target of event reporting information (e.g., serving NFs/RAN node related to target of event reporting can be considered as a data collector or based on local policy, the target of event reporting information can also be considered as the data collector).

[0261] In a first option (Option 1), the data collector related identification information is related to the NWDAF/DCCF/MFAF/ADRF. That is to say, in Option 1, the data collector 706 may be the NWDAF/DCCF/MFAF/ADRF. For example, serving NFs and/or RAN node(s) related to target of event reporting can be considered as a data collector or, based on local policy, the target of event reporting information can also be considered as the data collector 706.

[0262] Alternatively, based on local configuration or by querying the UDM/UDR/UDSF/NRF 704 or any management function (e.g., management repository function or MnS discovery service producer as in TS 28.537), the AF 708 identifies the data collector 706 (e.g., data consumer/data collection point related identification information related to the O AM/NMS/MD AF/MnS) specific to the target of event reporting information.

[0263] In a second option (Option 2), the data consumer/data collection point related identification information is related to the O AM/NMS/MD AF/MnS. That is to say, in Option 2, the data collector 706 may be the O AM/NMS/MD AF/MnS.

[0264] Steps 712, 730 and 734 can use any appropriate data collection function related service operation messages to subscriber/request, receive notifications/response related to the data exposure and to provide the monitoring results. Alternatively, steps 712, 730 and 734 can use a suitable exposure function related network service operation message or management service message to allow the AF 708 to subscribe for external analytics related data exposure request/notifi cations and to receive from the data collector 706 the anonymized input and to provide the monitoring results respectively.

[0265] At 714, the data collector 706 requests or subscribes to a (set of) Event ID(s) towards the data producer 702 by invoking the Nnf EventExposure Subscribe or Nnf EventExposure Request service operation which can include Event ID(s). This may be performed, for example, if the procedure 700 is following Option 1.

[0266] The Event ID(s) may be those received in step 712, or the data collector 706 may use a set of Event IDs that is based on local configuration and is related to the external analytics ID received in step 712.

[0267] The data collector 706 may check if data is to be collected for a user (i.e., SUPI or GPSI) or related to the network function/RAN node. Depending on local policy and regulations, the data collector 706 may check the user consent by retrieving the user consent information from the UDM/UDR/UDSF/NRF 704 using Nudm_SDM_Get including data type "User consent" (if the target of event reporting information indicates any UE ID). If user consent is not granted, the data collector 706 does not subscribe to event exposure for events related to this user and the data collection for this SUPI or GPSI stops here. If the target of event reporting information indicates any NF ID/AF ID/ RAN ID (e.g., gNB ID), or any UE ID, additionally, the data collector 706 can check the privacy policy related to the event ID(s)/external analytics ID(s).

[0268] In some embodiments, when required, the data collector 706 can cancel subscription for a (set of) Event ID(s) by invoking the Nnf EventExposure Unsubscribe service operation.

[0269] The reporting type or period can indicate immediate reporting or periodic reporting, and when or how often the data can be collected and exposed for the external analysis.

[0270] In some embodiments, if the data producer 702 is a RAN node, the data collector 706 may send to the data producer 702 the EventExposure Subscribe message which can include Event ID(s) and an anonymity required flag (i.e., any indication to state that privacy protection adaptation is required).

[0271] The data collector 706 (i.e., a data consumer e.g., NWDAF) can either directly send a message or can request for event exposure via a DCCF. In the latter case, the data collector 706 subscribes to data via the DCCF by invoking the

Ndccf DataManagement Subscribe (Service Operation, Data Specification, Formatting Instructions, Processing Instructions, NF (or NF-Set) ID, ADRF Information) service operation. The formatting instructions may include privacy adaptation data/ anonymity required flag. The data collector 706 may specify one or more notification endpoints. Service Operation is the service operation to be used by the DCCF to request data (e.g. Namf/Nnf_EventExposure_Subscribe or 0AM Subscribe) from the data sources (i.e., data producer 702). Data Specification provides Service Operation-specific parameters (e.g. event IDs, UE-ID(s), target of event reporting received in step 712) used to retrieve the data. The DCCF determines the NF type(s) and/or 0AM to retrieve the data based on the Service Operation requested. If the NF instance or NF Set ID is not provided by the data collector 706, the DCCF determines the NF instances that can provide data based on the Event ID received and local configuration (i.e., one or more data source to collect data related to the Event ID can be configured). When new output data are available, the Data Source uses Nnf EventExposure Notify to send the data to the DCCF. The DCCF uses Ndccf DataManagement Notify to send the data to all notification endpoints indicated in step 714. Data sent to notification endpoints may be processed and formatted by the DCCF, so they conform to delivery requirements for each data consumer or notification endpoint (i.e., the DCCF may apply privacy protection for the data (i.e., translates privacy sensitive data to a privacy protected data) if it receives formatting instruction related to privacy adaptation data/ anonymity required flag). Based on an implementation, as an alternative option, the DCCF may perform security/privacy filtering or masking of the collected data, if anonymity required flag or privacy adaptation data is included in the formatting and processing instructions. In an implementation, the DCCF may be configured with privacy adaptation data or it can be fetched from the UDM/UDR/UDSF/NRF 704. When using the Messaging Framework, the DCCF sends the formatting and/or processing instructions to the Messaging Framework via the Nmfaf_3daData_Management Service so the MFAF may format and/or process the data before sending notifications to the Data Consumers / notification endpoints. When using Data Delivery via the DCCF, the DCCF performs formatting and/or processing before sending notifications.

