Apparatus, method and computer program

By introducing a centralized auditing function into the 3GPP network and generating and storing integrity-protected tagging information, the problems of tracking the user data lifecycle and of UE-to-UE data sharing are addressed, enabling secure data management and network optimization.

CN122248410A · Pending · Publication Date: 2026-06-19 · NOKIA TECHNOLOGIES OY

Patent Information

Authority / Receiving Office
CN · China
Patent Type
Applications(China)
Current Assignee / Owner
NOKIA TECHNOLOGIES OY
Filing Date
2025-12-15
Publication Date
2026-06-19

AI Technical Summary

Technical Problem

In 3GPP networks, existing technologies cannot effectively track the lifecycle of user data and UE-to-UE data sharing, leading to inconvenience in data management and privacy and security issues.

Method used

The introduction of a centralized audit function (CAF) ensures data integrity and traceability by generating and storing integrity-protected tagging information to track user data flows, including location, identification, and power information.

Benefits of technology

It enables full lifecycle tracking and management of user data, ensuring data security and compliance, preventing unauthorized access, and optimizing network resource usage.

✦ Generated by Eureka AI based on patent content.


Abstract

An apparatus for a communication network is provided, the apparatus including a network function and including at least one processor and at least one memory storing instructions, which, when executed by the at least one processor, cause the apparatus to at least perform: obtaining data related to a user equipment from a user equipment; receiving a request for the data related to the user equipment from another network function, wherein the request includes: a reason for the request; generating tagging information, wherein the tagging information includes: an indication of the data, an identifier of the network function, and an identifier of another network function; and providing the generated tagging information to the other network function, wherein the generated tagging information is protected by integrity.

Description

Technical Field

[0001] Various embodiments of this disclosure generally relate to methods, apparatus, and computer programs, and particularly, but not limited to, enabling data use and access tracking in 6G.

Background Technology

[0002] A communication system can be viewed as a facility that enables communication sessions between two or more communication devices, or provides communication devices with access to a network. Mobile or wireless communication networks are an example of communication networks. Communication devices can be provided with services through application servers.

[0003] Mobile or wireless communication networks can operate according to standards such as those provided by 3GPP (3rd Generation Partnership Project) or ETSI (European Telecommunications Standards Institute). Examples of mobile or wireless communication networks operating according to 3GPP standards are often referred to as 4G (fourth generation) networks, 5G (fifth generation) networks, 5G Advanced networks, and 6G networks.

Summary of the Invention

[0004] Some exemplary embodiments of this disclosure will be described with reference to certain aspects. These aspects are not intended to indicate key or essential features of the various exemplary embodiments of this disclosure, nor are they intended to be used to limit its scope. In view of this disclosure, those skilled in the art will readily understand other features, aspects, and elements. For example, it should be understood that additional aspects can be provided by combination of any two or more aspects described herein.

[0005] In a first aspect, a method is provided, the method comprising: acquiring data related to a user equipment from a user equipment; receiving a request for the data related to the user equipment from another network function, wherein the request includes: a reason for the request; generating tagging information, wherein the tagging information includes: an indication of the data, an identifier of the network function, and an identifier of the other network function; and providing the generated tagging information to the other network function, wherein the generated tagging information is protected by integrity.

[0006] The method may include storing the generated tagging information.

[0007] The method may include storing the generated tagging information at a centralized auditing function, which may be located outside or inside the network function.

[0008] This method may include providing the generated tagging information to a centralized auditing function.

[0009] Data related to user equipment may include at least one of the following: location information, identification information, or power information.

[0010] The generated tagging information may include a timestamp.

[0011] This method may include providing the generated tagging information to another network function via a service application programming interface or header.

[0012] The reason for the request may include at least one of the following: analysis, strategy development, or network optimization.

[0013] The generated tagging information can be protected for integrity based on a signature made with the private key of the device.

[0014] The indication of the data may include a hash value of the data.

[0015] The generated tagging information may include an indication of the data category.

[0016] In a second aspect, a method is provided, comprising: providing a request for data relating to a user equipment to another network function, wherein the request includes a reason for the request; and receiving tagging information from the other network function, wherein the tagging information is protected for integrity and includes: an indication of the data, an identifier of the network function, and an identifier of the other network function.

[0017] The method may include generating additional tagging information, wherein the additional tagging information includes the received tagging information.

[0018] The method may include storing the received tagging information.

[0019] The method may include storing the received tagging information at a centralized auditing function, which may be located outside or inside the network function.

[0020] This method may include providing the received tagging information to a centralized auditing function.

[0021] In a third aspect, an apparatus is provided comprising: components for performing the method according to the first or second aspect.

[0022] In a fourth aspect, an apparatus for a communication network is provided, the apparatus including a network function comprising at least one processor and at least one memory storing instructions, which, when executed by the at least one processor, cause the apparatus to perform at least the method according to the first aspect or the second aspect.

[0023] In a fifth aspect, a non-transient computer-readable medium including instructions is provided, wherein when executed by at least one processor of a device, the instructions cause the device to perform the method according to the first or second aspect.

[0024] In a sixth aspect, a computer program including instructions is provided that, when executed by a device, causes the device to perform at least the method according to the first or second aspect.

[0025] Some embodiments of the present invention are defined in the dependent claims.

[0026] Many different aspects have been described above. As previously stated, it should be understood that additional aspects can be provided by combining any two or more of the above (or other aspects in this disclosure) aspects.

[0027] Various other aspects are also described in the following detailed description and claims.

Attached Figure Description

[0028] Some embodiments will be described by way of non-limiting and illustrative examples only with reference to the accompanying drawings, in which:

[0029] Figure 1 shows an example of a communication network to which the examples disclosed herein can be applied;

[0030] Figure 2 shows a flowchart based on an example method;

[0031] Figure 3 shows a flowchart based on an example method;

[0032] Figure 4 shows an example signaling flow between NF1, NF2, NF3 and the CAF;

[0033] Figure 5 shows a flowchart based on an example method;

[0034] Figure 6 shows a flowchart based on an example method;

[0035] Figure 7 shows example signaling flows between UE1, UE2, the AMF / MM NF, the UPF, and the CAF; and

[0036] Figure 8 shows an example of the apparatus.

Detailed Implementation

[0037] The following embodiments are provided by way of non-limiting and illustrative example. Although the specification may refer to "an," "one," or "some" embodiments in several places in the text, this does not necessarily mean that each reference is for the same embodiment(s) or that a particular feature applies only to a single embodiment. Individual features of different embodiments may also be combined to provide other embodiments. Furthermore, when a particular feature, structure, or characteristic is described in connection with an embodiment, it is intended that such feature, structure, or characteristic can be applied in conjunction with other embodiments (whether explicitly described or not).

[0038] It should be understood that although the terms "first," "second," etc., may be used in this document to describe various elements, these elements should not be limited by these terms. These terms are only used to distinguish one element from another.

[0039] For the purposes of this disclosure, the phrases "at least one of A or B", "at least one of A and B", and "A and / or B" refer to (A), (B), or (A and B). For the purposes of this disclosure, the phrases "A, B, and / or C" refer to (A), (B), (C), (A and B), (A and C), (B and C), or (A, B, and C).

[0040] As used herein, the term “or” means non-exclusive “or” unless otherwise stated (e.g., “otherwise” or “or in the alternative”).

[0041] As used herein, unless explicitly stated otherwise, performing a feature, step, or function "in response to A" does not mean that the feature, step, or function is performed immediately after "A" occurs, because one or more intermediate features, steps, or functions may be performed (at least partially) between the occurrence of the feature, step, or function and "A". Similarly, performing a feature, step, or function "based on A" does not mean that the feature, step, or function is performed solely based on "A", because in addition to "A", the feature, step, or function may be further based on one or more other features, steps, or functions.

[0042] The embodiments described herein can be implemented in communication networks using any of the following radio access technologies (RATs): WiMAX, GSM (2G), GSM EDGE Radio Access Network (GERAN), General Packet Radio Service (GPRS), Universal Mobile Telecommunications System (UMTS, 3G) based on basic Wideband Code Division Multiple Access (W-CDMA), High-Speed Packet Access (HSPA), LTE, LTE Advanced and Enhanced LTE (eLTE), 5G (also known as NR), or any future RAT, such as 6G. Furthermore, communication within the communication network can utilize any suitable wireless communication technology, including but not limited to: Code Division Multiple Access (CDMA), Frequency Division Multiple Access (FDMA), Time Division Multiple Access (TDMA), Frequency Division Duplex (FDD), Time Division Duplex (TDD), Multiple-Input Multiple-Output (MIMO), Orthogonal Frequency Division Multiplexing (OFDM), and / or Discrete Fourier Transform spread OFDM (DFT-s-OFDM).

[0043] As used herein, the term "network device" or "network node" refers to a node in a communication network through which user equipment can access the network and / or which is configured to control wireless communications and manage wireless resources within a cell. A network node or network device may be referred to as a base station (BS), access point (AP), or access node. Depending on the technology applied, a network device may be, for example, a Node B (NodeB or NB), an evolved Node B (eNodeB or eNB), an NR NB (also known as a gNB), a Remote Radio Unit (RRU), a radio head (RH), a remote radio head (RRH), a relay, an Integrated Access and Backhaul (IAB) node, a low-power node, a non-terrestrial network (NTN) or non-terrestrial network equipment (such as satellite network equipment, low Earth orbit (LEO) satellites, and geostationary orbit (GEO) satellites), or aircraft network equipment.

[0044] Furthermore, in the context of split radio access networks (RANs), network devices can refer to the centralized unit (CU) and / or the distributed unit (DU) of a base station. The interface between the CU and the DU can be referred to as the F1 interface in NR. In a split RAN architecture, node operations can be performed at least partially in a central / centralized unit (CU) (e.g., a server, host, or node) that is operationally coupled to a DU (e.g., a radio head / node). A CU can control one or more DUs to at least act as a transmit / receive (Tx / Rx) node. In some embodiments, a DU may include, for example, a Radio Link Control (RLC), Media Access Control (MAC) layer, and a Physical (PHY) layer, while the CU may include layers above the RLC layer, such as the Packet Data Convergence Protocol (PDCP) layer, Radio Resource Control (RRC), and Internet Protocol (IP) layer. Other functional splitting is also possible. In practice, any processing task can be performed in either a CU or a DU, and the boundary of responsibility transfer between the CU and the DU can depend on the applied implementation.

[0045] The term "terminal device" refers to any terminal device that can be configured to perform wireless communication. For example, a terminal device may be referred to as a communication device, user equipment (UE), subscriber station (SS), or mobile station (MS). Terminal devices can include mobile phones, cellular phones, smartphones, Voice over IP (VoIP) phones, wireless local loop phones, tablets, wearable terminal devices, personal digital assistants (PDAs), portable computers, desktop computers, image capture terminal devices (such as digital cameras), gaming terminal devices, music storage and playback devices, in-vehicle wireless terminal devices, USB dongles, Internet of Things (IoT) devices, watches or other wearable devices, head-mounted displays (HMDs), automobiles, drones, medical devices and applications (e.g., remote surgery), industrial devices and applications (e.g., robots and / or other wireless devices operating in the context of industrial and / or automated processing chains), consumer electronics devices, devices operating on commercial and / or industrial wireless networks, and so on.

[0046] As used herein, the term "resource" can refer to radio resources in the time domain, frequency domain, spatial domain, and / or code domain. Some examples of resources may include, for example, physical resource blocks (PRBs), radio frames, subframes, time slots, subbands, frequency regions, subcarriers, beams, etc. The terms "transmission" and / or "reception" can refer to wireless transmission and / or reception over radio resources via a radio propagation channel.

[0047] Figure 1 shows an example of a communication network to which the examples disclosed herein can be applied. The communication network, or cellular communication network, may include: a network node 110 configured to provide one or more cells, such as cell 100, and a network node 112 configured to provide one or more other cells, such as cell 102. For example, each cell may be a macrocell, microcell, femtocell, or picocell. A cell may define the coverage area or service area of a corresponding access node.

[0048] Network nodes (110, 112) can be configured to provide radio access to a communication network to user equipment (UE) 120 (one or more UEs). Radio access may include downlink (DL) communication from network nodes (110, 112) to UE 120 and uplink (UL) communication from UE 120 to network nodes (110, 112). Examples of uplink channels may include a Physical Uplink Control Channel (PUCCH) for transmitting control information and a Physical Uplink Shared Channel (PUSCH) for transmitting data to the network. Examples of downlink channels may include a Physical Downlink Control Channel (PDCCH) for transmitting control information and a Physical Downlink Shared Channel (PDSCH) for transmitting data to the user equipment.

[0049] Multiple UEs (120, 122) can exist in this system. Each of the multiple UEs can be served by the same or different network nodes (110, 112). UEs can be configured with dual connectivity (DC), where a UE (e.g., UE 120) can be connected to multiple network nodes (110, 112). UEs (120, 122) can communicate with each other when a device-to-device (D2D) communication interface is established between them via a so-called sidelink (SL). For example, this D2D communication can be referred to as machine-to-machine, peer-to-peer (P2P) communication, or vehicle-to-vehicle (V2V) communication.

[0050] In a communication network with multiple network nodes, these nodes can connect to each other via interfaces. For example, the LTE specification refers to this interface as the X2 interface. The interface between an LTE node and a 5G node, or between two 5G nodes, can be called the Xn interface.

[0051] Network nodes 110 and 112 can also be connected to the core network 116 of the communication network via another interface. The LTE specification designates the core network as an Evolved Packet Core (EPC), and the core network can include multiple entities (e.g., Mobility Management Entity (MME) and gateway nodes). The MME can handle the mobility of terminal devices in a tracking area comprising multiple cells and handle signaling connections between the terminal devices and the core network. Gateway nodes can handle data routing within the core network and data routing to / from terminal devices. The 5G specification designates the core network as a 5G Core (5GC). For example, the 5GC can include Access and Mobility Management Functions (AMF) and User Plane Functions / Gateways (UPF), among other functions. The AMF can handle the termination of Non-Access Stratum (NAS) signaling, NAS encryption and integrity protection, registration management, connection management, mobility management, access authentication and authorization, and security context management. For example, UPF nodes can support packet routing and forwarding, packet inspection, and Quality of Service (QoS) processing.

[0052] User data (also known as UE data) is used in different RAN nodes, core NFs, and AFs. After a user or UE provides data to the operator, the operator is responsible for managing that data.

[0053] For example, if the UE provides location data to the RAN, the RAN can provide it to the LMF NF. The LMF can provide the data to the NWDAF or other NFs for different use cases. These NWDAFs / NFs can also provide the data to other NWDAFs / PCFs for different use cases.

[0054] In another example use case, the UE provides AIML-related local inference data to the RAN, and the RAN provides it to the NWDAF NF. For different use cases, the NWDAF may provide it to another NWDAF or other NFs. For different use cases, these NWDAFs / NFs may also provide it to other PCF / AMF / MM NFs.

[0055] User data flows within the operator's network should be tracked for auditing purposes. This is important for data lifecycle management. For example, operators may be responsible for holding user data for three years, and therefore the data should be tracked throughout those years regardless of which NF / service is consuming it. Currently, it is not possible to track data and its lifecycle over a period of time in 3GPP networks. Similar issues may arise with UE-to-UE data sharing. When a first UE (UE1) shares data with a second UE (UE2), for example via a 3GPP-defined interface (PC5), the operator is responsible for tracking the data.

[0056] Data tracking can include tracing, such as tracking the data lifecycle to ensure privacy, security, and compliance.

[0057] Alternatively or additionally, data tracking may include real-time data usage monitoring. Proactive measures can detect unauthorized access and ensure secure access.

[0058] Figure 2 shows a flowchart of a method according to an example embodiment. This method can be performed at a device. The device may include, be, or be included in a network function. The network function may be referred to as an NF producer or NFp. For example, the NF may be an LMF or an NWDAF.

[0059] At point 201, the method includes: acquiring data related to the user equipment from the user equipment.

[0060] At 202, the method includes: receiving a request for data related to a user equipment from another network function, wherein the request includes a reason for the request.

[0061] At 203, the method includes: generating tagging information, wherein the tagging information includes an indication of data, an identifier of a network function, and an identifier of another network function.

[0062] At 203, the method includes providing the generated tagging information to another network function, wherein the generated tagging information is protected for integrity.

[0063] Figure 3 shows a flowchart of a method according to an example embodiment. This method can be performed at a device. The device may include, be, or be included in a network function. The network function may be referred to as an NF consumer or NFc.

[0064] At 301, the method includes: providing a request for data relating to a user equipment to another network function, wherein the request includes a reason for the request.

[0065] At 302, the method includes: receiving tagging information from another network function, wherein the tagging information is protected for integrity and includes an indication of data, an identifier of the network function, and an identifier of the other network function.

[0066] Referring to Figures 2 and 3, in this method each NF producer providing data (including, for example, a RAN SBA NF) also tags and signs the data, i.e., by providing integrity-protected tagging information to NF consumers. This makes NF producers accountable for the data they generate. NF producers can also store the data and tagging information at a centralized auditing function. Data related to user equipment can be any user data and can include, for example, at least one of the following: location information, identification information, or power information.

[0067] The methods described with reference to Figures 2 and 3 may include storing the generated or received tagging information, respectively.

[0068] The generated or received tagging information can be stored in a centralized audit function (CAF). CAF is a new network function in 6G that can store data and tagging information. CAF can be implemented in the core network and / or RAN domain.

[0069] Tagging information can be stored in a new CAF NF (e.g., outside the NF producer or consumer) or locally within the CAF service (e.g., inside the NF producer or consumer). For the local option, CAF is a function or service provided by each NF. Each NF can support the CAF service and store tagging information. Network functions can provide generated or received tagging information to centralized auditing functions.

[0070] Tagging information can be used for auditing purposes. CAF NF or functions provide ways to track user data. For example, it can track who generates user data, who consumes user data, and the reasons for consuming or sharing user data.

[0071] Tagging information covering the user data is defined. This tagging information is protected for integrity. The generated tagging information can be protected for integrity based on a signature made using the device's private key. The information is signed by the NF itself, so it cannot be modified without detection (i.e., the information is integrity-protected). Alternatively or additionally, different cryptographic functions can be used to ensure tag integrity.

[0072] The reason for a request can include at least one of the following: analysis, strategy development, or network optimization. This reason can be included in every service request or as part of a custom header. For example, Request Reason = Analysis, Self-consumption for Strategy Development, Self-consumption for Network Optimization, etc.

[0073] Tagging information may include a timestamp. Tagging information may include an indication of the data category.

[0074] For example, the tagging information may include: {Information IE: UE-data-related IE; Producer ID; Consumer ID; Request reason: analysis | self-consumption for policy formulation | self-consumption for network optimization; Timestamp: actual time of tagging}.

[0075] The method described with reference to Figure 2 may include providing the generated tagging information to the other network function via a service application programming interface (API) or a header. For example, the tagging information may be provided from the producer to the consumer as part of a service API or via a custom header.

[0076] A new custom header can be introduced. This custom header can be named, for example, "3gpp SBI tag information" and carry the following content:
    3gpp SBI tag information {
    Information IE: the IEs related to the UE data.
    Producer ID
    Consumer ID
    Request reason: analysis, self-consumption for strategy formulation, or self-consumption for network optimization.
    Timestamp: the actual time of tagging.
    Signature: the signature of NF1, i.e., of the data producer that generates / aggregates / collects the data for provision to data consumers.
    }

[0077] This custom header can be appended to any service request. NF producers can then provide this information along with the data to NF consumers.

[0078] Here, some optimizations can be performed to avoid duplicating data. For example, the data indicator can include a hash value of the data, as follows:
    3gpp SBI tag information {
    Data hash: the hash value of the data is retained rather than the actual data; the actual data is transmitted in the API / service request.
    Producer ID
    Consumer ID
    Request reason: analysis, self-consumption for strategy formulation, or self-consumption for network optimization.
    Timestamp: the actual time of tagging.
    Signature: the signature of the data producer that generates / aggregates / collects the data for provision to data consumers.
    }

[0079] Figure 4 shows the signaling flow between NF1, NF2, NF3 and the CAF according to an example.

[0080] NF1 is the producer, which acquires user-equipment-related data by collecting user data directly from the UE or via other means, or which generates UE-related data. For example, an LMF determines the UE location, and an NWDAF determines the UE's historical communication patterns.

[0081] In step 1, NF1 collects user data from the UE, such as the location at time T.

[0082] At step 2, NF2 requests data related to the UE from NF1. NF2 includes the request reason IE. In this example, the request reason is analysis.

[0083] In step 3, which can occur after authorization and authentication, NF1 determines to provide the requested data to NF2. For this purpose, NF1 determines tagging information. Assuming the UE-related data is the UE location, the tagging information includes: {User location (IE): actual UE location; Producer: NF1; Consumer: NF2; Request reason: analysis; Timestamp: the actual time of tagging; Signature: NF1 (i.e., the signature of the data producer)}.

[0084] The tagging information is signed by NF1 using its private key.

[0085] In step 4, the tagging information is provided from NF1 to NF2 (the consumer NF or NFc). The tagging information can be provided to NF2 via a custom header.

[0086] In step 5, the tagging information is stored in the CAF.

[0087] In step 5a, the tagging information is stored in the CAF function at the NF.

[0088] In step 5b, the NF producer calls the Ncaf_StoreInfo_Request API of the CAF NF and requests that the tagging information determined in step 3 be stored. The CAF NF stores this information.

[0089] In step 6, after receiving the service response from the NF producer with the tagging information, the NF consumer can also repeat step 5. That is, the NF consumer can also store the information in the CAF NF.

[0090] In steps 7 and 8, NF3 requests data from NF2, and steps 3 through 6 are repeated with NF2 acting as the NF producer and NF3 acting as the NF consumer. The tagging information generated by NF2 can be stored in the CAF NF or in the CAF function at either NF2 or NF3. If NF2 generates additional tagging information, this additional tagging information may include the tagging information it received.

[0091] For example, if the NF2 consumer received the information from another NF (NF1), NF2 may also include the previously received tagging information:
    3gpp SBI tag information {
    Information IE: the IEs related to the UE data.
    Producer ID
    Consumer ID
    Request reason: analysis, self-consumption for strategy formulation, or self-consumption for network optimization.
    Timestamp: the actual time of tagging.
    Previously received tag list: Tag 1, ...
    }

[0092] When distributing data, data traceability can be ensured by attaching signed data tags (i.e., integrity-protected tagging information), allowing any data consumer / operator to track all data consumers and their purposes for accessing the data at any given time. Alternatively or additionally, the centralized variant of the CAF can ensure that all data producers / consumers update tagging information in a central NF, thereby streamlining control and auditing operations.
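As an added, runnable illustration of the tagging scheme in [0071] to [0078] and the chained tags of [0091] (not Nokia's code and not text from any 3GPP specification), the following Python models the producer-signed tag carrying a data hash, a consumer re-sharing the data together with the tag it received, and a CAF that admits only integrity-valid tags and reconstructs the data lineage. Keys, NF names, field names and the location record are constructed; an HMAC keyed per NF stands in for the private-key signature the patent describes, so the block runs on the standard library alone.

```python
import hashlib
import hmac
import json
import time

# Constructed per-NF keys. The patent signs the tag with the producer's private key;
# a per-NF HMAC key stands in here so the example runs on the standard library alone.
# sign() and verify_tag() are the only places to swap in a real asymmetric signature.
NF_KEYS = {
    "NF1": b"constructed-key-for-nf1",  # e.g. an LMF producing UE location
    "NF2": b"constructed-key-for-nf2",  # e.g. an NWDAF consuming, then re-sharing
    "NF3": b"constructed-key-for-nf3",  # e.g. a PCF
}
# Request reasons named in the patent.
REQUEST_REASONS = {"analysis", "policy_formulation", "network_optimization"}

def canonical(obj) -> bytes:
    # Deterministic encoding so producer and verifier hash and sign identical bytes.
    return json.dumps(obj, sort_keys=True, separators=(",", ":")).encode()

def data_hash(ue_data) -> str:
    # Data indicator carried in the tag: a hash of the data, never the data itself.
    return hashlib.sha256(canonical(ue_data)).hexdigest()

def sign(nf_id: str, body: dict) -> str:
    return hmac.new(NF_KEYS[nf_id], canonical(body), hashlib.sha256).hexdigest()

def make_tag(producer, consumer, ue_data, reason, previous_tags=(), timestamp=None):
    """Build the '3gpp SBI tag information' a producer NF attaches to its response."""
    if reason not in REQUEST_REASONS:
        raise ValueError(f"unknown request reason: {reason}")
    body = {
        "data_hash": data_hash(ue_data),
        "producer_id": producer,
        "consumer_id": consumer,
        "request_reason": reason,
        "timestamp": int(time.time()) if timestamp is None else timestamp,
        # A consumer that re-shares the data carries the tags it received ([0091]).
        "previously_received_tags": list(previous_tags),
    }
    return {"body": body, "signature": sign(producer, body)}

def verify_tag(tag, ue_data=None) -> bool:
    """Check the producer's signature, the optional data binding, and every chained tag."""
    body = tag["body"]
    producer = body.get("producer_id")
    if producer not in NF_KEYS:
        return False  # unknown producer: nothing to verify against
    if not hmac.compare_digest(sign(producer, body), tag["signature"]):
        return False
    if ue_data is not None and data_hash(ue_data) != body["data_hash"]:
        return False
    return all(verify_tag(t) for t in body["previously_received_tags"])

class CentralizedAuditFunction:
    """Minimal CAF: store_info (the Ncaf_StoreInfo service) admits only integrity-valid
    tags; lineage() answers 'who consumed this UE data, and why' from the stored chains."""

    def __init__(self):
        self.tags = []

    def store_info(self, tag) -> bool:
        if not verify_tag(tag):
            return False  # a tampered or unsigned tag is never admitted
        self.tags.append(tag)
        return True

    def lineage(self, h: str):
        seen = set()

        def walk(tag):
            b = tag["body"]
            if b["data_hash"] == h:
                seen.add((b["producer_id"], b["consumer_id"], b["request_reason"]))
            for t in b["previously_received_tags"]:
                walk(t)

        for tag in self.tags:
            walk(tag)
        return sorted(seen)

def demo():
    """Figure 4 flow (NF1 -> NF2 -> NF3) with the CAF auditing, plus a tamper check."""
    location = {"ue": "constructed-ue-1", "lat": 60.17, "lon": 24.94, "t": 1700000000}
    caf = CentralizedAuditFunction()
    tag1 = make_tag("NF1", "NF2", location, "analysis", timestamp=1700000001)
    caf.store_info(tag1)  # step 5b: the producer pushes the tag to the CAF NF
    tag2 = make_tag("NF2", "NF3", location, "network_optimization",
                    previous_tags=[tag1], timestamp=1700000002)  # steps 7 and 8
    caf.store_info(tag2)
    # Consumer field rewritten in transit without re-signing: the CAF must reject it.
    forged = {"body": dict(tag1["body"], consumer_id="NF3"), "signature": tag1["signature"]}
    return {
        "tag1_valid": verify_tag(tag1, location),
        "chain_valid": verify_tag(tag2, location),
        "forged_accepted": caf.store_info(forged),
        "lineage": caf.lineage(data_hash(location)),
    }
```

Running demo() shows the forged tag rejected while the CAF still reconstructs both hops of the location data's lineage from the single chained tag NF2 stored.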

[0093] Figure 5 shows a flowchart of a method according to an example embodiment. This method can be performed at a device. The device may include, be, or be included in a user equipment. The user equipment may be referred to as a UE producer.

[0094] At 501, the method includes: receiving a request from another user equipment for data related to the user equipment, wherein the request includes a reason for the request.

[0095] At 502, the method includes generating tagging information, wherein the tagging information includes an indication of the data, an identifier of the user equipment, and an identifier of the other user equipment.

[0096] At 503, the method includes providing the generated tagging information to another user device, wherein the generated tagging information is protected for integrity.

[0097] Figure 6 shows a flowchart of a method according to an example embodiment. This method can be performed at a device. The device may include, be, or be included in a user equipment. The user equipment may be referred to as a UE consumer.

[0098] At 601, the method includes providing a request to another user device for data relating to that other user device, wherein the request includes a reason for the request.

[0099] At 602, the method includes: receiving tagging information from another user equipment, wherein the tagging information is protected for integrity and includes an indication of data, an identifier of the user equipment, and an identifier of the other user equipment.

[0100] The user equipment (UE) can be configured to store the generated tagging information. The UE can also provide the generated tagging information to a centralized auditing function for storage via non-access stratum signaling or user plane signaling. In the example, the UE pushes the tagging information to the network (or the new CAF NF). The tagging information can then be used for user data auditing purposes.

[0101] The tagging information is protected for integrity, for example, by being signed with the UE's private key (assuming the UE is configured with a certificate).

[0102] The reason for the request may include at least one of: analysis, policy formulation, or network optimization. The reason may be carried in each service request or as part of a custom header, for example Request Reason = Analysis, Self-consumption for Policy Formulation, Self-consumption for Network Optimization, etc. The tagging information may include a timestamp. The tagging information may include an indication of the category of the data. The data related to the user equipment may include at least one of: location information, identification information, or power information.

[0103] For example, the tagging information may include {Information IE: the IE containing the UE-related data; producer UE ID; consumer UE ID; request reason: analysis | self-consumption for policy formulation; timestamp: the actual time of tagging}. This information is signed by the UE itself, so that any later modification is detectable (integrity protection).

[0104] The tagging information may be provided from the producer UE to the consumer UE as part of the service API or via a custom header over PC5.

[0105] Figure 7 shows an example signaling flow between a first UE (UE1), a second UE (UE2), and the NFs (comprising the AMF/MM, the UPF, and the CAF). The steps are similar to those shown in Figure 4.

[0106] In step 1, UE1 and UE2 are connected via PC5.

[0107] In step 2, UE2 requests data from UE1.

[0108] In steps 3 and 4, the producer UE (UE1) generates the tagging information. The UE uses its certificate and its public/private key pair to generate (sign) the tag.

[0109] In step 5, in the NAS-based solution, the UE provides the tagging information to the network in a NAS message or NAS payload. The AMF/MM NF then stores it at the CAF NF via the SBA.

[0110] In step 6, in the UP-based solution, the UE provides the tagging information to the network via the user plane. To do so, the UE establishes a PDU session and uploads the tagging information to the UPF. The UPF then stores it at the CAF NF via the SBA.
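The following Go program is an added example, not code from the patent or from Nokia. It implements the tagging information of [0101] to [0104] and the Figure 7 exchange of steps 2 to 6 end to end: UE1 builds a tag for UE2's request, signs it, UE2 wraps the received tag in a tag of its own (claim 13) before pushing it to the CAF, and the CAF verifies the whole chain. Assumptions beyond the text: Ed25519 is used as the signature scheme (the patent only says the UE signs with the private key of its certificate), the hash of the data is used as the indication of the data (claim 10), the JSON field names and reason strings are this example's own, and the rule that each outer tag must be produced by the UE that consumed the inner tag is an added custody check, not something the patent states.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"encoding/json"
	"errors"
	"fmt"
	"time"
)

// Request reasons of [0102] / claim 8; the string encoding is this example's own.
var allowedReasons = map[string]bool{"analysis": true, "policy-formulation": true, "network-optimization": true}

// Tag is the tagging information of [0103]. The indication of the data is its
// SHA-256 hash (claim 10); Inner carries a previously received signed tag so a
// consumer can wrap it in its own tag (claim 13). Field names are assumptions.
type Tag struct {
	DataHash  string     `json:"data_hash"`
	Category  string     `json:"category"`
	Producer  string     `json:"producer_id"`
	Consumer  string     `json:"consumer_id"`
	Reason    string     `json:"request_reason"`
	Timestamp int64      `json:"timestamp"`
	Inner     *SignedTag `json:"inner,omitempty"`
}

// SignedTag is a Tag plus the producer's Ed25519 signature over its JSON
// encoding; encoding/json emits struct fields in declaration order, so the
// signed bytes are deterministic without a separate canonicalisation step.
type SignedTag struct {
	Tag       Tag    `json:"tag"`
	Signature string `json:"signature"`
}

// NewTag builds the tag for data handed from producer to consumer and rejects
// request reasons outside the allowed set.
func NewTag(producer, consumer, reason, category string, data []byte, now time.Time, inner *SignedTag) (Tag, error) {
	if !allowedReasons[reason] {
		return Tag{}, fmt.Errorf("unsupported request reason %q", reason)
	}
	sum := sha256.Sum256(data)
	return Tag{DataHash: hex.EncodeToString(sum[:]), Category: category, Producer: producer,
		Consumer: consumer, Reason: reason, Timestamp: now.Unix(), Inner: inner}, nil
}

// Sign integrity-protects the tag with the producer's private key ([0101]).
func Sign(t Tag, priv ed25519.PrivateKey) SignedTag {
	msg, _ := json.Marshal(t) // a Tag always marshals
	return SignedTag{Tag: t, Signature: hex.EncodeToString(ed25519.Sign(priv, msg))}
}

// VerifyChain is what the CAF runs on a pushed tag: every tag in the chain must
// verify under its producer's public key (taken from the UE certificates) and
// each outer tag must be produced by the UE that consumed the inner one.
func VerifyChain(st SignedTag, keys map[string]ed25519.PublicKey) error {
	for cur := &st; cur != nil; cur = cur.Tag.Inner {
		msg, _ := json.Marshal(cur.Tag)
		sig, _ := hex.DecodeString(cur.Signature)
		pub, ok := keys[cur.Tag.Producer]
		if !ok || !ed25519.Verify(pub, msg, sig) {
			return fmt.Errorf("tag from %q: unknown producer or bad signature", cur.Tag.Producer)
		}
		if in := cur.Tag.Inner; in != nil && in.Tag.Consumer != cur.Tag.Producer {
			return errors.New("custody break: outer producer is not the inner consumer")
		}
	}
	return nil
}

// Demo walks the Figure 7 flow with constructed data: UE1 answers UE2's request,
// UE2 wraps UE1's tag in its own before pushing it to the CAF, and the CAF checks
// the genuine chain, a copy whose inner reason was altered, and a copy whose
// outer tag claims a producer that never consumed the inner tag.
func Demo() (chainOK, tamperedOK, custodyOK bool) {
	pub1, priv1, _ := ed25519.GenerateKey(rand.Reader)
	pub2, priv2, _ := ed25519.GenerateKey(rand.Reader)
	keys := map[string]ed25519.PublicKey{"UE1": pub1, "UE2": pub2}
	location := []byte(`{"lat":60.17,"lon":24.94}`) // constructed sample UE data

	t1, _ := NewTag("UE1", "UE2", "analysis", "location", location, time.Now(), nil)
	s1 := Sign(t1, priv1)
	t2, _ := NewTag("UE2", "CAF", "network-optimization", "location", location, time.Now(), &s1)
	s2 := Sign(t2, priv2)
	chainOK = VerifyChain(s2, keys) == nil

	inner := s1 // someone on the path rewrites the recorded reason
	inner.Tag.Reason = "policy-formulation"
	forged := s2
	forged.Tag.Inner = &inner
	tamperedOK = VerifyChain(forged, keys) == nil

	t3, _ := NewTag("UE1", "CAF", "analysis", "location", location, time.Now(), &s1)
	s3 := Sign(t3, priv1) // validly signed by UE1, but UE2 was the consumer of the inner tag
	custodyOK = VerifyChain(s3, keys) == nil
	return
}
```

Because the outer signature covers the inner signed tag, rewriting any field of UE1's tag after UE2 has wrapped it invalidates UE2's signature as well, so the CAF rejects the tampered copy at the first link it checks. The public keys are looked up by producer UE ID; in a deployment they would be taken from the UE certificates that [0101] assumes, and the CAF would also want to check that the timestamp falls within an acceptable window.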

[0111] Figure 8 shows a block diagram of an apparatus 10 by way of example. For example, the apparatus 10 comprises at least one processor 12 and at least one memory 14 storing instructions 15 which, when executed by the at least one processor, cause the apparatus 10 to perform at least one or more of the methods (or portions thereof) disclosed herein and any embodiment (or corresponding portions thereof). In the example, the at least one memory and the instructions (e.g., computer program code, software) are configured to, with the at least one processor, cause the apparatus 10 to perform one or more of the methods (or portions thereof) disclosed herein and any embodiment (or corresponding portions thereof).

[0112] The processor 12 may comprise, or be configured as, one or more circuitries configured to perform phases of the methods according to the embodiments described herein.

[0113] As used herein, the term "circuitry" may refer to one or more or all of the following: (a) hardware-only circuit implementations, such as implementations in only analog and/or digital circuitry; (b) combinations of hardware circuits and software, such as, as applicable: (i) a combination of analog and/or digital hardware circuit(s) with software/firmware, and (ii) any portions of hardware processor(s) with software (including digital signal processor(s)), software, and memory(ies) that work together to cause an apparatus, such as a user equipment, to perform various functions; and (c) hardware circuit(s) and/or processor(s), such as microprocessor(s) or a portion of a microprocessor(s), that require software (e.g., firmware) for operation, but the software may not be present when it is not needed for operation. This definition of circuitry applies to all uses of this term herein, including in any claims. As a further example, as used herein, the term circuitry also covers an implementation of merely a hardware circuit or processor (or multiple processors) or a portion of a hardware circuit or processor and its (or their) accompanying software and/or firmware. The term circuitry also covers, for example and if applicable to the particular claim element, a baseband integrated circuit or processor integrated circuit for a mobile device, or a similar integrated circuit in a server, a cellular network device, or another computing or network device.

[0114] The memory 14 may be implemented using any suitable data storage technology. The memory may comprise a database for storing data. For example, the memory 14 may be at least partially located outside the apparatus 10 but accessible to the apparatus 10.

[0115] The instructions 15 may be comprised in a computer-readable medium or a non-transitory computer-readable medium. As used herein, the term "non-transitory" is a limitation of the medium itself (i.e., tangible, not a signal) as opposed to a limitation on data storage persistency (e.g., random access memory (RAM) versus read-only memory (ROM)).

[0116] For example, the apparatus 10 is a terminal device such as a UE. As another example, the apparatus is comprised in such a terminal device, for example as a chipset configured to control the terminal device. The apparatus 10 may be caused or configured to perform, or may comprise means for performing, at least the methods of Figure 5 and/or Figure 6 and/or any one or more of the embodiments described herein.

[0117] As another example, the apparatus 10 is a network entity. In another embodiment, the apparatus is comprised in such a network entity, for example as a chipset configured to control the network entity. The apparatus 10 may be caused or configured to perform, or may comprise means for performing, at least the methods of Figure 2 and/or Figure 3 and/or any one or more of the embodiments described herein.

[0118] The apparatus may comprise one or more entities of any protocol layer, such as a MAC entity, an RRC entity, an RLC entity, a PDCP entity, or a PHY entity. In some embodiments, the entity is configured to perform at least the methods of Figure 3, Figure 4 and/or Figure 8 and/or any one or more of the embodiments described herein.

[0119] The apparatus 10 comprises a wireless interface 16. The wireless interface 16 may provide the apparatus 10 with communication capabilities. The wireless interface 16 may comprise a receiver configured to receive information according to at least one cellular or non-cellular standard. The wireless interface 16 may comprise a transmitter configured to transmit information according to at least one cellular or non-cellular standard. The receiver may comprise more than one receiver. The transmitter may comprise more than one transmitter. The wireless interface 16 may comprise a transceiver configured to receive and transmit information according to at least one cellular or non-cellular standard. The transceiver may comprise more than one transceiver.

[0120] The apparatus 10 may comprise a user interface 18 comprising at least one of: a keypad, a microphone, a touch display, a display, a speaker, etc. The user interface 18 may be used to control the apparatus by a user. The user interface 18 may be external to the apparatus 10. For example, the apparatus 10 may be connected to another device, such as a computer, via a wireless or wired connection, and the apparatus 10 may be controlled by the user via the computer.

[0121] In embodiments, at least some of the processes described herein may be performed by an apparatus comprising means for performing at least some of the described processes. The means for performing the method steps disclosed herein may comprise software and/or hardware components of the apparatus 10. For example, the at least one processor 12, the memory 14, and the computer program code form means for performing one or more of the methods (or portions thereof) disclosed herein and corresponding portions of any embodiment (or portions thereof). As used herein, the term "means" may be interpreted in the singular, i.e., as referring to a single element, or in the plural, i.e., as referring to a combination of single elements. Thus, the term "means for [performing A, B, C]" shall be interpreted to cover an apparatus having only one means for performing A, B, and C, an apparatus having separate means for performing A, B, and C, and an apparatus having partially or completely overlapping means for performing A, B, and C. Likewise, the terms "means for performing A, means for performing B, and means for performing C" shall be interpreted to cover an apparatus in which there is only one means for performing A, B, and C, an apparatus in which there are separate means for performing A, B, and C, and an apparatus in which there are partially or completely overlapping means for performing A, B, and C.

[0122] Although the disclosure has been described above with reference to the accompanying drawings and non-limiting, illustrative examples, it will be apparent that the scope of the disclosure is not limited thereto and that it may be modified in many different ways. As technology advances, those skilled in the art will understand how the disclosure may be further implemented and/or modified in various ways. Furthermore, it will be apparent to those skilled in the art that the embodiments described herein may, but need not, be combined with other embodiments described herein in various ways.

Claims

1. An apparatus for a communication network, the apparatus comprising a network function and comprising: at least one processor and at least one memory storing instructions which, when executed by the at least one processor, cause the apparatus at least to perform: obtaining data related to a user equipment from the user equipment; receiving, from another network function, a request for the data related to the user equipment, wherein the request includes a reason for the request; generating tagging information, wherein the tagging information includes an indication of the data, an identifier of the network function, and an identifier of the other network function; and providing the generated tagging information to the other network function, wherein the generated tagging information is integrity protected.

2. The apparatus of claim 1, wherein the apparatus is configured to: store the generated tagging information.

3. The apparatus of claim 2, wherein the apparatus is configured to: store the generated tagging information at a centralized auditing function, wherein the centralized auditing function is external to or internal to the network function.

4. The apparatus of claim 3, wherein the apparatus is configured to: provide the generated tagging information to the centralized auditing function.

5. The apparatus according to any one of claims 1 to 4, wherein the data associated with the user equipment includes at least one of the following: location information, identification information, or power information.

6. The apparatus according to any one of claims 1 to 5, wherein the generated tagging information includes a timestamp.

7. The apparatus according to any one of claims 1 to 6, wherein the apparatus is configured to: provide the generated tagging information to the other network function via a service application programming interface or a header.

8. The apparatus according to any one of claims 1 to 7, wherein the reason for the request includes at least one of: analysis, policy formulation, or network optimization.

9. The apparatus according to any one of claims 1 to 8, wherein the generated tagging information is integrity protected based on a signature using a private key of the apparatus.

10. The apparatus according to any one of claims 1 to 9, wherein the indication of the data comprises: a hash value of the data.

11. The apparatus according to any one of claims 1 to 10, wherein the generated tagging information comprises: an indication of a category of the data.

12. An apparatus for a communication network, the apparatus comprising a network function and comprising: at least one processor and at least one memory storing instructions which, when executed by the at least one processor, cause the apparatus at least to perform: providing, to another network function, a request for data related to a user equipment, wherein the request includes a reason for the request; and receiving tagging information from the other network function, wherein the tagging information is integrity protected and includes an indication of the data, an identifier of the network function, and an identifier of the other network function.

13. The apparatus of claim 12, wherein the apparatus is configured to: generate further tagging information, wherein the further tagging information includes the received tagging information.

14. The apparatus of claim 12 or 13, wherein the apparatus is configured to: store the received tagging information.

15. The apparatus of claim 14, wherein the apparatus is configured to: store the received tagging information at a centralized auditing function, wherein the centralized auditing function is external to or internal to the network function.

16. The apparatus of claim 15, wherein the apparatus is configured to: provide the received tagging information to the centralized auditing function.

17. A method for a communication network, comprising: obtaining data related to a user equipment from the user equipment; receiving, from another network function, a request for the data related to the user equipment, wherein the request includes a reason for the request; generating tagging information, wherein the tagging information includes an indication of the data, an identifier of the network function, and an identifier of the other network function; and providing the generated tagging information to the other network function, wherein the generated tagging information is integrity protected.

18. A method for a communication network, comprising: providing, to another network function, a request for data related to a user equipment, wherein the request includes a reason for the request; and receiving tagging information from the other network function, wherein the tagging information is integrity protected and includes an indication of the data, an identifier of the network function, and an identifier of the other network function.

19. An apparatus for a communication network, comprising means for: obtaining data related to a user equipment from the user equipment; receiving, from another network function, a request for the data related to the user equipment, wherein the request includes a reason for the request; generating tagging information, wherein the tagging information includes an indication of the data, an identifier of the network function, and an identifier of the other network function; and providing the generated tagging information to the other network function, wherein the generated tagging information is integrity protected.

20. An apparatus for a communication network, comprising means for: providing, to another network function, a request for data related to a user equipment, wherein the request includes a reason for the request; and receiving tagging information from the other network function, wherein the tagging information is integrity protected and includes an indication of the data, an identifier of the network function, and an identifier of the other network function.

21. A computer program product comprising instructions which, when executed by an apparatus, cause the apparatus at least to perform: obtaining data related to a user equipment from the user equipment; receiving, from another network function, a request for the data related to the user equipment, wherein the request includes a reason for the request; generating tagging information, wherein the tagging information includes an indication of the data, an identifier of the network function, and an identifier of the other network function; and providing the generated tagging information to the other network function, wherein the generated tagging information is integrity protected.

22. A computer program product comprising instructions which, when executed by an apparatus, cause the apparatus at least to perform: providing, to another network function, a request for data related to a user equipment, wherein the request includes a reason for the request; and receiving tagging information from the other network function, wherein the tagging information is integrity protected and includes an indication of the data, an identifier of the network function, and an identifier of the other network function.