[0272] At 716, the data producer 702 sends the input data to the data collector 706. For example, if the data collector 706 subscribes to a (set of) Event ID(s), the data producer 702 (i.e., NFs) notifies the data collector 706 with the input data (e.g. with the event report) by invoking Nnf EventExposure Notify service operation according to Event Reporting Information in the subscription. Additionally, the input data message, e.g. the Nnf_EventExposure_Notify service message, can include the anonymity required flag if the data producer 402 is configured with such information related to the Event ID(s).

[0273] At 718, based on local policy, the data collector 706 can be configured with the anonymity required flag related to the Event ID(s) or external analytics ID related to the Event ID(s). Alternatively, if the data collector 706 receives the anonymity required flag from the data producer in step 716, the data collector 706 may determine to fetch the privacy adaptation data from the UDM/UDR/UDSF/NRF 704 to apply the privacy adaption data for the set of collected input(s).

[0274] In this embodiment, at 720, based on local policy and the anonymity required indication, the data collector 706 determines to check the privacy policy related to the indicated event-based data collection inputs.

[0275] The data collector 706 sends, to the UDM/UDR/UDSF/NRF 704, the data collection policy request (i.e., Nudm/Nnf_Data Collection policy request), which can include the NF ID(s), set of UE IDs/Group IDs (based on the Target of event reporting information), and Event ID(s)/external analytics IDs.

[0276] At 722, the UDM/UDR/UDSF/NRF 704 is preconfigured based on the operator’s local policy with the privacy policy for the data collection and exposure. This privacy policy includes a set of privacy adaption data related to various entities (e.g., NF IDs, AF IDs, RAN Nodes, UE IDs/UE group IDs, Slices - S-NSSAIs), the external analytics ID(s) and/or event ID(s), and related ‘input data’. An example privacy policy is shown in Table 2.1 above.

[0277] The privacy adaptation data may include a mapping of sensitive information to its associated privacy protected id/name/code e.g., masked information.

[0278] At 724, based on the external analytics ID/ Event ID(s) and NF ID(s)/set of UE IDs/Group IDs (i.e., the Target of event reporting information), the UDM/UDR/UDSF/NRF 704 fetches the appropriate privacy adaptation data (i.e., the equivalent privacy protected data).

[0279] The UDM/UDR/UDSF/NRF 704 sends, to the data collector 706, the data collection policy response (i.e., Nudm/Nnf_Data Collection policy response), which can include Event ID(s)/external analytics IDs and NF ID(s)/set of UE IDs/Group IDs (i.e., Target of event reporting information) along with the specific privacy adaptation data.

[0280] In some embodiments, the privacy adaptation data can include the privacy protected data equivalent to the input data for an event/external analytics. In some embodiments, the privacy adaptation data can include the input data, privacy requirement and the privacy protected data equivalent to the input data for an event/external analytics. In some embodiments, the privacy adaptation data can include the privacy policy related to the event ID(s)/external analytics ID.

[0281] In Option 2, as an alternative to steps 714-724, at 726, if data collection is not done directly from the data producer 702 (by following steps 714-724), the data collector 706 can perform data collection from the data producers via the 0AM (i.e., 0AM based data collection). In such a case, the data collector 706 can subscribe/request to the 0AM and get notified by or receive data related to the event related privacy protected input data from the 0AM. This may be performed similar to as in steps 714-724, but instead of the data producer 702 producing input data, the 0AM manages the data collection from the data producers 702 and provides the collected privacy protected data to the data collector 706. In case of OAM-based data collection, the data collector 706 may perform steps 718- 728 or perform only step 718 and 728, for example if the privacy adaptation data is configured in the data collector 706 to enable application of privacy protection/privacy adaptation to the collected input data, as described in step 728.

[0282] At 728, if the data collector 706 determines that any one or more of the collected input data (related to the Event IDs) are privacy sensitive, the data collector 706 applies the privacy adaptation to the input data. In particular, the data collector 706 replaces, masks, or overlays the privacy sensitive input data with the received equivalent privacy adaptation data (i.e., to produce privacy protected/preserved version of data).

[0283] In some embodiments, the data collector 706 is configured with the privacy adaptation data or the Privacy Policy for data collection and exposure described in Table 2.1. In such a case, steps 720-724 may be omitted and the data collector 706 can directly perform step 728, i.e., the data collector 706 can apply privacy adaptation to the input data based on the configured information.

[0284] At 730, the data collector 706 sends the monitoring event exposure notify/response message with the privacy protected input data (i.e., anonymized input data) to the AF 708. [0285] At 732, using the received privacy protected input data, the AF 708 performs the data analysis and analytics (e.g., for the security evaluation and security monitoring / general monitoring of the network) based on operator implementation (e.g., using any AI/ML algorithms or intelligence like threat detection tools, Security information and event management (SIEM) tools, Security Orchestration, Automation, and Response (SOAR) etc.,)

[0286] At 734, the AF 310 sends the monitoring results i.e., the external analytics output, to the data collector 706.

[0287] The monitoring results can contain trust value(s) or a reliability metric which may be related to the Target of event reporting information. The trust value or reliability metrics can represent a range of how reliable the monitoring results are, e.g. 0-20% = low, 21-50% = medium, 50-99% = high, 100% = fully trusted.

[0288] The monitoring results may be related to the Target of event reporting information and may be specific to the IDs indicated. The monitoring results may include a cause code, which can indicate if any of the following has occurred: configuration issues, an attack/threat alert (e.g., DOS/DDoS/NF Hijack, malicious code injection, NF compromise etc.), a malfunction alert, and/or a flooding alert). The monitoring results may include abnormal behaviour statistics/predictions (such as those listed in tables 1.3 and 1.4 above), and/or a time window which can be used by the external analytics consumer to rely upon the data up to the time window.

[0289] At 736, the data collector 706 can notify the monitoring results if there is any service consumer subscribed for the external analytics (e.g., related to any (external) monitoring related analytics ID) based on local configuration.

[0290] In this embodiment, if a RAN node takes the role of the data producer 702, at steps 714 and 716, any event exposure subscribe/notify and request/response message can used.

[0291] In this embodiment, the data collector 706 can also perform data distribution. [0292] In some implementations, the data collector 706 can initiate step 714 based on local policy and further steps can be executed.

[0293] Thus, a privacy protection procedure 700 is provided.

[0294] There is provided an exposure function in a wireless communication network. The exposure function comprises: at least one memory; and at least one processor coupled with the at least one memory and configured to cause the exposure function to: receive, from a second network function, NF (e.g., an application function), a request for data on which the second NF is to perform external analysis (e.g., external analytics and/or security monitoring); determine a third NF for sending the request for data; and send, to the third NF, the request for data and an application ID associated with the second NF.

[0295] The request for data may be a request for event-based data. The request may comprise one or more Event IDs and/or external analytics ID (which may correspond to one or more Event IDs). The exposure function may comprise or have access to a mapping of one or more external analytics IDs to a respective set of Event IDs associated to that external analytics ID. The request for data may be a Monitoring Event Exposure Subscribe or Request message. The Monitoring Event Exposure Subscribe or Request message may be a request for or a subscription request to event-based data corresponding to the one or more Event IDs and/or external analytics IDs. The one or more Event IDs and/or external analytics IDs may be related to, e.g. specific to, external security monitoring.

[0296] The one or more Event IDs may identify one or more events selected from the group of events consisting of: abnormal behaviour of a network function; violations to predefined service operation messages; violations to specified message input or outputs; messages exceeding preconfigured limits; resource utilization; authentication failure, e.g. repeated authentication failure; and authorization failure, e.g. repeated authorization failure.

[0297] The normal operations (e.g., predefined message formats allowed (e.g., between NFs, RAN and NFs, between RANs for network communication), Specified (SBI) service based interface operation message exchanges, etc.) can be considered as normal behaviour and used as baseline to identify any violations and to identify any malformed messages to collect input data (e.g., any violations to the normal specified behaviour i.e., network function service(s) inputs/outputs specified in TS 23.502 Clause 5.2).

[0298] Further, based on operator implementation, the NFs/RAN can maintain a threshold (as baseline) for number of messages/service request handling for a period. If that threshold is exceeded, that information can be collected as part of the input data (e.g., to identify if any flooding attack or denial of service attack is being launched/experienced). Based on operator implementation, if any alert arises due to configuration changes, that information can be collected as part of input data. These data can help to identify any attack traces related to active attacks and passive attacks in general for security monitoring.

[0299] Resource utilization events may be information related to the NF/Network slice/RAN level load information. For example, Resource usage may be the usage of assigned virtual resources currently in use for the NF instances (e.g., mean usage of the virtual CPU, memory, disk, etc.) and may be as defined in clause 5.7 of TS 28.552 [8], belonging to a particular Network Slice instance. As another example, Resource usage threshold crossings may be a number of times a resource usage threshold is met or exceeded or crossed on the Network Slice instance and the time when it happened. It may be present if a threshold is provided by the consumer as an Analytics Filter. As another example, resource usage threshold crossings time period (l..max) may be a resource usage threshold crossing vector including time elapsed between times each threshold is met or exceeded or crossed on the Network Slice instance. It may be present if a threshold value is provided by the consumer as an Analytics Filter.

[0300] An authentication failure event may be one in which, during an authentication of the NF/RAN, the authentication fails. The data related to the NF ID/RAN ID, along with the authentication failure status/information, the frequency of authentication failure, the maximum number of time authentication failures happened, etc. can be maintained and can be collected as input data.

[0301] An authorization failure event may be one in which, during authorization (e.g., for the NF / RAN node), the authorization fails. The data related to the respective NF ID/RAN ID, along with the authorization failure status/information, the frequency of authorization failure, the maximum number of time authorization failures happened, etc. can be maintained and can be collected as input data.

[0302] The second NF may be an AF, e.g. an external AF.

[0303] The third NF may be a data consumer or collector selected from the group of data consumers or collectors consisting of: a Network Data Analytics Function, NWDAF; a Data Collection Coordination Function, DCCF; a Messaging Framework Adaptor Function, MFAF; a Analytics Data Repository Function, ADRF; an Operations, Administration and Maintenance function, 0AM; a Network Management System, NMS; and a Management Data Analytics Service, MDAF.

[0304] The at least one processor may be further configured to cause the exposure function to, responsive to receiving the request for data, determine/identify the third NF to which to send the request for data and the application ID.

[0305] The at least one processor may be further configured to cause the exposure function to determine/identify the third NF either based on a local configuration or by querying a management NF, such as a UDM/UDR/UDSF/NRF.

[0306] The at least one processor may be further configured to cause the exposure function to: receive an indication that exposure of certain data (e.g. data related to the or certain Event ID(s)) from the third NF to the second NF is allowed/not allowed; and prevent or oppose exposure of the certain data from the third NF to the second NF if an indication that exposure if is not allowed indication is received.

[0307] The indication that exposure of the certain data from the third NF to the second NF is not allowed is received from an entity selected from the group of entities consisting of: the third NF, e.g. responsive to sending the application ID to the third NF; and a fourth NF, e.g., a management NF, such as a UDM/UDR/UDSF/NRF, which the exposure function may have queried to identify the third NF.

[0308] The at least one processor may be further configured to cause the exposure function to: receive, from the third NF, input data (i.e., requested data, which may be eventbased data corresponding to the requested Event IDs e.g. associated to the external analytics ID), the input data comprising privacy sensitive data (which may correspond to one or more Event-IDs); identify respective privacy adaption data (which may be eventspecific, e.g. Event-ID specific, privacy adaption data) for the privacy sensitive data based on a privacy policy; process the input data to replace or mask the privacy sensitive data with the respective privacy adaption data, thereby to produce privacy protected input data; and send the privacy protected input data to the second NF.

[0309] The privacy adaption data may be anonymised data, which may have identifying particulars of a user, user equipment, location information, network slice identification information, network location information and/or network function identification entity information removed therefrom.

[0310] The privacy adaptation data may include a mapping of privacy sensitive information elements to its associated anonymized information, for example privacy protected id/name/code, to for allow external use.

[0311] Privacy adaptation data can be in general assigned by the operator as part of configuration, and it can contain, ‘Equivalent Anonymized Data or Privacy protected data / Privacy preserved Data / Masked data/ data for external use termed as ‘external data’.

[0312] The at least one processor may be further configured to receive, from the third NF, an indication that the input data is to be privacy protected.

[0313] The at least one processor ma be further configured to cause the exposure function to: responsive to acquiring the input data, send, to a fourth NF, a policy request for the respective privacy adaption data e.g. with Event ID(s); and receive, from the fourth NF, the respective (Event ID specific) privacy adaption data.

[0314] The fourth NF may be an NF selected from the group of NFs consisting of: a Unified Data Management, UDM, entity; a Unified Data Repository, UDR; and a Unstructured Data Storage Function, UDSF; and a Network Repository function (NRF); and is configured to maintain a privacy policy for data collection and exposure. [0315] The at least one processor may be further configured to cause the exposure function to, responsive to sending the privacy protected input data to the second NF, receive, from the second NF, monitoring results based on the privacy protected input data.

[0316] The at least one processor may be further configured to cause the exposure function to send the monitoring results to the third NF.

[0317] The NF may be an exposure function selected from the group of exposure functions consisting of an Exposure Governance Management Function, EGMF, or Network Exposure Function, NEF .

[0318] The request for data may specify a target data source, e.g., by means of a NF ID, UE ID, NF type, RAN ID, Network slice ID, network slice instance, etc., related to which data is to be collected.

[0319] There is further provided a processor for wireless communication, comprising: at least one controller coupled with at least one memory and configured to cause the processor to: receive, from a second network function, NF, a request for data; and send, to a third NF, the request for data and an application ID associated with the second NF.

[0320] Figure 8 illustrates a flowchart of a method 800 in accordance with aspects of the present disclosure. The operations of the method 800 may be implemented by an exposure function as described herein. In some implementations, the exposure function may execute a set of instructions to control the function elements of the exposure function to perform the described functions.

[0321] The method 800 comprises: receiving 802, from a second network function, NF, a request for data on which the second NF is to perform external analysis (e.g., external analytics and/or security monitoring); determining 803 a third NF for sending the request for data; and sending 804, to the third NF, the request for data and an application ID associated with the second NF.

[0322] The operations of receiving 802, determining 803, and second 804 may be performed in accordance with examples as described herein. In some implementations, aspects of the operations of receiving 802, determining 803, and second 804 may be performed by an exposure function as described with reference to Figure 11 and/or by a processor as described with reference to Figure 10.

[0323] It should be noted that the method described herein describes a possible implementation, and that the operations and the steps may be rearranged or otherwise modified and that other implementations are possible.

[0324] There is provided a network function in the network. The network function is configured to: receive request from an exposure function with an external analytics ID and/or application ID; determine to collect data for certain event IDs related to the external analytics ID and/or application ID; check the privacy policy for the event based data collection; send an event exposure request to another network function, optionally with a data anonymization required indication; receive an event exposure response with anonymized/privacy protected input data; send a response to the exposure function with the anonymized/privacy protected input data; and receive monitoring results.

[0325] The privacy policy may include one or more of: an external analytics ID, an event ID, and/or a data anonymization required indication.

[0326] If the network function is a data collector, the event exposure request may be sent to a data producer.

[0327] There is provided a network function in the network. The network function is configured to: check a privacy policy for event based data collection; determined to apply privacy adaptation for the data; perform privacy adaptation to the privacy sensitive data; sends the privacy protected data to a second network function.

[0328] The privacy policy may include one or more of: one or more external analytics IDs, and/or one or more Event IDs, optionally along with input data type, input data value, privacy requirement, equivalent privacy protected input data value for external use, etc.

[0329] The network function may be further configured to receive a data anonymization required indication.

[0330] The network function may be configured with a data anonymization required indication specific to one or more Event IDs. [0331] The network function may be configured to perform privacy adaptation by translation/aggregation/mapping or replacement of privacy sensitive data with an equivalent privacy protected input data value for external use.

[0332] Figure 9 illustrates an example of a UE 900 in accordance with aspects of the present disclosure. The UE 900 may include a processor 902, a memory 904, a controller 906, and a transceiver 908. The processor 902, the memory 904, the controller 906, or the transceiver 908, or various combinations thereof or various components thereof may be examples of means for performing various aspects of the present disclosure as described herein. These components may be coupled (e.g., operatively, communicatively, functionally, electronically, electrically) via one or more interfaces.

[0333] The processor 902, the memory 904, the controller 906, or the transceiver 908, or various combinations or components thereof may be implemented in hardware (e.g., circuitry). The hardware may include a processor, a digital signal processor (DSP), an application-specific integrated circuit (ASIC), or other programmable logic device, or any combination thereof configured as or otherwise supporting a means for performing the functions described in the present disclosure.

[0334] The processor 902 may include an intelligent hardware device (e.g., a general- purpose processor, a DSP, a CPU, an ASIC, an FPGA, or any combination thereof). In some implementations, the processor 902 may be configured to operate the memory 904. In some other implementations, the memory 904 may be integrated into the processor 902. The processor 902 may be configured to execute computer-readable instructions stored in the memory 904 to cause the UE 900 to perform various functions of the present disclosure.

[0335] The memory 904 may include volatile or non-volatile memory. The memory 904 may store computer-readable, computer-executable code including instructions when executed by the processor 902 cause the UE 900 to perform various functions described herein. The code may be stored in a non-transitory computer-readable medium such the memory 904 or another type of memory. Computer-readable media includes both non- transitory computer storage media and communication media including any medium that facilitates transfer of a computer program from one place to another. A non-transitory storage medium may be any available medium that may be accessed by a general-purpose or special-purpose computer.

[0336] In some implementations, the processor 902 and the memory 904 coupled with the processor 902 may be configured to cause the UE 900 to perform one or more of the functions described herein (e.g., executing, by the processor 902, instructions stored in the memory 904). For example, the processor 902 may support wireless communication at the UE 900 in accordance with examples as disclosed herein. The UE 900 may be configured to support a means for performing privacy protection as described herein.

[0337] The controller 906 may manage input and output signals for the UE 900. The controller 906 may also manage peripherals not integrated into the UE 900. In some implementations, the controller 906 may utilize an operating system such as iOS®, ANDROID®, WINDOWS®, or other operating systems. In some implementations, the controller 906 may be implemented as part of the processor 902.

[0338] In some implementations, the UE 900 may include at least one transceiver 908. In some other implementations, the UE 900 may have more than one transceiver 908. The transceiver 908 may represent a wireless transceiver. The transceiver 908 may include one or more receiver chains 910, one or more transmitter chains 912, or a combination thereof.

[0339] A receiver chain 910 may be configured to receive signals (e.g., control information, data, packets) over a wireless medium. For example, the receiver chain 910 may include one or more antennas for receiving the signal over the air or wireless medium. The receiver chain 910 may include at least one amplifier (e.g., a low- noise amplifier (LN A)) configured to amplify the received signal. The receiver chain 910 may include at least one demodulator configured to demodulate the receive signal and obtain the transmitted data by reversing the modulation technique applied during transmission of the signal. The receiver chain 910 may include at least one decoder for decoding and processing the demodulated signal to receive the transmitted data.

[0340] A transmitter chain 912 may be configured to generate and transmit signals (e.g., control information, data, packets). The transmitter chain 912 may include at least one modulator for modulating data onto a carrier signal, preparing the signal for transmission over a wireless medium. The at least one modulator may be configured to support one or more techniques such as amplitude modulation (AM), frequency modulation (FM), or digital modulation schemes like phase-shift keying (PSK) or quadrature amplitude modulation (QAM). The transmitter chain 912 may also include at least one power amplifier configured to amplify the modulated signal to an appropriate power level suitable for transmission over the wireless medium. The transmitter chain 912 may also include one or more antennas for transmitting the amplified signal into the air or wireless medium.

[0341] Figure 10 illustrates an example of a processor 1000 in accordance with aspects of the present disclosure. The processor 1000 may be an example of a processor configured to perform various operations in accordance with examples as described herein. The processor 1000 may include a controller 1002 configured to perform various operations in accordance with examples as described herein. The processor 1000 may optionally include at least one memory 1004, which may be, for example, an L1/L2/L3 cache. Additionally, or alternatively, the processor 1000 may optionally include one or more arithmetic-logic units (ALUs) 1006. One or more of these components may be in electronic communication or otherwise coupled (e.g., operatively, communicatively, functionally, electronically, electrically) via one or more interfaces (e.g., buses).

[0342] The processor 1000 may be a processor chipset and include a protocol stack (e.g., a software stack) executed by the processor chipset to perform various operations (e.g., receiving, obtaining, retrieving, transmitting, outputting, forwarding, storing, determining, identifying, accessing, writing, reading) in accordance with examples as described herein. The processor chipset may include one or more cores, one or more caches (e.g., memory local to or included in the processor chipset (e.g., the processor 1000) or other memory (e.g., random access memory (RAM), read-only memory (ROM), dynamic RAM (DRAM), synchronous dynamic RAM (SDRAM), static RAM (SRAM), ferroelectric RAM (FeRAM), magnetic RAM (MRAM), resistive RAM (RRAM), flash memory, phase change memory (PCM), and others).

[0343] The controller 1002 may be configured to manage and coordinate various operations (e.g., signaling, receiving, obtaining, retrieving, transmitting, outputting, forwarding, storing, determining, identifying, accessing, writing, reading) of the processor 1000 to cause the processor 1000 to support various operations in accordance with examples as described herein. For example, the controller 1002 may operate as a control unit of the processor 1000, generating control signals that manage the operation of various components of the processor 1000. These control signals include enabling or disabling functional units, selecting data paths, initiating memory access, and coordinating timing of operations.

[0344] The controller 1002 may be configured to fetch (e.g., obtain, retrieve, receive) instructions from the memory 1004 and determine subsequent instruction(s) to be executed to cause the processor 1000 to support various operations in accordance with examples as described herein. The controller 1002 may be configured to track memory address of instructions associated with the memory 1004. The controller 1002 may be configured to decode instructions to determine the operation to be performed and the operands involved. For example, the controller 1002 may be configured to interpret the instruction and determine control signals to be output to other components of the processor 1000 to cause the processor 1000 to support various operations in accordance with examples as described herein. Additionally, or alternatively, the controller 1002 may be configured to manage flow of data within the processor 1000. The controller 1002 may be configured to control transfer of data between registers, arithmetic logic units (ALUs), and other functional units of the processor 1000.

[0345] The memory 1004 may include one or more caches (e.g., memory local to or included in the processor 1000 or other memory, such RAM, ROM, DRAM, SDRAM, SRAM, MRAM, flash memory, etc. In some implementations, the memory 1004 may reside within or on a processor chipset (e.g., local to the processor 1000). In some other implementations, the memory 1004 may reside external to the processor chipset (e.g., remote to the processor 1000).

[0346] The memory 1004 may store computer- readable, computer-executable code including instructions that, when executed by the processor 1000, cause the processor 1000 to perform various functions described herein. The code may be stored in a non-transitory computer-readable medium such as system memory or another type of memory. The controller 1002 and/or the processor 1000 may be configured to execute computer-readable instructions stored in the memory 1004 to cause the processor 1000 to perform various functions. For example, the processor 1000 and/or the controller 1002 may be coupled with or to the memory 1004, the processor 1000, the controller 1002, and the memory 1004 may be configured to perform various functions described herein. In some examples, the processor 1000 may include multiple processors and the memory 1004 may include multiple memories. One or more of the multiple processors may be coupled with one or more of the multiple memories, which may, individually or collectively, be configured to perform various functions herein.

[0347] The one or more ALUs 1006 may be configured to support various operations in accordance with examples as described herein. In some implementations, the one or more ALUs 1006 may reside within or on a processor chipset (e.g., the processor 1000). In some other implementations, the one or more ALUs 1006 may reside external to the processor chipset (e.g., the processor 1000). One or more ALUs 1006 may perform one or more computations such as addition, subtraction, multiplication, and division on data. For example, one or more ALUs 1006 may receive input operands and an operation code, which determines an operation to be executed. One or more ALUs 1006 be configured with a variety of logical and arithmetic circuits, including adders, subtractors, shifters, and logic gates, to process and manipulate the data according to the operation. Additionally, or alternatively, the one or more ALUs 1006 may support logical operations such as AND, OR, exclusive-OR (XOR), not-OR (NOR), and not- AND (NAND), enabling the one or more ALUs 1006 to handle conditional operations, comparisons, and bitwise operations.

[0348] The processor 1000 may support wireless communication in accordance with examples as disclosed herein. The processor 1000 may be configured to or operable to support a means for performing privacy protection, as described herein.

[0349] Figure 11 illustrates an example of an NF or NE 1100 in accordance with aspects of the present disclosure. The NE 1100 may include a processor 1102, a memory 1104, a controller 1106, and a transceiver 1108. The processor 1102, the memory 1104, the controller 1106, or the transceiver 1108, or various combinations thereof or various components thereof may be examples of means for performing various aspects of the present disclosure as described herein. These components may be coupled (e.g., operatively, communicatively, functionally, electronically, electrically) via one or more interfaces.

[0350] The processor 1102, the memory 1104, the controller 1106, or the transceiver

1108, or various combinations or components thereof may be implemented in hardware (e.g., circuitry). The hardware may include a processor, a digital signal processor (DSP), an application-specific integrated circuit (ASIC), or other programmable logic device, or any combination thereof configured as or otherwise supporting a means for performing the functions described in the present disclosure.

[0351] The processor 1102 may include an intelligent hardware device (e.g., a general- purpose processor, a DSP, a CPU, an ASIC, an FPGA, or any combination thereof). In some implementations, the processor 1102 may be configured to operate the memory 1104. In some other implementations, the memory 1104 may be integrated into the processor 1102. The processor 1102 may be configured to execute computer-readable instructions stored in the memory 1104 to cause the NE 1100 to perform various functions of the present disclosure.

[0352] The memory 1104 may include volatile or non-volatile memory. The memory 1104 may store computer-readable, computer-executable code including instructions when executed by the processor 1102 cause the NE 1100 to perform various functions described herein. The code may be stored in a non-transitory computer-readable medium such the memory 1104 or another type of memory. Computer-readable media includes both non- transitory computer storage media and communication media including any medium that facilitates transfer of a computer program from one place to another. A non-transitory storage medium may be any available medium that may be accessed by a general-purpose or special-purpose computer.

[0353] In some implementations, the processor 1102 and the memory 1104 coupled with the processor 1102 may be configured to cause the NE 1100 to perform one or more of the functions described herein (e.g., executing, by the processor 1102, instructions stored in the memory 1104). For example, the processor 1102 may support wireless communication at the NE 1100 in accordance with examples as disclosed herein. The NE 1100 may be configured to support a means for privacy protection as described herein. [0354] The controller 1106 may manage input and output signals for the NE 1100. The controller 1106 may also manage peripherals not integrated into the NE 1100. In some implementations, the controller 1106 may utilize an operating system such as iOS®, ANDROID®, WINDOWS®, or other operating systems. In some implementations, the controller 1106 may be implemented as part of the processor 1102.

[0355] In some implementations, the NE 1100 may include at least one transceiver 1108. In some other implementations, the NE 1100 may have more than one transceiver 1108. The transceiver 1108 may represent a wireless transceiver. The transceiver 1108 may include one or more receiver chains 1110, one or more transmitter chains 1112, or a combination thereof.

[0356] A receiver chain 1110 may be configured to receive signals (e.g., control information, data, packets) over a wireless medium. For example, the receiver chain 1110 may include one or more antennas for receive the signal over the air or wireless medium. The receiver chain 1110 may include at least one amplifier (e.g., a low-noise amplifier (LNA)) configured to amplify the received signal. The receiver chain 1110 may include at least one demodulator configured to demodulate the receive signal and obtain the transmitted data by reversing the modulation technique applied during transmission of the signal. The receiver chain 1110 may include at least one decoder for decoding the processing the demodulated signal to receive the transmitted data.

[0357] A transmitter chain 1112 may be configured to generate and transmit signals (e.g., control information, data, packets). The transmitter chain 1112 may include at least one modulator for modulating data onto a carrier signal, preparing the signal for transmission over a wireless medium. The at least one modulator may be configured to support one or more techniques such as amplitude modulation (AM), frequency modulation (FM), or digital modulation schemes like phase-shift keying (PSK) or quadrature amplitude modulation (QAM). The transmitter chain 1112 may also include at least one power amplifier configured to amplify the modulated signal to an appropriate power level suitable for transmission over the wireless medium. The transmitter chain 1112 may also include one or more antennas for transmitting the amplified signal into the air or wireless medium. [0358] The description herein is provided to enable a person having ordinary skill in the art to make or use the disclosure. Various modifications to the disclosure will be apparent to a person having ordinary skill in the art, and the generic principles defined herein may be applied to other variations without departing from the scope of the disclosure. Thus, the disclosure is not limited to the examples and designs described herein but is to be accorded the broadest scope consistent with the principles and novel features disclosed herein.

[0359] The following abbreviations are relevant in the field addressed by this document:

5 GC 5 G Core N etwork

5G-AN 5G Access Network

5G-RG 5G Residential Gateway

NG-RAN 5G Radio Access Network

ADRF Analytics Data Repository Function

AMF Access and Mobility Management Function

ARPF Authentication credential Repository and Processing Function AUN3 Authenti cable Non-3GPP devices

AUSF Authentication Server Function

Cell-ID Cell Identity

CIoT Cellular Internet of Things cNRF consumer's NRF

CP Control Plane

CU Central Unit

DCCF Data Collection Coordination Function

DN Data Network

DNN Data Network Name

DU Distributed Unit

EDT Early Data Transmission

EN-DC E-UTRA-NR Dual Connectivity

ENSI External Network Slice Information

EPS Evolved Packet System

FN-RG Fixed Network RG FS Fault Supervision gNB NR Node B

GUTI Globally Unique Temporary UE Identity

IAB Integrated Access and Backhaul

IPUPS Inter-PLMN UP Security

IPX IP exchange service

LI Lawful Intercept

MBSF Multicast/Broadcast Service Function

MBSSF Multicast/Broadcast Service Security Function

MBSTF Multicast/Broadcast Service Transport Function

MeNB Master eNB

MFAF Messaging Framework Adaptor Function

MN Master Node

ME Managed Element

MO-EDT Mobile Originated Early Data Transmission

MT-EDT Mobile Terminated Early Data Transmission

MnS Management Service

N3IWF Non-3GPP access InterWorking Function

NWDAF Network Data Analytics Function

NAI Network Access Identifier

NF Network Function

NG Next Generation

NMS Network Management System ng-eNB Next Generation Evolved Node-B

NR New Radio

NRF Network Repository Function

NSSAI Network Slice Selection Assistance Information

OAM Operations, Administration and Maintenance

PDN Packet Data Network

PEI Permanent Equipment Identifier

SEAF SEcurity Anchor Function SCP Service Communication Proxy

SEPP Security Edge Protection Proxy

SgNB Secondary gNB

SIDF Subscription Identifier De-concealing Function

SMF Session Management Function

SN Id Serving Network Identifier

SUCI Subscription Concealed Identifier

SUPI Subscription Permanent Identifier

TNAN Trusted Non-3GPP Access Network

TNAP Trusted Non-3GPP Access Point

TNGF Trusted Non-3GPP Gateway Function

TWAP Trusted WLAN Access Point

TWIF Trusted WLAN Interworking Function

UE User Equipment

UDM Unified Data Management

UDR Unified Data Repository

UPF User Plane Function

USIM Universal Subscriber Identity Module

UDSF Unstructured Data Storage Function

Claims

CLAIMS What is claimed is:

1. An exposure function in a wireless communication network, the exposure function comprising: at least one memory; and at least one processor coupled with the at least one memory and configured to cause the exposure function to: receive, from a second network function, NF, a request for data on which the second NF is to perform external analysis; determine a third NF for sending the request for data; and send, to the third NF, the request for data and an application ID associated with the second NF.

2. The exposure function of claim 1 , wherein the request for data is a request for event-based data, the request comprising one or more Event IDs and/or external analytics ID.

3. The exposure function of claim 1 or 2, wherein the exposure function comprises or has access to a mapping of one or more external analytics IDs to a respective set of Event IDs associated to that external analytics ID.

4. The exposure function of claim 2 or 3, wherein the request for data is a Monitoring Event Exposure Subscribe or Request message that is a request for or is a subscription request to event-based data corresponding to the one or more Event IDs and/or external analytics IDs, the one or more Event IDs and/or external analytics IDs being related to external security monitoring.

5. The exposure function of any of claims 2 to 4, wherein the one or more Event IDs identify one or more events selected from the group of events consisting of: abnormal behaviour of a network function; violations to predefined service operation messages; violations to specified message input or outputs; messages exceeding preconfigured limits; resource utilization; authentication failure; and authorization failure.

6. The exposure function of any of claims 1 to 5, wherein the second NF is an Application Function, AF.

7. The exposure function of any of claims 1 to 6, wherein the third NF is a data consumer or collector selected from the group of data consumers or collectors consisting of: a Network Data Analytics Function, NWDAF; a Data Collection Coordination Function, DCCF; a Messaging Framework Adaptor Function, MFAF; a Analytics Data Repository Function, ADRF; an Operations, Administration and Maintenance function, OAM; a Network Management System, NMS; and a Management Data Analytics Service, MDAF.

8. The exposure function of any of claims 1 to 7, wherein the at least one processor is further configured to cause the exposure function to determine the third NF either based on a local configuration or by querying a NF.

9. The exposure function of claim 1 or 8, wherein the at least one processor is further configured to cause the exposure function to: receive an indication that exposure of certain data from the third NF to the second NF is allowed/not allowed; and prevent or oppose exposure of the certain data from the third NF to the second NF if an indication that exposure if is not allowed indication is received.

10. The exposure function of claim 9, wherein the indication that exposure of the certain data from the third NF to the second NF is not allowed is received from an entity selected from the group of entities consisting of: the third NF; and a fourth NF.

11. The exposure function of any of claims 1 to 10, wherein the at least one processor is further configured to cause the exposure function to: receive, from the third NF, input data, the input data comprising privacy sensitive data; identify respective privacy adaption data for the privacy sensitive data based on a privacy policy; process the input data to replace or mask the privacy sensitive data with the respective privacy adaption data, thereby to produce privacy protected input data; and send the privacy protected input data to the second NF.

12. The exposure function claim 11, wherein the privacy adaption data is anonymised data.

13. The exposure function claim 11 or 12, wherein the at least one processor is further configured to receive, from the third NF, an indication that the input data is to be privacy protected.

14. The exposure function of any of claims 11 to 13, wherein the at least one processor is further configured to cause the exposure function to: responsive to acquiring the input data, send, to a fourth NF, a policy request for the respective privacy adaption data with Event ID(s); and receive, from the fourth NF, respective Event ID specific privacy adaption data.

15. The exposure function of claim 14, wherein the fourth NF is an NF selected from the group of NFs consisting of: a Unified Data Management, UDM, entity; a Unified Data Repository, UDR; and an Unstructured Data Storage Function, UDSF; and a Network Repository Function (NRF); and is configured to maintain a privacy policy for data collection and exposure.

16. The exposure function of any of claims 11 to 15, wherein the at least one processor is further configured to cause the exposure function to, responsive to sending the privacy protected input data to the second NF, receive, from the second NF, monitoring results based on the privacy protected input data.

17. The exposure function of claim 16, wherein the at least one processor is further configured to cause the exposure function to send the monitoring results to the third NF.

18. The exposure function of any of claims 1 to 17, wherein the NF is an exposure function selected from the group of exposure functions consisting of an Exposure Governance Management Function, EGMF, or Network Exposure Function, NEF.

19. The exposure function of any of claims 1 to 18, wherein the request for data specifies a target data source related to which data is to be collected.

20. A method performed by an exposure function in a wireless communication network, the method comprising: receiving, from a second network function, NF, a request for data on which the second NF is to perform external analysis; determining a third NF for sending the request for data; and sending, to the third NF, the request for data and an application ID associated with the second NF.